diff options
82 files changed, 9573 insertions, 8294 deletions
diff --git a/blog/2021-01-01-seum.org b/blog/2021-01-01-seum.org index e157ff0..639cede 100644 --- a/blog/2021-01-01-seum.org +++ b/blog/2021-01-01-seum.org @@ -1,84 +1,107 @@ -+++ -date = 2021-01-01 -title = "SEUM: Speedrunners from Hell" -description = "A video game review for SEUM: Speedrunners from Hell, an incredibly fast-paced mashup of a puzzle game and a free-running game." -+++ - -## Game Description - -[SEUM: Speedrunners from Hell](https://store.steampowered.com/app/457210/SEUM_Speedrunners_from_Hell/) -is an incredibly fast-paced mashup of a puzzle game and a free-running game. -Created by [Pine Studio](https://pinestudio.co) in early 2016 and first released -as a -[demo on GameJolt](https://gamejolt.com/games/seum-speedrunners-from-hell-demo/154868), -this game was successfully green-lit on Steam and has amassed a cult -following on multiple consoles. +#+title: SEUM: Speedrunners from Hell +#+date: 2021-01-01 + +** Game Description +:PROPERTIES: +:CUSTOM_ID: game-description +:ID: 809DA4E6-4E0D-4179-B8FF-6C9E767EC74D +:END: +[[https://store.steampowered.com/app/457210/SEUM_Speedrunners_from_Hell/][SEUM: +Speedrunners from Hell]] is an incredibly fast-paced mashup of a puzzle +game and a free-running game. Created by [[https://pinestudio.co][Pine +Studio]] in early 2016 and first released as a +[[https://gamejolt.com/games/seum-speedrunners-from-hell-demo/154868][demo +on GameJolt]], this game was successfully green-lit on Steam and has +amassed a cult following on multiple consoles. Here's the game description straight from the developers: -> Like a bastard child of Quake 3 and Super Meat Boy, SEUM: Speedrunners from -> Hell is truly hardcore and focuses on speed and fast reaction. - -## Story - -SEUM does a great job setting the stage when you open the game for the first -time, playing an animated video in the form of comic book images. You see Marty, -the protagonist, sitting around drinking his beer as Satan busts down the door, -cuts his hand off, and steals all his beer and bacon. As Satan is leaving, Marty -whips a vinyl record across the room and cuts off one of Satan's hands. This -hand is what allows you to use all the powers in the game. - -Check out the screenshot below for one of the first panels of the storyline: - - - -## Gameplay - -To accomplish each level, you will need to get to the final blue portal under a -certain time limit. You can beat a level by getting to the portal before the -time meter runs out or "Dominate" a level by beating it within a shorter time -limit (noted by a bright red/orange color in the time meter). - -The portal is usually set behind locked gates, protected by dangerous defenses, -or in hard-to-reach places. To reach the portal, you'll need to go through any -existing orange portals, light all yellow beacons, avoid things like fireballs -and blades, or use any satanic power orbs lying around. These special abilities -include: - -- Gravity -- Teleport -- Rewind -- Spawn platform -- Roar (DLC) -- Rocket (DLC) -- Shadow world (DLC) - -For the main storyline, there are nine floors to beat. Each floor contains nine -regular levels, one boss level, and one bonus level; although you don't -technically need to beat all levels to advance to the next floor. - - - -## In-Game Screenshots - -The main menu gives you plenty of options for tuning your system, playing main -levels, playing the DLC, or exploring the other game modes. - - - -Once you enter a level, you can look around and strategize before starting. -Clicking any button will start the menu, and you'll have to restart if you die. -One of the great things about SEUM is that it has great keyboard shortcuts. You -can quickly smash `R` to restart the level or `M` to return to the level menu. - - - -Once you're able to win a level, you'll see the high scores and can watch -replays of the best scores. - - - -Each regular level contains a beer in a disguised location that may take some -out-of-the-box thinking. - - +#+begin_quote +Like a bastard child of Quake 3 and Super Meat Boy, SEUM: Speedrunners +from Hell is truly hardcore and focuses on speed and fast reaction. + +#+end_quote + +** Story +:PROPERTIES: +:CUSTOM_ID: story +:ID: BF401145-763D-4399-922B-7D73322B5B40 +:END: +SEUM does a great job setting the stage when you open the game for the +first time, playing an animated video in the form of comic book images. +You see Marty, the protagonist, sitting around drinking his beer as +Satan busts down the door, cuts his hand off, and steals all his beer +and bacon. As Satan is leaving, Marty whips a vinyl record across the +room and cuts off one of Satan's hands. This hand is what allows you to +use all the powers in the game. + +Check out the screenshot below for one of the first panels of the +storyline: + +#+caption: SEUM Story +[[https://img.cleberg.net/blog/20210101-seum/seum_story.png]] + +** Gameplay +:PROPERTIES: +:CUSTOM_ID: gameplay +:ID: A55CB1AF-E818-4CA7-BF69-E8141369C269 +:END: +To accomplish each level, you will need to get to the final blue portal +under a certain time limit. You can beat a level by getting to the +portal before the time meter runs out or "Dominate" a level by beating +it within a shorter time limit (noted by a bright red/orange color in +the time meter). + +The portal is usually set behind locked gates, protected by dangerous +defenses, or in hard-to-reach places. To reach the portal, you'll need +to go through any existing orange portals, light all yellow beacons, +avoid things like fireballs and blades, or use any satanic power orbs +lying around. These special abilities include: + +- Gravity +- Teleport +- Rewind +- Spawn platform +- Roar (DLC) +- Rocket (DLC) +- Shadow world (DLC) + +For the main storyline, there are nine floors to beat. Each floor +contains nine regular levels, one boss level, and one bonus level; +although you don't technically need to beat all levels to advance to the +next floor. + +#+caption: SEUM Floor Menu +[[https://img.cleberg.net/blog/20210101-seum/seum_floor.png]] + +** In-Game Screenshots +:PROPERTIES: +:CUSTOM_ID: in-game-screenshots +:ID: C779F008-4C8A-4BA4-AA31-60A1BF5A3EE3 +:END: +The main menu gives you plenty of options for tuning your system, +playing main levels, playing the DLC, or exploring the other game modes. + +#+caption: SEUM Main Menu +[[https://img.cleberg.net/blog/20210101-seum/seum_menu.png]] + +Once you enter a level, you can look around and strategize before +starting. Clicking any button will start the menu, and you'll have to +restart if you die. One of the great things about SEUM is that it has +great keyboard shortcuts. You can quickly smash =R= to restart the level +or =M= to return to the level menu. + +#+caption: SEUM Level +[[https://img.cleberg.net/blog/20210101-seum/seum_level.png]] + +Once you're able to win a level, you'll see the high scores and can +watch replays of the best scores. + +#+caption: SEUM Win +[[https://img.cleberg.net/blog/20210101-seum/seum_win.png]] + +Each regular level contains a beer in a disguised location that may take +some out-of-the-box thinking. + +#+caption: SEUM Beer +[[https://img.cleberg.net/blog/20210101-seum/seum_beer.png]] diff --git a/blog/2021-01-04-fediverse.org b/blog/2021-01-04-fediverse.org index 1365fe1..4aa9d6f 100644 --- a/blog/2021-01-04-fediverse.org +++ b/blog/2021-01-04-fediverse.org @@ -1,106 +1,123 @@ -+++ -date = 2021-01-04 -title = "A Simple Guide to the Fediverse" -description = "A simple guide to the fediverse, a federated universe of servers commonly used for sharing content, like social media." -draft = false -+++ - -## What is the Fediverse? - -The fediverse is a federated universe of servers commonly used for sharing -content, like social media. So, instead of having to rely on a single -organization to run the server (e.g. Facebook), the fediverse is a giant -collection of servers across the world, owned by many people and organizations. - -Take a look at this depiction of a federated network. -Each server in this photo is owned and run by different -administrators/owners. -Federated networks are best explained as email servers: you have an email -account that exists on a server (e.g. Outlook), your friend has an account on -a different server (e.g. GMail), and another friend has an account on a -third server (e.g. ProtonMail). -All three of you can talk and communicate back and forth without having to -be on the same server. -However, responsible email admins are there to set rules and control the +#+title: A Simple Guide to the Fediverse +#+date: 2021-01-04 + +** What is the Fediverse? +:PROPERTIES: +:CUSTOM_ID: what-is-the-fediverse +:END: +The fediverse is a federated universe of servers commonly used for +sharing content, like social media. So, instead of having to rely on a +single organization to run the server (e.g. Facebook), the fediverse is +a giant collection of servers across the world, owned by many people and +organizations. + +Take a look at this depiction of a federated network. Each server in +this photo is owned and run by different administrators/owners. +Federated networks are best explained as email servers: you have an +email account that exists on a server (e.g. Outlook), your friend has an +account on a different server (e.g. GMail), and another friend has an +account on a third server (e.g. ProtonMail). All three of you can talk +and communicate back and forth without having to be on the same server. +However, responsible email admins are there to set rules and control the traffic going in/out of the server. - +#+caption: Federated services diagram +[[https://img.cleberg.net/blog/20210104-a-simple-guide-to-the-fediverse/federated-example.svg]] -The main objective of this architecture is to decentralize the control within -the internet connections. For example, if you run your own Mastodon instance, -you and your users can't be censored or impacted in any way by authorities of -another Mastodon instance. Some users have praised these features due to recent -criticism of popular social media websites that may be over-censoring their -users. +The main objective of this architecture is to decentralize the control +within the internet connections. For example, if you run your own +Mastodon instance, you and your users can't be censored or impacted in +any way by authorities of another Mastodon instance. Some users have +praised these features due to recent criticism of popular social media +websites that may be over-censoring their users. This strategy is great for making sure control of the social web isn't -controlled by a single organization, but it also has some downsides. If I create -a Mastodon instance and get a ton of users to sign up, I can shut the server -down at any time. That means you're at risk of losing the content you've created -unless you back it up, or the server backs it up for you. Also, depending on the -software used (e.g. Mastodon, Pixelfed, etc.), censorship may still be an issue -if the server admins decide they want to censor their users. Now, censorship -isn't always a bad thing and can even benefit the community as a whole, but -you'll want to determine which servers align with your idea of proper -censorship. - -However, these are risks that we take when we sign up for any online platform. -Whatever your reason is for trying out federated social networks, they are part -of the future of the internet. However, the popularity of these services is -still yet to be determined, especially with the increased difficulty -understanding and signing up for these platforms. Perhaps increased regulation -and litigation against current social media sites will push more users into the -fediverse. - -## Federated Alternatives to Popular Sites - -The list below is a small guide that will show you federated alternatives to -current popular websites. -There are many more out there, so go and explore: you might just find the -perfect home. - -### Reddit - -- [Lemmy](https://lemmy.ml/instances) - -### Twitter/Facebook/Tumblr - -- [Mastodon](https://joinmastodon.org) -- [Diaspora](https://diasporafoundation.org) -- [Friendica](https://friendi.ca) -- [GNU Social](https://gnusocial.network) -- [Pleroma](https://pleroma.social) - -### Instagram - -- [Pixelfed](https://pixelfed.org) - -### Slack/Discord - -- [Matrix](https://element.io) - -### Youtube/Vimeo - -- [Peertube](https://joinpeertube.org) - -### Spotify/Soundcloud - -- [Funkwhale](https://funkwhale.audio) - -### Podcasting - -- [Pubcast](https://pubcast.pub) - -### Medium/Blogger - -- [WriteFreely](https://writefreely.org) - -## Get Started - -The best way to get started is to simply sign up and learn as you go. If you're -comfortable signing up through a Mastodon, Pleroma, or Friendica server, here is -[a list of themed servers](https://fediverse.party/en/portal/servers) to choose -from. If you're looking for something else, try a web search for a federated -alternative to your favorite sites. +controlled by a single organization, but it also has some downsides. If +I create a Mastodon instance and get a ton of users to sign up, I can +shut the server down at any time. That means you're at risk of losing +the content you've created unless you back it up, or the server backs it +up for you. Also, depending on the software used (e.g. Mastodon, +Pixelfed, etc.), censorship may still be an issue if the server admins +decide they want to censor their users. Now, censorship isn't always a +bad thing and can even benefit the community as a whole, but you'll want +to determine which servers align with your idea of proper censorship. + +However, these are risks that we take when we sign up for any online +platform. Whatever your reason is for trying out federated social +networks, they are part of the future of the internet. However, the +popularity of these services is still yet to be determined, especially +with the increased difficulty understanding and signing up for these +platforms. Perhaps increased regulation and litigation against current +social media sites will push more users into the fediverse. + +** Federated Alternatives to Popular Sites +:PROPERTIES: +:CUSTOM_ID: federated-alternatives-to-popular-sites +:END: +The list below is a small guide that will show you federated +alternatives to current popular websites. There are many more out there, +so go and explore: you might just find the perfect home. + +*** Reddit +:PROPERTIES: +:CUSTOM_ID: reddit +:END: +- [[https://lemmy.ml/instances][Lemmy]] + +*** Twitter/Facebook/Tumblr +:PROPERTIES: +:CUSTOM_ID: twitterfacebooktumblr +:END: +- [[https://joinmastodon.org][Mastodon]] +- [[https://diasporafoundation.org][Diaspora]] +- [[https://friendi.ca][Friendica]] +- [[https://gnusocial.network][GNU Social]] +- [[https://pleroma.social][Pleroma]] + +*** Instagram +:PROPERTIES: +:CUSTOM_ID: instagram +:END: +- [[https://pixelfed.org][Pixelfed]] + +*** Slack/Discord +:PROPERTIES: +:CUSTOM_ID: slackdiscord +:END: +- [[https://element.io][Matrix]] + +*** Youtube/Vimeo +:PROPERTIES: +:CUSTOM_ID: youtubevimeo +:END: +- [[https://joinpeertube.org][Peertube]] + +*** Spotify/Soundcloud +:PROPERTIES: +:CUSTOM_ID: spotifysoundcloud +:END: +- [[https://funkwhale.audio][Funkwhale]] + +*** Podcasting +:PROPERTIES: +:CUSTOM_ID: podcasting +:END: +- [[https://pubcast.pub][Pubcast]] + +*** Medium/Blogger +:PROPERTIES: +:CUSTOM_ID: mediumblogger +:END: +- [[https://writefreely.org][WriteFreely]] + +** Get Started +:PROPERTIES: +:CUSTOM_ID: get-started +:END: +The best way to get started is to simply sign up and learn as you go. If +you're comfortable signing up through a Mastodon, Pleroma, or Friendica +server, here is [[https://fediverse.party/en/portal/servers][a list of +themed servers]] to choose from. If you're looking for something else, +try a web search for a federated alternative to your favorite sites. Find a server that focuses on your passions and start there! diff --git a/blog/2021-01-07-ufw.org b/blog/2021-01-07-ufw.org index aad5b81..242e296 100644 --- a/blog/2021-01-07-ufw.org +++ b/blog/2021-01-07-ufw.org @@ -1,158 +1,173 @@ -+++ -date = 2021-01-07 -title = "Secure Your Network with the Uncomplicated Firewall" -description = "Learn how to use the UFW, one of the simplest and most widely available firewalls on Linux." -draft = false -+++ - -## Uncomplicated Firewall - -Uncomplicated Firewall, also known as ufw, is a convenient and beginner-friendly -way to enforce OS-level firewall rules. For those who are hosting servers or any -device that is accessible to the world (i.e., by public IP or domain name), it's -critical that a firewall is properly implemented and active. - -Ufw is available by default in all Ubuntu installations after 8.04 LTS. For -other distributions, you can look to install ufw or check if there are -alternative firewalls installed already. There are usually alternatives -available, such as Fedora's `firewall` and the package available on most -distributions: `iptables`. Ufw is considered a beginner-friendly front-end to -iptables. - -[Gufw](https://gufw.org) is available as a graphical user interface (GUI) -application for users who are uncomfortable setting up a firewall through a -terminal. - - - -## Getting Help - -If you need help figuring out commands, remember that you can run the `--help` -flag to get a list of options. - -```sh +#+title: Secure Your Network with the Uncomplicated Firewall +#+date: 2021-01-07 + +** Uncomplicated Firewall +:PROPERTIES: +:CUSTOM_ID: uncomplicated-firewall +:END: +Uncomplicated Firewall, also known as ufw, is a convenient and +beginner-friendly way to enforce OS-level firewall rules. For those who +are hosting servers or any device that is accessible to the world (i.e., +by public IP or domain name), it's critical that a firewall is properly +implemented and active. + +Ufw is available by default in all Ubuntu installations after 8.04 LTS. +For other distributions, you can look to install ufw or check if there +are alternative firewalls installed already. There are usually +alternatives available, such as Fedora's =firewall= and the package +available on most distributions: =iptables=. Ufw is considered a +beginner-friendly front-end to iptables. + +[[https://gufw.org][Gufw]] is available as a graphical user interface +(GUI) application for users who are uncomfortable setting up a firewall +through a terminal. + +[[https://img.cleberg.net/blog/20210107-secure-your-network-with-the-uncomplicated-firewall/gufw.png]] + +** Getting Help +:PROPERTIES: +:CUSTOM_ID: getting-help +:END: +If you need help figuring out commands, remember that you can run the +=--help= flag to get a list of options. + +#+begin_src sh sudo ufw --help -``` - -## Set Default State - -The proper way to run a firewall is to set a strict default state and slowly -open up ports that you want to allow. This helps prevent anything malicious from -slipping through the cracks. The following command prevents all incoming traffic -(other than the rules we specify later), but you can also set this for outgoing -connections, if necessary. - -```sh +#+end_src + +** Set Default State +:PROPERTIES: +:CUSTOM_ID: set-default-state +:END: +The proper way to run a firewall is to set a strict default state and +slowly open up ports that you want to allow. This helps prevent anything +malicious from slipping through the cracks. The following command +prevents all incoming traffic (other than the rules we specify later), +but you can also set this for outgoing connections, if necessary. + +#+begin_src sh sudo ufw default deny incoming -``` +#+end_src -You should also allow outgoing traffic if you want to allow the device to -communicate back to you or other parties. For example, media servers like Plex -need to be able to send out data related to streaming the media. +You should also allow outgoing traffic if you want to allow the device +to communicate back to you or other parties. For example, media servers +like Plex need to be able to send out data related to streaming the +media. -```sh +#+begin_src sh sudo ufw default allow outgoing -``` - -## Adding Port Rules +#+end_src -Now that we've disabled all incoming traffic by default, we need to open up some -ports (or else no traffic would be able to come in). If you need to be able to -`ssh` into the machine, you'll need to open up port 22. +** Adding Port Rules +:PROPERTIES: +:CUSTOM_ID: adding-port-rules +:END: +Now that we've disabled all incoming traffic by default, we need to open +up some ports (or else no traffic would be able to come in). If you need +to be able to =ssh= into the machine, you'll need to open up port 22. -```sh +#+begin_src sh sudo ufw allow 22 -``` +#+end_src -You can also issue more restrictive rules. The following rule will allow `ssh` -connections only from machines on the local subnet. +You can also issue more restrictive rules. The following rule will allow +=ssh= connections only from machines on the local subnet. -```sh +#+begin_src sh sudo ufw allow proto tcp from 192.168.0.0/24 to any port 22 -``` +#+end_src -If you need to set a rule that isn't tcp, just append your connection type to -the end of the rule. +If you need to set a rule that isn't tcp, just append your connection +type to the end of the rule. -```sh +#+begin_src sh sudo ufw allow 1900/udp -``` - -## Enable ufw +#+end_src +** Enable ufw +:PROPERTIES: +:CUSTOM_ID: enable-ufw +:END: Now that the firewall is configured and ready to go, you can enable the firewall. -```sh +#+begin_src sh sudo ufw enable -``` +#+end_src A restart may be required for the firewall to begin operating. -```sh +#+begin_src sh sudo reboot now -``` +#+end_src -## Checking Status +** Checking Status +:PROPERTIES: +:CUSTOM_ID: checking-status +:END: +Now that the firewall is enabled, let's check and see what the rules +look like. -Now that the firewall is enabled, let's check and see what the rules look like. - -```sh +#+begin_src sh sudo ufw status numbered -``` +#+end_src -```txt +#+begin_src txt Status: active To Action From -- ------ ---- [ 1] 22 ALLOW IN Anywhere [ 2] 22 (v6) ALLOW IN Anywhere (v6) -``` - -## Deleting Rules +#+end_src -If you need to delete a rule, you need to know the number associated with that -rule. -Let's delete the first rule in the table above. -You'll be asked to confirm the deletion as part of this process. +** Deleting Rules +:PROPERTIES: +:CUSTOM_ID: deleting-rules +:END: +If you need to delete a rule, you need to know the number associated +with that rule. Let's delete the first rule in the table above. You'll +be asked to confirm the deletion as part of this process. -```sh +#+begin_src sh sudo ufw delete 1 -``` - -## Managing App Rules - -Luckily, there's a convenient way for installed applications to create files -that ufw can easily implement so that you don't have to search and find which -ports your application requires. To see if your device has any applications with -pre-installed ufw rules, execute the following command: - -```sh +#+end_src + +** Managing App Rules +:PROPERTIES: +:CUSTOM_ID: managing-app-rules +:END: +Luckily, there's a convenient way for installed applications to create +files that ufw can easily implement so that you don't have to search and +find which ports your application requires. To see if your device has +any applications with pre-installed ufw rules, execute the following +command: + +#+begin_src sh sudo ufw app list -``` +#+end_src The results should look something like this: -```txt +#+begin_src txt Available applications: OpenSSH Samba plexmediaserver plexmediaserver-all plexmediaserver-dlna -``` +#+end_src -If you want to get more information on a specific app rule, use the `info` -command. +If you want to get more information on a specific app rule, use the +=info= command. -```sh +#+begin_src sh sudo ufw app info plexmediaserver-dlna -``` +#+end_src You'll get a blurb of info back like this: -```txt +#+begin_src txt Profile: plexmediaserver-dlna Title: Plex Media Server (DLNA) Description: The Plex Media Server (additional DLNA capability only) @@ -160,29 +175,31 @@ Description: The Plex Media Server (additional DLNA capability only) Ports: 1900/udp 32469/tcp -``` +#+end_src -You can add or delete app rules the same way that you'd add or delete specific -port rules. +You can add or delete app rules the same way that you'd add or delete +specific port rules. -```sh +#+begin_src sh sudo ufw allow plexmediaserver-dlna -``` +#+end_src -```sh +#+begin_src sh sudo ufw delete RULE|NUM -``` - -## Creating App Rules +#+end_src -If you'd like to create you own app rule, you'll need to create a file in the -`/etc/ufw/applications.d` directory. Within the file you create, you need to -make sure the content is properly formatted. +** Creating App Rules +:PROPERTIES: +:CUSTOM_ID: creating-app-rules +:END: +If you'd like to create you own app rule, you'll need to create a file +in the =/etc/ufw/applications.d= directory. Within the file you create, +you need to make sure the content is properly formatted. -For example, here are the contents my `plexmediaserver` file, which creates -three distinct app rules for ufw: +For example, here are the contents my =plexmediaserver= file, which +creates three distinct app rules for ufw: -```config +#+begin_src config [plexmediaserver] title=Plex Media Server (Standard) description=The Plex Media Server @@ -197,24 +214,24 @@ ports=1900/udp|32469/tcp title=Plex Media Server (Standard + DLNA) description=The Plex Media Server (with additional DLNA capability) ports=32400/tcp|3005/tcp|5353/udp|8324/tcp|32410:32414/udp|1900/udp|32469/tcp -``` +#+end_src -So, if I wanted to create a custom app rule called "mycustomrule," I'd create a -file and add my content like this: +So, if I wanted to create a custom app rule called "mycustomrule," I'd +create a file and add my content like this: -```sh +#+begin_src sh sudo nano /etc/ufw/applications.d/mycustomrule -``` +#+end_src -```config +#+begin_src config [mycustomrule] title=My Custom Rule description=This is a temporary ufw app rule. ports=88/tcp|9100/udp -``` +#+end_src Then, I would just enable this rule in ufw. -```sh +#+begin_src sh sudo ufw allow mycustomrule -``` +#+end_src diff --git a/blog/2021-02-19-macos.org b/blog/2021-02-19-macos.org index 33353b7..efbe257 100644 --- a/blog/2021-02-19-macos.org +++ b/blog/2021-02-19-macos.org @@ -1,205 +1,225 @@ -+++ -date = 2021-02-19 -title = "macOS: Testing Out A New OS" -description = "My personal experience with macOS, from the perspective of a Linux junkie." -draft = false -+++ - -## Diving into macOS - -After spending nearly 15 years working with Windows and 8 years on Linux, I -have experienced macOS for the first time. -By chance, my spouse happened to buy a new MacBook and gifted me their 2013 -model. -Of course, I still consider my Linux desktop to be my daily driver and keep -Windows around for gaming needs, but over the past week I've found myself using -the MacBook more and more for things that don't require gaming specs or advanced -dev tools. - -## Initial Thoughts - -Before I move on to the technical aspects of my set-up, I want to take some time -and express my thoughts on the overall OS. - - - -As expected, the initial computer setup is a breeze with Mac's guided GUI -installer. - -The desktop itself reminds me of GNOME more than anything else I've seen: even -Pantheon from [ElementaryOS](https://elementary.io/), which people commonly -refer to as the closest Linux distro to macOS. The desktop toolbar is great and -far surpasses the utility of the GNOME toolbar due to the fact that the -extensions and icons _actually work_. I launch macOS and immediately see my -shortcuts for Tresorit, Bitwarden, and Mullvad pop up as the computer loads. - -Even further, the app dock is very useful and will be yet another familiarity -for GNOME users. I know many people like panels instead of docks, but I've -always found docks to have a more pleasing UI. However, I had to disable the -"Show recent applications in Dock" preference; I can't stand items taking up -precious screen space if I'm not currently using them. On that same note, it's -taking me some time to get use to the fact that I have to manually quit an app -or else it will still stay open/active in the dock, even if I've closed out all -windows for that app (e.g. Firefox). - -Overall, I'm having a lot of fun and for users who spend a large majority of -their time performing basic tasks like web browsing, writing, watching media, -etc., macOS is a fantastic option. +#+title: macOS: Testing Out A New OS +#+date: 2021-02-19 + +** Diving into macOS +:PROPERTIES: +:CUSTOM_ID: diving-into-macos +:END: +After spending nearly 15 years working with Windows and 8 years on +Linux, I have experienced macOS for the first time. By chance, my spouse +happened to buy a new MacBook and gifted me their 2013 model. Of course, +I still consider my Linux desktop to be my daily driver and keep Windows +around for gaming needs, but over the past week I've found myself using +the MacBook more and more for things that don't require gaming specs or +advanced dev tools. + +** Initial Thoughts +:PROPERTIES: +:CUSTOM_ID: initial-thoughts +:END: +Before I move on to the technical aspects of my set-up, I want to take +some time and express my thoughts on the overall OS. + +#+caption: macOS Desktop +[[https://img.cleberg.net/blog/20210219-macos-testing-out-a-new-os/macos-desktop.png]] + +As expected, the initial computer setup is a breeze with Mac's guided +GUI installer. + +The desktop itself reminds me of GNOME more than anything else I've +seen: even Pantheon from [[https://elementary.io/][ElementaryOS]], which +people commonly refer to as the closest Linux distro to macOS. The +desktop toolbar is great and far surpasses the utility of the GNOME +toolbar due to the fact that the extensions and icons /actually work/. I +launch macOS and immediately see my shortcuts for Tresorit, Bitwarden, +and Mullvad pop up as the computer loads. + +Even further, the app dock is very useful and will be yet another +familiarity for GNOME users. I know many people like panels instead of +docks, but I've always found docks to have a more pleasing UI. However, +I had to disable the "Show recent applications in Dock" preference; I +can't stand items taking up precious screen space if I'm not currently +using them. On that same note, it's taking me some time to get use to +the fact that I have to manually quit an app or else it will still stay +open/active in the dock, even if I've closed out all windows for that +app (e.g. Firefox). + +Overall, I'm having a lot of fun and for users who spend a large +majority of their time performing basic tasks like web browsing, +writing, watching media, etc., macOS is a fantastic option. The rest of this post explains the technicalities of how I set up my CLI -environment to make me feel more at-home, similar to the environments I set up -on Fedora, Ubuntu, etc. - -## Making it Feel Like Home - -If you're someone who uses Linux primarily, no doubt your first thought when -booting macOS will be the same as mine was: "Where is the terminal and how do I -set up my favorite utilities?" - -Luckily, macOS hasn't completely hidden away the development tools from the -average user. You can easily find the Terminal app in the Launchpad area, but -it's probably not what you're used to. I was surprised (and happy) to see that -the default shell is `zsh`, the shell I use on all of my Linux distros. However, -the commands are not the same - even the ones you may think are native to the -shell. Commands like `dir` do not exist, so other native commands like `ls -la` -or `pwd` are more useful here. - -With only a few minutes of installing and tweaking a few packages, I was able to -recreate a terminal environment that I feel very comfortable using. See the -image below for a preview of the iTerm2 app with a split view between my macOS -desktop shell and an SSH session into my server. - - - -## Xcode - -My first step was to search the web for any hints on how to get `zsh` back up to -the state I like, with extensions, themes, etc. My first step was to install the -CLI tools for [Xcode](https://developer.apple.com/xcode/), Apple's suite of +environment to make me feel more at-home, similar to the environments I +set up on Fedora, Ubuntu, etc. + +** Making it Feel Like Home +:PROPERTIES: +:CUSTOM_ID: making-it-feel-like-home +:END: +If you're someone who uses Linux primarily, no doubt your first thought +when booting macOS will be the same as mine was: "Where is the terminal +and how do I set up my favorite utilities?" + +Luckily, macOS hasn't completely hidden away the development tools from +the average user. You can easily find the Terminal app in the Launchpad +area, but it's probably not what you're used to. I was surprised (and +happy) to see that the default shell is =zsh=, the shell I use on all of +my Linux distros. However, the commands are not the same - even the ones +you may think are native to the shell. Commands like =dir= do not exist, +so other native commands like =ls -la= or =pwd= are more useful here. + +With only a few minutes of installing and tweaking a few packages, I was +able to recreate a terminal environment that I feel very comfortable +using. See the image below for a preview of the iTerm2 app with a split +view between my macOS desktop shell and an SSH session into my server. + +#+caption: iTerm2 +[[https://img.cleberg.net/blog/20210219-macos-testing-out-a-new-os/iterm2.png]] + +** Xcode +:PROPERTIES: +:CUSTOM_ID: xcode +:END: +My first step was to search the web for any hints on how to get =zsh= +back up to the state I like, with extensions, themes, etc. My first step +was to install the CLI tools for +[[https://developer.apple.com/xcode/][Xcode]], Apple's suite of development tools. -```sh +#+begin_src sh sudo xcode-select -r -``` +#+end_src -```sh +#+begin_src sh sudo xcode-select --install -``` - -## Homebrew +#+end_src -Next up is to install [Homebrew](https://brew.sh), a nifty package manager for -macOS. +** Homebrew +:PROPERTIES: +:CUSTOM_ID: homebrew +:END: +Next up is to install [[https://brew.sh][Homebrew]], a nifty package +manager for macOS. -```sh +#+begin_src sh /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)" -``` +#+end_src I ran into a permission error when installing Homebrew: -```sh +#+begin_src sh Error: Failed to link all completions, docs and manpages: Permission denied @ rb_file_s_symlink - (../../../Homebrew/completions/zsh/_brew, /usr/local/share/zsh/site-functions/_brew) Failed during: /usr/local/bin/brew update --force --quiet -``` +#+end_src -I found that the following permission modification worked like a charm. However, -I noted that some users online discussed the fact that this solution may not -work if your system has multiple users who use Homebrew. +I found that the following permission modification worked like a charm. +However, I noted that some users online discussed the fact that this +solution may not work if your system has multiple users who use +Homebrew. -```sh +#+begin_src sh sudo chown -R $(whoami) $(brew --prefix)/* -``` +#+end_src Next up is to ensure Homebrew is updated and cleaned. -```sh +#+begin_src sh brew update -``` +#+end_src -```sh +#+begin_src sh brew cleanup -``` +#+end_src -## iTerm2 +** iTerm2 +:PROPERTIES: +:CUSTOM_ID: iterm2 +:END: +Now that I've installed the basic utilities for development, I moved +onto installing iTerm2, a much better terminal than the default. -Now that I've installed the basic utilities for development, I moved onto -installing iTerm2, a much better terminal than the default. - -```sh +#+begin_src sh brew install --cask iterm2 -``` +#+end_src -I also used the `Make iTerm2 Default Term` and `Install Shell Integration` -options in the iTerm2 application menu to make sure I don't run into any issues -later on with different terminals. +I also used the =Make iTerm2 Default Term= and +=Install Shell Integration= options in the iTerm2 application menu to +make sure I don't run into any issues later on with different terminals. -We will also install `zsh` so we can use it in iTerm2. +We will also install =zsh= so we can use it in iTerm2. -```sh +#+begin_src sh brew install zsh -``` - -## Oh-My-Zsh +#+end_src -I've shown the great aspects of [Oh My Zsh](https://ohmyz.sh) in other blog -posts, so I'll skip over that speech for now. Simply install it and run an -update. +** Oh-My-Zsh +:PROPERTIES: +:CUSTOM_ID: oh-my-zsh +:END: +I've shown the great aspects of [[https://ohmyz.sh][Oh My Zsh]] in other +blog posts, so I'll skip over that speech for now. Simply install it and +run an update. -```sh +#+begin_src sh sh -c "$(curl -fsSL https://raw.githubusercontent.com/robbyrussell/oh-my-zsh/master/tools/install.sh)" -``` +#+end_src -```sh +#+begin_src sh omz update -``` +#+end_src -Finally, restart the iTerm2 application to ensure all changes go into effect. +Finally, restart the iTerm2 application to ensure all changes go into +effect. -## Oh-My-Zsh Themes +** Oh-My-Zsh Themes +:PROPERTIES: +:CUSTOM_ID: oh-my-zsh-themes +:END: +Let's change the theme of the terminal to make it a little more +friendly. -Let's change the theme of the terminal to make it a little more friendly. - -```sh +#+begin_src sh open ~/.zshrc -``` +#+end_src -The third section of this file should contain a line like the code below. Change -that theme to -[any theme you want](https://github.com/ohmyzsh/ohmyzsh/wiki/Themes), save the -file, and exit. +The third section of this file should contain a line like the code +below. Change that theme to +[[https://github.com/ohmyzsh/ohmyzsh/wiki/Themes][any theme you want]], +save the file, and exit. -```sh +#+begin_src sh ZSH_THEME="af-magic" -``` - -After changing the `.zshrc` file, you'll need to close your terminal and re-open -it to see the changes. -Optionally, just open a new tab if you're using iTerm2, and you'll see the -new shell config. +#+end_src -## Oh-My-Zsh Plugins - -Of course, my customization of `zsh` would not be complete without -[zsh-autosuggestions](https://github.com/zsh-users/zsh-autosuggestions). This -will bring up commands you've run in the past as you type them. For example, if -you've run `ssh user@192.168.1.99` before, the terminal will show this command -as soon as you start typing it (e.g. `zsh u`), and you can hit the right arrow -to autocomplete the command. +After changing the =.zshrc= file, you'll need to close your terminal and +re-open it to see the changes. Optionally, just open a new tab if you're +using iTerm2, and you'll see the new shell config. -```sh +** Oh-My-Zsh Plugins +:PROPERTIES: +:CUSTOM_ID: oh-my-zsh-plugins +:END: +Of course, my customization of =zsh= would not be complete without +[[https://github.com/zsh-users/zsh-autosuggestions][zsh-autosuggestions]]. +This will bring up commands you've run in the past as you type them. For +example, if you've run =ssh user@192.168.1.99= before, the terminal will +show this command as soon as you start typing it (e.g. =zsh u=), and you +can hit the right arrow to autocomplete the command. + +#+begin_src sh git clone https://github.com/zsh-users/zsh-autosuggestions ${ZSH_CUSTOM:-~/.oh-my-zsh/custom}/plugins/zsh-autosuggestions -``` +#+end_src -```sh +#+begin_src sh open ~/.zshrc -``` +#+end_src -```sh +#+begin_src sh # Scroll down the script and edit this line to add zsh-autosuggestions plugins=(git zsh-autosuggestions) -``` +#+end_src -Remember: After changing the `.zshrc` file, you'll need to close your terminal -and re-open it to see the changes. Optionally, just open a new tab if you're -using iTerm2, and you'll see the new shell config. +Remember: After changing the =.zshrc= file, you'll need to close your +terminal and re-open it to see the changes. Optionally, just open a new +tab if you're using iTerm2, and you'll see the new shell config. diff --git a/blog/2021-03-19-clone-github-repos.org b/blog/2021-03-19-clone-github-repos.org index 795b766..edd8fda 100644 --- a/blog/2021-03-19-clone-github-repos.org +++ b/blog/2021-03-19-clone-github-repos.org @@ -1,60 +1,59 @@ -+++ -date = 2021-03-19 -title = "How to Clone All Repositories from a GitHub or Sourcehut Account" -description = "Learn how to properly clone all repositories from a GitHub or sourcehut account." -draft = false -+++ - -## Cloning from GitHub - -If you're like me and use a lot of different devices (and sometimes decide to -just wipe your device and start with a new OS), you probably know the pain of -cloning all your old code repositories down to your local file system. - -If you're using GitHub, you can easily clone all of your code back down in just -seconds. -First, create a bash script. -I do so by opening a new file in `nano`, but you can use `gedit`, `vim`, or -something else: - -```sh +#+title: How to Clone All Repositories from a GitHub or Sourcehut Account +#+date: 2021-03-19 + +** Cloning from GitHub +:PROPERTIES: +:CUSTOM_ID: cloning-from-github +:END: +If you're like me and use a lot of different devices (and sometimes +decide to just wipe your device and start with a new OS), you probably +know the pain of cloning all your old code repositories down to your +local file system. + +If you're using GitHub, you can easily clone all of your code back down +in just seconds. First, create a bash script. I do so by opening a new +file in =nano=, but you can use =gedit=, =vim=, or something else: + +#+begin_src sh nano clone_github_repos.sh -``` +#+end_src -Next, paste in the following information. Note that you can replace the word -`users` in the first line with `orgs` and type an organization's name instead of -a user's name. +Next, paste in the following information. Note that you can replace the +word =users= in the first line with =orgs= and type an organization's +name instead of a user's name. -```sh +#+begin_src sh CNTX=users; NAME=YOUR-USERNAME; PAGE=1 curl "https://api.github.com/$CNTX/$NAME/repos?page=$PAGE&per_page=100" | grep -e 'git_url*' | cut -d \" -f 4 | xargs -L1 git clone -``` +#+end_src Finally, save the bash script and make it executable. -```sh +#+begin_src sh chmod a+x clone_github_repos.sh -``` +#+end_src Now you can run the script and should see the cloning process begin. -```sh +#+begin_src sh ./clone_github_repos.sh -``` +#+end_src -## Cloning from Sourcehut - -I haven't fully figured out how to directly incorporate Sourcehut's GraphQL API -into a bash script yet, so this one will take two steps. +** Cloning from Sourcehut +:PROPERTIES: +:CUSTOM_ID: cloning-from-sourcehut +:END: +I haven't fully figured out how to directly incorporate Sourcehut's +GraphQL API into a bash script yet, so this one will take two steps. First, log-in to Sourcehut and go to their -[GraphQL playground for Git](https://git.sr.ht/graphql). Next, paste the -following query into the left box: +[[https://git.sr.ht/graphql][GraphQL playground for Git]]. Next, paste +the following query into the left box: -```sh +#+begin_src sh query { me { canonicalName @@ -66,26 +65,27 @@ query { } } } -``` +#+end_src -The output on the right side will give you an object of all your repositories. -Just grab that text and remove all the characters such as quotation marks and -curly brackets. You will need a single-line list of space-separated values for -the next step. +The output on the right side will give you an object of all your +repositories. Just grab that text and remove all the characters such as +quotation marks and curly brackets. You will need a single-line list of +space-separated values for the next step. Now let's create the bash script: -```sh +#+begin_src sh nano clone_sourcehut_repos.sh -``` +#+end_src -Next, paste the following bash script in with the list of repositories you -obtained above and replace `your-username` with your username. +Next, paste the following bash script in with the list of repositories +you obtained above and replace =your-username= with your username. -Note that this uses the SSH-based Git cloning method (e.g. `git@git...`), so -you'll need to ensure you have set up Sourcehut with your SSH key. +Note that this uses the SSH-based Git cloning method +(e.g. =git@git...=), so you'll need to ensure you have set up Sourcehut +with your SSH key. -```sh +#+begin_src sh repos=(repo1 repo2 repo3) # List all sub-directories in the current directory @@ -94,36 +94,38 @@ do # Clone git clone git@git.sr.ht:~your-username/$repo done -``` +#+end_src Finally, save the bash script and make it executable. -```sh +#+begin_src sh chmod a+x clone_sourcehut_repos.sh -``` +#+end_src Now you can run the script and should see the cloning process begin. -```sh +#+begin_src sh ./clone_sourcehut_repos.sh -``` - -## Moving Repositories to a New Host +#+end_src -Now that you have all of your code repositories cloned to your local computer, -you may want to change the remote host (e.g., moving from GitHub to GitLab). -To do this, let's create another bash script: +** Moving Repositories to a New Host +:PROPERTIES: +:CUSTOM_ID: moving-repositories-to-a-new-host +:END: +Now that you have all of your code repositories cloned to your local +computer, you may want to change the remote host (e.g., moving from +GitHub to GitLab). To do this, let's create another bash script: -```sh +#+begin_src sh nano change_remote_urls.sh -``` +#+end_src -Past the following information and be sure to change the URL information to -whichever host you are moving to. For this example, I am looping through all of -my cloned GitHub directories and changing them to Sourcehut (e.g. -`<YOUR_NEW_REMOTE_URL>` -\> `git@git.sr.ht:~myusername`). +Past the following information and be sure to change the URL information +to whichever host you are moving to. For this example, I am looping +through all of my cloned GitHub directories and changing them to +Sourcehut (e.g. =<YOUR_NEW_REMOTE_URL>= -> =git@git.sr.ht:~myusername=). -```sh +#+begin_src sh # List all sub-directories in the current directory for dir in */ do @@ -138,16 +140,16 @@ do # Go back to main directory cd .. done -``` +#+end_src Finally, save the bash script and make it executable. -```sh +#+begin_src sh chmod a+x change_remote_urls.sh -``` +#+end_src Now you can run the script and should see the cloning process begin. -```sh +#+begin_src sh ./change_remote_urls.sh -``` +#+end_src diff --git a/blog/2021-03-28-gemini-capsule.org b/blog/2021-03-28-gemini-capsule.org index fe17864..d1ebcf7 100644 --- a/blog/2021-03-28-gemini-capsule.org +++ b/blog/2021-03-28-gemini-capsule.org @@ -1,30 +1,29 @@ -+++ -date = 2021-03-28 -title = "Launching a Gemini Capsule" -description = "Learn more about Gemini, an alternative internet protocol to the World Wide Web (WWW)" -draft = false -+++ - -## What is Gemini? - -[Gemini](https://gemini.circumlunar.space/) is an internet protocol introduced -in June 2019 as an alternative to HTTP(S) or Gopher. In layman's terms, it's an -alternative way to browse sites (called capsules) that requires a special -browser. Since Gemini is not standardized as an internet standard, normal web -browsers won't be able to load a Gemini capsule. -Instead, you'll need to use [a Gemini-specific browser](https://gemini. -circumlunar.space/clients.html). +#+title: Launching a Gemini Capsule +#+date: 2021-03-28 + +** What is Gemini? +:PROPERTIES: +:CUSTOM_ID: what-is-gemini +:END: +[[https://gemini.circumlunar.space/][Gemini]] is an internet protocol +introduced in June 2019 as an alternative to HTTP(S) or Gopher. In +layman's terms, it's an alternative way to browse sites (called +capsules) that requires a special browser. Since Gemini is not +standardized as an internet standard, normal web browsers won't be able +to load a Gemini capsule. Instead, you'll need to use +[[https://gemini.%20circumlunar.space/clients.html][a Gemini-specific +browser]]. The content found within a Gemini page is called -[Gemtext](https://gemini.circumlunar.space/docs/cheatsheet.gmi) and is -_extremely_ basic (on purpose). -Gemini only processes the text, no media content like images. However, -you're able to style 3 levels of headings, regular text, links (which will -display on their own line), quotes, and an unordered list. +[[https://gemini.circumlunar.space/docs/cheatsheet.gmi][Gemtext]] and is +/extremely/ basic (on purpose). Gemini only processes the text, no media +content like images. However, you're able to style 3 levels of headings, +regular text, links (which will display on their own line), quotes, and +an unordered list. Here's a complete listing of valid Gemtext: -```txt +#+begin_src txt # Heading 1 ## Heading 2 ### Heading 3 @@ -41,97 +40,109 @@ My List: * Item ```Anything between three backticks will be rendered as code.``` -``` - -## Free Option - -There are probably numerous websites that allow you to create your personal -Gemini capsule, but I'm going to focus on the two sites that I have personally -tested. The first option below, Midnight Pub, allows you to create/edit any -Gemini files you want in your account. This is essentially a GUI option with a -built-in text box for editing. The second option below, Sourcehut, allows you to -use a Git repository and automatic build process to deploy your personal Gemini -capsule every time you push a commit. - -### Midnight Pub - Beginner Friendly - -[Midnight Pub](https://midnight.pub/) is a small, virtual community meant to -reflect the atmosphere of wandering into a small alley pub. The site is built in -Gemtext and has a server-side process to convert Gemtext to HTML if someone -loads the site in an HTTP(S) browser. - -To create an account, you'll need to email the owner of the website to obtain a -key. -You can find their email on the Midnight Pub homepage. -Once registered, head to [your account](https://midnight.pub/account) and select -[manage site](https://midnight.pub/site). This is the screen where you can -upload or create any files to be displayed on the internet. - -For example, I've created both an HTML file and a Gemini file. Remember that -Gemini is automatically converted to HTML on the Pub, so you don't need an HTML -version. -For example, I created an HTML version to add in some extra styling. - -All you need to do is create a page like `index.gmi` and use your Gemini browser -to head over to your-username.midnight.pub to see the result. - -That's all there is to it! Easy enough, right? Let's check out a more advanced -version in the next section. - -## Paid Option - -As of 2021, Sourcehut has decided to require users to have a paid account in -order to utilize their automated build system. For now, paid accounts can be as -low as $2/month. - -### Sourcehut - -[Sourcehut](https://sourcehut.org/) is a collection of software development -tools, but mostly surrounds their hosted Git repository service. Simply put, -it's a minimal and more private alternative to services like GitHub. - -This walkthrough is more advanced and involves things like Git, SSH, the command -line. If you don't think you know enough to do this, check out my walkthrough on -creating a Gemini capsule for the Midnight Pub instead. - -The first thing you'll need to do is create an SSH key pair, if you don't -already have one on your system. Once created, grab the contents of `id_rsa.pub` -and add it to your Sourcehut account settings - this will allow you to push and -pull code changes without using a username/password. - -```sh +#+end_src + +** Free Option +:PROPERTIES: +:CUSTOM_ID: free-option +:END: +There are probably numerous websites that allow you to create your +personal Gemini capsule, but I'm going to focus on the two sites that I +have personally tested. The first option below, Midnight Pub, allows you +to create/edit any Gemini files you want in your account. This is +essentially a GUI option with a built-in text box for editing. The +second option below, Sourcehut, allows you to use a Git repository and +automatic build process to deploy your personal Gemini capsule every +time you push a commit. + +*** Midnight Pub - Beginner Friendly +:PROPERTIES: +:CUSTOM_ID: midnight-pub---beginner-friendly +:END: +[[https://midnight.pub/][Midnight Pub]] is a small, virtual community +meant to reflect the atmosphere of wandering into a small alley pub. The +site is built in Gemtext and has a server-side process to convert +Gemtext to HTML if someone loads the site in an HTTP(S) browser. + +To create an account, you'll need to email the owner of the website to +obtain a key. You can find their email on the Midnight Pub homepage. +Once registered, head to [[https://midnight.pub/account][your account]] +and select [[https://midnight.pub/site][manage site]]. This is the +screen where you can upload or create any files to be displayed on the +internet. + +For example, I've created both an HTML file and a Gemini file. Remember +that Gemini is automatically converted to HTML on the Pub, so you don't +need an HTML version. For example, I created an HTML version to add in +some extra styling. + +All you need to do is create a page like =index.gmi= and use your Gemini +browser to head over to your-username.midnight.pub to see the result. + +That's all there is to it! Easy enough, right? Let's check out a more +advanced version in the next section. + +** Paid Option +:PROPERTIES: +:CUSTOM_ID: paid-option +:END: +As of 2021, Sourcehut has decided to require users to have a paid +account in order to utilize their automated build system. For now, paid +accounts can be as low as $2/month. + +*** Sourcehut +:PROPERTIES: +:CUSTOM_ID: sourcehut +:END: +[[https://sourcehut.org/][Sourcehut]] is a collection of software +development tools, but mostly surrounds their hosted Git repository +service. Simply put, it's a minimal and more private alternative to +services like GitHub. + +This walkthrough is more advanced and involves things like Git, SSH, the +command line. If you don't think you know enough to do this, check out +my walkthrough on creating a Gemini capsule for the Midnight Pub +instead. + +The first thing you'll need to do is create an SSH key pair, if you +don't already have one on your system. Once created, grab the contents +of =id_rsa.pub= and add it to your Sourcehut account settings - this +will allow you to push and pull code changes without using a +username/password. + +#+begin_src sh ssh keygen -``` +#+end_src -Next up, let's create a repository with the proper name so that the Sourcehut -build system will know we want them to host a website for us. Use the following -format exactly: +Next up, let's create a repository with the proper name so that the +Sourcehut build system will know we want them to host a website for us. +Use the following format exactly: -```sh +#+begin_src sh mkdir your-username.srht.site && cd your-username.srht.site -``` +#+end_src -Now that we've created the repo, let's initialize Git and add the proper remote -URL. +Now that we've created the repo, let's initialize Git and add the proper +remote URL. -```sh +#+begin_src sh git init -``` +#+end_src -```sh +#+begin_src sh git remote add origin git@git.sr.ht:~your-username/your-username.srht.site -``` +#+end_src -Now that our repository is set up and configured, we will need to create at -least two files: +Now that our repository is set up and configured, we will need to create +at least two files: -- `index.gmi` -- `.build.yml` +- =index.gmi= +- =.build.yml= -For your `.build.yml` file, use the following content and be sure to update the -`site` line with your username! +For your =.build.yml= file, use the following content and be sure to +update the =site= line with your username! -```yaml +#+begin_src yaml image: alpine/latest oauth: pages.sr.ht/PAGES:RW environment: @@ -142,37 +153,38 @@ tasks: tar -cvz . > ../site.tar.gz - upload: | acurl -f https://pages.sr.ht/publish/$site -Fcontent=@site.tar.gz -Fprotocol=GEMINI -``` +#+end_src -For the `index.gmi` file, put whatever you want in there and save it. You could -even just copy and paste the Gemtext cheatsheet. +For the =index.gmi= file, put whatever you want in there and save it. +You could even just copy and paste the Gemtext cheatsheet. -If you want to serve both HTML and Gemini files from this repository, just add a -second command to the `upload` section: +If you want to serve both HTML and Gemini files from this repository, +just add a second command to the =upload= section: -```yaml +#+begin_src yaml - upload: | acurl -f https://pages.sr.ht/publish/$site -Fcontent=@site.tar.gz -Fprotocol=GEMINI acurl -f https://pages.sr.ht/publish/$site -Fcontent=@site.tar.gz -``` +#+end_src Lastly, commit your changes and push them to the remote repo. -```sh +#+begin_src sh git add .; git commit -m "initial commit"; git push --set-upstream origin HEAD -``` +#+end_src -If you've successfully created the files with the proper format, you'll see the -terminal print a message that lets you know where the automatic build is taking -place. For example, here's what the terminal tells me: +If you've successfully created the files with the proper format, you'll +see the terminal print a message that lets you know where the automatic +build is taking place. For example, here's what the terminal tells me: -```sh +#+begin_src sh remote: Build started: remote: https://builds.sr.ht/~user/job/689803 [.build.yml] -``` +#+end_src Now that you've properly built your Sourcehut page, you can browse to -your-username.srht.site in a Gemini browser and view the final results. Take a -look at the image below for my Sourcehut Gemini capsule. +your-username.srht.site in a Gemini browser and view the final results. +Take a look at the image below for my Sourcehut Gemini capsule. - +#+caption: Gemini page on the amfora browser +[[https://img.cleberg.net/blog/20210328-launching-a-gemini-capsule/amfora.png]] diff --git a/blog/2021-03-28-vaporwave-vs-outrun.org b/blog/2021-03-28-vaporwave-vs-outrun.org index 700a5d6..b12f472 100644 --- a/blog/2021-03-28-vaporwave-vs-outrun.org +++ b/blog/2021-03-28-vaporwave-vs-outrun.org @@ -1,120 +1,151 @@ -+++ -date = 2021-03-28 -title = "Vaporwave vs Outrun" -description = "This post discusses Vaporwave and Outrun, which have become almost synonymous in the minds of those online who aren't hardcore into these genres of media." -+++ - -## Overview - -When it comes to an aesthetic that originated primarily online, there tends to -be a lot of confusion around what falls into each specific genre. This post -discusses Vaporwave and Outrun, which have become almost synonymous in the minds -of those online who aren't hardcore into these genres of media. More -specifically, Outrun is largely an unknown term while all aesthetics in these -two genres are usually attributed to Vaporwave. For example, take a look at the -image search results for Vaporwave: the results include **a lot** of -Outrun-themed images. You'll find a similar trend almost everywhere. - - - -## Vaporwave - - - -Okay, so what is Vaporwave? I'm going to just copy-and-paste some general info -from the Wikipedia article on -[Vaporwave](https://en.wikipedia.org/wiki/Vaporwave), so that I'm not repeating -everything you can already search for online: - -> Vaporwave is a microgenre of electronic music, a visual art style, and an -> Internet meme that emerged in the early 2010s. It is defined partly by its -> slowed-down, chopped and screwed samples of smooth jazz, elevator, R&B, and -> lounge music from the 1980s and 1990s. The surrounding subculture is sometimes -> associated with an ambiguous or satirical take on consumer capitalism and pop -> culture, and tends to be characterized by a nostalgic or surrealist engagement -> with the popular entertainment, technology and advertising of previous -> decades. Visually, it incorporates early Internet imagery, late 1990s web -> design, glitch art, anime, 3D-rendered objects, and cyberpunk tropes in its -> cover artwork and music videos. - -This is an excellent summary, and it helps address my point here: there are -specific aspects that make Vaporwave unique: - -### Time Frame - -The time frame for references, logos, etc. focuses mostly on the 1990s in -Vaporwave. You'll see old school Pepsi logos, Microsoft 95 screens, tropical -plants, classic marble sculptures, and many references from Japan's influence in -the 90s. - -### Art - -The color scheme is generally a soft, light palette that uses pastel colors. The -backdrop will often be in a light-pink or teal blue. - -### Music - -The musical genre of Vaporwave incorporates soft tunes, lounge music, and sound -effects that will make the listener reminisce of the 90s. The sounds of the -genre are generally slower-paced and calming. The major breakthrough artist for -Vaporwave was [Macintosh Plus](https://en.wikipedia.org/wiki/Vektroid), who -released the album -[Floral Shoppe](https://archive.org/details/MACINTOSHPLUS-FLORALSHOPPE_complete) -in 2011. Another more recent example is the artist -[sadbert](https://sadbert.bandcamp.com/), whose latest album incorporates the -upbeat tones of the 1999 Dilbert TV series. - -Notice that Vaporwave doesn't include things like racing cars, futuristic -technology, chrome, or the deep orange/purple color scheme. Vaporwave is a focus -on the idyllic state of the world when technology was becoming common in -households, a reality that we have already experienced. Focus on the most -aesthetically-pleasing parts of that past is a large part of Vaporwave. - -## Outrun - - - -Now, let's get to Outrun. This one is a little trickier since the genre has -largely been lumped under the Vaporwave title for so long. However, it stems -from the [Synthwave](https://en.wikipedia.org/wiki/Synthwave) music genre and is -likely named after the 1986 racer game, -[Out Run](https://en.wikipedia.org/wiki/Out_Run). - -### Time Frame - -Outrun can be thought of as a retro-futuristic aesthetic born from the 1980s. - -### Art - -The color scheme uses a very dark color palette with the main colors being deep -oranges, blues, and purples. Red edges are common around objects in Outrun art. -The background of the Outrun aesthetic is almost always a neon grid like you'd -expect to see in Tron or a 1980s arcade machine. - -Classic sports cars, chrome robots, computer generated graphics and fonts, and -the occasional use of rain or palm trees can be found in Outrun art. - -### Music - -This aesthetic has a more aggressive and fast-paced style of music, which tends -to match the subject of the art in this aesthetic. - -Outrun enthusiasts love what people in the 1980s thought the future would look -like. Take a look at a common video game discussed in Outrun circles, Far Cry 3: -Blood Dragon: - - - -Another example that doesn't force the color scheme as hard as some online art -does is Kung Fury: - - - - - -## Conclusion - -While Vaporwave and Outrun share similarities, they are two distinct aesthetics -with many important distinctions. Someone who enjoys one may not necessarily -enjoy the other, so it's important to make sure we properly describe the -aesthetic we're looking for. +#+title: Vaporwave vs Outrun +#+date: 2021-03-28 + +** Overview +:PROPERTIES: +:CUSTOM_ID: overview +:END: +When it comes to an aesthetic that originated primarily online, there +tends to be a lot of confusion around what falls into each specific +genre. This post discusses Vaporwave and Outrun, which have become +almost synonymous in the minds of those online who aren't hardcore into +these genres of media. More specifically, Outrun is largely an unknown +term while all aesthetics in these two genres are usually attributed to +Vaporwave. For example, take a look at the image search results for +Vaporwave: the results include *a lot* of Outrun-themed images. You'll +find a similar trend almost everywhere. + +[[https://img.cleberg.net/blog/20210328-vaporwave-vs-outrun/vaporwave-search-results.png]] + +** Vaporwave +:PROPERTIES: +:CUSTOM_ID: vaporwave +:END: +[[https://img.cleberg.net/blog/20210328-vaporwave-vs-outrun/macintosh-plus.png]] + +Okay, so what is Vaporwave? I'm going to just copy-and-paste some +general info from the Wikipedia article on +[[https://en.wikipedia.org/wiki/Vaporwave][Vaporwave]], so that I'm not +repeating everything you can already search for online: + +#+begin_quote +Vaporwave is a microgenre of electronic music, a visual art style, and +an Internet meme that emerged in the early 2010s. It is defined partly +by its slowed-down, chopped and screwed samples of smooth jazz, +elevator, R&B, and lounge music from the 1980s and 1990s. The +surrounding subculture is sometimes associated with an ambiguous or +satirical take on consumer capitalism and pop culture, and tends to be +characterized by a nostalgic or surrealist engagement with the popular +entertainment, technology and advertising of previous decades. Visually, +it incorporates early Internet imagery, late 1990s web design, glitch +art, anime, 3D-rendered objects, and cyberpunk tropes in its cover +artwork and music videos. + +#+end_quote + +This is an excellent summary, and it helps address my point here: there +are specific aspects that make Vaporwave unique: + +*** Time Frame +:PROPERTIES: +:CUSTOM_ID: time-frame +:END: +The time frame for references, logos, etc. focuses mostly on the 1990s +in Vaporwave. You'll see old school Pepsi logos, Microsoft 95 screens, +tropical plants, classic marble sculptures, and many references from +Japan's influence in the 90s. + +*** Art +:PROPERTIES: +:CUSTOM_ID: art +:END: +The color scheme is generally a soft, light palette that uses pastel +colors. The backdrop will often be in a light-pink or teal blue. + +*** Music +:PROPERTIES: +:CUSTOM_ID: music +:END: +The musical genre of Vaporwave incorporates soft tunes, lounge music, +and sound effects that will make the listener reminisce of the 90s. The +sounds of the genre are generally slower-paced and calming. The major +breakthrough artist for Vaporwave was +[[https://en.wikipedia.org/wiki/Vektroid][Macintosh Plus]], who released +the album +[[https://archive.org/details/MACINTOSHPLUS-FLORALSHOPPE_complete][Floral +Shoppe]] in 2011. Another more recent example is the artist +[[https://sadbert.bandcamp.com/][sadbert]], whose latest album +incorporates the upbeat tones of the 1999 Dilbert TV series. + +Notice that Vaporwave doesn't include things like racing cars, +futuristic technology, chrome, or the deep orange/purple color scheme. +Vaporwave is a focus on the idyllic state of the world when technology +was becoming common in households, a reality that we have already +experienced. Focus on the most aesthetically-pleasing parts of that past +is a large part of Vaporwave. + +** Outrun +:PROPERTIES: +:CUSTOM_ID: outrun +:END: +#+caption: Outrun +[[https://img.cleberg.net/blog/20210328-vaporwave-vs-outrun/outrun.png]] + +Now, let's get to Outrun. This one is a little trickier since the genre +has largely been lumped under the Vaporwave title for so long. However, +it stems from the [[https://en.wikipedia.org/wiki/Synthwave][Synthwave]] +music genre and is likely named after the 1986 racer game, +[[https://en.wikipedia.org/wiki/Out_Run][Out Run]]. + +*** Time Frame +:PROPERTIES: +:CUSTOM_ID: time-frame-1 +:END: +Outrun can be thought of as a retro-futuristic aesthetic born from the +1980s. + +*** Art +:PROPERTIES: +:CUSTOM_ID: art-1 +:END: +The color scheme uses a very dark color palette with the main colors +being deep oranges, blues, and purples. Red edges are common around +objects in Outrun art. The background of the Outrun aesthetic is almost +always a neon grid like you'd expect to see in Tron or a 1980s arcade +machine. + +Classic sports cars, chrome robots, computer generated graphics and +fonts, and the occasional use of rain or palm trees can be found in +Outrun art. + +*** Music +:PROPERTIES: +:CUSTOM_ID: music-1 +:END: +This aesthetic has a more aggressive and fast-paced style of music, +which tends to match the subject of the art in this aesthetic. + +Outrun enthusiasts love what people in the 1980s thought the future +would look like. Take a look at a common video game discussed in Outrun +circles, Far Cry 3: Blood Dragon: + +#+caption: Fry Cry 3: Blood Dragon +[[https://img.cleberg.net/blog/20210328-vaporwave-vs-outrun/far-cry.png]] + +Another example that doesn't force the color scheme as hard as some +online art does is Kung Fury: + +#+caption: Kung Fury +[[https://img.cleberg.net/blog/20210328-vaporwave-vs-outrun/kung-fury.png]] + +#+caption: Kung Fury Hacker Scene +[[https://img.cleberg.net/blog/20210328-vaporwave-vs-outrun/kung-fury-hacker.png]] + +** Conclusion +:PROPERTIES: +:CUSTOM_ID: conclusion +:END: +While Vaporwave and Outrun share similarities, they are two distinct +aesthetics with many important distinctions. Someone who enjoys one may +not necessarily enjoy the other, so it's important to make sure we +properly describe the aesthetic we're looking for. diff --git a/blog/2021-03-30-vps-web-server.org b/blog/2021-03-30-vps-web-server.org index 9648452..147b86f 100644 --- a/blog/2021-03-30-vps-web-server.org +++ b/blog/2021-03-30-vps-web-server.org @@ -1,270 +1,293 @@ -+++ -date = 2021-03-30 -title = "How to Set Up a VPS Web Server" -description = "Choosing a place to host a website is one of the most confusing decisions for beginner web developers. Even for experienced web devs, choosing between different forms of web hosting can be a daunting choice." -draft = false -+++ - -## Shared Hosting vs. VPS - -Choosing a place to host a website is one of the most confusing decisions for -beginner web developers. Even for experienced web devs, choosing between -different forms of web hosting can be a daunting choice. +#+title: How to Set Up a VPS Web Server +#+date: 2021-03-30 + +** Shared Hosting vs. VPS +:PROPERTIES: +:CUSTOM_ID: shared-hosting-vs.-vps +:END: +Choosing a place to host a website is one of the most confusing +decisions for beginner web developers. Even for experienced web devs, +choosing between different forms of web hosting can be a daunting +choice. First, let's take a look at -[shared web hosting](https://en.wikipedia.org/wiki/Shared_web_hosting_service). -Shared web hosting is a product where you are purchasing a small piece of a web -server that is being shared between many websites. As a result, the cost of -shared hosting is extremely low. You won't have access to the server itself, -which means you can't install your own software on the server, such as Docker. -Usually, you are simply allowed to connect your domains to the server, set up -domain security, and other small utilities. +[[https://en.wikipedia.org/wiki/Shared_web_hosting_service][shared web +hosting]]. Shared web hosting is a product where you are purchasing a +small piece of a web server that is being shared between many websites. +As a result, the cost of shared hosting is extremely low. You won't have +access to the server itself, which means you can't install your own +software on the server, such as Docker. Usually, you are simply allowed +to connect your domains to the server, set up domain security, and other +small utilities. In contrast, a -[virtual private server](https://en.wikipedia.org/wiki/Virtual_private_server) -(VPS) is a virtual machine that replicates the environment of having a dedicated -server to yourself. You are able to control the virtual server's host names, -base file system, package manager, etc. Another great upside of a VPS is that -since it's virtual, the company providing the VPS can dynamically increase the -disk size, RAM size, or number of CPUs at any time. However, the virtual server -is still physically located on a server that is shared between multiple virtual +[[https://en.wikipedia.org/wiki/Virtual_private_server][virtual private +server]] (VPS) is a virtual machine that replicates the environment of +having a dedicated server to yourself. You are able to control the +virtual server's host names, base file system, package manager, etc. +Another great upside of a VPS is that since it's virtual, the company +providing the VPS can dynamically increase the disk size, RAM size, or +number of CPUs at any time. However, the virtual server is still +physically located on a server that is shared between multiple virtual servers. -The choice between shared hosting and VPS mostly depends on your skill level -with system administration. If you're comforting working on a server that is -mostly left up to you (or you're willing to learn), then a VPS is usually a -better option. However, shared hosting is a fantastic option for people who -don't want to have to learn how to manage their server. - -## My Situation +The choice between shared hosting and VPS mostly depends on your skill +level with system administration. If you're comforting working on a +server that is mostly left up to you (or you're willing to learn), then +a VPS is usually a better option. However, shared hosting is a fantastic +option for people who don't want to have to learn how to manage their +server. -I had used shared hosting for approximately 5 years before trying my first VPS. -I manage a homelab and have had success running a server and performing typical -sysadmin duties, but I was still hesitant to get a VPS. One fear was that I -always struggled to properly set up the networking part of a server - DNS and -hostname configurations were not my friend. +** My Situation +:PROPERTIES: +:CUSTOM_ID: my-situation +:END: +I had used shared hosting for approximately 5 years before trying my +first VPS. I manage a homelab and have had success running a server and +performing typical sysadmin duties, but I was still hesitant to get a +VPS. One fear was that I always struggled to properly set up the +networking part of a server - DNS and hostname configurations were not +my friend. As a little bit of background, I originally used -[Siteground](https://www.siteground.com) for my initially shared hosting and -stayed on that platform for at least a year. However, the UI was clunky, and I -didn't like how they handled certain technical aspects, so I switched to -[Namecheap](https://www.namecheap.com). Namecheap was great because it is the -service I primarily use for purchasing domain names, which made it incredibly -easy to link them to my hosting service. However, it was still mediocre shared -hosting, and Namecheap is notorious for not letting you use -[Let's Encrypt](https://letsencrypt.org) to obtain free SSL/TLS certificates; -Namecheap wants to make you purchase certificates through their store. - -Finally, I settled down with [iWebFusion](https://www.iwebfusion.net) for about -the last year of my shared hosting. This service was pretty great, came with -free SSL/TLS, and I never had any complaints. - -However, I finally grew tired of not being able to install software on my own -web server. I wanted to be able to try out things like -[Postmill](https://postmill.xyz) or [Matrix](https://matrix.org). This is -possible with a VPS, so I decided to grab a new domain name to try it out. - -## Getting Started: Buying a VPS - -The first step to moving over to a VPS is (you guessed it): finding a VPS -provider. For my VPSs, I use [1984](https://1984hosting.com) and prefer their -services much more than any alternative, due to their location (Iceland), their -[privacy policy](https://1984hosting.com/GDPR/), their respect for GDPR, and the -ability to remain anonymous if you pay in Bitcoin or Monero. - -[Njalla](https://njal.la) is another good, privacy-oriented option for VPS -services. - -You'll have to decide what specifications you want on your VPS. For me, I only -build and deploy low-resource HTML, PHP, and Python websites. This means I can -survive on the smallest VPS: 1 CPU, 1GB of RAM, and 25GB SSD for $5.00 per -month. - -As noted above, the great thing about a VPS is you can request your provider to -increase the resources at any time. - -## Configuring DNS Settings - -Okay, so now let's get into some actual work that has to be done to get content -moved from a shared host to a VPS. At this point, I'm assuming you have a shared -host with website content that you can still access, and you've purchased a new -VPS and can SSH into that server. +[[https://www.siteground.com][Siteground]] for my initially shared +hosting and stayed on that platform for at least a year. However, the UI +was clunky, and I didn't like how they handled certain technical +aspects, so I switched to [[https://www.namecheap.com][Namecheap]]. +Namecheap was great because it is the service I primarily use for +purchasing domain names, which made it incredibly easy to link them to +my hosting service. However, it was still mediocre shared hosting, and +Namecheap is notorious for not letting you use +[[https://letsencrypt.org][Let's Encrypt]] to obtain free SSL/TLS +certificates; Namecheap wants to make you purchase certificates through +their store. + +Finally, I settled down with [[https://www.iwebfusion.net][iWebFusion]] +for about the last year of my shared hosting. This service was pretty +great, came with free SSL/TLS, and I never had any complaints. + +However, I finally grew tired of not being able to install software on +my own web server. I wanted to be able to try out things like +[[https://postmill.xyz][Postmill]] or [[https://matrix.org][Matrix]]. +This is possible with a VPS, so I decided to grab a new domain name to +try it out. + +** Getting Started: Buying a VPS +:PROPERTIES: +:CUSTOM_ID: getting-started-buying-a-vps +:END: +The first step to moving over to a VPS is (you guessed it): finding a +VPS provider. For my VPSs, I use [[https://1984hosting.com][1984]] and +prefer their services much more than any alternative, due to their +location (Iceland), their [[https://1984hosting.com/GDPR/][privacy +policy]], their respect for GDPR, and the ability to remain anonymous if +you pay in Bitcoin or Monero. + +[[https://njal.la][Njalla]] is another good, privacy-oriented option for +VPS services. + +You'll have to decide what specifications you want on your VPS. For me, +I only build and deploy low-resource HTML, PHP, and Python websites. +This means I can survive on the smallest VPS: 1 CPU, 1GB of RAM, and +25GB SSD for $5.00 per month. + +As noted above, the great thing about a VPS is you can request your +provider to increase the resources at any time. + +** Configuring DNS Settings +:PROPERTIES: +:CUSTOM_ID: configuring-dns-settings +:END: +Okay, so now let's get into some actual work that has to be done to get +content moved from a shared host to a VPS. At this point, I'm assuming +you have a shared host with website content that you can still access, +and you've purchased a new VPS and can SSH into that server. The first change is minor, but it should be done immediately in order to -get things moving: DNS settings. Go to wherever your DNS settings are handled. -If your shared host also managed your DNS settings, you'll need to first move -that DNS over to your new VPS provider. For me, I route my DNS through -[Gandi](https://www.gandi.net). +get things moving: DNS settings. Go to wherever your DNS settings are +handled. If your shared host also managed your DNS settings, you'll need +to first move that DNS over to your new VPS provider. For me, I route my +DNS through [[https://www.gandi.net][Gandi]]. -Once you know where your DNS settings are, go ahead and update the `A` records -to match the public IP address of your VPS. For example: +Once you know where your DNS settings are, go ahead and update the =A= +records to match the public IP address of your VPS. For example: -```txt +#+begin_src txt A example.com xxx.xxx.xxx.xxx A subdomain xxx.xxx.xxx.xxx CNAME www example.com. -``` - -If you have any other records that require updates, such as MX or TXT records -for a mail server, be sure to update those accordingly. Personally, I don't host -my own mail server. -I route all mail on my custom domains to [Migadu](https://www.migadu.com). -Hosting your own email server can become complex quickly and is not for -beginners. - -DNS changes can take up to 48 hours to propagate, so be sure to give it some -time before assuming you've made an error. - -## Server Updates and Packages - -Now that the DNS settings have been changed, let's set up our server while we -wait for the DNS to propagate. -First up is to ssh into your server. -If you've signed up with a service like DigitalOcean, you can add your SSH -key to your account and to your VPS droplet so that you don't need a -password in order to SSH. - -```sh +#+end_src + +If you have any other records that require updates, such as MX or TXT +records for a mail server, be sure to update those accordingly. +Personally, I don't host my own mail server. I route all mail on my +custom domains to [[https://www.migadu.com][Migadu]]. Hosting your own +email server can become complex quickly and is not for beginners. + +DNS changes can take up to 48 hours to propagate, so be sure to give it +some time before assuming you've made an error. + +** Server Updates and Packages +:PROPERTIES: +:CUSTOM_ID: server-updates-and-packages +:END: +Now that the DNS settings have been changed, let's set up our server +while we wait for the DNS to propagate. First up is to ssh into your +server. If you've signed up with a service like DigitalOcean, you can +add your SSH key to your account and to your VPS droplet so that you +don't need a password in order to SSH. + +#+begin_src sh ssh root@xxx.xxx.xxx.xxx -``` +#+end_src -The VPS that is used in this blog post runs Ubuntu 20.04 with an Apache web -server. -If you're working on a different operating system (OS) or want a -different web server, such as Nginx, you'll have to use different commands -to set it up. +The VPS that is used in this blog post runs Ubuntu 20.04 with an Apache +web server. If you're working on a different operating system (OS) or +want a different web server, such as Nginx, you'll have to use different +commands to set it up. First, let's update and upgrade our server. -**NOTE:** Since we have logged in to the server as `root` for now, we don't need -to use the `sudo` modifier before our commands. +*NOTE:* Since we have logged in to the server as =root= for now, we +don't need to use the =sudo= modifier before our commands. -```sh +#+begin_src sh apt update && apt upgrade -y -``` - -## Create A User Account +#+end_src -While being able to use `root` can be beneficial at times, you shouldn't use -`root` unless you have to. +** Create A User Account +:PROPERTIES: +:CUSTOM_ID: create-a-user-account +:END: +While being able to use =root= can be beneficial at times, you shouldn't +use =root= unless you have to. -So let's set up a new user in our system. The `-m` option below tells the OS to -create a home directory for the new user. +So let's set up a new user in our system. The =-m= option below tells +the OS to create a home directory for the new user. -```sh +#+begin_src sh adduser USERNAME -``` +#+end_src Now, create a password for that user. -```sh +#+begin_src sh passwd USERNAME -``` +#+end_src -Finally, add the user to the sudoers file, so they can perform priveleged -commands. +Finally, add the user to the sudoers file, so they can perform +priveleged commands. -```sh +#+begin_src sh usermod -a -G sudo USERNAME -``` +#+end_src -If you are using SSH keys and not passwords, you'll need to copy your SSH key -from your local machine to the VPS. If you haven't disabled password-based SSH -yet, the easiest way to do this is `ssh-copy-id` from your local computer (not -from the VPS): +If you are using SSH keys and not passwords, you'll need to copy your +SSH key from your local machine to the VPS. If you haven't disabled +password-based SSH yet, the easiest way to do this is =ssh-copy-id= from +your local computer (not from the VPS): -```sh +#+begin_src sh ssh-copy-id testuser@xxx.xxx.xxx.xxx -``` +#+end_src -If you've disabled password-based SSH, you'll need to manually copy your SSH key -into the `~/.ssh/authorized_keys` file. +If you've disabled password-based SSH, you'll need to manually copy your +SSH key into the =~/.ssh/authorized_keys= file. -## Install Software +** Install Software +:PROPERTIES: +:CUSTOM_ID: install-software +:END: +Our goal here is to host a web server, so the next step is to install +the Apache web server and any other packages we need. -Our goal here is to host a web server, so the next step is to install the Apache -web server and any other packages we need. +From this point on, I will be logged in as a user (not =root=) and will +need to use the =sudo= modifier for most commands. -From this point on, I will be logged in as a user (not `root`) and will need to -use the `sudo` modifier for most commands. - -```sh +#+begin_src sh sudo apt update; sudo apt upgrade -y; sudo apt autoremove -y sudo apt install apache2 -``` +#+end_src -If you need other language support, such as PHP, you'll need to install that -too. +If you need other language support, such as PHP, you'll need to install +that too. -```sh +#+begin_src sh sudo apt install libapache2-mod-php php-dom sudo a2enmod php sudo systemctl restart apache2 -``` - -## Website Files & Folders +#+end_src -Next up is to create the directories for the domain(s) we want to be hosted on -this web server. +** Website Files & Folders +:PROPERTIES: +:CUSTOM_ID: website-files-folders +:END: +Next up is to create the directories for the domain(s) we want to be +hosted on this web server. -```sh +#+begin_src sh cd /var/www sudo mkdir example.com -``` +#+end_src -We have a folder for `example.com` now, so let's add an `index.html` file and -put it within a specific `public_html` folder. You don't need this `public_html` -if you don't want it, but it helps with organizing items related to -`example.com` that you don't want to publish to the internet. +We have a folder for =example.com= now, so let's add an =index.html= +file and put it within a specific =public_html= folder. You don't need +this =public_html= if you don't want it, but it helps with organizing +items related to =example.com= that you don't want to publish to the +internet. -```sh +#+begin_src sh cd example.com sudo mkdir public_html && cd public_html sudo nano index.html -``` +#+end_src -You can put anything you want in this `index.html` file. If you can't think of -anything, paste this in there: +You can put anything you want in this =index.html= file. If you can't +think of anything, paste this in there: -```html +#+begin_src html <!DOCTYPE html> <html lang="en"> - <head> - <meta charset="utf-8" /> - <meta name="viewport" content="width=device-width, initial-scale=1" /> - <title>Hello, world!</title> - </head> - <body> - <h1>Hello, world!</h1> - </body> + <head> + <meta charset="utf-8" /> + <meta name="viewport" content="width=device-width, initial-scale=1" /> + <title>Hello, world!</title> + </head> + <body> + <h1>Hello, world!</h1> + </body> </html> -``` +#+end_src -If you want something to be served at `example.com/page01/file.txt`, you'll have -to create the `page01` directory under the `example.com` directory. For example: +If you want something to be served at =example.com/page01/file.txt=, +you'll have to create the =page01= directory under the =example.com= +directory. For example: -```sh +#+begin_src sh cd /var/www/example.com/public_html sudo mkdir page01 sudo nano file.txt -``` +#+end_src -## Apache Configuration +** Apache Configuration +:PROPERTIES: +:CUSTOM_ID: apache-configuration +:END: +Now, let's set up the files that will tell the server where to find the +files for =example.com=. We will copy the default configuration file and +create our own. -Now, let's set up the files that will tell the server where to find the files -for `example.com`. We will copy the default configuration file and create our -own. - -```sh +#+begin_src sh cd /etc/apache2/sites-available sudo cp 000-default.conf example.com.conf sudo nano example.com.conf -``` +#+end_src -This configuration file will have a few default lines, but you'll need to edit -it to look similar to this (settings may change based on your personal needs): +This configuration file will have a few default lines, but you'll need +to edit it to look similar to this (settings may change based on your +personal needs): -```config +#+begin_src config <VirtualHost *:80> ServerAdmin your-email@email-provider.com ServerName example.com @@ -273,128 +296,138 @@ it to look similar to this (settings may change based on your personal needs): ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined </VirtualHost> -``` +#+end_src Now, enable the configuration for your new site, disable the default configuration, and reload the web server. -```sh +#+begin_src sh sudo a2ensite example.com.conf sudo a2dissite 000-default.conf sudo systemctl reload apache2 -``` +#+end_src -You can always run a test to make sure no errors or warnings are found in your -configuration files. +You can always run a test to make sure no errors or warnings are found +in your configuration files. -```sh +#+begin_src sh sudo apache2ctl configtest -``` +#+end_src -Now, restart the web server entirely. After this, you should be able to browse -to `http://example.com` and see the HTML content you provided earlier. Note that -SSL/TLS has not been enabled yet, so you won't be able to use the secure version -yet (`https://example.com`). +Now, restart the web server entirely. After this, you should be able to +browse to =http://example.com= and see the HTML content you provided +earlier. Note that SSL/TLS has not been enabled yet, so you won't be +able to use the secure version yet (=https://example.com=). -```sh +#+begin_src sh sudo systemctl restart apache2 -``` - -You can repeat this for as many websites as you need. Just create the domain -folders in `/var/www/`, add the configuration file, enable the configuration, -and restart `apache2`. +#+end_src -## SSL/TLS Certificates: Serve Websites Over HTTPS +You can repeat this for as many websites as you need. Just create the +domain folders in =/var/www/=, add the configuration file, enable the +configuration, and restart =apache2=. -In order to serve secure content, you'll need to obtain SSL/TLS certificates. -Luckily, there's a free tool called [Certbot](https://certbot.eff.org) that -helps us with the process. +** SSL/TLS Certificates: Serve Websites Over HTTPS +:PROPERTIES: +:CUSTOM_ID: ssltls-certificates-serve-websites-over-https +:END: +In order to serve secure content, you'll need to obtain SSL/TLS +certificates. Luckily, there's a free tool called +[[https://certbot.eff.org][Certbot]] that helps us with the process. -The first step is to install `snapd` and `core` for Ubuntu. +The first step is to install =snapd= and =core= for Ubuntu. -```sh +#+begin_src sh sudo apt install snapd sudo snap install core sudo snap refresh core -``` +#+end_src -Next, install the `certbot` snap package. +Next, install the =certbot= snap package. -```sh +#+begin_src sh sudo snap install --classic certbot -``` +#+end_src -Execute the following command to ensure that the `certbot` command can be run. +Execute the following command to ensure that the =certbot= command can +be run. -```sh +#+begin_src sh sudo ln -s /snap/bin/certbot /usr/bin/certbot -``` +#+end_src -Finally, you can run `certbot` one of two ways: +Finally, you can run =certbot= one of two ways: -1. run it and let it alter your Apache configuration files automatically to - enable HTTPS redirects. -2. run it and only allow it to create certificates. - You'll need to manually alter the config files to enable HTTPS redirects. +1. run it and let it alter your Apache configuration files automatically + to enable HTTPS redirects. +2. run it and only allow it to create certificates. You'll need to + manually alter the config files to enable HTTPS redirects. Run certbot and allow automatic config changes: -```sh +#+begin_src sh sudo certbot --apache -``` +#+end_src -Run certbot for certificates only and don't allow it to alter config files: +Run certbot for certificates only and don't allow it to alter config +files: -```sh +#+begin_src sh sudo certbot certonly --apache -``` +#+end_src -The Certbot packages on your system come with a cron job or systemd timer that -will renew your certificates automatically before they expire. You will not need -to run Certbot again unless you change your configuration. You can test -automatic renewal for your certificates by running this command: +The Certbot packages on your system come with a cron job or systemd +timer that will renew your certificates automatically before they +expire. You will not need to run Certbot again unless you change your +configuration. You can test automatic renewal for your certificates by +running this command: -```sh +#+begin_src sh sudo certbot renew --dry-run -``` +#+end_src -Now, test your domains by going to `https://example.com`. - -## Firewall Security +Now, test your domains by going to =https://example.com=. +** Firewall Security +:PROPERTIES: +:CUSTOM_ID: firewall-security +:END: To enable better security on your server, you'll need to enable a basic firewall. For Ubuntu, we'll use -[the uncomplicated firewall](https://cleberg.net/blog/secure-your-network-with-the-uncomplicated-firewall.html). +[[https://cleberg.net/blog/secure-your-network-with-the-uncomplicated-firewall.html][the +uncomplicated firewall]]. -Now, add the following rules to the firewall allow SSH, Apache, and HTTP(S) -connections. If you need to, you can enable different ports for specifics -applications, SFTP, etc. +Now, add the following rules to the firewall allow SSH, Apache, and +HTTP(S) connections. If you need to, you can enable different ports for +specifics applications, SFTP, etc. -```sh +#+begin_src sh sudo ufw default deny incoming sudo ufw default allow outgoing sudo ufw allow OpenSSH sudo ufw allow Apache sudo ufw allow proto tcp from any to any port 80,443 -``` +#+end_src Once you've added all the rules you need, enable the firewall. -```sh +#+begin_src sh sudo ufw enable -``` - -## Troubleshooting +#+end_src -If you run into any issues during your VPS set-up, be sure to walk back through -your actions and make sure you didn't miss any steps. +** Troubleshooting +:PROPERTIES: +:CUSTOM_ID: troubleshooting +:END: +If you run into any issues during your VPS set-up, be sure to walk back +through your actions and make sure you didn't miss any steps. Many websites have fantastic guides to setting up various web servers. -This is one of the areas [where DigitalOcean shines](https://www.digitalocean. -com/community/tutorials). -For simpler or more Linux-oriented questions, I suggest using [Linuxize] -(https://linuxize.com). - -If you're getting certain errors (e.g. `500 Internal Server Error`) and need to -debug locally, you can view the `access.log` and `error.log` files in the -`/var/log/apache/` directory. +This is one of the areas +[[https://www.digitalocean.%20com/community/tutorials][where +DigitalOcean shines]]. For simpler or more Linux-oriented questions, I +suggest using [Linuxize] (https://linuxize.com). + +If you're getting certain errors (e.g. =500 Internal Server Error=) and +need to debug locally, you can view the =access.log= and =error.log= +files in the =/var/log/apache/= directory. diff --git a/blog/2021-04-17-gemini-server.org b/blog/2021-04-17-gemini-server.org index b6a7794..6494c9c 100644 --- a/blog/2021-04-17-gemini-server.org +++ b/blog/2021-04-17-gemini-server.org @@ -1,159 +1,181 @@ -+++ -date = 2021-04-17 -title = "Hosting a Gemini Server" -description = "Dive deeper into Gemini by hosting your own Gemini web server." -draft = false -+++ - -## Similar Article Available - -To read more about Gemini and ways to test out this new protocol without your -own server, see my previous post -[Launching a Gemini Capsule](/blog/launching-a-gemini-capsule/). - -## Preparation - -This guide assumes you have access to a server accessible to the world through a -public IP address and that you own a domain name used for this Gemini capsule. - -## Getting Started with Agate - -We are going to use [Agate](https://github.com/mbrubeck/agate) for this -tutorial. -This is a basic Gemini server written in Rust. -It takes very little time and maintenance to get it running. - -## Install Dependencies - -First, you will need to install the Rust package for your system. On Ubuntu, use -the following commands (remember to use `sudo` if you are not the root user). -The Rust installation will give you options to customize the installation; I -used the default installation options. - -```sh +#+title: Hosting a Gemini Server +#+date: 2021-04-17 + +** Similar Article Available +:PROPERTIES: +:CUSTOM_ID: similar-article-available +:END: +To read more about Gemini and ways to test out this new protocol without +your own server, see my previous post +[[/blog/launching-a-gemini-capsule/][Launching a Gemini Capsule]]. + +** Preparation +:PROPERTIES: +:CUSTOM_ID: preparation +:END: +This guide assumes you have access to a server accessible to the world +through a public IP address and that you own a domain name used for this +Gemini capsule. + +** Getting Started with Agate +:PROPERTIES: +:CUSTOM_ID: getting-started-with-agate +:END: +We are going to use [[https://github.com/mbrubeck/agate][Agate]] for +this tutorial. This is a basic Gemini server written in Rust. It takes +very little time and maintenance to get it running. + +** Install Dependencies +:PROPERTIES: +:CUSTOM_ID: install-dependencies +:END: +First, you will need to install the Rust package for your system. On +Ubuntu, use the following commands (remember to use =sudo= if you are +not the root user). The Rust installation will give you options to +customize the installation; I used the default installation options. + +#+begin_src sh sudo apt update && sudo apt upgrade -y curl https://sh.rustup.rs -sSf | sh -``` +#+end_src Remember to configure your shell with the new configuration: -```sh +#+begin_src sh source $HOME/.cargo/env -``` +#+end_src -Before we install agate, make sure you have the `gcc` package installed: +Before we install agate, make sure you have the =gcc= package installed: -```sh +#+begin_src sh sudo apt install gcc -``` +#+end_src -Next, you'll need to install the agate executable with Rust's Cargo package -maintainer: +Next, you'll need to install the agate executable with Rust's Cargo +package maintainer: -```sh +#+begin_src sh cargo install agate -``` - -## Create Symlinks +#+end_src -Once Cargo has finished installing all the required packages, symlink the -executable to your \$PATH. +** Create Symlinks +:PROPERTIES: +:CUSTOM_ID: create-symlinks +:END: +Once Cargo has finished installing all the required packages, symlink +the executable to your $PATH. -```sh +#+begin_src sh sudo ln -s $HOME/.cargo/bin/agate /usr/local/bin/agate -``` +#+end_src -## Using Agate's Built-In Installation Tool +** Using Agate's Built-In Installation Tool +:PROPERTIES: +:CUSTOM_ID: using-agates-built-in-installation-tool +:END: +If you're running Ubuntu or Debian, use the Debian installation script +found in Agate's GitHub repository, under the =tools/debian= folder. -If you're running Ubuntu or Debian, use the Debian installation script found in -Agate's GitHub repository, under the `tools/debian` folder. - -```sh +#+begin_src sh git clone https://github.com/mbrubeck/agate cd agate/tools/debian sudo ./install.sh -``` - -## Configure the Gemini Service - -We have a little more to do, but since this script tries to immediately run the -service, it will likely fail with an exit code. Let's add our finishing touches. -Edit the following file and replace the hostname with your desired URL. You can -also change the directory where content will be served. - -```sh +#+end_src + +** Configure the Gemini Service +:PROPERTIES: +:CUSTOM_ID: configure-the-gemini-service +:END: +We have a little more to do, but since this script tries to immediately +run the service, it will likely fail with an exit code. Let's add our +finishing touches. Edit the following file and replace the hostname with +your desired URL. You can also change the directory where content will +be served. + +#+begin_src sh sudo nano /etc/systemd/system/gemini.service -``` +#+end_src -```sh +#+begin_src sh # Edit these lines to whatever you want - see the next code block for my personal configuration. WorkingDirectory=/srv/gemini ExecStart=agate --hostname $(uname -n) --lang en -``` +#+end_src This is my personal config: -```sh +#+begin_src sh WorkingDirectory=/var/gemini/ ExecStart=agate --hostname gemini.example.com --lang en -``` +#+end_src -Since we've altered the systemd configuration files, we have to reload the -daemon. Let's do that, restart our service, and check its status. +Since we've altered the systemd configuration files, we have to reload +the daemon. Let's do that, restart our service, and check its status. -```sh +#+begin_src sh sudo systemctl daemon-reload sudo systemctl restart gemini.service sudo systemctl status gemini.service -``` - -## Fixing Systemd Errors +#+end_src -If you're still getting errors, the installation process may not have properly -enabled the gemini service. Fix it with the following commands. +** Fixing Systemd Errors +:PROPERTIES: +:CUSTOM_ID: fixing-systemd-errors +:END: +If you're still getting errors, the installation process may not have +properly enabled the gemini service. Fix it with the following commands. -```sh +#+begin_src sh sudo systemctl enable gemini.service sudo systemctl restart gemini.service sudo systemctl status gemini.service -``` +#+end_src -## Firewall Rules +** Firewall Rules +:PROPERTIES: +:CUSTOM_ID: firewall-rules +:END: +Great! Our server is now functional and running. The first consideration +now is that you need to be able to access port 1965 on the server. If +you have a firewall enabled, you'll need to open that port up. -Great! Our server is now functional and running. The first consideration now is -that you need to be able to access port 1965 on the server. If you have a -firewall enabled, you'll need to open that port up. - -```sh +#+begin_src sh sudo ufw allow 1965 sudo ufw reload -``` - -## Creating Content - -Let's create the Gemini capsule. Note that wherever you set the WorkingDirectory -variable to earlier, Agate will expect you to put your Gemini capsule contents -in a sub-folder called "content." So, I place my files in "/var/gmi/content." I'm -going to create that folder now and put a file in there. - -```sh +#+end_src + +** Creating Content +:PROPERTIES: +:CUSTOM_ID: creating-content +:END: +Let's create the Gemini capsule. Note that wherever you set the +WorkingDirectory variable to earlier, Agate will expect you to put your +Gemini capsule contents in a sub-folder called "content." So, I place my +files in "/var/gmi/content." I'm going to create that folder now and put +a file in there. + +#+begin_src sh sudo mkdir /var/gemini/content sudo nano /var/gemini/content/index.gmi -``` - -You can put whatever you want in the "index.gmi" file, just make sure it's valid -Gemtext. +#+end_src -## The Results +You can put whatever you want in the "index.gmi" file, just make sure +it's valid Gemtext. +** The Results +:PROPERTIES: +:CUSTOM_ID: the-results +:END: Here are some screenshots of the Gemini page I just created in the -[Lagrange](https://gmi.skyjake.fi/lagrange/) browser and the -[amfora](https://github.com/makeworld-the-better-one/amfora) browser. +[[https://gmi.skyjake.fi/lagrange/][Lagrange]] browser and the +[[https://github.com/makeworld-the-better-one/amfora][amfora]] browser. - +#+caption: GUI Gemini browser +[[https://img.cleberg.net/blog/20210417-hosting-a-gemini-server/lagrange.png]] -_Lagrange_ +/Lagrange/ - +#+caption: CLI Gemini browser +[[https://img.cleberg.net/blog/20210417-hosting-a-gemini-server/amfora.png]] -_Amfora_ +/Amfora/ diff --git a/blog/2021-04-23-php-comment-system.org b/blog/2021-04-23-php-comment-system.org index 50c77f1..d539a4e 100644 --- a/blog/2021-04-23-php-comment-system.org +++ b/blog/2021-04-23-php-comment-system.org @@ -1,151 +1,161 @@ -+++ -date = 2021-04-23 -title = "Roll Your Own Static Commenting System in PHP" -description = "Learn how to skip the tedium of finding the proper commenting system by simply rolling your own in PHP." -draft = false -+++ +#+title: Roll Your Own Static Commenting System in PHP +#+date: 2021-04-23 -## The Terrible-ness of Commenting Systems +** The Terrible-ness of Commenting Systems +:PROPERTIES: +:CUSTOM_ID: the-terrible-ness-of-commenting-systems +:END: +The current state of affairs regarding interactive comment systems is, +well, terrible. It is especially awful if you're a privacy conscious +person who does not generally load third-party scripts or frames on the +websites you visit. -The current state of affairs regarding interactive comment systems is, well, -terrible. It is especially awful if you're a privacy conscious person who does -not generally load third-party scripts or frames on the websites you visit. - -Even further, many comment systems are charging exorbitant fees for something -that should be standard. +Even further, many comment systems are charging exorbitant fees for +something that should be standard. Of course, there are some really terrible options: -- Facebook Comments -- Discourse - -There are some options that are better but still use too many scripts, frames, -or social integrations on your web page that could impact some users: - -- Disqus -- Isso -- Remark42 - -Lastly, I looked into a few unique ways of generating blog comments, such as -using Twitter threads or GitHub issues to automatically post issues. However, -these both rely on external third-party sites that I don't currently use. - -## Stay Static with Server-Side Comments - -The main issue for my personal use-case is that my blog is completely, 100% -static. I use PHP on the back-end but website visitors only see HTML and a -single CSS file. No external javascript and no embedded frames. - -So, how do we keep a site static and still allow users to interact with blog -posts? The key actually pretty simple - I'm already using PHP, so why not rely -on the classic HTML `<form>` and a PHP script to save the comments somewhere? As -it turns out, this was a perfect solution for me. - -The second issue for my personal use-case is that I am trying to keep the -contents of my website accessible over time, as described by @brandur, in his -post entitled -[Blog with Markdown + Git, and degrade gracefully through time](https://brandur.org/fragments/graceful-degradation-time) -. - -This means I cannot rely on a database for comments, since I do not rely on a -database for any other part of my websites. - -I blog in plain Markdown files, commit all articles to Git, and ensure that -future readers will be able to see the source data long after I'm gone, or the -website has gone offline. However, I still haven't committed any images served -on my blog to Git, as I'm not entirely sold on Git LFS yet - for now, images can -be found at [img.cleberg.net](https://img.cleberg.net). - -Saving my comments back to the Git repository ensures that another aspect of my -site will degrade gracefully. - -## Create a Comment Form - -Okay, let's get started. The first step is to create an HTML form that users can -see and utilize to submit comments. This is fairly easy and can be changed -depending on your personal preferences. - -Take a look at the code block below for the form I currently use. Note that -`<current-url>` is replaced automatically in PHP with the current post's URL, so -that my PHP script used later will know which blog post the comment is related -to. +- Facebook Comments +- Discourse + +There are some options that are better but still use too many scripts, +frames, or social integrations on your web page that could impact some +users: + +- Disqus +- Isso +- Remark42 + +Lastly, I looked into a few unique ways of generating blog comments, +such as using Twitter threads or GitHub issues to automatically post +issues. However, these both rely on external third-party sites that I +don't currently use. + +** Stay Static with Server-Side Comments +:PROPERTIES: +:CUSTOM_ID: stay-static-with-server-side-comments +:END: +The main issue for my personal use-case is that my blog is completely, +100% static. I use PHP on the back-end but website visitors only see +HTML and a single CSS file. No external javascript and no embedded +frames. + +So, how do we keep a site static and still allow users to interact with +blog posts? The key actually pretty simple - I'm already using PHP, so +why not rely on the classic HTML =<form>= and a PHP script to save the +comments somewhere? As it turns out, this was a perfect solution for me. + +The second issue for my personal use-case is that I am trying to keep +the contents of my website accessible over time, as described by +[cite/t:@brandur], in his post entitled +[[https://brandur.org/fragments/graceful-degradation-time][Blog with +Markdown + Git, and degrade gracefully through time]] . + +This means I cannot rely on a database for comments, since I do not rely +on a database for any other part of my websites. + +I blog in plain Markdown files, commit all articles to Git, and ensure +that future readers will be able to see the source data long after I'm +gone, or the website has gone offline. However, I still haven't +committed any images served on my blog to Git, as I'm not entirely sold +on Git LFS yet - for now, images can be found at +[[https://img.cleberg.net][img.cleberg.net]]. + +Saving my comments back to the Git repository ensures that another +aspect of my site will degrade gracefully. + +** Create a Comment Form +:PROPERTIES: +:CUSTOM_ID: create-a-comment-form +:END: +Okay, let's get started. The first step is to create an HTML form that +users can see and utilize to submit comments. This is fairly easy and +can be changed depending on your personal preferences. + +Take a look at the code block below for the form I currently use. Note +that =<current-url>= is replaced automatically in PHP with the current +post's URL, so that my PHP script used later will know which blog post +the comment is related to. The form contains the following structure: -1. `<form>` - This is the form and will determine which PHP script to send the - comment to. -2. `<section hidden>` - This section is hidden from the user and is used to - ensure that we know which blog post sent the comment. -3. `<section>` Display Name (Optional) - Used to accept a display name, if - entered. -4. `<section>` Comment (Required) - Used to accept the user's full comment. - Markdown is allowed. -5. `<button>` - A button to submit the form. - -```html +1. =<form>= - This is the form and will determine which PHP script to + send the comment to. +2. =<section hidden>= - This section is hidden from the user and is used + to ensure that we know which blog post sent the comment. +3. =<section>= Display Name (Optional) - Used to accept a display name, + if entered. +4. =<section>= Comment (Required) - Used to accept the user's full + comment. Markdown is allowed. +5. =<button>= - A button to submit the form. + +#+begin_src html <form action="/comment.php" method="POST"> - <h3>Leave a Comment</h3> - <section hidden> - <label class="form-label" for="postURL">Post URL</label> - <input - class="form-control" - id="postURL" - name="postURL" - type="text" - value="<current-url>" - /> - </section> - <section> - <label class="form-label" for="userName">Display Name</label> - <input - class="form-control" - id="userName" - name="userName" - placeholder="John Doe" - type="text" - /> - </section> - <section> - <label class="form-label" for="userContent">Your Comment</label> - <textarea - class="form-control" - id="userContent" - name="userContent" - rows="3" - placeholder="# Feel free to use Markdown" - aria-describedby="commentHelp" - required - ></textarea> - <div id="commentHelp" class="form-text"> - Comments are saved as Markdown and cannot be edited or deleted. - </div> - </section> - <button type="submit">Submit</button> + <h3>Leave a Comment</h3> + <section hidden> + <label class="form-label" for="postURL">Post URL</label> + <input + class="form-control" + id="postURL" + name="postURL" + type="text" + value="<current-url>" + /> + </section> + <section> + <label class="form-label" for="userName">Display Name</label> + <input + class="form-control" + id="userName" + name="userName" + placeholder="John Doe" + type="text" + /> + </section> + <section> + <label class="form-label" for="userContent">Your Comment</label> + <textarea + class="form-control" + id="userContent" + name="userContent" + rows="3" + placeholder="# Feel free to use Markdown" + aria-describedby="commentHelp" + required + ></textarea> + <div id="commentHelp" class="form-text"> + Comments are saved as Markdown and cannot be edited or deleted. + </div> + </section> + <button type="submit">Submit</button> </form> -``` - -## Handle Comments via POST +#+end_src -Now that we have a form and can submit comments, we need to create a PHP script -so that the server can fetch the comment data and save it. Make sure your PHP -script name matches the name you entered in the `action` field in your form. +** Handle Comments via POST +:PROPERTIES: +:CUSTOM_ID: handle-comments-via-post +:END: +Now that we have a form and can submit comments, we need to create a PHP +script so that the server can fetch the comment data and save it. Make +sure your PHP script name matches the name you entered in the =action= +field in your form. -See the code block below for the contents of my `comment.php` script. We perform -the following tasks in this script: +See the code block below for the contents of my =comment.php= script. We +perform the following tasks in this script: 1. Grab the POST data from the HTML form. -2. Sanitize the comment data with `htmlentities`. -3. Set the display name to `Anonymous` if it was left blank. +2. Sanitize the comment data with =htmlentities=. +3. Set the display name to =Anonymous= if it was left blank. 4. Create a PHP object that combines all of this data. -5. Check if our destination file `comments.json` exists. +5. Check if our destination file =comments.json= exists. 6. If so, convert the PHP object to JSON and save it to the file. -7. If the `comments.json` file does not exist, the script will exit with an - error. You can alter this to ensure it creates the script, but my source code - includes the file by default, so it will always exist. -8. Finally, send the user back to the `#comments` section of the blog post they - just read. +7. If the =comments.json= file does not exist, the script will exit with + an error. You can alter this to ensure it creates the script, but my + source code includes the file by default, so it will always exist. +8. Finally, send the user back to the =#comments= section of the blog + post they just read. -```php +#+begin_src php // Get the content sent from the comment form $comment = htmlentities($_POST['userContent']); $post_url = $_POST['postURL']; @@ -180,30 +190,35 @@ if (file_exists($file_name)) { // Send the user back header('Location: ' . $post_url . '#comments'); -``` +#+end_src -If you're using Apache, make sure the `www-data` user on your server has the -correct permissions to your website directory or else it will not be able to -write to `comments.json`. +If you're using Apache, make sure the =www-data= user on your server has +the correct permissions to your website directory or else it will not be +able to write to =comments.json=. -```sh +#+begin_src sh chgrp -R www-data /path/to/website/ chmod -R g+w comments.json -``` - -## Display User Comments - -Now that we can submit comments, and they are saved to the `comments.json` file, -let's make sure we can show those comments in each blog post. - -The code block below shows the function I use to decode my `comments.json` file, -check if the comments apply to the current post, and then display them. - -This piece of code should **really** be inside a function (or at least in an -organized PHP workflow). Don't just copy-and-paste and expect it to work. You -need to at least supply a `$query` variable depending on the page visited. - -```php +#+end_src + +** Display User Comments +:PROPERTIES: +:CUSTOM_ID: display-user-comments +:END: +Now that we can submit comments, and they are saved to the +=comments.json= file, let's make sure we can show those comments in each +blog post. + +The code block below shows the function I use to decode my +=comments.json= file, check if the comments apply to the current post, +and then display them. + +This piece of code should *really* be inside a function (or at least in +an organized PHP workflow). Don't just copy-and-paste and expect it to +work. You need to at least supply a =$query= variable depending on the +page visited. + +#+begin_src php $query = 'your-blog-post.html'; // Load saved comments @@ -235,28 +250,35 @@ foreach ($comments as $comment) { } echo $comment_section; -``` - -## Bonus: Create a 'Recent Comments' Page - -Finally, the last part of my current system is to create a Recent Comments page -so that I can easily check-in on my blog and moderate any spam. As an -alternative, you could use PHP's `mail()` function to email you for each blog -comment. - -The code to do this is literally the same code as the previous section, I just -make sure it is printed when someone visits `https://example.com/comments/`. - -## Possible Enhancements - -This comment system is by no means a fully-developed system. I have noted a few -possible enhancements here that I may implement in the future: - -- Create a secure moderator page with user authentication at - `https://blog.example.com/mod/`. This page could have the option to edit or - delete any comment found in `comments.json`. -- Create a temporary file, such as `pending_comments.json`, that will store - newly-submitted comments and won't display on blog posts until approved by a - moderator. -- Create a `/modlog/` page with a chronological log, showing which moderator - approved which comments and why certain comments were rejected. +#+end_src + +** Bonus: Create a 'Recent Comments' Page +:PROPERTIES: +:CUSTOM_ID: bonus-create-a-recent-comments-page +:END: +Finally, the last part of my current system is to create a Recent +Comments page so that I can easily check-in on my blog and moderate any +spam. As an alternative, you could use PHP's =mail()= function to email +you for each blog comment. + +The code to do this is literally the same code as the previous section, +I just make sure it is printed when someone visits +=https://example.com/comments/=. + +** Possible Enhancements +:PROPERTIES: +:CUSTOM_ID: possible-enhancements +:END: +This comment system is by no means a fully-developed system. I have +noted a few possible enhancements here that I may implement in the +future: + +- Create a secure moderator page with user authentication at + =https://blog.example.com/mod/=. This page could have the option to + edit or delete any comment found in =comments.json=. +- Create a temporary file, such as =pending_comments.json=, that will + store newly-submitted comments and won't display on blog posts until + approved by a moderator. +- Create a =/modlog/= page with a chronological log, showing which + moderator approved which comments and why certain comments were + rejected. diff --git a/blog/2021-04-28-photography.org b/blog/2021-04-28-photography.org index 99f3331..6e2627d 100644 --- a/blog/2021-04-28-photography.org +++ b/blog/2021-04-28-photography.org @@ -1,67 +1,75 @@ -+++ -date = 2021-04-28 -title = "Jumping Back Into Photography" -description = "After a long respite, I have returned to my hobby of photography with a brand-new camera." -draft = false -+++ - -## Why Photography? +#+title: Jumping Back Into Photography +#+date: 2021-04-28 +** Why Photography? +:PROPERTIES: +:CUSTOM_ID: why-photography +:END: I've often wondered why photography is as enticing as it is. You can see -billions of people around the world taking photographs every single moment of -the day. New technology often boasts about their photographic capabilities, -especially smartphones. I would even assume that we live in a world where there -is never a moment in which a photograph is not being taken somewhere on Earth. - -As for myself, I would simply say that I enjoy preserving a memory in physical -(or digital) form. I've never had the best memory when it comes to recalling -details of places and people gone by, so it helps to have a frame of reference -lying around. - -Regardless of the reason, I think most people would agree that you simply cannot -have too many hobbies. +billions of people around the world taking photographs every single +moment of the day. New technology often boasts about their photographic +capabilities, especially smartphones. I would even assume that we live +in a world where there is never a moment in which a photograph is not +being taken somewhere on Earth. -## Older Cameras +As for myself, I would simply say that I enjoy preserving a memory in +physical (or digital) form. I've never had the best memory when it comes +to recalling details of places and people gone by, so it helps to have a +frame of reference lying around. -I started playing around with the idea of photography when my family purchased a -Fujifilm camera for family-specific events. I don't recall the specific model, -but I do recall it was a point-and-shoot camera without an interchangeable lens. -However, it was of great value to someone, like myself, who couldn't afford any -other camera. I took about 10,000 shots with that camera over a 3-5 year span. -Most notably, all of my trips to California were documented through this camera. +Regardless of the reason, I think most people would agree that you +simply cannot have too many hobbies. -When possible, I would borrow my sister's camera, which is a Sony SLT-A58. This -camera was great and allowed for some of my best early shots, especially those -taken in Utah's and Nevada's parks. +** Older Cameras +:PROPERTIES: +:CUSTOM_ID: older-cameras +:END: +I started playing around with the idea of photography when my family +purchased a Fujifilm camera for family-specific events. I don't recall +the specific model, but I do recall it was a point-and-shoot camera +without an interchangeable lens. However, it was of great value to +someone, like myself, who couldn't afford any other camera. I took about +10,000 shots with that camera over a 3-5 year span. Most notably, all of +my trips to California were documented through this camera. -## My Current Kit +When possible, I would borrow my sister's camera, which is a Sony +SLT-A58. This camera was great and allowed for some of my best early +shots, especially those taken in Utah's and Nevada's parks. -I've finally come to a point in my life where I have the disposable income to -invest in a solid photography kit. I played around with the idea of a lot of -different cameras, different types, new vs used, etc. Finally, I settled on the -[Sony α7 III](https://en.wikipedia.org/wiki/Sony_%CE%B17_III). This camera is -mirror-less and uses a full-frame image sensor at 24 megapixels. I don't create -large prints, and I am mostly focused on preserving memories in high quality for -the next 5-10 years with this camera, so the specifications here are just -perfect for me. +** My Current Kit +:PROPERTIES: +:CUSTOM_ID: my-current-kit +:END: +I've finally come to a point in my life where I have the disposable +income to invest in a solid photography kit. I played around with the +idea of a lot of different cameras, different types, new vs used, etc. +Finally, I settled on the +[[https://en.wikipedia.org/wiki/Sony_%CE%B17_III][Sony α7 III]]. This +camera is mirror-less and uses a full-frame image sensor at 24 +megapixels. I don't create large prints, and I am mostly focused on +preserving memories in high quality for the next 5-10 years with this +camera, so the specifications here are just perfect for me. For lenses, I decided to buy two lenses that could carry me through most situations: -- [Vario-Tessar T\* FE 24-70 mm F4 ZA OSS](https://electronics.sony.com/imaging/lenses/full-frame-e-mount/p/sel2470z) -- [Tamron 70-300mm f4.5-6.3 Di III RXD](https://www.tamron-usa.com/product/lenses/a047.html) +- [[https://electronics.sony.com/imaging/lenses/full-frame-e-mount/p/sel2470z][Vario-Tessar + T* FE 24-70 mm F4 ZA OSS]] +- [[https://www.tamron-usa.com/product/lenses/a047.html][Tamron 70-300mm + f4.5-6.3 Di III RXD]] In addition, I grabbed a couple -[HGX Prime 67mm](https://www.promaster.com/Product/6725) protection filters for -the lenses. +[[https://www.promaster.com/Product/6725][HGX Prime 67mm]] protection +filters for the lenses. -As I delve further into photography and pick up more skills, I will most likely -go back and grab a lens with a higher f-stop value, such as f/1.8. I toyed with -the idea of grabbing a 50 mm at `f/1.8`, but decided to keep things in a -reasonable price range instead. +As I delve further into photography and pick up more skills, I will most +likely go back and grab a lens with a higher f-stop value, such as +f/1.8. I toyed with the idea of grabbing a 50 mm at =f/1.8=, but decided +to keep things in a reasonable price range instead. -Finally, I made sure to buy a photography-specific backpack with a rain guard, -and the zipper on the back panel, to protect the equipment while wearing the -bag. If you've ever had to haul around a DSLR (or camera of similar heft) in a -bag that only has a shoulder strap, you'll know the pain it can cause. Putting -all my equipment in a backpack was an easy decision. +Finally, I made sure to buy a photography-specific backpack with a rain +guard, and the zipper on the back panel, to protect the equipment while +wearing the bag. If you've ever had to haul around a DSLR (or camera of +similar heft) in a bag that only has a shoulder strap, you'll know the +pain it can cause. Putting all my equipment in a backpack was an easy +decision. diff --git a/blog/2021-05-30-changing-git-authors.org b/blog/2021-05-30-changing-git-authors.org index 9e916a6..a41f5f3 100644 --- a/blog/2021-05-30-changing-git-authors.org +++ b/blog/2021-05-30-changing-git-authors.org @@ -1,33 +1,31 @@ -+++ -date = 2021-05-30 -title = "Changing Git Authors" -description = "Learn how to haphazardly replace Git authors and/or emails within the Git history." -+++ - -## Changing Git Author/Email Based on Previously Committed Email - -Here's the dilemma: You've been committing changes to your git repository with -an incorrect name or email (or multiple repositories), and now you want to fix -it. -Luckily, there's a semi-reliable way to fix that. -While I have never experienced issues with this method, some people have -warned that it can mess with historical hashes and integrity of commits, so -use this method only if you're okay accepting that risk. +#+title: Changing Git Authors +#+date: 2021-05-30 + +** Changing Git Author/Email Based on Previously Committed Email +:PROPERTIES: +:CUSTOM_ID: changing-git-authoremail-based-on-previously-committed-email +:END: +Here's the dilemma: You've been committing changes to your git +repository with an incorrect name or email (or multiple repositories), +and now you want to fix it. Luckily, there's a semi-reliable way to fix +that. While I have never experienced issues with this method, some +people have warned that it can mess with historical hashes and integrity +of commits, so use this method only if you're okay accepting that risk. Okay, let's create the bash script: -```sh +#+begin_src sh nano change_git_authors.sh -``` +#+end_src -The following information can be pasted directly into your bash script. The only -changes you need to make are to the following variables: +The following information can be pasted directly into your bash script. +The only changes you need to make are to the following variables: -- `OLD_EMAIL` -- `CORRECT_NAME` -- `CORRECT_EMAIL` +- =OLD_EMAIL= +- =CORRECT_NAME= +- =CORRECT_EMAIL= -```sh +#+begin_src sh #!/bin/sh # List all sub-directories in the current directory @@ -60,16 +58,16 @@ do cd .. done -``` +#+end_src Finally, save the bash script and make it executable. -```sh +#+begin_src sh chmod a+x change_git_authors.sh -``` +#+end_src Now you can run the script and should see the process begin. -```sh +#+begin_src sh ./change_git_authors.sh -``` +#+end_src diff --git a/blog/2021-07-15-delete-gitlab-repos.org b/blog/2021-07-15-delete-gitlab-repos.org index 5d126f4..99249e9 100644 --- a/blog/2021-07-15-delete-gitlab-repos.org +++ b/blog/2021-07-15-delete-gitlab-repos.org @@ -1,53 +1,57 @@ -+++ -date = 2021-07-15 -title = "How to Delete All GitLab Repositories" -description = "Learn how to delete all GitLab repositories in your user account." -draft = false -+++ - -## Background - -Have you ever used GitLab to host your source code, moved to a different host, -and wanted to delete everything from your GitLab account? -Well, this post covers any scenario where you would want to delete all +#+title: How to Delete All GitLab Repositories +#+date: 2021-07-15 + +** Background +:PROPERTIES: +:CUSTOM_ID: background +:END: +Have you ever used GitLab to host your source code, moved to a different +host, and wanted to delete everything from your GitLab account? Well, +this post covers any scenario where you would want to delete all repositories from your GitLab account. -For me, I currently maintain around 30 repositories and don't like to manually -delete them whenever I switch host. -GitHub has a few different tools online to delete all repositories for you, -but I have not found anything similar for GitLab, so I needed an alternative -solution. - -## Use a Python Script - -### Requirements - -Before we look at the script, make sure you know your GitLab username. Next, -[create an authorization token](https://gitlab.com/-/profile/personal_access_tokens) -so that the Python script can delete your repositories. Don't lose this token or -else you'll need to create a new one. - -### Create the Script - -To run a Python script, you must first create it. Open a terminal and enter the -following commands in whichever directory you prefer to store the script. You -can do the same things in a file manager if you prefer. - -```sh +For me, I currently maintain around 30 repositories and don't like to +manually delete them whenever I switch host. GitHub has a few different +tools online to delete all repositories for you, but I have not found +anything similar for GitLab, so I needed an alternative solution. + +** Use a Python Script +:PROPERTIES: +:CUSTOM_ID: use-a-python-script +:END: +*** Requirements +:PROPERTIES: +:CUSTOM_ID: requirements +:END: +Before we look at the script, make sure you know your GitLab username. +Next, [[https://gitlab.com/-/profile/personal_access_tokens][create an +authorization token]] so that the Python script can delete your +repositories. Don't lose this token or else you'll need to create a new +one. + +*** Create the Script +:PROPERTIES: +:CUSTOM_ID: create-the-script +:END: +To run a Python script, you must first create it. Open a terminal and +enter the following commands in whichever directory you prefer to store +the script. You can do the same things in a file manager if you prefer. + +#+begin_src sh mkdir delete-gitlab -``` +#+end_src -```sh +#+begin_src sh cd delete-gitlab -``` +#+end_src -```sh +#+begin_src sh nano main.py -``` +#+end_src -Enter the following code into your `main.py` script. +Enter the following code into your =main.py= script. -```python +#+begin_src python import request import json @@ -101,15 +105,16 @@ def main(): if __name__ == "__main__": main() -``` +#+end_src -Now that you have the proper information, replace `{user-id}` with your GitLab -username and `{auth-token}` with the authorization token you created earlier. +Now that you have the proper information, replace ={user-id}= with your +GitLab username and ={auth-token}= with the authorization token you +created earlier. -Finally, simply run the script and watch the output. You can also use PyCharm -Community Edition to edit and run the Python script if you don't want to work -in a terminal. +Finally, simply run the script and watch the output. You can also use +PyCharm Community Edition to edit and run the Python script if you don't +want to work in a terminal. -```sh +#+begin_src sh python3 main.py -``` +#+end_src diff --git a/blog/2021-08-25-audit-sampling.org b/blog/2021-08-25-audit-sampling.org index 8283199..ac6f157 100644 --- a/blog/2021-08-25-audit-sampling.org +++ b/blog/2021-08-25-audit-sampling.org @@ -1,52 +1,55 @@ -+++ -date = 2021-08-25 -title = "Audit Sampling with Python" -description = "Learn how to use Python to automate the boring parts of audit sampling." -draft = false -+++ - -## Introduction +#+title: Audit Sampling with Python +#+date: 2021-08-25 +** Introduction +:PROPERTIES: +:CUSTOM_ID: introduction +:END: For anyone who is familiar with internal auditing, external auditing, or -consulting, you will understand how tedious audit testing can become when you -are required to test large swaths of data. When we cannot establish an automated -means of testing an entire population, we generate samples to represent the -population of data. This helps ensure we can have a small enough data pool to -test and that our results still represent the population. - -However, sampling data within the world of audit still seems to confuse quite a -lot of people. While some audit-focused tools have introduced sampling -functionality (e.g. Wdesk), many audit departments and firms cannot use software -like this due to certain constraints, such as the team's budget or knowledge. -Here is where this article comes in: we're going to use -[Python](https://www.python.org), a free and open-source programming language, -to generate random samples from a dataset in order to suffice numerous audit -situations. - -## Audit Requirements for Sampling - -Before we get into the details of how to sample with Python, I want to make sure -I discuss the different requirements that auditors may have of samples used -within their projects. - -### Randomness - -First, let's discuss randomness. When testing out new technology to help assist -with audit sampling, you need to understand exactly how your samples are being -generated. For example, if the underlying function is just picking every 57th -element from a list, that's not truly random; it's a systematic form of -sampling. Luckily, since Python is open-source, we have access to its codebase. -Through this blog post, I will be using the [pandas](https://pandas.pydata.org) -module in order to generate the random samples. More specifically, I will be -using the -[pandas.DataFrame.sample](https://pandas.pydata.org/pandas-docs/stable/reference/api/pandas.DataFrame.sample.html) +consulting, you will understand how tedious audit testing can become +when you are required to test large swaths of data. When we cannot +establish an automated means of testing an entire population, we +generate samples to represent the population of data. This helps ensure +we can have a small enough data pool to test and that our results still +represent the population. + +However, sampling data within the world of audit still seems to confuse +quite a lot of people. While some audit-focused tools have introduced +sampling functionality (e.g. Wdesk), many audit departments and firms +cannot use software like this due to certain constraints, such as the +team's budget or knowledge. Here is where this article comes in: we're +going to use [[https://www.python.org][Python]], a free and open-source +programming language, to generate random samples from a dataset in order +to suffice numerous audit situations. + +** Audit Requirements for Sampling +:PROPERTIES: +:CUSTOM_ID: audit-requirements-for-sampling +:END: +Before we get into the details of how to sample with Python, I want to +make sure I discuss the different requirements that auditors may have of +samples used within their projects. + +*** Randomness +:PROPERTIES: +:CUSTOM_ID: randomness +:END: +First, let's discuss randomness. When testing out new technology to help +assist with audit sampling, you need to understand exactly how your +samples are being generated. For example, if the underlying function is +just picking every 57th element from a list, that's not truly random; +it's a systematic form of sampling. Luckily, since Python is +open-source, we have access to its codebase. Through this blog post, I +will be using the [[https://pandas.pydata.org][pandas]] module in order +to generate the random samples. More specifically, I will be using the +[[https://pandas.pydata.org/pandas-docs/stable/reference/api/pandas.DataFrame.sample.html][pandas.DataFrame.sample]] function provided by Pandas. -Now that you know what you're using, you can always check out the code behind -`pandas.DataFrame.sample`. This function does a lot of work, but we really only -care about the following snippets of code: +Now that you know what you're using, you can always check out the code +behind =pandas.DataFrame.sample=. This function does a lot of work, but +we really only care about the following snippets of code: -```python +#+begin_src python # Process random_state argument rs = com.random_state(random_state) @@ -58,45 +61,45 @@ if ignore_index: result.index = ibase.default_index(len(result)) return result -``` - -The block of code above shows you that if you assign a `random_state` -argument when you run the function, that will be used as a seed number in -the random generation and will allow you to reproduce a sample, given that -nothing else changes. -This is critical to the posterity of audit work. -After all, how can you say your audit process is adequately documented if -the next person can't run the code and get the same sample? -The final piece here on randomness is to look at the [choice](https://docs. -python.org/3/library/random.html#random.choice) function used above. -This is the crux of the generation and can also be examined for more -detailed analysis on its reliability. -As far as auditing goes, we will trust that these functions are -mathematically random. - -### Sample Sizes - -As mentioned in the intro, sampling is only an effective method of auditing -when it truly represents the entire population. -While some audit departments or firms may consider certain judgmental sample -sizes to be adequate, you may need to rely on statistically-significant -confidence levels of sample testing at certain points. -I will demonstrate both here. -For statistically-significant confidence levels, most people will assume a -90% - 99% confidence level. -In order to actually calculate the correct sample size, it is best to use -statistical tools due to the tedious math work required. -For example, for a population of 1000, and a 90% confidence level that no -more than 5% of the items are nonconforming, you would sample 45 items. - -However, in my personal experience, many audit departments and firms do not use -statistical sampling. Most people use a predetermined, often proprietary, table -that will instruct auditors which sample sizes to choose. This allows for -uniform testing and reduces overall workload. See the table below for a common -implementation of sample sizes: +#+end_src + +The block of code above shows you that if you assign a =random_state= +argument when you run the function, that will be used as a seed number +in the random generation and will allow you to reproduce a sample, given +that nothing else changes. This is critical to the posterity of audit +work. After all, how can you say your audit process is adequately +documented if the next person can't run the code and get the same +sample? The final piece here on randomness is to look at the +[[https://docs.%20python.org/3/library/random.html#random.choice][choice]] +function used above. This is the crux of the generation and can also be +examined for more detailed analysis on its reliability. As far as +auditing goes, we will trust that these functions are mathematically +random. + +*** Sample Sizes +:PROPERTIES: +:CUSTOM_ID: sample-sizes +:END: +As mentioned in the intro, sampling is only an effective method of +auditing when it truly represents the entire population. While some +audit departments or firms may consider certain judgmental sample sizes +to be adequate, you may need to rely on statistically-significant +confidence levels of sample testing at certain points. I will +demonstrate both here. For statistically-significant confidence levels, +most people will assume a 90% - 99% confidence level. In order to +actually calculate the correct sample size, it is best to use +statistical tools due to the tedious math work required. For example, +for a population of 1000, and a 90% confidence level that no more than +5% of the items are nonconforming, you would sample 45 items. + +However, in my personal experience, many audit departments and firms do +not use statistical sampling. Most people use a predetermined, often +proprietary, table that will instruct auditors which sample sizes to +choose. This allows for uniform testing and reduces overall workload. +See the table below for a common implementation of sample sizes: | Control Frequency | Sample Size - High Risk | Sample Size - Low Risk | -|-------------------|-------------------------|------------------------| +|-------------------+-------------------------+------------------------| | More Than Daily | 40 | 25 | | Daily | 40 | 25 | | Weekly | 12 | 5 | @@ -106,23 +109,27 @@ implementation of sample sizes: | Annually | 1 | 1 | | Ad-hoc | 1 | 1 | -## Sampling with Python & Pandas - -In this section, I am going to cover a few basic audit situations that require -sampling. While some situations may require more effort, the syntax, -organization, and intellect used remain largely the same. If you've never used -Python before, note that lines starting with a '`#`' symbol are called comments, -and they will be skipped by Python. I highly recommend taking a quick tutorial -online to understand the basics of Python if any of the code below is confusing -to you. - -### Simple Random Sample - -First, let's look at a simple, random sample. The code block below will import -the `pandas` module, load a data file, sample the data, and export the sample to -a file. - -```python +** Sampling with Python & Pandas +:PROPERTIES: +:CUSTOM_ID: sampling-with-python-pandas +:END: +In this section, I am going to cover a few basic audit situations that +require sampling. While some situations may require more effort, the +syntax, organization, and intellect used remain largely the same. If +you've never used Python before, note that lines starting with a '=#=' +symbol are called comments, and they will be skipped by Python. I highly +recommend taking a quick tutorial online to understand the basics of +Python if any of the code below is confusing to you. + +*** Simple Random Sample +:PROPERTIES: +:CUSTOM_ID: simple-random-sample +:END: +First, let's look at a simple, random sample. The code block below will +import the =pandas= module, load a data file, sample the data, and +export the sample to a file. + +#+begin_src python # Import the Pandas module import pandas @@ -140,14 +147,16 @@ sample = df.sample(n=25, random_state=0) # Save the sample to Excel sample.to_excel(file_output) -``` +#+end_src -### Simple Random Sample: Using Multiple Input Files +*** Simple Random Sample: Using Multiple Input Files +:PROPERTIES: +:CUSTOM_ID: simple-random-sample-using-multiple-input-files +:END: +Now that we've created a simple sample, let's create a sample from +multiple files. -Now that we've created a simple sample, let's create a sample from multiple -files. - -```python +#+begin_src python # Import the Pandas module import pandas @@ -174,15 +183,17 @@ sample = pandas.concat([sample_01, sample_02, sample_03], ignore_index=True) # Save the sample to Excel sample.to_excel(file_output) -``` - -### Stratified Random Sample +#+end_src -Well, what if you need to sample distinct parts of a single file? For example, -let's write some code to separate our data by "Region" and sample those regions -independently. +*** Stratified Random Sample +:PROPERTIES: +:CUSTOM_ID: stratified-random-sample +:END: +Well, what if you need to sample distinct parts of a single file? For +example, let's write some code to separate our data by "Region" and +sample those regions independently. -```python +#+begin_src python # Import the Pandas module import pandas @@ -208,16 +219,18 @@ sample = pandas.concat([sample_east, sample_west], ignore_index=True) # Save the sample to Excel sample.to_excel(file_output) -``` - -### Stratified Systematic Sample - -This next example is quite useful if you need audit coverage over a certain time -period. This code will generate samples for each month in the data and combine -them all together at the end. Obviously, this code can be modified to stratify -by something other than months, if needed. - -```python +#+end_src + +*** Stratified Systematic Sample +:PROPERTIES: +:CUSTOM_ID: stratified-systematic-sample +:END: +This next example is quite useful if you need audit coverage over a +certain time period. This code will generate samples for each month in +the data and combine them all together at the end. Obviously, this code +can be modified to stratify by something other than months, if needed. + +#+begin_src python # Import the Pandas module import pandas @@ -257,21 +270,23 @@ def monthly_stratified_sample(df: pandas.DataFrame, date_column: str, num_select sample_size = 3 sample = monthly_stratified_sample(df, 'Date of Sale', sample_size) sample.to_excel(file_output) -``` - -## Documenting the Results - -Once you've generated a proper sample, there are a few things left to do in -order to properly ensure your process is reproducible. - -1. Document the sample. Make sure the resulting file is readable and includes - the documentation listed in the next bullet. -2. Include documentation around the data source, extraction techniques, any - modifications made to the data, and be sure to include a copy of the script - itself. -3. Whenever possible, perform a completeness and accuracy test to ensure your - sample is coming from a complete and accurate population. To ensure - completeness, compare the record count from the data source to the record - count loaded into Python. To ensure accuracy, test a small sample against the - source data (e.g., test 5 sales against the database to see if the details are - accurate). +#+end_src + +** Documenting the Results +:PROPERTIES: +:CUSTOM_ID: documenting-the-results +:END: +Once you've generated a proper sample, there are a few things left to do +in order to properly ensure your process is reproducible. + +1. Document the sample. Make sure the resulting file is readable and + includes the documentation listed in the next bullet. +2. Include documentation around the data source, extraction techniques, + any modifications made to the data, and be sure to include a copy of + the script itself. +3. Whenever possible, perform a completeness and accuracy test to ensure + your sample is coming from a complete and accurate population. To + ensure completeness, compare the record count from the data source to + the record count loaded into Python. To ensure accuracy, test a small + sample against the source data (e.g., test 5 sales against the + database to see if the details are accurate). diff --git a/blog/2021-10-09-apache-redirect.org b/blog/2021-10-09-apache-redirect.org index 497fada..f925f31 100644 --- a/blog/2021-10-09-apache-redirect.org +++ b/blog/2021-10-09-apache-redirect.org @@ -1,45 +1,47 @@ -+++ -date = 2021-10-10 -title = "Apache Redirect HTML Files to a Directory" -description = "Learn how to conveniently rewrite certain Apache web file URLs to directories with the Apache web server." -draft = false -+++ - -## The Problem - -After recently switching static site generators (SSG), my blog URLs changed with -no option to preserve the classic `.html` extension at the end of my blog -post URLs. - -I really disliked using my old SSG ([Jekyll](https://jekyllrb.com)) and prefer -my new tool ([Zola](https://www.getzola.org)) much more, so I was determined to -figure out a way to get the proper redirect set up so that people who find my -posts online aren't constantly met by 404 errors. - -## The Solution - +#+title: Apache Redirect HTML Files to a Directory +#+date: 2021-10-10 + +** The Problem +:PROPERTIES: +:CUSTOM_ID: the-problem +:END: +After recently switching static site generators (SSG), my blog URLs +changed with no option to preserve the classic =.html= extension at the +end of my blog post URLs. + +I really disliked using my old SSG ([[https://jekyllrb.com][Jekyll]]) +and prefer my new tool ([[https://www.getzola.org][Zola]]) much more, so +I was determined to figure out a way to get the proper redirect set up +so that people who find my posts online aren't constantly met by 404 +errors. + +** The Solution +:PROPERTIES: +:CUSTOM_ID: the-solution +:END: To solve this problem, I really needed to solve two pieces: -1. Redirect all blog post URL requests from `/blog/some-post.html` to - `/blog/some-post/`. -2. Ensure that no other `.html` files are redirected, such as `index.html`. +1. Redirect all blog post URL requests from =/blog/some-post.html= to + =/blog/some-post/=. +2. Ensure that no other =.html= files are redirected, such as + =index.html=. -After _a lot_ of tweaking and testing, I believe I have finally found the -solution. The solution is shown below. +After /a lot/ of tweaking and testing, I believe I have finally found +the solution. The solution is shown below. -```config +#+begin_src config RewriteEngine On RewriteCond %{REQUEST_URI} !\index.html$ [NC] RewriteRule ^(.*).html$ https://example.com/$1 [R=301,L] -``` +#+end_src -This piece of code in the Apache `.conf` or `.htaccess` file will do the +This piece of code in the Apache =.conf= or =.htaccess= file will do the following: 1. Turn on the RewriteEngine so that we can modify URLs. -2. Ignore any `index.html` files from the rule we are about to specify. -3. Find any `.html` files within the website directory and redirect it to - exclude the file extension. -4. The final piece is adding the trailing slash (`/`) at the end of the URL - - you'll notice that I don't have an Apache rule for that since Apache handles - that automatically. +2. Ignore any =index.html= files from the rule we are about to specify. +3. Find any =.html= files within the website directory and redirect it + to exclude the file extension. +4. The final piece is adding the trailing slash (=/=) at the end of the + URL - you'll notice that I don't have an Apache rule for that since + Apache handles that automatically. diff --git a/blog/2021-12-04-cisa.org b/blog/2021-12-04-cisa.org index e67127f..7b70b80 100644 --- a/blog/2021-12-04-cisa.org +++ b/blog/2021-12-04-cisa.org @@ -1,197 +1,224 @@ -+++ -date = 2021-12-04 -title = "I Passed the CISA!" -description = "After nearly a year of on-and-off studying, I passed the CISA exam by ISACA." -draft = false -+++ - -## What is the CISA? +#+title: I Passed the CISA! +#+date: 2021-12-04 +** What is the CISA? +:PROPERTIES: +:CUSTOM_ID: what-is-the-cisa +:END: For those of you lucky enough not to be knee-deep in the world of IT/IS -Auditing, [CISA](https://www.isaca.org/credentialing/cisa) stands for Certified -Information Systems Auditor. This certification and exam are part of ISACA's -suite of certifications. As I often explain it to people like my family, it -basically means you're employed to use your knowledge of information systems, -regulations, common threats, risks, etc. in order to assess an organization's -current control of their risk. If a risk isn't controlled (and the company -doesn't want to accept the risk), an IS auditor will suggest implementing a -control to address that risk. - -Now, the CISA certification itself is, in my opinion, the main certification for -this career. While certifications such as the CPA or CISSP are beneficial, -nothing matches the power of the CISA for an IS auditor when it comes to getting -hired, getting a raise/bonus, or earning respect in the field. - -However, to be honest, I am a skeptic of most certifications. I understand the -value they hold in terms of how much you need to commit to studying or learning -on the job, as well as the market value for certifications such as the CISA. -But I also have known some very ~~incompetent~~ _less than stellar_ auditors -who have CPAs, CISAs, CIAs, etc. - -The same goes for most industries: if a person is good at studying, they can -earn the certification. However, that knowledge means nothing unless you're -actually able to use it in real life and perform as expected of a certification -holder. The challenge comes when people are hired or connected strictly because -of their certifications or resume; you need to see a person work before you can -assume them having a CISA means they're better than someone without the CISA. - -Okay, rant over. Certifications are generally accepted as a measuring stick of -commitment and quality of an employee, so I am accepting it too. - -## Exam Content - -The CISA is broken down into five sections, each weighted with a percentage of -test questions that may appear. - - - -Since the exam contains 150 questions, here's how those sections break down: - -| Exam Section | Percentage of Exam | Questions | -|:---------------:|:------------------:|:---------:| -| 1 | 21% | 32 | -| 2 | 17% | 26 | -| 3 | 12% | 18 | -| 4 | 23% | 34 | -| 5 | 27% | 40 | -| **Grand Total** | **100%** | **150** | - -## My Studying Habits - -This part is a little hard for me to break down into specific detail due to the -craziness of the last year. While I officially purchased my studying materials -in December 2020 and opened them to "start studying" in January 2021, I really -wasn't able to study much due to the demands of my job and personal life. +Auditing, [[https://www.isaca.org/credentialing/cisa][CISA]] stands for +Certified Information Systems Auditor. This certification and exam are +part of ISACA's suite of certifications. As I often explain it to people +like my family, it basically means you're employed to use your knowledge +of information systems, regulations, common threats, risks, etc. in +order to assess an organization's current control of their risk. If a +risk isn't controlled (and the company doesn't want to accept the risk), +an IS auditor will suggest implementing a control to address that risk. + +Now, the CISA certification itself is, in my opinion, the main +certification for this career. While certifications such as the CPA or +CISSP are beneficial, nothing matches the power of the CISA for an IS +auditor when it comes to getting hired, getting a raise/bonus, or +earning respect in the field. + +However, to be honest, I am a skeptic of most certifications. I +understand the value they hold in terms of how much you need to commit +to studying or learning on the job, as well as the market value for +certifications such as the CISA. But I also have known some very ++incompetent+ /less than stellar/ auditors who have CPAs, CISAs, CIAs, +etc. + +The same goes for most industries: if a person is good at studying, they +can earn the certification. However, that knowledge means nothing unless +you're actually able to use it in real life and perform as expected of a +certification holder. The challenge comes when people are hired or +connected strictly because of their certifications or resume; you need +to see a person work before you can assume them having a CISA means +they're better than someone without the CISA. + +Okay, rant over. Certifications are generally accepted as a measuring +stick of commitment and quality of an employee, so I am accepting it +too. + +** Exam Content +:PROPERTIES: +:CUSTOM_ID: exam-content +:END: +The CISA is broken down into five sections, each weighted with a +percentage of test questions that may appear. + +#+caption: CISA exam sections +[[https://img.cleberg.net/blog/20211204-i-passed-the-cisa/cisa-exam-sections.png]] + +Since the exam contains 150 questions, here's how those sections break +down: + +| Exam Section | Percentage of Exam | Questions | +|---------------+--------------------+-----------| +| 1 | 21% | 32 | +| 2 | 17% | 26 | +| 3 | 12% | 18 | +| 4 | 23% | 34 | +| 5 | 27% | 40 | +| *Grand Total* | *100%* | *150* | + +** My Studying Habits +:PROPERTIES: +:CUSTOM_ID: my-studying-habits +:END: +This part is a little hard for me to break down into specific detail due +to the craziness of the last year. While I officially purchased my +studying materials in December 2020 and opened them to "start studying" +in January 2021, I really wasn't able to study much due to the demands +of my job and personal life. Let me approach this from a few different viewpoints. -### Study Materials - -Let's start by discussing the study materials I purchased. I'll be referring to -#1 as the CRM and #2 as the QAE. - -1. [CISA Review Manual, 27th Edition | Print](https://store.isaca.org/s/store#/store/browse/detail/a2S4w000004KoCbEAK) -2. [CISA Review Questions, Answers & Explanations Manual, 12th Edition | Print](https://store.isaca.org/s/store#/store/browse/detail/a2S4w000004KoCcEAK) - -The CRM is an excellent source of information and could honestly be used as a -reference for most IS auditors as a learning reference during their daily audit -responsibilities. However, it is **full** of information and can be overloading -if you're not good at filtering out useless information while studying. - -The QAE is the real star of the show here. This book contains 1000 questions, -separated by exam section, and a practice exam. My only complaint about the QAE -is that each question is immediately followed with the correct answer and -explanations below it, which means I had to use something to constantly cover -the answers while I was studying. - -I didn't use the online database version of the QAE, but I've heard that it's -easier to use than the printed book. However, it is more expensive ($299 -database vs $129 book) which might be important if you're paying for materials -yourself. - -In terms of question difficulty, I felt that the QAE was a good representation -of the actual exam. I've seen a lot of people online say it wasn't accurate to -the exam or that it was much easier/harder, but I disagree with all of those. -The exam was fairly similar to the QAE, just focusing on whichever topics they -chose for my version of the exam. - -If you understand the concepts, skim the CRM (and read in-depth on topics you -struggle with), and use the QAE to continue practicing exam-like questions, you -should be fine. I didn't use any online courses, videos, etc. - the ISACA -materials are more than enough. - -### Studying Process - -While I was able to briefly read through sections 1 and 2 in early 2021, I had -to stop and take a break from February/March to September. -I switched jobs in September, which allowed me a lot more free time to study. - -In September, I studied sections 3-5, took notes, and did a quick review of the -section topics. Once I felt comfortable with my notes, I took a practice exam -from the QAE manual and scored 70% (105/150). +*** Study Materials +:PROPERTIES: +:CUSTOM_ID: study-materials +:END: +Let's start by discussing the study materials I purchased. I'll be +referring to #1 as the CRM and #2 as the QAE. + +1. [[https://store.isaca.org/s/store#/store/browse/detail/a2S4w000004KoCbEAK][CISA + Review Manual, 27th Edition | Print]] +2. [[https://store.isaca.org/s/store#/store/browse/detail/a2S4w000004KoCcEAK][CISA + Review Questions, Answers & Explanations Manual, 12th Edition | + Print]] + +The CRM is an excellent source of information and could honestly be used +as a reference for most IS auditors as a learning reference during their +daily audit responsibilities. However, it is *full* of information and +can be overloading if you're not good at filtering out useless +information while studying. + +The QAE is the real star of the show here. This book contains 1000 +questions, separated by exam section, and a practice exam. My only +complaint about the QAE is that each question is immediately followed +with the correct answer and explanations below it, which means I had to +use something to constantly cover the answers while I was studying. + +I didn't use the online database version of the QAE, but I've heard that +it's easier to use than the printed book. However, it is more expensive +($299 database vs $129 book) which might be important if you're paying +for materials yourself. + +In terms of question difficulty, I felt that the QAE was a good +representation of the actual exam. I've seen a lot of people online say +it wasn't accurate to the exam or that it was much easier/harder, but I +disagree with all of those. The exam was fairly similar to the QAE, just +focusing on whichever topics they chose for my version of the exam. + +If you understand the concepts, skim the CRM (and read in-depth on +topics you struggle with), and use the QAE to continue practicing +exam-like questions, you should be fine. I didn't use any online +courses, videos, etc. - the ISACA materials are more than enough. + +*** Studying Process +:PROPERTIES: +:CUSTOM_ID: studying-process +:END: +While I was able to briefly read through sections 1 and 2 in early 2021, +I had to stop and take a break from February/March to September. I +switched jobs in September, which allowed me a lot more free time to +study. + +In September, I studied sections 3-5, took notes, and did a quick review +of the section topics. Once I felt comfortable with my notes, I took a +practice exam from the QAE manual and scored 70% (105/150). Here's a breakdown of my initial practice exam: -| Exam Section | Incorrect | Correct | Grand Total | Percent | -|:---------------:|:---------:|:-------:|:-----------:|:-------:| -| 1 | 8 | 25 | 33 | 76% | -| 2 | 5 | 20 | 25 | 80% | -| 3 | 6 | 12 | 18 | 67% | -| 4 | 10 | 23 | 33 | 70% | -| 5 | 16 | 25 | 41 | 61% | -| **Grand Total** | **45** | **105** | **150** | **70%** | +| Exam Section | Incorrect | Correct | Grand Total | Percent | +|---------------+-----------+---------+-------------+---------| +| 1 | 8 | 25 | 33 | 76% | +| 2 | 5 | 20 | 25 | 80% | +| 3 | 6 | 12 | 18 | 67% | +| 4 | 10 | 23 | 33 | 70% | +| 5 | 16 | 25 | 41 | 61% | +| *Grand Total* | *45* | *105* | *150* | *70%* | As I expected, my toughest sections were related to project management, development, implementation, and security. -This just leaves October and November. For these months, I tried to practice -every few days, doing 10 questions for each section, until the exam. This came -out to 13 practice sessions, ~140 questions per section, and ~700 questions -total. - -While some practice sessions were worse and some were better, the final results -were similar to my practice exam results. As you can see below, my averages were -slightly worse than my practice exam. However, I got in over 700 questions of -practice and, most importantly, **I read through the explanations every time I -answered incorrectly and learned from my mistakes**. - -| Exam Section | Incorrect | Correct | Grand Total | Percent | -|:---------------:|:---------:|:-------:|:-----------:|:-------:| -| 1 | 33 | 108 | 141 | 77% | -| 2 | 33 | 109 | 142 | 77% | -| 3 | 55 | 89 | 144 | 62% | -| 4 | 52 | 88 | 140 | 63% | -| 5 | 55 | 85 | 140 | 61% | -| **Grand Total** | **228** | **479** | **707** | **68%** | - - - -## Results - -Now, how do the practice scores reflect my actual results? -After all, it's hard to tell how good a practice regimen is unless you see -how it turns out. - -| Exam Section | Section Name | Score | -|:------------:|------------------------------------------------------------------|:-------:| -| 1 | Information Systems Auditing Process | 678 | -| 2 | Governance and Management of IT | 590 | -| 3 | Information Systems Acquisition, Development, and Implementation | 721 | -| 4 | Information Systems Operations and Business Resilience | 643 | -| 5 | Protection of Information Assets | 511 | -| **TOTAL** | | **616** | - -Now, in order to pass the CISA, you need at least 450 on a sliding scale of -200-800. Personally, I really have no clue what an average CISA score is. After -a _very_ brief look online, I can see that the high end is usually in the low -700s. In addition, only about 50-60% of people pass the exam. - -Given this information, I feel great about my scores. -616 may not be phenomenal, and I wish I had done better on sections 2 & 5, -but my practicing seems to have worked very well overall. - -However, the practice results do not conform to the actual results. Section 2 -was one of my highest practice sections and was my second-lowest score in the -exam. Conversely, section 3 was my second-lowest practice section and turned out -to be my highest actual score! - -After reflecting, it is obvious that if you have any background on the CISA -topics at all, the most important part of studying is doing practice questions. -You really need to understand how to read the questions critically and pick the -best answer. - -## Looking Forward - -I am extremely happy that I was finally able to pass the CISA. Looking to the -future, I'm not sure what's next in terms of professional learning. My current -company offers internal learning courses, so I will most likely focus on that if -I need to gain more knowledge in certain areas. - -To be fair, even if you pass the CISA, it's hard to become an expert on any -specific topic found within. -My career may take me in a different direction, and I might need to focus -more on security or networking certifications (or possibly building a better -analysis/visualization portfolio if I want to go into data analysis/science). +This just leaves October and November. For these months, I tried to +practice every few days, doing 10 questions for each section, until the +exam. This came out to 13 practice sessions, ~140 questions per section, +and ~700 questions total. + +While some practice sessions were worse and some were better, the final +results were similar to my practice exam results. As you can see below, +my averages were slightly worse than my practice exam. However, I got in +over 700 questions of practice and, most importantly, *I read through +the explanations every time I answered incorrectly and learned from my +mistakes*. + +| Exam Section | Incorrect | Correct | Grand Total | Percent | +|---------------+-----------+---------+-------------+---------| +| 1 | 33 | 108 | 141 | 77% | +| 2 | 33 | 109 | 142 | 77% | +| 3 | 55 | 89 | 144 | 62% | +| 4 | 52 | 88 | 140 | 63% | +| 5 | 55 | 85 | 140 | 61% | +| *Grand Total* | *228* | *479* | *707* | *68%* | + +#+caption: CISA practice question results +[[https://img.cleberg.net/blog/20211204-i-passed-the-cisa/cisa-practice-questions-results.png]] + +** Results +:PROPERTIES: +:CUSTOM_ID: results +:END: +Now, how do the practice scores reflect my actual results? After all, +it's hard to tell how good a practice regimen is unless you see how it +turns out. + +| Exam Section | Section Name | Score | +|--------------+------------------------------------------------------------------+-------| +| 1 | Information Systems Auditing Process | 678 | +| 2 | Governance and Management of IT | 590 | +| 3 | Information Systems Acquisition, Development, and Implementation | 721 | +| 4 | Information Systems Operations and Business Resilience | 643 | +| 5 | Protection of Information Assets | 511 | +| *TOTAL* | | *616* | + +Now, in order to pass the CISA, you need at least 450 on a sliding scale +of 200-800. Personally, I really have no clue what an average CISA score +is. After a /very/ brief look online, I can see that the high end is +usually in the low 700s. In addition, only about 50-60% of people pass +the exam. + +Given this information, I feel great about my scores. 616 may not be +phenomenal, and I wish I had done better on sections 2 & 5, but my +practicing seems to have worked very well overall. + +However, the practice results do not conform to the actual results. +Section 2 was one of my highest practice sections and was my +second-lowest score in the exam. Conversely, section 3 was my +second-lowest practice section and turned out to be my highest actual +score! + +After reflecting, it is obvious that if you have any background on the +CISA topics at all, the most important part of studying is doing +practice questions. You really need to understand how to read the +questions critically and pick the best answer. + +** Looking Forward +:PROPERTIES: +:CUSTOM_ID: looking-forward +:END: +I am extremely happy that I was finally able to pass the CISA. Looking +to the future, I'm not sure what's next in terms of professional +learning. My current company offers internal learning courses, so I will +most likely focus on that if I need to gain more knowledge in certain +areas. + +To be fair, even if you pass the CISA, it's hard to become an expert on +any specific topic found within. My career may take me in a different +direction, and I might need to focus more on security or networking +certifications (or possibly building a better analysis/visualization +portfolio if I want to go into data analysis/science). All I know is that I am content at the moment and extremely proud of my accomplishment. diff --git a/blog/2022-02-10-leaving-the-office.org b/blog/2022-02-10-leaving-the-office.org index 2e30f3e..df5fc33 100644 --- a/blog/2022-02-10-leaving-the-office.org +++ b/blog/2022-02-10-leaving-the-office.org @@ -1,227 +1,274 @@ -+++ -date = 2022-02-10 -title = "Leaving Office-Based Work In the Past" -description = "As the world moves on from the before-times, I'm taking a look back on how working from different office environments affected my effectiveness and comfort." -draft = false -+++ - -## The Working World is Changing - -There has been a trend for the past few years of companies slowly realizing that -the pandemic is not just a temporary state that will go away eventually and let -everything return to the way it was before. In terms of business and employment, -this means that more and more jobs are being offered as permanently remote -roles. +#+title: Leaving Office-Based Work In the Past +#+date: 2022-02-10 + +** The Working World is Changing +:PROPERTIES: +:CUSTOM_ID: the-working-world-is-changing +:END: +There has been a trend for the past few years of companies slowly +realizing that the pandemic is not just a temporary state that will go +away eventually and let everything return to the way it was before. In +terms of business and employment, this means that more and more jobs are +being offered as permanently remote roles. I had always dreamt of working from home but thought of it as a fantasy, -especially since I did not want to move over into the software development -field. However, I have found that almost all roles being sent to me via -recruiters are permanently remote (although most are limited to US citizens or -even region-locked for companies who only operate in select states). - -I decided to take a look back at my relatively short career so far and compare -the positive and negative effects of the different work environments I've been -in. - -## In-Person Offices - -### Retail Internship - -I started my first job as a management intern at a busy retail pharmacy, working -my 40-hour weeks on my feet. -As these retail stores don't believe in resting or sitting down, you can -guarantee that you will spend entire shifts standing, walking, or running -around the store. -Unfortunately, I worked at a time when our store didn't have enough managers, -so I spent the majority of my tenure at the store running and breaking a sweat. - -Now, things aren't all bad in retail stores like this. It is definitely tiring -and inefficient to force employees to work constantly, or pretend to work if -there's nothing to do, and not allow anyone to sit down. However, if you are -able to operate a retail store with a limited crew and provide enough comfort -and support, I believe these jobs could be both comfortable and efficient. - -### Semi-Private Cubicles - - - -After about a year, I was able to find another internship - this time, it was in -my field of interest: internal auditing. This was for a life insurance company -that was well over 100 years old. The age of the company shows if you work -there, as most people in management are well into their 40s-60s with little to -no youthful leadership in the company. -Likewise, they owned a large headquarters in a nice area of town with plenty -of space, parking, etc. - -One upside is that each person gets their own large L-shaped desk, formed into -cubicles that house 4 desks/employees. These "pods" of 4-person cubicles are -linked throughout each floor of the headquarters (except the sales -people, who had that open-floor concept going on). The walls of the cubicle were -tall and provided a lot of privacy and sound-proofing, except when I used the -standing desk feature (I'm over 6 feet tall, so probably not an issue for most -people). +especially since I did not want to move over into the software +development field. However, I have found that almost all roles being +sent to me via recruiters are permanently remote (although most are +limited to US citizens or even region-locked for companies who only +operate in select states). + +I decided to take a look back at my relatively short career so far and +compare the positive and negative effects of the different work +environments I've been in. + +** In-Person Offices +:PROPERTIES: +:CUSTOM_ID: in-person-offices +:END: +*** Retail Internship +:PROPERTIES: +:CUSTOM_ID: retail-internship +:END: +I started my first job as a management intern at a busy retail pharmacy, +working my 40-hour weeks on my feet. As these retail stores don't +believe in resting or sitting down, you can guarantee that you will +spend entire shifts standing, walking, or running around the store. +Unfortunately, I worked at a time when our store didn't have enough +managers, so I spent the majority of my tenure at the store running and +breaking a sweat. + +Now, things aren't all bad in retail stores like this. It is definitely +tiring and inefficient to force employees to work constantly, or pretend +to work if there's nothing to do, and not allow anyone to sit down. +However, if you are able to operate a retail store with a limited crew +and provide enough comfort and support, I believe these jobs could be +both comfortable and efficient. + +*** Semi-Private Cubicles +:PROPERTIES: +:CUSTOM_ID: semi-private-cubicles +:END: +#+caption: Semi-Private Cubicles +[[https://img.cleberg.net/blog/20220210-leaving-office-based-work-in-the-past/private_cubicles.png]] + +After about a year, I was able to find another internship - this time, +it was in my field of interest: internal auditing. This was for a life +insurance company that was well over 100 years old. The age of the +company shows if you work there, as most people in management are well +into their 40s-60s with little to no youthful leadership in the company. +Likewise, they owned a large headquarters in a nice area of town with +plenty of space, parking, etc. + +One upside is that each person gets their own large L-shaped desk, +formed into cubicles that house 4 desks/employees. These "pods" of +4-person cubicles are linked throughout each floor of the headquarters +(except the sales people, who had that open-floor concept going on). The +walls of the cubicle were tall and provided a lot of privacy and +sound-proofing, except when I used the standing desk feature (I'm over 6 +feet tall, so probably not an issue for most people). I loved this environment, it allowed me to focus on my work with minimal -distractions, but also allowed easy access, so I could spin around in my chair -and chat with my friends without leaving my chair. This is the closest I've been -to a home office environment (which is my personal favorite, as I'll get to -later in this post). - -### Semi-Open Floor Concept - - - -When I shifted to my first full-time internal audit job out of college, I was -working at a company that was headquartered on a floor in a downtown high-rise -building. The company was only about 20 years old when I worked there and were -trying a lot of new things to attract young talent, one of which was a -semi-open floor concept for the office. My department worked just around the -hallway corner from the executive offices and used that "modern" layout young -tech companies started using in the 2000s/2010s. - -Each desk was brief, and you could look most coworkers in the face without -moving from your chair, I hated this so much. -Directly to my left was the Chief Audit Executive (our department's leading -boss), and his desk was pointed so that his face would stare straight at my -desk all day. -I spent more time thinking about who was looking at me or checking on me -than actually working. - -The other annoying part of the open concept they used was that the kitchen area -and pathways were too close to everyone's desks (since the desks were spread -out, to provide space or something), so noise and conversation would be constant -throughout the day while you try to work. For someone like me, who needs silence -to get work done, that was a non-starter. - -### Hotel Office Concept - - - -I currently work for a company remotely (for now) and travel to the office every -once in a while for events and to help coach the staff underneath me. The office -I visit uses the hotel desk concept, where you need to check in at a touch -screen when you enter the office and "rent" a desk for the day. The same goes -for offices and meeting rooms. - -These desks are flat-top only and do not have any walls at all. In addition, -they're stacked with one row of 4 desks facing another row of 4 desks. These -pairs of desk rows are repeated through the office. - -This means that when I go, I need to rent a random desk or try to remember the -unique ID numbers on desks I like. Once I rent it, I have to make sure no one -sat down in that desk without renting it. Then, I can sit down and work, but -will probably need to adjust the monitors so that I'm not staring in the face of -the person across from me all day. Finally, I need to wear headphones as this -environment does nothing to provide you with peace or quiet. - -Luckily, you can rent offices with doors that offer quiet and privacy, which can -be very nice if you have a lot of meetings or webinars on a certain day. - -## Home Office - - - -Okay, now let's finally get to the home office concept. I have worked from home -for a little over two years at this point, across three different -jobs/employers. Over this time, I have experimented with a plethora of different -organizational ideas, desks, and room layouts to find what works best for me. - -These things might not apply to you, and that's fine. -Everyone has a different situation, and I really don't think you'll know -what works until you try. - -### Tip #1 - +distractions, but also allowed easy access, so I could spin around in my +chair and chat with my friends without leaving my chair. This is the +closest I've been to a home office environment (which is my personal +favorite, as I'll get to later in this post). + +*** Semi-Open Floor Concept +:PROPERTIES: +:CUSTOM_ID: semi-open-floor-concept +:END: +#+caption: Semi-Open Floor Concept +[[https://img.cleberg.net/blog/20220210-leaving-office-based-work-in-the-past/semi_open_office.png]] + +When I shifted to my first full-time internal audit job out of college, +I was working at a company that was headquartered on a floor in a +downtown high-rise building. The company was only about 20 years old +when I worked there and were trying a lot of new things to attract young +talent, one of which was a semi-open floor concept for the office. My +department worked just around the hallway corner from the executive +offices and used that "modern" layout young tech companies started using +in the 2000s/2010s. + +Each desk was brief, and you could look most coworkers in the face +without moving from your chair, I hated this so much. Directly to my +left was the Chief Audit Executive (our department's leading boss), and +his desk was pointed so that his face would stare straight at my desk +all day. I spent more time thinking about who was looking at me or +checking on me than actually working. + +The other annoying part of the open concept they used was that the +kitchen area and pathways were too close to everyone's desks (since the +desks were spread out, to provide space or something), so noise and +conversation would be constant throughout the day while you try to work. +For someone like me, who needs silence to get work done, that was a +non-starter. + +*** Hotel Office Concept +:PROPERTIES: +:CUSTOM_ID: hotel-office-concept +:END: +#+caption: Hotel Office Concept +[[https://img.cleberg.net/blog/20220210-leaving-office-based-work-in-the-past/hotel_desks.png]] + +I currently work for a company remotely (for now) and travel to the +office every once in a while for events and to help coach the staff +underneath me. The office I visit uses the hotel desk concept, where you +need to check in at a touch screen when you enter the office and "rent" +a desk for the day. The same goes for offices and meeting rooms. + +These desks are flat-top only and do not have any walls at all. In +addition, they're stacked with one row of 4 desks facing another row of +4 desks. These pairs of desk rows are repeated through the office. + +This means that when I go, I need to rent a random desk or try to +remember the unique ID numbers on desks I like. Once I rent it, I have +to make sure no one sat down in that desk without renting it. Then, I +can sit down and work, but will probably need to adjust the monitors so +that I'm not staring in the face of the person across from me all day. +Finally, I need to wear headphones as this environment does nothing to +provide you with peace or quiet. + +Luckily, you can rent offices with doors that offer quiet and privacy, +which can be very nice if you have a lot of meetings or webinars on a +certain day. + +** Home Office +:PROPERTIES: +:CUSTOM_ID: home-office +:END: +#+caption: Home Office +[[https://img.cleberg.net/blog/20220210-leaving-office-based-work-in-the-past/home_office.png]] + +Okay, now let's finally get to the home office concept. I have worked +from home for a little over two years at this point, across three +different jobs/employers. Over this time, I have experimented with a +plethora of different organizational ideas, desks, and room layouts to +find what works best for me. + +These things might not apply to you, and that's fine. Everyone has a +different situation, and I really don't think you'll know what works +until you try. + +*** Tip #1 +:PROPERTIES: +:CUSTOM_ID: tip-1 +:END: Let's start with my top rule for a home office: -> If you live with others, working in a shared space is not effective. +#+begin_quote +If you live with others, working in a shared space is not effective. -It just does not work. -If you have another person sleeping in your bedroom, it is difficult to -manage your work schedule with their sleeping/work/school schedule. -If they wake up after you need to start work, you might wake them up -or have to suffer the agony of staring at bright screens in a dark room. +#+end_quote -In a similar vein, working from a location such as the living room likely won't -work either. -Distractions will come far more frequently: televisions, cooking, cleaning, -deliveries, etc. If you're like me, you'll end up playing a game instead of -actually doing any work. +It just does not work. If you have another person sleeping in your +bedroom, it is difficult to manage your work schedule with their +sleeping/work/school schedule. If they wake up after you need to start +work, you might wake them up or have to suffer the agony of staring at +bright screens in a dark room. -### Tip #2 +In a similar vein, working from a location such as the living room +likely won't work either. Distractions will come far more frequently: +televisions, cooking, cleaning, deliveries, etc. If you're like me, +you'll end up playing a game instead of actually doing any work. +*** Tip #2 +:PROPERTIES: +:CUSTOM_ID: tip-2 +:END: Okay, the second thing I've discovered that works for me: -> Use the pomodoro method (or something similar) to balance work tasks with -> personal tasks. - -I use a very casual version of the pomodoro method where I will work for 1-2 -hours (usually set in strict intervals like 1, 1.5, 2 hours) and then will allow -myself 30-60 minutes for personal tasks. This schedule works for me, since my -work schedule really only comes to 3-6 hours of work per day. - -In this case, I'll work through my list of tasks for an hour or two and then -give myself personal time to get drinks and food, wash dishes, put clothes in -the washer, get the mail, etc. If you're in a convenient location, this usually -gives time for things like getting groceries (as long as you're not a slow -shopper). - -### Tip #3 - -While I listed this one as number three, I don't think I'd accomplish anything -without it: - -> Document everything: even things you didn't before - such as task lists and -> notes from casual calls or meetings. - -I've noticed that staying in an office gave me more constant reminders of -outstanding tasks or facts I had learned in a conversation. Translating -everything to a digital world has made me lose a bit of that focus (perhaps -since I don't have visual reminders?). - -Keeping a running task list of all things I have to do - even potential tasks! - -has helped me keep up without missing anything small. Likewise, keeping notes -for ALL meetings and calls, no matter how casual/quick, has improved my -retention immensely. Beyond helping my mental recollection, it has saved me -numerous times when I need to do a keyword search for some topic that was discussed -6+ months ago. - -### Tip #4 - +#+begin_quote +Use the pomodoro method (or something similar) to balance work tasks +with personal tasks. + +#+end_quote + +I use a very casual version of the pomodoro method where I will work for +1-2 hours (usually set in strict intervals like 1, 1.5, 2 hours) and +then will allow myself 30-60 minutes for personal tasks. This schedule +works for me, since my work schedule really only comes to 3-6 hours of +work per day. + +In this case, I'll work through my list of tasks for an hour or two and +then give myself personal time to get drinks and food, wash dishes, put +clothes in the washer, get the mail, etc. If you're in a convenient +location, this usually gives time for things like getting groceries (as +long as you're not a slow shopper). + +*** Tip #3 +:PROPERTIES: +:CUSTOM_ID: tip-3 +:END: +While I listed this one as number three, I don't think I'd accomplish +anything without it: + +#+begin_quote +Document everything: even things you didn't before - such as task lists +and notes from casual calls or meetings. + +#+end_quote + +I've noticed that staying in an office gave me more constant reminders +of outstanding tasks or facts I had learned in a conversation. +Translating everything to a digital world has made me lose a bit of that +focus (perhaps since I don't have visual reminders?). + +Keeping a running task list of all things I have to do - even potential +tasks! - has helped me keep up without missing anything small. Likewise, +keeping notes for ALL meetings and calls, no matter how casual/quick, +has improved my retention immensely. Beyond helping my mental +recollection, it has saved me numerous times when I need to do a keyword +search for some topic that was discussed 6+ months ago. + +*** Tip #4 +:PROPERTIES: +:CUSTOM_ID: tip-4 +:END: Okay, last one for now. -> Keep your work area clean. +#+begin_quote +Keep your work area clean. -This one is straightforward, but I know some people struggle with cleanliness or -may not believe it makes a difference. Trust me, keeping your desk area clean -and organized makes a huge difference, both mentally and emotionally. +#+end_quote -Just think about it, you walk into your home office and see a clean desk with a -laptop, dock, monitors, keyboard, mouse, and a notepad with a pen on top. +This one is straightforward, but I know some people struggle with +cleanliness or may not believe it makes a difference. Trust me, keeping +your desk area clean and organized makes a huge difference, both +mentally and emotionally. -Now imagine the opposite, there's an office with the same equipment, but there -are clothes hanging on the chair, empty drink bottles, candy wrappers and dirty -plates. This can take both a mental and emotional toll by bringing constant -disarray and stress into your working environment. +Just think about it, you walk into your home office and see a clean desk +with a laptop, dock, monitors, keyboard, mouse, and a notepad with a pen +on top. -Just keep things clean each day, and you won't need to do any big cleaning days -to recover. +Now imagine the opposite, there's an office with the same equipment, but +there are clothes hanging on the chair, empty drink bottles, candy +wrappers and dirty plates. This can take both a mental and emotional +toll by bringing constant disarray and stress into your working +environment. -## My Preferences +Just keep things clean each day, and you won't need to do any big +cleaning days to recover. -I've talked about the different environments I've worked in and expressed some -honest thoughts on pros or cons to each, but what do I prefer? Well, if you're -reading along, you should be able to tell that I much prefer a home office above -all else. +** My Preferences +:PROPERTIES: +:CUSTOM_ID: my-preferences +:END: +I've talked about the different environments I've worked in and +expressed some honest thoughts on pros or cons to each, but what do I +prefer? Well, if you're reading along, you should be able to tell that I +much prefer a home office above all else. -Being able to control my own day and allot my time as needed has brought a -calmness to my life and has allowed me to maximize each day. I feel far more -effective and efficient in a home office than any other office, especially -open-office layouts. +Being able to control my own day and allot my time as needed has brought +a calmness to my life and has allowed me to maximize each day. I feel +far more effective and efficient in a home office than any other office, +especially open-office layouts. -If I do need to return to an office part-time in the future, I really hope the -office will have privacy and quietness in order for me to get my work done. +If I do need to return to an office part-time in the future, I really +hope the office will have privacy and quietness in order for me to get +my work done. Cubicles are good! I agree with Alice (from the comic Dilbert): - +#+caption: Dilbert comic strip +[[https://img.cleberg.net/blog/20220210-leaving-office-based-work-in-the-past/dilbert_120109.png]] diff --git a/blog/2022-02-16-debian-and-nginx.org b/blog/2022-02-16-debian-and-nginx.org index 50cadf9..39ab36c 100644 --- a/blog/2022-02-16-debian-and-nginx.org +++ b/blog/2022-02-16-debian-and-nginx.org @@ -1,76 +1,78 @@ -+++ -date = 2022-02-16 -title = "Migrating to a New Web Server Setup with Debian, Nginx, and Agate" -description = "I've finally taken the leap of faith on two different technologies for the first time: trying out Debian as my main server OS and Nginx as my web server software." -draft = false -+++ - -## Server OS: Debian - - - -I've used various Linux distributions throughout the years, but I've never used -anything except Ubuntu for my servers. -Why? -I really have no idea, mostly just comfort around the commands and software -availability. - -However, I have always wanted to try Debian as a server OS after testing it out -in a VM a few years ago (side-note: I'd love to try Alpine too, but I always -struggle with compatibility). So, I decided to launch a new VPS and use -[Debian](https://www.debian.org) 11 as the OS. Spoiler alert: it feels identical -to Ubuntu for my purposes. - -I did the normal things when first launching the VPS, such as adding a new user, -locking down SSH, etc. If you want to see that level of detail, read my other -post about -[How to Set Up a VPS Web Server](https://cleberg.net/blog/how-to-set-up-a-vps-web-server/). - -All of this has been similar, apart from small things such as the location of -users' home folders. No complaints at all from me - Debian seems great. - -## Web Server: Nginx - - - -Once I had the baseline server configuration set-up for Debian, I moved on to -trying out [Nginx](https://nginx.org) as my web server software. This required -me to install the `nginx` and `ufw` packages, as well as setting up the initial -UFW config: - -```sh +#+title: Migrating to a New Web Server Setup with Debian, Nginx, and Agate +#+date: 2022-02-16 + +** Server OS: Debian +:PROPERTIES: +:CUSTOM_ID: server-os-debian +:END: +#+caption: Debian + neofetch +[[https://img.cleberg.net/blog/20220216-migrating-to-debian-and-nginx/neofetch.png]] + +I've used various Linux distributions throughout the years, but I've +never used anything except Ubuntu for my servers. Why? I really have no +idea, mostly just comfort around the commands and software availability. + +However, I have always wanted to try Debian as a server OS after testing +it out in a VM a few years ago (side-note: I'd love to try Alpine too, +but I always struggle with compatibility). So, I decided to launch a new +VPS and use [[https://www.debian.org][Debian]] 11 as the OS. Spoiler +alert: it feels identical to Ubuntu for my purposes. + +I did the normal things when first launching the VPS, such as adding a +new user, locking down SSH, etc. If you want to see that level of +detail, read my other post about +[[https://cleberg.net/blog/how-to-set-up-a-vps-web-server/][How to Set +Up a VPS Web Server]]. + +All of this has been similar, apart from small things such as the +location of users' home folders. No complaints at all from me - Debian +seems great. + +** Web Server: Nginx +:PROPERTIES: +:CUSTOM_ID: web-server-nginx +:END: +#+caption: Nginx status +[[https://img.cleberg.net/blog/20220216-migrating-to-debian-and-nginx/nginx.png]] + +Once I had the baseline server configuration set-up for Debian, I moved +on to trying out [[https://nginx.org][Nginx]] as my web server software. +This required me to install the =nginx= and =ufw= packages, as well as +setting up the initial UFW config: + +#+begin_src sh sudo apt install nginx ufw sudo ufw allow 'Nginx Full' sudo ufw allow SSH sudo ufw enable sudo ufw status sudo systemctl status nginx -``` +#+end_src -Once I had the firewall set, I moved on to creating the directories and files -for my website. This is very easy and is basically the same as setting up an -Apache server, so no struggles here. +Once I had the firewall set, I moved on to creating the directories and +files for my website. This is very easy and is basically the same as +setting up an Apache server, so no struggles here. -```sh +#+begin_src sh sudo mkdir -p /var/www/your_domain/html sudo chown -R $USER:$USER /var/www/your_domain/html sudo chmod -R 755 /var/www/your_domain nano /var/www/your_domain/html/index.html -``` +#+end_src -The next part, creating the Nginx configuration files, is quite a bit different -from Apache. First, you need to create the files in the `sites-available` folder -and symlink it the `sites-enabled` folder. +The next part, creating the Nginx configuration files, is quite a bit +different from Apache. First, you need to create the files in the +=sites-available= folder and symlink it the =sites-enabled= folder. Creating the config file for your domain: -```sh +#+begin_src sh sudo nano /etc/nginx/sites-available/your_domain -``` +#+end_src Default content for an Nginx config file: -```sh +#+begin_src sh server { listen 80; listen [::]:80; @@ -84,42 +86,43 @@ server { try_files $uri $uri/ =404; } } -``` +#+end_src Finally, symlink it together: -```sh +#+begin_src sh sudo ln -s /etc/nginx/sites-available/your_domain /etc/nginx/sites-enabled/ -``` +#+end_src This will make your site available to the public (as long as you have -`your_domain` DNS records pointed at the server's IP address)! +=your_domain= DNS records pointed at the server's IP address)! -Next, I used [certbot](https://certbot.eff.org/) to issue an HTTPS certificate -for my domains using the following commands: +Next, I used [[https://certbot.eff.org/][certbot]] to issue an HTTPS +certificate for my domains using the following commands: -```sh +#+begin_src sh sudo apt install snapd; sudo snap install core; sudo snap refresh core sudo snap install --classic certbot sudo ln -s /snap/bin/certbot /usr/bin/certbot sudo certbot --nginx -``` +#+end_src -Now that certbot ran successfully and updated my Nginx config files to include a -`443` server block of code, I went back in and edited the config file to include -security HTTP headers. This part is optional, but is recommended for security -purposes; you can even test a website's HTTP header security at -[Security Headers](https://securityheaders.com/). +Now that certbot ran successfully and updated my Nginx config files to +include a =443= server block of code, I went back in and edited the +config file to include security HTTP headers. This part is optional, but +is recommended for security purposes; you can even test a website's HTTP +header security at [[https://securityheaders.com/][Security Headers]]. -The configuration below shows a set-up where you only want your website to serve -content from its own domain, except for images and scripts, which may come from -`nullitics.com`. All other content would be blocked from loading in a browser. +The configuration below shows a set-up where you only want your website +to serve content from its own domain, except for images and scripts, +which may come from =nullitics.com=. All other content would be blocked +from loading in a browser. -```sh +#+begin_src sh sudo nano /etc/nginx/sites-available/your_domain -``` +#+end_src -```sh +#+begin_src sh server { ... add_header Content-Security-Policy "default-src 'none'; img-src 'self' https://nullitics.com; script-src 'self' https://nullitics.com; style-src 'self'; font-src 'self'"; @@ -130,46 +133,50 @@ server { add_header Referrer-Policy "no-referrer"; ... } -``` +#+end_src -```sh +#+begin_src sh sudo systemctl restart nginx -``` - -### Nginx vs. Apache - -As I stated at the beginning, my historical hesitation with trying Nginx was -that the differences in configuration formats scared me away from leaving -Apache. -However, I prefer Nginx to Apache for a few reasons: - -1. Nginx uses only one config file (`your_domain`) vs. Apache's two-file - approach for HTTP vs. HTTPS (`your_domain.conf` and - `your_domain-le-ssl.conf`). -2. Symlinking new configurations files and reloading Nginx are way easier than - Apache's process of having to enable headers with `a2enmod mod_headers`, - enable PHP with `a2enmod php` (plus any other mods you need), and then - enabling sites with `a2ensite`, and THEN reloading Apache. -3. The contents of the Nginx config files seem more organized and logical with - the curly-bracket approach. - This is a minor reason, but everything just felt cleaner while I was - installing my sites and that had a big quality of life impact on the - installation for me. - -They're both great software packages, but Nginx just seems more organized and -easier to use these days. -I will certainly be exploring the Nginx docs to see what other fun things I -can do with all of this. - -## Gemini Server: Agate - - - -Finally, I set up the Agate software on this server again to host my Gemini -server content, using Rust as I have before. -You can read my other post for more information on installing Agate: -[Hosting a Gemini Server](https://cleberg.net/blog/hosting-a-gemini-server/). - -All in all, Debian + Nginx is very slick and I prefer it over my old combination -of Ubuntu + Apache (although it's really just Nginx > Apache for me, since -Debian seems mostly the same as Ubuntu is so far). +#+end_src + +*** Nginx vs. Apache +:PROPERTIES: +:CUSTOM_ID: nginx-vs.-apache +:END: +As I stated at the beginning, my historical hesitation with trying Nginx +was that the differences in configuration formats scared me away from +leaving Apache. However, I prefer Nginx to Apache for a few reasons: + +1. Nginx uses only one config file (=your_domain=) vs. Apache's two-file + approach for HTTP vs. HTTPS (=your_domain.conf= and + =your_domain-le-ssl.conf=). +2. Symlinking new configurations files and reloading Nginx are way + easier than Apache's process of having to enable headers with + =a2enmod mod_headers=, enable PHP with =a2enmod php= (plus any other + mods you need), and then enabling sites with =a2ensite=, and THEN + reloading Apache. +3. The contents of the Nginx config files seem more organized and + logical with the curly-bracket approach. This is a minor reason, but + everything just felt cleaner while I was installing my sites and that + had a big quality of life impact on the installation for me. + +They're both great software packages, but Nginx just seems more +organized and easier to use these days. I will certainly be exploring +the Nginx docs to see what other fun things I can do with all of this. + +** Gemini Server: Agate +:PROPERTIES: +:CUSTOM_ID: gemini-server-agate +:END: +#+caption: Agate status +[[https://img.cleberg.net/blog/20220216-migrating-to-debian-and-nginx/agate.png]] + +Finally, I set up the Agate software on this server again to host my +Gemini server content, using Rust as I have before. You can read my +other post for more information on installing Agate: +[[https://cleberg.net/blog/hosting-a-gemini-server/][Hosting a Gemini +Server]]. + +All in all, Debian + Nginx is very slick and I prefer it over my old +combination of Ubuntu + Apache (although it's really just Nginx > Apache +for me, since Debian seems mostly the same as Ubuntu is so far). diff --git a/blog/2022-02-17-exiftool.org b/blog/2022-02-17-exiftool.org index acb2f6b..790e1a1 100644 --- a/blog/2022-02-17-exiftool.org +++ b/blog/2022-02-17-exiftool.org @@ -1,63 +1,67 @@ -+++ -date = 2022-02-17 -title = "Stripping Image Metadata with exiftool" -description = "Become a h@ck3r (i.e., just protect your privacy) by using the exiftool command line package to strip metadata from images." -draft = false -+++ - -## Why Strip Metadata? - -Okay, so you want to strip metadata from your photos. Perhaps you take pictures -of very rare birds, and the location metadata is a gold mine for poachers, or -perhaps you're just privacy-oriented like me and prefer to strip metadata from -publicly-available images. - -There are various components of image metadata that you may want to delete -before releasing a photo to the public. Here's an incomplete list of things I -could easily see just by inspecting a photo on my laptop: - -- Location (Latitude & Longitude) -- Dimensions -- Device Make & Model -- Color Space -- Color Profile -- Focal Length -- Alpha Channel -- Red Eye -- Metering Mode -- F Number - -Regardless of your reasoning, I'm going to explain how I used the `exiftool` -package in Linux to automatically strip metadata from all images in a directory -(+ subdirectories). - -## Installing `exiftool` - -First things first: we need to install the tool. I'm running Debian 11 on my -server (Ubuntu will work the same), so the command is as simple as: - -```sh +#+title: Stripping Image Metadata with exiftool +#+date: 2022-02-17 + +** Why Strip Metadata? +:PROPERTIES: +:CUSTOM_ID: why-strip-metadata +:END: +Okay, so you want to strip metadata from your photos. Perhaps you take +pictures of very rare birds, and the location metadata is a gold mine +for poachers, or perhaps you're just privacy-oriented like me and prefer +to strip metadata from publicly-available images. + +There are various components of image metadata that you may want to +delete before releasing a photo to the public. Here's an incomplete list +of things I could easily see just by inspecting a photo on my laptop: + +- Location (Latitude & Longitude) +- Dimensions +- Device Make & Model +- Color Space +- Color Profile +- Focal Length +- Alpha Channel +- Red Eye +- Metering Mode +- F Number + +Regardless of your reasoning, I'm going to explain how I used the +=exiftool= package in Linux to automatically strip metadata from all +images in a directory (+ subdirectories). + +** Installing =exiftool= +:PROPERTIES: +:CUSTOM_ID: installing-exiftool +:END: +First things first: we need to install the tool. I'm running Debian 11 +on my server (Ubuntu will work the same), so the command is as simple +as: + +#+begin_src sh sudo apt install exiftool -``` +#+end_src There are different tools that can accomplish the same thing across distributions, but I really only care to test out this one package. -## Recursively Strip Data - -I actually use this tool extensively to strip any photos uploaded to the website -that serves all the images for my blog (`img.cleberg.net`). +** Recursively Strip Data +:PROPERTIES: +:CUSTOM_ID: recursively-strip-data +:END: +I actually use this tool extensively to strip any photos uploaded to the +website that serves all the images for my blog (=img.cleberg.net=). -The following command is incredibly useful and can be modified to include any -image extensions that `exiftool` supports: +The following command is incredibly useful and can be modified to +include any image extensions that =exiftool= supports: -```sh +#+begin_src sh exiftool -r -all= -ext jpg -ext png /path/to/directory/ -``` +#+end_src -See below for the results of my most recent usage of `exiftool` after I uploaded -the image for this blog post. You can see that the command will let you know how -many directories were scanned, how many images were updated, and how many images -were unchanged. +See below for the results of my most recent usage of =exiftool= after I +uploaded the image for this blog post. You can see that the command will +let you know how many directories were scanned, how many images were +updated, and how many images were unchanged. - +#+caption: exiftool results +[[https://img.cleberg.net/blog/20220217-stripping-metadata-with-exiftool/exiftool.png]] diff --git a/blog/2022-02-20-nginx-caching.org b/blog/2022-02-20-nginx-caching.org index d93a0b9..7f16932 100644 --- a/blog/2022-02-20-nginx-caching.org +++ b/blog/2022-02-20-nginx-caching.org @@ -1,23 +1,22 @@ -+++ -date = 2022-02-20 -title = "Caching Static Content with Nginx" -description = "Learn how to cache static content client-side with Nginx configurations." -draft = false -+++ - -## Update Your Nginx Config to Cache Static Files - -If you run a website on Nginx that serves static content (i.e., content that is -not dynamic and changing with interactions from the user), you would likely -benefit from caching that content on the client-side. If you're used to Apache -and looking for the Nginx equivalent, this post should help. - -Luckily, setting up the cache is as easy as identifying the file types you want -to cache and determining the expiration length. To include more file types, -simply use the bar separator (`|`) and type the new file extension you want to -include. - -```config +#+title: Caching Static Content with Nginx +#+date: 2022-02-20 + +** Update Your Nginx Config to Cache Static Files +:PROPERTIES: +:CUSTOM_ID: update-your-nginx-config-to-cache-static-files +:END: +If you run a website on Nginx that serves static content (i.e., content +that is not dynamic and changing with interactions from the user), you +would likely benefit from caching that content on the client-side. If +you're used to Apache and looking for the Nginx equivalent, this post +should help. + +Luckily, setting up the cache is as easy as identifying the file types +you want to cache and determining the expiration length. To include more +file types, simply use the bar separator (=|=) and type the new file +extension you want to include. + +#+begin_src config server { ... @@ -27,41 +26,50 @@ server { ... } -``` - -I have seen some people who prefer to set `expires` as `365d` or even `max`, but -that is only for stable, infrequently changing websites. -As my site often changes (i.e., I'm never content with my website), I need -to know that my readers are seeing the new content without waiting too long. - -So, I went ahead and set the expiration date at `30d`, which is short enough to -refresh for readers but long enough that clients/browsers won't be re-requesting -the static files too often, hopefully resulting in faster loading times, as -images should be the only thing slowing down my site. - -## Testing Results - +#+end_src + +I have seen some people who prefer to set =expires= as =365d= or even +=max=, but that is only for stable, infrequently changing websites. As +my site often changes (i.e., I'm never content with my website), I need +to know that my readers are seeing the new content without waiting too +long. + +So, I went ahead and set the expiration date at =30d=, which is short +enough to refresh for readers but long enough that clients/browsers +won't be re-requesting the static files too often, hopefully resulting +in faster loading times, as images should be the only thing slowing down +my site. + +** Testing Results +:PROPERTIES: +:CUSTOM_ID: testing-results +:END: To test my changes to the Nginx configuration, I used the -[HTTP Header Live](https://addons.mozilla.org/en-US/firefox/addon/http-header-live/) -extension on my Gecko browser and used the sidebar to inspect the headers of a -recent image from my blog. - -In the image below, you can see that the `Cache-Control` header is now present -and set to 2592000, which is 30 days represented in seconds (30 days _ 24 -hours/day _ 60 minutes/hour \* 60 seconds/minute = 2,592,000 seconds). - -The `Expires` field is now showing 22 March 2022, which is 30 days from the day -of this post, 20 February 2022. - - - -## Caveats - -Remember that this caching system is **client-side**, which means that content -is only cached for as long as a client allows it. For example, my browser purges -all caches, data, etc. upon exit, so this caching policy will only work as long -as my browser remains open and running. - -If you need to test updates to your site, you'll need to clear the cache to see -updates for any file extension you configured. This can often be done with the -`Shift + F5` or `Ctrl + F5` key combinations in most browsers. +[[https://addons.mozilla.org/en-US/firefox/addon/http-header-live/][HTTP +Header Live]] extension on my Gecko browser and used the sidebar to +inspect the headers of a recent image from my blog. + +In the image below, you can see that the =Cache-Control= header is now +present and set to 2592000, which is 30 days represented in seconds (30 +days _ 24 hours/day _ 60 minutes/hour * 60 seconds/minute = 2,592,000 +seconds). + +The =Expires= field is now showing 22 March 2022, which is 30 days from +the day of this post, 20 February 2022. + +#+caption: Image Headers +[[https://img.cleberg.net/blog/20220220-caching-static-content-with-nginx/image_headers.png]] + +** Caveats +:PROPERTIES: +:CUSTOM_ID: caveats +:END: +Remember that this caching system is *client-side*, which means that +content is only cached for as long as a client allows it. For example, +my browser purges all caches, data, etc. upon exit, so this caching +policy will only work as long as my browser remains open and running. + +If you need to test updates to your site, you'll need to clear the cache +to see updates for any file extension you configured. This can often be +done with the =Shift + F5= or =Ctrl + F5= key combinations in most +browsers. diff --git a/blog/2022-02-22-tuesday.org b/blog/2022-02-22-tuesday.org index b2cf440..1c9efb5 100644 --- a/blog/2022-02-22-tuesday.org +++ b/blog/2022-02-22-tuesday.org @@ -1,35 +1,38 @@ -+++ -date = 2022-02-22 -title = "Tuesday" -description = "Today is Tuesday, February 22nd, 2022 - also a ubiquitous six-digit palindrome date known as Twosday." -draft = false -+++ +#+title: Tuesday +#+date: 2022-02-22 -## Tuesday, Twosday +** Tuesday, Twosday +:PROPERTIES: +:CUSTOM_ID: tuesday-twosday +:END: +I'm taking a break from my usual technology-related posts and writing +about something a little more enjoyable today. -I'm taking a break from my usual technology-related posts and writing about -something a little more enjoyable today. - -Today is Tuesday, February 22nd, 2022. Today is 02-22-2022. Today is Twosday. +Today is Tuesday, February 22nd, 2022. Today is 02-22-2022. Today is +Twosday. Let's look at everything that fell in place today: -1. Written in the `m-dd-yy` or `dd-m-yy` formats, today is 2-22-22 or 22-2-22, - which is a neat little palindrome in either format. (The last ubiquitous - six-digit palindrome was 1-11-11.) -2. Today is Tuesday, which is why everyone is using the nickname Twosday to call - out these similarities. +1. Written in the =m-dd-yy= or =dd-m-yy= formats, today is 2-22-22 or + 22-2-22, which is a neat little palindrome in either format. (The + last ubiquitous six-digit palindrome was 1-11-11.) +2. Today is Tuesday, which is why everyone is using the nickname Twosday + to call out these similarities. 3. Falling on Tuesday means today is the 2nd day of the week (for most cultures. For the US, it's the 3rd day of the week since we start on Sunday). -4. The only culture I could find with a connection to a `2` is that some Slavic - languages derived their version of Tuesday from the Old Church Slavonic word - `въторъ`, meaning "the second." -5. Written in the classic monospaced, digital font (think of digital clocks from - the 80s/90s), there is nice symmetry to the numbers - ([view the image here](https://img.cleberg.net/blog/20220222-tuesday/digital_font.png)!). -6. This one isn't naturally-occurring, but it seems people around the world are - celebrating the day. For example, a group is putting together - [a wedding of 222 couples at the California State Capitol in Sacramento](https://www.eventbrite.com/e/2-22-22-a-collective-wedding-ceremony-at-the-state-capitol-tickets-211434605597), - concluding at exactly 2:22 PM. These couples will record their marriage dates - as 2-22-22 2:22 PM. Tickets were on sale for $222.22. +4. The only culture I could find with a connection to a =2= is that some + Slavic languages derived their version of Tuesday from the Old Church + Slavonic word =въторъ=, meaning "the second." +5. Written in the classic monospaced, digital font (think of digital + clocks from the 80s/90s), there is nice symmetry to the numbers + ([[https://img.cleberg.net/blog/20220222-tuesday/digital_font.png][view + the image here]]!). +6. This one isn't naturally-occurring, but it seems people around the + world are celebrating the day. For example, a group is putting + together + [[https://www.eventbrite.com/e/2-22-22-a-collective-wedding-ceremony-at-the-state-capitol-tickets-211434605597][a + wedding of 222 couples at the California State Capitol in + Sacramento]], concluding at exactly 2:22 PM. These couples will + record their marriage dates as 2-22-22 2:22 PM. Tickets were on sale + for $222.22. diff --git a/blog/2022-03-02-note-taking.org b/blog/2022-03-02-note-taking.org index 884ad1d..15f0b7c 100644 --- a/blog/2022-03-02-note-taking.org +++ b/blog/2022-03-02-note-taking.org @@ -1,125 +1,157 @@ -+++ -date = 2022-03-02 -title = "Easy, Reliable Note-Taking" -description = "After years of testing, I have finally settled on maintaining my collection of personal notes and writings." -draft = false -+++ +#+title: Easy, Reliable Note-Taking +#+date: 2022-03-02 -## Choosing Durable File Formats +** Choosing Durable File Formats +:PROPERTIES: +:CUSTOM_ID: choosing-durable-file-formats +:END: -> TL;DR: Write in a format that can be easily rendered and read in plain-text -> mode (e.g., `.txt`, `.md`, etc.). +#+begin_quote +TL;DR: Write in a format that can be easily rendered and read in +plain-text mode (e.g., =.txt=, =.md=, etc.). + +#+end_quote As I've written more and more over the years, I've found that my love of -note-taking is always growing. Everything I learn or need to remember can be -written down in a note and saved digitally, with no cost to myself. Unlike paper -copies that need physical storage space, digital files simply need space on your -local disk or cloud storage, which is fairly abundant these days. +note-taking is always growing. Everything I learn or need to remember +can be written down in a note and saved digitally, with no cost to +myself. Unlike paper copies that need physical storage space, digital +files simply need space on your local disk or cloud storage, which is +fairly abundant these days. -However, I had a historical struggle with migration of notes between different -apps that require different formats and applied proprietary styling. This meant -that I had to go through each note during migration and edit the file to look -presentable again. +However, I had a historical struggle with migration of notes between +different apps that require different formats and applied proprietary +styling. This meant that I had to go through each note during migration +and edit the file to look presentable again. For the last year or two, I have written everything exclusively in -[Markdown](https://en.wikipedia.org/wiki/Markdown) format. Small notes, -long-form writings, and even these blog posts are all written in Markdown. - -Why Markdown? While I do appreciate the simplicity of plain-text files without -any formatting, I often need visual cues such as heading and code blocks to keep -my thoughts straight. Markdown provides a minimal set of styling indicators for -me to style my notes without adding any proprietary, embedded data into the -files. If I want a top-level heading, I simply add a hash (`#`) before the line. -An added bonus is that even if a system doesn't understand Markdown, it will -render it as plain-text and I can read it just as easily. - -For example, here's how TextEdit on macOS will open and display a Markdown file -in plain-text, since it does contain any features to preview Markdown as HTML: - - - -## Saving & Syncing Files - -In order to read and edit my notes across platforms, I use my personal cloud -storage through Tresorit due to its native integration with macOS and iOS file -managers. In addition, Tresorit works well on Debian-based Linux distros, which -I used before macOS (and will likely switch back to in a few years). - -You can use whatever sync software you want - syncing plain-text or markdown -files is incredibly easy and fast, since the files are generally tiny. - -Since the cloud storage syncs files automatically, there is no need for me to -sync anything manually or kick-off a sync job to update my files. This means -that I can edit on mobile, and it takes about 5-10 seconds to see the changes on +[[https://en.wikipedia.org/wiki/Markdown][Markdown]] format. Small +notes, long-form writings, and even these blog posts are all written in +Markdown. + +Why Markdown? While I do appreciate the simplicity of plain-text files +without any formatting, I often need visual cues such as heading and +code blocks to keep my thoughts straight. Markdown provides a minimal +set of styling indicators for me to style my notes without adding any +proprietary, embedded data into the files. If I want a top-level +heading, I simply add a hash (=#=) before the line. An added bonus is +that even if a system doesn't understand Markdown, it will render it as +plain-text and I can read it just as easily. + +For example, here's how TextEdit on macOS will open and display a +Markdown file in plain-text, since it does contain any features to +preview Markdown as HTML: + +#+caption: Plain Text Markdown +[[https://img.cleberg.net/blog/20220302-easy-reliable-note-taking/plain_markdown.png]] + +** Saving & Syncing Files +:PROPERTIES: +:CUSTOM_ID: saving-syncing-files +:END: +In order to read and edit my notes across platforms, I use my personal +cloud storage through Tresorit due to its native integration with macOS +and iOS file managers. In addition, Tresorit works well on Debian-based +Linux distros, which I used before macOS (and will likely switch back to +in a few years). + +You can use whatever sync software you want - syncing plain-text or +markdown files is incredibly easy and fast, since the files are +generally tiny. + +Since the cloud storage syncs files automatically, there is no need for +me to sync anything manually or kick-off a sync job to update my files. +This means that I can edit on mobile, and it takes about 5-10 seconds to +see the changes on desktop. + +*** Version Control with Git +:PROPERTIES: +:CUSTOM_ID: version-control-with-git +:END: +A different approach I've contemplated is storing my notes and +attachments is using a hosted Git repository to track changes to the +files. However, I don't want to rely on an external service that could +potentially see into my data, even if the repository is private. + +I might just do =git init= locally and then commit my changes each time +I write or update a note, but that seems to be a lot of work just for +tracking changes - which I don't necessarily care to know. + +*** Backups! +:PROPERTIES: +:CUSTOM_ID: backups +:END: +One small addition to the storage/sync conversation is the idea of +backups. Personally, I manually create periodic backups of my entire +cloud storage, compress it into an archive, and store it on my home +server. + +To improve my workflow, I am going to be exploring options to +automatically compress the mounted cloud directory and send it over to +my server on a set schedule. + +** Writing on Desktop +:PROPERTIES: +:CUSTOM_ID: writing-on-desktop +:END: + +#+begin_quote +*Update (06.14.22)*: Since writing this post, I have reverted to simply +keeping my =notes= folder open and opening notes individually in +TextEdit for a more minimal and relaxing writing experience on the desktop. -### Version Control with Git - -A different approach I've contemplated is storing my notes and attachments is -using a hosted Git repository to track changes to the files. However, I don't -want to rely on an external service that could potentially see into my data, -even if the repository is private. +#+end_quote -I might just do `git init` locally and then commit my changes each time I write -or update a note, but that seems to be a lot of work just for tracking changes - -which I don't necessarily care to know. +The bulk of my writing occurs in a desktop environment, with a full +keyboard layout and wide screen. I don't illustrate with a smart pen, I +rarely use embedded images, and I love being able to see all of my +notes/directories in a sidebar. -### Backups! - -One small addition to the storage/sync conversation is the idea of backups. -Personally, I manually create periodic backups of my entire cloud storage, -compress it into an archive, and store it on my home server. - -To improve my workflow, I am going to be exploring options to automatically -compress the mounted cloud directory and send it over to my server on a set -schedule. - -## Writing on Desktop - -> **Update (06.14.22)**: Since writing this post, I have reverted to simply -> keeping my `notes` folder open and opening notes individually in TextEdit -> for a more minimal and relaxing writing experience on the desktop. - -The bulk of my writing occurs in a desktop environment, with a full keyboard -layout and wide screen. I don't illustrate with a smart pen, I rarely use -embedded images, and I love being able to see all of my notes/directories in a -sidebar. - -With this simple set of requirements, I chose [Obsidian](https://obsidian.md) as -my desktop text editor. -Obsidian has some in-depth tools like a graph view, command palette, -mentions, etc., but I've found that using it as a simple Markdown editor is +With this simple set of requirements, I chose +[[https://obsidian.md][Obsidian]] as my desktop text editor. Obsidian +has some in-depth tools like a graph view, command palette, mentions, +etc., but I've found that using it as a simple Markdown editor is incredibly easy and straightforward. -Here's an example of how my Markdown notes look when opened in plain-text mode: - - - -Here's the "live preview" version, where the Markdown is rendered into its HTML -format: +Here's an example of how my Markdown notes look when opened in +plain-text mode: - +#+caption: Obsidian Markdown Source Mode +[[https://img.cleberg.net/blog/20220302-easy-reliable-note-taking/obsidian_source_mode.png]] -### Programming on Desktop +Here's the "live preview" version, where the Markdown is rendered into +its HTML format: -While I was writing this, I realized I should specify that I don't use the same -editor for writing notes and for writing code. For programming purposes, I use -[VSCodium](https://vscodium.com) as my development IDE. +#+caption: Obsidian Markdown Live Preview +[[https://img.cleberg.net/blog/20220302-easy-reliable-note-taking/obsidian_live_preview.png]] -## Writing on Mobile +*** Programming on Desktop +:PROPERTIES: +:CUSTOM_ID: programming-on-desktop +:END: +While I was writing this, I realized I should specify that I don't use +the same editor for writing notes and for writing code. For programming +purposes, I use [[https://vscodium.com][VSCodium]] as my development +IDE. +** Writing on Mobile +:PROPERTIES: +:CUSTOM_ID: writing-on-mobile +:END: Personally, I write very little on mobile, except when needing to take -important notes on-the-go. Any long-form writing, journals, etc. are done at -home, where I always have my laptop available. +important notes on-the-go. Any long-form writing, journals, etc. are +done at home, where I always have my laptop available. I wanted a simple and foolproof editor for iOS, preferably open-source. -After a long journey of testing the few (& terrible) open-source iOS +After a long journey of testing the few (& terrible) open-source iOS note-taking apps, I finally found a phenomenal one: -[Runestone](https://github.com/simonbs/runestone). This app is fantastic -for note-taking, has plenty of optional features, and integrates natively -with the iOS file manager. +[[https://github.com/simonbs/runestone][Runestone]]. This app is +fantastic for note-taking, has plenty of optional features, and +integrates natively with the iOS file manager. -This app opens the iOS file manager and allows you to click any file you want, -opens it up in an editor, and lets me save and close out of that note. +This app opens the iOS file manager and allows you to click any file you +want, opens it up in an editor, and lets me save and close out of that +note. Quite simple but effective. diff --git a/blog/2022-03-03-financial-database.org b/blog/2022-03-03-financial-database.org index e0f524d..c097c64 100644 --- a/blog/2022-03-03-financial-database.org +++ b/blog/2022-03-03-financial-database.org @@ -1,153 +1,166 @@ -+++ -date = 2022-03-03 -title = "Maintaining a Personal Financial Database" -description = "Detailing my process for creating, maintaining, and utilizing a personal financial database." -draft = false -+++ - -## Personal Financial Tracking - -For the last 6-ish years, I've tracked my finances in a spreadsheet. This is -common practice in the business world, but any good dev will cringe at the -thought of storing long-term data in a spreadsheet. A spreadsheet is not for -long-term storage or as a source of data to pull data/reports. - -As I wanted to expand the functionality of my financial data (e.g., adding more -reports), I decided to migrate the data into a database. To run reports, I would -query the database and use a language like Python or Javascript to process the -data, perform calculations, and visualize the data. - -## SQLite - -When choosing the type of database I wanted to use for this project, I was split -between three options: - -1. MySQL: The database I have the most experience with and have used for years. +#+title: Maintaining a Personal Financial Database +#+date: 2022-03-03 + +** Personal Financial Tracking +:PROPERTIES: +:CUSTOM_ID: personal-financial-tracking +:END: +For the last 6-ish years, I've tracked my finances in a spreadsheet. +This is common practice in the business world, but any good dev will +cringe at the thought of storing long-term data in a spreadsheet. A +spreadsheet is not for long-term storage or as a source of data to pull +data/reports. + +As I wanted to expand the functionality of my financial data (e.g., +adding more reports), I decided to migrate the data into a database. To +run reports, I would query the database and use a language like Python +or Javascript to process the data, perform calculations, and visualize +the data. + +** SQLite +:PROPERTIES: +:CUSTOM_ID: sqlite +:END: +When choosing the type of database I wanted to use for this project, I +was split between three options: + +1. MySQL: The database I have the most experience with and have used for + years. 2. PostgreSQL: A database I'm new to, but want to learn. -3. SQLite: A database that I've used for a couple projects and have moderate - experience. - -I ended up choosing SQLite since it can be maintained within a single `.sqlite` -file, which allows me more flexibility for storage and backup. I keep this file -in my cloud storage and pull it up whenever needed. - -### GUI Editing - -Since I didn't want to try and import 1000–1500 records into my new database -via the command line, I opted to use -[DB Browser for SQLite (DB4S)](https://sqlitebrowser.org/) as a GUI tool. This -application is excellent, and I don't see myself going back to the CLI -when working in this database. +3. SQLite: A database that I've used for a couple projects and have + moderate experience. + +I ended up choosing SQLite since it can be maintained within a single +=.sqlite= file, which allows me more flexibility for storage and backup. +I keep this file in my cloud storage and pull it up whenever needed. + +*** GUI Editing +:PROPERTIES: +:CUSTOM_ID: gui-editing +:END: +Since I didn't want to try and import 1000--1500 records into my new +database via the command line, I opted to use +[[https://sqlitebrowser.org/][DB Browser for SQLite (DB4S)]] as a GUI +tool. This application is excellent, and I don't see myself going back +to the CLI when working in this database. DB4S allows you to copy a range of cells from a spreadsheet and paste it -straight into the SQL table. I used this process for all 36 accounts, 1290 -account statements, and 126 pay statements. Overall, I'm guessing this took -anywhere between 4–8 hours. In comparison, it probably took me 2-3 days to -initially create the spreadsheet. +straight into the SQL table. I used this process for all 36 accounts, +1290 account statements, and 126 pay statements. Overall, I'm guessing +this took anywhere between 4--8 hours. In comparison, it probably took +me 2-3 days to initially create the spreadsheet. - +#+caption: DB4S +[[https://img.cleberg.net/blog/20220303-maintaining-a-personal-financial-database/db4s.png]] -### Schema - -The schema for this database is actually extremely simple and involves only -three tables (for now): +*** Schema +:PROPERTIES: +:CUSTOM_ID: schema +:END: +The schema for this database is actually extremely simple and involves +only three tables (for now): 1. Accounts 2. Statements 3. Payroll -**Accounts** +*Accounts* -The Accounts table contains summary information about an account, such as a car -loan or a credit card. By viewing this table, you can find high-level data, such -as interest rate, credit line, or owner. +The Accounts table contains summary information about an account, such +as a car loan or a credit card. By viewing this table, you can find +high-level data, such as interest rate, credit line, or owner. -```sql +#+begin_src sql CREATE TABLE "Accounts" ( - "AccountID" INTEGER NOT NULL UNIQUE, - "AccountType" TEXT, - "AccountName" TEXT, - "InterestRate" NUMERIC, - "CreditLine" NUMERIC, - "State" TEXT, - "Owner" TEXT, - "Co-Owner" TEXT, - PRIMARY KEY("AccountID" AUTOINCREMENT) + "AccountID" INTEGER NOT NULL UNIQUE, + "AccountType" TEXT, + "AccountName" TEXT, + "InterestRate" NUMERIC, + "CreditLine" NUMERIC, + "State" TEXT, + "Owner" TEXT, + "Co-Owner" TEXT, + PRIMARY KEY("AccountID" AUTOINCREMENT) ) -``` +#+end_src -**Statements** +*Statements* -The Statements table uses the same unique identifier as the Accounts table, -meaning you can join the tables to find a monthly statement for any of the -accounts listed in the Accounts table. Each statement has an account ID, -statement date, and total balance. +The Statements table uses the same unique identifier as the Accounts +table, meaning you can join the tables to find a monthly statement for +any of the accounts listed in the Accounts table. Each statement has an +account ID, statement date, and total balance. -```sql +#+begin_src sql CREATE TABLE "Statements" ( - "StatementID" INTEGER NOT NULL UNIQUE, - "AccountID" INTEGER, - "StatementDate" INTEGER, - "Balance" NUMERIC, - PRIMARY KEY("StatementID" AUTOINCREMENT), - FOREIGN KEY("AccountID") REFERENCES "Accounts"("AccountID") + "StatementID" INTEGER NOT NULL UNIQUE, + "AccountID" INTEGER, + "StatementDate" INTEGER, + "Balance" NUMERIC, + PRIMARY KEY("StatementID" AUTOINCREMENT), + FOREIGN KEY("AccountID") REFERENCES "Accounts"("AccountID") ) -``` +#+end_src -**Payroll** +*Payroll* -The Payroll table is a separate entity, unrelated to the Accounts or Statements -tables. This table contains all information you would find on a pay statement -from an employer. As you change employers or obtain new perks/benefits, just add -new columns to adapt to the new data. +The Payroll table is a separate entity, unrelated to the Accounts or +Statements tables. This table contains all information you would find on +a pay statement from an employer. As you change employers or obtain new +perks/benefits, just add new columns to adapt to the new data. -```sql +#+begin_src sql CREATE TABLE "Payroll" ( - "PaycheckID" INTEGER NOT NULL UNIQUE, - "PayDate" TEXT, - "Payee" TEXT, - "Employer" TEXT, - "JobTitle" TEXT, - "IncomeRegular" NUMERIC, - "IncomePTO" NUMERIC, - "IncomeHoliday" NUMERIC, - "IncomeBonus" NUMERIC, - "IncomePTOPayout" NUMERIC, - "IncomeReimbursements" NUMERIC, - "FringeHSA" NUMERIC, - "FringeStudentLoan" NUMERIC, - "Fringe401k" NUMERIC, - "PreTaxMedical" NUMERIC, - "PreTaxDental" NUMERIC, - "PreTaxVision" NUMERIC, - "PreTaxLifeInsurance" NUMERIC, - "PreTax401k" NUMERIC, - "PreTaxParking" NUMERIC, - "PreTaxStudentLoan" NUMERIC, - "PreTaxOther" NUMERIC, - "TaxFederal" NUMERIC, - "TaxSocial" NUMERIC, - "TaxMedicare" NUMERIC, - "TaxState" NUMERIC, - PRIMARY KEY("PaycheckID" AUTOINCREMENT) + "PaycheckID" INTEGER NOT NULL UNIQUE, + "PayDate" TEXT, + "Payee" TEXT, + "Employer" TEXT, + "JobTitle" TEXT, + "IncomeRegular" NUMERIC, + "IncomePTO" NUMERIC, + "IncomeHoliday" NUMERIC, + "IncomeBonus" NUMERIC, + "IncomePTOPayout" NUMERIC, + "IncomeReimbursements" NUMERIC, + "FringeHSA" NUMERIC, + "FringeStudentLoan" NUMERIC, + "Fringe401k" NUMERIC, + "PreTaxMedical" NUMERIC, + "PreTaxDental" NUMERIC, + "PreTaxVision" NUMERIC, + "PreTaxLifeInsurance" NUMERIC, + "PreTax401k" NUMERIC, + "PreTaxParking" NUMERIC, + "PreTaxStudentLoan" NUMERIC, + "PreTaxOther" NUMERIC, + "TaxFederal" NUMERIC, + "TaxSocial" NUMERIC, + "TaxMedicare" NUMERIC, + "TaxState" NUMERIC, + PRIMARY KEY("PaycheckID" AUTOINCREMENT) ) -``` - -### Python Reporting - -Once I created the database tables and imported all my data, the only step left -was to create a process to report and visualize on various aspects of the data. - -In order to explore and create the reports I'm interested in, I utilized a -two-part process involving Jupyter Notebooks and Python scripts. - -#### Step 1: Jupyter Notebooks - +#+end_src + +*** Python Reporting +:PROPERTIES: +:CUSTOM_ID: python-reporting +:END: +Once I created the database tables and imported all my data, the only +step left was to create a process to report and visualize on various +aspects of the data. + +In order to explore and create the reports I'm interested in, I utilized +a two-part process involving Jupyter Notebooks and Python scripts. + +**** Step 1: Jupyter Notebooks +:PROPERTIES: +:CUSTOM_ID: step-1-jupyter-notebooks +:END: When I need to explore data, try different things, and re-run my code -cell-by-cell, I use Jupyter Notebooks. For example, I explored the `Accounts` -table until I found the following useful information: +cell-by-cell, I use Jupyter Notebooks. For example, I explored the +=Accounts= table until I found the following useful information: -```python +#+begin_src python import sqlite3 import pandas as pd import matplotlib @@ -167,14 +180,17 @@ matplotlib.rcParams['legend.labelcolor'] = 'black' # Display graph df.groupby(['AccountType']).sum().plot.pie(title='Credit Line by Account Type', y='CreditLine', figsize=(5,5), autopct='%1.1f%%') -``` - -#### Step 2: Python Scripts +#+end_src -Once I explored enough through the notebooks and had a list of reports I wanted, -I moved on to create a Python project with the following structure: +**** Step 2: Python Scripts +:PROPERTIES: +:CUSTOM_ID: step-2-python-scripts +:END: +Once I explored enough through the notebooks and had a list of reports I +wanted, I moved on to create a Python project with the following +structure: -``` +#+begin_example finance/ ├── notebooks/ │ │ ├── account_summary.ipynb @@ -191,23 +207,24 @@ finance/ ├── process.py ├── requirements.txt └── README.md -``` +#+end_example This structure allows me to: -1. Compile all required python packages into `requirements.txt` for easy +1. Compile all required python packages into =requirements.txt= for easy installation if I move to a new machine. -2. Activate a virtual environment in `venv/` so I don't need to maintain a - system-wide Python environment just for this project. -3. Keep my `notebooks/` folder to continuously explore the data as I see fit. -4. Maintain a local copy of the database in `src/` for easy access. -5. Export reports, images, HTML files, etc. to `public/`. - -Now, onto the differences between the code in a Jupyter Notebook and the actual -Python files. To create the report in the Notebook snippet above, I created the -following function inside `process.py`: - -```python +2. Activate a virtual environment in =venv/= so I don't need to maintain + a system-wide Python environment just for this project. +3. Keep my =notebooks/= folder to continuously explore the data as I see + fit. +4. Maintain a local copy of the database in =src/= for easy access. +5. Export reports, images, HTML files, etc. to =public/=. + +Now, onto the differences between the code in a Jupyter Notebook and the +actual Python files. To create the report in the Notebook snippet above, +I created the following function inside =process.py=: + +#+begin_src python # Create summary pie chart def summary_data(accounts: pandas.DataFrame) -> None: accounts_01 = accounts[accounts["Owner"] == "Person01"] @@ -233,21 +250,23 @@ def summary_data(accounts: pandas.DataFrame) -> None: ) ) summary_chart.figure.savefig(f"public/summary_chart_{x}.png", dpi=1200) -``` +#+end_src The result? A high-quality pie chart that is read directly by the -`public/index.html` template I use. +=public/index.html= template I use. - +#+caption: Summary Pie Chart +[[https://img.cleberg.net/blog/20220303-maintaining-a-personal-financial-database/summary_chart.png]] Other charts generated by this project include: -- Charts of account balances over time. -- Line chart of effective tax rate (taxes divided by taxable income). -- Salary projections and error limits using past income and inflation rates. -- Multi-line chart of gross income, taxable income, and net income. +- Charts of account balances over time. +- Line chart of effective tax rate (taxes divided by taxable income). +- Salary projections and error limits using past income and inflation + rates. +- Multi-line chart of gross income, taxable income, and net income. -The best thing about this project? I can improve it at any given time, shaping -it into whatever helps me the most for that time. I imagine that I will be -introducing an asset tracking table soon to track the depreciating value of -cars, houses, etc. Who knows what's next? +The best thing about this project? I can improve it at any given time, +shaping it into whatever helps me the most for that time. I imagine that +I will be introducing an asset tracking table soon to track the +depreciating value of cars, houses, etc. Who knows what's next? diff --git a/blog/2022-03-08-plex-migration.org b/blog/2022-03-08-plex-migration.org index 0921b88..5546942 100644 --- a/blog/2022-03-08-plex-migration.org +++ b/blog/2022-03-08-plex-migration.org @@ -1,233 +1,270 @@ -+++ -date = 2022-03-08 -title = "Migrating Plex to New Server (+ Nvidia Transcoding)" -description = "A quick instructional guide on how to migrate Plex Media Server to a new server, including servers with Nvidia GPUs." -draft = false -+++ - -## Migration Phases - -I recently decided to migrate my server from an old OptiPlex desktop machine to -a custom-built tower with better hardware in every category. In order to do -this, I would need to properly migrate a full Plex installation. - -The second part of this migration is that the new server uses an Nvidia GPU and -does not have any integrated graphics, which requires extra work for -installation, but provides much better hardware transcoding options for Plex. +#+title: Migrating Plex to New Server (+ Nvidia Transcoding) +#+date: 2022-03-08 + +** Migration Phases +:PROPERTIES: +:CUSTOM_ID: migration-phases +:END: +I recently decided to migrate my server from an old OptiPlex desktop +machine to a custom-built tower with better hardware in every category. +In order to do this, I would need to properly migrate a full Plex +installation. + +The second part of this migration is that the new server uses an Nvidia +GPU and does not have any integrated graphics, which requires extra work +for installation, but provides much better hardware transcoding options +for Plex. Therefore, I have broken this migration down into three phases: -1. [Configure the New Server](#phase-1-configure-the-new-server) -2. [Migrate Plex Data & Devices](#phase-2-migrate-plex-data-devices) -3. [Configure GPU Transcoding](#phase-3-configure-gpu-transcoding) - ---- +1. [[#phase-1-configure-the-new-server][Configure the New Server]] +2. [[#phase-2-migrate-plex-data-devices][Migrate Plex Data & Devices]] +3. [[#phase-3-configure-gpu-transcoding][Configure GPU Transcoding]] -## Phase 1: Configure the New Server - -### Choosing an OS +-------------- +** Phase 1: Configure the New Server +:PROPERTIES: +:CUSTOM_ID: phase-1-configure-the-new-server +:END: +*** Choosing an OS +:PROPERTIES: +:CUSTOM_ID: choosing-an-os +:END: In order to migrate Plex to my new server, I first needed to choose an -appropriate operating system (OS) and install it on the machine. Given that I -have encountered numerous issues installing other Linux distributions -properly with Nvidia graphics, I chose -[Ubuntu Server](https://ubuntu.com/download/server). - -The first step is to create a bootable USB with Ubuntu Server. This is easy with -[Etcher](https://www.balena.io/etcher/), an app that runs on many different -platforms. Just download the Ubuntu Server `.iso` image, launch Etcher, and -install the `.iso` on the USB. - -Once the USB is created, insert it into my server, reboot, and click `Esc` (or -any of the `F1-12` keys) until the BIOS menu appears. Finally, launch the USB -boot drive. - -### Booting with Nvidia - +appropriate operating system (OS) and install it on the machine. Given +that I have encountered numerous issues installing other Linux +distributions properly with Nvidia graphics, I chose +[[https://ubuntu.com/download/server][Ubuntu Server]]. + +The first step is to create a bootable USB with Ubuntu Server. This is +easy with [[https://www.balena.io/etcher/][Etcher]], an app that runs on +many different platforms. Just download the Ubuntu Server =.iso= image, +launch Etcher, and install the =.iso= on the USB. + +Once the USB is created, insert it into my server, reboot, and click +=Esc= (or any of the =F1-12= keys) until the BIOS menu appears. Finally, +launch the USB boot drive. + +*** Booting with Nvidia +:PROPERTIES: +:CUSTOM_ID: booting-with-nvidia +:END: In order to install Ubuntu Server with an Nvidia Graphics card (and no -integrated graphics on this device for some reason), you'll have to configure -the boot menu to allow different graphics drivers to be loaded. +integrated graphics on this device for some reason), you'll have to +configure the boot menu to allow different graphics drivers to be +loaded. -When booting from the USB, the machine will launch the initial installation -menu. From this menu, type `e` to view the default command options that come -with the device - it's a good idea to take a photo of this screen, so you can -enter these commands on the next screen (along with adding support for Nvidia). +When booting from the USB, the machine will launch the initial +installation menu. From this menu, type =e= to view the default command +options that come with the device - it's a good idea to take a photo of +this screen, so you can enter these commands on the next screen (along +with adding support for Nvidia). -Finally, type `Ctrl + C` to enter the command line. From this command line, -enter the commands found on the `e` screen. **Remember to add `nomodeset` to the -`linux ...` line so that your Nvidia device will display the installation -screens properly!** +Finally, type =Ctrl + C= to enter the command line. From this command +line, enter the commands found on the =e= screen. *Remember to add +=nomodeset= to the =linux ...= line so that your Nvidia device will +display the installation screens properly!* -Here's an example of the commands I pulled from the `e` screen and entered on -the command line. +Here's an example of the commands I pulled from the =e= screen and +entered on the command line. -```sh +#+begin_src sh setparams 'Install Ubuntu Server' setgfxpayload=keep linux /casper/vmlinuz quiet nomodeset --- initrd /casper/initrd boot -``` +#+end_src - +#+caption: Ubuntu Server Installation 01 +[[https://img.cleberg.net/blog/20220308-plex-media-server-migration/ubuntu_server_installation_01.png]] - +#+caption: Ubuntu Server Installation 02 +[[https://img.cleberg.net/blog/20220308-plex-media-server-migration/ubuntu_server_installation_02.png]] -Once the machine is rebooted, enter the `e` screen again and add `nomodeset` to -the `linux ...` line again and press `Ctrl + X` to save the boot options. +Once the machine is rebooted, enter the =e= screen again and add +=nomodeset= to the =linux ...= line again and press =Ctrl + X= to save +the boot options. -The machine is now fully installed and can properly display on an external -display using the Nvidia GPU. +The machine is now fully installed and can properly display on an +external display using the Nvidia GPU. Always remember to update and upgrade on a new installation: -```sh +#+begin_src sh sudo apt update; sudo apt upgrade -y; sudo apt autoremove -y -``` +#+end_src ---- - -## Phase 2: Migrate Plex Data & Devices +-------------- +** Phase 2: Migrate Plex Data & Devices +:PROPERTIES: +:CUSTOM_ID: phase-2-migrate-plex-data-devices +:END: This phase uses the great Plex article on migrations -([Move an Installation to Another System](https://support.plex.tv/articles/201370363-move-an-install-to-another-system/)) -and adds a bit more information to help with commands and context. - -### Terminology - -**Source:** The original server that is being replaced. -**Destination:** The new server. -**Client:** Any application that can be used to modify settings for both +([[https://support.plex.tv/articles/201370363-move-an-install-to-another-system/][Move +an Installation to Another System]]) and adds a bit more information to +help with commands and context. + +*** Terminology +:PROPERTIES: +:CUSTOM_ID: terminology +:END: +*Source:* The original server that is being replaced.\\ +*Destination:* The new server.\\ +*Client:* Any application that can be used to modify settings for both source/destination. -### Step 01: [Client] Update Settings - -Open up a Plex app and _disable_ the `Account` > `Library` > -`Empty trash automatically after every scan` preference for the source server. - -### Step 02: [Destination] Install Plex - -Open up the -[Plex Media Server download page](https://www.plex.tv/media-server-downloads/) -and copy the link for the appropriate platform. - -Execute the following commands on the destination server to install Plex: - -```sh +*** Step 01: [Client] Update Settings +:PROPERTIES: +:CUSTOM_ID: step-01-client-update-settings +:END: +Open up a Plex app and /disable/ the =Account= > =Library= > +=Empty trash automatically after every scan= preference for the source +server. + +*** Step 02: [Destination] Install Plex +:PROPERTIES: +:CUSTOM_ID: step-02-destination-install-plex +:END: +Open up the [[https://www.plex.tv/media-server-downloads/][Plex Media +Server download page]] and copy the link for the appropriate platform. + +Execute the following commands on the destination server to install +Plex: + +#+begin_src sh wget <url> sudo dpkg -i <filename> sudo systemctl stop plexmediaserver.service -``` - -### Step 03: [Source] Stop Plex & Migrate Data +#+end_src -First, stop the Plex service so that no data is created or modified during the -migration. +*** Step 03: [Source] Stop Plex & Migrate Data +:PROPERTIES: +:CUSTOM_ID: step-03-source-stop-plex-migrate-data +:END: +First, stop the Plex service so that no data is created or modified +during the migration. -```sh +#+begin_src sh sudo systemctl stop plexmediaserver.service -``` +#+end_src -Next, copy the data to the new server. To find where the Plex data directory is -located, Plex has another excellent article available: -[Where is the Plex Media Server data directory located?](https://support.plex.tv/articles/202915258-where-is-the-plex-media-server-data-directory-located/). +Next, copy the data to the new server. To find where the Plex data +directory is located, Plex has another excellent article available: +[[https://support.plex.tv/articles/202915258-where-is-the-plex-media-server-data-directory-located/][Where +is the Plex Media Server data directory located?]]. -There are many ways to copy the data to the new server and will largely depend -on the size of the folder being copied. Personally, my data folder was ~23GB and -I opted to simply use the `scp` command to copy the files over SSH. +There are many ways to copy the data to the new server and will largely +depend on the size of the folder being copied. Personally, my data +folder was ~23GB and I opted to simply use the =scp= command to copy the +files over SSH. -This process was throttled by the old server's slow HDD and ports and took -approximately 90 minutes to complete. In comparison, moving the data from the -new server's `home/user/` directory to the `/var/.../Plex Media Server` -directory took 2-3 minutes. +This process was throttled by the old server's slow HDD and ports and +took approximately 90 minutes to complete. In comparison, moving the +data from the new server's =home/user/= directory to the +=/var/.../Plex Media Server= directory took 2-3 minutes. -```sh +#+begin_src sh scp -r "/var/lib/plexmediaserver/Library/Application Support/Plex Media Server" your_user@xxx.xxx.xxx.xxx:"'/path/to/destination/'" -``` +#+end_src -### Step 04: [Destination] Update File Permissions +*** Step 04: [Destination] Update File Permissions +:PROPERTIES: +:CUSTOM_ID: step-04-destination-update-file-permissions +:END: +In case you move the data directory to a common area on the new server, +it will have to be moved to the proper location before Plex can function +properly: -In case you move the data directory to a common area on the new server, it will -have to be moved to the proper location before Plex can function properly: - -```sh +#+begin_src sh mv "Plex Media Server" /var/lib/plexmediaserver/Library/Application Support/ -``` +#+end_src -To ensure permissions were retained properly, the server will need to show that -all files and folders in the data directory are owned by `plex:plex` (or -whichever user is running the Plex application). +To ensure permissions were retained properly, the server will need to +show that all files and folders in the data directory are owned by +=plex:plex= (or whichever user is running the Plex application). -```sh +#+begin_src sh sudo chown -R plex:plex "/var/lib/plexmediaserver/Library/Application Support/Plex Media Server" -``` +#+end_src Finally, start the service and check the status. -```sh +#+begin_src sh sudo systemctl start plexmediaserver.service sudo systemctl status plexmediaserver.service -``` - -### Step 05: [Client] Update Libraries & Metadata - -The first step - now that the new server is up and running - is to sign out of -the client and sign back in. Once this is done, update any library locations, if -necessary. This was unnecessary in my case since I simply moved my storage -drives from the source server to the destination server. +#+end_src + +*** Step 05: [Client] Update Libraries & Metadata +:PROPERTIES: +:CUSTOM_ID: step-05-client-update-libraries-metadata +:END: +The first step - now that the new server is up and running - is to sign +out of the client and sign back in. Once this is done, update any +library locations, if necessary. This was unnecessary in my case since I +simply moved my storage drives from the source server to the destination +server. Next, perform the following actions in the client: -1. On the left sidebar, click `More` > Three-Dot Menu > `Scan Library Files` -2. _Enable_ the `Account` > `Library` > - `Empty trash automatically after every scan` preference for the source - server. -3. On the left sidebar, click `More` > Three-Dot Menu > `Manage Server` > - `Empty Trash` -4. On the left sidebar, click `More` > Three-Dot Menu > `Manage Server` > - `Clean Bundles` -5. On the left sidebar, click `More` > Three-Dot Menu > `Manage Server` > - `Optimize Database` - -Finally, double-check the Remote Access settings to make sure no changes have -caused issues with accessing the server from outside the network. - -In my case, I use a single port forwarding rule in my router and needed to -update the Local LAN IP Address to the new server IP address. - - - ---- - -## Phase 3: Configure GPU Transcoding - -The final piece to the migration is enabling hardware transcoding so that Plex -can fully utilize the new Nvidia GPU available in the server. The first step is -to install Nvidia graphics drivers. This process may take a few minutes, but the -commands are pretty simple: - -```sh +1. On the left sidebar, click =More= > Three-Dot Menu > + =Scan Library Files= +2. /Enable/ the =Account= > =Library= > + =Empty trash automatically after every scan= preference for the + source server. +3. On the left sidebar, click =More= > Three-Dot Menu > =Manage Server= + > =Empty Trash= +4. On the left sidebar, click =More= > Three-Dot Menu > =Manage Server= + > =Clean Bundles= +5. On the left sidebar, click =More= > Three-Dot Menu > =Manage Server= + > =Optimize Database= + +Finally, double-check the Remote Access settings to make sure no changes +have caused issues with accessing the server from outside the network. + +In my case, I use a single port forwarding rule in my router and needed +to update the Local LAN IP Address to the new server IP address. + +#+caption: Router port forwarding +[[https://img.cleberg.net/blog/20220308-plex-media-server-migration/port_forwarding.png]] + +-------------- + +** Phase 3: Configure GPU Transcoding +:PROPERTIES: +:CUSTOM_ID: phase-3-configure-gpu-transcoding +:END: +The final piece to the migration is enabling hardware transcoding so +that Plex can fully utilize the new Nvidia GPU available in the server. +The first step is to install Nvidia graphics drivers. This process may +take a few minutes, but the commands are pretty simple: + +#+begin_src sh sudo add-apt-repository ppa:graphics-drivers/ppa sudo apt update sudo apt-get install ubuntu-drivers-common sudo ubuntu-drivers autoinstall -``` +#+end_src Finally, reboot so that the changes are loaded: -```sh +#+begin_src sh sudo reboot now -``` +#+end_src To ensure that the Nvidia graphics drivers are working properly, run the following command to view the available GPUs, statistics, and processes: -```sh +#+begin_src sh sudo nvidia-smi -``` +#+end_src - +#+caption: nvidia-smi +[[https://img.cleberg.net/blog/20220308-plex-media-server-migration/nvidia_smi.png]] Finally, enable hardware transcoding settings in the Plex application: - +#+caption: Plex transcoding settings +[[https://img.cleberg.net/blog/20220308-plex-media-server-migration/plex_transcoding.png]] diff --git a/blog/2022-03-23-cloudflare-dns-api.org b/blog/2022-03-23-cloudflare-dns-api.org index 8b87aba..3a80a71 100644 --- a/blog/2022-03-23-cloudflare-dns-api.org +++ b/blog/2022-03-23-cloudflare-dns-api.org @@ -1,39 +1,40 @@ -+++ -date = 2022-03-23 -title = "Dynamic DNS with Cloudflare API" -description = "Learn how to update Cloudflare DNS records automatically with a simple bash script." -draft = false -+++ - -## DDNS: Dynamic DNS - -If you're hosting a service from a location with dynamic DNS (where your IP may -change at any time), you must have a solution to update the DNS so that you can -access your service even when the IP of the server changes. - -The process below uses the [Cloudflare API](https://api.cloudflare.com/) to -update DNS `A` and `AAAA` records with the server's current IP. If you use -another DNS provider, you will have to find a way to update your DNS (or find a -way to get a static IP). - -First, install `jq` since we will use it in the next script: - -```sh +#+title: Dynamic DNS with Cloudflare API +#+date: 2022-03-23 + +** DDNS: Dynamic DNS +:PROPERTIES: +:CUSTOM_ID: ddns-dynamic-dns +:END: +If you're hosting a service from a location with dynamic DNS (where your +IP may change at any time), you must have a solution to update the DNS +so that you can access your service even when the IP of the server +changes. + +The process below uses the [[https://api.cloudflare.com/][Cloudflare +API]] to update DNS =A= and =AAAA= records with the server's current IP. +If you use another DNS provider, you will have to find a way to update +your DNS (or find a way to get a static IP). + +First, install =jq= since we will use it in the next script: + +#+begin_src sh sudo apt install jq -``` +#+end_src -Next, create a location for your DDNS update scripts and open the first script: +Next, create a location for your DDNS update scripts and open the first +script: -```sh +#+begin_src sh mkdir ~/ddns nano ~/ddns/update.sh -``` +#+end_src -The following `update.sh` script will take all of your domains and subdomains -and check Cloudflare to see if the current `A` and `AAAA` records match your -server's IP address. If not, it will update the records. +The following =update.sh= script will take all of your domains and +subdomains and check Cloudflare to see if the current =A= and =AAAA= +records match your server's IP address. If not, it will update the +records. -```sh +#+begin_src sh # file: update.sh #!/bin/bash @@ -55,20 +56,20 @@ do echo -e "\nUpdating $subdomain..." zone_name=$domain dns_record=$subdomain /home/<your-username>/ddns/ddns.sh done -``` +#+end_src -Next, open up the `ddns.sh` script. Paste the following into the script and -update the `api_token` and `email` variables. +Next, open up the =ddns.sh= script. Paste the following into the script +and update the =api_token= and =email= variables. -```sh +#+begin_src sh nano ~/ddns/ddns.sh -``` +#+end_src -:warning: **Note**: If you want your DNS records to be proxied through -Cloudflare, find and update the following snippet: `\"proxied\":false}"` to say -`true` instead of `false`. +:warning: *Note*: If you want your DNS records to be proxied through +Cloudflare, find and update the following snippet: =\"proxied\":false}"= +to say =true= instead of =false=. -```sh +#+begin_src sh # file: ddns.sh #!/bin/bash # based on https://gist.github.com/Tras2/cba88201b17d765ec065ccbedfb16d9a @@ -161,30 +162,30 @@ then else echo "There is a problem with either the email or the password" fi -``` +#+end_src Once the script is saved and closed, make the scripts executable: -```sh +#+begin_src sh chmod +x ~/ddns/ddns.sh chmod +x ~/ddns/update.sh -``` +#+end_src You can test the script by running it manually: -```sh +#+begin_src sh ./update.sh -``` +#+end_src -To make sure the scripts run automatically, add it to the `cron` file so that it -will run on a schedule. To do this, open the cron file: +To make sure the scripts run automatically, add it to the =cron= file so +that it will run on a schedule. To do this, open the cron file: -```sh +#+begin_src sh crontab -e -``` +#+end_src In the cron file, paste the following at the bottom of the editor: -```sh +#+begin_src sh */5 * * * * bash /home/<your_username>/ddns/update.sh -``` +#+end_src diff --git a/blog/2022-03-23-nextcloud-on-ubuntu.org b/blog/2022-03-23-nextcloud-on-ubuntu.org index f5642c0..c28da25 100644 --- a/blog/2022-03-23-nextcloud-on-ubuntu.org +++ b/blog/2022-03-23-nextcloud-on-ubuntu.org @@ -1,80 +1,90 @@ -+++ -date = 2022-03-23 -title = "Installing Nextcloud on Ubuntu" -description = "Learn how to install the self-hosted cloud storage solution, Nextcloud, on Ubuntu." -draft = false -+++ +#+title: Installing Nextcloud on Ubuntu +#+date: 2022-03-23 -## What is Nextcloud? - -[Nextcloud](https://nextcloud.com/) is a self-hosted solution for storage, -communications, editing, calendar, contacts, and more. +** What is Nextcloud? +:PROPERTIES: +:CUSTOM_ID: what-is-nextcloud +:END: +[[https://nextcloud.com/][Nextcloud]] is a self-hosted solution for +storage, communications, editing, calendar, contacts, and more. This tutorial assumes that you have an Ubuntu server and a domain name configured to point toward the server. -## Install Dependencies - +** Install Dependencies +:PROPERTIES: +:CUSTOM_ID: install-dependencies +:END: To start, you will need to install the packages that Nextcloud requires: -```sh +#+begin_src sh sudo apt install apache2 mariadb-server libapache2-mod-php7.4 sudo apt install php7.4-gd php7.4-mysql php7.4-curl php7.4-mbstring php7.4-intl sudo apt install php7.4-gmp php7.4-bcmath php-imagick php7.4-xml php7.4-zip -``` +#+end_src -## Set Up MySQL +** Set Up MySQL +:PROPERTIES: +:CUSTOM_ID: set-up-mysql +:END: +Next, you will need to log in to MySQL as the =root= user of the +machine. -Next, you will need to log in to MySQL as the `root` user of the machine. - -```sh +#+begin_src sh sudo mysql -uroot -p -``` +#+end_src -Once you've logged in, you must create a new user so that Nextcloud can manage -the database. You will also create a `nextcloud` database and assign privileges: +Once you've logged in, you must create a new user so that Nextcloud can +manage the database. You will also create a =nextcloud= database and +assign privileges: -```sql +#+begin_src sql CREATE USER 'username'@'localhost' IDENTIFIED BY 'password'; CREATE DATABASE IF NOT EXISTS nextcloud CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci; GRANT ALL PRIVILEGES ON nextcloud.* TO 'username'@'localhost'; FLUSH PRIVILEGES; quit; -``` - -## Download & Install Nextcloud +#+end_src +** Download & Install Nextcloud +:PROPERTIES: +:CUSTOM_ID: download-install-nextcloud +:END: To download Nextcloud, go the -[Nextcloud downloads page](https://nextcloud.com/install/#instructions-server), -click on `Archive File` and right-click the big blue button to copy the link. +[[https://nextcloud.com/install/#instructions-server][Nextcloud +downloads page]], click on =Archive File= and right-click the big blue +button to copy the link. -Then, go to your server and enter the following commands to download, unzip, and -move the files to your destination directory. This example uses `example.com` as -the destination, but you can put it wherever you want to server your files from. +Then, go to your server and enter the following commands to download, +unzip, and move the files to your destination directory. This example +uses =example.com= as the destination, but you can put it wherever you +want to server your files from. -```sh +#+begin_src sh wget https://download.nextcloud.com/server/releases/nextcloud-23.0.3.zip sudo apt install unzip unzip nextcloud-23.0.3.zip sudo cp -r nextcloud /var/www/example.com -``` +#+end_src -## Configure the Apache Web Server - -Now that the database is set up and Nextcloud is installed, you need to set up -the Apache configuration files to tell the server how to handle requests for -`example.com/nextcloud`. +** Configure the Apache Web Server +:PROPERTIES: +:CUSTOM_ID: configure-the-apache-web-server +:END: +Now that the database is set up and Nextcloud is installed, you need to +set up the Apache configuration files to tell the server how to handle +requests for =example.com/nextcloud=. First, open the following file in the editor: -```sh +#+begin_src sh sudo nano /etc/apache2/sites-available/nextcloud.conf -``` +#+end_src -Once the editor is open, paste the following information in. Then, save and -close the file. +Once the editor is open, paste the following information in. Then, save +and close the file. -```config +#+begin_src config <VirtualHost *:80> DocumentRoot /var/www/example.com ServerName example.com @@ -93,69 +103,79 @@ close the file. </IfModule> </Directory> </VirtualHost> -``` +#+end_src Once the file is saved, enable it with Apache: -```sh +#+begin_src sh sudo a2ensite nextcloud.conf -``` +#+end_src Next, enable the Apache mods required by Nextcloud: -```sh +#+begin_src sh sudo a2enmod rewrite headers env dir mime -``` +#+end_src -Finally, restart Apache. If any errors arise, you must solve those before -continuing. +Finally, restart Apache. If any errors arise, you must solve those +before continuing. -```sh +#+begin_src sh sudo systemctl restart apache2 -``` +#+end_src For the app to work, you must have the correct file permissions on your -`nextcloud` directory. Set the owner to be `www-data`: +=nextcloud= directory. Set the owner to be =www-data=: -```sh +#+begin_src sh sudo chown -R www-data:www-data /var/www/example.com/nextcloud/ -``` - -## DNS +#+end_src +** DNS +:PROPERTIES: +:CUSTOM_ID: dns +:END: If you do not have a static IP address, you will need to update your DNS -settings (at your DNS provider) whenever your dynamic IP address changes. +settings (at your DNS provider) whenever your dynamic IP address +changes. For an example on how I do that with Cloudflare, see my other post: -[Updating Dynamic DNS with Cloudflare API](/blog/updating-dynamic-dns-with-cloudflare-api/) +[[/blog/updating-dynamic-dns-with-cloudflare-api/][Updating Dynamic DNS +with Cloudflare API]] -## Certbot +** Certbot +:PROPERTIES: +:CUSTOM_ID: certbot +:END: +If you want to serve Nextcloud from HTTPS rather than plain HTTP, use +the following commands to issue Let's Encrypt SSL certificates: -If you want to serve Nextcloud from HTTPS rather than plain HTTP, use the -following commands to issue Let's Encrypt SSL certificates: - -```sh +#+begin_src sh sudo apt install snapd sudo snap install core sudo snap refresh core sudo snap install --classic certbot sudo ln -s /snap/bin/certbot /usr/bin/certbot sudo certbot --apache -``` - -## Results +#+end_src -Voilà! -You're all done and should be able to access Nextcloud from your domain or -IP address. +** Results +:PROPERTIES: +:CUSTOM_ID: results +:END: +Voilà! You're all done and should be able to access Nextcloud from your +domain or IP address. -See the screenshots below for the dashboard and a settings page on my instance -of Nextcloud, using the `Breeze Dark` theme I installed from the Apps page. +See the screenshots below for the dashboard and a settings page on my +instance of Nextcloud, using the =Breeze Dark= theme I installed from +the Apps page. - +#+caption: Nextcloud Dashboard +[[https://img.cleberg.net/blog/20220323-installing-nextcloud-on-ubuntu/nextcloud_dashboard.png]] -_Figure 01: Nextcloud Dashboard_ +/Figure 01: Nextcloud Dashboard/ - +#+caption: Nextcloud Settings +[[https://img.cleberg.net/blog/20220323-installing-nextcloud-on-ubuntu/nextcloud_settings.png]] -_Figure 02: Nextcloud Security Settings_ +/Figure 02: Nextcloud Security Settings/ diff --git a/blog/2022-03-24-server-hardening.org b/blog/2022-03-24-server-hardening.org index b91ef0e..88fd44e 100644 --- a/blog/2022-03-24-server-hardening.org +++ b/blog/2022-03-24-server-hardening.org @@ -1,23 +1,28 @@ -+++ -date = 2022-03-24 -title = "Hardening a Public-Facing Home Server" -description = "My personal reflection on the steps it took to get a home server ready to be publicly-accessible." -draft = false -+++ - -## Post Updates - -> After reviewing this post today (2022-10-04), I noticed quite a few gaps in my -> write-up and wanted to add a few things, even though this blog is really -> just a retrospective and knowledge dump for myself. -> I left things intact and simply crossed them out (~~like this~~) for -> posterity. - -## Planning Data Flows & Security - -### My Personal Data Flow - -```txt +#+title: Hardening a Public-Facing Home Server +#+date: 2022-03-24 + +** Post Updates +:PROPERTIES: +:CUSTOM_ID: post-updates +:END: + +#+begin_quote +After reviewing this post today (2022-10-04), I noticed quite a few gaps +in my write-up and wanted to add a few things, even though this blog is +really just a retrospective and knowledge dump for myself. I left things +intact and simply crossed them out (+like this+) for posterity. + +#+end_quote + +** Planning Data Flows & Security +:PROPERTIES: +:CUSTOM_ID: planning-data-flows-security +:END: +*** My Personal Data Flow +:PROPERTIES: +:CUSTOM_ID: my-personal-data-flow +:END: +#+begin_src txt ┌───────┐ ┌─────────────────┐ ┌──► VLAN1 ├───► Private Devices │ │ └───────┘ └─────────────────┘ @@ -27,320 +32,355 @@ draft = false │ ┌───────┐ ┌───────────────┐ └──► VLAN2 ├───► Public Server │ └───────┘ └───────────────┘ -``` - -### Thought Process +#+end_src -To serve content from your home server and harden your security posture, you -have to think about the transport of data from `server` to `client`. +*** Thought Process +:PROPERTIES: +:CUSTOM_ID: thought-process +:END: +To serve content from your home server and harden your security posture, +you have to think about the transport of data from =server= to =client=. Let's start with the actual server itself. Think about the following: -- Do I have a firewall enabled? Do I need to update this to allow new ports or - IPs? -- Do I have an IPS/IDS that may prevent outside traffic? -- Do I have any other security software installed? -- Are the services hosted inside Docker containers, behind a reverse proxy, or - virtualized? If so, are they configured to allow outside traffic? - -Once the data leaves the server, where does it go? In my case, it goes to a -managed switch. In this case, I asked the following: - -- What configurations is the switch using? -- Am I using VLANs? - - Yes, I am using 802.1Q VLANs. -- Are the VLANs configured properly? - - Yes, as shown in the [Switch](#switch) section below, I have a separate - VLAN to allow outside traffic to and from the server alone. No other - devices, except for a service port, and in that VLAN. - -At this point, the data has been processed through the switch. Where does it go -next? In my case, it's pretty simple: it goes to the router/modem device. - -- Does my ISP block any ports that I need? - - This is an important step that a lot of people run into when - self-hosting at home. - Use an online port-checker tool for your IP or call your ISP if you - think ports are blocked. -- Is there a router firewall? - - Yes, I checked that it's configured to allow the ports I need to run my - services publicly. Common web servers and reverse proxies require ports - 80 and 443, but other services like media servers or games can require - unique ports, so be sure to check the documentation for your service(s). -- Are there any other settings affecting inbound/outbound traffic? - - Schedules or access blocks - - Static Routing - - QoS - - Port Forwarding - - DMZ Hosting - - Remote Management (this can sometimes mess with services that also - require the use of ports 80 and 443) - -Once the data leaves my router, it goes to the upstream ISP and can be accessed -publicly. - -## Server - -~~The services I run on my server are installed straight into the OS, without -any use of Docker or VMs, so I don't need any extra application configuration to -make them accessible to the outside world.~~ - -As of 2022-10-04, the paragraph above is no longer true as I now run a reverse -proxy with Nginx and host many services inside Docker. However, it doesn't -change anything regarding this post as I still just need to open ports 80 & 443 -and create the necessary website configuration files. - -When creating new services - either installed directly on bare metal or within -something like Docker - I ensure that I read through the documentation -thoroughly to understand a few key things: - - What network activities should this app perform (if any)? Using which ports - and protocols? - - Does this app require any commands/services to be run as `root`? - - Does this app log errors, authentication failures/successes, or anything - else that would be useful for an investigation? - -For extra security, I use limit all incoming connections to SSH connections -through my server firewall (`ufw`) and disable common SSH settings. After all of -that, I use `fail2ban` as a preventative measure against brute-force login -attempts. - -As another piece of security, you can randomize your SSH port to ensure that -random scanners or attackers can't easily try to force their way into your -network. For example, you can edit the port rules in your server to block all -connection requests to port `22` but forward all remote connections from port -`12345` to your server's port `22`. Then you just need to SSH to your network -via your randomized port. - -### `ufw` - -To see how to configure `ufw`, see my other post: -[Secure Your Network with the Uncomplicated Firewall](/blog/secure-your-network-with-the-uncomplicated-firewall/). - -The general notion with an on-device firewall is that you want to deny all -incoming connections by default and then selectively open certain ports for -services or users that you know need access. - -If you know that you will only be logging into this server from a certain set or -list of IPs, you can always set the firewall to only allow connections to port -22 from those IPs. +- Do I have a firewall enabled? Do I need to update this to allow new + ports or IPs? +- Do I have an IPS/IDS that may prevent outside traffic? +- Do I have any other security software installed? +- Are the services hosted inside Docker containers, behind a reverse + proxy, or virtualized? If so, are they configured to allow outside + traffic? + +Once the data leaves the server, where does it go? In my case, it goes +to a managed switch. In this case, I asked the following: + +- What configurations is the switch using? +- Am I using VLANs? + - Yes, I am using 802.1Q VLANs. +- Are the VLANs configured properly? + - Yes, as shown in the [[#switch][Switch]] section below, I have a + separate VLAN to allow outside traffic to and from the server alone. + No other devices, except for a service port, and in that VLAN. + +At this point, the data has been processed through the switch. Where +does it go next? In my case, it's pretty simple: it goes to the +router/modem device. + +- Does my ISP block any ports that I need? + - This is an important step that a lot of people run into when + self-hosting at home. Use an online port-checker tool for your IP or + call your ISP if you think ports are blocked. +- Is there a router firewall? + - Yes, I checked that it's configured to allow the ports I need to run + my services publicly. Common web servers and reverse proxies require + ports 80 and 443, but other services like media servers or games can + require unique ports, so be sure to check the documentation for your + service(s). +- Are there any other settings affecting inbound/outbound traffic? + - Schedules or access blocks + - Static Routing + - QoS + - Port Forwarding + - DMZ Hosting + - Remote Management (this can sometimes mess with services that also + require the use of ports 80 and 443) + +Once the data leaves my router, it goes to the upstream ISP and can be +accessed publicly. + +** Server +:PROPERTIES: +:CUSTOM_ID: server +:END: ++The services I run on my server are installed straight into the OS, +without any use of Docker or VMs, so I don't need any extra application +configuration to make them accessible to the outside world.+ + +As of 2022-10-04, the paragraph above is no longer true as I now run a +reverse proxy with Nginx and host many services inside Docker. However, +it doesn't change anything regarding this post as I still just need to +open ports 80 & 443 and create the necessary website configuration +files. + +When creating new services - either installed directly on bare metal or +within something like Docker - I ensure that I read through the +documentation thoroughly to understand a few key things: - What network +activities should this app perform (if any)? Using which ports and +protocols? - Does this app require any commands/services to be run as +=root=? - Does this app log errors, authentication failures/successes, +or anything else that would be useful for an investigation? + +For extra security, I use limit all incoming connections to SSH +connections through my server firewall (=ufw=) and disable common SSH +settings. After all of that, I use =fail2ban= as a preventative measure +against brute-force login attempts. + +As another piece of security, you can randomize your SSH port to ensure +that random scanners or attackers can't easily try to force their way +into your network. For example, you can edit the port rules in your +server to block all connection requests to port =22= but forward all +remote connections from port =12345= to your server's port =22=. Then +you just need to SSH to your network via your randomized port. + +*** =ufw= +:PROPERTIES: +:CUSTOM_ID: ufw +:END: +To see how to configure =ufw=, see my other post: +[[/blog/secure-your-network-with-the-uncomplicated-firewall/][Secure +Your Network with the Uncomplicated Firewall]]. + +The general notion with an on-device firewall is that you want to deny +all incoming connections by default and then selectively open certain +ports for services or users that you know need access. + +If you know that you will only be logging into this server from a +certain set or list of IPs, you can always set the firewall to only +allow connections to port 22 from those IPs. For a quick start to only allow SSH connections to the server, use this: -```sh +#+begin_src sh sudo ufw default deny incoming sudo ufw default allow outgoing sudo ufw allow 22 sudo ufw enable -``` - - - -### `ssh` - -#### Using SSH Keys - -First, make sure you have an SSH keypair generated on the device(s) that you'll -be using to log in to the server. If you don't have an SSH key, run this -command: - -```sh +#+end_src + +#+caption: ufw +[[https://img.cleberg.net/blog/20220324-hardening-a-public-facing-home-server/ufw.png]] + +*** =ssh= +:PROPERTIES: +:CUSTOM_ID: ssh +:END: +**** Using SSH Keys +:PROPERTIES: +:CUSTOM_ID: using-ssh-keys +:END: +First, make sure you have an SSH keypair generated on the device(s) that +you'll be using to log in to the server. If you don't have an SSH key, +run this command: + +#+begin_src sh ssh-keygen -``` +#+end_src -Now that we have an SSH key, copy it to the server with the following command, -which will ask for the user's password before accepting the key: +Now that we have an SSH key, copy it to the server with the following +command, which will ask for the user's password before accepting the +key: -```sh +#+begin_src sh ssh-copy-id my_user@my_server -``` +#+end_src -If you have multiple keys, you'll need to specify which to use. After it's -complete, `ssh` back into the server as that user and make sure it doesn't ask -for a password. +If you have multiple keys, you'll need to specify which to use. After +it's complete, =ssh= back into the server as that user and make sure it +doesn't ask for a password. -#### Disable Password & Root Authentication +**** Disable Password & Root Authentication +:PROPERTIES: +:CUSTOM_ID: disable-password-root-authentication +:END: +Now that we can access the server without a password, we will disable +password authentication and disable anyone from using =ssh= to login as +=root=. -Now that we can access the server without a password, we will disable password -authentication and disable anyone from using `ssh` to login as `root`. +To do this, open the =sshd_config= file: -To do this, open the `sshd_config` file: - -```sh +#+begin_src sh sudo nano /etc/ssh/sshd_config -``` +#+end_src -You'll need to update the parameters to the values below. If one of these rules -is commented-out or doesn't exist, create the rule at the bottom of the file. +You'll need to update the parameters to the values below. If one of +these rules is commented-out or doesn't exist, create the rule at the +bottom of the file. -```config +#+begin_src config PermitRootLogin no PasswordAuthentication no PubkeyAuthentication yes -``` +#+end_src -Finally, restart the `ssh` service: +Finally, restart the =ssh= service: -```sh +#+begin_src sh sudo systemctl restart sshd.service -``` - -To test that everything’s working so far, open ANOTHER terminal and try logging -in as `root` over SSH. It is very important that you keep your current SSH -session open and test with an additional session, or you will lock yourself out -at some point and will need to use a recovery method (e.g., hooking monitor up -to home server) to get yourself back in. - -#### Enable MFA for `ssh` - -This part is optional, but I highly recommend it. -So far, we've ensured that no one can log into our user on the server -without using our secret key, and we've ensured that no one can log in -remotely as `root`. -Next, you can enable MFA authentication for `ssh` connections. - -This process involves editing a couple files and installing an MFA package, so I -will not include all the details in this post. To see how to configure MFA for -`ssh`, see my other post: -[Enabling MFA for SSH](/blog/enable-totp-mfa-for-ssh/). - - - -### `fail2ban` - -I haven't written a post on how I use `fail2ban`, but it's quite simple. I use -the default `sshd` jail, but you can always create new jails for respective -applications or ports. For example, if you use Nginx as your web server, you can -use the `nginx-http-auth` jail. +#+end_src + +To test that everything's working so far, open ANOTHER terminal and try +logging in as =root= over SSH. It is very important that you keep your +current SSH session open and test with an additional session, or you +will lock yourself out at some point and will need to use a recovery +method (e.g., hooking monitor up to home server) to get yourself back +in. + +**** Enable MFA for =ssh= +:PROPERTIES: +:CUSTOM_ID: enable-mfa-for-ssh +:END: +This part is optional, but I highly recommend it. So far, we've ensured +that no one can log into our user on the server without using our secret +key, and we've ensured that no one can log in remotely as =root=. Next, +you can enable MFA authentication for =ssh= connections. + +This process involves editing a couple files and installing an MFA +package, so I will not include all the details in this post. To see how +to configure MFA for =ssh=, see my other post: +[[/blog/enable-totp-mfa-for-ssh/][Enabling MFA for SSH]]. + +#+caption: SSH MFA +[[https://img.cleberg.net/blog/20220324-hardening-a-public-facing-home-server/ssh_mfa.png]] + +*** =fail2ban= +:PROPERTIES: +:CUSTOM_ID: fail2ban +:END: +I haven't written a post on how I use =fail2ban=, but it's quite simple. +I use the default =sshd= jail, but you can always create new jails for +respective applications or ports. For example, if you use Nginx as your +web server, you can use the =nginx-http-auth= jail. In order to get it up and running, use the following commands: -```sh +#+begin_src sh sudo apt install fail2ban sudo fail2ban-client start sshd sudo fail2ban-client status sshd -``` - -This should be used as a last-resort defense and shouldn't be a replacement for -the security measures mentioned above. - - - -## Switch - -Between the router and any local devices is my managed switch, which is used to -create VLANs. The example below shows how I would isolate the VLANs if I were -starting to host a single service at home. - -### 802.1Q VLAN Configuration - -In this configuration, port 8 is the public server that needs to be accessed -from the outside. Port 23 is my 'dedicated service port' for this server. In -order to SSH to this server, I need to plug my laptop into port 23 or else I -cannot SSH. Otherwise, I'd need to hook up a monitor and keyboard directly to -the server to manage it. +#+end_src + +This should be used as a last-resort defense and shouldn't be a +replacement for the security measures mentioned above. + +#+caption: fail2ban +[[https://img.cleberg.net/blog/20220324-hardening-a-public-facing-home-server/fail2ban.png]] + +** Switch +:PROPERTIES: +:CUSTOM_ID: switch +:END: +Between the router and any local devices is my managed switch, which is +used to create VLANs. The example below shows how I would isolate the +VLANs if I were starting to host a single service at home. + +*** 802.1Q VLAN Configuration +:PROPERTIES: +:CUSTOM_ID: q-vlan-configuration +:END: +In this configuration, port 8 is the public server that needs to be +accessed from the outside. Port 23 is my 'dedicated service port' for +this server. In order to SSH to this server, I need to plug my laptop +into port 23 or else I cannot SSH. Otherwise, I'd need to hook up a +monitor and keyboard directly to the server to manage it. | VLAN ID | VLAN Name | Member Ports | Tagged Ports | Untagged Ports | -|:-------:|:---------:|:------------:|:------------:|:--------------:| -| 1 | Default | 1-24 | | 1-24 | -| 2 | Server | 1,8,23 | | 1,8,23 | - -### 802.1Q VLAN PVID Setting - -Once the VLAN is created, I simply add the `VLAN ID` of `2` as the `PVID` for -any related ports (in this case, see that ports `8` and `23` have a PVID of -`2`). +|---------+-----------+--------------+--------------+----------------| +| 1 | Default | 1-24 | | 1-24 | +| 2 | Server | 1,8,23 | | 1,8,23 | + +*** 802.1Q VLAN PVID Setting +:PROPERTIES: +:CUSTOM_ID: q-vlan-pvid-setting +:END: +Once the VLAN is created, I simply add the =VLAN ID= of =2= as the +=PVID= for any related ports (in this case, see that ports =8= and =23= +have a PVID of =2=). | Port | PVID | -|:----:|:----:| -| 1 | 1 | -| 2 | 1 | -| 3 | 1 | -| 4 | 1 | -| 5 | 1 | -| 6 | 1 | -| 7 | 1 | -| 8 | 2 | -| 9 | 1 | -| 10 | 1 | -| 11 | 1 | -| 12 | 1 | -| 13 | 1 | -| 14 | 1 | -| 15 | 1 | -| 16 | 1 | -| 17 | 1 | -| 18 | 1 | -| 19 | 1 | -| 20 | 1 | -| 21 | 1 | -| 22 | 1 | -| 23 | 2 | -| 24 | 1 | - -## Router - -On my router, the configuration was as easy as opening the firewall settings and -unblocking the ports I needed for my services (e.g., HTTP/S, Plex, SSH, MySQL, -etc.). - -~~Since I'm relying on an ISP-provided modem/router combo for now (not by -choice), I do not use any other advanced settings on my router that would -inhibit any valid traffic to these services.~~ - -The paragraph above regarding the ISP-owned router is no longer accurate as I -now use the Ubiquiti Unifi Dream Machine Pro as my router. -Within this router, I enabled port forwarding/firewall rules, segregate the -network based on the device, and enable traffic restrictions (e.g., silently -drop traffic from certain countries and threat categories). - -If you have the option with your ISP, I recommend using a personal router with -software that you are familiar with so that you can explore all the options -available to you. - -## Physical Security - -One large piece of self-hosting that people generally don't discuss online is -physical security. However, physical security is very important for everyone who -hosts a server like this. Exactly *how* important it is depends on the server -use/purpose. - -If you self-host customer applications that hold protected data (HIPAA, GDPR, -COPPA, etc.), then physical security is extremely important and cannot be -ignored. If you simply host a blog and some hobby sites, then it's a relatively -minor consideration, but one you still need to think about. - -### Location - -The first consideration is quite simple: location. - - Is the server within a property you own or housed on someone else's property? - - Is it nearby (in your house, in your work office, in your neighbor's garage, - in a storage unit, etc.)? - - Do you have 24/7 access to the server? - - Are there climate considerations, such as humidity, fires, tornadoes, - monsoons? - - Do you have emergency equipment nearby in case of emergency? - -### Hardware Ownership - -Secondly, consider the hardware itself: - - Do you own the server in its entirety? - - Are any other users able to access the server, even if your data/space is - segregated? - - If you're utilizing a third party, do they have any documentation to show - responsibility? This could be a SOC 1/2/3 report, ISO compliance report, - internal security/safety documentation. - -### Physical Controls - -Regardless of who owns the hardware, ensure that there are adequate safeguards -in place, if necessary. These usually don't apply to small home servers and are -usually covered already if you're utilizing a third party. - -These can include: - - Server bezel locks - - Server room locks - physical, digital, or biometric authentication - - Security cameras - - Raised floors/lowered ceilings with proper guards/gates in-place within the - floors or ceilings - - Security personnel - - Log sheets and/or guest badges +|------+------| +| 1 | 1 | +| 2 | 1 | +| 3 | 1 | +| 4 | 1 | +| 5 | 1 | +| 6 | 1 | +| 7 | 1 | +| 8 | 2 | +| 9 | 1 | +| 10 | 1 | +| 11 | 1 | +| 12 | 1 | +| 13 | 1 | +| 14 | 1 | +| 15 | 1 | +| 16 | 1 | +| 17 | 1 | +| 18 | 1 | +| 19 | 1 | +| 20 | 1 | +| 21 | 1 | +| 22 | 1 | +| 23 | 2 | +| 24 | 1 | + +** Router +:PROPERTIES: +:CUSTOM_ID: router +:END: +On my router, the configuration was as easy as opening the firewall +settings and unblocking the ports I needed for my services (e.g., +HTTP/S, Plex, SSH, MySQL, etc.). + ++Since I'm relying on an ISP-provided modem/router combo for now (not by +choice), I do not use any other advanced settings on my router that +would inhibit any valid traffic to these services.+ + +The paragraph above regarding the ISP-owned router is no longer accurate +as I now use the Ubiquiti Unifi Dream Machine Pro as my router. Within +this router, I enabled port forwarding/firewall rules, segregate the +network based on the device, and enable traffic restrictions (e.g., +silently drop traffic from certain countries and threat categories). + +If you have the option with your ISP, I recommend using a personal +router with software that you are familiar with so that you can explore +all the options available to you. + +** Physical Security +:PROPERTIES: +:CUSTOM_ID: physical-security +:END: +One large piece of self-hosting that people generally don't discuss +online is physical security. However, physical security is very +important for everyone who hosts a server like this. Exactly /how/ +important it is depends on the server use/purpose. + +If you self-host customer applications that hold protected data (HIPAA, +GDPR, COPPA, etc.), then physical security is extremely important and +cannot be ignored. If you simply host a blog and some hobby sites, then +it's a relatively minor consideration, but one you still need to think +about. + +*** Location +:PROPERTIES: +:CUSTOM_ID: location +:END: +The first consideration is quite simple: location. - Is the server +within a property you own or housed on someone else's property? - Is it +nearby (in your house, in your work office, in your neighbor's garage, +in a storage unit, etc.)? - Do you have 24/7 access to the server? - Are +there climate considerations, such as humidity, fires, tornadoes, +monsoons? - Do you have emergency equipment nearby in case of emergency? + +*** Hardware Ownership +:PROPERTIES: +:CUSTOM_ID: hardware-ownership +:END: +Secondly, consider the hardware itself: - Do you own the server in its +entirety? - Are any other users able to access the server, even if your +data/space is segregated? - If you're utilizing a third party, do they +have any documentation to show responsibility? This could be a SOC 1/2/3 +report, ISO compliance report, internal security/safety documentation. + +*** Physical Controls +:PROPERTIES: +:CUSTOM_ID: physical-controls +:END: +Regardless of who owns the hardware, ensure that there are adequate +safeguards in place, if necessary. These usually don't apply to small +home servers and are usually covered already if you're utilizing a third +party. + +These can include: - Server bezel locks - Server room locks - physical, +digital, or biometric authentication - Security cameras - Raised +floors/lowered ceilings with proper guards/gates in-place within the +floors or ceilings - Security personnel - Log sheets and/or guest badges diff --git a/blog/2022-03-26-ssh-mfa.org b/blog/2022-03-26-ssh-mfa.org index 3560dcf..1d7141e 100644 --- a/blog/2022-03-26-ssh-mfa.org +++ b/blog/2022-03-26-ssh-mfa.org @@ -1,82 +1,88 @@ -+++ -date = 2022-03-26 -title = "Enable TOTP MFA for SSH" -description = "Harden your SSH target with user-enabled MFA options, such as TOTP." -draft = false -+++ - -## Why Do I Need MFA for SSH? - -If you are a sysadmin of a server anywhere (that includes at home!), you may -want an added layer of protection against intruders. This is not a replacement -for other security measures, such as: - -- Disable root SSH -- Disable SSH password authentication -- Allow only certain users to login via SSH -- Allow SSH only from certain IPs - -However, MFA can be added as an additional security measure to ensure that your -server is protected. This is especially important if you need to allow password -authentication for SSH. +#+title: Enable TOTP MFA for SSH +#+date: 2022-03-26 + +** Why Do I Need MFA for SSH? +:PROPERTIES: +:CUSTOM_ID: why-do-i-need-mfa-for-ssh +:END: +If you are a sysadmin of a server anywhere (that includes at home!), you +may want an added layer of protection against intruders. This is not a +replacement for other security measures, such as: + +- Disable root SSH +- Disable SSH password authentication +- Allow only certain users to login via SSH +- Allow SSH only from certain IPs + +However, MFA can be added as an additional security measure to ensure +that your server is protected. This is especially important if you need +to allow password authentication for SSH. For more guidance on server security measures, see my other post: -[Hardening a Public-Facing Home Server](/blog/hardening-a-public-facing-home-server/). - -## Install MFA PAM Module - -PAM, which stands for Pluggable Authentication Module, is an authentication -infrastructure used on Linux systems to authenticate a user. In order to use -this technology, let's install the `libpam-google-authenticator` package: - -```sh +[[/blog/hardening-a-public-facing-home-server/][Hardening a +Public-Facing Home Server]]. + +** Install MFA PAM Module +:PROPERTIES: +:CUSTOM_ID: install-mfa-pam-module +:END: +PAM, which stands for Pluggable Authentication Module, is an +authentication infrastructure used on Linux systems to authenticate a +user. In order to use this technology, let's install the +=libpam-google-authenticator= package: + +#+begin_src sh sudo apt-get update -``` +#+end_src -```sh +#+begin_src sh sudo apt-get install libpam-google-authenticator -``` - -## Initialize the PAM Module - -### Interactive Method - -Once the package is installed, initialize it and following the interactive -prompts to generate your OTP or TOTP: - -```sh +#+end_src + +** Initialize the PAM Module +:PROPERTIES: +:CUSTOM_ID: initialize-the-pam-module +:END: +*** Interactive Method +:PROPERTIES: +:CUSTOM_ID: interactive-method +:END: +Once the package is installed, initialize it and following the +interactive prompts to generate your OTP or TOTP: + +#+begin_src sh google-authenticator -``` +#+end_src -If you are not sure how to answer, read the prompts carefully and think about -having to how each situation would affect your normal login attempts. If you are -still not sure, use my default responses below. +If you are not sure how to answer, read the prompts carefully and think +about having to how each situation would affect your normal login +attempts. If you are still not sure, use my default responses below. -```txt +#+begin_src txt OUTPUT Do you want authentication tokens to be time-based (y/n) y -``` +#+end_src -At this point, use an authenticator app somewhere one of your devices to scan -the QR code. Any future login attempts after our upcoming configuration changes -will require that TOTP. +At this point, use an authenticator app somewhere one of your devices to +scan the QR code. Any future login attempts after our upcoming +configuration changes will require that TOTP. -```txt +#+begin_src txt OUTPUT Do you want me to update your "/home/user/.google_authenticator" file? (y/n) y -``` +#+end_src -```txt +#+begin_src txt OUTPUT Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y -``` +#+end_src -```txt +#+begin_src txt OUTPUT By default, a new token is generated every 30 seconds by the mobile app. @@ -89,30 +95,32 @@ code, the next code) to 17 permitted codes (the 8 previous codes, the current code, and the 8 next codes). This will permit for a time skew of up to 4 minutes between client and server. Do you want to do so? (y/n) n -``` +#+end_src -```txt +#+begin_src txt OUTPUT If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting? (y/n) y -``` +#+end_src -### Non-Interactive Method +*** Non-Interactive Method +:PROPERTIES: +:CUSTOM_ID: non-interactive-method +:END: +If you need to do this quickly, know your responses to the prompts, or +are setting this up for numerous users, the non-interactive method can +be much faster: -If you need to do this quickly, know your responses to the prompts, or are -setting this up for numerous users, the non-interactive method can be much -faster: - -```sh +#+begin_src sh google-authenticator -t -d -f -r 3 -R 30 -w 3 -``` +#+end_src The options referenced above are as follows: -```txt +#+begin_src txt google-authenticator [<options>] -h, --help Print this message -c, --counter-based Set up counter-based (HOTP) verification @@ -132,65 +140,69 @@ google-authenticator [<options>] -w, --window-size=W Set window of concurrently valid codes -W, --minimal-window Disable window of concurrently valid codes -e, --emergency-codes=N Number of emergency codes to generate -``` - -This fully configures the authenticator, saves it to a file, and then outputs -the secret key, QR code, and recovery codes. (If you add the flag `-q`, then -there won’t be any output). If you use this command in an automated fashion, -make sure your script captures the secret key and/or recovery codes and makes -them available to the user. - -## PAM Configuration Settings - -Once you've enabled the T/OTP and have it saved to an MFA app on your phone or -other device, open the PAM `sshd` file: - -```sh +#+end_src + +This fully configures the authenticator, saves it to a file, and then +outputs the secret key, QR code, and recovery codes. (If you add the +flag =-q=, then there won't be any output). If you use this command in +an automated fashion, make sure your script captures the secret key +and/or recovery codes and makes them available to the user. + +** PAM Configuration Settings +:PROPERTIES: +:CUSTOM_ID: pam-configuration-settings +:END: +Once you've enabled the T/OTP and have it saved to an MFA app on your +phone or other device, open the PAM =sshd= file: + +#+begin_src sh sudo nano /etc/pam.d/sshd -``` +#+end_src -You need to do two things in this file. First, add the following lines to the -bottom of the file: +You need to do two things in this file. First, add the following lines +to the bottom of the file: -```config +#+begin_src config auth required pam_google_authenticator.so nullok auth required pam_permit.so -``` +#+end_src Second, comment-out the following line near the top of the file. -If you leave this line uncommented, every SSH login attempt will ask for the -following three authentication factors: +If you leave this line uncommented, every SSH login attempt will ask for +the following three authentication factors: 1. Publickey 2. Password 3. T/OTP code -```config +#+begin_src config #@include common-auth -``` - -## SSH Configuration Settings +#+end_src -Finally, edit the `sshd_config` file again: +** SSH Configuration Settings +:PROPERTIES: +:CUSTOM_ID: ssh-configuration-settings +:END: +Finally, edit the =sshd_config= file again: -```sh +#+begin_src sh sudo nano /etc/ssh/sshd_config -``` +#+end_src -You'll need to change `ChallengeResponseAuthentication` to yes and add the -`AuthenticationMethods` line to the bottom of the file. +You'll need to change =ChallengeResponseAuthentication= to yes and add +the =AuthenticationMethods= line to the bottom of the file. -```config +#+begin_src config ChallengeResponseAuthentication yes AuthenticationMethods publickey,password publickey,keyboard-interactive -``` +#+end_src -Finally, restart the `ssh` service: +Finally, restart the =ssh= service: -```sh +#+begin_src sh sudo systemctl restart sshd.service -``` +#+end_src -The next time you log in, you should be greeted with a verification code +The next time you log in, you should be greeted with a verification code request! diff --git a/blog/2022-04-02-nginx-reverse-proxy.org b/blog/2022-04-02-nginx-reverse-proxy.org index 2311d53..fc023a5 100644 --- a/blog/2022-04-02-nginx-reverse-proxy.org +++ b/blog/2022-04-02-nginx-reverse-proxy.org @@ -1,42 +1,43 @@ -+++ -date = 2022-04-02 -title = "Set-Up a Reverse Proxy with Nginx" -description = "Learn how to set-up a reverse proxy server with Nginx on Ubuntu." -draft = false -+++ - -## What is a Reverse Proxy? - -A reverse proxy is a server that is placed between local servers or services and -clients/users (e.g., the internet). The reverse proxy intercepts all requests -from clients at the network edge and uses its configuration files to determine -where each request should be sent. - -### A Brief Example - +#+title: Set-Up a Reverse Proxy with Nginx +#+date: 2022-04-02 + +** What is a Reverse Proxy? +:PROPERTIES: +:CUSTOM_ID: what-is-a-reverse-proxy +:END: +A reverse proxy is a server that is placed between local servers or +services and clients/users (e.g., the internet). The reverse proxy +intercepts all requests from clients at the network edge and uses its +configuration files to determine where each request should be sent. + +*** A Brief Example +:PROPERTIES: +:CUSTOM_ID: a-brief-example +:END: For example, let's say that I run three servers in my home: -- Server_01 (`example.com`) -- Server_02 (`service01.example.com`) -- Server_03 (`service02.example.com`) +- Server_01 (=example.com=) +- Server_02 (=service01.example.com=) +- Server_03 (=service02.example.com=) -I also run a reverse proxy in my home that intercepts all public traffic: +I also run a reverse proxy in my home that intercepts all public +traffic: -- Reverse Proxy +- Reverse Proxy -Assume that I have a domain name (`example.com`) that allows clients to request -websites or services from my home servers. +Assume that I have a domain name (=example.com=) that allows clients to +request websites or services from my home servers. -In this case, the reverse proxy will intercept all traffic from `example.com` -that enters my network and determine if the client is requesting valid data, -based on my configuration. +In this case, the reverse proxy will intercept all traffic from +=example.com= that enters my network and determine if the client is +requesting valid data, based on my configuration. -If the user is requesting `example.com` and my configuration files say that -Server_01 holds that data, Nginx will send the user to Server_01. If I were to -change the configuration so that `example.com` is routed to Server_02, that same -user would be sent to Server_02 instead. +If the user is requesting =example.com= and my configuration files say +that Server_01 holds that data, Nginx will send the user to Server_01. +If I were to change the configuration so that =example.com= is routed to +Server_02, that same user would be sent to Server_02 instead. -```txt +#+begin_src txt ┌──────┐ ┌───────────┐ │ User │─┐ ┌──► Server_01 │ └──────┘ │ │ └───────────┘ @@ -46,133 +47,151 @@ user would be sent to Server_02 instead. ┌──────┐ │ │ ┌───────────┐ │ User │─┘ └──► Server_03 │ └──────┘ └───────────┘ -``` - -## Reverse Proxy Options - -There are a lot of options when it comes to reverse proxy servers, so I'm just -going to list a few of the options I've heard recommended over the last few -years: - -- [Nginx](https://nginx.com) -- [Caddy](https://caddyserver.com) -- [Traefik](https://traefik.io/) -- [HAProxy](https://www.haproxy.org/) -- [Squid](https://ubuntu.com/server/docs/proxy-servers-squid) - -In this post, we will be using Nginx as our reverse proxy, running on Ubuntu -Server 20.04.4 LTS. - -## Nginx Reverse Proxy Example - -### Local Applications - -You may be like me and have a lot of applications running on your local network -that you'd like to expose publicly with a domain. - -In my case, I have services running in multiple Docker containers within a -single server and want a way to visit those services from anywhere with a URL. -For example, on my local network, [Dashy](https://dashy.to) runs through port -4000 (`localhost:4000`) and -[Uptime Kuma](https://github.com/louislam/uptime-kuma) runs through port 3001 -(`localhost:3001`). +#+end_src + +** Reverse Proxy Options +:PROPERTIES: +:CUSTOM_ID: reverse-proxy-options +:END: +There are a lot of options when it comes to reverse proxy servers, so +I'm just going to list a few of the options I've heard recommended over +the last few years: + +- [[https://nginx.com][Nginx]] +- [[https://caddyserver.com][Caddy]] +- [[https://traefik.io/][Traefik]] +- [[https://www.haproxy.org/][HAProxy]] +- [[https://ubuntu.com/server/docs/proxy-servers-squid][Squid]] + +In this post, we will be using Nginx as our reverse proxy, running on +Ubuntu Server 20.04.4 LTS. + +** Nginx Reverse Proxy Example +:PROPERTIES: +:CUSTOM_ID: nginx-reverse-proxy-example +:END: +*** Local Applications +:PROPERTIES: +:CUSTOM_ID: local-applications +:END: +You may be like me and have a lot of applications running on your local +network that you'd like to expose publicly with a domain. + +In my case, I have services running in multiple Docker containers within +a single server and want a way to visit those services from anywhere +with a URL. For example, on my local network, +[[https://dashy.to][Dashy]] runs through port 4000 (=localhost:4000=) +and [[https://github.com/louislam/uptime-kuma][Uptime Kuma]] runs +through port 3001 (=localhost:3001=). In order to expose these services to the public, I will need to do the following: -1. Set up DNS records for a domain or subdomain (one per service) to point - toward the IP address of the server. -2. Open up the server network's HTTP and HTTPS ports (80 & 443) so that the - reverse proxy can accept traffic and determine where to send it. +1. Set up DNS records for a domain or subdomain (one per service) to + point toward the IP address of the server. +2. Open up the server network's HTTP and HTTPS ports (80 & 443) so that + the reverse proxy can accept traffic and determine where to send it. 3. Install the reverse proxy software. -4. Configure the reverse proxy to recognize which service should get traffic - from any of the domains or subdomains. +4. Configure the reverse proxy to recognize which service should get + traffic from any of the domains or subdomains. -### Step 1: DNS Configuration +*** Step 1: DNS Configuration +:PROPERTIES: +:CUSTOM_ID: step-1-dns-configuration +:END: +To start, update your DNS configuration so that you have an =A= record +for each domain or subdomain. -To start, update your DNS configuration so that you have an `A` record for each -domain or subdomain. +The =A= records should point toward the public IP address of the server. +If you don't know the public IP address, log in to the server and run +the following command: -The `A` records should point toward the public IP address of the server. If you -don't know the public IP address, log in to the server and run the following -command: - -```sh +#+begin_src sh curl ifconfig.co -``` +#+end_src -In the DNS example below, `xxx.xxx.xxx.xxx` is the public IP address of the -server. +In the DNS example below, =xxx.xxx.xxx.xxx= is the public IP address of +the server. -```config +#+begin_src config example.com A xxx.xxx.xxx.xxx uptime.example.com A xxx.xxx.xxx.xxx dashy.example.com A xxx.xxx.xxx.xxx www CNAME example.com -``` +#+end_src Finally, ensure the DNS has propagated correctly with -[DNS Checker](https://dnschecker.org) by entering your domains or subdomains in -the search box and ensuring the results are showing the correct IP address. - -### Step 2: Open Network Ports - -This step will be different depending on which router you have in your home. If -you're not sure, try to visit [192.168.1.1](http://192.168.1.1) in your browser. -Login credentials are usually written on a sticker somewhere on your -modem/router. - -Once you're able to log in to your router, find the Port Forwarding settings. -You will need to forward ports `80` and `443` to whichever machine is -running the reverse proxy. - -In my case, the table below shows the port-forwarding rules I've created. -In this table, `xxx.xxx.xxx.xxx` is the local device IP of the reverse proxy -server, it will probably be an IP between `192.168.1.1` and `192.168.1.255`. - -| NAME | FROM | PORT | DEST PORT/IP | ENABLED | -|:-----:|:----:|:----:|:---------------:|:-------:| -| HTTP | \* | 80 | xxx.xxx.xxx.xxx | TRUE | -| HTTPS | \* | 443 | xxx.xxx.xxx.xxx | TRUE | - -Once configured, these rules will direct all web traffic to your reverse proxy. - -### Step 3: Nginx Installation - +[[https://dnschecker.org][DNS Checker]] by entering your domains or +subdomains in the search box and ensuring the results are showing the +correct IP address. + +*** Step 2: Open Network Ports +:PROPERTIES: +:CUSTOM_ID: step-2-open-network-ports +:END: +This step will be different depending on which router you have in your +home. If you're not sure, try to visit +[[http://192.168.1.1][192.168.1.1]] in your browser. Login credentials +are usually written on a sticker somewhere on your modem/router. + +Once you're able to log in to your router, find the Port Forwarding +settings. You will need to forward ports =80= and =443= to whichever +machine is running the reverse proxy. + +In my case, the table below shows the port-forwarding rules I've +created. In this table, =xxx.xxx.xxx.xxx= is the local device IP of the +reverse proxy server, it will probably be an IP between =192.168.1.1= +and =192.168.1.255=. + +| NAME | FROM | PORT | DEST PORT/IP | ENABLED | +|-------+------+------+-----------------+---------| +| HTTP | * | 80 | xxx.xxx.xxx.xxx | TRUE | +| HTTPS | * | 443 | xxx.xxx.xxx.xxx | TRUE | + +Once configured, these rules will direct all web traffic to your reverse +proxy. + +*** Step 3: Nginx Installation +:PROPERTIES: +:CUSTOM_ID: step-3-nginx-installation +:END: To install Nginx, simply run the following command: -```sh +#+begin_src sh sudo apt install nginx -``` +#+end_src -If you have a firewall enabled, open up ports `80` and `443` on your server so -that Nginx can accept web traffic from the router. +If you have a firewall enabled, open up ports =80= and =443= on your +server so that Nginx can accept web traffic from the router. -For example, if you want to use `ufw` for web traffic and SSH, run the following -commands: +For example, if you want to use =ufw= for web traffic and SSH, run the +following commands: -```sh +#+begin_src sh sudo ufw allow 'Nginx Full' sudo ufw allow SSH sudo ufw enable -``` +#+end_src -### Step 4: Nginx Configuration - -Now that we have domains pointing toward the server, the only step left is to -configure the reverse proxy to direct traffic from domains to local services. +*** Step 4: Nginx Configuration +:PROPERTIES: +:CUSTOM_ID: step-4-nginx-configuration +:END: +Now that we have domains pointing toward the server, the only step left +is to configure the reverse proxy to direct traffic from domains to +local services. To start, you'll need to create a configuration file for each domain in -`/etc/nginx/sites-available/`. They will look identical except for the -`server_name` variable and the `proxy_pass` port. +=/etc/nginx/sites-available/=. They will look identical except for the +=server_name= variable and the =proxy_pass= port. Dashy: -```sh +#+begin_src sh nano /etc/nginx/sites-available/dashy.example.com -``` +#+end_src -```config +#+begin_src config server { listen 80; server_name dashy.example.com; @@ -181,15 +200,15 @@ server { proxy_pass http://localhost:4000; } } -``` +#+end_src Uptime: -```sh +#+begin_src sh nano /etc/nginx/sites-available/uptime.example.com -``` +#+end_src -```config +#+begin_src config server { listen 80; server_name uptime.example.com; @@ -198,29 +217,31 @@ server { proxy_pass http://localhost:3001; } } -``` +#+end_src -Once the configuration files are created, you will need to enable them with the -`symlink` command: +Once the configuration files are created, you will need to enable them +with the =symlink= command: -```sh +#+begin_src sh sudo ln -s /etc/nginx/sites-available/dashy.example.com /etc/nginx/sites-enabled/ -``` +#+end_src Voilà! Your local services should now be available through their URLs. -## HTTPS with Certbot - -If you've followed along, you'll notice that your services are only available -via HTTP (not HTTPS). +** HTTPS with Certbot +:PROPERTIES: +:CUSTOM_ID: https-with-certbot +:END: +If you've followed along, you'll notice that your services are only +available via HTTP (not HTTPS). -If you want to enable HTTPS for your new domains, you will need to generate -SSL/TLS certificates for them. The easiest way to generate certificates on Nginx -is [Certbot](https://certbot.eff.org): +If you want to enable HTTPS for your new domains, you will need to +generate SSL/TLS certificates for them. The easiest way to generate +certificates on Nginx is [[https://certbot.eff.org][Certbot]]: -```sh +#+begin_src sh sudo apt install snapd; sudo snap install core; sudo snap refresh core sudo snap install --classic certbot sudo ln -s /snap/bin/certbot /usr/bin/certbot sudo certbot --nginx -``` +#+end_src diff --git a/blog/2022-04-09-pinetime.org b/blog/2022-04-09-pinetime.org index 0bd7814..b0fc662 100644 --- a/blog/2022-04-09-pinetime.org +++ b/blog/2022-04-09-pinetime.org @@ -1,148 +1,178 @@ -+++ -date = 2022-04-09 -title = "PineTime: An Open-Source SmartWatch" -description = "Exploring the PineTime, an open-source smartwatch created by PINE64." -draft = false -+++ - -## PineTime Product Information - -### Overview - -The [PineTime](https://www.pine64.org/pinetime/) is an open-source smartwatch, -created by [PINE64](https://www.pine64.org). Originally announced in September -2019, this ARM-based watch is a fantastic option for users who want the benefits -of a modern smartwatch with the backing of open-source components and software. - -### Product Specifications - +#+title: PineTime: An Open-Source SmartWatch +#+date: 2022-04-09 + +** PineTime Product Information +:PROPERTIES: +:CUSTOM_ID: pinetime-product-information +:END: +*** Overview +:PROPERTIES: +:CUSTOM_ID: overview +:END: +The [[https://www.pine64.org/pinetime/][PineTime]] is an open-source +smartwatch, created by [[https://www.pine64.org][PINE64]]. Originally +announced in September 2019, this ARM-based watch is a fantastic option +for users who want the benefits of a modern smartwatch with the backing +of open-source components and software. + +*** Product Specifications +:PROPERTIES: +:CUSTOM_ID: product-specifications +:END: I won't dive into too many details that you can find on -[the product page](https://www.pine64.org/pinetime/), but I wanted to point out -the prices for each watch and the primary functions: - -#### Price: - -- $26.99 (Sealed) -- $24.99 (Dev Kit) -- $51.98 (One Sealed + One Dev Kit) - -#### Primary Functionality: - -- Clock (+ Smartphone Sync) -- Pedometer -- Heart Rate Monitor -- Sleep Monitor -- Calories burned -- Messaging -- Smartphone Notifications -- Media Controls - -## Unboxing - -Now, my PineTime was ordered on 2022-02-17, shipped on 2022-02-22, and was -delivered on 2022-03-23. -With the current delays on shipping times around the world (and the -semiconductor shortage), a month for delivery from China seems reasonable to me. - -The packaging is simple, and the watch comes with instructions, technical -information, the watch, and a charger (it does not include a USB wall adapter). - -The watch itself was able to turn on immediately when I pulled it out of the -box, but the battery was depleted and required charging right away. - - - -## Software - -### Watch OS: InfiniTime - -While turning on the watch for the first time, some of the main design choices -you can see in the watch OS, -[InfiniTime](https://wiki.pine64.org/wiki/InfiniTime), are: - -- A square bezel, not too thin against the sides of the watch. -- A simple, rubber band. -- Basic font and screen pixel design. -- Swipe gestures to access other screens. - - - -The OS itself is fantastic in terms of functionality for me. It does exactly -what a smartwatch should do - track time, steps, heart rates, and connect to -another smart device, without being overly burdensome to the user. - -My only gripe so far is that it's _really_ difficult to swipe to different -screens, such as pulling down the notification tray. I'm not sure if this is an -OS or hardware issue, but it makes it quite hard to quickly move around the -screens. - -However, my absolute favorite design choice is that the button the side turns -the screen on and off and tilting/waving my wrist doesn't accidentally turn on -the screen. With other watches, I absolutely hated not being able to turn off -the raise-to-wake or wave features (i.e., blinding myself while wearing a watch -at night because I moved my arm). - -### iOS App: InfiniLink - +[[https://www.pine64.org/pinetime/][the product page]], but I wanted to +point out the prices for each watch and the primary functions: + +**** Price: +:PROPERTIES: +:CUSTOM_ID: price +:END: +- $26.99 (Sealed) +- $24.99 (Dev Kit) +- $51.98 (One Sealed + One Dev Kit) + +**** Primary Functionality: +:PROPERTIES: +:CUSTOM_ID: primary-functionality +:END: +- Clock (+ Smartphone Sync) +- Pedometer +- Heart Rate Monitor +- Sleep Monitor +- Calories burned +- Messaging +- Smartphone Notifications +- Media Controls + +** Unboxing +:PROPERTIES: +:CUSTOM_ID: unboxing +:END: +Now, my PineTime was ordered on 2022-02-17, shipped on 2022-02-22, and +was delivered on 2022-03-23. With the current delays on shipping times +around the world (and the semiconductor shortage), a month for delivery +from China seems reasonable to me. + +The packaging is simple, and the watch comes with instructions, +technical information, the watch, and a charger (it does not include a +USB wall adapter). + +The watch itself was able to turn on immediately when I pulled it out of +the box, but the battery was depleted and required charging right away. + +#+caption: PineTime Box Contents +[[https://img.cleberg.net/blog/20220409-pinetime-smart-watch/pinetime_box_contents.png]] + +** Software +:PROPERTIES: +:CUSTOM_ID: software +:END: +*** Watch OS: InfiniTime +:PROPERTIES: +:CUSTOM_ID: watch-os-infinitime +:END: +While turning on the watch for the first time, some of the main design +choices you can see in the watch OS, +[[https://wiki.pine64.org/wiki/InfiniTime][InfiniTime]], are: + +- A square bezel, not too thin against the sides of the watch. +- A simple, rubber band. +- Basic font and screen pixel design. +- Swipe gestures to access other screens. + +#+caption: PineTime Screens +[[https://img.cleberg.net/blog/20220409-pinetime-smart-watch/pinetime.png]] + +The OS itself is fantastic in terms of functionality for me. It does +exactly what a smartwatch should do - track time, steps, heart rates, +and connect to another smart device, without being overly burdensome to +the user. + +My only gripe so far is that it's /really/ difficult to swipe to +different screens, such as pulling down the notification tray. I'm not +sure if this is an OS or hardware issue, but it makes it quite hard to +quickly move around the screens. + +However, my absolute favorite design choice is that the button the side +turns the screen on and off and tilting/waving my wrist doesn't +accidentally turn on the screen. With other watches, I absolutely hated +not being able to turn off the raise-to-wake or wave features (i.e., +blinding myself while wearing a watch at night because I moved my arm). + +*** iOS App: InfiniLink +:PROPERTIES: +:CUSTOM_ID: ios-app-infinilink +:END: Since I am using iOS as my primary mobile device OS, I am using the -[InfiniLink](https://github.com/xan-m/InfiniLink) app to connect my watch. +[[https://github.com/xan-m/InfiniLink][InfiniLink]] app to connect my +watch. This app provides the following for PineTime owners: -- Firmware updates -- Steps -- Charts -- Notifications +- Firmware updates +- Steps +- Charts +- Notifications -I mashed up a few screenshots to show off the home page, menu, firmware update, -and notification test screens: +I mashed up a few screenshots to show off the home page, menu, firmware +update, and notification test screens: - +#+caption: InfiniLink Home +[[https://img.cleberg.net/blog/20220409-pinetime-smart-watch/infinilink_home.png]] -Another big feature of InfiniLink is the ability to track pedometer steps in a -collection of beautiful graphs, with the option to change your step goal and -add in manual steps. +Another big feature of InfiniLink is the ability to track pedometer +steps in a collection of beautiful graphs, with the option to change +your step goal and add in manual steps. - +#+caption: InfiniLink Steps +[[https://img.cleberg.net/blog/20220409-pinetime-smart-watch/infinilink_steps.png]] -Finally, there are charts to display the battery percentage and heart rates over -time. This area also comes with an option to clear data. +Finally, there are charts to display the battery percentage and heart +rates over time. This area also comes with an option to clear data. - +#+caption: InfiniLink Charts +[[https://img.cleberg.net/blog/20220409-pinetime-smart-watch/infinilink_charts.png]] -## Final Thoughts - -### Pros - -After wearing my watch for a few weeks, I have mostly positive thoughts about -the watch so far. -In the past, I have owned smartwatches by FitBit, Fossil, Apple, etc. - -**but I prefer the PineTime over all of those watches**. +** Final Thoughts +:PROPERTIES: +:CUSTOM_ID: final-thoughts +:END: +*** Pros +:PROPERTIES: +:CUSTOM_ID: pros +:END: +After wearing my watch for a few weeks, I have mostly positive thoughts +about the watch so far. In the past, I have owned smartwatches by +FitBit, Fossil, Apple, etc. - *but I prefer the PineTime over all of +those watches*. The PineTime strips out all the unnecessary features and performs the functions that it provides effectively and efficiently. -The battery life is amazing on this device. By default, the watch seems to last -anywhere from a few days to a week before dying. +The battery life is amazing on this device. By default, the watch seems +to last anywhere from a few days to a week before dying. And of course, it's open source and backed by some of the most dedicated -enthusiasts and developers I've seen. Watching the Matrix channel, forums, and -website have been exciting to see. - -### Cons - -If I had to complain about anything, it would simply be the small bugs in some -features that can be contributed to the companion apps more than the watch -itself. - -A regular user would want native notification support out-of-the-box, which is -the biggest item not working for me at the moment. - -My only other complaint is that the battery indicator on the watch doesn't seem -accurate when it's nearing depletion - it seems that there's a bit of battery -life left and then my watch is dead very suddenly after. This could just be me -misinterpreting the battery level icons, but it has fooled me a few times into -thinking I had more battery left than I actually did. - -Other than those small items, I really do love this watch and am glad I replaced -my Apple Watch with the PineTime. +enthusiasts and developers I've seen. Watching the Matrix channel, +forums, and website have been exciting to see. + +*** Cons +:PROPERTIES: +:CUSTOM_ID: cons +:END: +If I had to complain about anything, it would simply be the small bugs +in some features that can be contributed to the companion apps more than +the watch itself. + +A regular user would want native notification support out-of-the-box, +which is the biggest item not working for me at the moment. + +My only other complaint is that the battery indicator on the watch +doesn't seem accurate when it's nearing depletion - it seems that +there's a bit of battery life left and then my watch is dead very +suddenly after. This could just be me misinterpreting the battery level +icons, but it has fooled me a few times into thinking I had more battery +left than I actually did. + +Other than those small items, I really do love this watch and am glad I +replaced my Apple Watch with the PineTime. diff --git a/blog/2022-06-01-ditching-cloudflare.org b/blog/2022-06-01-ditching-cloudflare.org index 56cee28..df61114 100644 --- a/blog/2022-06-01-ditching-cloudflare.org +++ b/blog/2022-06-01-ditching-cloudflare.org @@ -1,89 +1,105 @@ -+++ -date = 2022-06-01 -title = "Ditching Cloudflare for Njalla" -description = "After spending a few years jumping around to different DNS hosts, I'm finally ditching Cloudflare for good." -draft = false -+++ - -## Registrar - -After spending a year or so using Cloudflare for DNS only - no proxying or -applications - I spent the last few months using Cloudflare Tunnels and -Cloudflare Access to protect my self-hosted websites and applications via their -proxy traffic model. - -However, I have never liked using Cloudflare due to their increasingly large -share of control over web traffic, as well as their business model of being a -MITM for all of your traffic. - -So, as of today, I have switched over to [Njalla](https://njal.la) as my -registrar and DNS manager. I was able to easily transfer my domains over -rapidly, with only one domain taking more than 15-30 minutes to propagate. - -~~I do still have two domains sitting at Cloudflare for the moment while I -decide if they're worth the higher rates (one domain is 30€ and the other is -45€).~~ - -> **Update (2022.06.03)**: I ended up transferring my final two domains over to -> Njalla, clearing my Cloudflare account of personal data, and deleting the -> Cloudflare account entirely. _I actually feel relieved to have moved on to a -> provider I trust._ - -## DNS - -As noted above, I'm using Njalla exclusively for DNS configurations on my -domains. - -However, the transfer process was not ideal. As soon as the domains transferred -over, I switched the nameservers from Cloudflare to Njalla and lost most of the -associated DNS records. So, the majority of the time spent during the migration -was simply re-typing all the DNS records back in one-by-one. - -This would be much simpler if I were able to edit the plain-text format of the -DNS configuration. I was able to do that at a past registrar (perhaps it was -[Gandi.net](https://gandi.net/)?) and it made life a lot easier. - -### Dynamic DNS Updates - -I have built an easy Python script to run (or set-up in `cron` to run -automatically) that will check my server's IPv4 and IPv6, compare it to Njalla, -and update the DNS records if they don't match. You can see the full script and -process in my other post: -[Updating Dynamic DNS with Njalla API](/blog/njalla-dns-api/). - -I haven't used this other method, but I do know that you can create `Dynamic` -DNS records with Njalla that -[work for updating dynamic subdomains](https://njal.la/docs/ddns/). - -### Njalla's DNS Tool - +#+title: Ditching Cloudflare for Njalla +#+date: 2022-06-01 + +** Registrar +:PROPERTIES: +:CUSTOM_ID: registrar +:END: +After spending a year or so using Cloudflare for DNS only - no proxying +or applications - I spent the last few months using Cloudflare Tunnels +and Cloudflare Access to protect my self-hosted websites and +applications via their proxy traffic model. + +However, I have never liked using Cloudflare due to their increasingly +large share of control over web traffic, as well as their business model +of being a MITM for all of your traffic. + +So, as of today, I have switched over to [[https://njal.la][Njalla]] as +my registrar and DNS manager. I was able to easily transfer my domains +over rapidly, with only one domain taking more than 15-30 minutes to +propagate. + ++I do still have two domains sitting at Cloudflare for the moment while +I decide if they're worth the higher rates (one domain is 30€ and the +other is 45€).+ + +#+begin_quote +*Update (2022.06.03)*: I ended up transferring my final two domains over +to Njalla, clearing my Cloudflare account of personal data, and deleting +the Cloudflare account entirely. /I actually feel relieved to have moved +on to a provider I trust./ + +#+end_quote + +** DNS +:PROPERTIES: +:CUSTOM_ID: dns +:END: +As noted above, I'm using Njalla exclusively for DNS configurations on +my domains. + +However, the transfer process was not ideal. As soon as the domains +transferred over, I switched the nameservers from Cloudflare to Njalla +and lost most of the associated DNS records. So, the majority of the +time spent during the migration was simply re-typing all the DNS records +back in one-by-one. + +This would be much simpler if I were able to edit the plain-text format +of the DNS configuration. I was able to do that at a past registrar +(perhaps it was [[https://gandi.net/][Gandi.net]]?) and it made life a +lot easier. + +*** Dynamic DNS Updates +:PROPERTIES: +:CUSTOM_ID: dynamic-dns-updates +:END: +I have built an easy Python script to run (or set-up in =cron= to run +automatically) that will check my server's IPv4 and IPv6, compare it to +Njalla, and update the DNS records if they don't match. You can see the +full script and process in my other post: +[[/blog/njalla-dns-api/][Updating Dynamic DNS with Njalla API]]. + +I haven't used this other method, but I do know that you can create +=Dynamic= DNS records with Njalla that +[[https://njal.la/docs/ddns/][work for updating dynamic subdomains]]. + +*** Njalla's DNS Tool +:PROPERTIES: +:CUSTOM_ID: njallas-dns-tool +:END: One neat upside to Njalla is that they have a -[DNS lookup tool](https://check.njal.la/dns/) that provides a lot of great -information for those of you (AKA: me) who hate using the `dig` command. - -This was very useful for monitoring a couple of my transferred domains to see -when the changes in nameservers, records, and DNSSEC went into effect. - -## Tunnel - +[[https://check.njal.la/dns/][DNS lookup tool]] that provides a lot of +great information for those of you (AKA: me) who hate using the =dig= +command. + +This was very useful for monitoring a couple of my transferred domains +to see when the changes in nameservers, records, and DNSSEC went into +effect. + +** Tunnel +:PROPERTIES: +:CUSTOM_ID: tunnel +:END: Cloudflare Tunnel is a service that acts as a reverse-proxy (hosted on -Cloudflare's servers) and allowed me to mask the private IP address of the -server hosting my various websites and apps. - -However, as I was moving away from Cloudflare, I was not able to find a suitable -replacement that was both inexpensive and simple. So, I simply went back to -hosting [my own reverse proxy with Nginx](/blog/set-up-nginx-reverse-proxy/). -With the recent additions of Unifi hardware in my server/network rack, I am much -more protected against spam and malicious attacks at the network edge than I was -before I switched to Cloudflare. - -## Access - -Cloudflare Access, another app I used in combination with Cloudflare Tunnel, -provided an authentication screen that required you to enter valid credentials -before Cloudflare would forward you to the actual website or app (if the -website/app has their own authentication, you'd then have to authenticate a -second time). - -I did not replace this service with anything since I only host a handful of -non-sensitive apps that don't require duplicate authentication. +Cloudflare's servers) and allowed me to mask the private IP address of +the server hosting my various websites and apps. + +However, as I was moving away from Cloudflare, I was not able to find a +suitable replacement that was both inexpensive and simple. So, I simply +went back to hosting [[/blog/set-up-nginx-reverse-proxy/][my own reverse +proxy with Nginx]]. With the recent additions of Unifi hardware in my +server/network rack, I am much more protected against spam and malicious +attacks at the network edge than I was before I switched to Cloudflare. + +** Access +:PROPERTIES: +:CUSTOM_ID: access +:END: +Cloudflare Access, another app I used in combination with Cloudflare +Tunnel, provided an authentication screen that required you to enter +valid credentials before Cloudflare would forward you to the actual +website or app (if the website/app has their own authentication, you'd +then have to authenticate a second time). + +I did not replace this service with anything since I only host a handful +of non-sensitive apps that don't require duplicate authentication. diff --git a/blog/2022-06-04-njalla-dns-api.org b/blog/2022-06-04-njalla-dns-api.org index 5a90875..d6a74d6 100644 --- a/blog/2022-06-04-njalla-dns-api.org +++ b/blog/2022-06-04-njalla-dns-api.org @@ -1,104 +1,113 @@ -+++ -date = 2022-06-04 -title = "Dynamic DNS with Njalla API" -description = "Learn how to update Njalla DNS records automatically with a simple Python script." -draft = false -+++ - -## Njalla's API - -As noted in my recent post about -[switching to Njalla from Cloudflare](/blog/ditching-cloudflare/), I was -searching for a way to replace my very easy-to-use bash script to -[update Cloudflare's DNS via their API](/blog/cloudflare-dns-api/). - -To reiterate what I said in those posts, this is a common necessity for those of -us who have non-static IP addresses that can change at any moment due to ISP -policy. - -In order to keep a home server running smoothly, the server admin needs to have -a process to constantly monitor their public IP address and update their -domain's DNS records if it changes. - -This post explains how to use Python to update Njalla's DNS records whenever a -machine's public IP address changes. - -### Creating a Token - -To use Njalla's API, you will first need to create a token that will be used to -authenticate you every time you call the API. Luckily, this is very easy to do -if you have an account with Njalla. - -Simply go the [API Settings](https://njal.la/settings/api/) page and click the -`Add Token` button. Next, enter a name for the token and click `Add`. - -Finally, click the `Manage` button next to your newly created token and copy the -`API Token` field. - -### Finding the Correct API Request - -Once you have a token, you're ready to call the Njalla API for any number of -requests. For a full listing of available requests, see the -[Njalla API Documentation](https://njal.la/api/). - -For this demo, we are using the `list-records` and `edit-record` requests. - -The `list-records` request requires the following payload to be sent when -calling the API: - -```txt +#+title: Dynamic DNS with Njalla API +#+date: 2022-06-04 + +** Njalla's API +:PROPERTIES: +:CUSTOM_ID: njallas-api +:END: +As noted in my recent post about [[/blog/ditching-cloudflare/][switching +to Njalla from Cloudflare]], I was searching for a way to replace my +very easy-to-use bash script to [[/blog/cloudflare-dns-api/][update +Cloudflare's DNS via their API]]. + +To reiterate what I said in those posts, this is a common necessity for +those of us who have non-static IP addresses that can change at any +moment due to ISP policy. + +In order to keep a home server running smoothly, the server admin needs +to have a process to constantly monitor their public IP address and +update their domain's DNS records if it changes. + +This post explains how to use Python to update Njalla's DNS records +whenever a machine's public IP address changes. + +*** Creating a Token +:PROPERTIES: +:CUSTOM_ID: creating-a-token +:END: +To use Njalla's API, you will first need to create a token that will be +used to authenticate you every time you call the API. Luckily, this is +very easy to do if you have an account with Njalla. + +Simply go the [[https://njal.la/settings/api/][API Settings]] page and +click the =Add Token= button. Next, enter a name for the token and click +=Add=. + +Finally, click the =Manage= button next to your newly created token and +copy the =API Token= field. + +*** Finding the Correct API Request +:PROPERTIES: +:CUSTOM_ID: finding-the-correct-api-request +:END: +Once you have a token, you're ready to call the Njalla API for any +number of requests. For a full listing of available requests, see the +[[https://njal.la/api/][Njalla API Documentation]]. + +For this demo, we are using the =list-records= and =edit-record= +requests. + +The =list-records= request requires the following payload to be sent +when calling the API: + +#+begin_src txt params: { domain: string } -``` +#+end_src -The `edit-record` request requires the following payload to be sent when calling -the API: +The =edit-record= request requires the following payload to be sent when +calling the API: -```txt +#+begin_src txt params: { domain: string id: int content: string } -``` - -## Server Set-Up - -To create this script, we will be using Python. By default, I use Python 3 on my -servers, so please note that I did not test this in Python 2, and I do not know -if Python 2 will work for this. - -### Creating the Script - -First, find a suitable place to create your script. Personally, I just create a -directory called `ddns` in my home directory: - -```sh +#+end_src + +** Server Set-Up +:PROPERTIES: +:CUSTOM_ID: server-set-up +:END: +To create this script, we will be using Python. By default, I use Python +3 on my servers, so please note that I did not test this in Python 2, +and I do not know if Python 2 will work for this. + +*** Creating the Script +:PROPERTIES: +:CUSTOM_ID: creating-the-script +:END: +First, find a suitable place to create your script. Personally, I just +create a directory called =ddns= in my home directory: + +#+begin_src sh mkdir ~/ddns -``` +#+end_src Next, create a Python script file: -```sh +#+begin_src sh nano ~/ddns/ddns.py -``` +#+end_src -The following code snippet is quite long, so I won't go into depth on each part. -However, I suggest you read through the entire script before running it; it is -quite simple and contains comments to help explain each code block. +The following code snippet is quite long, so I won't go into depth on +each part. However, I suggest you read through the entire script before +running it; it is quite simple and contains comments to help explain +each code block. -:warning: **Note**: You will need to update the following variables for this to -work: +:warning: *Note*: You will need to update the following variables for +this to work: -- `token`: This is the Njalla API token you created earlier. -- `user_domain`: This is the top-level domain you want to modify. -- `include_subdomains`: Set this to `True` if you also want to modify - subdomains found under the TLD. -- `subdomains`: If `include_subdomains` = `True`, you can include your list of - subdomains to be modified here. +- =token=: This is the Njalla API token you created earlier. +- =user_domain=: This is the top-level domain you want to modify. +- =include_subdomains=: Set this to =True= if you also want to modify + subdomains found under the TLD. +- =subdomains=: If =include_subdomains= = =True=, you can include your + list of subdomains to be modified here. -```python +#+begin_src python #!/usr/bin/python # -*- coding: utf-8 -*- # Import Python modules @@ -177,29 +186,33 @@ for record in data['records']: 'does not match Njalla\'s value of', record['content'], '. Updating...') update_record(user_domain, record['id'], ipv6) -``` +#+end_src -### Running the Script +*** Running the Script +:PROPERTIES: +:CUSTOM_ID: running-the-script +:END: +Once you've created the script and are ready to test it, run the +following command: -Once you've created the script and are ready to test it, run the following -command: - -```sh +#+begin_src sh python3 ~/ddns/ddns.py -``` - -### Setting the Script to Run Automatically +#+end_src -To make sure the scripts run automatically, add it to the `cron` file so that it -will run on a schedule. To do this, open the `cron` file: +*** Setting the Script to Run Automatically +:PROPERTIES: +:CUSTOM_ID: setting-the-script-to-run-automatically +:END: +To make sure the scripts run automatically, add it to the =cron= file so +that it will run on a schedule. To do this, open the =cron= file: -```sh +#+begin_src sh crontab -e -``` +#+end_src -In the cron file, paste the following at the bottom of the editor in order to -check the IP every five minutes: +In the cron file, paste the following at the bottom of the editor in +order to check the IP every five minutes: -```sh +#+begin_src sh */5 * * * * python3 /home/<your_username>/ddns/ddns.py -``` +#+end_src diff --git a/blog/2022-06-07-freshrss.org b/blog/2022-06-07-freshrss.org index cc752b8..653e5a3 100644 --- a/blog/2022-06-07-freshrss.org +++ b/blog/2022-06-07-freshrss.org @@ -1,67 +1,75 @@ -+++ -date = 2022-06-07 -title = "Self-Hosting FreshRSS" -description = "A detailed description of my process to self-host FreshRSS on Ubuntu." -draft = false -+++ - -## Why RSS? - -After noticing that I have collected 50+ blogs as bookmarks, I decided to -migrate back to using RSS feeds to stay up-to-date with my favorite websites. -Using RSS allows me to read all of these posts in a single app (on both mobile & -desktop) and allows me to be notified when new posts are available. - -However, I ran into one issue: syncing subscriptions and read/unread posts -across devices. Since I want to be able to easily read on both mobile and -desktop, I decided to look for a self-hosted RSS solution. - -Thus, I found [FreshRSS](https://www.freshrss.org/) and was able to successfully -install it on my server in about 30 minutes. - -## Documentation - +#+title: Self-Hosting FreshRSS +#+date: 2022-06-07 + +** Why RSS? +:PROPERTIES: +:CUSTOM_ID: why-rss +:END: +After noticing that I have collected 50+ blogs as bookmarks, I decided +to migrate back to using RSS feeds to stay up-to-date with my favorite +websites. Using RSS allows me to read all of these posts in a single app +(on both mobile & desktop) and allows me to be notified when new posts +are available. + +However, I ran into one issue: syncing subscriptions and read/unread +posts across devices. Since I want to be able to easily read on both +mobile and desktop, I decided to look for a self-hosted RSS solution. + +Thus, I found [[https://www.freshrss.org/][FreshRSS]] and was able to +successfully install it on my server in about 30 minutes. + +** Documentation +:PROPERTIES: +:CUSTOM_ID: documentation +:END: While it's certainly not robust, the -[FreshRSS documentation](https://freshrss.github.io/FreshRSS/) is helpful for -figuring out basic information about the service. - -However, I wanted to install this service as a Docker container and stumbled -across the -[Docker README](https://github.com/FreshRSS/FreshRSS/tree/edge/Docker) within -the GitHub repository. - -This README was the documentation I actually needed. However, as you'll see -below, I still had to manually edit one file (`config.php`) to access the API -externally via my RSS apps. - -## Installation - -### DNS - -The first step, as required by any external web service, was assigning a domain -name to use. I chose to use a subdomain, like `rss.example.com`. - -To assign this, I created an `A` record in my DNS settings with the IPv4 address -of the server and an `AAAA` record with the IPv6 address of the server. Note: -assigning an IPv6 (`AAAA`) record is optional, but I like to enable IPV6 for my -services. - -```config +[[https://freshrss.github.io/FreshRSS/][FreshRSS documentation]] is +helpful for figuring out basic information about the service. + +However, I wanted to install this service as a Docker container and +stumbled across the +[[https://github.com/FreshRSS/FreshRSS/tree/edge/Docker][Docker README]] +within the GitHub repository. + +This README was the documentation I actually needed. However, as you'll +see below, I still had to manually edit one file (=config.php=) to +access the API externally via my RSS apps. + +** Installation +:PROPERTIES: +:CUSTOM_ID: installation +:END: +*** DNS +:PROPERTIES: +:CUSTOM_ID: dns +:END: +The first step, as required by any external web service, was assigning a +domain name to use. I chose to use a subdomain, like =rss.example.com=. + +To assign this, I created an =A= record in my DNS settings with the IPv4 +address of the server and an =AAAA= record with the IPv6 address of the +server. Note: assigning an IPv6 (=AAAA=) record is optional, but I like +to enable IPV6 for my services. + +#+begin_src config rss.example.com A xxx.xxx.xxx.xxx rss.example.com AAAA xxxx:xxxx: ... :xxxx -``` - -### Docker - -I initially tried to set up a `docker-compose.yml` file with a `.env` file -because I prefer to have a file I can look back at later to see how I initially -started the container, but it simply wouldn't work for me. I'm not sure why, but -I assume I wasn't telling `docker-compose` where the `.env` file was. - -Regardless, I chose to simply run the service with `docker run`. See the -following command for my `docker run` configuration: - -```sh +#+end_src + +*** Docker +:PROPERTIES: +:CUSTOM_ID: docker +:END: +I initially tried to set up a =docker-compose.yml= file with a =.env= +file because I prefer to have a file I can look back at later to see how +I initially started the container, but it simply wouldn't work for me. +I'm not sure why, but I assume I wasn't telling =docker-compose= where +the =.env= file was. + +Regardless, I chose to simply run the service with =docker run=. See the +following command for my =docker run= configuration: + +#+begin_src sh sudo docker run -d --restart unless-stopped --log-opt max-size=10m \ -p 8080:80 \ -e TZ=America/Chicago \ @@ -70,42 +78,46 @@ sudo docker run -d --restart unless-stopped --log-opt max-size=10m \ -v freshrss_extensions:/var/www/FreshRSS/extensions \ --name freshrss \ freshrss/freshrss -``` - -This started the container successfully and allowed me to visit the FreshRSS -instance at `localhost:8080`. - -### Fresh RSS Set-Up - -I **HIGHLY** suggest that you set up your user account prior to -exposing this service to the public. It's unlikely that someone is trying to -access the exact domain or IP/port you're assigning here, but as soon as you -expose this service, the first person to open the URL will be able to create the -admin user. - -In order to set up your FreshRSS service, open the `localhost:8080` URL in your -browser (you may need to use a local IP instead of `localhost` if you're -accessing the page from a different machine on the network - e.g., -`192.168.1.20:8080`). +#+end_src + +This started the container successfully and allowed me to visit the +FreshRSS instance at =localhost:8080=. + +*** Fresh RSS Set-Up +:PROPERTIES: +:CUSTOM_ID: fresh-rss-set-up +:END: +I *HIGHLY* suggest that you set up your user account prior to exposing +this service to the public. It's unlikely that someone is trying to +access the exact domain or IP/port you're assigning here, but as soon as +you expose this service, the first person to open the URL will be able +to create the admin user. + +In order to set up your FreshRSS service, open the =localhost:8080= URL +in your browser (you may need to use a local IP instead of =localhost= +if you're accessing the page from a different machine on the network - +e.g., =192.168.1.20:8080=). Once the page loads, set up your default user with a strong username and -password. You may also choose to configure other settings prior to exposing this -service. - -### Nginx Reverse-Proxy +password. You may also choose to configure other settings prior to +exposing this service. +*** Nginx Reverse-Proxy +:PROPERTIES: +:CUSTOM_ID: nginx-reverse-proxy +:END: In order to access this service outside my home, I needed to set up a -reverse-proxy to connect `localhost:8080` to `rss.example.com`. +reverse-proxy to connect =localhost:8080= to =rss.example.com=. First, I created a new Nginx configuration file: -```sh +#+begin_src sh sudo nano /etc/nginx/sites-available/rss.example.com -``` +#+end_src Within the config file, I pasted the following code: -```config +#+begin_src config upstream freshrss { server 127.0.0.1:8080; keepalive 64; @@ -134,80 +146,91 @@ server { proxy_pass_header Authorization; } } -``` +#+end_src -Finally, restart Nginx and you will be able to access your service via HTTP: +Finally, restart Nginx and you will be able to access your service via +HTTP: -```sh +#+begin_src sh sudo systemctl restart nginx.service -``` - -### HTTPS - -However, I don't want to access my RSS feeds via HTTP. I want it available only -via HTTPS. In order to do this, I ran the [certbot](https://certbot.eff.org/) -program to generate SSL certificates for me: - -```sh +#+end_src + +*** HTTPS +:PROPERTIES: +:CUSTOM_ID: https +:END: +However, I don't want to access my RSS feeds via HTTP. I want it +available only via HTTPS. In order to do this, I ran the +[[https://certbot.eff.org/][certbot]] program to generate SSL +certificates for me: + +#+begin_src sh sudo certbot --nginx -``` - -This process will automatically generate an SSL certificate for you and modify -the Nginx configuration file to include a redirect from HTTP to HTTPS. - -## Post-Installation Fixes - -At this point, we have a functional FreshRSS website, available from anywhere -and secured with HTTPS. However, attempting to connect this service to an RSS -app resulted in many errors regarding unavailable URLs and incorrect -credentials. - -### API Set-Up - -First, you need to open your user profile in FreshRSS (`Settings` > `Profile`) -and set an API password in the field at the bottom. This is the password you -will need to provide to your RSS apps. - -Once that is set and saved, click the link below the API password field to open -the API check tool. It should look something like `https://localhost:8080/api/` -or `https://rss.example.com/api/`. - -Within this page, you _should_ see your correct external URL and "PASS" at the -bottom of each API type. -This would mean everything is set up correctly, and you can now move on and -login to any RSS apps that support self-hosted options. +#+end_src + +This process will automatically generate an SSL certificate for you and +modify the Nginx configuration file to include a redirect from HTTP to +HTTPS. + +** Post-Installation Fixes +:PROPERTIES: +:CUSTOM_ID: post-installation-fixes +:END: +At this point, we have a functional FreshRSS website, available from +anywhere and secured with HTTPS. However, attempting to connect this +service to an RSS app resulted in many errors regarding unavailable URLs +and incorrect credentials. + +*** API Set-Up +:PROPERTIES: +:CUSTOM_ID: api-set-up +:END: +First, you need to open your user profile in FreshRSS (=Settings= > +=Profile=) and set an API password in the field at the bottom. This is +the password you will need to provide to your RSS apps. + +Once that is set and saved, click the link below the API password field +to open the API check tool. It should look something like +=https://localhost:8080/api/= or =https://rss.example.com/api/=. + +Within this page, you /should/ see your correct external URL and "PASS" +at the bottom of each API type. This would mean everything is set up +correctly, and you can now move on and login to any RSS apps that +support self-hosted options. In my case, the URL showed an internal URL and I had a warning that the -`base_url` variable may be misconfigured. If this is the case, see the next -section for a fix. - -### Base URL Fix +=base_url= variable may be misconfigured. If this is the case, see the +next section for a fix. -In order to fix the `base_url` for the API, I opened up my docker container with -the following command: +*** Base URL Fix +:PROPERTIES: +:CUSTOM_ID: base-url-fix +:END: +In order to fix the =base_url= for the API, I opened up my docker +container with the following command: -```sh +#+begin_src sh sudo docker exec -it freshrss bash -``` +#+end_src Within this container, update the packages and install an editor: -```sh +#+begin_src sh apt-get update apt-get install nano -``` +#+end_src -Finally, open up `config.php` in the `data` directory: +Finally, open up =config.php= in the =data= directory: -```sh +#+begin_src sh nano data/config.php -``` +#+end_src -Within `config.php`, you will need to update the `base_url` variable and update -it to match your external URL. In my case, I simply commented-out the incorrect -URL with `//` and added the correct one on a new line: +Within =config.php=, you will need to update the =base_url= variable and +update it to match your external URL. In my case, I simply commented-out +the incorrect URL with =//= and added the correct one on a new line: -```php +#+begin_src php <?php return array ( ... @@ -216,25 +239,25 @@ URL with `//` and added the correct one on a new line: ... ) > -``` +#+end_src -You can now exit the file with `Ctrl + x`, press `y` to save the file, and then -click `Enter` to keep the same file name. +You can now exit the file with =Ctrl + x=, press =y= to save the file, +and then click =Enter= to keep the same file name. Finally, just exit out of the docker container: -```sh +#+begin_src sh exit -``` +#+end_src Next, just restart the container: -```sh +#+begin_src sh sudo docker restart freshrss -``` +#+end_src -Voilà! Your API check should now "PASS" and you should be able to use one of the -API URLs in your RSS apps. +Voilà! Your API check should now "PASS" and you should be able to use +one of the API URLs in your RSS apps. -In my case, I use [NetNewsWire](https://netnewswire.com) on my desktop and -phone. +In my case, I use [[https://netnewswire.com][NetNewsWire]] on my desktop +and phone. diff --git a/blog/2022-06-16-terminal-lifestyle.org b/blog/2022-06-16-terminal-lifestyle.org index c248ea9..4056415 100644 --- a/blog/2022-06-16-terminal-lifestyle.org +++ b/blog/2022-06-16-terminal-lifestyle.org @@ -1,43 +1,48 @@ -+++ -date = 2022-06-16 -title = "A Terminal Lifestyle" -description = "A detailed description on how I'm living my digital life in the terminal." -+++ - -## Text-Based Simplicity - -I've detailed my views on web-based minimalism and related topics in other -posts throughout the years; e.g., JavaScript/CSS bloat slowing down websites -that are essentially a text document. However, I have never really expanded -beyond talking about the web and describing how I focus on minimizing -distractions in other digital environments. - -This post is going to set the baseline for how I *try* to live my digital life. -It does not necessarily get into my physical life, which is often harder to -control and contain all the noise in our modern world. - -While there are new things to do every day in our digital world, I find that -keeping a core set of values and interests can ground you and keep you mindful -of *why* you are participating in the digital world. For example, if - at your -core - you have no interest in what strangers think about random topics, it -would be unwise to start participating in social media. However, I am someone -who has been dragged in by effective advertising to participate in communities -that I realize I do not care for. - -I won't dive much further into explaining the philosophy of all this, but I will -link a few helpful articles that may pique your interest if you're in search of -more meaningful experiences: - -- [Mindfulness](https://en.wikipedia.org/wiki/Mindfulness) -- [Minimalism](https://en.wikipedia.org/wiki/Minimalism) -- [Stoicism](https://en.wikipedia.org/wiki/Stoicism) - -## Living Life in the Terminal - -My personal approach to reducing digital distractions and increasing my focus on -the task at hand is to use a terminal for as much as I possibly can. - -Most days, this means that I have a few tabs open constantly in my terminal: +#+title: A Terminal Lifestyle +#+date: 2022-06-16 + +** Text-Based Simplicity +:PROPERTIES: +:CUSTOM_ID: text-based-simplicity +:END: +I've detailed my views on web-based minimalism and related topics in +other posts throughout the years; e.g., JavaScript/CSS bloat slowing +down websites that are essentially a text document. However, I have +never really expanded beyond talking about the web and describing how I +focus on minimizing distractions in other digital environments. + +This post is going to set the baseline for how I /try/ to live my +digital life. It does not necessarily get into my physical life, which +is often harder to control and contain all the noise in our modern +world. + +While there are new things to do every day in our digital world, I find +that keeping a core set of values and interests can ground you and keep +you mindful of /why/ you are participating in the digital world. For +example, if - at your core - you have no interest in what strangers +think about random topics, it would be unwise to start participating in +social media. However, I am someone who has been dragged in by effective +advertising to participate in communities that I realize I do not care +for. + +I won't dive much further into explaining the philosophy of all this, +but I will link a few helpful articles that may pique your interest if +you're in search of more meaningful experiences: + +- [[https://en.wikipedia.org/wiki/Mindfulness][Mindfulness]] +- [[https://en.wikipedia.org/wiki/Minimalism][Minimalism]] +- [[https://en.wikipedia.org/wiki/Stoicism][Stoicism]] + +** Living Life in the Terminal +:PROPERTIES: +:CUSTOM_ID: living-life-in-the-terminal +:END: +My personal approach to reducing digital distractions and increasing my +focus on the task at hand is to use a terminal for as much as I possibly +can. + +Most days, this means that I have a few tabs open constantly in my +terminal: 1. A web browser 2. A chat client @@ -46,157 +51,180 @@ Most days, this means that I have a few tabs open constantly in my terminal: 5. A local shell for navigating my computer's files 6. A remote shell for managing servers and other machines -Beyond this, I rarely open other tabs or GUI applications, unless absolutely -necessary. If you look, you may be surprised what can be accomplished in the -terminal. +Beyond this, I rarely open other tabs or GUI applications, unless +absolutely necessary. If you look, you may be surprised what can be +accomplished in the terminal. -For example, I have moved my music and entertainment downloads to the -terminal, along with my device VPN connections. I am exploring options for -moving my RSS subscriptions to something like [Newsboat](https://newsboat.org/), -so that I can read my daily articles without all the fuss. +For example, I have moved my music and entertainment downloads to the +terminal, along with my device VPN connections. I am exploring options +for moving my RSS subscriptions to something like +[[https://newsboat.org/][Newsboat]], so that I can read my daily +articles without all the fuss. -Now that we have some examples out of the way, let's dive into the +Now that we have some examples out of the way, let's dive into the specifics. -### Browsing the Web - -I'm going to start off with a hard topic for those who prefer to live in the -terminal: web browsing. This task is made hard mostly by websites and web apps -that require JavaScript to run. The other difficult part is that if you're using -a text-based browser, that means images won't load (hopefully that's obvious). - -I am using [Lynx](https://lynx.invisible-island.net), a text-based browser that -runs quickly and easily in the terminal. Lynx allows me to browser most websites -by simply typing `g` and then typing in the URL I want. - - - -If you need a search engine while in Lynx, I recommend [DuckDuckGo -(Lite)](https://lite.duckduckgo.com/lite/), which allows you to search the web -using their text-only interface. - - - -Eventually, you will run into websites that don't work (or are just too ugly -and messy) in a text-only mode, and you'll be forced to switch over to a GUI -browser to look at that site. Personally, I don't mind this as it doesn't happen -as often as I thought it would. - -The only time I need to do this is when I want to browse an image/video-focused -webpage or if I need to log in to a site, and it doesn't support a text-only -login page. -For example, I am able to easily log in to [Sourcehut](https://sr.ht) in lynx. - -### Chatting with Friends - -After web browsing activities, my main form of terminal communication is Matrix. -I use the [gomuks](https://docs.mau.fi/gomuks/) client currently. - -This was incredibly easy to install on macOS (but I will need to see if it'll -be just as easy on Linux when my new laptop arrives): - -```sh +*** Browsing the Web +:PROPERTIES: +:CUSTOM_ID: browsing-the-web +:END: +I'm going to start off with a hard topic for those who prefer to live in +the terminal: web browsing. This task is made hard mostly by websites +and web apps that require JavaScript to run. The other difficult part is +that if you're using a text-based browser, that means images won't load +(hopefully that's obvious). + +I am using [[https://lynx.invisible-island.net][Lynx]], a text-based +browser that runs quickly and easily in the terminal. Lynx allows me to +browser most websites by simply typing =g= and then typing in the URL I +want. + +#+caption: Lynx +[[https://img.cleberg.net/blog/20220616-terminal-lifestyle/lynx.png]] + +If you need a search engine while in Lynx, I recommend +[[https://lite.duckduckgo.com/lite/][DuckDuckGo (Lite)]], which allows +you to search the web using their text-only interface. + +#+caption: DuckDuckGo !Lite +[[https://img.cleberg.net/blog/20220616-terminal-lifestyle/ddg.png]] + +Eventually, you will run into websites that don't work (or are just too +ugly and messy) in a text-only mode, and you'll be forced to switch over +to a GUI browser to look at that site. Personally, I don't mind this as +it doesn't happen as often as I thought it would. + +The only time I need to do this is when I want to browse an +image/video-focused webpage or if I need to log in to a site, and it +doesn't support a text-only login page. For example, I am able to easily +log in to [[https://sr.ht][Sourcehut]] in lynx. + +*** Chatting with Friends +:PROPERTIES: +:CUSTOM_ID: chatting-with-friends +:END: +After web browsing activities, my main form of terminal communication is +Matrix. I use the [[https://docs.mau.fi/gomuks/][gomuks]] client +currently. + +This was incredibly easy to install on macOS (but I will need to see if +it'll be just as easy on Linux when my new laptop arrives): + +#+begin_src sh brew install gomuks -``` +#+end_src -Once you launch gomuks, it will sync and require your username and password to -login. After doing so, the only problem I ran into was verifying my gomuks -client so that I could participate in rooms with E2EE. +Once you launch gomuks, it will sync and require your username and +password to login. After doing so, the only problem I ran into was +verifying my gomuks client so that I could participate in rooms with +E2EE. -Finally, I was able to verify the session by opening the Element desktop app (I -assume you can do this in the browser and mobile app too, but I'm not sure) and -manually verifying myself with this process: +Finally, I was able to verify the session by opening the Element desktop +app (I assume you can do this in the browser and mobile app too, but I'm +not sure) and manually verifying myself with this process: 1. Open the Element desktop app 2. Open a room I was a member of -3. Open the `Room Info` pane -4. Open the `People` menu and search for myself +3. Open the =Room Info= pane +4. Open the =People= menu and search for myself 5. Click on my profile name -6. Click on the session link under the `Security` section and follow the -prompts to manually verify the session - -Overall, I like gomuks and am able to enjoy all the features I was using in -Element. The only hiccup I have occurred is manually downloading images to view -them, which can be annoying. - - - -### Email - -Moving email to the terminal has been the hardest of the tasks for me. Unlike -web browsing, where I can simply decide to not look at a website that does not -work in the terminal, I cannot simply ignore emails sent to me. - -Personally, I am experimenting with [neomutt](https://neomutt.org/) as a -potential email client. - -However, this requires a **TON** of configuration and tweaking to get right. -Even when I was able to set up neomutt, configure my email account, and -customize a few personal preferences, a lot of emails still do not display -correctly (mostly due to HTML and images). - -I won't get into the details of configuring `neomutt`; I mostly followed this -blog post: [Email in the Terminal: Configuring -Neomutt](https://gideonwolfe.com/posts/workflow/neomutt/intro/). - -Finally, I have yet to figure out how to connect my GPG keys to `neomutt`, but -that's a problem for another day. - -### RSS Feed Reader - -I have just started using [Newsboat](https://newsboat.org/) to read articles in -my terminal and have found quick success with it. +6. Click on the session link under the =Security= section and follow the + prompts to manually verify the session + +Overall, I like gomuks and am able to enjoy all the features I was using +in Element. The only hiccup I have occurred is manually downloading +images to view them, which can be annoying. + +#+caption: gomuks +[[https://img.cleberg.net/blog/20220616-terminal-lifestyle/gomuks.png]] + +*** Email +:PROPERTIES: +:CUSTOM_ID: email +:END: +Moving email to the terminal has been the hardest of the tasks for me. +Unlike web browsing, where I can simply decide to not look at a website +that does not work in the terminal, I cannot simply ignore emails sent +to me. + +Personally, I am experimenting with [[https://neomutt.org/][neomutt]] as +a potential email client. + +However, this requires a *TON* of configuration and tweaking to get +right. Even when I was able to set up neomutt, configure my email +account, and customize a few personal preferences, a lot of emails still +do not display correctly (mostly due to HTML and images). + +I won't get into the details of configuring =neomutt=; I mostly followed +this blog post: +[[https://gideonwolfe.com/posts/workflow/neomutt/intro/][Email in the +Terminal: Configuring Neomutt]]. + +Finally, I have yet to figure out how to connect my GPG keys to +=neomutt=, but that's a problem for another day. + +*** RSS Feed Reader +:PROPERTIES: +:CUSTOM_ID: rss-feed-reader +:END: +I have just started using [[https://newsboat.org/][Newsboat]] to read +articles in my terminal and have found quick success with it. I'll show you a quick screenshot first: - +#+caption: Newsboat +[[https://img.cleberg.net/blog/20220616-terminal-lifestyle/newsboat.png]] -The configuration was super easy for this app; I simply installed the app, -created a file for URLs, and imported my OPML subscriptions that I had exported -out of my old feed reader: +The configuration was super easy for this app; I simply installed the +app, created a file for URLs, and imported my OPML subscriptions that I +had exported out of my old feed reader: -```sh +#+begin_src sh brew install newsboat -``` +#+end_src -```sh +#+begin_src sh touch ~/.newsboat/urls -``` +#+end_src -```sh +#+begin_src sh newsboat -i=my_subscriptions.opml -``` - -### Writing & Programming +#+end_src -Unfortunately, the weak link in my terminal-based environment right now is my -grasp of the possibilities of editing files within a shell. +*** Writing & Programming +:PROPERTIES: +:CUSTOM_ID: writing-programming +:END: +Unfortunately, the weak link in my terminal-based environment right now +is my grasp of the possibilities of editing files within a shell. -I am used to the easy extensions found in VSCodium and Kate, so I am slowly -learning how to mold the default editing tools to my needs. Currently, this -means I am using `nano` with the following configuration: +I am used to the easy extensions found in VSCodium and Kate, so I am +slowly learning how to mold the default editing tools to my needs. +Currently, this means I am using =nano= with the following +configuration: -```config +#+begin_src config set breaklonglines set autoindent set linenumbers set tabstospaces set tabsize 2 set fill 80 -``` +#+end_src -This configuration allows nano to automatically hard-wrap lines at 80 -characters, autoindent the wrapped lines (if the previous line was indented), -use 2 spaces per tab, and display line numbers within each file I open. +This configuration allows nano to automatically hard-wrap lines at 80 +characters, autoindent the wrapped lines (if the previous line was +indented), use 2 spaces per tab, and display line numbers within each +file I open. -I am currently looking to see if `vim` or `emacs` would be more useful for my -current needs, but I'm not in any rush, so I don't expect to find an answer -anytime soon. +I am currently looking to see if =vim= or =emacs= would be more useful +for my current needs, but I'm not in any rush, so I don't expect to find +an answer anytime soon. -With my current life demands, I am not programming at the moment and have not -explored the best terminal set-up for programming. However, I have seen many -peers find success configuring `vim` and `emacs`, so that's where I will start -when I pick my projects back up. +With my current life demands, I am not programming at the moment and +have not explored the best terminal set-up for programming. However, I +have seen many peers find success configuring =vim= and =emacs=, so +that's where I will start when I pick my projects back up. - +#+caption: nano +[[https://img.cleberg.net/blog/20220616-terminal-lifestyle/nano.png]] diff --git a/blog/2022-06-22-daily-poetry.org b/blog/2022-06-22-daily-poetry.org index 37a9e0b..dd1e249 100644 --- a/blog/2022-06-22-daily-poetry.org +++ b/blog/2022-06-22-daily-poetry.org @@ -1,71 +1,80 @@ -+++ -date = 2022-06-22 -title = "Daily Plaintext Poetry via Email" -description = "A quick tutorial showing how to use Python and the PoetryDB API to email daily poetry." -draft = false -+++ - -## Source Code - -I don't want to bury the lede here, so if you'd like to see the full source -code I use to email myself plaintext poems daily, visit the repository: -[daily-poem](https://git.sr.ht/~cmc/daily-poem/). - -## My Daily Dose of Poetry - -Most of my programming projects are small, random projects that are made +#+title: Daily Plaintext Poetry via Email +#+date: 2022-06-22 + +** Source Code +:PROPERTIES: +:CUSTOM_ID: source-code +:END: +I don't want to bury the lede here, so if you'd like to see the full +source code I use to email myself plaintext poems daily, visit the +repository: [[https://git.sr.ht/~cmc/daily-poem/][daily-poem]]. + +** My Daily Dose of Poetry +:PROPERTIES: +:CUSTOM_ID: my-daily-dose-of-poetry +:END: +Most of my programming projects are small, random projects that are made strictly to fix some small problem I have or enhance my quality of life. -In this case, I was looking for a simply and easy way to get a daily dose of -literature or poetry to read in the mornings. - -However, I don't want to sign up for a random mailing list on just any website. -I also don't want to have to work to find the reading content each morning, as I -know I would simply give up and stop reading daily. +In this case, I was looking for a simply and easy way to get a daily +dose of literature or poetry to read in the mornings. -Thus, I found a way to deliver poetry to myself in plain-text format, on a daily -basis, and scheduled to deliver automatically. +However, I don't want to sign up for a random mailing list on just any +website. I also don't want to have to work to find the reading content +each morning, as I know I would simply give up and stop reading daily. -## Prerequisites +Thus, I found a way to deliver poetry to myself in plain-text format, on +a daily basis, and scheduled to deliver automatically. -This solution uses Python and email, so the following process requires the -following to be installed: +** Prerequisites +:PROPERTIES: +:CUSTOM_ID: prerequisites +:END: +This solution uses Python and email, so the following process requires +the following to be installed: -1. An SMTP server, which can be as easy as installing `mailutils` if you're on -a Debian-based distro. +1. An SMTP server, which can be as easy as installing =mailutils= if + you're on a Debian-based distro. 2. Python (& pip!) -3. The following Python packages: `email`, `smtplib`, `json`, and `requests` - -## Breaking Down the Logic - -I want to break down the logic for this program, as it's quite simple and -informational. - -### Required Packages - -This program starts with a simple import of the required packages, so I wanted -to explain why each package is used: - -```py +3. The following Python packages: =email=, =smtplib=, =json=, and + =requests= + +** Breaking Down the Logic +:PROPERTIES: +:CUSTOM_ID: breaking-down-the-logic +:END: +I want to break down the logic for this program, as it's quite simple +and informational. + +*** Required Packages +:PROPERTIES: +:CUSTOM_ID: required-packages +:END: +This program starts with a simple import of the required packages, so I +wanted to explain why each package is used: + +#+begin_src py from email.mime.text import MIMEText # Required for translating MIMEText import smtplib # Required to process the SMTP mail delivery import json # Required to parse the poetry API results import requests # Required to send out a request to the API -``` - -### Sending the API Request +#+end_src -Next, we need to actually send the API request. In my case, I'm calling a random -poem from the entire API. If you want, you can call specific poems or authors -from this API. +*** Sending the API Request +:PROPERTIES: +:CUSTOM_ID: sending-the-api-request +:END: +Next, we need to actually send the API request. In my case, I'm calling +a random poem from the entire API. If you want, you can call specific +poems or authors from this API. -```py +#+begin_src py json_data = requests.get('https://poetrydb.org/random').json() -``` +#+end_src This gives us the following result in JSON: -```json +#+begin_src json [ { "title": "Sonnet XXII: With Fools and Children", @@ -91,80 +100,95 @@ This gives us the following result in JSON: "linecount": "15" } ] -``` - -### Parsing the API Results - -In order to parse this into a readable format, we need to use the `json` package -and extract the fields we want. In the example below, I am grabbing every field -presented by the API. - -For the actual poem content, we need to loop over each line in the `lines` -variable since each line is a separate string by default. - -> You *could* also extract the title or author and make another call out to the -> API to avoid having to build the plaintext poem with a loop, but it just -> doesn't make sense to me to send multiple requests when we can create a simple -> loop on our local machine to work with the data we already have. -> -> For -> [example](https://poetrydb.org/title/Sonnet%20XXII:%20With%20Fools%20and%20Children/lines.text), -> look at the raw data response of this link to see the poem's lines returned -> in plaintext. - -```py +#+end_src + +*** Parsing the API Results +:PROPERTIES: +:CUSTOM_ID: parsing-the-api-results +:END: +In order to parse this into a readable format, we need to use the =json= +package and extract the fields we want. In the example below, I am +grabbing every field presented by the API. + +For the actual poem content, we need to loop over each line in the +=lines= variable since each line is a separate string by default. + +#+begin_quote +You /could/ also extract the title or author and make another call out +to the API to avoid having to build the plaintext poem with a loop, but +it just doesn't make sense to me to send multiple requests when we can +create a simple loop on our local machine to work with the data we +already have. + +For +[[https://poetrydb.org/title/Sonnet%20XXII:%20With%20Fools%20and%20Children/lines.text][example]], +look at the raw data response of this link to see the poem's lines +returned in plaintext. + +#+end_quote + +#+begin_src py title = json_data[0]['title'] author = json_data[0]['author'] line_count = json_data[0]['linecount'] lines = '' for line in json_data[0]['lines']: lines = lines + line + "\n" -``` - -### Composing the Email +#+end_src -Now that I have all the data I need, I just need to compose it into a message -and prepare the message metadata. +*** Composing the Email +:PROPERTIES: +:CUSTOM_ID: composing-the-email +:END: +Now that I have all the data I need, I just need to compose it into a +message and prepare the message metadata. -For my daily email, I want to see the title of the poem first, followed by the -author, then a blank line, and finally the full poem. This code snippet combines -that data and packages it into a MIMEText container, ready to be emailed. +For my daily email, I want to see the title of the poem first, followed +by the author, then a blank line, and finally the full poem. This code +snippet combines that data and packages it into a MIMEText container, +ready to be emailed. -```py +#+begin_src py msg_body = title + "\n" + author + "\n\n" + lines msg = MIMEText(msg_body) -``` +#+end_src -Before we send the email, we need to prepare the metadata (subject, from, to, -etc.): +Before we send the email, we need to prepare the metadata (subject, +from, to, etc.): -```py +#+begin_src py sender_email = 'example@server.local' recipient_emails = ['user@example.com'] msg['Subject'] = 'Your Daily Poem (' + line_count + ' lines)' msg['From'] = sender_email msg['To'] = recipient_email -``` - -### Sending the Email - -Now that I have everything ready to be emailed, the last step is to simply -connect to an SMTP server and send the email out to the recipients. In my case, -I installed `mailutils` on Ubuntu and let my SMTP server be `localhost`. - -```py +#+end_src + +*** Sending the Email +:PROPERTIES: +:CUSTOM_ID: sending-the-email +:END: +Now that I have everything ready to be emailed, the last step is to +simply connect to an SMTP server and send the email out to the +recipients. In my case, I installed =mailutils= on Ubuntu and let my +SMTP server be =localhost=. + +#+begin_src py smtp_server = 'localhost' s = smtplib.SMTP(smtp_server) s.sendmail(sender_email, recipient_emails, msg.as_string()) s.quit() -``` +#+end_src -## The Result! +** The Result! +:PROPERTIES: +:CUSTOM_ID: the-result +:END: +Instead of including a screenshot, I've copied the contents of the email +that was delivered to my inbox below since I set this process up in +plaintext format. -Instead of including a screenshot, I've copied the contents of the email that -was delivered to my inbox below since I set this process up in plaintext format. - -```txt +#+begin_src txt Date: Wed, 22 Jun 2022 14:37:19 +0000 (UTC) From: REDACTED To: REDACTED @@ -190,24 +214,26 @@ You that behold us, laugh us not to scorn; Give Nature thanks you are not such as we. Yet fools and children sometimes tell in play Some, wise in show, more fools indeed than they. -``` - -## Scheduling the Daily Email +#+end_src -Last, but not least, is scheduling this Python script with `crontab`. To -schedule a script to run daily, you can add it to the `crontab` file. To do -this, open `crontab` in editing mode: +** Scheduling the Daily Email +:PROPERTIES: +:CUSTOM_ID: scheduling-the-daily-email +:END: +Last, but not least, is scheduling this Python script with =crontab=. To +schedule a script to run daily, you can add it to the =crontab= file. To +do this, open =crontab= in editing mode: -```sh +#+begin_src sh crontab -e -``` +#+end_src -In the file, simply paste the following snippet at the bottom of the file and -ensure that the file path is correctly pointing to wherever you saved your -Python script: +In the file, simply paste the following snippet at the bottom of the +file and ensure that the file path is correctly pointing to wherever you +saved your Python script: -```config +#+begin_src config 0 8 * * * python3 /home/<your_user>/dailypoem/main.py -``` +#+end_src We have now set up the script and scheduled it to run daily at 08:00! diff --git a/blog/2022-06-24-fedora-i3.org b/blog/2022-06-24-fedora-i3.org index 7bc7719..af02902 100644 --- a/blog/2022-06-24-fedora-i3.org +++ b/blog/2022-06-24-fedora-i3.org @@ -1,78 +1,86 @@ -+++ -date = 2022-06-24 -title = "Rebooting My Love Affair with Linux" -description = "A quick recap on my migration from macOS to Fedora i3." -draft = false -+++ - -## Leaving macOS - -As I noted [in a recent post](/blog/foss-macos-apps), I have been planning on -migrating from macOS back to a Linux-based OS. I am happy to say that I have -finally completed my migration and am now stuck in the wonderful world of Linux -again. - -My decision to leave macOS really came down to just a few important things: - -- Apple Security (Gatekeeper) restricting me from running any software I want. -Even if you disable Gatekeeper and allow software to bypass the rest of the -device installation security, you still have to repeat that process every time -the allowed software is updated. -- macOS sends out nearly constant connections, pings, telemetry, etc. to a -myriad of mysterious Apple services. I'm not even going to dive into how many -macOS apps have constant telemetry on, as well. -- Lastly, I just *really* missed the customization and freedom that comes with -Linux. Being able to switch to entirely new kernel, OS, or desktop within -minutes is a freedom I took for granted when I switched to macOS. - -Now that I've covered macOS, I'm going to move on to more exciting topics: my -personal choice of OS, DE, and various customizations I'm using. - -## Fedora - -After trying a ton of distros (I think I booted and tested around 20-25 -distros), I finally landed on [Fedora Linux](https://getfedora.org/). I have -quite a bit of experience with Fedora and enjoy the `dnf` package manager. -Fedora allows me to keep up-to-date with recent software (I'm looking at you, -Debian), but still provides a level of stability you don't find in every distro. - -In a very close second place was Arch Linux, as well as its spin-off: Garuda -Linux (Garuda w/ sway is *beautiful*). Arch is great for compatibility and the -massive community it has, but I have just never had the time to properly sit -down and learn the methodology behind their packaging systems. - -Basically, everything else I tested was unacceptable in at least one way or -another. -Void (`glibc`) was great, but doesn't support all the software I need. -Slackware worked well as a tui, but I wasn't skilled enough to get a tiling -window manager (WM) working on it. - -### i3 - -One of the reasons I settled on Fedora is that it comes with an official i3 -spin. Being able to use a tiling WM, such as i3 or sway, is one of the biggest -things I wanted to do as soon as I adopted Linux again. - -I will probably set up a dotfile repository soon, so that I don't lose any -of my configurations, but nothing big has been configured thus far. - -The two main things I have updated in i3wm are natural scrolling and binding my -brightness keys to the `brightnessctl` program. - -#### Natural Scrolling - +#+title: Rebooting My Love Affair with Linux +#+date: 2022-06-24 + +** Leaving macOS +:PROPERTIES: +:CUSTOM_ID: leaving-macos +:END: +As I noted [[/blog/foss-macos-apps][in a recent post]], I have been +planning on migrating from macOS back to a Linux-based OS. I am happy to +say that I have finally completed my migration and am now stuck in the +wonderful world of Linux again. + +My decision to leave macOS really came down to just a few important +things: + +- Apple Security (Gatekeeper) restricting me from running any software I + want. Even if you disable Gatekeeper and allow software to bypass the + rest of the device installation security, you still have to repeat + that process every time the allowed software is updated. +- macOS sends out nearly constant connections, pings, telemetry, etc. to + a myriad of mysterious Apple services. I'm not even going to dive into + how many macOS apps have constant telemetry on, as well. +- Lastly, I just /really/ missed the customization and freedom that + comes with Linux. Being able to switch to entirely new kernel, OS, or + desktop within minutes is a freedom I took for granted when I switched + to macOS. + +Now that I've covered macOS, I'm going to move on to more exciting +topics: my personal choice of OS, DE, and various customizations I'm +using. + +** Fedora +:PROPERTIES: +:CUSTOM_ID: fedora +:END: +After trying a ton of distros (I think I booted and tested around 20-25 +distros), I finally landed on [[https://getfedora.org/][Fedora Linux]]. +I have quite a bit of experience with Fedora and enjoy the =dnf= package +manager. Fedora allows me to keep up-to-date with recent software (I'm +looking at you, Debian), but still provides a level of stability you +don't find in every distro. + +In a very close second place was Arch Linux, as well as its spin-off: +Garuda Linux (Garuda w/ sway is /beautiful/). Arch is great for +compatibility and the massive community it has, but I have just never +had the time to properly sit down and learn the methodology behind their +packaging systems. + +Basically, everything else I tested was unacceptable in at least one way +or another. Void (=glibc=) was great, but doesn't support all the +software I need. Slackware worked well as a tui, but I wasn't skilled +enough to get a tiling window manager (WM) working on it. + +*** i3 +:PROPERTIES: +:CUSTOM_ID: i3 +:END: +One of the reasons I settled on Fedora is that it comes with an official +i3 spin. Being able to use a tiling WM, such as i3 or sway, is one of +the biggest things I wanted to do as soon as I adopted Linux again. + +I will probably set up a dotfile repository soon, so that I don't lose +any of my configurations, but nothing big has been configured thus far. + +The two main things I have updated in i3wm are natural scrolling and +binding my brightness keys to the =brightnessctl= program. + +**** Natural Scrolling +:PROPERTIES: +:CUSTOM_ID: natural-scrolling +:END: You can enable natural scrolling by opening the following file: -```sh +#+begin_src sh sudo nano /usr/share/X11/xorg.conf.d/40-libinput.conf -``` +#+end_src -Within the `40-libinput.conf` file, find the following input sections and enable -the natural scrolling option. +Within the =40-libinput.conf= file, find the following input sections +and enable the natural scrolling option. -This is the `pointer` section: +This is the =pointer= section: -```conf +#+begin_src conf Section "InputClass" Identifier "libinput pointer catchall" MatchIsPointer "on" @@ -80,11 +88,11 @@ Section "InputClass" Driver "libinput" Option "NaturalScrolling" "True" EndSection -``` +#+end_src -This is the `touchpad` section: +This is the =touchpad= section: -```conf +#+begin_src conf Section "InputClass" Identifier "libinput touchpad catchall" MatchIsTouchpad "on" @@ -92,44 +100,53 @@ Section "InputClass" Driver "libinput" Option "NaturalScrolling" "True" EndSection -``` +#+end_src -#### Enabling Brightness Keys - -Likewise, enabling brightness key functionality is as simple as binding the keys -to the `brightnessctl` program. +**** Enabling Brightness Keys +:PROPERTIES: +:CUSTOM_ID: enabling-brightness-keys +:END: +Likewise, enabling brightness key functionality is as simple as binding +the keys to the =brightnessctl= program. To do this, open up your i3 config file. Mine is located here: -```sh +#+begin_src sh nano /home/<my-user>/.config/i3/config -``` +#+end_src -```conf +#+begin_src conf # Use brightnessctl to adjust brightness. bindsym XF86MonBrightnessDown exec --no-startup-id brightnessctl --min-val=2 -q set 3%- bindsym XF86MonBrightnessUp exec --no-startup-id brightnessctl -q set 3%+ -``` - -#### `polybar` - -Instead of using the default `i3status` bar, I have opted to use `polybar` -instead (as you can also see in the screenshot above). - -My config for this menu bar is basically just the default settings with modified -colors and an added battery block to quickly show me the machine's battery info. - -#### `alacritty` - -Not much to say on this part yet, as I haven't configured it much, but I -installed `alacritty` as my default terminal, and I am using `zsh` and the -shell. - -## Software Choices - -Again, I'm not going to say much that I haven't said yet in other blog -posts, so I'll just do a quick rundown of the apps I installed immediately after -I set up the environment. +#+end_src + +**** =polybar= +:PROPERTIES: +:CUSTOM_ID: polybar +:END: +Instead of using the default =i3status= bar, I have opted to use +=polybar= instead (as you can also see in the screenshot above). + +My config for this menu bar is basically just the default settings with +modified colors and an added battery block to quickly show me the +machine's battery info. + +**** =alacritty= +:PROPERTIES: +:CUSTOM_ID: alacritty +:END: +Not much to say on this part yet, as I haven't configured it much, but I +installed =alacritty= as my default terminal, and I am using =zsh= and +the shell. + +** Software Choices +:PROPERTIES: +:CUSTOM_ID: software-choices +:END: +Again, I'm not going to say much that I haven't said yet in other blog +posts, so I'll just do a quick rundown of the apps I installed +immediately after I set up the environment. Flatpak Apps: diff --git a/blog/2022-07-01-git-server.org b/blog/2022-07-01-git-server.org index ae08905..049603e 100644 --- a/blog/2022-07-01-git-server.org +++ b/blog/2022-07-01-git-server.org @@ -1,244 +1,271 @@ -+++ -date = 2022-07-01 -title = "Self-Hosting a Personal Git Server" -description = "My retrospective on successfully setting up a personal git server at home." -+++ +#+title: Self-Hosting a Personal Git Server +#+date: 2022-07-01 -## My Approach to Self-Hosting Git +** My Approach to Self-Hosting Git +:PROPERTIES: +:CUSTOM_ID: my-approach-to-self-hosting-git +:END: +I have often tried to self-host my Git repositories, but have always +fallen short when I tried to find a suitable web interface to show on +the front-end. -I have often tried to self-host my Git repositories, but have always fallen -short when I tried to find a suitable web interface to show on the front-end. +After a few years, I have finally found a combination of methods that +allow me to easily self-host my projects, view them on the web, and +access them from anywhere. -After a few years, I have finally found a combination of methods that allow me -to easily self-host my projects, view them on the web, and access them from -anywhere. +Before I dive into the details, I want to state a high-level summary of +my self-hosted Git approach: -Before I dive into the details, I want to state a high-level summary of my -self-hosted Git approach: - -- This method uses the `ssh://` (read & write) and `git://` (read-only) +- This method uses the =ssh://= (read & write) and =git://= (read-only) protocols for push and pull access. - - For the `git://` protocol, I create a `git-daemon-export-ok` file in any - repository that I want to be cloneable by anyone. - - The web interface I am using (`cgit`) allows simple HTTP cloning by - default. - I do not disable this setting as I want beginners to be able to - clone one of my repositories even if they don't know the proper method. -- I am not enabling Smart HTTPS for any repositories. Updates to repositories - must be pushed via SSH. -- Beyond the actual repository management, I am using `cgit` for the front-end - web interface. - - If you use the `scan-path=<path>` configuration in the `cgitrc` - configuration file to automatically find repositories, you can't exclude a - repository from `cgit` if it's stored within the path that `cgit` reads. To - host private repositories, you'd need to set up another directory that `cgit` - can't read. - -## Assumptions - + - For the =git://= protocol, I create a =git-daemon-export-ok= file in + any repository that I want to be cloneable by anyone. + - The web interface I am using (=cgit=) allows simple HTTP cloning by + default. I do not disable this setting as I want beginners to be + able to clone one of my repositories even if they don't know the + proper method. +- I am not enabling Smart HTTPS for any repositories. Updates to + repositories must be pushed via SSH. +- Beyond the actual repository management, I am using =cgit= for the + front-end web interface. + - If you use the =scan-path=<path>= configuration in the =cgitrc= + configuration file to automatically find repositories, you can't + exclude a repository from =cgit= if it's stored within the path that + =cgit= reads. To host private repositories, you'd need to set up + another directory that =cgit= can't read. + +** Assumptions +:PROPERTIES: +:CUSTOM_ID: assumptions +:END: For the purposes of this walkthrough, I am assuming you have a URL -(`git.example.com`) or IP address (`207.84.26.991`) addressed to the server that -you will be using to host your git repositories. - -## Adding a Git User - -In order to use the SSH method associated with git, we will need to add a -user named `git`. If you have used the SSH method for other git hosting sites, -you are probably used to the following syntax: - -```sh +(=git.example.com=) or IP address (=207.84.26.991=) addressed to the +server that you will be using to host your git repositories. + +** Adding a Git User +:PROPERTIES: +:CUSTOM_ID: adding-a-git-user +:END: +In order to use the SSH method associated with git, we will need to add +a user named =git=. If you have used the SSH method for other git +hosting sites, you are probably used to the following syntax: + +#+begin_src sh git clone [user@]server:project.git -``` +#+end_src -The syntax above is an `scp`-like syntax for using SSH on the `git` user on the -server to access your repository. +The syntax above is an =scp=-like syntax for using SSH on the =git= user +on the server to access your repository. -Let's delete any remnants of an old `git` user, if any, and create the new user -account: +Let's delete any remnants of an old =git= user, if any, and create the +new user account: -```sh +#+begin_src sh sudo deluser --remove-home git sudo adduser git -``` +#+end_src -### Import Your SSH Keys to the Git User - -Once the `git` user is created, you will need to copy your public SSH key on -your local development machine to the `git` user on the server. +*** Import Your SSH Keys to the Git User +:PROPERTIES: +:CUSTOM_ID: import-your-ssh-keys-to-the-git-user +:END: +Once the =git= user is created, you will need to copy your public SSH +key on your local development machine to the =git= user on the server. If you don't have an SSH key yet, create one with this command: -```sh +#+begin_src sh ssh-keygen -``` +#+end_src -Once you create the key pair, the public should be saved to `~/.ssh/id_rsa.pub`. +Once you create the key pair, the public should be saved to +=~/.ssh/id_rsa.pub=. -If your server still has password-based authentication available, you can copy -it over to your user's home directory like this: +If your server still has password-based authentication available, you +can copy it over to your user's home directory like this: -```sh +#+begin_src sh ssh-copy-id git@server -``` +#+end_src Otherwise, copy it over to any user that you can access. -```sh +#+begin_src sh scp ~/.ssh/id_rsa.pub your_user@your_server: -``` +#+end_src -Once on the server, you will need to copy the contents into the `git` user's -`authorized_keys` file: +Once on the server, you will need to copy the contents into the =git= +user's =authorized_keys= file: -```sh +#+begin_src sh cat id_rsa.pub > /home/git/.ssh/authorized_keys -``` - -### (Optional) Disable Password-Based SSH +#+end_src -If you want to lock down your server and ensure that no one can authenticate in -via SSH with a password, you will need to edit your SSH configuration. +*** (Optional) Disable Password-Based SSH +:PROPERTIES: +:CUSTOM_ID: optional-disable-password-based-ssh +:END: +If you want to lock down your server and ensure that no one can +authenticate in via SSH with a password, you will need to edit your SSH +configuration. -```sh +#+begin_src sh sudo nano /etc/ssh/sshd_config -``` +#+end_src -Within this file, find the following settings and set them to the values I am -showing below: +Within this file, find the following settings and set them to the values +I am showing below: -```conf +#+begin_src conf PermitRootLogin no PasswordAuthentication no AuthenticationMethods publickey -``` +#+end_src -You may have other Authentication Methods required in your personal set-up, so -the key here is just to ensure that `AuthenticationMethods` does not allow -passwords. +You may have other Authentication Methods required in your personal +set-up, so the key here is just to ensure that =AuthenticationMethods= +does not allow passwords. -## Setting up the Base Directory +** Setting up the Base Directory +:PROPERTIES: +:CUSTOM_ID: setting-up-the-base-directory +:END: +Now that we have set up a =git= user to handle all transport methods, we +need to set up the directory that we will be using as our base of all +repositories. -Now that we have set up a `git` user to handle all transport methods, we need -to set up the directory that we will be using as our base of all repositories. +In my case, I am using =/git= as my source folder. To create this folder +and assign it to the user we created, execute the following commands: -In my case, I am using `/git` as my source folder. To create this folder and -assign it to the user we created, execute the following commands: - -```sh +#+begin_src sh sudo mkdir /git sudo chown -R git:git /git -``` - -## Creating a Test Repository +#+end_src -On your server, switch over to the `git` user in order to start managing git -files. +** Creating a Test Repository +:PROPERTIES: +:CUSTOM_ID: creating-a-test-repository +:END: +On your server, switch over to the =git= user in order to start managing +git files. -```sh +#+begin_src sh su git -``` +#+end_src -Once logged-in as the `git` user, go to your base directory and create a test -repository. +Once logged-in as the =git= user, go to your base directory and create a +test repository. -```sh +#+begin_src sh cd /git mkdir test.git && cd test.git git init --bare -``` +#+end_src -If you want to make this repo viewable/cloneable to the public via the `git://` -protocol, you need to create a `git-daemon-export-ok` file inside the -repository. +If you want to make this repo viewable/cloneable to the public via the +=git://= protocol, you need to create a =git-daemon-export-ok= file +inside the repository. -```sh +#+begin_src sh touch git-daemon-export-ok -``` +#+end_src -## Change the Login Shell for `git` +** Change the Login Shell for =git= +:PROPERTIES: +:CUSTOM_ID: change-the-login-shell-for-git +:END: +To make sure that the =git= user is only used for git operations and +nothing else, you need to change the user's login shell. To do this, +simply use the =chsh= command: -To make sure that the `git` user is only used for git operations and nothing -else, you need to change the user's login shell. To do this, simply use the -`chsh` command: - -```sh +#+begin_src sh sudo chsh git -``` +#+end_src -The interactive prompt will ask which shell you want the `git` user to use. You -must use the following value: +The interactive prompt will ask which shell you want the =git= user to +use. You must use the following value: -```sh +#+begin_src sh /usr/bin/git-shell -``` - -Once done, no one will be able to SSH to the `git` user or execute commands -other than the standard git commands. +#+end_src -## Opening the Firewall +Once done, no one will be able to SSH to the =git= user or execute +commands other than the standard git commands. -Don't forget to open up ports on the device firewall and network firewall if -you want to access these repositories publicly. If you're using default ports, -forward ports `22` (ssh) and `9418` (git) from your router to your server's IP -address. +** Opening the Firewall +:PROPERTIES: +:CUSTOM_ID: opening-the-firewall +:END: +Don't forget to open up ports on the device firewall and network +firewall if you want to access these repositories publicly. If you're +using default ports, forward ports =22= (ssh) and =9418= (git) from your +router to your server's IP address. -If your server also has a firewall, ensure that the firewall allows the same -ports that are forwarded from the router. For example, if you use `ufw`: +If your server also has a firewall, ensure that the firewall allows the +same ports that are forwarded from the router. For example, if you use +=ufw=: -```sh +#+begin_src sh sudo ufw allow 22 sudo ufw allow 9418 -``` - -### Non-Standard SSH Ports +#+end_src -If you use a non-standard port for SSH, such as `9876`, you will need to create -an SSH configuration file on your local development machine in order to connect -to your server's git repositories. +*** Non-Standard SSH Ports +:PROPERTIES: +:CUSTOM_ID: non-standard-ssh-ports +:END: +If you use a non-standard port for SSH, such as =9876=, you will need to +create an SSH configuration file on your local development machine in +order to connect to your server's git repositories. -To do this, you'll need to define your custom port on your client machine in -your `~/.ssh/config` file: +To do this, you'll need to define your custom port on your client +machine in your =~/.ssh/config= file: -```sh +#+begin_src sh nano ~/.ssh/config -``` +#+end_src -```conf +#+begin_src conf Host git.example.com # HostName can be a URL or an IP address HostName git.example.com Port 9876 User git -``` - -### Testing SSH +#+end_src +*** Testing SSH +:PROPERTIES: +:CUSTOM_ID: testing-ssh +:END: There are two main syntaxes you can use to manage git over SSH: -- `git clone [user@]server:project.git` -- `git clone ssh://[user@]server/project.git` +- =git clone [user@]server:project.git= +- =git clone ssh://[user@]server/project.git= -I prefer the first, which is an `scp`-like syntax. To test it, try to clone the -test repository you set up on the server: +I prefer the first, which is an =scp=-like syntax. To test it, try to +clone the test repository you set up on the server: -```sh +#+begin_src sh git clone git@git.example.com:/git/test.git -``` - -## Enabling Read-Only Access +#+end_src -If you want people to be able to clone any repository where you've placed a -`git-daemon-export-ok` file, you will need to start the git daemon. +** Enabling Read-Only Access +:PROPERTIES: +:CUSTOM_ID: enabling-read-only-access +:END: +If you want people to be able to clone any repository where you've +placed a =git-daemon-export-ok= file, you will need to start the git +daemon. -To do this on a system with `systemd`, create a service file: +To do this on a system with =systemd=, create a service file: -```sh +#+begin_src sh sudo nano /etc/systemd/system/git-daemon.service -``` +#+end_src -Inside the `git-daemon.service` file, paste the following: +Inside the =git-daemon.service= file, paste the following: -```conf +#+begin_src conf [Unit] Description=Start Git Daemon @@ -257,72 +284,79 @@ Group=git [Install] WantedBy=multi-user.target -``` +#+end_src Once created, enable and start the service: -```sh +#+begin_src sh sudo systemctl enable git-daemon.service sudo systemctl start git-daemon.service -``` +#+end_src -To clone read-only via the `git://` protocol, you can use the following syntax: +To clone read-only via the =git://= protocol, you can use the following +syntax: -```sh +#+begin_src sh git clone git://git.example.com/test.git -``` - -## Migrating Repositories +#+end_src +** Migrating Repositories +:PROPERTIES: +:CUSTOM_ID: migrating-repositories +:END: At this point, we have a working git server that works with both SSH and read-only access. -For each of the repositories I had hosted a different provider, I executed the -following commands in order to place a copy on my server as my new source of -truth: +For each of the repositories I had hosted a different provider, I +executed the following commands in order to place a copy on my server as +my new source of truth: Server: -```sh +#+begin_src sh su git mkdir /git/<REPOSITORY_NAME>.git && cd /git/<REPOSITORY_NAME>.git git init --bare # If you want to make this repo viewable/cloneable to the public touch git-daemon-export-ok -``` +#+end_src Client: -```sh +#+begin_src sh git clone git@<PREVIOUS_HOST>:<REPOSITORY_NAME> git remote set-url origin git@git.EXAMPLE.COM:/git/<REPOSITORY_NAME>.git git push -``` - -## Optional Web View: `cgit` - -If you want a web viewer for your repositories, you can use various tools, such -as `gitweb`, `cgit`, or `klaus`. I chose `cgit` due to its simple interface and -fairly easy set-up (compared to others). Not to mention that the -[Linux kernel uses `cgit`](https://git.kernel.org/). - -### Docker Compose - -Instead of using my previous method of using a `docker run` command, I've -updated this section to use `docker-compose` instead for an easier installation -and simpler management and configuration. - -In order to use Docker Compose, you will set up a `docker-compose.yml` file to -automatically connect resources like the repositories, `cgitrc`, and various -files or folders to the `cgit` container you're creating: - -```sh +#+end_src + +** Optional Web View: =cgit= +:PROPERTIES: +:CUSTOM_ID: optional-web-view-cgit +:END: +If you want a web viewer for your repositories, you can use various +tools, such as =gitweb=, =cgit=, or =klaus=. I chose =cgit= due to its +simple interface and fairly easy set-up (compared to others). Not to +mention that the [[https://git.kernel.org/][Linux kernel uses =cgit=]]. + +*** Docker Compose +:PROPERTIES: +:CUSTOM_ID: docker-compose +:END: +Instead of using my previous method of using a =docker run= command, +I've updated this section to use =docker-compose= instead for an easier +installation and simpler management and configuration. + +In order to use Docker Compose, you will set up a =docker-compose.yml= +file to automatically connect resources like the repositories, =cgitrc=, +and various files or folders to the =cgit= container you're creating: + +#+begin_src sh mkdir ~/cgit && cd ~/cgit nano docker-compose.yml -``` +#+end_src -```conf +#+begin_src conf # docker-compose.yml version: '3' @@ -338,39 +372,41 @@ services: ports: - "8763:80" restart: always -``` +#+end_src Then, just start the container: -```sh +#+begin_src sh sudo docker-compose up -d -``` - -Once it's finished installing, you can access the site at `<SERVER_IP>:8763` or -use a reverse-proxy service to forward `cgit` to a URL, such as -`git.example.com`. See the next section for more details on reverse proxying a -URL to a local port. - -### Nginx Reverse Proxy - -I am using Nginx as my reverse proxy so that the `cgit` Docker container can use -`git.example.com` as its URL. To do so, I simply created the following -configuration file: - -```sh +#+end_src + +Once it's finished installing, you can access the site at +=<SERVER_IP>:8763= or use a reverse-proxy service to forward =cgit= to a +URL, such as =git.example.com=. See the next section for more details on +reverse proxying a URL to a local port. + +*** Nginx Reverse Proxy +:PROPERTIES: +:CUSTOM_ID: nginx-reverse-proxy +:END: +I am using Nginx as my reverse proxy so that the =cgit= Docker container +can use =git.example.com= as its URL. To do so, I simply created the +following configuration file: + +#+begin_src sh sudo nano /etc/nginx/sites-available/git.example.com -``` +#+end_src -```conf +#+begin_src conf server { listen 80; - server_name git.example.com; + server_name git.example.com; - if ($host = git.example.com) { - return 301 https://$host$request_uri; - } + if ($host = git.example.com) { + return 301 https://$host$request_uri; + } - return 404; + return 404; } server { @@ -379,7 +415,7 @@ server { location / { # The final `/` is important. - proxy_pass http://localhost:8763/; + proxy_pass http://localhost:8763/; add_header X-Frame-Options SAMEORIGIN; add_header X-XSS-Protection "1; mode=block"; proxy_redirect off; @@ -395,64 +431,71 @@ server { include /etc/letsencrypt/options-ssl-nginx.conf; ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; } - -``` +#+end_src Once created, symlink it and restart the web server. -```sh +#+begin_src sh sudo ln -s /etc/nginx/sites-available/git.example.com /etc/nginx/sites-enabled/ sudo systemctl restart nginx.service -``` - -As we can see below, my site at `git.example.com` is available and running: +#+end_src -### Settings Up Git Details +As we can see below, my site at =git.example.com= is available and +running: -Once you have `cgit` running, you can add some small details, such as repository -owners and descriptions by editing the following files within each repository. +*** Settings Up Git Details +:PROPERTIES: +:CUSTOM_ID: settings-up-git-details +:END: +Once you have =cgit= running, you can add some small details, such as +repository owners and descriptions by editing the following files within +each repository. -Alternatively, you can use the `cgitrc` file to edit these details if you only -care to edit them for the purpose of seeing them on your website. +Alternatively, you can use the =cgitrc= file to edit these details if +you only care to edit them for the purpose of seeing them on your +website. -The `description` file within the repository on your server will display the -description online. +The =description= file within the repository on your server will display +the description online. -```sh +#+begin_src sh cd /git/example.git nano description -``` +#+end_src -You can add a `[gitweb]` block to the `config` file in order to display the -owner of the repository. +You can add a =[gitweb]= block to the =config= file in order to display +the owner of the repository. -```sh +#+begin_src sh cd /git/example.git nano config -``` +#+end_src -```conf +#+begin_src conf [gitweb] - owner = "YourName" -``` + owner = "YourName" +#+end_src -Note that you can ignore the configuration within each repository and simply set -up this information in the `cgitrc` file, if you want to do it that way. +Note that you can ignore the configuration within each repository and +simply set up this information in the =cgitrc= file, if you want to do +it that way. -### Editing `cgit` +*** Editing =cgit= +:PROPERTIES: +:CUSTOM_ID: editing-cgit +:END: +In order to edit certain items within =cgit=, you need to edit the +=cgitrc= file. -In order to edit certain items within `cgit`, you need to edit the `cgitrc` -file. - -```sh +#+begin_src sh nano ~/cgit/cgitrc -``` +#+end_src -Below is an example configuration for `cgitrc`. -You can find all the configuration options within the [configuration manual] +Below is an example configuration for =cgitrc=. You can find all the +configuration options within the [configuration manual] (https://git.zx2c4.com/cgit/plain/cgitrc.5.txt). -```conf +#+begin_src conf css=/cgit.css logo=/logo.png favicon=/favicon.png @@ -524,103 +567,112 @@ repo.path=/git/test.git repo.readme=:README.md repo.owner=John Doe repo.desc=An example repository! -``` - -### Final Fixes: Syntax Highlighting & README Rendering +#+end_src -After completing my initial install and playing around with it for a few days, I -noticed two issues: +*** Final Fixes: Syntax Highlighting & README Rendering +:PROPERTIES: +:CUSTOM_ID: final-fixes-syntax-highlighting-readme-rendering +:END: +After completing my initial install and playing around with it for a few +days, I noticed two issues: -1. Syntax highlighting did not work when viewing the source code within a file. -2. The `about` tab within a repository was not rendered to HTML. +1. Syntax highlighting did not work when viewing the source code within + a file. +2. The =about= tab within a repository was not rendered to HTML. -The following process fixes these issues. -To start, let's go to the `cgit` directory where we were editing our -configuration file earlier. +The following process fixes these issues. To start, let's go to the +=cgit= directory where we were editing our configuration file earlier. -```sh +#+begin_src sh cd ~/cgit -``` +#+end_src In here, create two folders that will hold our syntax files: -```sh +#+begin_src sh mkdir filters && mkdir filters/html-converters && cd filters -``` +#+end_src Next, download the default filters: -```sh +#+begin_src sh curl https://git.zx2c4.com/cgit/plain/filters/about-formatting.sh > about-formatting.sh chmod 755 about-formatting.sh curl https://git.zx2c4.com/cgit/plain/filters/syntax-highlighting.py > syntax-highlighting.py chmod 755 syntax-highlighting.py -``` +#+end_src -Finally, download the HTML conversion files you need. -The example below downloads the Markdown converter: +Finally, download the HTML conversion files you need. The example below +downloads the Markdown converter: -```sh +#+begin_src sh cd html-converters curl https://git.zx2c4.com/cgit/plain/filters/html-converters/md2html > md2html chmod 755 md2html -``` +#+end_src -If you need other filters or html-converters found within [the cgit project -files](https://git.zx2c4.com/cgit/tree/filters), repeat the `curl` and `chmod` -process above for whichever files you need. +If you need other filters or html-converters found within +[[https://git.zx2c4.com/cgit/tree/filters][the cgit project files]], +repeat the =curl= and =chmod= process above for whichever files you +need. -However, formatting will not work quite yet since the Docker cgit container -we're using doesn't have the formatting package installed. You can install this -easily by install Python 3+ and the `pygments` package: +However, formatting will not work quite yet since the Docker cgit +container we're using doesn't have the formatting package installed. You +can install this easily by install Python 3+ and the =pygments= package: -```sh +#+begin_src sh # Enter the container's command line sudo docker exec -it cgit bash -``` +#+end_src -```sh +#+begin_src sh # Install the necessary packages and then exit yum update -y && \ yum upgrade -y && \ yum install python3 python3-pip -y && \ pip3 install markdown pygments && \ exit -``` +#+end_src -**You will need to enter the cgit docker container and re-run these `yum` -commands every time you kill and restart the container!** +*You will need to enter the cgit docker container and re-run these =yum= +commands every time you kill and restart the container!* -If not done already, we need to add the following variables to our -`cgitrc` file in order for `cgit` to know where our filtering files are: +If not done already, we need to add the following variables to our +=cgitrc= file in order for =cgit= to know where our filtering files are: -```conf +#+begin_src conf # Highlight source code with python pygments-based highlighter source-filter=/var/www/htdocs/cgit/filters/syntax-highlighting.py # Format markdown, restructuredtext, manpages, text files, and html files # through the right converters about-filter=/var/www/htdocs/cgit/filters/about-formatting.sh -``` - -Now you should see that syntax highlighting and README rendering to the `about` -tab is fixed. - -### Theming - -I won't go into much detail in this section, but you can fully theme your -installation of `cgit` since you have access to the `cgit.css` file in your web -root. This is another file you can add as a volume to the `docker-compose.yml` -file if you want to edit this without entering the container's command line. - -## :warning: Remember to Back Up Your Data! - -The last thing to note is that running services on your own equipment means that -you're assuming a level of risk that exists regarding data loss, catastrophes, -etc. In order to reduce the impact of any such occurrence, I suggest backing up -your data regularly. - -Backups can be automated via `cron`, by hooking your base directory up to a -cloud provider, or even setting up hooks to push all repository info to git -mirrors on other git hosts. Whatever the method, make sure that your data -doesn't vanish in the event that your drives or servers fail. +#+end_src + +Now you should see that syntax highlighting and README rendering to the +=about= tab is fixed. + +*** Theming +:PROPERTIES: +:CUSTOM_ID: theming +:END: +I won't go into much detail in this section, but you can fully theme +your installation of =cgit= since you have access to the =cgit.css= file +in your web root. This is another file you can add as a volume to the +=docker-compose.yml= file if you want to edit this without entering the +container's command line. + +** :warning: Remember to Back Up Your Data! +:PROPERTIES: +:CUSTOM_ID: warning-remember-to-back-up-your-data +:END: +The last thing to note is that running services on your own equipment +means that you're assuming a level of risk that exists regarding data +loss, catastrophes, etc. In order to reduce the impact of any such +occurrence, I suggest backing up your data regularly. + +Backups can be automated via =cron=, by hooking your base directory up +to a cloud provider, or even setting up hooks to push all repository +info to git mirrors on other git hosts. Whatever the method, make sure +that your data doesn't vanish in the event that your drives or servers +fail. diff --git a/blog/2022-07-14-gnupg.org b/blog/2022-07-14-gnupg.org index 66822f0..66aee7c 100644 --- a/blog/2022-07-14-gnupg.org +++ b/blog/2022-07-14-gnupg.org @@ -1,39 +1,41 @@ -+++ -date = 2022-07-14 -title = "GNU Privacy Guard (GPG)" -description = "An overview of the GPG encryption program and its uses." -draft = false -+++ - -## The History of GPG - -[GNU Privacy Guard](https://gnupg.org/), also known as GnuPG and GPG, is a free -("free" as in both speech and beer) software that fully implements the OpenPGP -Message Format documented in [RFC 4880](https://www.rfc-editor.org/rfc/rfc4880). - -I won't go in-depth on the full history of the software in this post, but it is -important to understand that GPG is not the same as PGP (Pretty Good Privacy), -which is a different implementation of RFC 4880. However, GPG was designed to -interoperate with PGP. - -GPG was originally developed in the late 1990s by [Werner -Koch](https://en.wikipedia.org/wiki/Werner_Koch) and has historically been -funded generously by the German government. - -Now that we have all the high-level info out of the way, let's dive into the -different aspects of GPG and its uses. - -## Encryption Algorithms - -GPG supports a wide range of different encryption algorithms, including -public-key, cipher, hash, and compression algorithms. The support for these -algorithms has grown since the adoption of the Libgcrypt library in the 2.x -versions of GPG. - -As you will be able to see below in an example of a full key generation with the -GPG command line tool, GPG recommends the following algorithms to new users: - -```sh +#+title: GNU Privacy Guard (GPG) +#+date: 2022-07-14 + +** The History of GPG +:PROPERTIES: +:CUSTOM_ID: the-history-of-gpg +:END: +[[https://gnupg.org/][GNU Privacy Guard]], also known as GnuPG and GPG, +is a free ("free" as in both speech and beer) software that fully +implements the OpenPGP Message Format documented in +[[https://www.rfc-editor.org/rfc/rfc4880][RFC 4880]]. + +I won't go in-depth on the full history of the software in this post, +but it is important to understand that GPG is not the same as PGP +(Pretty Good Privacy), which is a different implementation of RFC 4880. +However, GPG was designed to interoperate with PGP. + +GPG was originally developed in the late 1990s by +[[https://en.wikipedia.org/wiki/Werner_Koch][Werner Koch]] and has +historically been funded generously by the German government. + +Now that we have all the high-level info out of the way, let's dive into +the different aspects of GPG and its uses. + +** Encryption Algorithms +:PROPERTIES: +:CUSTOM_ID: encryption-algorithms +:END: +GPG supports a wide range of different encryption algorithms, including +public-key, cipher, hash, and compression algorithms. The support for +these algorithms has grown since the adoption of the Libgcrypt library +in the 2.x versions of GPG. + +As you will be able to see below in an example of a full key generation +with the GPG command line tool, GPG recommends the following algorithms +to new users: + +#+begin_src sh Please select what kind of key you want: (1) RSA and RSA (2) DSA and Elgamal @@ -41,80 +43,84 @@ Please select what kind of key you want: (4) RSA (sign only) (9) ECC (sign and encrypt) *default* (10) ECC (sign only) -``` - -I am not doing an in-depth explanation here in order to keep the focus on GPG -and not encryption algorithms. If you want a deep dive into cryptography -or encryption algorithms, please read my other posts: - -- [AES Encryption](/blog/aes-encryption/) (2018) -- [Cryptography Basics](/blog/cryptography-basics/) (2020) - -### Vulnerabilities - -As of 2022-07-14, there are a few different vulnerabilities associated with -GPG or the libraries it uses: - -- GPG versions 1.0.2–1.2.3 contains a bug where "as soon as one - (GPG-generated) ElGamal signature of an arbitrary message is released, one - can recover the signer's private key in less than a second on a PC." - ([Source](https://www.di.ens.fr/~pnguyen/pub_Ng04.htm)) -- GPG versions prior to 1.4.2.1 contain a false positive signature +#+end_src + +I am not doing an in-depth explanation here in order to keep the focus +on GPG and not encryption algorithms. If you want a deep dive into +cryptography or encryption algorithms, please read my other posts: + +- [[/blog/aes-encryption/][AES Encryption]] (2018) +- [[/blog/cryptography-basics/][Cryptography Basics]] (2020) + +*** Vulnerabilities +:PROPERTIES: +:CUSTOM_ID: vulnerabilities +:END: +As of 2022-07-14, there are a few different vulnerabilities associated +with GPG or the libraries it uses: + +- GPG versions 1.0.2--1.2.3 contains a bug where "as soon as one + (GPG-generated) ElGamal signature of an arbitrary message is released, + one can recover the signer's private key in less than a second on a + PC." ([[https://www.di.ens.fr/~pnguyen/pub_Ng04.htm][Source]]) +- GPG versions prior to 1.4.2.1 contain a false positive signature verification bug. - ([Source](https://lists.gnupg. - org/pipermail/gnupg-announce/2006q1/000211.html)) -- GPG versions prior to 1.4.2.2 cannot detect injection of unsigned data. - ( - [Source](https://lists.gnupg.org/pipermail/gnupg-announce/2006q1/000218.html)) -- Libgcrypt, a library used by GPG, contained a bug which enabled full key - recovery for RSA-1024 and some RSA-2048 keys. - This was resolved in a GPG update in 2017. - ([Source](https://lwn.net/Articles/727179/)) -- The [ROCA Vulnerability](https://en.wikipedia.org/wiki/ROCA_vulnerability) - affects RSA keys generated by YubiKey 4 tokens. - ([Source](https://crocs.fi. - muni.cz/_media/public/papers/nemec_roca_ccs17_preprint.pdf)) -- The [SigSpoof Attack](https://en.wikipedia.org/wiki/SigSpoof) allows an - attacker to spoof digital signatures. - ([Source](https://arstechnica. - com/information-technology/2018/06/decades-old-pgp-bug-allowed-hackers-to-spoof-just-about-anyones-signature/)) -- Libgcrypt 1.9.0 contains a severe flaw related to a heap buffer overflow, - fixed in Libgcrypt 1.9.1 ([Source](https://web.archive. - org/web/20210221012505/https://www.theregister.com/2021/01/29/severe_libgcrypt_bug/)) - -## Platforms - -Originally developed as a command-line program for *nix systems, GPG now has a -wealth of front-end applications and libraries available for end-users. However, -the most recommended programs remain the same: - -- [GnuPG](https://gnupg.org) for Linux (depending on distro) -- [Gpg4win](https://gpg4win.org) for Windows -- [GPGTools](https://gpgtools.org) for macOS - -## Creating a Key Pair - -In order to create a GPG key pair, a user would first need to install GPG on -their system. If we're assuming that the user is on Fedora Linux, they would -execute the following: - -```sh + ([[https://lists.gnupg.%20org/pipermail/gnupg-announce/2006q1/000211.html][Source]]) +- GPG versions prior to 1.4.2.2 cannot detect injection of unsigned + data. ( + [[https://lists.gnupg.org/pipermail/gnupg-announce/2006q1/000218.html][Source]]) +- Libgcrypt, a library used by GPG, contained a bug which enabled full + key recovery for RSA-1024 and some RSA-2048 keys. This was resolved in + a GPG update in 2017. ([[https://lwn.net/Articles/727179/][Source]]) +- The [[https://en.wikipedia.org/wiki/ROCA_vulnerability][ROCA + Vulnerability]] affects RSA keys generated by YubiKey 4 tokens. + ([[https://crocs.fi.%20muni.cz/_media/public/papers/nemec_roca_ccs17_preprint.pdf][Source]]) +- The [[https://en.wikipedia.org/wiki/SigSpoof][SigSpoof Attack]] allows + an attacker to spoof digital signatures. + ([[https://arstechnica.%20com/information-technology/2018/06/decades-old-pgp-bug-allowed-hackers-to-spoof-just-about-anyones-signature/][Source]]) +- Libgcrypt 1.9.0 contains a severe flaw related to a heap buffer + overflow, fixed in Libgcrypt 1.9.1 + ([[https://web.archive.%20org/web/20210221012505/https://www.theregister.com/2021/01/29/severe_libgcrypt_bug/][Source]]) + +** Platforms +:PROPERTIES: +:CUSTOM_ID: platforms +:END: +Originally developed as a command-line program for *nix systems, GPG now +has a wealth of front-end applications and libraries available for +end-users. However, the most recommended programs remain the same: + +- [[https://gnupg.org][GnuPG]] for Linux (depending on distro) +- [[https://gpg4win.org][Gpg4win]] for Windows +- [[https://gpgtools.org][GPGTools]] for macOS + +** Creating a Key Pair +:PROPERTIES: +:CUSTOM_ID: creating-a-key-pair +:END: +In order to create a GPG key pair, a user would first need to install +GPG on their system. If we're assuming that the user is on Fedora Linux, +they would execute the following: + +#+begin_src sh sudo dnf install gpg -``` +#+end_src -Once installed, a user can create a new key pair with the following command(s): +Once installed, a user can create a new key pair with the following +command(s): -```sh +#+begin_src sh gpg --full-generate-key -``` +#+end_src -GPG will walk the user through an interactive setup that asks for an algorithm -preference, expiration date, name, and email to associate with this key. +GPG will walk the user through an interactive setup that asks for an +algorithm preference, expiration date, name, and email to associate with +this key. -See the following example key set-up for a default key generation using the -GnuPG command-line interface: +See the following example key set-up for a default key generation using +the GnuPG command-line interface: -```sh +#+begin_src sh gpg (GnuPG) 2.3.6; Copyright (C) 2021 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. @@ -166,13 +172,15 @@ pub ed25519 2022-07-14 [SC] E955B7700FFC11EF51C2BA1FE096AACDD4C32E9C uid John Doe (test key) <johndoe@example.com> sub cv25519 2022-07-14 [E] -``` +#+end_src -Please note that GUI apps may differ slightly from the GPG command-line +Please note that GUI apps may differ slightly from the GPG command-line interface. -## Common Usage - +** Common Usage +:PROPERTIES: +:CUSTOM_ID: common-usage +:END: As noted in RFC 4880, the general functions of OpenPGP are as follows: - digital signatures @@ -181,98 +189,110 @@ As noted in RFC 4880, the general functions of OpenPGP are as follows: - Radix-64 conversion - key management and certificate services -From this, you can probably gather that the main use of GPG is for encrypting -data and/or signing the data with a key. The purpose of encrypting data with GPG -is to ensure that no one except the intended recipient(s) can access the data. +From this, you can probably gather that the main use of GPG is for +encrypting data and/or signing the data with a key. The purpose of +encrypting data with GPG is to ensure that no one except the intended +recipient(s) can access the data. Let's explore some specific GPG use-cases. -### Email - -One of the more popular uses of GPG is to sign and/or encrypt emails. With the -use of a GPG keypair, you can encrypt a message, its subject, and even the -attachments within. - -The first process, regarding the signing of a message without any encryption, is -generally used to provide assurance that an email is truly coming from the -sender that the message claims. When I send an email, and it's signed with my -public key, the recipient(s) of the message can verify that the message was -signed with my personal key. - -The second process, regarding the actual encryption of the message and its -contents, works by using a combination of the sender's keys and the recipient's -keys. This process may vary slightly by implementation, but it most commonly -uses asymmetric cryptography, also known as public-key cryptography. In this -version of encryption, the sender's private key to sign the message and a -combination of the sender's keys and the recipient's public key to encrypt the -message. - -If two people each have their own private keys and exchange their public keys, -they can send encrypted messages back and forth with GPG. This is also possible -with symmetric cryptography, but the process differs since there are no key -pairs. - -Implementation of email encryption varies greatly between email clients, so you -will need to reference your email client's documentation to ensure you are -setting it up correctly for that specific client. - -### File Encryption - -As noted in the section above regarding emails, GPG enables users to be able to -send a message to each other if they are both set-up with GPG keys. -In this example, I am going to show how a user could send a file called -`example_file.txt` to another user via the recipient's email. - -The sender would find the file they want to send and execute the following -command: - -```sh +*** Email +:PROPERTIES: +:CUSTOM_ID: email +:END: +One of the more popular uses of GPG is to sign and/or encrypt emails. +With the use of a GPG keypair, you can encrypt a message, its subject, +and even the attachments within. + +The first process, regarding the signing of a message without any +encryption, is generally used to provide assurance that an email is +truly coming from the sender that the message claims. When I send an +email, and it's signed with my public key, the recipient(s) of the +message can verify that the message was signed with my personal key. + +The second process, regarding the actual encryption of the message and +its contents, works by using a combination of the sender's keys and the +recipient's keys. This process may vary slightly by implementation, but +it most commonly uses asymmetric cryptography, also known as public-key +cryptography. In this version of encryption, the sender's private key to +sign the message and a combination of the sender's keys and the +recipient's public key to encrypt the message. + +If two people each have their own private keys and exchange their public +keys, they can send encrypted messages back and forth with GPG. This is +also possible with symmetric cryptography, but the process differs since +there are no key pairs. + +Implementation of email encryption varies greatly between email clients, +so you will need to reference your email client's documentation to +ensure you are setting it up correctly for that specific client. + +*** File Encryption +:PROPERTIES: +:CUSTOM_ID: file-encryption +:END: +As noted in the section above regarding emails, GPG enables users to be +able to send a message to each other if they are both set-up with GPG +keys. In this example, I am going to show how a user could send a file +called =example_file.txt= to another user via the recipient's email. + +The sender would find the file they want to send and execute the +following command: + +#+begin_src sh gpg --encrypt --output example_file.txt.gpg --recipient \ recipient@example.com example_file.txt -``` +#+end_src -Once received, the recipient can decrypt the file with the following command: +Once received, the recipient can decrypt the file with the following +command: -```sh +#+begin_src sh gpg --decrypt --output example_file.txt example_file.txt.gpg -``` - -### Ownership Signatures - -One important aspect of GPG, especially for developers, is the ability to sign -data without encrypting it. For example, developers often sign code changes when -they commit the changes back to a central repository, in order to display -ownership of who made the changes. This allows other users to look at a code -change and determine that the change was valid. - -In order to do this using [Git](https://git-scm.com), the developer simply needs -to alter the `git commit` command to include the `-S` flag. Here's an example: - -```sh +#+end_src + +*** Ownership Signatures +:PROPERTIES: +:CUSTOM_ID: ownership-signatures +:END: +One important aspect of GPG, especially for developers, is the ability +to sign data without encrypting it. For example, developers often sign +code changes when they commit the changes back to a central repository, +in order to display ownership of who made the changes. This allows other +users to look at a code change and determine that the change was valid. + +In order to do this using [[https://git-scm.com][Git]], the developer +simply needs to alter the =git commit= command to include the =-S= flag. +Here's an example: + +#+begin_src sh git commit -S -m "my commit message" -``` +#+end_src -As an expansion of the example above, Git users can configure their environment -with a default key to use by adding their GPG signature: +As an expansion of the example above, Git users can configure their +environment with a default key to use by adding their GPG signature: -```sh +#+begin_src sh git config --global user.signingkey XXXXXXXXXXXXXXXX -``` +#+end_src -If you're not sure what your signature is, you can find it titled `sig` in the -output of this command: +If you're not sure what your signature is, you can find it titled =sig= +in the output of this command: -```sh +#+begin_src sh gpg --list-signatures -``` - -### File Integrity - -When a person generates a signature for data, they are allowing users the -ability to verify the signature on that data in the future to ensure the data -has not been corrupted. This is most common with software applications hosted on -the internet - developers provide signatures so that users can verify a website -was not hijacked and download links replaced with dangerous software. +#+end_src + +*** File Integrity +:PROPERTIES: +:CUSTOM_ID: file-integrity +:END: +When a person generates a signature for data, they are allowing users +the ability to verify the signature on that data in the future to ensure +the data has not been corrupted. This is most common with software +applications hosted on the internet - developers provide signatures so +that users can verify a website was not hijacked and download links +replaced with dangerous software. In order to verify signed data, a user needs to have: @@ -280,26 +300,29 @@ In order to verify signed data, a user needs to have: 2. A signature file 3. The public GPG key of the signer -Once the signer's public key is imported on the user's system, and they have -the data and signature, they can verify the data with the following commands: +Once the signer's public key is imported on the user's system, and they +have the data and signature, they can verify the data with the following +commands: -```sh +#+begin_src sh # If the signature is attached to the data gpg --verify [signature-file] # If the signature is detached as a separate file from the data gpg --verify [signature-file] [original-file] -``` - -## Finding Public Keys - -In order to use GPG with others, a user needs to know the other user(s) keys. -This is easy to do if the user knows the other user(s) in person, but may be -hard if the relationship is strictly digital. Luckily, there are a few options. -The first option is to look at a user's web page or social pages if they have -them. +#+end_src + +** Finding Public Keys +:PROPERTIES: +:CUSTOM_ID: finding-public-keys +:END: +In order to use GPG with others, a user needs to know the other user(s) +keys. This is easy to do if the user knows the other user(s) in person, +but may be hard if the relationship is strictly digital. Luckily, there +are a few options. The first option is to look at a user's web page or +social pages if they have them. Otherwise, the best option is to use a keyserver, such as: -- [pgp.mit.edu](https://pgp.mit.edu) -- [keys.openpgp.org](https://keys.openpgp.org) +- [[https://pgp.mit.edu][pgp.mit.edu]] +- [[https://keys.openpgp.org][keys.openpgp.org]] diff --git a/blog/2022-07-25-curseradio.org b/blog/2022-07-25-curseradio.org index 9dc6b67..351c4b9 100644 --- a/blog/2022-07-25-curseradio.org +++ b/blog/2022-07-25-curseradio.org @@ -1,99 +1,114 @@ -+++ -date = 2022-07-25 -title = "CurseRadio: Listening to the Radio on the Command Line" -description = "A quick and easy installation for CurseRadio on Fedora Linux." -+++ - -## Overview - -While exploring some interesting Linux applications, I stumbled across -[curseradio](https://github.com/chronitis/curseradio), a command-line radio -player based on Python. - -This application is fantastic and incredibly easy to install, so I wanted to -dedicate a post today to this app. Let's look at the features within the app and -then walk through the installation process I took to get `curseradio` working. - -## Features - - - -The radio player itself is quite minimal. As you can see in the screenshot -above, it contains a simple plaintext list of all available categories, which -can be broken down further and further. In addition, radio shows are available -for listening, alongside regular radio stations. - -For example, the `Sports` > `Pro Basketball` > `Shows` category contains a -number of specific shows related to Professional Basketball. - -Aside from being able to play any of the listed stations/shows, you can make -a channel your favorite by pressing `f`. -It will now show up at the top of the radio player in the `Favourites` category. - -### Commands/Shortcuts - -| Key(s) | Command | -|:----------:|:-------------------------------:| -| ↑, ↓ | navigate | -| PgUp, PgDn | navigate quickly | -| Home, End | to top/bottom | -| Enter | open/close folders, play stream | -| k | stop playing stream | -| q | quit | -| f | toggle favourite | - -## Installation - -### Dependencies - -Before installing `curseradio`, a handful of system and Python packages are -required. To get started, install `python3`, `pip3`, and `mpv` on your system. -In this example, I'm using Fedora Linux, which uses the `dnf` package manager. -You may need to adjust this if you're using a different system. - -```sh +#+title: CurseRadio: Listening to the Radio on the Command Line +#+date: 2022-07-25 + +** Overview +:PROPERTIES: +:CUSTOM_ID: overview +:END: +While exploring some interesting Linux applications, I stumbled across +[[https://github.com/chronitis/curseradio][curseradio]], a command-line +radio player based on Python. + +This application is fantastic and incredibly easy to install, so I +wanted to dedicate a post today to this app. Let's look at the features +within the app and then walk through the installation process I took to +get =curseradio= working. + +** Features +:PROPERTIES: +:CUSTOM_ID: features +:END: +#+caption: curseradio +[[https://img.cleberg.net/blog/20220725-curseradio/curseradio.png]] + +The radio player itself is quite minimal. As you can see in the +screenshot above, it contains a simple plaintext list of all available +categories, which can be broken down further and further. In addition, +radio shows are available for listening, alongside regular radio +stations. + +For example, the =Sports= > =Pro Basketball= > =Shows= category contains +a number of specific shows related to Professional Basketball. + +Aside from being able to play any of the listed stations/shows, you can +make a channel your favorite by pressing =f=. It will now show up at the +top of the radio player in the =Favourites= category. + +*** Commands/Shortcuts +:PROPERTIES: +:CUSTOM_ID: commandsshortcuts +:END: +| Key(s) | Command | +|------------+---------------------------------| +| ↑, ↓ | navigate | +| PgUp, PgDn | navigate quickly | +| Home, End | to top/bottom | +| Enter | open/close folders, play stream | +| k | stop playing stream | +| q | quit | +| f | toggle favourite | + +** Installation +:PROPERTIES: +:CUSTOM_ID: installation +:END: +*** Dependencies +:PROPERTIES: +:CUSTOM_ID: dependencies +:END: +Before installing =curseradio=, a handful of system and Python packages +are required. To get started, install =python3=, =pip3=, and =mpv= on +your system. In this example, I'm using Fedora Linux, which uses the +=dnf= package manager. You may need to adjust this if you're using a +different system. + +#+begin_src sh sudo dnf install python3 pip3 mpv -``` +#+end_src -Next, use `pip3` to install `requests`, `xdg`, and `lxml`: +Next, use =pip3= to install =requests=, =xdg=, and =lxml=: -```sh +#+begin_src sh pip3 install requests xdg lxml -``` +#+end_src -### Repository Source Installation +*** Repository Source Installation +:PROPERTIES: +:CUSTOM_ID: repository-source-installation +:END: +Once all the dependencies are installed, we can clone the source code +and enter that directory: -Once all the dependencies are installed, we can clone the source code and enter -that directory: - -```sh +#+begin_src sh git clone https://github.com/chronitis/curseradio && cd curseradio -``` +#+end_src -Once you're within the `curseradio` directory, you can install the application -with the provided `setup.py` script. +Once you're within the =curseradio= directory, you can install the +application with the provided =setup.py= script. -```sh +#+begin_src sh sudo python3 setup.py install -``` +#+end_src -In my case, I ran into a few errors and needed to create the folders that -curseradio wanted to use for its installation. If you don't get any errors, you -can skip this and run the app. +In my case, I ran into a few errors and needed to create the folders +that curseradio wanted to use for its installation. If you don't get any +errors, you can skip this and run the app. -```sh +#+begin_src sh sudo mkdir /usr/local/lib/python3.10/ sudo mkdir /usr/local/lib/python3.10/site-packages/ -``` +#+end_src -```sh +#+begin_src sh sudo chown -R $USER:$USER /usr/local/lib/python3.10/ -``` - -## Run the Application +#+end_src +** Run the Application +:PROPERTIES: +:CUSTOM_ID: run-the-application +:END: Once fully installed without errors, you can run the application! -```sh +#+begin_src sh python3 /usr/local/bin/curseradio -``` +#+end_src diff --git a/blog/2022-07-30-flac-to-opus.org b/blog/2022-07-30-flac-to-opus.org index df069b0..5d9d291 100644 --- a/blog/2022-07-30-flac-to-opus.org +++ b/blog/2022-07-30-flac-to-opus.org @@ -1,67 +1,72 @@ -+++ -date = 2022-07-30 -title = "Recursive Command-Line FLAC to Opus Conversion" -description = "A retrospective on how I recursively converting my FLAC file music library to OPUS with opusenc." -+++ - -## Converting FLAC to OPUS - -I am currently rebuilding my music library from scratch so that I can -effectively archive all the music I own in the [FLAC file -format](https://en.wikipedia.org/wiki/FLAC), a lossless audio codec. - -However, streaming FLAC files outside the home can be difficult due to the -size of the files, especially if you're using a weak connection. - -So, in order to archive the music in a lossless format and still be able to -stream it easily, I opted to create a copy of my FLAC files in the [Opus audio -codec](https://en.wikipedia.org/wiki/Opus_(audio_format)). This allows me to -archive a quality, lossless version of the music and then point my streaming -service to the smaller, stream-ready version. - -### Dependencies - -The process I follow utilizes the `opus-tools` package in Ubuntu. Before +#+title: Recursive Command-Line FLAC to Opus Conversion +#+date: 2022-07-30 + +** Converting FLAC to OPUS +:PROPERTIES: +:CUSTOM_ID: converting-flac-to-opus +:END: +I am currently rebuilding my music library from scratch so that I can +effectively archive all the music I own in the +[[https://en.wikipedia.org/wiki/FLAC][FLAC file format]], a lossless +audio codec. + +However, streaming FLAC files outside the home can be difficult due to +the size of the files, especially if you're using a weak connection. + +So, in order to archive the music in a lossless format and still be able +to stream it easily, I opted to create a copy of my FLAC files in the +[[https://en.wikipedia.org/wiki/Opus_(audio_format)][Opus audio codec]]. +This allows me to archive a quality, lossless version of the music and +then point my streaming service to the smaller, stream-ready version. + +*** Dependencies +:PROPERTIES: +:CUSTOM_ID: dependencies +:END: +The process I follow utilizes the =opus-tools= package in Ubuntu. Before proceeding, install the package: -```sh +#+begin_src sh sudo apt install opus-tools -``` +#+end_src -If you want to use a different conversion method, such as `ffmpeg` or `avconv`, -simply install that package instead. +If you want to use a different conversion method, such as =ffmpeg= or +=avconv=, simply install that package instead. -### Conversion Process +*** Conversion Process +:PROPERTIES: +:CUSTOM_ID: conversion-process +:END: +The script I'm using is stored in my home directory, but feel free to +create it wherever you want. It does not need to be in the same +directory as your music files. -The script I'm using is stored in my home directory, but feel free to create it -wherever you want. It does not need to be in the same directory as your music -files. - -```sh +#+begin_src sh cd ~ && nano transform.sh -``` +#+end_src -Once you have your new bash script opened in an editor, go ahead and paste the -following logic into the script. +Once you have your new bash script opened in an editor, go ahead and +paste the following logic into the script. -You **MUST** edit the following variables in order for it to work: +You *MUST* edit the following variables in order for it to work: -- `source`: The source directory where your FLAC files are stored. -- `dest`: The destination directory where you want the resulting Opus files to -be stored. +- =source=: The source directory where your FLAC files are stored. +- =dest=: The destination directory where you want the resulting Opus + files to be stored. -You **MAY** want to edit the following variables to suit your needs: +You *MAY* want to edit the following variables to suit your needs: -- `filename`: If you are converting to a file format other than Opus, you'll -need to edit this so that your resulting files have the correct filename -extension. -- `reldir`: This variable can be edited to strip out more leading directories in -the file path. As you'll see later, I ignore this for now and simply clean it up -afterward. -- `opusenc`: This is the actual conversion process. You may want to edit the -bitrate to suit your needs. I set mine at 128 but some prefer 160 or higher. +- =filename=: If you are converting to a file format other than Opus, + you'll need to edit this so that your resulting files have the correct + filename extension. +- =reldir=: This variable can be edited to strip out more leading + directories in the file path. As you'll see later, I ignore this for + now and simply clean it up afterward. +- =opusenc=: This is the actual conversion process. You may want to edit + the bitrate to suit your needs. I set mine at 128 but some prefer 160 + or higher. -```sh +#+begin_src sh #!/bin/bash ## - The IFS takes care of spaces in file and dirnames ## - your folders may vary @@ -123,52 +128,55 @@ opusenc --vbr --bitrate 128 --date "$DATE" \ ## just for testing # sleep 1 done -``` +#+end_src -Once you're done, simply save the file and exit your editor. Don't forget to -enable execution of the script: +Once you're done, simply save the file and exit your editor. Don't +forget to enable execution of the script: -```sh +#+begin_src sh chmod +x transform.sh -``` +#+end_src Finally, you may now run the script: -```sh +#+begin_src sh ./transform.sh -``` - -If you used `opusenc`, you'll see the conversions happen within the terminal as -it progresses. -You will also see variables printed if you uncommented any of the bash -script's comments. - -### Cleanup - -As I noted above, I didn't customize my `reldir` variable in the script, which -caused my output directory to be `/mnt/music/library/archives` instead of -`/mnt/music/library`. So, I moved the output up one level and deleted the -accidental directory. - -```sh +#+end_src + +If you used =opusenc=, you'll see the conversions happen within the +terminal as it progresses. You will also see variables printed if you +uncommented any of the bash script's comments. + +*** Cleanup +:PROPERTIES: +:CUSTOM_ID: cleanup +:END: +As I noted above, I didn't customize my =reldir= variable in the script, +which caused my output directory to be =/mnt/music/library/archives= +instead of =/mnt/music/library=. So, I moved the output up one level and +deleted the accidental directory. + +#+begin_src sh cd /mnt/music/library mv archives/* . rm -rf archives -``` - -### Check the Resulting Size +#+end_src -If you want to see what kind of file size savings you've gained, you can always -use the `du` command to check: +*** Check the Resulting Size +:PROPERTIES: +:CUSTOM_ID: check-the-resulting-size +:END: +If you want to see what kind of file size savings you've gained, you can +always use the =du= command to check: -```sh +#+begin_src sh cd /mnt/music du -h --max-depth=1 . -``` +#+end_src In my case, my small library went from 78GB to 6.3GB! -```txt +#+begin_src txt 78G ./archives 6.3G ./library -``` +#+end_src diff --git a/blog/2022-07-31-bash-it.org b/blog/2022-07-31-bash-it.org index 6ec4eeb..47e726b 100644 --- a/blog/2022-07-31-bash-it.org +++ b/blog/2022-07-31-bash-it.org @@ -1,116 +1,126 @@ -+++ -date = 2022-07-31 -title = "Upgrade Bash with Bash-It & Ble.sh" -description = "In this post, I walk through the Bash-It and Ble.sh projects, their features, and how they help users power-up their bash shell." -+++ - -## Bash - -For those who are not familiar, -[Bash](https://en.wikipedia.org/wiki/Bash_(Unix_shell)) is a Unix shell that is -used as the default login shell for most Linux distributions. This shell and -command processor should be familiar if you've used Linux (or older version of -macOS) before. - -However, bash is not the only option. -There are numerous other shells that exist. -Here are some popular examples: - -- [zsh](https://en.wikipedia.org/wiki/Z_shell) -- [fish](https://en.wikipedia.org/wiki/Fish_(Unix_shell)) -- [oksh](https://github.com/ibara/oksh) -- [mksh](https://wiki.gentoo.org/wiki/Mksh) -- [dash](https://en.wikipedia.org/wiki/Debian_Almquist_shell) - -While each shell has its differences, bash is POSIX compliant and the default -for many Linux users. Because of this, I am going to explore a program called -`bash-it` below that helps bash users increase the utility of their shell -without installing a completely new shell. - -### Installation - -First, if bash is not already installed on your system, you can [download bash -from GNU](https://www.gnu.org/software/bash/) or use your package manager to -install it. +#+title: Upgrade Bash with Bash-It & Ble.sh +#+date: 2022-07-31 + +** Bash +:PROPERTIES: +:CUSTOM_ID: bash +:END: +For those who are not familiar, +[[https://en.wikipedia.org/wiki/Bash_(Unix_shell)][Bash]] is a Unix +shell that is used as the default login shell for most Linux +distributions. This shell and command processor should be familiar if +you've used Linux (or older version of macOS) before. + +However, bash is not the only option. There are numerous other shells +that exist. Here are some popular examples: + +- [[https://en.wikipedia.org/wiki/Z_shell][zsh]] +- [[https://en.wikipedia.org/wiki/Fish_(Unix_shell)][fish]] +- [[https://github.com/ibara/oksh][oksh]] +- [[https://wiki.gentoo.org/wiki/Mksh][mksh]] +- [[https://en.wikipedia.org/wiki/Debian_Almquist_shell][dash]] + +While each shell has its differences, bash is POSIX compliant and the +default for many Linux users. Because of this, I am going to explore a +program called =bash-it= below that helps bash users increase the +utility of their shell without installing a completely new shell. + +*** Installation +:PROPERTIES: +:CUSTOM_ID: installation +:END: +First, if bash is not already installed on your system, you can +[[https://www.gnu.org/software/bash/][download bash from GNU]] or use +your package manager to install it. For example, this is how you can install bash on Fedora Linux: -```sh +#+begin_src sh sudo dnf install bash -``` +#+end_src -If you are not using bash as your default shell, use the `chsh` command to -change your shell: +If you are not using bash as your default shell, use the =chsh= command +to change your shell: -```sh +#+begin_src sh chsh -``` +#+end_src -You should see a prompt like the one below. If the brackets (`[]`) contain -`bash` already, you're done, and you can simply continue by hitting the Enter -key. +You should see a prompt like the one below. If the brackets (=[]=) +contain =bash= already, you're done, and you can simply continue by +hitting the Enter key. -If the brackets contain another shell path (e.g. `/usr/bin/zsh`), enter the path -to the bash program on your system (it's most likely located at -`/usr/bin/bash`). +If the brackets contain another shell path (e.g. =/usr/bin/zsh=), enter +the path to the bash program on your system (it's most likely located at +=/usr/bin/bash=). -```sh +#+begin_src sh Changing shell for <user>. New shell [/usr/bin/bash]: -``` +#+end_src -You must log out or restart the machine in order for the login shell to be -refreshed. You can do it now or wait until you're finished customizing the -shell. +You must log out or restart the machine in order for the login shell to +be refreshed. You can do it now or wait until you're finished +customizing the shell. -```sh +#+begin_src sh sudo reboot now -``` +#+end_src -## Bash-it +** Bash-it +:PROPERTIES: +:CUSTOM_ID: bash-it +:END: +As noted on the [[https://github.com/Bash-it/bash-it][Bash-it]] +repository: -As noted on the [Bash-it](https://github.com/Bash-it/bash-it) repository: +#+begin_quote +Bash-it is a collection of community Bash commands and scripts for Bash +3.2+. (And a shameless ripoff of oh-my-zsh 😃) -> Bash-it is a collection of community Bash commands and scripts for Bash 3.2+. -> (And a shameless ripoff of oh-my-zsh 😃) +#+end_quote -Bash-it makes it easy to install plugins, set up aliases for common commands, -and easily change the visual theme of your shell. +Bash-it makes it easy to install plugins, set up aliases for common +commands, and easily change the visual theme of your shell. -### Installation +*** Installation +:PROPERTIES: +:CUSTOM_ID: installation-1 +:END: +To install the framework, simply copy the repository files and use the +=install.sh= script provided. If you want, you can (and should!) inspect +the contents of the installation script before you run it. -To install the framework, simply copy the repository files and use the -`install.sh` script provided. If you want, you can (and should!) inspect the -contents of the installation script before you run it. - -```sh +#+begin_src sh git clone --depth=1 https://github.com/Bash-it/bash-it.git ~/.bash_it ~/.bash_it/install.sh -``` +#+end_src -If you didn't restart your session after making bash the default, and are -currently working within another shell, be sure to enter a bash session before -using `bash-it`: +If you didn't restart your session after making bash the default, and +are currently working within another shell, be sure to enter a bash +session before using =bash-it=: -```sh +#+begin_src sh bash -``` - -### Aliases +#+end_src -Bash-it contains a number of aliases for common commands to help improve -efficiency in the terminal. To list all available options, use the following -command: +*** Aliases +:PROPERTIES: +:CUSTOM_ID: aliases +:END: +Bash-it contains a number of aliases for common commands to help improve +efficiency in the terminal. To list all available options, use the +following command: -```sh +#+begin_src sh bash-it show aliases -``` +#+end_src This will provide you a list that looks like the following text block. -Within this screen, you will be able to see all available options and which -ones are currently enabled. +Within this screen, you will be able to see all available options and +which ones are currently enabled. -```txt +#+begin_src txt Alias Enabled? Description ag [ ] the silver searcher (ag) aliases ansible [ ] ansible abbreviations @@ -123,32 +133,35 @@ clipboard [ ] xclip shortcuts composer [ ] common composer abbreviations curl [x] Curl aliases for convenience. ... -``` +#+end_src To enable an alias, do: -```sh +#+begin_src sh bash-it enable alias <alias name> [alias name]... -or- $ bash-it enable alias all -``` +#+end_src To disable an alias, do: -```sh +#+begin_src sh bash-it disable alias <alias name> [alias name]... -or- $ bash-it disable alias all -``` +#+end_src -### Plugins +*** Plugins +:PROPERTIES: +:CUSTOM_ID: plugins +:END: +Similar to aliases, plugins are available with bash-it. You can find a +complete list of plugins in the same way as aliases. Simply execute the +following: -Similar to aliases, plugins are available with bash-it. You can find a complete -list of plugins in the same way as aliases. Simply execute the following: - -```sh +#+begin_src sh bash-it show plugins -``` +#+end_src You will see the following output showing enabled and disabled plugins: -```txt +#+begin_src txt Plugin Enabled? Description alias-completion [ ] autojump [ ] Autojump configuration, see https://github.com/wting/autojump for more details @@ -159,79 +172,87 @@ battery [x] display info about your battery charge level blesh [ ] load ble.sh, the Bash line editor! boot2docker [ ] Helpers to get Docker setup correctly for boot2docker browser [ ] render commandline output in your browser -``` +#+end_src To enable a plugin, do: -```sh +#+begin_src sh bash-it enable plugin <plugin name> [plugin name]... -or- $ bash-it enable plugin all -``` +#+end_src To disable a plugin, do: -```sh +#+begin_src sh bash-it disable plugin <plugin name> [plugin name]... -or- $ bash-it disable plugin all -``` - -### Themes - -There are quite a few pre-defined -[themes](https://bash-it.readthedocs.io/en/latest/themes-list/#list-of-themes) +#+end_src + +*** Themes +:PROPERTIES: +:CUSTOM_ID: themes +:END: +There are quite a few pre-defined +[[https://bash-it.readthedocs.io/en/latest/themes-list/#list-of-themes][themes]] available with bash-it. To list all themes: -```sh +#+begin_src sh ls ~/.bash_it/themes/ -``` +#+end_src -To use a new theme, you'll need to edit `.bashrc` and alter the `BASH_IT_THEME` -variable to your desired theme. For example, I am using the `zork` theme. +To use a new theme, you'll need to edit =.bashrc= and alter the +=BASH_IT_THEME= variable to your desired theme. For example, I am using +the =zork= theme. -```sh +#+begin_src sh nano ~/.bashrc -``` +#+end_src -```sh +#+begin_src sh export BASH_IT_THEME='zork' -``` - -Once you save your changes, you just need to exit your terminal and create a new -one in order to see your changes to the `.bashrc` file. You can also `source` -the file to see changes, but I recommend starting a completely new shell -instead. - -## ble.sh - -One big feature I was missing in Bash that both `zsh` and `fish` have is an -autosuggestion feature. To explain: as you type, an autosuggestion feature in -the shell will offer suggestions in a lighter font color beyond the characters -already typed. Once you see the command you want, you can click the right arrow -and have the shell auto-complete that line for you. - -Luckily, the [Bash Line Editor](https://github.com/akinomyoga/ble.sh) (ble.sh) -exists! This program provides a wonderful autosuggestions feature perfectly, -among other features that I haven't tested yet. +#+end_src + +Once you save your changes, you just need to exit your terminal and +create a new one in order to see your changes to the =.bashrc= file. You +can also =source= the file to see changes, but I recommend starting a +completely new shell instead. + +** ble.sh +:PROPERTIES: +:CUSTOM_ID: ble.sh +:END: +One big feature I was missing in Bash that both =zsh= and =fish= have is +an autosuggestion feature. To explain: as you type, an autosuggestion +feature in the shell will offer suggestions in a lighter font color +beyond the characters already typed. Once you see the command you want, +you can click the right arrow and have the shell auto-complete that line +for you. + +Luckily, the [[https://github.com/akinomyoga/ble.sh][Bash Line Editor]] +(ble.sh) exists! This program provides a wonderful autosuggestions +feature perfectly, among other features that I haven't tested yet. In order to install ble.sh, execute the following: -```sh +#+begin_src sh git clone --recursive https://github.com/akinomyoga/ble.sh.git make -C ble.sh install PREFIX=~/.local echo 'source ~/.local/share/blesh/ble.sh' >> ~/.bashrc -``` - -Again, exit the terminal and open a new one in order to see the newly-configured -shell. +#+end_src -## Restart the Session +Again, exit the terminal and open a new one in order to see the +newly-configured shell. -Finally, as mentioned above, you'll need to restart the session to ensure that -your user is using bash by default. +** Restart the Session +:PROPERTIES: +:CUSTOM_ID: restart-the-session +:END: +Finally, as mentioned above, you'll need to restart the session to +ensure that your user is using bash by default. -You will also need to exit and re-open a shell (e.g., terminal or terminal tab) -any time you make changes to the `.bashrc` file. +You will also need to exit and re-open a shell (e.g., terminal or +terminal tab) any time you make changes to the =.bashrc= file. -```sh +#+begin_src sh sudo reboot now -``` +#+end_src diff --git a/blog/2022-08-31-privacy.com-changes.org b/blog/2022-08-31-privacy.com-changes.org index 9cf23c6..c734a5e 100644 --- a/blog/2022-08-31-privacy.com-changes.org +++ b/blog/2022-08-31-privacy.com-changes.org @@ -1,92 +1,110 @@ -+++ -date = 2022-08-31 -title = "Concerning Changes on Privacy.com" -description = "A quick description of the recent changes of Privacy.com toward a credit card model." -+++ - -## Privacy.com Changes Their Terms - -Recently, Privacy.com reached out to their customers regarding a change in their -terms of use. Further, all customers are required to agree to the changes in -order to continue using their accounts. - -[You can view the new cardholder agreement -here](https://privacy.com/commercial-cardholder-agreement). - -When you log in, you'll be greeted with a pop-up window asking you to review -and agree to the new terms of use. -You will also not be able to open any new cards until the terms are agreed to. - -### Changing from a "Prepaid Debit" Model to a "Charge Card" Model - -The actual content of the changes is interesting. While the historical model of -using Privacy.com was akin to prepaid debit cards, the new model is very similar -to a credit card (they use the term "charge card"). - -I have used Privacy.com for 1-2 years, and the process was always that you -would create a single-use or merchant-locked card. -This card could be used for any dollar limit you set and would immediately -draw the funds from whatever funding source you connected, e.g. PayPal -account or a bank account. - -The benefit this service provides with a premium account is masking the merchant -names from your funding source. If you have a concern that your bank account -uses merchant data from your account, you could direct all charges through -Privacy.com and set the merchant as one of their pre-set options, such as -"Smiley's Corner Store" or "NSA Gift Shop." - -The new model still works with a bank account as a funding source, but the model -is changed so that you get a "line of credit" set according to a 14-day billing -cycle. It seems that Privacy.com will now allow charges to be incurred without -being immediately paid. - -### Daily Payments and Available Credit - -Instead of paying as charges are incurred, you must make a "Daily Payment" and -your "Available Credit" will be locked until you make that payment. There are -also "End of Billing Cycle Payments" that are assigned a due date. - -Further, Privacy.com will decline charges that would cause you to exceed your -Available Credit or Credit Limit. +#+title: Concerning Changes on Privacy.com +#+date: 2022-08-31 + +** Privacy.com Changes Their Terms +:PROPERTIES: +:CUSTOM_ID: privacy.com-changes-their-terms +:END: +Recently, Privacy.com reached out to their customers regarding a change +in their terms of use. Further, all customers are required to agree to +the changes in order to continue using their accounts. + +[[https://privacy.com/commercial-cardholder-agreement][You can view the +new cardholder agreement here]]. + +When you log in, you'll be greeted with a pop-up window asking you to +review and agree to the new terms of use. You will also not be able to +open any new cards until the terms are agreed to. + +*** Changing from a "Prepaid Debit" Model to a "Charge Card" Model +:PROPERTIES: +:CUSTOM_ID: changing-from-a-prepaid-debit-model-to-a-charge-card-model +:END: +The actual content of the changes is interesting. While the historical +model of using Privacy.com was akin to prepaid debit cards, the new +model is very similar to a credit card (they use the term "charge +card"). + +I have used Privacy.com for 1-2 years, and the process was always that +you would create a single-use or merchant-locked card. This card could +be used for any dollar limit you set and would immediately draw the +funds from whatever funding source you connected, e.g. PayPal account or +a bank account. + +The benefit this service provides with a premium account is masking the +merchant names from your funding source. If you have a concern that your +bank account uses merchant data from your account, you could direct all +charges through Privacy.com and set the merchant as one of their pre-set +options, such as "Smiley's Corner Store" or "NSA Gift Shop." + +The new model still works with a bank account as a funding source, but +the model is changed so that you get a "line of credit" set according to +a 14-day billing cycle. It seems that Privacy.com will now allow charges +to be incurred without being immediately paid. + +*** Daily Payments and Available Credit +:PROPERTIES: +:CUSTOM_ID: daily-payments-and-available-credit +:END: +Instead of paying as charges are incurred, you must make a "Daily +Payment" and your "Available Credit" will be locked until you make that +payment. There are also "End of Billing Cycle Payments" that are +assigned a due date. + +Further, Privacy.com will decline charges that would cause you to exceed +your Available Credit or Credit Limit. One particular interesting section states the following: -> YOUR OBLIGATION TO PAY US BACK FOR ALL CARD TRANSACTIONS AND OTHER OBLIGATIONS -> YOU INCUR IS SECURED BY THE SECURED ACCOUNT. IF YOU DO NOT PAY US BACK FOR ANY -> AMOUNT YOU OWE US WHEN YOUR PAYMENTS ARE DUE, WE WILL EXERCISE OUR INTEREST -> AND DEBIT THE SECURED ACCOUNT, AND YOU WILL LOSE THE MONEY IN THE SECURED -> ACCOUNT. SEE SECTION 8: SECURITY AGREEMENT FOR MORE INFORMATION. - -### Personal Information - -Now that Privacy.com is more of a financial institution, they are obligated to -comply with the [know your -customer](https://en.wikipedia.org/wiki/Know_your_customer) guidelines/laws. - -I did not proceed with the change to my Privacy.com account, but I have heard -from some peers that the changes require more personal information to be -submitted, such as SSN. I am not aware of all new personal information required -or if the funding source is now required to only be a bank account. - -### Fees - -Luckily, the fees section did not change much. The subscription fees for a -premium account are still the only fees. - -## My Thoughts - -Personally, I wiped my personal information from my account and then permanently -deleted it when I heard about these changes. I have no interest in yet another -method of credit lending offered by private companies. While I accepted that -they would have access to my bank account information for the purposes of paying -off my prepaid debit payments, I have no interest in incurring charges that will -need to be paid back at a later date. I also have no interest in submitting +#+begin_quote +YOUR OBLIGATION TO PAY US BACK FOR ALL CARD TRANSACTIONS AND OTHER +OBLIGATIONS YOU INCUR IS SECURED BY THE SECURED ACCOUNT. IF YOU DO NOT +PAY US BACK FOR ANY AMOUNT YOU OWE US WHEN YOUR PAYMENTS ARE DUE, WE +WILL EXERCISE OUR INTEREST AND DEBIT THE SECURED ACCOUNT, AND YOU WILL +LOSE THE MONEY IN THE SECURED ACCOUNT. SEE SECTION 8: SECURITY AGREEMENT +FOR MORE INFORMATION. + +#+end_quote + +*** Personal Information +:PROPERTIES: +:CUSTOM_ID: personal-information +:END: +Now that Privacy.com is more of a financial institution, they are +obligated to comply with the +[[https://en.wikipedia.org/wiki/Know_your_customer][know your customer]] +guidelines/laws. + +I did not proceed with the change to my Privacy.com account, but I have +heard from some peers that the changes require more personal information +to be submitted, such as SSN. I am not aware of all new personal +information required or if the funding source is now required to only be +a bank account. + +*** Fees +:PROPERTIES: +:CUSTOM_ID: fees +:END: +Luckily, the fees section did not change much. The subscription fees for +a premium account are still the only fees. + +** My Thoughts +:PROPERTIES: +:CUSTOM_ID: my-thoughts +:END: +Personally, I wiped my personal information from my account and then +permanently deleted it when I heard about these changes. I have no +interest in yet another method of credit lending offered by private +companies. While I accepted that they would have access to my bank +account information for the purposes of paying off my prepaid debit +payments, I have no interest in incurring charges that will need to be +paid back at a later date. I also have no interest in submitting personal information to Privacy.com. -This type of change toward a "buy it now, pay us later" model is concerning, -and I will be watching Privacy.com to see if they further their interests in -the credit model as time goes on. +This type of change toward a "buy it now, pay us later" model is +concerning, and I will be watching Privacy.com to see if they further +their interests in the credit model as time goes on. -Could we see them start charging interest, fees, etc.? I'm not sure, but -this change does not inspire confidence in their mission as a +Could we see them start charging interest, fees, etc.? I'm not sure, but +this change does not inspire confidence in their mission as a privacy-focused company. diff --git a/blog/2022-09-17-serenity-os.org b/blog/2022-09-17-serenity-os.org index 329e91c..d3da4b1 100644 --- a/blog/2022-09-17-serenity-os.org +++ b/blog/2022-09-17-serenity-os.org @@ -1,113 +1,128 @@ -+++ -date = 2022-09-17 -title = "Serenity OS: Testing Out a Unique System" -description = "Walking through my exploration of Serenity OS, a unique 90s-esque system." -+++ +#+title: Serenity OS: Testing Out a Unique System +#+date: 2022-09-17 -## Overview +** Overview +:PROPERTIES: +:CUSTOM_ID: overview +:END: +[[https://serenityos.org][SerenityOS]] is a unique operating system (OS) +that I have seen pop up in my news feed a few times over the last few +years, but I have never had time to test it out until now. -[SerenityOS](https://serenityos.org) is a unique operating system (OS) that I -have seen pop up in my news feed a few times over the last few years, but I have -never had time to test it out until now. - -Testing out this system brought back fond memories of yellowed, -modem-screeching, 100-pound computers that brought so many fond memories to my -youth. +Testing out this system brought back fond memories of yellowed, +modem-screeching, 100-pound computers that brought so many fond memories +to my youth. Per their website: -> A graphical Unix-like operating system for desktop computers! -> -> SerenityOS is a love letter to '90s user interfaces with a custom Unix-like -> core. -> It flatters with sincerity by stealing beautiful ideas from various -> other systems. -> -> Roughly speaking, the goal is a marriage between the aesthetic of late-1990s -> productivity software and the power-user accessibility of late-2000s *nix. -> -> This is a system by us, for us, based on the things we like. - -## Building - -Your first question may be "Where's the iso?" and the answer is... there are -none. SerenityOS does not provide pre-built images for testing. You must build -the images yourself. This seems intentionally to limit participation to only -those who are truly interested enough to learn how to build the OS. +#+begin_quote +A graphical Unix-like operating system for desktop computers! -### Clone - -In order to get started, you'll need to clone the source repository: +SerenityOS is a love letter to '90s user interfaces with a custom +Unix-like core. It flatters with sincerity by stealing beautiful ideas +from various other systems. -```sh -git clone https://github.com/SerenityOS/serenity && cd serenity -``` +Roughly speaking, the goal is a marriage between the aesthetic of +late-1990s productivity software and the power-user accessibility of +late-2000s *nix. -### Build +This is a system by us, for us, based on the things we like. -Note that I followed the [Build -Instructions](https://github.com/SerenityOS/serenity/blob/master/Documentation/BuildInstructions.md) -in the SerenityOS repository as of commit -`660d2b53b1206e868d5470eee80b5e62d7e30da7`. -Things may have changed since my installation, and you should double-check -the instructions first. +#+end_quote -Regardless, I want to repeat my steps here to illustrate any errors or differing -commands I needed to run in order to build and run SerenityOS. +** Building +:PROPERTIES: +:CUSTOM_ID: building +:END: +Your first question may be "Where's the iso?" and the answer is... there +are none. SerenityOS does not provide pre-built images for testing. You +must build the images yourself. This seems intentionally to limit +participation to only those who are truly interested enough to learn how +to build the OS. -Since I am running Fedora, I needed to install these packages in order to build -the OS images: +*** Clone +:PROPERTIES: +:CUSTOM_ID: clone +:END: +In order to get started, you'll need to clone the source repository: -```sh +#+begin_src sh +git clone https://github.com/SerenityOS/serenity && cd serenity +#+end_src + +*** Build +:PROPERTIES: +:CUSTOM_ID: build +:END: +Note that I followed the +[[https://github.com/SerenityOS/serenity/blob/master/Documentation/BuildInstructions.md][Build +Instructions]] in the SerenityOS repository as of commit +=660d2b53b1206e868d5470eee80b5e62d7e30da7=. Things may have changed +since my installation, and you should double-check the instructions +first. + +Regardless, I want to repeat my steps here to illustrate any errors or +differing commands I needed to run in order to build and run SerenityOS. + +Since I am running Fedora, I needed to install these packages in order +to build the OS images: + +#+begin_src sh sudo dnf install texinfo binutils-devel curl cmake mpfr-devel libmpc-devel gmp-devel e2fsprogs ninja-build patch ccache rsync @"C Development Tools and Libraries" @Virtualization -``` +#+end_src -Next, make sure you're inside the `serenity` directory created earlier +Next, make sure you're inside the =serenity= directory created earlier during the git cloning process and process to build the toolchain: -```sh +#+begin_src sh Meta/serenity.sh rebuild-toolchain -``` +#+end_src Once the toolchain is built, you can Build and run the OS! -```sh +#+begin_src sh Meta/serenity.sh run -``` - -After this process is completed, the image should run automatically and launch. - -## Issues +#+end_src -I played around in SerenityOS for an hour or two in order to see what I could do -and had a lot of fun with it. The only issue I ran into was a lack of working -internet. I didn't try very hard, but I could tell that the main network link -wasn't connecting to my Fedora host properly. +After this process is completed, the image should run automatically and +launch. -## Screenshots +** Issues +:PROPERTIES: +:CUSTOM_ID: issues +:END: +I played around in SerenityOS for an hour or two in order to see what I +could do and had a lot of fun with it. The only issue I ran into was a +lack of working internet. I didn't try very hard, but I could tell that +the main network link wasn't connecting to my Fedora host properly. -The initial launch of the image displays the SerenityOS desktop, with a simple -terminal already launched: +** Screenshots +:PROPERTIES: +:CUSTOM_ID: screenshots +:END: +The initial launch of the image displays the SerenityOS desktop, with a +simple terminal already launched: - +[[https://img.cleberg.net/blog/20220917-serenityos/initial_launch.png]] -Here you can see the Fire application (literally just shows fire burning), a -browser with the local Serenity Browser page loaded, and a text editor. +Here you can see the Fire application (literally just shows fire +burning), a browser with the local Serenity Browser page loaded, and a +text editor. - +[[https://img.cleberg.net/blog/20220917-serenityos/basic_apps.png]] -I also poked around the system utilities and found most tools you'd expect to -find within a standard desktop. +I also poked around the system utilities and found most tools you'd +expect to find within a standard desktop. - +[[https://img.cleberg.net/blog/20220917-serenityos/system_monitor.png]] -Lastly, I noted that the default desktop contains numerous pre-defined themes to -choose from. This is a small piece, but it's actually wonderful to see desktop -developers consider theming directly out of the box rather than using an -addon-based mentality. +Lastly, I noted that the default desktop contains numerous pre-defined +themes to choose from. This is a small piece, but it's actually +wonderful to see desktop developers consider theming directly out of the +box rather than using an addon-based mentality. - +[[https://img.cleberg.net/blog/20220917-serenityos/themes.png]] -I didn't take a screenshot of the other pre-installed games, but I did spend -nearly 30 minutes playing Solitaire before remembering that I was supposed to be -writing a post about the OS. +I didn't take a screenshot of the other pre-installed games, but I did +spend nearly 30 minutes playing Solitaire before remembering that I was +supposed to be writing a post about the OS. diff --git a/blog/2022-09-21-graphene-os.org b/blog/2022-09-21-graphene-os.org index b16b88a..f17f860 100644 --- a/blog/2022-09-21-graphene-os.org +++ b/blog/2022-09-21-graphene-os.org @@ -1,160 +1,186 @@ -+++ -date = 2022-09-21 -title = "Installing Graphene OS on the Pixel 6 Pro" -description = "A walkthrough tutorial on how to install GrapheneOS on the Pixel 6 Pro with Fedora Linux." -+++ - -## Introduction - -After using iOS for a couple of years, I finally took the plunge and +#+title: Installing Graphene OS on the Pixel 6 Pro +#+date: 2022-09-21 + +** Introduction +:PROPERTIES: +:CUSTOM_ID: introduction +:END: +After using iOS for a couple of years, I finally took the plunge and purchased a Pixel 6 Pro in order to test and use [GrapheneOS] (https://grapheneos.org). -The installation process was rather quick once you have the tools and files you -need. Overall, it can be done in just a few minutes. - -## Gathering Tools & Files - -### Android Tools - -First, in order to interact with the device, we will need the [Android -platform -tools](https://developer.android.com/studio/releases/platform-tools.html). Find -the Linux download and save the ZIP folder to your preferred location. - -Once we've downloaded the files, we will need to unzip them, enter the -directory, and move the necessary executables to a central location, such as -`/usr/bin/`. For this installation, we only need the `fastboot` and `adb` -executables. - -```sh +The installation process was rather quick once you have the tools and +files you need. Overall, it can be done in just a few minutes. + +** Gathering Tools & Files +:PROPERTIES: +:CUSTOM_ID: gathering-tools-files +:END: +*** Android Tools +:PROPERTIES: +:CUSTOM_ID: android-tools +:END: +First, in order to interact with the device, we will need the +[[https://developer.android.com/studio/releases/platform-tools.html][Android +platform tools]]. Find the Linux download and save the ZIP folder to +your preferred location. + +Once we've downloaded the files, we will need to unzip them, enter the +directory, and move the necessary executables to a central location, +such as =/usr/bin/=. For this installation, we only need the =fastboot= +and =adb= executables. + +#+begin_src sh cd ~/Downloads -``` +#+end_src -```sh +#+begin_src sh unzip platform-tools_r33.0.3-linux.zip cd platform-tools sudo mv fastboot /usr/bin/ sudo mv adb /usr/bin -``` - -### GrapheneOS Files +#+end_src -Next, we need the [GrapheneOS files](https://grapheneos.org/releases) for -our device and model. For example, the Pixel 6 Pro is codenamed `raven` on the -release page. +*** GrapheneOS Files +:PROPERTIES: +:CUSTOM_ID: grapheneos-files +:END: +Next, we need the [[https://grapheneos.org/releases][GrapheneOS files]] +for our device and model. For example, the Pixel 6 Pro is codenamed +=raven= on the release page. Once we have the links, let's download them to our working directory: -```sh +#+begin_src sh curl -O https://releases.grapheneos.org/factory.pub curl -0 https://releases.grapheneos.org/raven-factory-2022091400.zip curl -0 https://releases.grapheneos.org/raven-factory-2022091400.zip.sig -``` - -#### Validate Integrity +#+end_src -In order to validate the integrity of the downloaded files, we will need the -`signify` package and Graphene's `factory.pub` file. +**** Validate Integrity +:PROPERTIES: +:CUSTOM_ID: validate-integrity +:END: +In order to validate the integrity of the downloaded files, we will need +the =signify= package and Graphene's =factory.pub= file. -```sh +#+begin_src sh sudo dnf install signify -``` +#+end_src -```sh +#+begin_src sh curl -O https://releases.grapheneos.org/factory.pub -``` +#+end_src -Then we can validate the files and ensure that no data was corrupted or +Then we can validate the files and ensure that no data was corrupted or modified before it was saved to our device. -```sh +#+begin_src sh signify -Cqp factory.pub -x raven-factory-2022091400.zip.sig && echo verified -``` +#+end_src -#### Unzip Files +**** Unzip Files +:PROPERTIES: +:CUSTOM_ID: unzip-files +:END: +Once the files are verified, we can unzip the Graphene image and enter +the directory: -Once the files are verified, we can unzip the Graphene image and enter the -directory: - -```sh +#+begin_src sh unzip raven-factory-2022091400.zip && cd raven-factory-2022091400 -``` - -## Installation Process - -### Enable Developer Debugging & OEM Unlock - -Before we can actually flash anything to the phone, we will need to enable -OEM Unlocking, as well as either USB Debugging or Wireless Debugging, depending on -which method we will be using. - -To start, enable developer mode by going to `Settings` > `About` and tapping -`Build Number` seven (7) times. You may need to enter your PIN to enable this -mode. - -Once developer mode is enabled, go to `Settings` > `System` > `Devloper -Options` and enable OEM Unlocking, as well as USB or Wireless Debugging. In my -case, I chose USB Debugging and performed all actions via USB cable. - -Once these options are enabled, plug the phone into the computer and execute the -following command: - -```sh +#+end_src + +** Installation Process +:PROPERTIES: +:CUSTOM_ID: installation-process +:END: +*** Enable Developer Debugging & OEM Unlock +:PROPERTIES: +:CUSTOM_ID: enable-developer-debugging-oem-unlock +:END: +Before we can actually flash anything to the phone, we will need to +enable OEM Unlocking, as well as either USB Debugging or Wireless +Debugging, depending on which method we will be using. + +To start, enable developer mode by going to =Settings= > =About= and +tapping =Build Number= seven (7) times. You may need to enter your PIN +to enable this mode. + +Once developer mode is enabled, go to =Settings= > =System= > +=Devloper Options= and enable OEM Unlocking, as well as USB or Wireless +Debugging. In my case, I chose USB Debugging and performed all actions +via USB cable. + +Once these options are enabled, plug the phone into the computer and +execute the following command: + +#+begin_src sh adb devices -``` - -If an unauthorized error occurs, make sure the USB mode on the phone is -changed from charging to something like "File Transfer" or "PTP." -You can find the USB mode in the notification tray. +#+end_src -### Reboot Device +If an unauthorized error occurs, make sure the USB mode on the phone is +changed from charging to something like "File Transfer" or "PTP." You +can find the USB mode in the notification tray. -Once we have found the device via `adb`, we can either boot into the -bootloader interface by holding the volume down button while the phone reboots -or by executing the following command: +*** Reboot Device +:PROPERTIES: +:CUSTOM_ID: reboot-device +:END: +Once we have found the device via =adb=, we can either boot into the +bootloader interface by holding the volume down button while the phone +reboots or by executing the following command: -```sh +#+begin_src sh adb reboot bootloader -``` +#+end_src -### Unlock the Bootloader +*** Unlock the Bootloader +:PROPERTIES: +:CUSTOM_ID: unlock-the-bootloader +:END: +The phone will reboot and load the bootloader screen upon startup. At +this point, we are ready to start the actual flashing of GrapheneOS onto +the device. -The phone will reboot and load the bootloader screen upon startup. At this -point, we are ready to start the actual flashing of GrapheneOS onto the device. +*NOTE*: In my situation, I needed to use =sudo= with every =fastboot= +command, but not with =adb= commands. I am not sure if this is standard +or a Fedora quirk, but I'm documenting my commands verbatim in this +post. -**NOTE**: In my situation, I needed to use `sudo` with every `fastboot` -command, but not with `adb` commands. I am not sure if this is standard or a -Fedora quirk, but I'm documenting my commands verbatim in this post. +First, we start by unlocking the bootloader so that we can load other +ROMs: -First, we start by unlocking the bootloader so that we can load other ROMs: - -```sh +#+begin_src sh sudo fastboot flashing unlock -``` - -### Flashing Factory Images +#+end_src -Once the phone is unlocked, we can flash it with the `flash-all.sh` script found -inside the `raven-factory-2022091400` folder we entered earlier: +*** Flashing Factory Images +:PROPERTIES: +:CUSTOM_ID: flashing-factory-images +:END: +Once the phone is unlocked, we can flash it with the =flash-all.sh= +script found inside the =raven-factory-2022091400= folder we entered +earlier: -```sh +#+begin_src sh sudo ./flash-all.sh -``` - -This process should take a few minutes and will print informational messages as -things progress. Avoid doing anything on the phone while this process is -operating. - -### Lock the Bootloader - -If everything was successful, the phone should reboot a few times and finally -land back on the bootloader screen. At this point, we can re-lock the -bootloader to enable full verified boot and protect the device from unwanted -flashing or erasure of data. - -```sh +#+end_src + +This process should take a few minutes and will print informational +messages as things progress. Avoid doing anything on the phone while +this process is operating. + +*** Lock the Bootloader +:PROPERTIES: +:CUSTOM_ID: lock-the-bootloader +:END: +If everything was successful, the phone should reboot a few times and +finally land back on the bootloader screen. At this point, we can +re-lock the bootloader to enable full verified boot and protect the +device from unwanted flashing or erasure of data. + +#+begin_src sh sudo fastboot flashing lock -``` +#+end_src Once done, the device will be wiped and ready for a fresh set-up! diff --git a/blog/2022-10-04-mtp-linux.org b/blog/2022-10-04-mtp-linux.org index d2c0543..0117fbd 100644 --- a/blog/2022-10-04-mtp-linux.org +++ b/blog/2022-10-04-mtp-linux.org @@ -1,79 +1,85 @@ -+++ -date = 2022-10-04 -title = "How to Mount an MTP Mobile Device on Linux" -description = "Learn how to easily mount Android MTP smartphones on Linux using the command line." -+++ - -I recently ran into trouble attempting to mount my GrapheneOS phone to my laptop -running Fedora Linux via the [Media Transfer -Protocol](https://en.wikipedia.org/wiki/Media_transfer_protocol) (MTP) and -discovered a simple and effective solution. - -## Use a USB 3.0 Port - -First, ensure that the device was plugged in to the laptop through a -USB 3.0 port, if possible. From a brief glance online, it seems that USB 2.0 -ports may cause issues with dropped connections over MTP. This is purely -anecdotal since I don't have any evidence to link showing that USB 2.0 causes -issues, but I can confirm that switching to a USB 3.0 port seemed to cut out -most -of my issues. - -## Switch USB Preferences to MTP - -Secondly, you need to ensure that the phone's USB preferences/mode is -changed to MTP or File Transfer once the phone is plugged in. Other modes will -not allow you to access the phone's file system. - -## Install `jmtpfs` - -Next, I used the `jmtpfs` package to mount my phone to my laptop. There are -other packages that exist, but this one worked perfectly for me. On Fedora -Linux, you can install it like this: - -```sh +#+title: How to Mount an MTP Mobile Device on Linux +#+date: 2022-10-04 + +I recently ran into trouble attempting to mount my GrapheneOS phone to my laptop +running Fedora Linux via the [[https://en.wikipedia.org/wiki/Media_transfer_protocol][Media Transfer Protocol]] (MTP) and discovered a +simple and effective solution. + +** Use a USB 3.0 Port +:PROPERTIES: +:CUSTOM_ID: use-a-usb-3.0-port +:END: +First, ensure that the device was plugged in to the laptop through a USB +3.0 port, if possible. From a brief glance online, it seems that USB 2.0 +ports may cause issues with dropped connections over MTP. This is purely +anecdotal since I don't have any evidence to link showing that USB 2.0 +causes issues, but I can confirm that switching to a USB 3.0 port seemed +to cut out most of my issues. + +** Switch USB Preferences to MTP +:PROPERTIES: +:CUSTOM_ID: switch-usb-preferences-to-mtp +:END: +Secondly, you need to ensure that the phone's USB preferences/mode is +changed to MTP or File Transfer once the phone is plugged in. Other +modes will not allow you to access the phone's file system. + +** Install =jmtpfs= +:PROPERTIES: +:CUSTOM_ID: install-jmtpfs +:END: +Next, I used the =jmtpfs= package to mount my phone to my laptop. There +are other packages that exist, but this one worked perfectly for me. On +Fedora Linux, you can install it like this: + +#+begin_src sh sudo dnf install jmtpfs -y -``` +#+end_src -## Create a Mount Point +** Create a Mount Point +:PROPERTIES: +:CUSTOM_ID: create-a-mount-point +:END: +Once you have the package installed, you just need to create a folder +for the device to use as a mount point. In my case, I used =/mnt/pixel=: -Once you have the package installed, you just need to create a folder for the -device to use as a mount point. In my case, I used `/mnt/pixel`: - -```sh +#+begin_src sh sudo mkdir /mnt/pixel sudo chown -R $USER:$USER /mnt/pixel -``` - -## Mount & Access the Phone's File System +#+end_src -Finally, plug-in and mount the device, and you should be able to see all +** Mount & Access the Phone's File System +:PROPERTIES: +:CUSTOM_ID: mount-access-the-phones-file-system +:END: +Finally, plug-in and mount the device, and you should be able to see all storage (internal and external) inside your new folder! -```sh +#+begin_src sh jmtpfs /mnt/pixel -``` +#+end_src The output should look something like this: -```sh +#+begin_src sh Device 0 (VID=18d1 and PID=4ee1) is a Google Inc Nexus/Pixel (MTP). Android device detected, assigning default bug flags -``` +#+end_src -Now you are mounted and can do anything you'd like with the device's files: +Now you are mounted and can do anything you'd like with the device's +files: -```sh +#+begin_src sh cd /mnt/pixel ls -lha -``` +#+end_src -From here, you will be able to see any internal or external storage available on -the device: +From here, you will be able to see any internal or external storage +available on the device: -```sh +#+begin_src sh total 0 drwxr-xr-x. 3 user user 0 Jan 1 1970 . drwxr-xr-x. 1 root root 10 Oct 4 13:29 .. drwxr-xr-x. 16 user user 0 Apr 21 4426383 'Internal shared storage' -``` +#+end_src diff --git a/blog/2022-10-20-syncthing.org b/blog/2022-10-20-syncthing.org index 20e25a9..1892d48 100644 --- a/blog/2022-10-20-syncthing.org +++ b/blog/2022-10-20-syncthing.org @@ -1,166 +1,198 @@ -+++ -date = 2022-10-20 -title = "Syncthing: A Minimal Self-Hosted Cloud Storage Solution" -description = "In this post, I walk through the Syncthing software and how to set it up on multiple devices." -+++ - -## An Overview of Syncthing - -If you've been looking around the self-hosted cloud storage space for a while, -you've undoubtedly run into someone suggesting -[Syncthing](https://syncthing.net) as an option. However, it is an unusual -alternative for those users out there who are used to having a centralized cloud -server that serves as the "controller" of the data and interacts with clients on -devices to fetch files. - -This post is a walkthrough of the Syncthing software, how I set up my personal -storage, and some pros and cons of using the software. - -## Installing Syncthing - -To install Syncthing, visit the [Downloads](https://syncthing.net/downloads/) -page or install via your device's package manager. - -### Server & Desktop - -You can install Syncthing on servers and desktops via the Downloads page linked -above or via the command-line. +#+title: Syncthing: A Minimal Self-Hosted Cloud Storage Solution +#+date: 2022-10-20 + +** An Overview of Syncthing +:PROPERTIES: +:CUSTOM_ID: an-overview-of-syncthing +:END: +If you've been looking around the self-hosted cloud storage space for a +while, you've undoubtedly run into someone suggesting +[[https://syncthing.net][Syncthing]] as an option. However, it is an +unusual alternative for those users out there who are used to having a +centralized cloud server that serves as the "controller" of the data and +interacts with clients on devices to fetch files. + +This post is a walkthrough of the Syncthing software, how I set up my +personal storage, and some pros and cons of using the software. + +** Installing Syncthing +:PROPERTIES: +:CUSTOM_ID: installing-syncthing +:END: +To install Syncthing, visit the +[[https://syncthing.net/downloads/][Downloads]] page or install via your +device's package manager. + +*** Server & Desktop +:PROPERTIES: +:CUSTOM_ID: server-desktop +:END: +You can install Syncthing on servers and desktops via the Downloads page +linked above or via the command-line. For Debian-based distros: -```sh +#+begin_src sh sudo apt install syncthing -``` +#+end_src For Fedora-based distros: -```sh +#+begin_src sh sudo dnf install syncthing -``` - -### Mobile - -Syncthing for Android is available on -[F-Droid](https://f-droid.org/packages/com.nutomic.syncthingandroid/) and -[Google Play](https://play.google.com/store/apps/details?id=com.nutomic.syncthingandroid). -Syncthing does not have an official iOS client, but there is a third-party -client called [Möbius -Sync](https://apps.apple.com/us/app/m%C3%B6bius-sync/id1539203216). - -## How Does Syncthing Work? - -To start, I wanted to include the main marketing blurb from their website: - -> Syncthing is a continuous file synchronization program. It synchronizes files -> between two or more computers in real time, safely protected from prying eyes. -> Your data is your data alone, and you deserve to choose where it is stored, -> whether it is shared with some third party, and how it's transmitted over the -> internet. - -Let's break this apart and add in some other details to help explain what -exactly Syncthing does in order to sync files between devices. - -### Local Syncthing Server(s) - -Syncthing syncs files between multiple devices by creating a local server on -each device. These local servers handle a few different things, such as -watching files and directories for changes, hosting an administrative GUI -website, and authenticating with connected devices. - -You can also start, stop, and restart the Syncthing server via the command-line -or web dashboard. If you're running Syncthing on a device with `systemd`, you -can use the following commands: - -```sh +#+end_src + +*** Mobile +:PROPERTIES: +:CUSTOM_ID: mobile +:END: +Syncthing for Android is available on +[[https://f-droid.org/packages/com.nutomic.syncthingandroid/][F-Droid]] +and +[[https://play.google.com/store/apps/details?id=com.nutomic.syncthingandroid][Google +Play]]. Syncthing does not have an official iOS client, but there is a +third-party client called +[[https://apps.apple.com/us/app/m%C3%B6bius-sync/id1539203216][Möbius +Sync]]. + +** How Does Syncthing Work? +:PROPERTIES: +:CUSTOM_ID: how-does-syncthing-work +:END: +To start, I wanted to include the main marketing blurb from their +website: + +#+begin_quote +Syncthing is a continuous file synchronization program. It synchronizes +files between two or more computers in real time, safely protected from +prying eyes. Your data is your data alone, and you deserve to choose +where it is stored, whether it is shared with some third party, and how +it's transmitted over the internet. + +#+end_quote + +Let's break this apart and add in some other details to help explain +what exactly Syncthing does in order to sync files between devices. + +*** Local Syncthing Server(s) +:PROPERTIES: +:CUSTOM_ID: local-syncthing-servers +:END: +Syncthing syncs files between multiple devices by creating a local +server on each device. These local servers handle a few different +things, such as watching files and directories for changes, hosting an +administrative GUI website, and authenticating with connected devices. + +You can also start, stop, and restart the Syncthing server via the +command-line or web dashboard. If you're running Syncthing on a device +with =systemd=, you can use the following commands: + +#+begin_src sh sudo systemctl start syncthing@username.service sudo systemctl restart syncthing@username.service sudo systemctl stop syncthing@username.service -``` - -### Syncthing Dashboard - -This biggest part of Syncthing is the admin GUI website that runs on each -device (note that mobile devices will use the Syncthing app rather than the -web GUI). The admin GUI is available through the web browser on the -local device that is running Syncthing - simply go to `http://localhost:8384` -or `http://127.0.0.1:8384`. This web page is the place where you will change -settings, add/modify synced files, and add/modify connected devices. +#+end_src + +*** Syncthing Dashboard +:PROPERTIES: +:CUSTOM_ID: syncthing-dashboard +:END: +This biggest part of Syncthing is the admin GUI website that runs on +each device (note that mobile devices will use the Syncthing app rather +than the web GUI). The admin GUI is available through the web browser on +the local device that is running Syncthing - simply go to +=http://localhost:8384= or =http://127.0.0.1:8384=. This web page is the +place where you will change settings, add/modify synced files, and +add/modify connected devices. Here's an example web GUI dashboard: - - -### Remote Devices - -A cloud storage solution wouldn't be very useful if you aren't able to share -data among various devices. Syncthing does this by sharing Device IDs to connect -servers, and then by manually sharing Folders with devices that have been -connected. - -For instance, if you have a laptop running Syncthing and then install the -Syncthing mobile app on a phone, you could scan the laptop's QR code for Device -ID and then accept the authentication on the laptop's dashboard. Next, you can -use either device to select a folder for sharing and dictating which device -should send, receive, or both. - -When you connect devices, you can set one device as an "Introducer," which can -add devices from the introducer to the device list, for mutually shared folders. -You can also configure Auto Accept, compression, rate limits, and more settings -per device. - -## My Personal Cloud Storage Set-up - -Personally, I use a model similar to a traditional cloud storage service. I have -a "centralized" server running 24/7 that acts as an Introducer for my Syncthing -network. I think of this as my main storage and all other devices as tertiary -client devices. I will likely add additional servers as backups as time goes on -so that I don't have to rely on my laptop or phone as the only backups. - -Currently, I have one desktop and one mobile device connected to the network, -both running intermittently as they are not powered-on 24/7. - -The initial set-up of the software was easy enough, but data transfer rates were -incredibly slow for me due to the Wi-Fi. Instead, I plugged my laptop into the -ethernet network that my server is on and manually copied my folders over to the -server with `scp`. Once complete, Syncthing validated that all files were there -and not missing, and it did not need to transfer any data through the WAN. - -As slow as the transfer was going, this probably saved me a few days of waiting -for my ~100GB sync. - -## Pros & Cons - -I've put together a short list of pros and cons for Syncthing. I thought about -my experiences with Nextcloud, WebDAV, proprietary services (Google Drive, -iCloud, etc.), and privacy-focused cloud solutions (pCloud, Tresorit, etc.). - -**Pros:** +#+caption: Syncthing Dashboard +[[https://img.cleberg.net/blog/20221020-syncthing/syncthing_gui.png]] + +*** Remote Devices +:PROPERTIES: +:CUSTOM_ID: remote-devices +:END: +A cloud storage solution wouldn't be very useful if you aren't able to +share data among various devices. Syncthing does this by sharing Device +IDs to connect servers, and then by manually sharing Folders with +devices that have been connected. + +For instance, if you have a laptop running Syncthing and then install +the Syncthing mobile app on a phone, you could scan the laptop's QR code +for Device ID and then accept the authentication on the laptop's +dashboard. Next, you can use either device to select a folder for +sharing and dictating which device should send, receive, or both. + +When you connect devices, you can set one device as an "Introducer," +which can add devices from the introducer to the device list, for +mutually shared folders. You can also configure Auto Accept, +compression, rate limits, and more settings per device. + +** My Personal Cloud Storage Set-up +:PROPERTIES: +:CUSTOM_ID: my-personal-cloud-storage-set-up +:END: +Personally, I use a model similar to a traditional cloud storage +service. I have a "centralized" server running 24/7 that acts as an +Introducer for my Syncthing network. I think of this as my main storage +and all other devices as tertiary client devices. I will likely add +additional servers as backups as time goes on so that I don't have to +rely on my laptop or phone as the only backups. + +Currently, I have one desktop and one mobile device connected to the +network, both running intermittently as they are not powered-on 24/7. + +The initial set-up of the software was easy enough, but data transfer +rates were incredibly slow for me due to the Wi-Fi. Instead, I plugged +my laptop into the ethernet network that my server is on and manually +copied my folders over to the server with =scp=. Once complete, +Syncthing validated that all files were there and not missing, and it +did not need to transfer any data through the WAN. + +As slow as the transfer was going, this probably saved me a few days of +waiting for my ~100GB sync. + +** Pros & Cons +:PROPERTIES: +:CUSTOM_ID: pros-cons +:END: +I've put together a short list of pros and cons for Syncthing. I thought +about my experiences with Nextcloud, WebDAV, proprietary services +(Google Drive, iCloud, etc.), and privacy-focused cloud solutions +(pCloud, Tresorit, etc.). + +*Pros:* - I've faced no data loss at all through my two-month trial run. - No third-parties store your data on their servers. -- You have full control over your data and can take your data and leave at any -time. -- It's possible to encrypt client-side easily with software like Cryptomator. -- No proprietary clients or mounted volumes, just plain files and folders. +- You have full control over your data and can take your data and leave + at any time. +- It's possible to encrypt client-side easily with software like + Cryptomator. +- No proprietary clients or mounted volumes, just plain files and + folders. -**Cons:** +*Cons:* -- The learning curve is steeper than traditional cloud services and is +- The learning curve is steeper than traditional cloud services and is focused on a technical audience. -- If a device needs to modify files in a Folder, the devices will need to - sync ALL files from the folder, which may be large. To avoid size +- If a device needs to modify files in a Folder, the devices will need + to sync ALL files from the folder, which may be large. To avoid size restraints, split large folders into smaller folders for syncing. -- Syncing can be slow due to the clients/servers initially connecting or +- Syncing can be slow due to the clients/servers initially connecting or re-connecting after sleeping. -- Multiple personal devices are required and require the user to own or rent - them as no third-party servers are involved in the storage of data. - -Overall, I've had a great experience with Syncthing so far. I've had no data -loss, syncing has been quick and easy when changes are made to files, device -connections are reliable, and I love the freedom of controlling the clients and -servers as I choose. - -Not to mention that I appreciate that I - or someone else - could pull the -Syncthing [source code](https://github.com/syncthing) and continue -development/support if the Syncthing Foundation decides to stop developing the -software or sells the business. +- Multiple personal devices are required and require the user to own or + rent them as no third-party servers are involved in the storage of + data. + +Overall, I've had a great experience with Syncthing so far. I've had no +data loss, syncing has been quick and easy when changes are made to +files, device connections are reliable, and I love the freedom of +controlling the clients and servers as I choose. + +Not to mention that I appreciate that I - or someone else - could pull +the Syncthing [[https://github.com/syncthing][source code]] and continue +development/support if the Syncthing Foundation decides to stop +developing the software or sells the business. diff --git a/blog/2022-10-22-alpine-linux.org b/blog/2022-10-22-alpine-linux.org index 3d04041..c5fdf1a 100644 --- a/blog/2022-10-22-alpine-linux.org +++ b/blog/2022-10-22-alpine-linux.org @@ -1,264 +1,301 @@ -+++ -date = 2022-10-22 -title = "Alpine Linux: My New Server OS" -description = "In this post, I explain Alpine Linux's benefits as a server OS and explain my current setup." -+++ - -## Alpine Linux - -[Alpine Linux](https://alpinelinux.org) is a very small distro, built on musl -libc and busybox. It uses ash as the default shell, OpenRC as the init -system, and apk as the package manager. According to their website, an Alpine -container "requires no more than 8 MB and a minimal installation to disk -requires around 130 MB of storage." An actual bare metal machine is recommended -to have 100 MB of RAM and 0-700 MB of storage space. - -Historically, I've used Ubuntu's minimal installation image as my server OS for -the last five years. Ubuntu worked well and helped as my original server -contained an nVidia GPU and no onboard graphics, so quite a few distros won't -boot or install without a lot of tinkering. - -Alpine has given me a huge increase in performance across my Docker apps and -Nginx websites. CPU load for the new server I'm using to test Alpine hovers -around 0-5% on average with an Intel(R) Core(TM) i3-6100 CPU @ 3.70GHz. - -The only services I haven't moved over to Alpine are Plex Media Server and -Syncthing, which may increase CPU load quite a bit depending on how many -streams are running. - -### Installation - -In terms of installation, Alpine has an incredibly useful -[wiki](https://wiki.alpinelinux.org/wiki/Installation) that will guide a user -throughout the installation and post-installation processes, as well as various -other articles and guides. - -To install Alpine, find an appropriate [image to -download](https://alpinelinux.org/downloads/) and flash it to a USB using -software such as Rufus or Etcher. I opted to use the Standard image for my -x86_64 architecture. - -Once the USB is ready, plug it into the machine and reboot. -Note that you may have to use a key such as `Esc` or `F1-12` to access the -boot menu. -The Alpine Linux terminal will load quickly and for a login. - -To log in to the installation image, use the `root` account; there is no +#+title: Alpine Linux: My New Server OS +#+date: 2022-10-22 + +** Alpine Linux +:PROPERTIES: +:CUSTOM_ID: alpine-linux +:END: +[[https://alpinelinux.org][Alpine Linux]] is a very small distro, built +on musl libc and busybox. It uses ash as the default shell, OpenRC as +the init system, and apk as the package manager. According to their +website, an Alpine container "requires no more than 8 MB and a minimal +installation to disk requires around 130 MB of storage." An actual bare +metal machine is recommended to have 100 MB of RAM and 0-700 MB of +storage space. + +Historically, I've used Ubuntu's minimal installation image as my server +OS for the last five years. Ubuntu worked well and helped as my original +server contained an nVidia GPU and no onboard graphics, so quite a few +distros won't boot or install without a lot of tinkering. + +Alpine has given me a huge increase in performance across my Docker apps +and Nginx websites. CPU load for the new server I'm using to test Alpine +hovers around 0-5% on average with an Intel(R) Core(TM) i3-6100 CPU @ +3.70GHz. + +The only services I haven't moved over to Alpine are Plex Media Server +and Syncthing, which may increase CPU load quite a bit depending on how +many streams are running. + +*** Installation +:PROPERTIES: +:CUSTOM_ID: installation +:END: +In terms of installation, Alpine has an incredibly useful +[[https://wiki.alpinelinux.org/wiki/Installation][wiki]] that will guide +a user throughout the installation and post-installation processes, as +well as various other articles and guides. + +To install Alpine, find an appropriate +[[https://alpinelinux.org/downloads/][image to download]] and flash it +to a USB using software such as Rufus or Etcher. I opted to use the +Standard image for my x86_64 architecture. + +Once the USB is ready, plug it into the machine and reboot. Note that +you may have to use a key such as =Esc= or =F1-12= to access the boot +menu. The Alpine Linux terminal will load quickly and for a login. + +To log in to the installation image, use the =root= account; there is no password. Once logged-in, execute the setup command: -```sh +#+begin_src sh setup-alpine -``` +#+end_src -The setup script will ask a series of questions to configure the system. Be sure -to answer carefully or else you may have to re-configure the system after boot. +The setup script will ask a series of questions to configure the system. +Be sure to answer carefully or else you may have to re-configure the +system after boot. -- Keyboard Layout (Local keyboard language and usage mode, e.g., us and variant -of us-nodeadkeys.) +- Keyboard Layout (Local keyboard language and usage mode, e.g., us and + variant of us-nodeadkeys.) - Hostname (The name for the computer.) -- Network (For example, automatic IP address discovery with the "DHCP" -protocol.) -- DNS Servers (Domain Name Servers to query. For privacy reasons, it is NOT -recommended to route every local request to servers like Google's 8.8.8.8 .) +- Network (For example, automatic IP address discovery with the "DHCP" + protocol.) +- DNS Servers (Domain Name Servers to query. For privacy reasons, it is + NOT recommended to route every local request to servers like Google's + 8.8.8.8 .) - Timezone -- Proxy (Proxy server to use for accessing the web. Use "none" for direct -connections to the internet.) -- Mirror (From where to download packages. Choose the organization you trust -giving your usage patterns to.) -- SSH (Secure SHell remote access server. "Openssh" is part of the default -install image. Use "none" to disable remote login, e.g. on laptops.) -- NTP (Network Time Protocol client used for keeping the system clock in sync -with a time-server. Package "chrony" is part of the default install image.) -- Disk Mode (Select between diskless (disk="none"), "data" or "sys", as -described above.) - -Once the setup script is finished, be sure to reboot the machine and remove the -USB device. - -```sh +- Proxy (Proxy server to use for accessing the web. Use "none" for + direct connections to the internet.) +- Mirror (From where to download packages. Choose the organization you + trust giving your usage patterns to.) +- SSH (Secure SHell remote access server. "Openssh" is part of the + default install image. Use "none" to disable remote login, e.g. on + laptops.) +- NTP (Network Time Protocol client used for keeping the system clock in + sync with a time-server. Package "chrony" is part of the default + install image.) +- Disk Mode (Select between diskless (disk="none"), "data" or "sys", as + described above.) + +Once the setup script is finished, be sure to reboot the machine and +remove the USB device. + +#+begin_src sh reboot -``` - -### Post-Installation - -There are many things you can do once your Alpine Linux system is up and -running, and it largely depends on what you'll use the machine for. -I'm going to walk through my personal post-installation setup for my web server. - -#### Upgrade the System - -First, login as `root` in order to update and upgrade the system: - -```sh +#+end_src + +*** Post-Installation +:PROPERTIES: +:CUSTOM_ID: post-installation +:END: +There are many things you can do once your Alpine Linux system is up and +running, and it largely depends on what you'll use the machine for. I'm +going to walk through my personal post-installation setup for my web +server. + +**** Upgrade the System +:PROPERTIES: +:CUSTOM_ID: upgrade-the-system +:END: +First, login as =root= in order to update and upgrade the system: + +#+begin_src sh apk -U upgrade -``` - -#### Adding a User +#+end_src -I needed to add a user so that I don't need to log in as root. -Note that if you're used to using the `sudo` command, you will now need to -use the `doas` command on Alpine Linux. +**** Adding a User +:PROPERTIES: +:CUSTOM_ID: adding-a-user +:END: +I needed to add a user so that I don't need to log in as root. Note that +if you're used to using the =sudo= command, you will now need to use the +=doas= command on Alpine Linux. -```sh +#+begin_src sh apk add doas adduser <username> adduser <username> wheel -``` +#+end_src You can now log out and log back in using the newly-created user: -```sh +#+begin_src sh exit -``` +#+end_src -#### Enable Community Packages +**** Enable Community Packages +:PROPERTIES: +:CUSTOM_ID: enable-community-packages +:END: +In order to install more common packages that aren't found in the =main= +repository, you will need to enable the =community= repository: -In order to install more common packages that aren't found in the `main` -repository, you will need to enable the `community` repository: - -```sh +#+begin_src sh doas nano /etc/apk/repositories -``` +#+end_src -Uncomment the community line for whichever version of Alpine you're running: +Uncomment the community line for whichever version of Alpine you're +running: -```sh +#+begin_src sh /media/usb/apks http://dl-cdn.alpinelinux.org/alpine/v3.16/main http://dl-cdn.alpinelinux.org/alpine/v3.16/community #http://dl-cdn.alpinelinux.org/alpine/edge/main #http://dl-cdn.alpinelinux.org/alpine/edge/community #http://dl-cdn.alpinelinux.org/alpine/edge/testing -``` - -#### Install Required Packages +#+end_src -Now that the community packages are available, you can install any packages you -need. In my case, I installed the web server packages I need for my services: +**** Install Required Packages +:PROPERTIES: +:CUSTOM_ID: install-required-packages +:END: +Now that the community packages are available, you can install any +packages you need. In my case, I installed the web server packages I +need for my services: -```sh +#+begin_src sh doas apk add nano nginx docker docker-compose ufw -``` - -#### SSH +#+end_src -If you didn't install OpenSSH as part of the installation, you can do so now: +**** SSH +:PROPERTIES: +:CUSTOM_ID: ssh +:END: +If you didn't install OpenSSH as part of the installation, you can do so +now: -```sh +#+begin_src sh doas apk add openssh -``` +#+end_src -Next, either create a new key or copy your SSH key to the server from your -current machines: +Next, either create a new key or copy your SSH key to the server from +your current machines: -```sh +#+begin_src sh # Create a new key ssh-keygen -``` +#+end_src If you need to copy an existing SSH key from a current machine: -```sh +#+begin_src sh # Copy key from existing machines ssh-copy-id <username>@<ip_address> -``` +#+end_src -#### Firewall +**** Firewall +:PROPERTIES: +:CUSTOM_ID: firewall +:END: +Lastly, I installed =ufw= above as my firewall. To set up, default to +deny incoming and allow outgoing connections. Then selectively allow +other ports or apps as needed. -Lastly, I installed `ufw` above as my firewall. -To set up, default to deny incoming and allow outgoing connections. -Then selectively allow other ports or apps as needed. - -```sh +#+begin_src sh doas ufw default deny incoming doas ufw default allow outgoing doas ufw allow SSH doas ufw allow "WWW Full" doas ufw allow 9418 # Git server port -``` - -#### Change Hostname +#+end_src -If you don't like the hostname set during installation, you just need to edit -two files. First, edit the simple hostname file: +**** Change Hostname +:PROPERTIES: +:CUSTOM_ID: change-hostname +:END: +If you don't like the hostname set during installation, you just need to +edit two files. First, edit the simple hostname file: -```sh +#+begin_src sh doas nano /etc/hostname -``` +#+end_src -```sh +#+begin_src sh <hostname> -``` +#+end_src -Next, edit the `hosts` file: +Next, edit the =hosts= file: -```sh +#+begin_src sh doas nano /etc/hosts -``` - -```sh -127.0.0.1 <hostname>.local <hostname> localhost.local localhost -::1 <hostname> <hostname>.local -``` - -## Nginx Web Server - -To set up my web server, I simply created the `www` user and created the +#+end_src + +#+begin_src sh +127.0.0.1 <hostname>.local <hostname> localhost.local localhost +::1 <hostname> <hostname>.local +#+end_src + +** Nginx Web Server +:PROPERTIES: +:CUSTOM_ID: nginx-web-server +:END: +To set up my web server, I simply created the =www= user and created the necessary files. -```sh +#+begin_src sh doas adduser -D -g 'www' www mkdir /www doas mkdir /www doas chown -R www:www /var/lib/nginx/ doas chown -R www:www /www -``` +#+end_src -If you're running a simple webroot, you can alter the main `nginx.conf` file. -Otherwise, you can drop configuration files in the following directory. You -don't need to enable or symlink the configuration file like you do in other -systems. +If you're running a simple webroot, you can alter the main =nginx.conf= +file. Otherwise, you can drop configuration files in the following +directory. You don't need to enable or symlink the configuration file +like you do in other systems. -```sh +#+begin_src sh doas nano /etc/nginx/http.d/example_website.conf -``` +#+end_src -Once the configuration is set and pointed at the `/www` directory to serve -files, enable the Nginx service: +Once the configuration is set and pointed at the =/www= directory to +serve files, enable the Nginx service: -```sh +#+begin_src sh # Note that 'default' must be included or Nginx will not start on boot doas rc-update add nginx default -``` - -## Docker Containers - -Docker works exactly the same as other systems. Either execute a `docker run` -command or create a `docker-compose.yml` file and do `docker-compose up -d`. - -## Git Server - -I went in-depth on how to self-host a git server in another post: -[Self-Hosting a Personal Git Server](/blog/git-server/). - -However, there are a few differences with Alpine. First note that in order to -change the `git` user's shell, you must do a few things a little different: - -```sh +#+end_src + +** Docker Containers +:PROPERTIES: +:CUSTOM_ID: docker-containers +:END: +Docker works exactly the same as other systems. Either execute a +=docker run= command or create a =docker-compose.yml= file and do +=docker-compose up -d=. + +** Git Server +:PROPERTIES: +:CUSTOM_ID: git-server +:END: +I went in-depth on how to self-host a git server in another post: +[[/blog/git-server/][Self-Hosting a Personal Git Server]]. + +However, there are a few differences with Alpine. First note that in +order to change the =git= user's shell, you must do a few things a +little different: + +#+begin_src sh doas apk add libuser doas touch /etc/login.defs doas mkdir /etc/default doas touch /etc/default/useradd doas lchsh git -``` - -## Thoughts on Alpine - -So far, I love Alpine Linux. I have no complaints about anything at this point, -but I'm not completely finished with the migration yet. Once I'm able to upgrade -my hardware to a rack-mounted server, I will migrate Plex and Syncthing over to -Alpine as well - possibly putting Plex into a container or VM. - -The performance is stellar, the `apk` package manager is seamless, and system -administration tasks are effortless. My only regret is that I didn't -install Alpine sooner. +#+end_src + +** Thoughts on Alpine +:PROPERTIES: +:CUSTOM_ID: thoughts-on-alpine +:END: +So far, I love Alpine Linux. I have no complaints about anything at this +point, but I'm not completely finished with the migration yet. Once I'm +able to upgrade my hardware to a rack-mounted server, I will migrate +Plex and Syncthing over to Alpine as well - possibly putting Plex into a +container or VM. + +The performance is stellar, the =apk= package manager is seamless, and +system administration tasks are effortless. My only regret is that I +didn't install Alpine sooner. diff --git a/blog/2022-10-30-linux-display-manager.org b/blog/2022-10-30-linux-display-manager.org index 9852535..3fe59cb 100644 --- a/blog/2022-10-30-linux-display-manager.org +++ b/blog/2022-10-30-linux-display-manager.org @@ -1,78 +1,85 @@ -+++ -date = 2022-10-30 -title = "How to Disable or Change the Display Manager on Void Linux" -description = "Learn how to change the default dm on Void Linux or disable it completely." -+++ - -## Display Manager Services - -In order to change the [display -manager](https://en.wikipedia.org/wiki/Display_manager) on Void Linux - or any -other Linux distro - you need to identify the currently enabled display manager. - -### Disabling the Current Display Manager - -Void Linux only has one ISO available for download with a pre-built display -manager at the time of this post: the XFCE ISO. If you've installed this -version, the pre-assigned display manager is `lxdm`. If you installed another -display manager, replace `lxdm` in the following command with the display -manager you have installed. - -To disable `lxdm`, simply remove the service symlink: - -```sh +#+title: How to Disable or Change the Display Manager on Void Linux +#+date: 2022-10-30 + +** Display Manager Services +:PROPERTIES: +:CUSTOM_ID: display-manager-services +:END: +In order to change the +[[https://en.wikipedia.org/wiki/Display_manager][display manager]] on +Void Linux - or any other Linux distro - you need to identify the +currently enabled display manager. + +*** Disabling the Current Display Manager +:PROPERTIES: +:CUSTOM_ID: disabling-the-current-display-manager +:END: +Void Linux only has one ISO available for download with a pre-built +display manager at the time of this post: the XFCE ISO. If you've +installed this version, the pre-assigned display manager is =lxdm=. If +you installed another display manager, replace =lxdm= in the following +command with the display manager you have installed. + +To disable =lxdm=, simply remove the service symlink: + +#+begin_src sh sudo rm /var/service/lxdm -``` - -### Enabling a New Display Manager - -If you want to enable a new display manager, you can do so after `lxdm` is -disabled. Make sure to replace `<new_display_manager>` with your new DM, such as -`gdm`, `xdm`, etc. +#+end_src +*** Enabling a New Display Manager +:PROPERTIES: +:CUSTOM_ID: enabling-a-new-display-manager +:END: +If you want to enable a new display manager, you can do so after =lxdm= +is disabled. Make sure to replace =<new_display_manager>= with your new +DM, such as =gdm=, =xdm=, etc. -```sh +#+begin_src sh sudo ln -s /etc/sv/<new_display_manager> /var/service -``` +#+end_src -## Set Up `.xinitrc` +** Set Up =.xinitrc= +:PROPERTIES: +:CUSTOM_ID: set-up-.xinitrc +:END: +Depending on your setup, you may need to create a few X files, such as +=~/.xinitrc=. For my personal set-up, I created this file to launch the +i3wm as my desktop. -Depending on your setup, you may need to create a few X files, such as -`~/.xinitrc`. For my personal set-up, I created this file to launch the i3wm as -my desktop. - -```sh +#+begin_src sh nano ~/.xinitrc -``` +#+end_src -```sh +#+begin_src sh #!/bin/sh exec i3 -``` - -If you run a desktop other than i3, simply replace `i3` with the shell command -that launches that desktop. +#+end_src -## Set Up Your Shell Profile +If you run a desktop other than i3, simply replace =i3= with the shell +command that launches that desktop. -Finally, in order to automatically launch an X session upon login, you will need -to edit the `.bash_profile` (bash) or `.zprofile` (zsh) files for your -shell: +** Set Up Your Shell Profile +:PROPERTIES: +:CUSTOM_ID: set-up-your-shell-profile +:END: +Finally, in order to automatically launch an X session upon login, you +will need to edit the =.bash_profile= (bash) or =.zprofile= (zsh) files +for your shell: -```sh +#+begin_src sh nano ~/.zprofile -``` +#+end_src -Add the following snippet to the end of the shell profile file. This will -execute the `startx` command upon login. +Add the following snippet to the end of the shell profile file. This +will execute the =startx= command upon login. -```sh +#+begin_src sh if [ -z "${DISPLAY}" ] && [ "${XDG_VTNR}" -eq 1 ]; then - exec startx + exec startx fi -``` +#+end_src -Alternatively, you can ignore this step and simply choose to manually execute -`startx` upon login. This can be useful if you have issues with your desktop or -like to manually launch different desktops by choice. +Alternatively, you can ignore this step and simply choose to manually +execute =startx= upon login. This can be useful if you have issues with +your desktop or like to manually launch different desktops by choice. diff --git a/blog/2022-11-07-matrix-synapse.org b/blog/2022-11-07-matrix-synapse.org index 0c0d43f..493957a 100644 --- a/blog/2022-11-07-matrix-synapse.org +++ b/blog/2022-11-07-matrix-synapse.org @@ -1,103 +1,114 @@ -+++ -date = 2022-11-07 -title = "Self-Hosting Matrix Synapse on Alpine Linux" -description = "A short guide on how I was able to get Synapse working on Alpine Linux." -+++ - -## Synpase - -If you're reading this, you likely know that -[Synapse](https://github.com/matrix-org/synapse/) is a popular -[Matrix](https://matrix.org/) home server software that allows users to run -their own Matrix home server. - -This post is a short guide describing how I was able to get Synapse working in a -minimally-usable state on Alpine Linux. - -## Installation Process - -### Dependencies - -First, since there is no Alpine-specific package for Synapse, we need to ensure -that Alpine has the required dependencies for the Python-based installation -method. - -```sh +#+title: Self-Hosting Matrix Synapse on Alpine Linux +#+date: 2022-11-07 + +** Synpase +:PROPERTIES: +:CUSTOM_ID: synpase +:END: +If you're reading this, you likely know that +[[https://github.com/matrix-org/synapse/][Synapse]] is a popular +[[https://matrix.org/][Matrix]] home server software that allows users +to run their own Matrix home server. + +This post is a short guide describing how I was able to get Synapse +working in a minimally-usable state on Alpine Linux. + +** Installation Process +:PROPERTIES: +:CUSTOM_ID: installation-process +:END: +*** Dependencies +:PROPERTIES: +:CUSTOM_ID: dependencies +:END: +First, since there is no Alpine-specific package for Synapse, we need to +ensure that Alpine has the required dependencies for the Python-based +installation method. + +#+begin_src sh doas apk -U update doas apk add python3 py3-virtualenv -``` +#+end_src Next, we need to set up a Python virtual environment for Synapse: -```sh +#+begin_src sh mkdir -p ~/synapse && cd ~/synapse virtualenv -p python3 ~/synapse/env source ~/synapse/env/bin/activate pip install --upgrade pip pip install --upgrade setuptools pip install matrix-synapse -``` - -### Running Synapse - -Once installed, running Synapse is easy. Simply execute the following command, -replacing `example.com` with the domain name that will be used with this -home server. This will generate the configuration files needed to run the -server. - -```sh +#+end_src + +*** Running Synapse +:PROPERTIES: +:CUSTOM_ID: running-synapse +:END: +Once installed, running Synapse is easy. Simply execute the following +command, replacing =example.com= with the domain name that will be used +with this home server. This will generate the configuration files needed +to run the server. + +#+begin_src sh python -m synapse.app.homeserver \ --server-name example.com \ --config-path homeserver.yaml \ --generate-config \ --report-stats=no -``` +#+end_src Once the configuration is generated, we can start up the Synapse server: -```sh +#+begin_src sh synctl start -``` +#+end_src -### Configuring Synapse +*** Configuring Synapse +:PROPERTIES: +:CUSTOM_ID: configuring-synapse +:END: +To make any change to Synapse, we need to edit the =YAML= configuration +file: -To make any change to Synapse, we need to edit the `YAML` configuration file: - -```sh +#+begin_src sh nano ~/synapse/homeserver.yaml -``` +#+end_src -For now, we just need to ensure the `server_name` is accurate. However, there -are a lot of other configuration options found in the [Configuring -Synapse](https://matrix-org.github.io/synapse/develop/usage/configuration/config_documentation.html) -documentation that can be enabled/disabled at any point. +For now, we just need to ensure the =server_name= is accurate. However, +there are a lot of other configuration options found in the +[[https://matrix-org.github.io/synapse/develop/usage/configuration/config_documentation.html][Configuring +Synapse]] documentation that can be enabled/disabled at any point. -```yaml +#+begin_src yaml server_name: "example.com" -``` +#+end_src Make sure to restart Synapse when you make changes to the configuration: -```sh +#+begin_src sh synctl restart -``` - -### Nginx Reverse-Proxy +#+end_src -To ensure that Synapse is reachable from the public, we need to connect our -domain to the Synapse server. -In my case, I use a Nginx reverse-proxy for this purpose. +*** Nginx Reverse-Proxy +:PROPERTIES: +:CUSTOM_ID: nginx-reverse-proxy +:END: +To ensure that Synapse is reachable from the public, we need to connect +our domain to the Synapse server. In my case, I use a Nginx +reverse-proxy for this purpose. To use Nginx, we need to create a reverse-proxy configuration file: -```sh +#+begin_src sh doas nano /etc/nginx/http.d/example.com.conf -``` +#+end_src -If you already have TLS certificates for this domain (`example.com`), you can -simply use the SSL configuration and point toward your TLS certificates. +If you already have TLS certificates for this domain (=example.com=), +you can simply use the SSL configuration and point toward your TLS +certificates. -```conf +#+begin_src conf server { listen 443 ssl http2; listen [::]:443 ssl http2; @@ -128,22 +139,23 @@ server { } server { - if ($host = example.com) { - return 301 https://$host$request_uri; - } + if ($host = example.com) { + return 301 https://$host$request_uri; + } server_name example.com; listen 80; - return 404; + return 404; } -``` +#+end_src -If you need to generate TLS certificates (I recommend -[Certbot](https://certbot.eff.org/)), you'll need a more minimal Nginx conf file -before you can use the TLS-enabled example above. Instead, use this -configuration file during the Certbot certificate generation process: +If you need to generate TLS certificates (I recommend +[[https://certbot.eff.org/][Certbot]]), you'll need a more minimal Nginx +conf file before you can use the TLS-enabled example above. Instead, use +this configuration file during the Certbot certificate generation +process: -```conf +#+begin_src conf server { server_name example.com; location / { @@ -151,62 +163,67 @@ server { } listen 80; } -``` +#+end_src Once you're done editing the Nginx conf file, restart Nginx: -```sh +#+begin_src sh doas rc-service nginx restart -``` +#+end_src -If you still need to generate TLS certificates, run `certbot` now and obtain the -certificates. Certbot will ask if you want to use a webroot or spin up a -temporary web server. I **highly** recommend using the temporary web server due -to the many issues with using a webroot. +If you still need to generate TLS certificates, run =certbot= now and +obtain the certificates. Certbot will ask if you want to use a webroot +or spin up a temporary web server. I *highly* recommend using the +temporary web server due to the many issues with using a webroot. -You will need to stop Nginx in order to user the temporary web server option -with Certbot: +You will need to stop Nginx in order to user the temporary web server +option with Certbot: -```sh +#+begin_src sh # Stop Nginx so certbot can spin up a temp webserver for cert generation doas rc-service nginx stop doas certbot certonly -v doas rc-service nginx start -``` - -### Open Firewall & Router Ports - -If you use a firewall on the server, open the `8448` port for discovery and -federation, as well as the normal web server ports if you're using a reverse -proxy. If you want additional services, such as voice calls, you will need -to read the Synapse documentation to see which ports need to be opened for those -features. +#+end_src + +*** Open Firewall & Router Ports +:PROPERTIES: +:CUSTOM_ID: open-firewall-router-ports +:END: +If you use a firewall on the server, open the =8448= port for discovery +and federation, as well as the normal web server ports if you're using a +reverse proxy. If you want additional services, such as voice calls, you +will need to read the Synapse documentation to see which ports need to +be opened for those features. Here's an example of the Universal Firewall (UFW) software: -```sh +#+begin_src sh # Matrix port doas ufw allow 8448 # Standard web server ports doas ufw allow "Nginx Full" -``` - -Remember to forward any Synapse ports, such as `8448`, `80`, and `443`, in your -Router from the internet to your server's IP address. +#+end_src -### Adding Matrix Users +Remember to forward any Synapse ports, such as =8448=, =80=, and =443=, +in your Router from the internet to your server's IP address. -Finally, if you didn't enable public registration in the `homeserver.yaml` file, -you can manually create users via the command-line: +*** Adding Matrix Users +:PROPERTIES: +:CUSTOM_ID: adding-matrix-users +:END: +Finally, if you didn't enable public registration in the +=homeserver.yaml= file, you can manually create users via the +command-line: -```sh +#+begin_src sh cd ~/synapse register_new_matrix_user -c homeserver.yaml -``` +#+end_src -Remember that the format for federated Matrix usernames is -`@username:example.com` when logging in to client applications. +Remember that the format for federated Matrix usernames is +=@username:example.com= when logging in to client applications. -Once Synapse is running, and you have a username, you are ready to log in to a -Matrix client and start sending messages, joining rooms, and utilizing your very -own Matrix server. +Once Synapse is running, and you have a username, you are ready to log +in to a Matrix client and start sending messages, joining rooms, and +utilizing your very own Matrix server. diff --git a/blog/2022-11-11-nginx-tmp-errors.org b/blog/2022-11-11-nginx-tmp-errors.org index da00714..2aaf82d 100644 --- a/blog/2022-11-11-nginx-tmp-errors.org +++ b/blog/2022-11-11-nginx-tmp-errors.org @@ -1,58 +1,61 @@ -+++ -date = 2022-11-11 -title = "Fixing Permission Errors in /var/lib/nginx" -description = "A quick fix for Nginx permission errors on the tmp directory." -+++ +#+title: Fixing Permission Errors in /var/lib/nginx" description +#+date: 2022-11-11 -*This is a brief post so that I personally remember the solution as it has -occurred multiple times for me.* +/This is a brief post so that I personally remember the solution as it +has occurred multiple times for me./ -## The Problem - -After migrating to a new server OS, I started receiving quite a few permission -errors like the one below. These popped up for various different websites I'm -serving via Nginx on this server, but did not prevent the website from loading. +** The Problem +:PROPERTIES: +:CUSTOM_ID: the-problem +:END: +After migrating to a new server OS, I started receiving quite a few +permission errors like the one below. These popped up for various +different websites I'm serving via Nginx on this server, but did not +prevent the website from loading. I found the errors in the standard log file: -```sh +#+begin_src sh cat /var/log/nginx/error.log -``` +#+end_src -```sh +#+begin_src sh 2022/11/11 11:30:34 [crit] 8970#8970: *10 open() "/var/lib/nginx/tmp/proxy/3/00/0000000003" failed (13: Permission denied) while reading upstream, client: 169.150.203.10, server: cyberchef.example.com, request: "GET /assets/main.css HTTP/2.0", upstream: "http://127.0.0.1:8111/assets/main.css", host: "cyberchef.example.com", referrer: "https://cyberchef.example.com/" -``` +#+end_src -You can see that the error is `13: Permission denied` and it occurs in the -`/var/lib/nginx/tmp/` directory. In my case, I had thousands of errors where -Nginx was denied permission to read/write files in this directory. +You can see that the error is =13: Permission denied= and it occurs in +the =/var/lib/nginx/tmp/= directory. In my case, I had thousands of +errors where Nginx was denied permission to read/write files in this +directory. So how do I fix it? -## The Solution - -In order to resolve the issue, I had to ensure the `/var/lib/nginx` -directory is owned by Nginx. Mine was owned by the `www` user and Nginx was not -able to read or write files within that directory. This prevented Nginx from -caching temporary files. +** The Solution +:PROPERTIES: +:CUSTOM_ID: the-solution +:END: +In order to resolve the issue, I had to ensure the =/var/lib/nginx= +directory is owned by Nginx. Mine was owned by the =www= user and Nginx +was not able to read or write files within that directory. This +prevented Nginx from caching temporary files. -```sh +#+begin_src sh # Alpine Linux doas chown -R nginx:nginx /var/lib/nginx # Other Distros sudo chown -R nginx:nginx /var/lib/nginx -``` +#+end_src -You *may* also be able to change the `proxy_temp_path` in your Nginx config, but -I did not try this. Here's a suggestion I found online that may work if the -above solution does not: +You /may/ also be able to change the =proxy_temp_path= in your Nginx +config, but I did not try this. Here's a suggestion I found online that +may work if the above solution does not: -```sh +#+begin_src sh nano /etc/nginx/http.d/example.com.conf -``` +#+end_src -```conf +#+begin_src conf server { ... @@ -62,15 +65,15 @@ server { ... } -``` +#+end_src -Finally, restart Nginx and your server should be able to cache temporary files -again. +Finally, restart Nginx and your server should be able to cache temporary +files again. -```sh +#+begin_src sh # Alpine Linux (OpenRC) doas rc-service nginx restart # Other Distros (systemd) sudo systemctl restart nginx -``` +#+end_src diff --git a/blog/2022-11-27-server-build.org b/blog/2022-11-27-server-build.org index cbc4855..dd3a0b2 100644 --- a/blog/2022-11-27-server-build.org +++ b/blog/2022-11-27-server-build.org @@ -1,113 +1,124 @@ -+++ -date = 2022-11-27 -title = "Building a Custom Rack-Mount Server" -description = "I finally built my own custom rack-mounted server after years of indecision." -+++ - -## The Dilemma - -For years, I have been using desktops and a Raspberry Pi as the backbone of my -homelab. I have always wanted to move toward a single dedicated server that -could handle all of my tasks, but was often put off by the complexity of the -choices (and financial roadblocks at some times). - -However, after purchasing a small server rack this past year, I have been -researching to see what kind of rack-mounted server I could buy. I initially -bought a Dell R720XD loaded up with everything I could ever want in a server - -but I did not care for it. It was far too loud, and the age of the CPU/RAM was -something I wanted to improve upon. - -After returning the R720XD, I decided that I wanted to build my own server with -modern, consumer-grade PC components. This time, I am very happy with the -results of my server. - -## Components - +#+title: Building a Custom Rack-Mount Server +#+date: 2022-11-27 + +** The Dilemma +:PROPERTIES: +:CUSTOM_ID: the-dilemma +:END: +For years, I have been using desktops and a Raspberry Pi as the backbone +of my homelab. I have always wanted to move toward a single dedicated +server that could handle all of my tasks, but was often put off by the +complexity of the choices (and financial roadblocks at some times). + +However, after purchasing a small server rack this past year, I have +been researching to see what kind of rack-mounted server I could buy. I +initially bought a Dell R720XD loaded up with everything I could ever +want in a server - but I did not care for it. It was far too loud, and +the age of the CPU/RAM was something I wanted to improve upon. + +After returning the R720XD, I decided that I wanted to build my own +server with modern, consumer-grade PC components. This time, I am very +happy with the results of my server. + +** Components +:PROPERTIES: +:CUSTOM_ID: components +:END: I'll start by listing all the components I used for this server build: -- **Case**: [Rosewill RSV-R4100U 4U Server Chassis Rackmount -Case](https://www.rosewill.com/rosewill-rsv-r4100u-black/p/9SIA072GJ92825) -- **Motherboard**: [NZXT B550](https://nzxt.com/product/n7-b550) -- **CPU**: AMD Ryzen 7 5700G with Radeon Graphics -- **GPU**: N/A - I specifically chose one of the few AMD CPUs that support -onboard graphics. -- **RAM**: 64GB RAM (2x32GB) _Max of 128GB RAM on this motherboard_ -- **Boot Drive**: Western Digital 500GB M.2 NVME SSD -- **HDD Bay**: - - 10TB WD White _(shucked, moved from previous server)_ - - 8TB WD White _(shucked, moved from previous server)_ - - 2 x 8TB WD Red Plus _(Black Friday lined up perfectly with this build, so I - grabbed two of these)_ -- **PSU**: Corsair RM850 PSU -- **Extras**: +- *Case*: + [[https://www.rosewill.com/rosewill-rsv-r4100u-black/p/9SIA072GJ92825][Rosewill + RSV-R4100U 4U Server Chassis Rackmount Case]] +- *Motherboard*: [[https://nzxt.com/product/n7-b550][NZXT B550]] +- *CPU*: AMD Ryzen 7 5700G with Radeon Graphics +- *GPU*: N/A - I specifically chose one of the few AMD CPUs that support + onboard graphics. +- *RAM*: 64GB RAM (2x32GB) /Max of 128GB RAM on this motherboard/ +- *Boot Drive*: Western Digital 500GB M.2 NVME SSD +- *HDD Bay*: + - 10TB WD White /(shucked, moved from previous server)/ + - 8TB WD White /(shucked, moved from previous server)/ + - 2 x 8TB WD Red Plus /(Black Friday lined up perfectly with this + build, so I grabbed two of these)/ +- *PSU*: Corsair RM850 PSU +- *Extras*: - Corsair TM3Q Thermal Paste - - Noctua 120mm fan _(replacement for front case fan)_ - - 2 x Noctua 80mm fans _(replacement for rear case fans)_ + - Noctua 120mm fan /(replacement for front case fan)/ + - 2 x Noctua 80mm fans /(replacement for rear case fans)/ - CableMatters 6Gbps SATA Cables -## Building the Server - -This took quite a while for me to build (in my opinion of time), totaling -around 3 hours from start to finish. The case has some peculiar construction, so -you have to completely remove the ODD & HDD cages to install the motherboard and -other components first. - -Now, I've never built a computer of any kind before, so I was quite -nervous. Personally, the only challenging part was getting the CPU cooler to -screw into the motherboard without sliding the thermal paste around too much -underneath. I'm still not entirely sure if I did a great job of it, but -nothing's broken yet. - -The main components were all fine and simple. -However, installing the hard drives is slightly tedious as I need to power -off the server and completely unscrew the HDD cage to install or remove any -drives. -Additionally, the drives are screwed directly into the metal cage with small -screws, which are quite a bit different from the HDD trays I'm used to in -other machines. - -Seeing that the cases with hot-swap bays were 3-4x the price, I'm okay dealing -with the tedium of removing the cage to install new drives. - -## Software - -I'm not going to dive into the software as I have done so in other recent posts. -However, I wanted to note that I am using Alpine Linux on this server and -hosting most services inside Docker. No virtual machines (VMs) and very few -bare-metal services. - -## The Results - -How did my build turn out? Well, after migrating my other servers and their -services over, I found that my server is blazing fast. The heaviest of my -applications, Plex, is handled with ease. Even 4k streaming seems to be -effortless. - -I am very happy with the results and will likely continue to improve on this -server as the years go by rather than buying another used server online. - -### Mistakes I Made - -This post wouldn't be complete unless I wrote about the mistakes I made while -building. The only real mistake I made beyond a "whoops I dropped a screw" -related to airflow and fan direction. - -While installing the two new hard drives that showed up on 2022-11-30 and -getting ready to install the case in my rack, I noticed that the hard drive -temperatures were quite high. - -I used the `smartctl` command for each of my drives (`/dev/sda` through -`/dev/sdd`): - -```sh +** Building the Server +:PROPERTIES: +:CUSTOM_ID: building-the-server +:END: +This took quite a while for me to build (in my opinion of time), +totaling around 3 hours from start to finish. The case has some peculiar +construction, so you have to completely remove the ODD & HDD cages to +install the motherboard and other components first. + +Now, I've never built a computer of any kind before, so I was quite +nervous. Personally, the only challenging part was getting the CPU +cooler to screw into the motherboard without sliding the thermal paste +around too much underneath. I'm still not entirely sure if I did a great +job of it, but nothing's broken yet. + +The main components were all fine and simple. However, installing the +hard drives is slightly tedious as I need to power off the server and +completely unscrew the HDD cage to install or remove any drives. +Additionally, the drives are screwed directly into the metal cage with +small screws, which are quite a bit different from the HDD trays I'm +used to in other machines. + +Seeing that the cases with hot-swap bays were 3-4x the price, I'm okay +dealing with the tedium of removing the cage to install new drives. + +** Software +:PROPERTIES: +:CUSTOM_ID: software +:END: +I'm not going to dive into the software as I have done so in other +recent posts. However, I wanted to note that I am using Alpine Linux on +this server and hosting most services inside Docker. No virtual machines +(VMs) and very few bare-metal services. + +** The Results +:PROPERTIES: +:CUSTOM_ID: the-results +:END: +How did my build turn out? Well, after migrating my other servers and +their services over, I found that my server is blazing fast. The +heaviest of my applications, Plex, is handled with ease. Even 4k +streaming seems to be effortless. + +I am very happy with the results and will likely continue to improve on +this server as the years go by rather than buying another used server +online. + +*** Mistakes I Made +:PROPERTIES: +:CUSTOM_ID: mistakes-i-made +:END: +This post wouldn't be complete unless I wrote about the mistakes I made +while building. The only real mistake I made beyond a "whoops I dropped +a screw" related to airflow and fan direction. + +While installing the two new hard drives that showed up on 2022-11-30 +and getting ready to install the case in my rack, I noticed that the +hard drive temperatures were quite high. + +I used the =smartctl= command for each of my drives (=/dev/sda= through +=/dev/sdd=): + +#+begin_src sh doas smartctl -a /dev/sda | grep Temperature_Celsius -``` +#+end_src -The results were unusual - all four drives were idling at ~44-46 degrees -Celsius. The only drive that was cooler was my 10TB drive, which was at 38 -degrees Celsius. I noted that this 10TB drive was also closest to the case fan. +The results were unusual - all four drives were idling at ~44-46 degrees +Celsius. The only drive that was cooler was my 10TB drive, which was at +38 degrees Celsius. I noted that this 10TB drive was also closest to the +case fan. -```sh +#+begin_src sh ID# ATTRIBUTE_NAME FLAG VALUE WORST THRESH TYPE UPDATED WHEN_FAILED RAW_VALUE # /dev/sda 194 Temperature_Celsius 0x0002 147 147 000 Old_age Always - 44 (Min/Max 22/46) @@ -117,18 +128,19 @@ ID# ATTRIBUTE_NAME FLAG VALUE WORST THRESH TYPE UPDATED WHEN_ 194 Temperature_Celsius 0x0002 144 144 000 Old_age Always - 45 (Min/Max 19/61) # /dev/sdd 194 Temperature_Celsius 0x0002 171 171 000 Old_age Always - 38 (Min/Max 14/56) -``` +#+end_src -After looking to see if I could fit more fans into the case, I noticed that the -120mm fan used for intake from the front of the case was actually pushing air -out of the case by mistake. This fan sits right in front of the hard drive bay. +After looking to see if I could fit more fans into the case, I noticed +that the 120mm fan used for intake from the front of the case was +actually pushing air out of the case by mistake. This fan sits right in +front of the hard drive bay. -Once I flipped the fan around to act as an intake fan, the temperatures dropped -immediately! They are now idling at ~31-33 degrees Celsius. A single fan -spinning the wrong way caused my drives to idle 10-15 degrees higher than they -should have. +Once I flipped the fan around to act as an intake fan, the temperatures +dropped immediately! They are now idling at ~31-33 degrees Celsius. A +single fan spinning the wrong way caused my drives to idle 10-15 degrees +higher than they should have. -```sh +#+begin_src sh ID# ATTRIBUTE_NAME FLAG VALUE WORST THRESH TYPE UPDATED WHEN_FAILED RAW_VALUE # /dev/sda 194 Temperature_Celsius 0x0002 209 209 000 Old_age Always - 31 (Min/Max 14/56) @@ -138,7 +150,8 @@ ID# ATTRIBUTE_NAME FLAG VALUE WORST THRESH TYPE UPDATED WHEN_ 194 Temperature_Celsius 0x0002 203 203 000 Old_age Always - 32 (Min/Max 21/48) # /dev/sdd 194 Temperature_Celsius 0x0002 196 196 000 Old_age Always - 33 (Min/Max 22/46) -``` +#+end_src -This was a silly error to make, but I'm glad I found it today before I screwed -the case into the rack and made things a lot more tedious to fix. +This was a silly error to make, but I'm glad I found it today before I +screwed the case into the rack and made things a lot more tedious to +fix. diff --git a/blog/2022-11-29-nginx-referrer-ban-list.org b/blog/2022-11-29-nginx-referrer-ban-list.org index 2f71666..6eb8ad8 100644 --- a/blog/2022-11-29-nginx-referrer-ban-list.org +++ b/blog/2022-11-29-nginx-referrer-ban-list.org @@ -1,26 +1,24 @@ -+++ -date = 2022-11-29 -title = "Creating a Referrer Ban List on Nginx" -description = "A quick explanation detailing my own way of banning referral domains on Nginx." -+++ +#+title: Creating a Referrer Ban List on Nginx +#+date: 2022-11-29 -## Creating the Ban List - -In order to ban list referral domains or websites with Nginx, you need to -create a ban list file. -The file below will accept regexes for different domains or websites you -wish to block. +** Creating the Ban List +:PROPERTIES: +:CUSTOM_ID: creating-the-ban-list +:END: +In order to ban list referral domains or websites with Nginx, you need +to create a ban list file. The file below will accept regexes for +different domains or websites you wish to block. First, create the file in your nginx directory: -```sh +#+begin_src sh doas nano /etc/nginx/banlist.conf -``` +#+end_src -Next, paste the following contents in and fill out the regexes with whichever -domains you're blocking. +Next, paste the following contents in and fill out the regexes with +whichever domains you're blocking. -```conf +#+begin_src conf # /etc/nginx/banlist.conf map $http_referer $bad_referer { @@ -31,21 +29,23 @@ map $http_referer $bad_referer { # Put regexes for undesired referrers here "~news.ycombinator.com" 1; } -``` - -## Configuring Nginx +#+end_src -In order for the ban list to work, Nginx needs to know it exists and how to -handle it. For this, edit the `nginx.conf` file. +** Configuring Nginx +:PROPERTIES: +:CUSTOM_ID: configuring-nginx +:END: +In order for the ban list to work, Nginx needs to know it exists and how +to handle it. For this, edit the =nginx.conf= file. -```sh +#+begin_src sh doas nano /etc/nginx/nginx.conf -``` +#+end_src -Within this file, find the `http` block and add your ban list file location to -the end of the block. +Within this file, find the =http= block and add your ban list file +location to the end of the block. -```conf +#+begin_src conf # /etc/nginx/nginx.conf http { @@ -54,29 +54,31 @@ http { # Include ban list include /etc/nginx/banlist.conf; } -``` - -## Enabling the Ban List - -Finally, we need to take action when a bad referral site is found. To do so, -edit the configuration file for your website. For example, I have all website -configuration files in the `http.d` directory. You may have them in the -`sites-available` directory on some distributions. - -```sh +#+end_src + +** Enabling the Ban List +:PROPERTIES: +:CUSTOM_ID: enabling-the-ban-list +:END: +Finally, we need to take action when a bad referral site is found. To do +so, edit the configuration file for your website. For example, I have +all website configuration files in the =http.d= directory. You may have +them in the =sites-available= directory on some distributions. + +#+begin_src sh doas nano /etc/nginx/http.d/example.com.conf -``` +#+end_src -Within each website's configuration file, edit the `server` blocks that are -listening to ports 80 and 443 and create a check for the `$bad_referrer` -variable we created in the ban list file. +Within each website's configuration file, edit the =server= blocks that +are listening to ports 80 and 443 and create a check for the +=$bad_referrer= variable we created in the ban list file. -If a matching site is found, you can return any [HTTP Status -Code](https://en.wikipedia.org/wiki/List_of_HTTP_status_codes) you want. Code -403 (Forbidden) is logical in this case since you are preventing a client -connection due to a banned domain. +If a matching site is found, you can return any +[[https://en.wikipedia.org/wiki/List_of_HTTP_status_codes][HTTP Status +Code]] you want. Code 403 (Forbidden) is logical in this case since you +are preventing a client connection due to a banned domain. -```conf +#+begin_src conf server { ... @@ -87,42 +89,46 @@ server { ... } -``` - -## Restart Nginx +#+end_src +** Restart Nginx +:PROPERTIES: +:CUSTOM_ID: restart-nginx +:END: Lastly, restart Nginx to enable all changes made. -```sh +#+begin_src sh doas rc-service nginx restart -``` - -## Testing Results +#+end_src -In order to test the results, let's curl the contents of our site. To start, -I'll curl the site normally: +** Testing Results +:PROPERTIES: +:CUSTOM_ID: testing-results +:END: +In order to test the results, let's curl the contents of our site. To +start, I'll curl the site normally: -```sh +#+begin_src sh curl https://cleberg.net -``` +#+end_src The HTML contents of the page come back successfully: -```html +#+begin_src html <!doctype html>...</html> -``` +#+end_src Next, let's include a banned referrer: -```sh +#+begin_src sh curl --referer https://news.ycombinator.com https://cleberg.net -``` +#+end_src -This time, I'm met with a 403 Forbidden response page. That means we are -successful and any clients being referred from a banned domain will be met -with this same response code. +This time, I'm met with a 403 Forbidden response page. That means we are +successful and any clients being referred from a banned domain will be +met with this same response code. -```html +#+begin_src html <html> <head><title>403 Forbidden</title></head> <body> @@ -130,4 +136,4 @@ with this same response code. <hr><center>nginx</center> </body> </html> -``` +#+end_src diff --git a/blog/2022-12-01-nginx-compression.org b/blog/2022-12-01-nginx-compression.org index 2a22d76..c3669dd 100644 --- a/blog/2022-12-01-nginx-compression.org +++ b/blog/2022-12-01-nginx-compression.org @@ -1,40 +1,44 @@ -+++ -date = 2022-12-01 -title = "Enable GZIP Compression on Nginx" -desciption = "Enable gzip compression on Nginx to server small text-based resources faster." -+++ +#+title: Enable GZIP Compression on Nginx +#+date: 2022-12-01 -## Text Compression +** Text Compression +:PROPERTIES: +:CUSTOM_ID: text-compression +:ID: 24C2F6E7-129E-42F3-91F0-A6C6C519FA01 +:END: +Text compression allows a web server to serve text-based resources +faster than uncompressed data. This can speed up things like First +Contentful Paint, Tie to Interactive, and Speed Index. -Text compression allows a web server to serve text-based resources faster than -uncompressed data. This can speed up things like First Contentful Paint, Tie to -Interactive, and Speed Index. +** Enable Nginx Compression with gzip +:PROPERTIES: +:CUSTOM_ID: enable-nginx-compression-with-gzip +:ID: C018C991-E253-4779-A702-AEB69614499F +:END: +In order to enable text compression on Nginx, we need to enable it +within the configuration file: -## Enable Nginx Compression with gzip - -In order to enable text compression on Nginx, we need to enable it within the -configuration file: - -```sh +#+begin_src sh nano /etc/nginx/nginx.conf -``` +#+end_src -Within the `http` block, find the section that shows something like the block -below. This is the default gzip configuration I found in my `nginx.conf` file on -Alpine Linux 3.17. Yours may look slightly different, just make sure that -you're not creating any duplicate gzip options. +Within the =http= block, find the section that shows something like the +block below. This is the default gzip configuration I found in my +=nginx.conf= file on Alpine Linux 3.17. Yours may look slightly +different, just make sure that you're not creating any duplicate gzip +options. -```conf +#+begin_src conf # Enable gzipping of responses. #gzip on; # Set the Vary HTTP header as defined in the RFC 2616. Default is 'off'. gzip_vary on; -``` +#+end_src Remove the default gzip lines and replace them with the following: -```conf +#+begin_src conf # Enable gzipping of responses. gzip on; gzip_vary on; @@ -42,33 +46,38 @@ gzip_min_length 10240; gzip_proxied expired no-cache no-store private auth; gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml; gzip_disable "MSIE [1-6]\."; -``` - -## Explanations of ngx_http_gzip_module Options - -Each of the lines above enables a different aspect of the gzip response for -Nginx. Here are the full explanations: +#+end_src +** Explanations of ngx_http_gzip_module Options +:PROPERTIES: +:CUSTOM_ID: explanations-of-ngx_http_gzip_module-options +:ID: C180752B-E1B9-49A5-B180-84488068A76A +:END: +Each of the lines above enables a different aspect of the gzip response +for Nginx. Here are the full explanations: -- `gzip` – Enables or disables gzipping of responses. -- `gzip_vary` – Enables or disables inserting the “Vary: Accept-Encoding” -response header field if the directives gzip, gzip_static, or gunzip are active. -- `gzip_min_length` – Sets the minimum length of a response that will be -gzipped. The length is determined only from the “Content-Length” response header field. -- `gzip_proxied` – Enables or disables gzipping of responses for proxied -requests depending on the request and response. The fact that the request is -proxied is determined by the presence of the “Via” request header field. -- `gzip_types` – Enables gzipping of responses for the specified MIME types in -addition to “text/html”. The special value “*” matches any MIME type (0.8.29). -Responses with the “text/html” type are always compressed. -- `gzip_disable` – Disables gzipping of responses for requests -with “User-Agent” header fields matching any of the specified regular -expressions. - - The special mask “msie6” (0.7.12) corresponds to the regular expression “MSIE -[4-6]\.”, but works faster. Starting from version 0.8.11, “MSIE 6.0; ... SV1” is -excluded from this mask. +- =gzip= -- Enables or disables gzipping of responses. +- =gzip_vary= -- Enables or disables inserting the "Vary: + Accept-Encoding" response header field if the directives gzip, + gzip_static, or gunzip are active. +- =gzip_min_length= -- Sets the minimum length of a response that will + be gzipped. The length is determined only from the "Content-Length" + response header field. +- =gzip_proxied= -- Enables or disables gzipping of responses for + proxied requests depending on the request and response. The fact that + the request is proxied is determined by the presence of the "Via" + request header field. +- =gzip_types= -- Enables gzipping of responses for the specified MIME + types in addition to "text/html". The special value “*” matches any + MIME type (0.8.29). Responses with the "text/html" type are always + compressed. +- =gzip_disable= -- Disables gzipping of responses for requests with + "User-Agent" header fields matching any of the specified regular + expressions. + - The special mask "msie6" (0.7.12) corresponds to the regular + expression "MSIE [4-6].", but works faster. Starting from version + 0.8.11, "MSIE 6.0; ... SV1" is excluded from this mask. -More information on these directives and their options can be found on the -[Module -ngx_http_gzip_module](https://nginx.org/en/docs/http/ngx_http_gzip_module.html) -page in Nginx's documentation. +More information on these directives and their options can be found on +the [[https://nginx.org/en/docs/http/ngx_http_gzip_module.html][Module +ngx_http_gzip_module]] page in Nginx's documentation. diff --git a/blog/2022-12-07-nginx-wildcard-redirect.org b/blog/2022-12-07-nginx-wildcard-redirect.org index 88c76c0..81b12bc 100644 --- a/blog/2022-12-07-nginx-wildcard-redirect.org +++ b/blog/2022-12-07-nginx-wildcard-redirect.org @@ -1,25 +1,26 @@ -+++ -date = 2022-12-07 -title = "Redirect Nginx Subdomains & Trailing Content with Regex" -description= "You can easily redirect Nginx traffic from subdomains and TLDs to a new domain while preserving trailing content." -+++ - -## Problem - -I recently migrated domains and replaced the -old webpage with a simple info page with instructions to users on how -to edit their bookmarks and URLs to get to the page they were seeking. - -This was not ideal as it left the work up to the user and may have caused -friction for users who accessed my RSS feed. - -## Solution - -Instead, I finally found a solution that allows me to redirect both subdomains -AND trailing content. For example, both of these URLs now redirect properly -using the logic I'll explain below: - -```txt +#+title: Redirect Nginx Subdomains & Trailing Content with Regex +#+date: 2022-12-07 + +** Problem +:PROPERTIES: +:CUSTOM_ID: problem +:END: +I recently migrated domains and replaced the old webpage with a simple +info page with instructions to users on how to edit their bookmarks and +URLs to get to the page they were seeking. + +This was not ideal as it left the work up to the user and may have +caused friction for users who accessed my RSS feed. + +** Solution +:PROPERTIES: +:CUSTOM_ID: solution +:END: +Instead, I finally found a solution that allows me to redirect both +subdomains AND trailing content. For example, both of these URLs now +redirect properly using the logic I'll explain below: + +#+begin_src txt # Example 1 - Simple base domain redirect with trailing content https://domain1.com/blog/alpine-linux/ -> https://domain2.com/blog/alpine-linux/ @@ -27,23 +28,25 @@ https://domain1.com/blog/alpine-linux/ -> https://domain2.com/blog/alpine-linux/ https://libreddit.domain1.com/r/history/comments/7z8cbg/new_discovery_mode_turns_video_game_assassins/ -> https://libreddit.domain2.com/r/history/comments/7z8cbg/new_discovery_mode_turns_video_game_assassins/ -``` +#+end_src Go ahead, try the URLs if you want to test them. -### Nginx Config +*** Nginx Config +:PROPERTIES: +:CUSTOM_ID: nginx-config +:END: +To make this possible. I needed to configure a proper redirect scheme in +my Nginx configuration. -To make this possible. I needed to configure a proper redirect scheme in my -Nginx configuration. - -```sh +#+begin_src sh doas nano /etc/nginx/http.d/domain1.conf -``` +#+end_src -Within this file, I had one block configured to redirect HTTP requests to HTTPS -for the base domain and all subdomains. +Within this file, I had one block configured to redirect HTTP requests +to HTTPS for the base domain and all subdomains. -```conf +#+begin_src conf server { listen [::]:80; listen 80; @@ -59,13 +62,14 @@ server { return 404; } -``` +#+end_src -For the base domain, I have another `server` block dedicated to redirecting all -base domain requests. You can see that the `rewrite` line is instructing Nginx -to gather all trailing content and append it to the new `domain2.com` URL. +For the base domain, I have another =server= block dedicated to +redirecting all base domain requests. You can see that the =rewrite= +line is instructing Nginx to gather all trailing content and append it +to the new =domain2.com= URL. -```conf +#+begin_src conf server { listen [::]:443 ssl http2; listen 443 ssl http2; @@ -77,20 +81,21 @@ server { ssl_certificate /etc/letsencrypt/live/domain1.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/domain1.com/privkey.pem; } -``` +#+end_src -Finally, the tricky part is figuring out how to tell Nginx to redirect while -keeping both a subdomain and trailing content intact. I found that the easiest -way to do this is to give it a `server` block of its own. +Finally, the tricky part is figuring out how to tell Nginx to redirect +while keeping both a subdomain and trailing content intact. I found that +the easiest way to do this is to give it a =server= block of its own. -Within this block, we need to do some regex on the `server_name` line before we -can rewrite anything. This creates a variable called `subdomain`. +Within this block, we need to do some regex on the =server_name= line +before we can rewrite anything. This creates a variable called +=subdomain=. -Once the server gets to the `rewrite` line, it pulls the `subdomain` variable -from above and uses it on the new `domain2.com` domain before appending the -trailing content (`$request_uri`). +Once the server gets to the =rewrite= line, it pulls the =subdomain= +variable from above and uses it on the new =domain2.com= domain before +appending the trailing content (=$request_uri=). -```conf +#+begin_src conf server { listen [::]:443 ssl http2; listen 443 ssl http2; @@ -102,18 +107,17 @@ server { ssl_certificate /etc/letsencrypt/live/domain1.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/domain1.com/privkey.pem; } -``` +#+end_src -That's all there is to it. With this, I simply restarted Nginx and watched the -redirections work in-action. +That's all there is to it. With this, I simply restarted Nginx and +watched the redirections work in-action. -```sh +#+begin_src sh doas rc-service nginx restart -``` - +#+end_src -Looking back on it, I wish I had done this sooner. Who knows how many people -went looking for my sites or bookmarks and gave up when they saw the redirect -instructions page. +Looking back on it, I wish I had done this sooner. Who knows how many +people went looking for my sites or bookmarks and gave up when they saw +the redirect instructions page. Oh well, it's done now. Live and learn. diff --git a/blog/2022-12-17-st.org b/blog/2022-12-17-st.org index 30d46ba..d47993b 100644 --- a/blog/2022-12-17-st.org +++ b/blog/2022-12-17-st.org @@ -1,89 +1,100 @@ -+++ -date = 2022-12-17 -title = "Simple Terminal" -description = "An easy guide on how to build st on Fedora Workstation." -+++ - -## st - -[st](https://st.suckless.org) standards for Simple Terminal, a simple terminal -implementation for X made by the [suckless](https://suckless.org) team. - -This post walks through the dependencies needed and process to build and install -`st` on Fedora Workstation. - -### Obtain Files - -To start, obtain the source files for `st` via `git clone`. - -```sh +#+title: Simple Terminal +#+date: 2022-12-17 + +** st +:PROPERTIES: +:CUSTOM_ID: st +:END: +[[https://st.suckless.org][st]] standards for Simple Terminal, a simple +terminal implementation for X made by the +[[https://suckless.org][suckless]] team. + +This post walks through the dependencies needed and process to build and +install =st= on Fedora Workstation. + +*** Obtain Files +:PROPERTIES: +:CUSTOM_ID: obtain-files +:END: +To start, obtain the source files for =st= via =git clone=. + +#+begin_src sh mkdir ~/suckless && cd ~/suckless git clone https://git.suckless.org/st && cd st -``` - -### Dependencies +#+end_src -Once you have the files and are in the `st` directory, ensure the following -packages are installed. +*** Dependencies +:PROPERTIES: +:CUSTOM_ID: dependencies +:END: +Once you have the files and are in the =st= directory, ensure the +following packages are installed. -```sh +#+begin_src sh sudo dnf update && sudo dnf upgrade sudo dnf install gcc patch libX11-devel libXft-devel -``` - -### Building +#+end_src +*** Building +:PROPERTIES: +:CUSTOM_ID: building +:END: Before building, ensure that you read the README file. -```sh +#+begin_src sh cat README -``` +#+end_src -Once you've read the instructions, open the `config.mk` file and ensure it -matches your setup. If you're not sure, leave the default options within the -file. +Once you've read the instructions, open the =config.mk= file and ensure +it matches your setup. If you're not sure, leave the default options +within the file. -Finally, you can build `st` with the following command. Ensure you run as root -(e.g., `sudo`) or else you may not end up with a usable application file. +Finally, you can build =st= with the following command. Ensure you run +as root (e.g., =sudo=) or else you may not end up with a usable +application file. -```sh +#+begin_src sh sudo make clean install -``` - -### Customization (Patches) +#+end_src -Note that customizing `st` requires you to modify the source files or to -download one of the [available patches](https://st.suckless.org/patches/) for -suckless.org. +*** Customization (Patches) +:PROPERTIES: +:CUSTOM_ID: customization-patches +:END: +Note that customizing =st= requires you to modify the source files or to +download one of the [[https://st.suckless.org/patches/][available +patches]] for suckless.org. -If you've already installed `st` and want to customize or install a patch, start -by uninstalling the current program. +If you've already installed =st= and want to customize or install a +patch, start by uninstalling the current program. -```sh +#+begin_src sh cd ~/suckless/st sudo make uninstall -``` +#+end_src -Next, grab the `<path>.diff` file from the page of the patch you chose. For -example, I will be using the -[defaultfontsize](https://st.suckless.org/patches/defaultfontsize/) patch in the below example. +Next, grab the =<path>.diff= file from the page of the patch you chose. +For example, I will be using the +[[https://st.suckless.org/patches/defaultfontsize/][defaultfontsize]] +patch in the below example. -```sh +#+begin_src sh wget https://st.suckless.org/patches/defaultfontsize/st-defaultfontsize-20210225-4ef0cbd.diff -``` +#+end_src -Once the file is downloaded inside the `st` folder, apply the patch and -re-install the program. You may need to install the `patch` command if you don't -have it installed already (you should have installed it above). +Once the file is downloaded inside the =st= folder, apply the patch and +re-install the program. You may need to install the =patch= command if +you don't have it installed already (you should have installed it +above). -```sh +#+begin_src sh patch -i st-defaultfontsize-20210225-4ef0cbd.diff sudo make clean install -``` +#+end_src -Once installed, you can use the default font size patch to launch `st` with any -font size you wish: +Once installed, you can use the default font size patch to launch =st= +with any font size you wish: -```sh +#+begin_src sh st -z 16 -``` +#+end_src diff --git a/blog/2022-12-23-alpine-desktop.org b/blog/2022-12-23-alpine-desktop.org index 66a5938..8967da7 100644 --- a/blog/2022-12-23-alpine-desktop.org +++ b/blog/2022-12-23-alpine-desktop.org @@ -1,89 +1,95 @@ -+++ -date = 2022-12-23 -title = "Alpine Linux as a Desktop OS" -description = "Documenting my steps to a useable Alpine Linux desktop experience." -+++ - -## Isn't Alpine Linux for Servers? - -This is a question I see a lot when people are presented with an example of -Alpine Linux running as a desktop OS. - -While Alpine is small, fast, and minimal, that doesn't stop it from functioning -at a productive level for desktop users. - -This post is documentation of how I installed and modified Alpine Linux to -become my daily desktop OS. - -## Installation - -Note that I cover the installation of Alpine Linux in my other post, so I -won't repeat it here: [Alpine Linux: My New Server OS](/blog/alpine-linux/). - -Basically, get a bootable USB or whatever you prefer with Alpine on it, boot the -ISO, and run the setup script. - -```sh +#+title: Alpine Linux as a Desktop OS +#+date: 2022-12-23 + +** Isn't Alpine Linux for Servers? +:PROPERTIES: +:CUSTOM_ID: isnt-alpine-linux-for-servers +:END: +This is a question I see a lot when people are presented with an example +of Alpine Linux running as a desktop OS. + +While Alpine is small, fast, and minimal, that doesn't stop it from +functioning at a productive level for desktop users. + +This post is documentation of how I installed and modified Alpine Linux +to become my daily desktop OS. + +** Installation +:PROPERTIES: +:CUSTOM_ID: installation +:END: +Note that I cover the installation of Alpine Linux in my other post, so +I won't repeat it here: [[/blog/alpine-linux/][Alpine Linux: My New +Server OS]]. + +Basically, get a bootable USB or whatever you prefer with Alpine on it, +boot the ISO, and run the setup script. + +#+begin_src sh setup-alpine -``` +#+end_src -Once you have gone through all the options and installer finishes without -errors, reboot. +Once you have gone through all the options and installer finishes +without errors, reboot. -```sh +#+begin_src sh reboot -``` - -## Initial Setup - -Once Alpine is installed and the machine has rebooted, login is as root -initially or `su` to root once you log in as your user. -From here, you should start by updating and upgrading the system in case the -ISO was not fully up-to-date. - -```sh +#+end_src + +** Initial Setup +:PROPERTIES: +:CUSTOM_ID: initial-setup +:END: +Once Alpine is installed and the machine has rebooted, login is as root +initially or =su= to root once you log in as your user. From here, you +should start by updating and upgrading the system in case the ISO was +not fully up-to-date. + +#+begin_src sh # Update and upgrade system apk -U update && apk -U upgrade # Add an editor so we can enable the community repository apk add nano -``` +#+end_src -You need to uncomment the `community` repository for your version of Alpine -Linux. +You need to uncomment the =community= repository for your version of +Alpine Linux. -For v3.17, the `repositories` file should look like this: +For v3.17, the =repositories= file should look like this: -```sh +#+begin_src sh nano /etc/apk/repositories -``` +#+end_src -```conf +#+begin_src conf #/media/sda/apks http://mirrors.gigenet.com/alpinelinux/v3.17/main http://mirrors.gigenet.com/alpinelinux/v3.17/community #http://mirrors.gigenet.com/alpinelinux/edge/main #http://mirrors.gigenet.com/alpinelinux/edge/community #http://mirrors.gigenet.com/alpinelinux/edge/testing -``` +#+end_src -```sh +#+begin_src sh # Add the rest of your packages apk add linux-firmware iwd doas git curl wget # Add yourself to the wheel group so you can use the doas command adduser $USER wheel -``` - -## Window Manager (Desktop) +#+end_src -The [Sway installation guide](https://wiki.alpinelinux.org/wiki/Sway) has -everything you need to get Sway working on Alpine. +** Window Manager (Desktop) +:PROPERTIES: +:CUSTOM_ID: window-manager-desktop +:END: +The [[https://wiki.alpinelinux.org/wiki/Sway][Sway installation guide]] +has everything you need to get Sway working on Alpine. -However, I'll include a brief list of the commands I ran and their purpose for -posterity here. +However, I'll include a brief list of the commands I ran and their +purpose for posterity here. -```sh +#+begin_src sh # Add eudev and set it up apk add eudev setup-devd udev @@ -120,21 +126,21 @@ apk add \ # Install optional dependencies: swaylock swaylockd \ # lockscreen tool swaybg \ # wallpaper daemon swayidle # idle management (DPMS) daemon -``` +#+end_src -Once you have the packages installed and set-up, you need to export the -`XDG_RUNTIME_DIR` upon login. To do this, edit your `.profile` file. +Once you have the packages installed and set-up, you need to export the +=XDG_RUNTIME_DIR= upon login. To do this, edit your =.profile= file. -If you use another shell, such as `zsh`, you need to edit that shell's profile -(e.g., `~/.zprofile`)! +If you use another shell, such as =zsh=, you need to edit that shell's +profile (e.g., =~/.zprofile=)! -```sh +#+begin_src sh nano ~/.profile -``` +#+end_src Within the file, paste this: -```sh +#+begin_src sh if test -z "${XDG_RUNTIME_DIR}"; then export XDG_RUNTIME_DIR=/tmp/$(id -u)-runtime-dir if ! test -d "${XDG_RUNTIME_DIR}"; then @@ -142,19 +148,22 @@ if test -z "${XDG_RUNTIME_DIR}"; then chmod 0700 "${XDG_RUNTIME_DIR}" fi fi -``` +#+end_src Once that's complete, you can launch Sway manually. -```sh +#+begin_src sh dbus-run-session -- sway -``` - -## Personal Touches +#+end_src -I also added the following packages, per my personal preferences and situation. +** Personal Touches +:PROPERTIES: +:CUSTOM_ID: personal-touches +:END: +I also added the following packages, per my personal preferences and +situation. -```sh +#+begin_src sh doas apk add brightnessctl \ # Brightness controller zsh \ # Shell firefox \ # Browser @@ -164,91 +173,98 @@ doas apk add brightnessctl \ # Brightness controller neomutt \ # CLI email client thunderbird \ # GUI email client gnupg # GPG key manager -``` - -From here, I use my Syncthing storage to pull all the configuration files I -stored from prior desktops, such as [my -dotfiles](https://git.sr.ht/~cmc/dotfiles). - -## Resolving Issues - -### WiFi Issues - -I initially tried to set up my Wi-Fi the standard way with `iwd`, but it didn't -work. - -Here is what I initially tried (I did all of this as `root`): - -```sh +#+end_src + +From here, I use my Syncthing storage to pull all the configuration +files I stored from prior desktops, such as +[[https://git.sr.ht/~cmc/dotfiles][my dotfiles]]. + +** Resolving Issues +:PROPERTIES: +:CUSTOM_ID: resolving-issues +:END: +*** WiFi Issues +:PROPERTIES: +:CUSTOM_ID: wifi-issues +:END: +I initially tried to set up my Wi-Fi the standard way with =iwd=, but it +didn't work. + +Here is what I initially tried (I did all of this as =root=): + +#+begin_src sh apk add iwd rc-service iwd start iwctl station wlan0 connect <SSID> # This will prompt for the password rc-update add iwd boot && rc-update add dbus boot -``` +#+end_src -Then, I added the Wi-Fi entry to the bottom of the networking interface file: +Then, I added the Wi-Fi entry to the bottom of the networking interface +file: -```sh +#+begin_src sh nano /etc/network/interfaces -``` +#+end_src -```conf +#+begin_src conf auto wlan0 iface wlan0 inet dhcp -``` +#+end_src Finally, restart the networking service: -```sh +#+begin_src sh rc-service networking restart -``` +#+end_src -My Wi-Fi interface would receive an IP address from the router, but it could -not ping anything in the network. -To solve the Wi-Fi issues, I originally upgraded to Alpine's `edge` -repositories, which was unnecessary. +My Wi-Fi interface would receive an IP address from the router, but it +could not ping anything in the network. To solve the Wi-Fi issues, I +originally upgraded to Alpine's =edge= repositories, which was +unnecessary. -Really, the solution was to enable the `NameResolvingService=resolvconf` in -`/etc/iwd/main.conf`. +Really, the solution was to enable the =NameResolvingService=resolvconf= +in =/etc/iwd/main.conf=. -```sh +#+begin_src sh doas nano /etc/iwd/main.conf -``` +#+end_src -```conf +#+begin_src conf [Network] NameResolvingService=resolvconf -``` +#+end_src Once I finished this process, my Wi-Fi is working flawlessly. -### Sound Issues - -Same as with the Wi-Fi, I had no sound and could not control the mute/unmute or -volume buttons on my laptop. +*** Sound Issues +:PROPERTIES: +:CUSTOM_ID: sound-issues +:END: +Same as with the Wi-Fi, I had no sound and could not control the +mute/unmute or volume buttons on my laptop. -To resolve this, I installed -[pipewire](https://wiki.alpinelinux.org/wiki/PipeWire). +To resolve this, I installed +[[https://wiki.alpinelinux.org/wiki/PipeWire][pipewire]]. -```sh +#+begin_src sh # Add your user to the following groups addgroup $USER audio addgroup $USER video # Install pipewire and other useful packages apk add pipewire wireplumber pipewire-pulse pipewire-jack pipewire-alsa -``` +#+end_src -Finally, I needed to add `/usr/libexec/pipewire-launcher` to my -`.config/sway/config` file so that Pipewire would run every time I launched -sway. +Finally, I needed to add =/usr/libexec/pipewire-launcher= to my +=.config/sway/config= file so that Pipewire would run every time I +launched sway. -```sh +#+begin_src sh nano ~/.config/sway/config -``` +#+end_src -```conf +#+begin_src conf # Run pipewire audio server exec /usr/libexec/pipewire-launcher @@ -257,10 +273,10 @@ bindsym XF86AudioRaiseVolume exec --no-startup-id pactl set-sink-volume @DEFAULT bindsym XF86AudioLowerVolume exec --no-startup-id pactl set-sink-volume @DEFAULT_SINK@ -5% bindsym XF86AudioMute exec --no-startup-id pactl set-sink-mute @DEFAULT_SINK@ toggle bindsym XF86AudioMicMute exec --no-startup-id pactl set-source-mute @DEFAULT_SOURCE@ toggle -``` +#+end_src -Note that I do not use bluetooth or screen sharing, so I won't cover those -options in this post. +Note that I do not use bluetooth or screen sharing, so I won't cover +those options in this post. -Other than these issues, I have a working Alpine desktop. No other complaints -thus far! +Other than these issues, I have a working Alpine desktop. No other +complaints thus far! diff --git a/blog/2023-01-03-recent-website-changes.org b/blog/2023-01-03-recent-website-changes.org index 6988da8..7a9b309 100644 --- a/blog/2023-01-03-recent-website-changes.org +++ b/blog/2023-01-03-recent-website-changes.org @@ -1,82 +1,93 @@ -+++ -date = 2023-01-03 -title = "Recent Website Changes" -description = "A quick review on this website's recent changes." -+++ - -## The State of This Website - -Over the years, this website has changed URLs, styles, content focus, and much -more. However, it seems that I am never done, as I am yet again changing this -page to fit my current needs and wants. - -While this site was already minimal (~12kb), it contained a lot of disorganized -content and some poorly chosen color schemes. - -The recent updates attempt to fix these items while focusing on what I truly -care about here: the content within each page. - -## Recent Changes - -I've made quite a few changes to the style of this website today, both in the -CSS and in the HTML. +#+title: Recent Website Changes +#+date: 2023-01-03 + +** The State of This Website +:PROPERTIES: +:CUSTOM_ID: the-state-of-this-website +:END: +Over the years, this website has changed URLs, styles, content focus, +and much more. However, it seems that I am never done, as I am yet again +changing this page to fit my current needs and wants. + +While this site was already minimal (~12kb), it contained a lot of +disorganized content and some poorly chosen color schemes. + +The recent updates attempt to fix these items while focusing on what I +truly care about here: the content within each page. + +** Recent Changes +:PROPERTIES: +:CUSTOM_ID: recent-changes +:END: +I've made quite a few changes to the style of this website today, both +in the CSS and in the HTML. Here are some of the key takeaways from today's changes: -1. Reduce the width of the website from `60em` to `40em`. -2. Remove breadcrumb navigation and replaced with a simple "Return Home" link -when visiting anything other than the homepage. -3. Remove syntax highlighting from code blocks. CSS now loads from a single -file. -4. Move blog posts on the homepage to the top, pushing tertiary content down. -5. Update font-family from `monospace` to `sans-serif` for readability. - -## Future Focus - -### Accessibility - -My main focus amidst all the changes this past year was accessibility. -I tried to improve the accessibility of all pages on this site as well as I -know how. -For example, I added aria labels to identify different navigation menus in -November. - -I want to continue this in 2023 and learn more about the accessibility features -I can utilize to help those who may need them. - -### Content First - -Beyond accessibility, I am making a concerted effort to bring the content of -this site to the forefront and push the tertiary information (e.g., About Me, -Services, etc.) down below the content. - -Further, I want to review and edit previous blog posts for grammar, accuracy, -dead links, and more. Where necessary, I may even add a blurb at the top of old -posts that are no longer accurate or helpful. - -### Style - -As always, I will be searching for ways to reduce distractions and bring a -minimalistic approach to this site. While there are certainly more drastic -measures I could take, such as making this a [Shinobi -Website](https://shinobi.bt.ht) or a [No CSS Website](https://nocss.club), I -prefer to keep some modern features here. - -Two ideas have been floating around in my head, but I am not sure how I feel -about these approaches yet: - -1. Going all-in with Emacs org-mode and creating a script to auto-publish all my -blog posts from org-mode to plain HTML files and then letting my CSS style it -after the fact. -2. Focus on publishing for Gemini or Gopher and then utilize a conversion -program to translate the pages to HTML. - -## Looking Back - -As I sit here and finalize the changes, as well as this post, I am happy with -the current state of this website. It's certainly a long way from my first -attempts (parallax background images, anyone?) and it's good to see the -progress. - -I can only hope and work hard to ensure that I make more meaningful progress by -this time next year. +1. Reduce the width of the website from =60em= to =40em=. +2. Remove breadcrumb navigation and replaced with a simple "Return Home" + link when visiting anything other than the homepage. +3. Remove syntax highlighting from code blocks. CSS now loads from a + single file. +4. Move blog posts on the homepage to the top, pushing tertiary content + down. +5. Update font-family from =monospace= to =sans-serif= for readability. + +** Future Focus +:PROPERTIES: +:CUSTOM_ID: future-focus +:END: +*** Accessibility +:PROPERTIES: +:CUSTOM_ID: accessibility +:END: +My main focus amidst all the changes this past year was accessibility. I +tried to improve the accessibility of all pages on this site as well as +I know how. For example, I added aria labels to identify different +navigation menus in November. + +I want to continue this in 2023 and learn more about the accessibility +features I can utilize to help those who may need them. + +*** Content First +:PROPERTIES: +:CUSTOM_ID: content-first +:END: +Beyond accessibility, I am making a concerted effort to bring the +content of this site to the forefront and push the tertiary information +(e.g., About Me, Services, etc.) down below the content. + +Further, I want to review and edit previous blog posts for grammar, +accuracy, dead links, and more. Where necessary, I may even add a blurb +at the top of old posts that are no longer accurate or helpful. + +*** Style +:PROPERTIES: +:CUSTOM_ID: style +:END: +As always, I will be searching for ways to reduce distractions and bring +a minimalistic approach to this site. While there are certainly more +drastic measures I could take, such as making this a +[[https://shinobi.bt.ht][Shinobi Website]] or a [[https://nocss.club][No +CSS Website]], I prefer to keep some modern features here. + +Two ideas have been floating around in my head, but I am not sure how I +feel about these approaches yet: + +1. Going all-in with Emacs org-mode and creating a script to + auto-publish all my blog posts from org-mode to plain HTML files and + then letting my CSS style it after the fact. +2. Focus on publishing for Gemini or Gopher and then utilize a + conversion program to translate the pages to HTML. + +** Looking Back +:PROPERTIES: +:CUSTOM_ID: looking-back +:END: +As I sit here and finalize the changes, as well as this post, I am happy +with the current state of this website. It's certainly a long way from +my first attempts (parallax background images, anyone?) and it's good to +see the progress. + +I can only hope and work hard to ensure that I make more meaningful +progress by this time next year. diff --git a/blog/2023-01-05-mass-unlike-tumblr-posts.org b/blog/2023-01-05-mass-unlike-tumblr-posts.org index 387ec36..ed6a90a 100644 --- a/blog/2023-01-05-mass-unlike-tumblr-posts.org +++ b/blog/2023-01-05-mass-unlike-tumblr-posts.org @@ -1,31 +1,37 @@ -+++ -date = 2023-01-05 -title = "How to Easily Mass Unlike Tumblr Posts With Javascript" -description = "A quick Javascript snippet that allows you to quickly unlike your Tumblr likes." -+++ - -## The Dilemma - -The dilemma I had was pretty simple: I wanted to unlike all the posts I have -liked on Tumblr so that I could follow a new focus on blogs and start fresh. -Otherwise, Tumblr will keep recommending content based on your previous likes. - -## The Solution - -I searched the web for a while and noted that most solutions referenced Tumblr -setting and dashboard pages that no longer exist. Additionally, I did not want -to install a third party extension to do this, as some suggested. - -Luckily, I used Javascript for a while a few years ago and figured it would be -easy enough to script a solution, as long as Tumblr had a system for the unlike -buttons. - -### Identifying Unlike Buttons - -Tumblr's unlike buttons are structured as you can see in the following code -block. All unlike buttons have an `aria-label` with a value of `Unlike`. - -```html +#+title: How to Easily Mass Unlike Tumblr Posts With Javascript +#+date: 2023-01-05 + +** The Dilemma +:PROPERTIES: +:CUSTOM_ID: the-dilemma +:END: +The dilemma I had was pretty simple: I wanted to unlike all the posts I +have liked on Tumblr so that I could follow a new focus on blogs and +start fresh. Otherwise, Tumblr will keep recommending content based on +your previous likes. + +** The Solution +:PROPERTIES: +:CUSTOM_ID: the-solution +:END: +I searched the web for a while and noted that most solutions referenced +Tumblr setting and dashboard pages that no longer exist. Additionally, I +did not want to install a third party extension to do this, as some +suggested. + +Luckily, I used Javascript for a while a few years ago and figured it +would be easy enough to script a solution, as long as Tumblr had a +system for the unlike buttons. + +*** Identifying Unlike Buttons +:PROPERTIES: +:CUSTOM_ID: identifying-unlike-buttons +:END: +Tumblr's unlike buttons are structured as you can see in the following +code block. All unlike buttons have an =aria-label= with a value of +=Unlike=. + +#+begin_src html <button class="TRX6J" aria-label="Unlike"> <span class="EvhBA B1Z5w ztpfZ" tabindex="-1"> <svg xmlns="http://www.w3.org/2000/svg" height="21" width="23" @@ -34,33 +40,36 @@ block. All unlike buttons have an `aria-label` with a value of `Unlike`. </svg> </span> </button> -``` - -### Running a Script to Unlike All Likes +#+end_src -To run this script, you will need to load the [Likes | -Tumblr](https://www.tumblr.com/likes) page while logged in to your account. +*** Running a Script to Unlike All Likes +:PROPERTIES: +:CUSTOM_ID: running-a-script-to-unlike-all-likes +:END: +To run this script, you will need to load the +[[https://www.tumblr.com/likes][Likes | Tumblr]] page while logged in to +your account. -Further, be sure to scroll down to the bottom and force Tumblr to load more -posts so that this script unlikes more posts at a time. +Further, be sure to scroll down to the bottom and force Tumblr to load +more posts so that this script unlikes more posts at a time. -Once you are logged in and the page is loaded, open the Developer Tools and be -sure you're on the "Console" tab. It should look something like this (this is -in Firefox, Chromium should be similar): +Once you are logged in and the page is loaded, open the Developer Tools +and be sure you're on the "Console" tab. It should look something like +this (this is in Firefox, Chromium should be similar): - +#+caption: Firefox Dev !Tools +[[https:///img.cleberg.net/blog/20230105-mass-unlike-tumblr-posts/dev_console.png]] -All you need to do is paste the following snippet into the dev console. This -code will collect all unlike buttons (`elements`) and then click each button to -unlike it. +All you need to do is paste the following snippet into the dev console. +This code will collect all unlike buttons (=elements=) and then click +each button to unlike it. -Optionally, you can comment-out the line `elements[i].click();` and uncomment -the `console.log()` lines to simply print out information without performing any -actions. This can be useful to debug issues or confirm that the code below isn't -doing anything you don't want it to. +Optionally, you can comment-out the line =elements[i].click();= and +uncomment the =console.log()= lines to simply print out information +without performing any actions. This can be useful to debug issues or +confirm that the code below isn't doing anything you don't want it to. -```javascript +#+begin_src javascript const elements = document.querySelectorAll('[aria-label="Unlike"]'); // console.log(elements); // 👉 [button] @@ -68,20 +77,24 @@ for (let i=0; i < elements.length; i++) { // console.log(elements[i]); elements[i].click(); } -``` - -## Results - -The results were quick for my situation, as it unliked ~200 posts within 2-3 -seconds. I am not sure how this will perform on larger sets of likes (or if -Tumblr has a limit to unliking posts). - -You can see the below screenshot showing that I pasted the snippet into the -console, pressed Enter, and then the posts are automatically unliked. - - - -Thinking about this further, I would bet that this would be fairly simple to -package into a browser add-on so that users could install the add-on, go to -their Likes page, and click a button to run the script. Food for thought. +#+end_src + +** Results +:PROPERTIES: +:CUSTOM_ID: results +:END: +The results were quick for my situation, as it unliked ~200 posts within +2-3 seconds. I am not sure how this will perform on larger sets of likes +(or if Tumblr has a limit to unliking posts). + +You can see the below screenshot showing that I pasted the snippet into +the console, pressed Enter, and then the posts are automatically +unliked. + +#+caption: Script !Results +[[https:///img.cleberg.net/blog/20230105-mass-unlike-tumblr-posts/script_results.png]] + +Thinking about this further, I would bet that this would be fairly +simple to package into a browser add-on so that users could install the +add-on, go to their Likes page, and click a button to run the script. +Food for thought. diff --git a/blog/2023-01-08-fedora-remove-login-manager.org b/blog/2023-01-08-fedora-remove-login-manager.org index 2de6260..eedb47b 100644 --- a/blog/2023-01-08-fedora-remove-login-manager.org +++ b/blog/2023-01-08-fedora-remove-login-manager.org @@ -1,44 +1,47 @@ -+++ -date = 2023-01-08 -title = "Remove the Login Manager from Fedora i3" -description = "Quickly remove Fedora i3's login manager to launch your desktop manually." -+++ - -## Fedora i3's Login Manager - -Since I use the i3 spin of Fedora Workstation, I don't like to have a login -manager installed by default. As of the current version of Fedora i3, the -default login manager is LightDM. - -If this is no longer the case, you can search for currently-installed packages -with the following command and see if you can identify a different login -manager. - -```sh +#+title: Remove the Login Manager from Fedora i3 +#+date: 2023-01-08 + +** Fedora i3's Login Manager +:PROPERTIES: +:CUSTOM_ID: fedora-i3s-login-manager +:END: +Since I use the i3 spin of Fedora Workstation, I don't like to have a +login manager installed by default. As of the current version of Fedora +i3, the default login manager is LightDM. + +If this is no longer the case, you can search for currently-installed +packages with the following command and see if you can identify a +different login manager. + +#+begin_src sh sudo dnf list installed -``` - -## Removing the Login Manager +#+end_src +** Removing the Login Manager +:PROPERTIES: +:CUSTOM_ID: removing-the-login-manager +:END: In order to remove the login manager, simply uninstall the package. -```sh +#+begin_src sh sudo dnf remove lightdm -``` - -## Launching i3 Manually +#+end_src -In order to launch i3 manually, you need to set up your X session properly. -To start, create or edit the `~/.xinitrc` file to include the following at -the bottom. +** Launching i3 Manually +:PROPERTIES: +:CUSTOM_ID: launching-i3-manually +:END: +In order to launch i3 manually, you need to set up your X session +properly. To start, create or edit the =~/.xinitrc= file to include the +following at the bottom. -```config +#+begin_src config exec i3 -``` +#+end_src -Now, whenever you log in to the TTY, you can launch your desktop with the -following command. +Now, whenever you log in to the TTY, you can launch your desktop with +the following command. -```sh +#+begin_src sh startx -``` +#+end_src diff --git a/blog/2023-01-21-running-flatpak-apps-easily.org b/blog/2023-01-21-running-flatpak-apps-easily.org index 0948411..1608eb1 100644 --- a/blog/2023-01-21-running-flatpak-apps-easily.org +++ b/blog/2023-01-21-running-flatpak-apps-easily.org @@ -1,45 +1,50 @@ -+++ -date = 2023-01-21 -title = "Running Flatpak Apps with Symlinks" -description = "Run flatpak apps faster and easier with a simple symlink solution." -+++ +#+title: Running Flatpak Apps with Symlinks +#+date: 2023-01-21 -## Running Flatpak Apps Should Be Faster +** Running Flatpak Apps Should Be Faster +:PROPERTIES: +:CUSTOM_ID: running-flatpak-apps-should-be-faster +:END: +If you're like me and use Flatpak for those pesky apps that cannot run +on your system for one reason or another, you likely get annoyed with +opening a terminal and manually running the Flatpak app with the lengthy +=flatpak run ...= command. -If you're like me and use Flatpak for those pesky apps that cannot run on your -system for one reason or another, you likely get annoyed with opening a terminal -and manually running the Flatpak app with the lengthy `flatpak run ...` command. - -In the past, I manually created aliases in my `.zshrc` file for certain apps. -For example, an alias would look like the example below. +In the past, I manually created aliases in my =.zshrc= file for certain +apps. For example, an alias would look like the example below. This would allow me to run the command fast within the terminal, but it wouldn't allow me to run it in an application launcher. -```sh +#+begin_src sh # ~/.zshrc alias librewolf = "flatpak run io.gitlab.librewolf-community" -``` - -However, I now use a much faster and better method that integrates with the -tiling WMs I use and their application launchers - `dmenu` and `bemenu`. +#+end_src -## Creating Symlinks for Flatpak Apps +However, I now use a much faster and better method that integrates with +the tiling WMs I use and their application launchers - =dmenu= and +=bemenu=. -Let's use the example of Librewolf below. I can install the application like so: +** Creating Symlinks for Flatpak Apps +:PROPERTIES: +:CUSTOM_ID: creating-symlinks-for-flatpak-apps +:END: +Let's use the example of Librewolf below. I can install the application +like so: -```sh +#+begin_src sh flatpak install flathub io.gitlab.librewolf-community -``` +#+end_src -Once installed, I can create a symlink to link the flatpak app to my new symlink -in a location commonly included in your PATH. In this case, I chose `/usr/bin`. -You may need to choose a different location if `/usr/bin` isn't in your PATH. +Once installed, I can create a symlink to link the flatpak app to my new +symlink in a location commonly included in your PATH. In this case, I +chose =/usr/bin=. You may need to choose a different location if +=/usr/bin= isn't in your PATH. -```sh +#+begin_src sh ln -s /var/lib/flatpak/exports/bin/io.gitlab.librewolf-community /usr/bin/librewolf -``` +#+end_src -Once complete, you should be able to launch the app using the command name you -chose above in the symlink (`librewolf`) from a terminal or from your -application launcher! +Once complete, you should be able to launch the app using the command +name you chose above in the symlink (=librewolf=) from a terminal or +from your application launcher! diff --git a/blog/2023-01-23-random-mullvad-wireguard.org b/blog/2023-01-23-random-mullvad-wireguard.org index 200b498..c87f05a 100644 --- a/blog/2023-01-23-random-mullvad-wireguard.org +++ b/blog/2023-01-23-random-mullvad-wireguard.org @@ -1,47 +1,49 @@ -+++ -date = 2023-01-23 -title = "Connecting to a Random Mullvad Wireguard Host" -description = "Read to see how I used a shell script to randomly connect to a Mullvad Wireguard host each time I run the script." -+++ +#+title: Connecting to a Random Mullvad Wireguard Host +#+date: 2023-01-23 -## Mullvad Wireguard - -If you're using an OS that does not support one of Mullvad's apps, you're -likely using the Wireguard configuration files instead. +** Mullvad Wireguard +:PROPERTIES: +:CUSTOM_ID: mullvad-wireguard +:END: +If you're using an OS that does not support one of Mullvad's apps, +you're likely using the Wireguard configuration files instead. If not, the first step is to visit Mullvad's -[Wireguard configuration -files](https://mullvad.net/en/account/#/wireguard-config) page and download a -ZIP of the configuration files you want to use. +[[https://mullvad.net/en/account/#/wireguard-config][Wireguard +configuration files]] page and download a ZIP of the configuration files +you want to use. -Personally, I downloaded all configuration files across the world and chose my -connections using the script below. +Personally, I downloaded all configuration files across the world and +chose my connections using the script below. -Once the files are downloaded, unzip them and move them to your preferred -location: +Once the files are downloaded, unzip them and move them to your +preferred location: -```sh +#+begin_src sh cd Downloads unzip mullvad_wireguard_linux_all_all.zip mkdir ~/mullvad && mv ~/Downloads/*.conf ~/mullvad/ -``` - -## Creating a Script to Connect to a Random Host +#+end_src -Once you have a folder of Wireguard configuration files from Mullvad, you can -create a script to randomly connect to any one of the locations. +** Creating a Script to Connect to a Random Host +:PROPERTIES: +:CUSTOM_ID: creating-a-script-to-connect-to-a-random-host +:END: +Once you have a folder of Wireguard configuration files from Mullvad, +you can create a script to randomly connect to any one of the locations. -Start by creating a shell script - mine is called `vpn.sh`. +Start by creating a shell script - mine is called =vpn.sh=. -```sh +#+begin_src sh nano ~/vpn.sh -``` +#+end_src -Within this script, you can paste the following info. Note that I specify `us-*` -in my script, which means that it will only consider US-based VPN locations. You -can alter this or simply change it `*` to consider all locations. +Within this script, you can paste the following info. Note that I +specify =us-*= in my script, which means that it will only consider +US-based VPN locations. You can alter this or simply change it =*= to +consider all locations. -```sh +#+begin_src sh #!/bin/sh ls /home/$USER/mullvad/us-* |sort -R |tail -n 1 |while read file; do @@ -52,19 +54,19 @@ ls /home/$USER/mullvad/us-* |sort -R |tail -n 1 |while read file; do printf "\n\nPrinting new IP info:\n" curl https://am.i.mullvad.net/connected done -``` +#+end_src -Once you've modified the script to your liking, add executable permissions -and run the script: +Once you've modified the script to your liking, add executable +permissions and run the script: -```sh +#+begin_src sh chmod +x ~/vpn.sh ~/vpn.sh -``` +#+end_src The output should look like the following: -```txt +#+begin_src txt doas (user@host) password: # ... The script will process all of the iptables and wg commands here @@ -73,42 +75,45 @@ Created Mullvad wireguard connection with file: /home/user/mullvad/us-nyc-wg-210 Printing new IP info: You are connected to Mullvad (server country-city-wg-num). Your IP address is 12.345.678.99 -``` +#+end_src That's all there is to it. You can see your new location and IP via the -`printf` and `curl` commands included in the script. - -You can also go to the [Connection Check | -Mullvad](https://mullvad.net/en/check/) page to see if you are fully connected -to Mullvad and if any leaks exist. +=printf= and =curl= commands included in the script. - +You can also go to the [[https://mullvad.net/en/check/][Connection Check +| Mullvad]] page to see if you are fully connected to Mullvad and if any +leaks exist. -## Disconnecting from the Wireguard Connection +#+caption: Mullvad Connection Check +[[https://img.cleberg.net/blog/20230123-random-mullvad-wireguard/mullvad_check.png]] -If you forget which connection you're using, you can execute the following -command to see where Wireguard is currently connected: +** Disconnecting from the Wireguard Connection +:PROPERTIES: +:CUSTOM_ID: disconnecting-from-the-wireguard-connection +:END: +If you forget which connection you're using, you can execute the +following command to see where Wireguard is currently connected: -```sh +#+begin_src sh wg show -``` +#+end_src This command will show you the Wireguard interfaces and should output a -connection like so: `interface: us-lax-wg-104`. +connection like so: =interface: us-lax-wg-104=. Once you have this, just disconnect using that files' full path: -```sh +#+begin_src sh wg-quick down /home/user/mullvad/us-lax-wg-104.conf -``` +#+end_src -I have a TODO item on figuring out how to easily export an environment variable -that contains the configuration file's full name, so that I can just execute the -following: +I have a TODO item on figuring out how to easily export an environment +variable that contains the configuration file's full name, so that I can +just execute the following: -```sh +#+begin_src sh # Ideal situation if I can export the $file variable to the environment wg-quick down $file -``` +#+end_src If you have an idea on how to do this, email me! diff --git a/blog/2023-01-28-self-hosting-wger-workout-manager.org b/blog/2023-01-28-self-hosting-wger-workout-manager.org index 4e1730d..a4314c3 100644 --- a/blog/2023-01-28-self-hosting-wger-workout-manager.org +++ b/blog/2023-01-28-self-hosting-wger-workout-manager.org @@ -1,27 +1,33 @@ -+++ -date = 2023-01-28 -title = "Self-Hosting Wger Workout Manager" -description = "A walkthrough on how to host Wger with Docker on Linux." -+++ - -## Wger: The Self-Hosted Workout Manager - -[Wger Workout Manager](https://wger.de) is a fitness tracking tool for those who -enjoy self-hosting their data. You can also register an account on their main -website if you'd prefer to try without self-hosting. - -### Features - -I didn't see a full listing of features anywhere, so I compiled this list of my -own after installing wger: - -#### Dashboard - -- Dashboard view of Workout Schedule, Nutrition Plan, Weight Graph, & last 5 -Weight Logs - -#### Training - +#+title: Self-Hosting Wger Workout Manager +#+date: 2023-01-28 + +** Wger: The Self-Hosted Workout Manager +:PROPERTIES: +:CUSTOM_ID: wger-the-self-hosted-workout-manager +:END: +[[https://wger.de][Wger Workout Manager]] is a fitness tracking tool for +those who enjoy self-hosting their data. You can also register an +account on their main website if you'd prefer to try without +self-hosting. + +*** Features +:PROPERTIES: +:CUSTOM_ID: features +:END: +I didn't see a full listing of features anywhere, so I compiled this +list of my own after installing wger: + +**** Dashboard +:PROPERTIES: +:CUSTOM_ID: dashboard +:END: +- Dashboard view of Workout Schedule, Nutrition Plan, Weight Graph, & + last 5 Weight Logs + +**** Training +:PROPERTIES: +:CUSTOM_ID: training +:END: - Workout Log - Workout Schedule - Calendar (shows weight logs and Bad/Neutral/Good days) @@ -30,72 +36,83 @@ Weight Logs - Public templates - Exercises -#### Nutrition - +**** Nutrition +:PROPERTIES: +:CUSTOM_ID: nutrition +:END: - Nutrition plans - BMI calculator - Daily calories calculator - Ingredient overview -#### Body Weight - +**** Body Weight +:PROPERTIES: +:CUSTOM_ID: body-weight +:END: - Weight overview -### Documentation - +*** Documentation +:PROPERTIES: +:CUSTOM_ID: documentation +:END: In order to self-host wger, I opted to use the Docker version of the application. You can read the README within the -[wger-project/docker](https://github.com/wger-project/docker) project on GitHub -for information and installation instructions. +[[https://github.com/wger-project/docker][wger-project/docker]] project +on GitHub for information and installation instructions. -### Installation +*** Installation +:PROPERTIES: +:CUSTOM_ID: installation +:END: +To start the installation, I created a folder for wger and started +creating the three necessary files: -To start the installation, I created a folder for wger and started creating the -three necessary files: - -```sh +#+begin_src sh mkdir ~/wger && mkdir ~/wger/config touch ~/wger/docker-compose.yml && \ touch ~/wger/config/prod.env && \ touch ~/wger/config/nginx.conf -``` +#+end_src -Once you have the folders and files created, you will need to copy the contents -of the `docker-compose.yml`, `prod.env`, and `nginx.conf` from the GitHub link -above. +Once you have the folders and files created, you will need to copy the +contents of the =docker-compose.yml=, =prod.env=, and =nginx.conf= from +the GitHub link above. A few notes to explain the changes I made to the default files: -- I updated the `ALLOW_REGISTRAION` variable in `prod.env` to `False` after I -created an account via my LAN connection, **before** I connected this app to a -publicly-available domain. -- I uncommented and updated `CSRF_TRUSTED_ORIGINS` to be equal to the public -version of this app: `https://wger.example.com`. -- I updated the port within `docker-compose.yml`, within the `nginx` block. The -port I updated this to will be reflected in my nginx configuration file on the -server (NOT the wger nginx.conf file). - -### Deploy - +- I updated the =ALLOW_REGISTRAION= variable in =prod.env= to =False= + after I created an account via my LAN connection, *before* I connected + this app to a publicly-available domain. +- I uncommented and updated =CSRF_TRUSTED_ORIGINS= to be equal to the + public version of this app: =https://wger.example.com=. +- I updated the port within =docker-compose.yml=, within the =nginx= + block. The port I updated this to will be reflected in my nginx + configuration file on the server (NOT the wger nginx.conf file). + +*** Deploy +:PROPERTIES: +:CUSTOM_ID: deploy +:END: Once all files are created and modified to your needs, simply start the container. -```sh +#+begin_src sh docker-compose up -d -``` +#+end_src -You can now visit the website on your LAN by going to `localhost:YOUR_PORT` or -by the server's IP, if you're not on the same machine that is running the -container. +You can now visit the website on your LAN by going to +=localhost:YOUR_PORT= or by the server's IP, if you're not on the same +machine that is running the container. -If you wish to connect this app to a public domain name, you'll need to point an -`A` DNS record from the domain to your server's public IP. You'll then need to -create a configuration file for whichever web server or reverse proxy you're -using. +If you wish to connect this app to a public domain name, you'll need to +point an =A= DNS record from the domain to your server's public IP. +You'll then need to create a configuration file for whichever web server +or reverse proxy you're using. -Wger's README suggests the following reverse proxy configuration for Nginx: +Wger's README suggests the following reverse proxy configuration for +Nginx: -```conf +#+begin_src conf upstream wger { # This port should match the port in the `nginx` block of docker-compose.yml # If the container is running on this same machine, replace this with @@ -122,27 +139,32 @@ server { ssl_certificate /path/to/https/certificate.crt; ssl_certificate_key /path/to/https/certificate.key; } -``` - -## Thoughts on Wger +#+end_src +** Thoughts on Wger +:PROPERTIES: +:CUSTOM_ID: thoughts-on-wger +:END: I'm still playing around with the app itself, but it seems to be a solid all-around workout manager, weight log, and food log. -I like that the weight log graph is fluid and updates quickly. You can also -import or export data in CSV format if you'd like to move your data elsewhere. - -The workout manager is slightly odd, as it requires you to enter sets and reps -for each exercise when you enter it into the plan. Then, when you add a log -entry for performing a workout, you then add what you actually performed, in -terms of reps and weight. +I like that the weight log graph is fluid and updates quickly. You can +also import or export data in CSV format if you'd like to move your data +elsewhere. -I haven't tried the food log yet and I likely will not, at least for a -while. -I have no need for a food log or calorie tracker at the moment. +The workout manager is slightly odd, as it requires you to enter sets +and reps for each exercise when you enter it into the plan. Then, when +you add a log entry for performing a workout, you then add what you +actually performed, in terms of reps and weight. -### Screenshot Example +I haven't tried the food log yet and I likely will not, at least for a +while. I have no need for a food log or calorie tracker at the moment. +*** Screenshot Example +:PROPERTIES: +:CUSTOM_ID: screenshot-example +:END: You can see an example of a dashboard with placeholder data here: - +#+caption: wger dashboard +[[https://img.cleberg.net/blog/20230128-wger/wger.png]] diff --git a/blog/2023-02-02-exploring-hare.org b/blog/2023-02-02-exploring-hare.org index e187041..c934b7d 100644 --- a/blog/2023-02-02-exploring-hare.org +++ b/blog/2023-02-02-exploring-hare.org @@ -1,162 +1,189 @@ -+++ -date = 2023-02-02 -title = "Exploring the Hare Programming Language" -description = "Walking back through my first project using the Hare programming language." -aliases = ["/blog/testing-out-hare"] -+++ - -## A Quick Note - -By no means am I a professional developer, so this post will be rather short. -I won't be going into depth on the specification or anything that technical. - -Instead, I will simply be talking about how I (a relatively basic hobbyist -programmer) have been playing with Hare and what intrigues me about the -language. - -## Hare - -The [Hare](https://harelang.org) programming language is a straightforward -language that should look familiar if you've ever programmed with C, Rust, -or other languages that aim to build software at the system-level. +#+title: Exploring the Hare Programming Language +#+date: 2023-02-02 + +** A Quick Note +:PROPERTIES: +:CUSTOM_ID: a-quick-note +:END: +By no means am I a professional developer, so this post will be rather +short. I won't be going into depth on the specification or anything that +technical. + +Instead, I will simply be talking about how I (a relatively basic +hobbyist programmer) have been playing with Hare and what intrigues me +about the language. + +** Hare +:PROPERTIES: +:CUSTOM_ID: hare +:END: +The [[https://harelang.org][Hare]] programming language is a +straightforward language that should look familiar if you've ever +programmed with C, Rust, or other languages that aim to build software +at the system-level. The Hare homepage states the following: -> Hare is a systems programming language designed to be simple, stable, and -> robust. Hare uses a static type system, manual memory management, and -> minimal runtime. It is well-suited to writing operating systems, system -> tools, compilers, networking software, and other low-level, high performance -> tasks. +#+begin_quote +Hare is a systems programming language designed to be simple, stable, +and robust. Hare uses a static type system, manual memory management, +and minimal runtime. It is well-suited to writing operating systems, +system tools, compilers, networking software, and other low-level, high +performance tasks. -I have found this all to be true while playing with it for the first time today. -In the next few sections, I'm going to walk through my installation and first -program. +#+end_quote -### Installation +I have found this all to be true while playing with it for the first +time today. In the next few sections, I'm going to walk through my +installation and first program. -I'm currently running Alpine Linux on my Thinkpad, so the installation was quite -easy as there is a package for Hare in the `apk` repositories. +*** Installation +:PROPERTIES: +:CUSTOM_ID: installation +:END: +I'm currently running Alpine Linux on my Thinkpad, so the installation +was quite easy as there is a package for Hare in the =apk= repositories. -```sh +#+begin_src sh doas apk add hare hare-doc -``` +#+end_src -However, I was able to install Hare from scratch on Fedora Linux a short while -ago, which was also very easy to do. If you need further instructions and Hare -doesn't have a package on your system, take a look at the [Hare -Installation](https://harelang.org/installation/) page. - -### Creating a Test Project +However, I was able to install Hare from scratch on Fedora Linux a short +while ago, which was also very easy to do. If you need further +instructions and Hare doesn't have a package on your system, take a look +at the [[https://harelang.org/installation/][Hare Installation]] page. +*** Creating a Test Project +:PROPERTIES: +:CUSTOM_ID: creating-a-test-project +:END: In order to play with the language, I created -[hare-test](https://git.sr.ht/~cmc/hare-projects) and will be -putting any of my Hare-related adventures in here. +[[https://git.sr.ht/~cmc/hare-projects][hare-test]] and will be putting +any of my Hare-related adventures in here. + +#+begin_quote +*Update:* I also created a simple Hare program for creating a file from +user input: +[[https://git.sr.ht/~cmc/hare-projects/tree/main/item/files/files.ha][files.ha]] -> **Update:** I also created a simple Hare program for creating a file from user -> input: -> [files.ha](https://git.sr.ht/~cmc/hare-projects/tree/main/item/files/files.ha) +#+end_quote -Luckily, Hare doesn't require any complex set-up tools or build environment. -Once you have Hare installed, you simply need to create a file ending with `.ha` -and you can run a Hare program. +Luckily, Hare doesn't require any complex set-up tools or build +environment. Once you have Hare installed, you simply need to create a +file ending with =.ha= and you can run a Hare program. -I created a file called `rgb.ha` in order to test out the random number +I created a file called =rgb.ha= in order to test out the random number generation and passing parameters between functions. -```sh +#+begin_src sh nano rgb.ha -``` +#+end_src -Within this file, I was able to easily import a few of the [standard library -modules](https://harelang.org/tutorials/stdlib/): `fmt`, `math::random`, and -`datetime`. +Within this file, I was able to easily import a few of the +[[https://harelang.org/tutorials/stdlib/][standard library modules]]: +=fmt=, =math::random=, and =datetime=. With these modules, I created two functions: -1. `main`: This function calls the `generate_rgb` function and then prints out -the returned values. -2. `generate_rgb`: This function uses the current Unix epoch time to generate a -pseudo-random value and uses this value to create three more random values -between 0 and 255. These three numbers represent a color in RGB format. +1. =main=: This function calls the =generate_rgb= function and then + prints out the returned values. +2. =generate_rgb=: This function uses the current Unix epoch time to + generate a pseudo-random value and uses this value to create three + more random values between 0 and 255. These three numbers represent a + color in RGB format. -> **Note**: Some syntax coloring may look odd, as Zola currently doesn't have a -> syntax highlighting theme for Hare. Instead, I'm using the C theme, which may -> not be exactly accurate when coloring the code below. +#+begin_quote +*Note*: Some syntax coloring may look odd, as Zola currently doesn't +have a syntax highlighting theme for Hare. Instead, I'm using the C +theme, which may not be exactly accurate when coloring the code below. -```c +#+end_quote + +#+begin_src C use datetime; use fmt; use math::random; export fn main() void = { - const rgb = generate_rgb(); - fmt::printfln("RGB: ({}, {}, {})", rgb[0], rgb[1], rgb[2])!; + const rgb = generate_rgb(); + fmt::printfln("RGB: ({}, {}, {})", rgb[0], rgb[1], rgb[2])!; }; fn generate_rgb() []u64 = { - // Use the current Unix epoch time as the seed value - let datetime = datetime::epochunix(&datetime::now()); + // Use the current Unix epoch time as the seed value + let datetime = datetime::epochunix(&datetime::now()); - // Generate initial pseudo-random value - // You must cast the datetime from int to u64 - let x = random::init(datetime: u64); + // Generate initial pseudo-random value + // You must cast the datetime from int to u64 + let x = random::init(datetime: u64); - // Generate RGB values between (0, 255) using pseudo-random init value - let r = random::u64n(&x, 255); - let g = random::u64n(&x, 255); - let b = random::u64n(&x, 255); + // Generate RGB values between (0, 255) using pseudo-random init value + let r = random::u64n(&x, 255); + let g = random::u64n(&x, 255); + let b = random::u64n(&x, 255); - // Structure data as array and return - let rgb_array: [3]u64 = [r, g, b]; - return rgb_array; + // Structure data as array and return + let rgb_array: [3]u64 = [r, g, b]; + return rgb_array; }; -``` - -### Running a Program +#+end_src -Once you have a Hare file written and ready to run, you simply need to run it: +*** Running a Program +:PROPERTIES: +:CUSTOM_ID: running-a-program +:END: +Once you have a Hare file written and ready to run, you simply need to +run it: -```sh +#+begin_src sh hare run file.ha -``` +#+end_src You can also compile the program into an executable: -```sh +#+begin_src sh hare build -o example file.ha ./example -``` - -### Initial Thoughts - -#### Documentation Improvements Would Help - -While I was able to piece everything together eventually, the biggest downfall -right now in Hare's documentation. For such a new project, the documentation is -in a great spot. However, bare specifications don't help as much as a brief -examples section would. - -For example, it took me a while to figure out what the `u64n` function was -looking for. I could tell that it took two parameters and the second was my max -value (255), but couldn't figure out what the first value should be. Eventually, -I inspected the `random.ha` file in the [Hare source -code](https://git.sr.ht/~sircmpwn/hare/tree/master/item/math/random/random.ha) -and found the test suite that helped me discover that it needed an `init()` -value in the form of `&var`. - -#### More Basic Modules - +#+end_src + +*** Initial Thoughts +:PROPERTIES: +:CUSTOM_ID: initial-thoughts +:END: +**** Documentation Improvements Would Help +:PROPERTIES: +:CUSTOM_ID: documentation-improvements-would-help +:END: +While I was able to piece everything together eventually, the biggest +downfall right now in Hare's documentation. For such a new project, the +documentation is in a great spot. However, bare specifications don't +help as much as a brief examples section would. + +For example, it took me a while to figure out what the =u64n= function +was looking for. I could tell that it took two parameters and the second +was my max value (255), but couldn't figure out what the first value +should be. Eventually, I inspected the =random.ha= file in the +[[https://git.sr.ht/~sircmpwn/hare/tree/master/item/math/random/random.ha][Hare +source code]] and found the test suite that helped me discover that it +needed an =init()= value in the form of =&var=. + +**** More Basic Modules +:PROPERTIES: +:CUSTOM_ID: more-basic-modules +:END: This is another point that comes from Hare being new and awaiting more -contributions, but there are some basic functions that I would personally enjoy -seeing in Hare, such as one to convert decimal (base 10) values to hexadecimal -(base 16). - -If I'm feeling comfortable with my math, I may work on the list of functions I -want and see if any can make it into the Hare source code. - -#### Overall Thoughts - -Overall, I actually really enjoy Hare. It's not as tedious to get a project up -and running as Rust, but it's also simpler and more user-friendly than learning -C. I am going to continue playing with it and see if I can make anything of -particular value. +contributions, but there are some basic functions that I would +personally enjoy seeing in Hare, such as one to convert decimal +(base 10) values to hexadecimal (base 16). + +If I'm feeling comfortable with my math, I may work on the list of +functions I want and see if any can make it into the Hare source code. + +**** Overall Thoughts +:PROPERTIES: +:CUSTOM_ID: overall-thoughts +:END: +Overall, I actually really enjoy Hare. It's not as tedious to get a +project up and running as Rust, but it's also simpler and more +user-friendly than learning C. I am going to continue playing with it +and see if I can make anything of particular value. diff --git a/blog/2023-05-22-burnout.org b/blog/2023-05-22-burnout.org index b5a898a..8630153 100644 --- a/blog/2023-05-22-burnout.org +++ b/blog/2023-05-22-burnout.org @@ -1,43 +1,48 @@ -+++ -date = 2023-05-22 -title = "Burnout" -description = "Dealing with burnout." -+++ - -## RE: Burnout - -I recently read [Drew DeVault's post on burnout](https://drewdevault.com/2023/05/01/2023-05-01-Burnout.html) -around the same time I was pulling out of a burnout rut myself earlier this month. -Finally, seeing the light at the end of my burnout tunnel made me want to -write my first post back on this topic. - -## Busy Seasons on Busy Seasons - +#+title: Burnout +#+date: 2023-05-22 + +** RE: Burnout +:PROPERTIES: +:CUSTOM_ID: re-burnout +:END: +I recently read +[[https://drewdevault.com/2023/05/01/2023-05-01-Burnout.html][Drew +DeVault's post on burnout]] around the same time I was pulling out of a +burnout rut myself earlier this month. Finally, seeing the light at the +end of my burnout tunnel made me want to write my first post back on +this topic. + +** Busy Seasons on Busy Seasons +:PROPERTIES: +:CUSTOM_ID: busy-seasons-on-busy-seasons +:END: My career deals with busy seasons, generally driven by client demand. -This last year, I dealt with a harsh busy season from Aug to Oct 2022 to -issue a few SOC reports for the period ending 2022-09-30. -Immediately following that, I had to pivot and found another busy season -from Oct to Jan for financial statement audits ending on 2022-12-31. -Then again, supporting other clients from Jan to Mar 2023, followed by my -current client workload aiming for SOC reports due on 2023-06-30. - -The result? A busy season that has lasted from August 2022 through today. I -will likely be rushing throughout the next month or two before I have a brief -break and need to focus on the 2023-09-30 SOC reports again. While auditing and -consulting always involve a busy season, this is the first time I've -had one last 9+ months without a break. - -While it's been tough, I have a handful of breaks pre-planned throughout this -next cycle and should be able to moderate the level of commitment required for -each client. - -## Refocusing - -Outside of work, I finally have time to work on hobbies such as this website, -programming, athletics, games, etc. - -You may have noticed my absence if you're in the same channels, forums, and -rooms that I am, but I should finally be active again. - -I'm hoping to break an item out of my backlog soon and start working on building -a new project or hack around with a stale one. +This last year, I dealt with a harsh busy season from Aug to Oct 2022 to +issue a few SOC reports for the period ending 2022-09-30. Immediately +following that, I had to pivot and found another busy season from Oct to +Jan for financial statement audits ending on 2022-12-31. Then again, +supporting other clients from Jan to Mar 2023, followed by my current +client workload aiming for SOC reports due on 2023-06-30. + +The result? A busy season that has lasted from August 2022 through +today. I will likely be rushing throughout the next month or two before +I have a brief break and need to focus on the 2023-09-30 SOC reports +again. While auditing and consulting always involve a busy season, this +is the first time I've had one last 9+ months without a break. + +While it's been tough, I have a handful of breaks pre-planned throughout +this next cycle and should be able to moderate the level of commitment +required for each client. + +** Refocusing +:PROPERTIES: +:CUSTOM_ID: refocusing +:END: +Outside of work, I finally have time to work on hobbies such as this +website, programming, athletics, games, etc. + +You may have noticed my absence if you're in the same channels, forums, +and rooms that I am, but I should finally be active again. + +I'm hoping to break an item out of my backlog soon and start working on +building a new project or hack around with a stale one. diff --git a/blog/2023-06-08-goaccess-geoip.org b/blog/2023-06-08-goaccess-geoip.org index a214831..fd49a08 100644 --- a/blog/2023-06-08-goaccess-geoip.org +++ b/blog/2023-06-08-goaccess-geoip.org @@ -1,46 +1,51 @@ -+++ -date = 2023-06-08T22:05:00Z -title = "Inspecting Nginx Logs with GoAccess and MaxMind GeoIP Data" -description = "" -+++ - -## Overview - -[GoAccess](https://goaccess.io/) is an open source real-time web log analyzer -and interactive viewer that runs in a terminal in *nix systems or through your -browser. - -## Installation - -To start, you'll need to install GoAccess for your OS. Here's an example for -Debian-based distros: - -```bash +#+title: Inspecting Nginx Logs with GoAccess and MaxMind GeoIP Data +#+date: 2023-06-08 + +** Overview +:PROPERTIES: +:CUSTOM_ID: overview +:END: +[[https://goaccess.io/][GoAccess]] is an open source real-time web log +analyzer and interactive viewer that runs in a terminal in *nix systems +or through your browser. + +** Installation +:PROPERTIES: +:CUSTOM_ID: installation +:END: +To start, you'll need to install GoAccess for your OS. Here's an example +for Debian-based distros: + +#+begin_src sh sudo apt install goaccess -``` +#+end_src -Next, find any number of the MaxMind GeoIP database files on GitHub or another -file hosting website. We're going to use P3TERX's version in this example: +Next, find any number of the MaxMind GeoIP database files on GitHub or +another file hosting website. We're going to use P3TERX's version in +this example: -```bash +#+begin_src sh wget https://github.com/P3TERX/GeoLite.mmdb/raw/download/GeoLite2-City.mmdb -``` +#+end_src Be sure to save this file in an easy to remember location! -## Usage - -In order to utilize the full capabilities of GoAccess and MMDB, start with the -command template below and customize as necessary. This will export an HTML -view of the GoAccess dashboard, showing all relevant information related to -that site's access log. You can also omit the `-o output.html` parameter if you -prefer to view the data within the CLI instead of creating an HTML file. - -With the addition of the GeoIP Database parameter, section `16 - Geo Location` -will be added with the various countries that are associated with the collected -IP addresses. - -```bash +** Usage +:PROPERTIES: +:CUSTOM_ID: usage +:END: +In order to utilize the full capabilities of GoAccess and MMDB, start +with the command template below and customize as necessary. This will +export an HTML view of the GoAccess dashboard, showing all relevant +information related to that site's access log. You can also omit the +=-o output.html= parameter if you prefer to view the data within the CLI +instead of creating an HTML file. + +With the addition of the GeoIP Database parameter, section +=16 - Geo Location= will be added with the various countries that are +associated with the collected IP addresses. + +#+begin_src sh zcat /var/log/nginx/example.access.log.*.gz | goaccess \ --geoip-database=/home/user/GeoLite2-City.mmdb \ --date-format=%d/%b/%Y \ @@ -48,18 +53,22 @@ zcat /var/log/nginx/example.access.log.*.gz | goaccess \ --log-format=COMBINED \ -o output.html \ /var/log/nginx/example.access.log - -``` - -### Example Output +#+end_src +*** Example Output +:PROPERTIES: +:CUSTOM_ID: example-output +:END: See below for an example of the HTML output: - +#+caption: GoAccess HTML +[[https://img.cleberg.net/blog/20230608-goaccess/goaccess-dashboard.png]] -You can also see the GeoIP card created by the integration of the MaxMind -database information. +You can also see the GeoIP card created by the integration of the +MaxMind database information. - +#+caption: GoAccess GeoIP +[[https://img.cleberg.net/blog/20230608-goaccess/goaccess-geoip.png]] -That's all there is to it! -Informational data is provided in an organized fashion with minimal effort. +That's all there is to it! Informational data is provided in an +organized fashion with minimal effort. diff --git a/blog/2023-06-08-self-hosting-baikal-server.org b/blog/2023-06-08-self-hosting-baikal-server.org index d35e5b3..14a616b 100644 --- a/blog/2023-06-08-self-hosting-baikal-server.org +++ b/blog/2023-06-08-self-hosting-baikal-server.org @@ -1,34 +1,34 @@ -+++ -date = 2023-06-08T21:48:00Z -title = "Self-Hosting Baïkal Server (CalDAV & CardDAV)" -description = "A quick guide on install Baïkal with docker-compose." -+++ - -## What is Baïkal? - -[Baïkal](https://sabre.io/baikal/) is a lightweight CalDAV + CardDAV server -that you can self-host on your own machine. -While I have tried (& failed) to get this CalDAV + CardDAV server running -before, it was quite easy this time. -Not really sure what I did differently this time, but I'm documenting my -process here to ensure I don't forget. - -## Installation - -First, create a folder on your server and open a `docker-compose.yml` file for -editing: - -```bash +#+title: Self-Hosting Baïkal Server +#+date: 2023-06-08 + +** What is Baïkal? +:PROPERTIES: +:CUSTOM_ID: what-is-baïkal +:END: +[[https://sabre.io/baikal/][Baïkal]] is a lightweight CalDAV + CardDAV +server that you can self-host on your own machine. While I have tried (& +failed) to get this CalDAV + CardDAV server running before, it was quite +easy this time. Not really sure what I did differently this time, but +I'm documenting my process here to ensure I don't forget. + +** Installation +:PROPERTIES: +:CUSTOM_ID: installation +:END: +First, create a folder on your server and open a =docker-compose.yml= +file for editing: + +#+begin_src sh mkdir baikal && cd baikal nano docker-compose.yml -``` +#+end_src -Within this file, you'll need to paste the information below. You can customize -the `ports` section to use any port on your server to pass through to port 80 in -the container. You can also edit the `volumes` section to use docker volumes -instead of local folders. +Within this file, you'll need to paste the information below. You can +customize the =ports= section to use any port on your server to pass +through to port 80 in the container. You can also edit the =volumes= +section to use docker volumes instead of local folders. -```conf +#+begin_src conf version: "2" services: baikal: @@ -39,61 +39,68 @@ services: volumes: - ./config:/var/www/baikal/config - ./data:/var/www/baikal/Specific -``` +#+end_src -Once finished with editing, save and close the file. Then, launch the docker -container: +Once finished with editing, save and close the file. Then, launch the +docker container: -```bash +#+begin_src sh sudo docker-compose up -d -``` - -## Intial Setup - -As long as no issues came up when starting the container, you should be able -to visit the server's set-up page at `http://<server_ip>:<port>`. -The application will ask you to create an administrator account and choose -the database type for your storage. -Personally, I opted to use SQLite. - -Make sure the administrator credentials are adequate to protect against +#+end_src + +** Intial Setup +:PROPERTIES: +:CUSTOM_ID: intial-setup +:END: +As long as no issues came up when starting the container, you should be +able to visit the server's set-up page at =http://<server_ip>:<port>=. +The application will ask you to create an administrator account and +choose the database type for your storage. Personally, I opted to use +SQLite. + +Make sure the administrator credentials are adequate to protect against common attacks. -## Creating Users - -Once you've set up the application, you will be greeted by the Dashboard page, -which will show the version of the app, status of the admin/CalDAV/CardDAV -services, and the number of users, calendars, events, address books, and -contacts. +** Creating Users +:PROPERTIES: +:CUSTOM_ID: creating-users +:END: +Once you've set up the application, you will be greeted by the Dashboard +page, which will show the version of the app, status of the +admin/CalDAV/CardDAV services, and the number of users, calendars, +events, address books, and contacts. - +#+caption: Baïkal Dashboard +[[https://img.cleberg.net/blog/20230608-baikal/baikal-dashboard.png]] -To create a new user, navigate to the `Users and resources` page. This process -is as simple as entering a username, password, and email. +To create a new user, navigate to the =Users and resources= page. This +process is as simple as entering a username, password, and email. -Once a user has been created, you can create any number of calendars and address -books for user, as well as inspect their information. +Once a user has been created, you can create any number of calendars and +address books for user, as well as inspect their information. -## Setting Up a Public URL +** Setting Up a Public URL +:PROPERTIES: +:CUSTOM_ID: setting-up-a-public-url +:END: +Once your application is working locally, you can open access remotely +via a URL by using a reverse-proxy like Nginx. -Once your application is working locally, you can open access remotely via a URL -by using a reverse-proxy like Nginx. +As a prerequisite, you must own a domain name and set up DNS records to +point a domain name to the server hosting Baïkal. -As a prerequisite, you must own a domain name and set up DNS records -to point a domain name to the server hosting Baïkal. +Start by navigating to your web server's configuration directory and +create a new file for this application. -Start by navigating to your web server's configuration directory and create a -new file for this application. - -```bash +#+begin_src sh cd /etc/nginx/sites-available/ nano dav -``` +#+end_src -Within this file, paste in the configuration from below and change -`dav.example.com` to match the URL you'll be using. +Within this file, paste in the configuration from below and change +=dav.example.com= to match the URL you'll be using. -```conf +#+begin_src conf server { if ($host ~ ^[^.]+\.example\.com$) { return 301 https://$host$request_uri; @@ -123,35 +130,37 @@ server { include /etc/letsencrypt/options-ssl-nginx.conf; ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; } -``` +#+end_src -For Nginx on Ubuntu, you'll need to symlink the configuration file to the -`sites-enabled` directory and then restart Nginx. +For Nginx on Ubuntu, you'll need to symlink the configuration file to +the =sites-enabled= directory and then restart Nginx. -```bash +#+begin_src sh sudo ln -s /etc/nginx/sites-available/dav /etc/nginx/sites-enabled/dav sudo systemctl restart nginx.service -``` - -At this point, the Baïkal server should be available over the internet at the -URL configured above! +#+end_src -## Configuring Clients +At this point, the Baïkal server should be available over the internet +at the URL configured above! -Lastly, configuring clients and applications is essential to making sure the DAV -server is being fully utilized. +** Configuring Clients +:PROPERTIES: +:CUSTOM_ID: configuring-clients +:END: +Lastly, configuring clients and applications is essential to making sure +the DAV server is being fully utilized. -You can also use the `Users and resources` page to inspect a user's personal -link to their calendars and address books by clicking the info (i) button. It -will show a URI like -`/dav.php/calendars/your-user/default/`. +You can also use the =Users and resources= page to inspect a user's +personal link to their calendars and address books by clicking the info +(i) button. It will show a URI like +=/dav.php/calendars/your-user/default/=. -However, I found that the following URL works for most applications: -`/dav.php/principals/your-user/`. +However, I found that the following URL works for most applications: +=/dav.php/principals/your-user/=. -I used the `principals` URL above for Thunderbird (calendar, tasks, and -contacts), as well as iOS (calendar, tasks, and contacts) and everything works -flawlessly so far. +I used the =principals= URL above for Thunderbird (calendar, tasks, and +contacts), as well as iOS (calendar, tasks, and contacts) and everything +works flawlessly so far. -Syncing is quick between the server and clients, and I haven't seen any +Syncing is quick between the server and clients, and I haven't seen any disruptions in the service or data integrity. diff --git a/blog/2023-06-18-unifi-ip-blocklist.org b/blog/2023-06-18-unifi-ip-blocklist.org index 25f66e2..21dfd1d 100644 --- a/blog/2023-06-18-unifi-ip-blocklist.org +++ b/blog/2023-06-18-unifi-ip-blocklist.org @@ -1,37 +1,40 @@ -+++ -date = 2023-06-18 -title = "Block IP Addresses and Subnets with Unifi Network Firewall" -description = "A short tutorial on how to create IP Groups in Unifi's Network application and block them via the firewall." -+++ - -## Identifying Abusive IPs - -If you're like me and use Unifi network equipment at the edge of the network you -manage, you may know that Unifi is only somewhat decent at identifying and -blocking IPs that represent abusive or threat actors. - -While Unifi has a [threat -management](https://help.ui.com/hc/en-us/articles/360006893234-UniFi-Gateway-Threat-Management) -tool inside their Network application, it can be lacking in functionality and -identification. For example, I have my UDM Pro set to identify and block almost -all categories of threats available within the Unifi settings. However, I -regularly identify abusive actors on my web server via the server logs. - -In addition, I have identified IP addresses and subnets directly within Unifi's -logs that the UDM did not block for whatever reason. - -This guide is meant to be another step in the process to manually block abusive -IP addresses or subnets that you have identified but are not being automatically -blocked yet. - -## Create an IP Group Profile - -To start, login to the Unifi machine's web GUI and navigate to the Network app > -Settings > Profiles. - -Within this page, choose the `IP Groups` tab and click `Create New`. - - +#+title: Block IP Addresses and Subnets with the Unifi Network Firewall +#+date: 2023-06-18 + +** Identifying Abusive IPs +:PROPERTIES: +:CUSTOM_ID: identifying-abusive-ips +:END: +If you're like me and use Unifi network equipment at the edge of the +network you manage, you may know that Unifi is only somewhat decent at +identifying and blocking IPs that represent abusive or threat actors. + +While Unifi has a +[[https://help.ui.com/hc/en-us/articles/360006893234-UniFi-Gateway-Threat-Management][threat +management]] tool inside their Network application, it can be lacking in +functionality and identification. For example, I have my UDM Pro set to +identify and block almost all categories of threats available within the +Unifi settings. However, I regularly identify abusive actors on my web +server via the server logs. + +In addition, I have identified IP addresses and subnets directly within +Unifi's logs that the UDM did not block for whatever reason. + +This guide is meant to be another step in the process to manually block +abusive IP addresses or subnets that you have identified but are not +being automatically blocked yet. + +** Create an IP Group Profile +:PROPERTIES: +:CUSTOM_ID: create-an-ip-group-profile +:END: +To start, login to the Unifi machine's web GUI and navigate to the +Network app > Settings > Profiles. + +Within this page, choose the =IP Groups= tab and click =Create New=. + +#+caption: Network Profiles +[[https://img.cleberg.net/blog/20230618-unifi-ip-blocklist/unifi_profiles.png]] Each IP Group profile can be used as one of three options: @@ -39,39 +42,48 @@ Each IP Group profile can be used as one of three options: 2. IPv4 Address/Subnet 3. IPv6 Address/Subnet -In this example, I'm creating an IPv4 Address/Subnet group and adding a few -different IP addresses and a subnet. -Once you've added all IP addresses and subnets, click the `Apply` button -that should appear at the bottom. +In this example, I'm creating an IPv4 Address/Subnet group and adding a +few different IP addresses and a subnet. Once you've added all IP +addresses and subnets, click the =Apply= button that should appear at +the bottom. - +#+caption: Network Profile IPs +[[https://img.cleberg.net/blog/20230618-unifi-ip-blocklist/abusive_ips.png]] -At this point, the IPv4 Address/Subnet has been created but not yet used. +At this point, the IPv4 Address/Subnet has been created but not yet +used. -## Drop IP Group Profile via the Unifi Firewall +** Drop IP Group Profile via the Unifi Firewall +:PROPERTIES: +:CUSTOM_ID: drop-ip-group-profile-via-the-unifi-firewall +:END: +To instruct the Unifi machine to block the profile we just created, we +need to navigate to the Network app > Settings > Firewall & Security. -To instruct the Unifi machine to block the profile we just created, we need -to navigate to the Network app > Settings > Firewall & Security. +Within this screen, find the Firewall Rules table and click +=Create Entry=. This entry should contain the following settings: -Within this screen, find the Firewall Rules table and click `Create Entry`. This -entry should contain the following settings: +- Type: =Internet In= +- Description: =<Your Custom Rule>= +- Rule Applied: =Before Predefined Rules= +- Action: =Drop= +- Source Type: =Port/IP Group= +- IPv4 Address Group: =<Name of the Group Profile You Created Above>= -- Type: `Internet In` -- Description: `<Your Custom Rule>` -- Rule Applied: `Before Predefined Rules` -- Action: `Drop` -- Source Type: `Port/IP Group` -- IPv4 Address Group: `<Name of the Group Profile You Created Above>` +Customize the remaining configurations to your liking, and then save and +enable the firewall rule. -Customize the remaining configurations to your liking, and then save and enable -the firewall rule. +#+caption: Firewall Rule +[[https://img.cleberg.net/blog/20230618-unifi-ip-blocklist/firewall_drop_rule.png]] - +Once enabled, the Unifi machine will be able to drop all incoming +connections from the defined IP addresses and subnets within the created +profile. -Once enabled, the Unifi machine will be able to drop all incoming connections -from the defined IP addresses and subnets within the created profile. +#+begin_quote +As a personal aside to this topic, I'm looking for a convenient way to +update the firewall rules or profiles remotely (within the LAN) from the +web server to accelerate this process. If you have an idea on how to +automatically update Unifi IP groups or firewall rules, let me know! -> As a personal aside to this topic, I'm looking for a convenient way to update -> the firewall rules or profiles remotely (within the LAN) from the web server -> to accelerate this process. If you have an idea on how to automatically update -> Unifi IP groups or firewall rules, let me know! +#+end_quote diff --git a/blog/2023-06-20-audit-review-cheatsheet.org b/blog/2023-06-20-audit-review-cheatsheet.org index 37abafa..6d964fa 100644 --- a/blog/2023-06-20-audit-review-cheatsheet.org +++ b/blog/2023-06-20-audit-review-cheatsheet.org @@ -1,75 +1,81 @@ -+++ -date = 2023-06-20 -title = "Cheatsheet: Review Audit Test Results" -description = "A handy cheatsheet for reviewing audit testing on FSA and SOC report engagements." -+++ +#+title: Audit Review Checklist +#+date: 2023-06-20 -## Overview -This post is a *very* brief overview on the basic process to review audit -test results, focusing on work done as part of a financial statement audit -(FSA) or service organization controls (SOC) report. +** Overview +:PROPERTIES: +:CUSTOM_ID: overview +:END: +This post is a /very/ brief overview on the basic process to review +audit test results, focusing on work done as part of a financial +statement audit (FSA) or service organization controls (SOC) report. -While there are numerous different things to review and look for - all varying -wildly depending on the report, client, and tester - this list serves as a solid -base foundation for a reviewer. +While there are numerous different things to review and look for - all +varying wildly depending on the report, client, and tester - this list +serves as a solid base foundation for a reviewer. -I have used this throughout my career as a starting point to my reviews, and it -has worked wonders for creating a consistent and objective template to my -reviews. The goal is to keep this base high-level enough to be used on a wide -variety of engagements, while still ensuring that all key areas are covered. - -## Cheatsheet +I have used this throughout my career as a starting point to my reviews, +and it has worked wonders for creating a consistent and objective +template to my reviews. The goal is to keep this base high-level enough +to be used on a wide variety of engagements, while still ensuring that +all key areas are covered. +** Cheatsheet +:PROPERTIES: +:CUSTOM_ID: cheatsheet +:END: 1. [ ] Check all documents for spelling and grammar. 2. [ ] Ensure all acronyms are fully explained upon first use. -3. [ ] For all people referenced, use their full names and job titles upon -first use. -4. [ ] All supporting documents must cross-reference to the lead sheet and -vice-versa. +3. [ ] For all people referenced, use their full names and job titles + upon first use. +4. [ ] All supporting documents must cross-reference to the lead sheet + and vice-versa. 5. [ ] Verify that the control has been adequately tested: - - [ ] **Test of Design**: Did the tester obtain information regarding how - the control should perform normally and abnormally (e.g., emergency - scenarios)? - - [ ] **Test of Operating Effectiveness**: Did the tester inquire, observe, - inspect, or re-perform sufficient evidence to support their - conclusion over the control? Inquiry alone is not adequate! -6. [ ] For any information used in the control, whether by the control operator -or by the tester, did the tester appropriately document the source (system or -person), extraction method, parameters, and completeness and accuracy (C&A)? - - [ ] For any reports, queries, etc. used in the extraction, did the tester - include a copy and notate C&A considerations? -7. [ ] Did the tester document the specific criteria that the control is being -tested against? -8. [ ] Did the tester notate in the supporting documents where each criterion - was satisfied? -9. [ ] If testing specific policies or procedures, are the documents adequate? - - [ ] e.g., a test to validate that a review of policy XYZ occurs - periodically should also evaluate the sufficiency of the policy itself, if - meant to cover the risk that such a policy does not exist and is not - reviewed. + - [ ] *Test of Design*: Did the tester obtain information regarding + how the control should perform normally and abnormally (e.g., + emergency scenarios)? + - [ ] *Test of Operating Effectiveness*: Did the tester inquire, + observe, inspect, or re-perform sufficient evidence to support + their conclusion over the control? Inquiry alone is not adequate! +6. [ ] For any information used in the control, whether by the control + operator or by the tester, did the tester appropriately document the + source (system or person), extraction method, parameters, and + completeness and accuracy (C&A)? + - [ ] For any reports, queries, etc. used in the extraction, did the + tester include a copy and notate C&A considerations? +7. [ ] Did the tester document the specific criteria that the control is + being tested against? +8. [ ] Did the tester notate in the supporting documents where each + criterion was satisfied? +9. [ ] If testing specific policies or procedures, are the documents + adequate? + - [ ] e.g., a test to validate that a review of policy XYZ occurs + periodically should also evaluate the sufficiency of the policy + itself, if meant to cover the risk that such a policy does not + exist and is not reviewed. 10. [ ] Does the test cover the appropriate period under review? - - [ ] If the test is meant to cover only a portion of the audit period, do - other controls exist to mitigate the risks that exist for the remainder of - the period? -11. [ ] For any computer-aided audit tools (CAATs) or other automation -techniques used in the test, is the use of such tools explained and -appropriately documented? -12. [ ] If prior-period documentation exists, are there any missing pieces of -evidence that would further enhance the quality of the test? -13. [ ] Was any information discovered during the walkthrough or inquiry phase -that was not incorporated into the test? -14. [ ] Are there new rules or expectations from your company's internal -guidance or your regulatory bodies that would affect the audit approach for this -control? -15. [ ] Was an exception, finding, or deficiency identified as a result of this -test? - - [ ] Was the control deficient in design, operation, or both? - - [ ] What was the root cause of the finding? - - [ ] Does the finding indicate other findings or potential fraud? - - [ ] What's the severity and scope of the finding? - - [ ] Do other controls exist as a form of compensation against the - finding's severity, and do they mitigate the risk within the control - objective? - - [ ] Does the finding exist at the end of the period, or was it resolved - within the audit period?
\ No newline at end of file + - [ ] If the test is meant to cover only a portion of the audit + period, do other controls exist to mitigate the risks that exist + for the remainder of the period? +11. [ ] For any computer-aided audit tools (CAATs) or other automation + techniques used in the test, is the use of such tools explained and + appropriately documented? +12. [ ] If prior-period documentation exists, are there any missing + pieces of evidence that would further enhance the quality of the + test? +13. [ ] Was any information discovered during the walkthrough or inquiry + phase that was not incorporated into the test? +14. [ ] Are there new rules or expectations from your company's internal + guidance or your regulatory bodies that would affect the audit + approach for this control? +15. [ ] Was an exception, finding, or deficiency identified as a result + of this test? + - [ ] Was the control deficient in design, operation, or both? + - [ ] What was the root cause of the finding? + - [ ] Does the finding indicate other findings or potential fraud? + - [ ] What's the severity and scope of the finding? + - [ ] Do other controls exist as a form of compensation against the + finding's severity, and do they mitigate the risk within the + control objective? + - [ ] Does the finding exist at the end of the period, or was it + resolved within the audit period? diff --git a/blog/2023-06-23-byobu.org b/blog/2023-06-23-byobu.org index abc783d..389df63 100644 --- a/blog/2023-06-23-byobu.org +++ b/blog/2023-06-23-byobu.org @@ -1,43 +1,48 @@ -+++ -date = 2023-06-23T19:15:28 -title = "Byobu" -description = "A quick look at byobu, a text based window manager." -+++ +#+title: Byobu +#+date: 2023-06-23 -## Byobu +** Byobu +:PROPERTIES: +:CUSTOM_ID: byobu +:END: +[[https://www.byobu.org][byobu]] is a command-line tool that allows you +to use numerous screens within a single terminal emulator instance. More +specifically, it's a text based window manager, using either =screen= or +=tmux=. -[byobu](https://www.byobu.org) is a command-line tool that allows you to use -numerous screens within a single terminal emulator instance. More specifically, -it's a text based window manager, using either `screen` or `tmux`. +This post is mostly just a self-reference as I explore byobu, so I may +come back later and update this post with more content. -This post is mostly just a self-reference as I explore byobu, so I may come back -later and update this post with more content. +*** Screenshot +:PROPERTIES: +:CUSTOM_ID: screenshot +:END: +Take a look below at my current multi-window set-up in byobu while I +write this blog post: -### Screenshot +#+caption: byobu +[[https://img.cleberg.net/blog/20230623-byobu/byobu.png]] -Take a look below at my current multi-window set-up in byobu while I write this -blog post: +** Keybindings +:PROPERTIES: +:CUSTOM_ID: keybindings +:END: +You can open the help menu with either of the following commands; they +will both open the same manpage: - - -## Keybindings - -You can open the help menu with either of the following commands; they will both -open the same manpage: - -```sh +#+begin_src sh byobu --help # or man byobu -``` +#+end_src -While the manpage contains a ton of information about the functionality of -byobu (such as status notifications, sessions, and windows), the first location -to explore should be the keybindings section. +While the manpage contains a ton of information about the functionality +of byobu (such as status notifications, sessions, and windows), the +first location to explore should be the keybindings section. The keybindings are configured as follows: -```txt +#+begin_src txt byobu keybindings can be user defined in /usr/share/byobu/keybindings/ (or within .screenrc if byobu-export was used). The common key bindings are: @@ -65,4 +70,4 @@ Ctrl-a R - Reload profile Ctrl-a ! - Toggle key bindings on and off Ctrl-a k - Kill the current window Ctrl-a ~ - Save the current window's scrollback buffer -``` +#+end_src diff --git a/blog/2023-06-23-self-hosting-convos-irc.org b/blog/2023-06-23-self-hosting-convos-irc.org index 2f62061..b86d01b 100644 --- a/blog/2023-06-23-self-hosting-convos-irc.org +++ b/blog/2023-06-23-self-hosting-convos-irc.org @@ -1,40 +1,43 @@ -+++ -date = 2023-06-23T20:50:00 -title = "Self-Hosting Convos IRC Web Client" -description = "" -+++ +#+title: Self-Hosting Convos: IRC Web Client +#+date: 2023-06-23 -## Convos - -[Convos](https://convos.chat/) is an always-online web client for IRC. It -has a few features that made it attractive to me as a self-hosted option: +** Convos +:PROPERTIES: +:CUSTOM_ID: convos +:END: +[[https://convos.chat/][Convos]] is an always-online web client for IRC. +It has a few features that made it attractive to me as a self-hosted +option: - Extremely simple Docker Compose installation method. -- Runs in the background and monitors chats even while you're not logged in. +- Runs in the background and monitors chats even while you're not logged + in. - Neatly organized sidebar for conversation and client settings. - Ability to connect to different hosts and create profiles for hosts. -- By default, registration is closed to the public. You can enable public - registration on the Settings page or generate invitation links on the - Users page. -- Customization of the client theme, organization name and URL, admin email, - and video service. - -## Docker Installation - -To install Convos, simply create a directory and a `docker-compose.yml` file: - -```sh +- By default, registration is closed to the public. You can enable + public registration on the Settings page or generate invitation links + on the Users page. +- Customization of the client theme, organization name and URL, admin + email, and video service. + +** Docker Installation +:PROPERTIES: +:CUSTOM_ID: docker-installation +:END: +To install Convos, simply create a directory and a =docker-compose.yml= +file: + +#+begin_src sh mkdir ~/convos && cd ~/convos nano docker-compose.yml -``` +#+end_src -With the `docker-compose.yml` file open, paste the configuration below into -the file. -You can customize the host port to be something unique, such as `21897:3000`. -You can also change the `data` folder to be a docker volume instead, if you -prefer. +With the =docker-compose.yml= file open, paste the configuration below +into the file. You can customize the host port to be something unique, +such as =21897:3000=. You can also change the =data= folder to be a +docker volume instead, if you prefer. -```config +#+begin_src config version: '3' services: @@ -47,118 +50,124 @@ services: environment: - CONVOS_REVERSE_PROXY=1 restart: always -``` +#+end_src -Save the `docker-compose.yml` file and bring the container up: +Save the =docker-compose.yml= file and bring the container up: -```sh +#+begin_src sh sudo docker-compose up -d -``` +#+end_src -At this point, Convos is available at `<server_ip>:3000` but not available -to the public. +At this point, Convos is available at =<server_ip>:3000= but not +available to the public. -## Nginx Reverse Proxy +** Nginx Reverse Proxy +:PROPERTIES: +:CUSTOM_ID: nginx-reverse-proxy +:END: +If you're using Nginx, you can create a configuration file for the +convos application. Start by opening the file: -If you're using Nginx, you can create a configuration file for the convos -application. -Start by opening the file: - -```sh +#+begin_src sh nano /etc/nginx/sites-available/convos -``` +#+end_src -Within the nginx configuration file, paste the following content and be sure -to update `convos.example.com` to match your domain and `127.0.0.1:3000` to -match the port you opened in the `docker-compose.yml` file. +Within the nginx configuration file, paste the following content and be +sure to update =convos.example.com= to match your domain and +=127.0.0.1:3000= to match the port you opened in the +=docker-compose.yml= file. -```config +#+begin_src config # Host and port where convos is running upstream convos_upstream { server 127.0.0.1:3000; } server { - if ($host ~ ^[^.]+\.example\.com$) { - return 301 https://$host$request_uri; - } - - listen [::]:80; - listen 80; - server_name convos.example.com; - return 404; + if ($host ~ ^[^.]+\.example\.com$) { + return 301 https://$host$request_uri; + } + + listen [::]:80; + listen 80; + server_name convos.example.com; + return 404; } server { - listen [::]:443 ssl http2; - listen 443 ssl http2; - server_name convos.example.com; - access_log /var/log/nginx/convos.access.log; - error_log /var/log/nginx/convos.error.log; - - location / { - proxy_pass http://convos_upstream; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - client_max_body_size 0; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Request-Base "$scheme://$host/"; - } - - ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; - include /etc/letsencrypt/options-ssl-nginx.conf; - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; + listen [::]:443 ssl http2; + listen 443 ssl http2; + server_name convos.example.com; + access_log /var/log/nginx/convos.access.log; + error_log /var/log/nginx/convos.error.log; + + location / { + proxy_pass http://convos_upstream; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + client_max_body_size 0; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Request-Base "$scheme://$host/"; + } + + ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; + include /etc/letsencrypt/options-ssl-nginx.conf; + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; } -``` +#+end_src -Once the file is saved, link it to the `sites-enabled` directory and restart -Nginx. +Once the file is saved, link it to the =sites-enabled= directory and +restart Nginx. -```sh +#+begin_src sh sudo ln -s /etc/nginx/sites-available/convos /etc/nginx/sites-enabled/convos sudo systemctl restart nginx.service -``` - -## Screenshots +#+end_src -See the screenshots below for an example of the Convos homepage and an +** Screenshots +:PROPERTIES: +:CUSTOM_ID: screenshots +:END: +See the screenshots below for an example of the Convos homepage and an excerpt of the chat screen. -There are numerous themes to choose from; the theme shown in the images +There are numerous themes to choose from; the theme shown in the images below is Dracula. -![Convos Home](https://img.cleberg.net/blog/20230623-convos/convos_home.png -"Convos Home") - -![Convos Chat](https://img.cleberg.net/blog/20230623-convos/convos_chat.png -"Convos Chat") +#+caption: Convos Home +[[https://img.cleberg.net/blog/20230623-convos/convos_home.png%20%22Convos%20Home%22]] -## Registering a Nickname +#+caption: Convos Chat +[[https://img.cleberg.net/blog/20230623-convos/convos_chat.png%20%22Convos%20Chat%22]] -Hop into the server channel so that you can message NickServ. In the case of -Convos, the default sever is libera.chat. -Simply click the `libera` conversation at the top of the sidebar to open it. -Once the chat is open, you can claim a nickname by typing: +** Registering a Nickname +:PROPERTIES: +:CUSTOM_ID: registering-a-nickname +:END: +Hop into the server channel so that you can message NickServ. In the +case of Convos, the default sever is libera.chat. Simply click the +=libera= conversation at the top of the sidebar to open it. Once the +chat is open, you can claim a nickname by typing: -```txt +#+begin_src txt /nick <nick> -``` +#+end_src -If the nickname is available, and you'd like to register the nickname to +If the nickname is available, and you'd like to register the nickname to yourself, you'll need to type another command: -```txt +#+begin_src txt /msg NickServ REGISTER <password> <email> -``` +#+end_src -On libera.chat, the server will send a confirmation email with a command +On libera.chat, the server will send a confirmation email with a command that you must message in IRC to verify registration of the nickname: -```txt +#+begin_src txt /msg NickServ VERIFY REGISTER <nick> <verification_code> -``` +#+end_src -Once entered, the server should confirm registration of the nickname to the -supplied email with the password specified. +Once entered, the server should confirm registration of the nickname to +the supplied email with the password specified. diff --git a/blog/2023-06-28-backblaze-b2.org b/blog/2023-06-28-backblaze-b2.org index 1ec395c..df14501 100644 --- a/blog/2023-06-28-backblaze-b2.org +++ b/blog/2023-06-28-backblaze-b2.org @@ -1,16 +1,16 @@ -+++ -date = 2023-06-28T16:00:00 -title = "Getting Started with Backblaze B2 Cloud Storage" -description = "A simple tutorial to create a Backblaze B2 account for free and back up data from Linux." -+++ +#+title: Getting Started with Backblaze B2 Cloud Storage +#+date: 2023-06-28 -## Overview +** Overview +:PROPERTIES: +:CUSTOM_ID: overview +:END: +Backblaze [[https://www.backblaze.com/b2/cloud-storage.html][B2 Cloud +Storage]] is an inexpensive and reliable on-demand cloud storage and +backup solution. -Backblaze [B2 Cloud Storage](https://www.backblaze.com/b2/cloud-storage.html) is -an inexpensive and reliable on-demand cloud storage and backup solution. - -The service starts at $5/TB/month ($0.005/GB/month) with a download rate of -$0.01/GB/month. +The service starts at $5/TB/month ($0.005/GB/month) with a download rate +of $0.01/GB/month. However, there are free tiers: @@ -20,162 +20,188 @@ However, there are free tiers: - The first 2500 Class B transactions each day are free. - The first 2500 Class C transactions each day are free. -You can see which API calls fall into categories A, B, or C here: -[Pricing Organized by API -Calls](https://www.backblaze.com/b2/b2-transactions-price.html). - -For someone like me, who wants an offsite backup of their server's `/home/` -directory and various other server configs that fall under 10 GB total, -Backblaze is a great solution from a financial perspective. - -## Create An Account - -To start with Backblaze, you'll need to [create a free -account](https://www.backblaze.com/b2/sign-up.html) - no payment method is -required to sign up. - -Once you have an account, you can test out the service with their web GUI, their -mobile app, or their CLI tool. I'm going to use the CLI tool below to test a -file upload and then sync an entire directory to my Backblaze bucket. - -## Create a Bucket - -Before you can start uploading, you need to create a bucket. If you're familiar -with other object storage services, this will feel familiar. If not, it's pretty -simple to create one. +You can see which API calls fall into categories A, B, or C here: +[[https://www.backblaze.com/b2/b2-transactions-price.html][Pricing +Organized by API Calls]]. + +For someone like me, who wants an offsite backup of their server's +=/home/= directory and various other server configs that fall under 10 +GB total, Backblaze is a great solution from a financial perspective. + +** Create An Account +:PROPERTIES: +:CUSTOM_ID: create-an-account +:END: +To start with Backblaze, you'll need to +[[https://www.backblaze.com/b2/sign-up.html][create a free account]] - +no payment method is required to sign up. + +Once you have an account, you can test out the service with their web +GUI, their mobile app, or their CLI tool. I'm going to use the CLI tool +below to test a file upload and then sync an entire directory to my +Backblaze bucket. + +** Create a Bucket +:PROPERTIES: +:CUSTOM_ID: create-a-bucket +:END: +Before you can start uploading, you need to create a bucket. If you're +familiar with other object storage services, this will feel familiar. If +not, it's pretty simple to create one. As their webpage says: -> A bucket is a container that holds files that are uploaded into B2 Cloud -> Storage. The bucket name must be globally unique and must have a minimum of 6 -> characters. A limit of 100 buckets may be created per account. An unlimited -> number of files may be uploaded into a bucket. - -Once you click the `Create a Bucket` button on their webpage or mobile app, you -need to provide the following: - -- Bucket Unique Name -- Files in Bucket are: `Private` or `Public` -- Default Encryption: `Disable` or `Enable` -- Object Lock: `Disable` or `Enable` - -For my bucket, I created a private bucket with encryption enabled and object -lock disabled. - -Once your bucket is created, you can test the upload/download feature on their -web GUI or mobile app! At this point, you have a fully functional bucket and -account. - -## Linux CLI Tool +#+begin_quote +A bucket is a container that holds files that are uploaded into B2 Cloud +Storage. The bucket name must be globally unique and must have a minimum +of 6 characters. A limit of 100 buckets may be created per account. An +unlimited number of files may be uploaded into a bucket. -### Installation +#+end_quote -To install the `b2` CLI tool, you'll need to download it from the [CLI -Tools](https://www.backblaze.com/docs/cloud-storage-command-line-tools) page. -I recommend copying the URL from the link that says `Linux` and using wget to -download it, as shown below. +Once you click the =Create a Bucket= button on their webpage or mobile +app, you need to provide the following: -Once downloaded, make the file executable and move it to a location on your -`$PATH`, so that you can execute that command from anywhere on the machine. - -```sh +- Bucket Unique Name +- Files in Bucket are: =Private= or =Public= +- Default Encryption: =Disable= or =Enable= +- Object Lock: =Disable= or =Enable= + +For my bucket, I created a private bucket with encryption enabled and +object lock disabled. + +Once your bucket is created, you can test the upload/download feature on +their web GUI or mobile app! At this point, you have a fully functional +bucket and account. + +** Linux CLI Tool +:PROPERTIES: +:CUSTOM_ID: linux-cli-tool +:END: +*** Installation +:PROPERTIES: +:CUSTOM_ID: installation +:END: +To install the =b2= CLI tool, you'll need to download it from the +[[https://www.backblaze.com/docs/cloud-storage-command-line-tools][CLI +Tools]] page. I recommend copying the URL from the link that says +=Linux= and using wget to download it, as shown below. + +Once downloaded, make the file executable and move it to a location on +your =$PATH=, so that you can execute that command from anywhere on the +machine. + +#+begin_src sh wget <b2_cli_url> chmod +x b2_linux mv b2_linux /usr/bin/b2 -``` - -### Log In +#+end_src -The first step after installation is to log in. To do this, execute the -following command and provide your `<applicationKeyId>` and `<applicationKey>`. +*** Log In +:PROPERTIES: +:CUSTOM_ID: log-in +:END: +The first step after installation is to log in. To do this, execute the +following command and provide your =<applicationKeyId>= and +=<applicationKey>=. -If you don't want to provide these values in the command itself, you can simply -execute the base command and it will request them in an interactive prompt. +If you don't want to provide these values in the command itself, you can +simply execute the base command and it will request them in an +interactive prompt. -```sh +#+begin_src sh # if you want to provide the keys directly: b2 authorize-account [<applicationKeyId>] [<applicationKey>] # or, if you don't want your keys in your shell history: b2 authorize-account -``` +#+end_src -### Upload a Test File - -In order to test the functionality of the CLI tool, I'll start by uploading -a single test file to the bucket I created above. -We can do this with the `upload_file` function. +*** Upload a Test File +:PROPERTIES: +:CUSTOM_ID: upload-a-test-file +:END: +In order to test the functionality of the CLI tool, I'll start by +uploading a single test file to the bucket I created above. We can do +this with the =upload_file= function. The command is issued as follows: -```sh +#+begin_src sh b2 upload_file <bucket_name> <local_file> <remote_file> -``` +#+end_src In my situation, I executed the following command with my username. -```sh +#+begin_src sh b2 upload_file my_unique_bucket /home/<user>/test.md test.md -``` +#+end_src -To confirm that the file was uploaded successfully, list the files in your -bucket: +To confirm that the file was uploaded successfully, list the files in +your bucket: -```sh +#+begin_src sh b2 ls <bucket_name> -``` +#+end_src -```txt +#+begin_src txt test.md -``` - -### Sync a Directory +#+end_src -If you have numerous files, you can use the `sync` function to perform -functionality similar to `rsync`, where you can check what's in your bucket -and sync anything that is new or modified. +*** Sync a Directory +:PROPERTIES: +:CUSTOM_ID: sync-a-directory +:END: +If you have numerous files, you can use the =sync= function to perform +functionality similar to =rsync=, where you can check what's in your +bucket and sync anything that is new or modified. The command is issued as follows: -```sh +#+begin_src sh b2 sync <source file location> <B2 bucket destination> -``` +#+end_src -In my case, I can sync my user's entire home directory to my bucket without -specifying any of the files directly: +In my case, I can sync my user's entire home directory to my bucket +without specifying any of the files directly: -```sh +#+begin_src sh b2 sync /home/<user>/ "b2://<bucketName>/home/<user>" -``` - -## Caveats - -### Timing of Updates to the Web GUI - -When performing actions over a bucket, there is a slight delay in the web -GUI when inspecting a bucket or its file. -Note that simple actions such as uploading or deleting files may have a -delay of a few minutes up to 24 hours. -In my experience (<10 GB and ~20,000 files), any actions took only a few -minutes to update across clients. - -### Symlinks - -Note that symlinks are resolved by b2, so if you have a link from -`/home/<user>/nas-storage` that symlinks out to a `/mnt/nas-storage` folder -that has 10TB of data, `b2` will resolve that link and start uploading all 10TB -of data linked within the folder. - -If you're not sure if you have any symlinks, a symlink will look like this -(note the `->` symbol): - -```sh +#+end_src + +** Caveats +:PROPERTIES: +:CUSTOM_ID: caveats +:END: +*** Timing of Updates to the Web GUI +:PROPERTIES: +:CUSTOM_ID: timing-of-updates-to-the-web-gui +:END: +When performing actions over a bucket, there is a slight delay in the +web GUI when inspecting a bucket or its file. Note that simple actions +such as uploading or deleting files may have a delay of a few minutes up +to 24 hours. In my experience (<10 GB and ~20,000 files), any actions +took only a few minutes to update across clients. + +*** Symlinks +:PROPERTIES: +:CUSTOM_ID: symlinks +:END: +Note that symlinks are resolved by b2, so if you have a link from +=/home/<user>/nas-storage= that symlinks out to a =/mnt/nas-storage= +folder that has 10TB of data, =b2= will resolve that link and start +uploading all 10TB of data linked within the folder. + +If you're not sure if you have any symlinks, a symlink will look like +this (note the =->= symbol): + +#+begin_src sh > ls -lha lrwxrwxrwx 1 root root 20 Jun 28 13:32 nas -> /mnt/nas-storage/ -``` +#+end_src You can recursively find symlink in a path with the following command: -```sh +#+begin_src sh ls -lR /path/to/search | grep '^l' -``` +#+end_src diff --git a/blog/2023-06-30-self-hosting-voyager-lemmy-client.org b/blog/2023-06-30-self-hosting-voyager-lemmy-client.org index 5eaacce..2530e07 100644 --- a/blog/2023-06-30-self-hosting-voyager-lemmy-client.org +++ b/blog/2023-06-30-self-hosting-voyager-lemmy-client.org @@ -1,54 +1,57 @@ -+++ -date = 2023-06-30 -title = "Self Hosting Voyager - A Lemmy Web Client" -description = "A guide on how to self-host your own instance of Voyager, a mobile-first Lemmy web client." -+++ - -## Installation Guide - -[Voyager](https://github.com/aeharding/voyager) is a mobile-first Lemmy web -client, based on iOS design standards. It follows very closely to Apollo's -design. - -This post is a guide showing how I was able to build and launch my own instance -of Voyager via Docker Compose. - -### Clone the Repository - +#+title: Self-Hosting Voyager: A Lemmy Web Client +#+date: 2023-06-30 + +** Installation Guide +:PROPERTIES: +:CUSTOM_ID: installation-guide +:END: +[[https://github.com/aeharding/voyager][Voyager]] is a mobile-first +Lemmy web client, based on iOS design standards. It follows very closely +to Apollo's design. + +This post is a guide showing how I was able to build and launch my own +instance of Voyager via Docker Compose. + +*** Clone the Repository +:PROPERTIES: +:CUSTOM_ID: clone-the-repository +:END: Start by cloning the repository and entering it: -```sh +#+begin_src sh git clone https://github.com/aeharding/voyager cd voyager -``` - -### Build the Image +#+end_src -With this repository, you can build the image yourself without any further -configuration. -When complete, it'll give you the image ID for you to run. +*** Build the Image +:PROPERTIES: +:CUSTOM_ID: build-the-image +:END: +With this repository, you can build the image yourself without any +further configuration. When complete, it'll give you the image ID for +you to run. -```sh +#+begin_src sh sudo docker build . # Successfully built 5f00723cb5be -``` +#+end_src -With the image ID above, you can run the container and pass the requested port -`5314` through or use a custom port, if you wish. +With the image ID above, you can run the container and pass the +requested port =5314= through or use a custom port, if you wish. -You can also set the `CUSTOM_LEMMY_SERVERS` environment variable if you want to -add to the default suggested login servers. -This must be set with a comma separated list of suggested servers. -The first instance in the list will be the default view for logged-out users. +You can also set the =CUSTOM_LEMMY_SERVERS= environment variable if you +want to add to the default suggested login servers. This must be set +with a comma separated list of suggested servers. The first instance in +the list will be the default view for logged-out users. -I will be using a `docker-compose.yml` file to run this container, instead of a -`docker run` command. +I will be using a =docker-compose.yml= file to run this container, +instead of a =docker run= command. -```sh +#+begin_src sh nano docker-compose.yml -``` +#+end_src -```conf +#+begin_src conf version: "2" services: voyager: @@ -58,67 +61,69 @@ services: - "<custom_port>:5314" environment: - CUSTOM_LEMMY_SERVERS=lemmy.dbzer0.com,lemmy.world,lemmy.ml,beehaw.org -``` +#+end_src -```sh +#+begin_src sh sudo docker-compose up -d -``` - -The web app will now be available at the following address: -`<machine_ip>:<custom_port>`. -If you are running it on your local device, try `localhost:<custom_port>`. +#+end_src -### Reverse Proxy +The web app will now be available at the following address: +=<machine_ip>:<custom_port>=. If you are running it on your local +device, try =localhost:<custom_port>=. -If you want to visit this app via an external URL or domain name, you'll need to -set up a reverse proxy. -The example below uses Nginx as a reverse proxy. +*** Reverse Proxy +:PROPERTIES: +:CUSTOM_ID: reverse-proxy +:END: +If you want to visit this app via an external URL or domain name, you'll +need to set up a reverse proxy. The example below uses Nginx as a +reverse proxy. -Simply create the configuration file, paste the contents below, save the file, -symlink the file, and restart Nginx. +Simply create the configuration file, paste the contents below, save the +file, symlink the file, and restart Nginx. -```sh +#+begin_src sh sudo nano /etc/nginx/sites-available/voyager -``` +#+end_src -```conf +#+begin_src conf server { - if ($host ~ ^[^.]+\.example\.com$) { - return 301 https://$host$request_uri; - } - - listen [::]:80; - listen 80; - server_name voyager.example.com; - return 404; + if ($host ~ ^[^.]+\.example\.com$) { + return 301 https://$host$request_uri; + } + + listen [::]:80; + listen 80; + server_name voyager.example.com; + return 404; } server { - listen [::]:443 ssl http2; - listen 443 ssl http2; - server_name voyager.example.com; - access_log /var/log/nginx/voyager.access.log; - error_log /var/log/nginx/voyager.error.log; - - location / { - proxy_http_version 1.1; - proxy_pass http://localhost:5314; - proxy_set_header Host $host; - } - - ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; - include /etc/letsencrypt/options-ssl-nginx.conf; - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; + listen [::]:443 ssl http2; + listen 443 ssl http2; + server_name voyager.example.com; + access_log /var/log/nginx/voyager.access.log; + error_log /var/log/nginx/voyager.error.log; + + location / { + proxy_http_version 1.1; + proxy_pass http://localhost:5314; + proxy_set_header Host $host; + } + + ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; + include /etc/letsencrypt/options-ssl-nginx.conf; + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; } -``` +#+end_src -```sh +#+begin_src sh sudo ln sudo ln -s /etc/nginx/sites-available/voyager /etc/nginx/sites-enabled/voyager sudo systemctl restart nginx.service -``` +#+end_src -The site will now be available at the `server_name` you specified above! +The site will now be available at the =server_name= you specified above! -You can visit my instance at [voyager.cleberg.net](https://voyager.cleberg.net) -for an example. +You can visit my instance at +[[https://voyager.cleberg.net][voyager.cleberg.net]] for an example. diff --git a/blog/2023-07-12-mullvad-wireguard-lan.org b/blog/2023-07-12-mullvad-wireguard-lan.org index ef6a045..1838862 100644 --- a/blog/2023-07-12-mullvad-wireguard-lan.org +++ b/blog/2023-07-12-mullvad-wireguard-lan.org @@ -1,31 +1,32 @@ -+++ -date = 2023-07-12T19:31:00 -title = "Enabling LAN Access in Mullvad Wireguard Conf Files" -description = "" -+++ - -## Download Configuration Files from Mullvad - -To begin, you'll need [Wireguard configuration files from -Mullvad](https://mullvad.net/account/wireguard-config). -You can choose any of the options as you download them. -For example, I enabled the kill switch, selected all countries, and selected a -few content filters. - -Once downloaded, unzip the files and move them to the Wireguard folder on your -system. - -```sh +#+title: Enabling LAN Access in Mullvad Wireguard Conf Files +#+date: 2023-07-12 + +** Download Configuration Files from Mullvad +:PROPERTIES: +:CUSTOM_ID: download-configuration-files-from-mullvad +:END: +To begin, you'll need +[[https://mullvad.net/account/wireguard-config][Wireguard configuration +files from Mullvad]]. You can choose any of the options as you download +them. For example, I enabled the kill switch, selected all countries, +and selected a few content filters. + +Once downloaded, unzip the files and move them to the Wireguard folder +on your system. + +#+begin_src sh cd ~/Downloads unzip mullvad_wireguard_linux_all_all.zip doas mv *.conf /etc/wireguard/ -``` - -### Configuration File Layout +#+end_src +*** Configuration File Layout +:PROPERTIES: +:CUSTOM_ID: configuration-file-layout +:END: The default configuration files will look something like this: -```conf +#+begin_src conf [Interface] # Device: <redacted> PrivateKey = <redacted> @@ -38,43 +39,50 @@ PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m ad PublicKey = <redacted> AllowedIPs = <redacted> Endpoint = <redacted> -``` +#+end_src -> Note: If you didn't select the kill switch option, you won't see the `PostUp` -> and `PreDown` lines. -> In this case, you'll need to modify the script below to simply append those -> lines to the `[Interface]` block. +#+begin_quote +Note: If you didn't select the kill switch option, you won't see the +=PostUp= and =PreDown= lines. In this case, you'll need to modify the +script below to simply append those lines to the =[Interface]= block. -## Editing the Configuration Files +#+end_quote -Once you have the files, you'll need to edit them and replace the `PostUp` and -`PreDown` lines to enable LAN access. +** Editing the Configuration Files +:PROPERTIES: +:CUSTOM_ID: editing-the-configuration-files +:END: +Once you have the files, you'll need to edit them and replace the +=PostUp= and =PreDown= lines to enable LAN access. -I recommend that you do this process as root, since you'll need to be able to -access files in `/etc/wireguard`, which are generally owned by root. -You can also try using `sudo` or `doas`, but I didn't test that scenario so you -may need to adjust, as necessary. +I recommend that you do this process as root, since you'll need to be +able to access files in =/etc/wireguard=, which are generally owned by +root. You can also try using =sudo= or =doas=, but I didn't test that +scenario so you may need to adjust, as necessary. -```sh +#+begin_src sh su -``` +#+end_src -Create the Python file that we'll be using to update the Wireguard configuration -files. +Create the Python file that we'll be using to update the Wireguard +configuration files. -```sh +#+begin_src sh nano replace.py -``` +#+end_src -Within the Python file, copy and paste the logic below. -This script will open a directory, loop through every configuration file within -the directory, and replace the `PostUp` and `PreDown` lines with the new +Within the Python file, copy and paste the logic below. This script will +open a directory, loop through every configuration file within the +directory, and replace the =PostUp= and =PreDown= lines with the new LAN-enabled iptables commands. -> Note: If your LAN is on a subnet other than `192.168.1.0/24`, you'll need to -> update the Python script below appropriately. +#+begin_quote +Note: If your LAN is on a subnet other than =192.168.1.0/24=, you'll +need to update the Python script below appropriately. + +#+end_quote -```python +#+begin_src python import os import fileinput @@ -83,35 +91,35 @@ print("--- starting ---") dir = "/etc/wireguard/" for file in os.listdir(dir): - print(os.path.join(dir, file)) - for line in fileinput.input(os.path.join(dir, file), inplace=True): - if "PostUp" in line: - print("PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL ! -d 192.168.1.0/24 -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT") - elif "PreDown" in line: - print("PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL ! -d 192.168.1.0/24 -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT") - else: - print(line, end="") + print(os.path.join(dir, file)) + for line in fileinput.input(os.path.join(dir, file), inplace=True): + if "PostUp" in line: + print("PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL ! -d 192.168.1.0/24 -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT") + elif "PreDown" in line: + print("PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL ! -d 192.168.1.0/24 -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT") + else: + print(line, end="") print("--- done ---") -``` +#+end_src -Once you're done, save and close the file. You can now run the Python script -and watch as each file is updated. +Once you're done, save and close the file. You can now run the Python +script and watch as each file is updated. -```sh +#+begin_src sh python3 replace.py -``` +#+end_src -To confirm it worked, you can `cat` one of the configuration files to inspect -the new logic and connect to one to test it out. +To confirm it worked, you can =cat= one of the configuration files to +inspect the new logic and connect to one to test it out. -```sh +#+begin_src sh cat /etc/wireguard/us-chi-wg-001.conf -``` +#+end_src The configuration files should now look like this: -```conf +#+begin_src conf [Interface] # Device: <redacted> PrivateKey = <redacted> @@ -124,19 +132,20 @@ PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m ad PublicKey = <redacted> AllowedIPs = <redacted> Endpoint = <redacted> -``` +#+end_src -If you connect to a Wireguard interface, such as `us-chi-wg-001`, you can test -your SSH functionality and see that it works even while on the VPN. +If you connect to a Wireguard interface, such as =us-chi-wg-001=, you +can test your SSH functionality and see that it works even while on the +VPN. -```sh +#+begin_src sh wg-quick up us-chi-wg-001 ssh user@lan-host -``` +#+end_src To confirm your VPN connection, you can curl Mullvad's connection API: -```sh +#+begin_src sh curl https://am.i.mullvad.net/connected # You are connected to Mullvad (server us-chi-wg-001). Your IP address is <redacted> -``` +#+end_src diff --git a/blog/2023-07-19-plex-transcoder-errors.org b/blog/2023-07-19-plex-transcoder-errors.org index 743204e..554e3fe 100644 --- a/blog/2023-07-19-plex-transcoder-errors.org +++ b/blog/2023-07-19-plex-transcoder-errors.org @@ -1,62 +1,68 @@ -+++ -date = 2023-07-19T17:00:00 -title = "How to Fix Plex Error: 'Conversion failed. The transcoder failed to start up.'" -description = "Read to learn how to fix a common Plex error where the transcoder crashes due to SRT subtitle files." -+++ - -## Plex Transcoder Error +#+title: How to Fix Plex Error: 'Conversion failed. The transcoder failed to start up.' +#+date: 2023-07-19 +** Plex Transcoder Error +:PROPERTIES: +:CUSTOM_ID: plex-transcoder-error +:END: Occasionally, you may see an error in your Plex client that references a -failure with the transcoder conversion process. -The specific error wording is: +failure with the transcoder conversion process. The specific error +wording is: -```txt +#+begin_src txt Conversion failed. The transcoder failed to start up. -``` - -## Debugging the Cause +#+end_src -In order to get a better look at what is causing the error, I'm going to observe -the Plex console while the error occurs. -To do this, open the Plex web client, go to `Settings` > `Manage` > `Console`. -Now, try to play the title again and watch to see which errors occur. +** Debugging the Cause +:PROPERTIES: +:CUSTOM_ID: debugging-the-cause +:END: +In order to get a better look at what is causing the error, I'm going to +observe the Plex console while the error occurs. To do this, open the +Plex web client, go to =Settings= > =Manage= > =Console=. Now, try to +play the title again and watch to see which errors occur. -In my case, you can see the errors below are related to a subtitle file (`.srt`) -causing the transcoder to crash. +In my case, you can see the errors below are related to a subtitle file +(=.srt=) causing the transcoder to crash. -```txt +#+begin_src txt Jul 19, 2023 16:49:34.945 [140184571120440] Error — Couldn't find the file to stream: /movies/Movie Title (2021)/Movie Title (2021).srt Jul 19, 2023 16:49:34.947 [140184532732728] Error — [Req#7611/Transcode/42935159-67C1-4192-9336-DDC6F7BC9330] Error configuring transcoder: TPU: Failed to download sub-stream to temporary file Jul 19, 2023 16:49:35.225 [140184532732728] Warning — [Req#760d/Transcode] Got a request to stop a transcode session without a valid session GUID. Jul 19, 2023 16:49:45.561 [140184532732728] Info — [Req#7648] AutoUpdate: no updates available Jul 19, 2023 16:51:23.402 [140184510081848] Info — Library section 1 (Movies) will be updated because of a change in "/movies/Movie Title (2021)/Movie Title (2021).srt" -``` +#+end_src -## Solving the Error +** Solving the Error +:PROPERTIES: +:CUSTOM_ID: solving-the-error +:END: +In my case, I simply removed the subtitle file because it was not +critical to keep. You may also avoid this by turning off subtitles if +you don't want to delete the file. -In my case, I simply removed the subtitle file because it was not critical to -keep. -You may also avoid this by turning off subtitles if you don't want to delete the -file. - -```sh +#+begin_src sh rm -rf "/movies/Movie Title (2021)/Movie Title (2021).srt" -``` +#+end_src -Once the subtitle is removed from the directory or subtitles are turned off, -try to play the title again. -At this point, it should play without error. -If not, reopen or refresh your Plex client and the Plex server: +Once the subtitle is removed from the directory or subtitles are turned +off, try to play the title again. At this point, it should play without +error. If not, reopen or refresh your Plex client and the Plex server: -```sh +#+begin_src sh sudo systemctl restart plexmediaserver.service -``` - -## Related Discussion +#+end_src -Looking at [a related Plex forum post](https://forums.plex.tv/t/subtitles-crashing-plex-transcoder-samsung-q80-tv-with-or-without-hardware-transcode/741441/2), -it seems that `.srt` subtitles are the core issue here. -However, Plex does not seem to have a resolution that fixes these errors. +** Related Discussion +:PROPERTIES: +:CUSTOM_ID: related-discussion +:END: +Looking at +[[https://forums.plex.tv/t/subtitles-crashing-plex-transcoder-samsung-q80-tv-with-or-without-hardware-transcode/741441/2][a +related Plex forum post]], it seems that =.srt= subtitles are the core +issue here. However, Plex does not seem to have a resolution that fixes +these errors. Unfortunately, I would suggest converting subtitle formats, burning the -subtitles into the title, or simply removing subtitles when they cause crashes. +subtitles into the title, or simply removing subtitles when they cause +crashes. diff --git a/blog/2023-08-18-agile-auditing.org b/blog/2023-08-18-agile-auditing.org index 7753ecf..530c4e7 100644 --- a/blog/2023-08-18-agile-auditing.org +++ b/blog/2023-08-18-agile-auditing.org @@ -1,152 +1,172 @@ -+++ -date = 2023-08-18T17:11:38+00:00 -title = "Agile Auditing: An Introduction" -description = "A quick introduction to Agile, Scrum, and Kanban for audit engagement teams." -+++ - -## What is Agile Auditing? - -[Agile](https://en.wikipedia.org/wiki/Agile_software_development), the -collaborative philosophy behind many software development methods, has been -picking up steam as a beneficial tool to use in the external and internal -auditing world. - -This blog post will walk through commonly used terms within Agile, Scrum, -and Kanban in order to translate these terms and roles into audit-specific -terms. +#+title: Agile Auditing: An Introduction +#+date: 2023-08-18 + +** What is Agile Auditing? +:PROPERTIES: +:CUSTOM_ID: what-is-agile-auditing +:END: +[[https://en.wikipedia.org/wiki/Agile_software_development][Agile]], the +collaborative philosophy behind many software development methods, has +been picking up steam as a beneficial tool to use in the external and +internal auditing world. + +This blog post will walk through commonly used terms within Agile, +Scrum, and Kanban in order to translate these terms and roles into +audit-specific terms. Whether your team is in charge of a financial statement audit, an -attestation (SOC 1, SOC 2, etc.), or a unique internal audit, the terms used -throughout this post should still apply. - -## Agile +attestation (SOC 1, SOC 2, etc.), or a unique internal audit, the terms +used throughout this post should still apply. +** Agile +:PROPERTIES: +:CUSTOM_ID: agile +:END: To start, I'll take a look at Agile. -> The Agile methodology is a project management approach that involves -> breaking the project into phases and emphasizes continuous collaboration -> and improvement. Teams follow a cycle of planning, executing, and evaluating. +#+begin_quote +The Agile methodology is a project management approach that involves +breaking the project into phases and emphasizes continuous collaboration +and improvement. Teams follow a cycle of planning, executing, and +evaluating. -While this approach may seem familiar to what audit teams have historically -done, an audit team must make distinct changes in their mentality and how -they approach and manage a project. +#+end_quote -### Agile Values +While this approach may seem familiar to what audit teams have +historically done, an audit team must make distinct changes in their +mentality and how they approach and manage a project. -The Agile Manifesto, written in 2001 at a summit in Utah, contain a set of four -main values that comprise the Agile approach: +*** Agile Values +:PROPERTIES: +:CUSTOM_ID: agile-values +:END: +The Agile Manifesto, written in 2001 at a summit in Utah, contain a set +of four main values that comprise the Agile approach: 1. Individuals and interactions over processes and tools. 2. Working software over comprehensive documentation. 3. Customer collaboration over contract negotiation. 4. Responding to change over following a plan. -Beyond the four values, [twelve -principles](https://agilemanifesto.org/principles.html) were also written as -part of the summit. +Beyond the four values, +[[https://agilemanifesto.org/principles.html][twelve principles]] were +also written as part of the summit. -In order to relate these values to an audit or attestation engagement, we -need to shift the focus from software development to the main goal of an -engagement: completing sufficient audit testing to address to relevant risks -over the processes and controls at hand. +In order to relate these values to an audit or attestation engagement, +we need to shift the focus from software development to the main goal of +an engagement: completing sufficient audit testing to address to +relevant risks over the processes and controls at hand. Audit Examples: -- Engagement teams must value the team members, client contacts, and their - interactions over the historical processes and tools that have been used. -- Engagement teams must value a final report that contains sufficient +- Engagement teams must value the team members, client contacts, and + their interactions over the historical processes and tools that have + been used. +- Engagement teams must value a final report that contains sufficient audit documentation over excessive documentation or scope creep. -- Engagement teams must collaborate with the audit clients as much as - feasible to ensure that both sides are constantly updated with current - knowledge of the engagement's status and any potential findings, rather - than waiting for pre-set meetings or the end of the engagement to communicate. -- Engagement teams must be able to respond to change in an engagement's - schedule, scope, or environment to ensure that the project is completed in - a timely manner and that all relevant areas are tested. - - In terms of an audit department's portfolio, they must be able to - respond to changes in their company's or client's environment and be - able to dynamically change their audit plan accordingly. - -## Scrum - -The above section discusses the high-level details of the Agile philosophy -and how an audit team can potentially mold that mindset into the audit world, -but how does a team implement these ideas? +- Engagement teams must collaborate with the audit clients as much as + feasible to ensure that both sides are constantly updated with current + knowledge of the engagement's status and any potential findings, + rather than waiting for pre-set meetings or the end of the engagement + to communicate. +- Engagement teams must be able to respond to change in an engagement's + schedule, scope, or environment to ensure that the project is + completed in a timely manner and that all relevant areas are tested. + - In terms of an audit department's portfolio, they must be able to + respond to changes in their company's or client's environment and be + able to dynamically change their audit plan accordingly. + +** Scrum +:PROPERTIES: +:CUSTOM_ID: scrum +:END: +The above section discusses the high-level details of the Agile +philosophy and how an audit team can potentially mold that mindset into +the audit world, but how does a team implement these ideas? There are many methods that use an Agile mindset, but I prefer -[Scrum](https://en.wikipedia.org/wiki/Scrum_(software_development)). Scrum -is a framework based on Agile that enables a team to work through a project -through a series of roles, ceremonies, artifacts, and values. +[[https://en.wikipedia.org/wiki/Scrum_(software_development)][Scrum]]. +Scrum is a framework based on Agile that enables a team to work through +a project through a series of roles, ceremonies, artifacts, and values. Let's dive into each of these individually. -### Scrum Team - -A scrum project is only as good as the team running the project. Standard -scrum teams are separated into three distinct areas: - -1. **Product Owner (Client Contact)**: The client contact is the audit - equivalent of the product owner in Scrum. They are responsible for - partnering with the engagement or audit team to ensure progress is being - made, priorities are established, and clear guidance is given when - questions or findings arise within each sprint. -2. **Scrum Master (Engagement Lead)**: The engagement or audit team lead is - responsible for coaching the team and the client contact on the scrum - process, tracking team progress against plan, scheduling necessary - resources, and helping remove obstacles. -3. **Scrum Developers (Engagement Members)**: The engagement or audit team - is the set of team members responsible for getting the work done. These - team members will work on each task, report progress, resolve obstacles, - and collaborate with other team members and the client contact to ensure - goals are being met. - -### Scrum Ceremonies - +*** Scrum Team +:PROPERTIES: +:CUSTOM_ID: scrum-team +:END: +A scrum project is only as good as the team running the project. +Standard scrum teams are separated into three distinct areas: + +1. *Product Owner (Client Contact)*: The client contact is the audit + equivalent of the product owner in Scrum. They are responsible for + partnering with the engagement or audit team to ensure progress is + being made, priorities are established, and clear guidance is given + when questions or findings arise within each sprint. +2. *Scrum Master (Engagement Lead)*: The engagement or audit team lead + is responsible for coaching the team and the client contact on the + scrum process, tracking team progress against plan, scheduling + necessary resources, and helping remove obstacles. +3. *Scrum Developers (Engagement Members)*: The engagement or audit team + is the set of team members responsible for getting the work done. + These team members will work on each task, report progress, resolve + obstacles, and collaborate with other team members and the client + contact to ensure goals are being met. + +*** Scrum Ceremonies +:PROPERTIES: +:CUSTOM_ID: scrum-ceremonies +:END: Scrum ceremonies are events that are performed on a regular basis. -1. **Sprint Planning**: The team works together to plan the upcoming sprint - goal - and which user stories (tasks) will be added to the sprint to achieve - that goal. -2. **Sprint**: The time period, typically at least one week and no more than one - month in length, where the team works on the stories and anything in the - backlog. -3. **Daily Scrum**: A very short meeting held each day, typically 15 minutes, to - quickly emphasize alignment on the sprint goal and plan the next 24 hours. - Each team member may share what they did the day before, what they'll do - today, and any obstacles to their work. -4. **Sprint Review**: At the end of each sprint, the team will gather and - discuss the progress, obstacles, and backlog from the previous sprint. -5. **Sprint Retrospective**: More specific than the sprint review, the - retrospective is meant to discuss what worked and what did not work - during the sprint. This may be processes, tools, people, or even things - related to the Scrum ceremonies. - -One additional ceremony that may be applicable is organizing the backlog. -This is typically the responsibility of the engagement leader and is meant -to prioritize and clarify what needs to be done to complete items in the -backlog. - -### Artifacts - -While artifacts are generally not customizable in the audit world (i.e., -each control test must include some kind of working paper with evidence -supporting the test results), I wanted to include some quick notes on +1. *Sprint Planning*: The team works together to plan the upcoming + sprint goal and which user stories (tasks) will be added to the + sprint to achieve that goal. +2. *Sprint*: The time period, typically at least one week and no more + than one month in length, where the team works on the stories and + anything in the backlog. +3. *Daily Scrum*: A very short meeting held each day, typically 15 + minutes, to quickly emphasize alignment on the sprint goal and plan + the next 24 hours. Each team member may share what they did the day + before, what they'll do today, and any obstacles to their work. +4. *Sprint Review*: At the end of each sprint, the team will gather and + discuss the progress, obstacles, and backlog from the previous + sprint. +5. *Sprint Retrospective*: More specific than the sprint review, the + retrospective is meant to discuss what worked and what did not work + during the sprint. This may be processes, tools, people, or even + things related to the Scrum ceremonies. + +One additional ceremony that may be applicable is organizing the +backlog. This is typically the responsibility of the engagement leader +and is meant to prioritize and clarify what needs to be done to complete +items in the backlog. + +*** Artifacts +:PROPERTIES: +:CUSTOM_ID: artifacts +:END: +While artifacts are generally not customizable in the audit world (i.e., +each control test must include some kind of working paper with evidence +supporting the test results), I wanted to include some quick notes on associating scrum artifact terms with an audit. -1. **Product Backlog**: This is the overall backlog of unfinished audit +1. *Product Backlog*: This is the overall backlog of unfinished audit tasks from all prior sprints. -2. **Sprint Backlog**: This is the backlog of unfinished audit tasks from +2. *Sprint Backlog*: This is the backlog of unfinished audit tasks from one individual sprint. -3. **Increment**: This is the output of each sprint - generally this is best - thought of as any documentation prepared during the sprint, such as risk - assessments, control working papers, deficiency analysis, etc. - -## Kanban - -Last but not least, Kanban is a methodology that relies on boards to -categorize work into distinct, descriptive categories that allow an agile or -scrum team to effectively plan the work of a sprint or project. - -See Atlassian's [Kanban](https://www.atlassian.com/agile/kanban) page for -more information. +3. *Increment*: This is the output of each sprint - generally this is + best thought of as any documentation prepared during the sprint, such + as risk assessments, control working papers, deficiency analysis, + etc. + +** Kanban +:PROPERTIES: +:CUSTOM_ID: kanban +:END: +Last but not least, Kanban is a methodology that relies on boards to +categorize work into distinct, descriptive categories that allow an +agile or scrum team to effectively plan the work of a sprint or project. + +See Atlassian's [[https://www.atlassian.com/agile/kanban][Kanban]] page +for more information. diff --git a/blog/2023-09-15-gitweb.org b/blog/2023-09-15-gitweb.org index 9179d70..22c4c27 100644 --- a/blog/2023-09-15-gitweb.org +++ b/blog/2023-09-15-gitweb.org @@ -1,39 +1,44 @@ -+++ -date = 2023-09-16T03:10:37+00:00 -title = "GitWeb via Nginx" -description = "A short guide on how to serve GitWeb via Nginx." -+++ +#+title: GitWeb via Nginx +#+date: 2023-09-16 -## Overview +** Overview +:PROPERTIES: +:CUSTOM_ID: overview +:END: +[[https://git-scm.com/book/en/v2/Git-on-the-Server-GitWeb][GitWeb]] is a +simple web-based visualizer for git repositories. By default, GitWeb +will only run with the =lighttpd= or =webrick= web servers. -[GitWeb](https://git-scm.com/book/en/v2/Git-on-the-Server-GitWeb) is a simple -web-based visualizer for git repositories. -By default, GitWeb will only run with the `lighttpd` or `webrick` web servers. - -However, this guide will show you how to keep GitWeb running in the background -and display information for all repositories in a chosen directory. +However, this guide will show you how to keep GitWeb running in the +background and display information for all repositories in a chosen +directory. See below for the final result: - - -## Install Dependencies +#+caption: Gitweb +[[https://img.cleberg.net/blog/20230915-gitweb/gitweb.png]] +** Install Dependencies +:PROPERTIES: +:CUSTOM_ID: install-dependencies +:END: To start, you'll need install the following packages: -```sh +#+begin_src sh sudo apt install git gitweb fcgiwrap nginx -``` - -## Configure Nginx +#+end_src +** Configure Nginx +:PROPERTIES: +:CUSTOM_ID: configure-nginx +:END: Once installed, create an Nginx configuration file. -```sh +#+begin_src sh sudo nano /etc/nginx/sites-available/git.example.com -``` +#+end_src -```conf +#+begin_src conf server { listen 80; server_name example.com; @@ -52,23 +57,26 @@ server { index index.cgi; } } -``` +#+end_src -To make the configuration active, you need to symlink it and then restart Nginx. +To make the configuration active, you need to symlink it and then +restart Nginx. -```sh +#+begin_src sh sudo ln -s /etc/nginx/sites-available/git.example.com /etc/nginx/sites-enabled/git.example.com sudo systemctl restart nginx.service -``` - -The GitWeb application should now be available via the URL you set in the Nginx -configuration above. +#+end_src -## Customize GitWeb +The GitWeb application should now be available via the URL you set in +the Nginx configuration above. -If you need to, you can customize many things about Gitweb by editing the -[gitweb.conf](https://git-scm.com/docs/gitweb.conf) file. +** Customize GitWeb +:PROPERTIES: +:CUSTOM_ID: customize-gitweb +:END: +If you need to, you can customize many things about Gitweb by editing +the [[https://git-scm.com/docs/gitweb.conf][gitweb.conf]] file. -```sh +#+begin_src sh sudo nano /etc/gitweb.conf -``` +#+end_src diff --git a/blog/2023-09-19-audit-sql-scripts.org b/blog/2023-09-19-audit-sql-scripts.org index 76be926..3ab4b2a 100644 --- a/blog/2023-09-19-audit-sql-scripts.org +++ b/blog/2023-09-19-audit-sql-scripts.org @@ -1,23 +1,25 @@ -+++ -date = 2023-09-20T01:12:51+00:00 -title = "Useful SQL Scripts for Auditing Logical Access" -description = "A handful of SQL scripts in different dialects to gather user permissions on a database." -+++ +#+title: Useful SQL Scripts for Auditing Logical Access +#+date: 2023-09-20 -## Overview +** Overview +:PROPERTIES: +:CUSTOM_ID: overview +:END: +When you have to scope a database into your engagement, you may be +curious how to best extract the information from the database. While +there are numerous different methods to extract this type of +information, I'm going to show an example of how to gather all users and +privileges from three main database types: Oracle, Microsoft SQL, and +MySQL. -When you have to scope a database into your engagement, you may be curious -how to best extract the information from the database. While there are -numerous different methods to extract this type of information, I'm going to -show an example of how to gather all users and privileges from three main -database types: Oracle, Microsoft SQL, and MySQL. +** Oracle +:PROPERTIES: +:CUSTOM_ID: oracle +:END: +You can use the following SQL script to see all users and their +privileges in an Oracle database: -## Oracle - -You can use the following SQL script to see all users and their privileges -in an Oracle database: - -```sql +#+begin_src sql SELECT grantee AS "User", privilege AS "Privilege" @@ -33,38 +35,43 @@ FROM dba_tab_privs WHERE grantee IN (SELECT DISTINCT grantee FROM dba_tab_privs); -``` - -This script queries the `dba_sys_privs` and `dba_tab_privs` views to -retrieve system and table-level privileges respectively. It then combines -the results using `UNION ALL` to show all users and their associated -privileges. Please note that this method does not extract information from -the `dba_role_privs` table - use the method below for that data. +#+end_src -Please note that you might need appropriate privileges (e.g., DBA privileges) -to access these views, and you should exercise caution when querying system -tables in a production Oracle database. +This script queries the =dba_sys_privs= and =dba_tab_privs= views to +retrieve system and table-level privileges respectively. It then +combines the results using =UNION ALL= to show all users and their +associated privileges. Please note that this method does not extract +information from the =dba_role_privs= table - use the method below for +that data. -### Alternative Oracle Query +Please note that you might need appropriate privileges (e.g., DBA +privileges) to access these views, and you should exercise caution when +querying system tables in a production Oracle database. -You can also extract each table's information separately and perform -processing outside the database to explore and determine the information +*** Alternative Oracle Query +:PROPERTIES: +:CUSTOM_ID: alternative-oracle-query +:END: +You can also extract each table's information separately and perform +processing outside the database to explore and determine the information necessary for the audit: -```sql +#+begin_src sql SELECT * FROM sys.dba_role_privs; SELECT * FROM sys.dba_sys_privs; SELECT * FROM sys.dba_tab_privs; SELECT * FROM sys.dba_users; -``` +#+end_src -## Microsoft SQL +** Microsoft SQL +:PROPERTIES: +:CUSTOM_ID: microsoft-sql +:END: +You can use the following SQL script to see all users and their +privileges in a Microsoft SQL Server database +([[https://stackoverflow.com/a/30040784][source]]): -You can use the following SQL script to see all users and their privileges -in a Microsoft SQL Server database -([source](https://stackoverflow.com/a/30040784)): - -```sql +#+begin_src sql /* Security Audit Report 1) List all access provisioned to a sql user or windows user/group directly @@ -209,42 +216,47 @@ ORDER BY perm.[permission_name], perm.[state_desc], obj.type_desc--perm.[class_desc] -``` - -## MySQL +#+end_src -You can use the following SQL script to see all users and their privileges -in a MySQL database: +** MySQL +:PROPERTIES: +:CUSTOM_ID: mysql +:END: +You can use the following SQL script to see all users and their +privileges in a MySQL database: -```shell +#+begin_src shell mysql -u root -p -``` +#+end_src Find all users and hosts with access to the database: -```sql +#+begin_src sql SELECT * FROM information_schema.user_privileges; -``` - -This script retrieves user information and their associated database-level -privileges from the `information_schema.user_privileges` table in MySQL. It -lists various privileges such as SELECT, INSERT, UPDATE, DELETE, CREATE, and -more for each user and database combination. +#+end_src -Please note that you may need appropriate privileges (e.g., `SELECT` -privileges on `information_schema.user_privileges`) to access this -information in a MySQL database. Additionally, some privileges like GRANT -OPTION, EXECUTE, EVENT, and TRIGGER may not be relevant for all users and -databases. +This script retrieves user information and their associated +database-level privileges from the =information_schema.user_privileges= +table in MySQL. It lists various privileges such as SELECT, INSERT, +UPDATE, DELETE, CREATE, and more for each user and database combination. -### Alternative MySQL Query +Please note that you may need appropriate privileges (e.g., =SELECT= +privileges on =information_schema.user_privileges=) to access this +information in a MySQL database. Additionally, some privileges like +GRANT OPTION, EXECUTE, EVENT, and TRIGGER may not be relevant for all +users and databases. -You can also grab individual sets of data from MySQL if you prefer to join them -after extraction. I have marked the queries below with `SELECT ...` and excluded -most `WHERE` clauses for brevity. You should determine the relevant privileges -in-scope and query for those privileges to reduce the length of time to query. +*** Alternative MySQL Query +:PROPERTIES: +:CUSTOM_ID: alternative-mysql-query +:END: +You can also grab individual sets of data from MySQL if you prefer to +join them after extraction. I have marked the queries below with +=SELECT ...= and excluded most =WHERE= clauses for brevity. You should +determine the relevant privileges in-scope and query for those +privileges to reduce the length of time to query. -```sql +#+begin_src sql -- Global Permissions SELECT ... FROM mysql.user; @@ -263,4 +275,4 @@ WHERE db = @db_name; -- Password Configuration SHOW GLOBAL VARIABLES LIKE 'validate_password%'; SHOW VARIABLES LIKE 'validate_password%'; -``` +#+end_src diff --git a/blog/2023-10-04-digital-minimalism.org b/blog/2023-10-04-digital-minimalism.org index ebcc6a8..36c7718 100644 --- a/blog/2023-10-04-digital-minimalism.org +++ b/blog/2023-10-04-digital-minimalism.org @@ -1,82 +1,93 @@ -+++ -date = 2023-10-05T02:10:47+00:00 -title = "Digital Minimalism" -description = "Some personal reflections on digital minimalism." -+++ - -I've written [a note about minimalism](/notes/minimalism) before, but I wanted -to dedicate some time to reflect on digital minimalism and how I've been able -to minimize the impact of digital devices in my life. - -> These changes crept up on us and happened fast, before we had a chance to step -> back and ask what we really wanted out of the rapid advances of the past -> decade. We added new technologies to the periphery of our experience for minor -> reasons, then woke one morning to discover that they had colonized the core -> of our daily life. We didn’t, in other words, sign up for the digital world in -> which we’re currently entrenched; we seem to have stumbled backward into it. -> *(Digital Minimalism, 2019)* - -## The Principles of Digital Minimalism - -As noted in Cal Newport's book, *Digital Minimalism*, there are three main +#+title: Digital Minimalism +#+date: 2023-10-05 + +I've written [[/notes/minimalism][a note about minimalism]] before, but I wanted to dedicate some time +to reflect on digital minimalism and how I've been able to minimize the impact +of digital devices in my life. + +#+begin_quote +These changes crept up on us and happened fast, before we had a chance to step +back and ask what we really wanted out of the rapid advances of the past +decade. We added new technologies to the periphery of our experience for minor +reasons, then woke one morning to discover that they had colonized the core of +our daily life. We didn't, in other words, sign up for the digital world in +which we're currently entrenched; we seem to have stumbled backward into +it. + +/(Digital Minimalism, 2019)/ +#+end_quote + +** The Principles of Digital Minimalism +:PROPERTIES: +:CUSTOM_ID: the-principles-of-digital-minimalism +:END: +As noted in Cal Newport's book, /Digital Minimalism/, there are three main principles to digital minimalism that I tend to agree with: 1. Clutter is costly. - - Digital minimalists recognize that cluttering their time and attention - with too many devices, apps, and services creates an overall negative - cost that can swamp the small benefits that each individual item - provides in isolation. + - Digital minimalists recognize that cluttering their time and attention with + too many devices, apps, and services creates an overall negative cost that + can swamp the small benefits that each individual item provides in + isolation. 2. Optimization is important. - - Digital minimalists believe that deciding a particular technology - supports something they value is only the first step. To truly extract - its full potential benefit, it’s necessary to think carefully about how - they’ll use the technology. + - Digital minimalists believe that deciding a particular technology supports + something they value is only the first step. To truly extract its full + potential benefit, it's necessary to think carefully about how they'll use + the technology. 3. Intentionality is satisfying. - - Digital minimalists derive significant satisfaction from their general - commitment to being more intentional about how they engage with new - technologies. This source of satisfaction is independent of the specific - decisions they make and is one of the biggest reasons that minimalism - tends to be immensely meaningful to its practitioners. - -## Taking Action - -In order to put the logic into practice, I've created a few new habits and + - Digital minimalists derive significant satisfaction from their general + commitment to being more intentional about how they engage with new + technologies. This source of satisfaction is independent of the specific + decisions they make and is one of the biggest reasons that minimalism tends + to be immensely meaningful to its practitioners. + +** Taking Action +:PROPERTIES: +:CUSTOM_ID: taking-action +:END: +In order to put the logic into practice, I've created a few new habits and continued performing old habits that are working well: -### Using Devices With Intention - -- I already rarely use "social media", mostly limited to forums such as Hacker -News and Tildes, so I've just tweaked my behavior to stop looking for content in -those places when I'm bored. -- Use devices with intention. Each time I pick up a digital device, there should -be an intention to use the device to improve my current situation. No more -endless scrolling or searching for something to interest me. - -### Prevent Distractions - -- Disable (most) notifications on all devices. I spent 15-30 minutes going -through the notifications on my phone, watch, and computer to ensure that only a -select few apps have the ability to interrupt me: Calendar, Messages, Phone, -Reminders, & Signal. +*** Using Devices With Intention +:PROPERTIES: +:CUSTOM_ID: using-devices-with-intention +:END: +- I already rarely use "social media", mostly limited to forums such as Hacker + News and Tildes, so I've just tweaked my behavior to stop looking for content + in those places when I'm bored. +- Use devices with intention. Each time I pick up a digital device, there should + be an intention to use the device to improve my current situation. No more + endless scrolling or searching for something to interest me. + +*** Prevent Distractions +:PROPERTIES: +:CUSTOM_ID: prevent-distractions +:END: +- Disable (most) notifications on all devices. I spent 15-30 minutes going + through the notifications on my phone, watch, and computer to ensure that only + a select few apps have the ability to interrupt me: Calendar, Messages, Phone, + Reminders, & Signal. - Disable badges for any apps except the ones mentioned in the bullet above. -- Set-up focus profiles across devices so that I can enable different modes, -such as Personal when I only want to see notifications from people I care about -or Do Not Disturb, where absolutely nothing can interrupt me. -- Clean up my home screens. This one was quite easy as I already maintain a -minimalist set-up, but I went extreme by limiting my phone to just eight apps on -the home screen and four in the dock. If I need another app, I'll have to search -or use the app library. -- Remove the work profile from my phone. This was a tough decision as having my -work profile on my device definitely makes my life easier at times, but it also -has quite a negative effect when I'm "always online" and can see the -notifications and team activity 24/7. I believe creating a distinct barrier -between my work and personal devices will be beneficial in the end. - -### Creating Alternative Activities - -This is the most difficult piece, as most of my hobbies and interests lie in the -digital world. However, I'm making a concerted effort to put devices down unless -necessary and force myself to perform other activities in the physical world +- Set-up focus profiles across devices so that I can enable different modes, + such as Personal when I only want to see notifications from people I care + about or Do Not Disturb, where absolutely nothing can interrupt me. +- Clean up my home screens. This one was quite easy as I already maintain a + minimalist set-up, but I went extreme by limiting my phone to just eight apps + on the home screen and four in the dock. If I need another app, I'll have to + search or use the app library. +- Remove the work profile from my phone. This was a tough decision as having my + work profile on my device definitely makes my life easier at times, but it + also has quite a negative effect when I'm "always online" and can see the + notifications and team activity 24/7. I believe creating a distinct barrier + between my work and personal devices will be beneficial in the end. + +*** Creating Alternative Activities +:PROPERTIES: +:CUSTOM_ID: creating-alternative-activities +:END: +This is the most difficult piece, as most of my hobbies and interests lie in the +digital world. However, I'm making a concerted effort to put devices down unless +necessary and force myself to perform other activities in the physical world instead. I've started with a few basics that are always readily available to me: @@ -87,12 +98,13 @@ I've started with a few basics that are always readily available to me: - Participate in a hobby, such as photography, birding, disc golf, etc. - Let yourself be bored and wander into creativity. -## Making Progress - -I'll be taking notes as I continue down this journey and hope to see positive -trends. I've always been a minimalist in the physical world and it feels -refreshing to filter out the clutter that has come to dominate my digital life +** Making Progress +:PROPERTIES: +:CUSTOM_ID: making-progress +:END: +I'll be taking notes as I continue down this journey and hope to see positive +trends. I've always been a minimalist in the physical world and it feels +refreshing to filter out the clutter that has come to dominate my digital life over the years. I'm excited to see where this journey leads. - diff --git a/blog/2023-10-11-self-hosting-authelia.org b/blog/2023-10-11-self-hosting-authelia.org index 0a9830d..139f6a6 100644 --- a/blog/2023-10-11-self-hosting-authelia.org +++ b/blog/2023-10-11-self-hosting-authelia.org @@ -1,54 +1,59 @@ -+++ -date = 2023-10-11T02:53:29+00:00 -title = "Self-Hosting Authelia" -description = "A simple tutorial to get Authelia running on a self-hosted server." -+++ - -## Overview - -[Authelia](https://www.authelia.com/) is an open-source authentication service -that allows you to place a portal between end users on the internet and -self-hosted services on your server. - -You can require one factor (username+password) or two factor authentication for +#+title: Self-Hosting Authelia +#+date: 2023-10-11 + +** Overview +:PROPERTIES: +:CUSTOM_ID: overview +:END: +[[https://www.authelia.com/][Authelia]] is an open-source authentication service that allows you to place a +portal between end users on the internet and self-hosted services on your +server. + +You can require one factor (username+password) or two factor authentication for any such user before allowing them to access a specific service on your domain. -This guide will walk through a standard installation of Authelia for -`example.com`, using `auth.example.com` as Authelia's authentication domain and -`teddit.example.com` as the website we want to protect behind the authentication +This guide will walk through a standard installation of Authelia for +=example.com=, using =auth.example.com= as Authelia's authentication domain and +=teddit.example.com= as the website we want to protect behind the authentication portal. -## Prerequisites - +** Prerequisites +:PROPERTIES: +:CUSTOM_ID: prerequisites +:END: This guide assumes you have the following already set-up: - A registered domain with DNS pointing to your server. -- A subdomain for Authelia (`auth.example.com`) and a subdomain to protect via -Authelia (`app.example.com`). +- A subdomain for Authelia (=auth.example.com=) and a subdomain to + protect via Authelia (=app.example.com=). - A working Nginx web server. - Docker and docker-compose installed. -## Installation - -This guide will walk through each installation step one-by-one, starting with -the container and finishing by cleaning up external access via an Nginx reverse +** Installation +:PROPERTIES: +:CUSTOM_ID: installation +:END: +This guide will walk through each installation step one-by-one, starting with +the container and finishing by cleaning up external access via an Nginx reverse proxy. -### Docker-Compose - -To start, create a directory for Authelia and create a `docker-compose.yml` -file. +*** Docker-Compose +:PROPERTIES: +:CUSTOM_ID: docker-compose +:END: +To start, create a directory for Authelia and create a +=docker-compose.yml= file. -```sh +#+begin_src sh mkdir ~/authelia nano ~/authelia/docker-compose.yml -``` +#+end_src -Within this file, paste the following content. If you prefer a different local -port, modify the port on the left side of the colon on the `9091:9091` line. Be -sure to modify the `TZ` variable to your timezone. +Within this file, paste the following content. If you prefer a different local +port, modify the port on the left side of the colon on the =9091:9091= line. Be +sure to modify the =TZ= variable to your timezone. -```yml +#+begin_src yml version: '3.3' services: @@ -61,50 +66,52 @@ services: - 9091:9091 environment: - TZ=America/Chicago -``` +#+end_src Start the container with docker-compose: -```sh +#+begin_src sh sudo docker-compose up -d -``` +#+end_src -After the first start, the container will automatically exit and require you to +After the first start, the container will automatically exit and require you to modify the app's configuration files before continuing. Read on to learn more. -### Authelia Configuration +*** Authelia Configuration +:PROPERTIES: +:CUSTOM_ID: authelia-configuration +:END: +To configure Authelia before we restart the container, we need to open the +=config= directory and modify the files. Start by editing the +=configuration.yml= file, where all of Authelia's settings are stored. -To configure Authelia before we restart the container, we need to open the -`config` directory and modify the files. Start by editing the -`configuration.yml` file, where all of Authelia's settings are stored. - -My personal preference is to copy the original configuration file to a backup +My personal preference is to copy the original configuration file to a backup file and edit a fresh copy. -```sh +#+begin_src sh sudo cp ~/authelia/config/configuration.yml ~/authelia/config/configuration.yml.bk sudo nano ~/authelia/config/configuration.yml -``` +#+end_src -Within the blank `configuration.yml` file, paste the following information. You -will need to make quite a few updates, so be sure to read each line carefully +Within the blank =configuration.yml= file, paste the following information. You +will need to make quite a few updates, so be sure to read each line carefully and modify as necessary. The major required changes are: -- Any instances of `example.com` should be replaced by your domain. -- `jwt_secret` - Use the `pwgen 40 1` command to generate a secret for yourself. -- `access_control` - Set the Authelia domain to bypass here, as well as any -subdomains you want to protect. -- `session` > `secret` - Use the `pwgen 40 1` command to generate a secret for -yourself. -- `regulation` - Set the variables here to restrict login attempts and bans. -- `storage` > `encryption_key` - Use the `pwgen 40 1` command to generate a -secret for yourself. -- `smtp` - If you have access to an SMTP service, set up the information here to -active outgoing emails. - -```yml +- Any instances of =example.com= should be replaced by your domain. +- =jwt_secret= - Use the =pwgen 40 1= command to generate a secret for yourself. +- =access_control= - Set the Authelia domain to bypass here, as well as any + subdomains you want to protect. +- =session= > =secret= - Use the =pwgen 40 1= command to generate a secret for + yourself. +- =regulation= - Set the variables here to restrict login attempts and bans. +- =storage= > =encryption_key= - Use the =pwgen 40 1= command to generate a + secret for yourself. +- =smtp= - If you have access to an SMTP service, set up the information here to + active outgoing emails. + +#+begin_src yml # yamllint disable rule:comments-indentation --- ############################################################################### @@ -193,25 +200,27 @@ notifier: skip_verify: false minimum_version: TLS1.2 ... -``` - -### Authelia Users +#+end_src +*** Authelia Users +:PROPERTIES: +:CUSTOM_ID: authelia-users +:END: Next, create the users file for authentication. -```sh +#+begin_src sh sudo nano ~/authelia/config/users_database.yml -``` +#+end_src -Within the file, you will need to create an entry for each user that needs -access to Authelia. The `my_username` entry will be the username used on the +Within the file, you will need to create an entry for each user that needs +access to Authelia. The =my_username= entry will be the username used on the login page. -To generate the password, go to [Argon2 Hash Generator](https://argon2.online), -generate a random salt, and make sure the rest of the settings match the -`authentication_backend` section of `configuration.yml` file. +To generate the password, go to [[https://argon2.online][Argon2 Hash Generator]], generate a random salt, +and make sure the rest of the settings match the =authentication_backend= +section of =configuration.yml= file. -```yml +#+begin_src yml users: my_username: displayname: "My User" @@ -222,225 +231,233 @@ users: groups: - admins - dev -``` +#+end_src Once the app is configured, restart the container from scratch. -```sh +#+begin_src sh cd ~/authelia sudo docker-compose down && sudo docker-compose up -d -``` - -### Nginx: Authelia Domain +#+end_src -Once the container is running and configured, the final step is to configure +*** Nginx: Authelia Domain +:PROPERTIES: +:CUSTOM_ID: nginx-authelia-domain +:END: +Once the container is running and configured, the final step is to configure external access to the server via Nginx reverse proxy. Start by creating the Authelia domain. -```sh +#+begin_src sh sudo nano /etc/nginx/sites-available/auth -``` +#+end_src -Within this file, paste the following information and be sure to update -`example.com` to your domain. Make sure the `$upstream_authelia` variable +Within this file, paste the following information and be sure to update +=example.com= to your domain. Make sure the =$upstream_authelia= variable matches the location of your Authelia container. -```conf +#+begin_src conf server { - if ($host ~ ^[^.]+\.example\.com$) { - return 301 https://$host$request_uri; - } - - listen [::]:80; - listen 80; - server_name auth.example.com; - return 404; + if ($host ~ ^[^.]+\.example\.com$) { + return 301 https://$host$request_uri; + } + + listen [::]:80; + listen 80; + server_name auth.example.com; + return 404; } server { - listen [::]:443 ssl http2; - listen 443 ssl http2; - server_name auth.example.com; - access_log /var/log/nginx/auth.access.log; - error_log /var/log/nginx/auth.error.log; - - ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; - include /etc/letsencrypt/options-ssl-nginx.conf; - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; - - location / { - set $upstream_authelia http://127.0.0.1:9091; - proxy_pass $upstream_authelia; - client_body_buffer_size 128k; - - proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; - - send_timeout 5m; - proxy_read_timeout 360; - proxy_send_timeout 360; - proxy_connect_timeout 360; - - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Host $http_host; - proxy_set_header X-Forwarded-Uri $request_uri; - proxy_set_header X-Forwarded-Ssl on; - proxy_redirect http:// $scheme://; - proxy_http_version 1.1; - proxy_set_header Connection ""; - proxy_cache_bypass $cookie_session; - proxy_no_cache $cookie_session; - proxy_buffers 64 256k; - } + listen [::]:443 ssl http2; + listen 443 ssl http2; + server_name auth.example.com; + access_log /var/log/nginx/auth.access.log; + error_log /var/log/nginx/auth.error.log; + + ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; + include /etc/letsencrypt/options-ssl-nginx.conf; + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; + + location / { + set $upstream_authelia http://127.0.0.1:9091; + proxy_pass $upstream_authelia; + client_body_buffer_size 128k; + + proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; + + send_timeout 5m; + proxy_read_timeout 360; + proxy_send_timeout 360; + proxy_connect_timeout 360; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $http_host; + proxy_set_header X-Forwarded-Uri $request_uri; + proxy_set_header X-Forwarded-Ssl on; + proxy_redirect http:// $scheme://; + proxy_http_version 1.1; + proxy_set_header Connection ""; + proxy_cache_bypass $cookie_session; + proxy_no_cache $cookie_session; + proxy_buffers 64 256k; + } } -``` +#+end_src -Next, symlink the file and restart Nginx. If there are errors, be sure to +Next, symlink the file and restart Nginx. If there are errors, be sure to resolve those before moving on. -```sh +#+begin_src sh sudo ln -s /etc/nginx/sites-available/auth /etc/nginx/sites-enabled/auth sudo systemctl restart nginx.service -``` +#+end_src -### Nginx: Protected Domain(s) +*** Nginx: Protected Domain(s) +:PROPERTIES: +:CUSTOM_ID: nginx-protected-domains +:END: +Now that Authelia is accessible externally, you need to configure the domain you +intend to protect with Authelia. In this example, I'm protecting +=teddit.example.com=. -Now that Authelia is accessible externally, you need to configure the domain you -intend to protect with Authelia. In this example, I'm protecting -`teddit.example.com`. - -Similar to the process above, paste the content and update the relevant +Similar to the process above, paste the content and update the relevant variables. -```sh +#+begin_src sh sudo nano /etc/nginx/sites-available/teddit -``` +#+end_src -```conf +#+begin_src conf server { - if ($host ~ ^[^.]+\.example\.com$) { - return 301 https://$host$request_uri; - } - - listen [::]:80; - listen 80; - server_name teddit.example.com; - return 404; + if ($host ~ ^[^.]+\.example\.com$) { + return 301 https://$host$request_uri; + } + + listen [::]:80; + listen 80; + server_name teddit.example.com; + return 404; } server { - listen [::]:443 ssl http2; - listen 443 ssl http2; - server_name teddit.example.com; - access_log /var/log/nginx/teddit.access.log; - error_log /var/log/nginx/teddit.error.log; - - add_header X-Content-Type-Options "nosniff"; - add_header X-XSS-Protection "1; mode=block"; - add_header X-Frame-Options "DENY"; - add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"; - add_header Referrer-Policy "no-referrer"; - - ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; - include /etc/letsencrypt/options-ssl-nginx.conf; - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; - - location /authelia { - internal; - set $upstream_authelia http://127.0.0.1:9091/api/verify; - proxy_pass_request_body off; - proxy_pass $upstream_authelia; - proxy_set_header Content-Length ""; - - proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; - client_body_buffer_size 128k; - proxy_set_header Host $host; - proxy_set_header X-Original-URL $scheme://$http_host$request_uri; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Host $http_host; - proxy_set_header X-Forwarded-Uri $request_uri; - proxy_set_header X-Forwarded-Ssl on; - proxy_redirect http:// $scheme://; - proxy_http_version 1.1; - proxy_set_header Connection ""; - proxy_cache_bypass $cookie_session; - proxy_no_cache $cookie_session; - proxy_buffers 4 32k; - - send_timeout 5m; - proxy_read_timeout 240; - proxy_send_timeout 240; - proxy_connect_timeout 240; - } - - location / { - set $upstream_teddit http://127.0.0.1:8686; - proxy_pass $upstream_teddit; - - auth_request /authelia; - auth_request_set $target_url https://$http_host$request_uri; - auth_request_set $user $upstream_http_remote_user; - auth_request_set $email $upstream_http_remote_email; - auth_request_set $groups $upstream_http_remote_groups; - proxy_set_header Remote-User $user; - proxy_set_header Remote-Email $email; - proxy_set_header Remote-Groups $groups; - - error_page 401 =302 https://auth.example.com/?rd=$target_url; - - client_body_buffer_size 128k; - - proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; - - send_timeout 5m; - proxy_read_timeout 360; - proxy_send_timeout 360; - proxy_connect_timeout 360; - - proxy_set_header Host $host; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection upgrade; - proxy_set_header Accept-Encoding gzip; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Host $http_host; - proxy_set_header X-Forwarded-Uri $request_uri; - proxy_set_header X-Forwarded-Ssl on; - proxy_redirect http:// $scheme://; - proxy_http_version 1.1; - proxy_set_header Connection ""; - proxy_cache_bypass $cookie_session; - proxy_no_cache $cookie_session; - proxy_buffers 64 256k; - } + listen [::]:443 ssl http2; + listen 443 ssl http2; + server_name teddit.example.com; + access_log /var/log/nginx/teddit.access.log; + error_log /var/log/nginx/teddit.error.log; + + add_header X-Content-Type-Options "nosniff"; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Frame-Options "DENY"; + add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"; + add_header Referrer-Policy "no-referrer"; + + ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; + include /etc/letsencrypt/options-ssl-nginx.conf; + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; + + location /authelia { + internal; + set $upstream_authelia http://127.0.0.1:9091/api/verify; + proxy_pass_request_body off; + proxy_pass $upstream_authelia; + proxy_set_header Content-Length ""; + + proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; + client_body_buffer_size 128k; + proxy_set_header Host $host; + proxy_set_header X-Original-URL $scheme://$http_host$request_uri; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $http_host; + proxy_set_header X-Forwarded-Uri $request_uri; + proxy_set_header X-Forwarded-Ssl on; + proxy_redirect http:// $scheme://; + proxy_http_version 1.1; + proxy_set_header Connection ""; + proxy_cache_bypass $cookie_session; + proxy_no_cache $cookie_session; + proxy_buffers 4 32k; + + send_timeout 5m; + proxy_read_timeout 240; + proxy_send_timeout 240; + proxy_connect_timeout 240; + } + + location / { + set $upstream_teddit http://127.0.0.1:8686; + proxy_pass $upstream_teddit; + + auth_request /authelia; + auth_request_set $target_url https://$http_host$request_uri; + auth_request_set $user $upstream_http_remote_user; + auth_request_set $email $upstream_http_remote_email; + auth_request_set $groups $upstream_http_remote_groups; + proxy_set_header Remote-User $user; + proxy_set_header Remote-Email $email; + proxy_set_header Remote-Groups $groups; + + error_page 401 =302 https://auth.example.com/?rd=$target_url; + + client_body_buffer_size 128k; + + proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; + + send_timeout 5m; + proxy_read_timeout 360; + proxy_send_timeout 360; + proxy_connect_timeout 360; + + proxy_set_header Host $host; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection upgrade; + proxy_set_header Accept-Encoding gzip; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $http_host; + proxy_set_header X-Forwarded-Uri $request_uri; + proxy_set_header X-Forwarded-Ssl on; + proxy_redirect http:// $scheme://; + proxy_http_version 1.1; + proxy_set_header Connection ""; + proxy_cache_bypass $cookie_session; + proxy_no_cache $cookie_session; + proxy_buffers 64 256k; + } } -``` +#+end_src Same as before, symlink the file and restart Nginx. -```sh +#+begin_src sh sudo ln -s /etc/nginx/sites-available/teddit /etc/nginx/sites-enabled/teddit sudo systemctl restart nginx.service -``` - -## Results +#+end_src -When visiting the protected domain, you will now be redirected to your +** Results +:PROPERTIES: +:CUSTOM_ID: results +:END: +When visiting the protected domain, you will now be redirected to your authentication domain and presented with the Authelia login portal. - +#+caption: Authelia Portal +[[https://img.cleberg.net/blog/20231010-authelia/authelia_portal.png]] -Once you've successfully authenticated, you can visit your authentication domain -directly and see that you're currently authenticated to any domain protected by +Once you've successfully authenticated, you can visit your authentication domain +directly and see that you're currently authenticated to any domain protected by Authelia. - +#+caption: Authelia Success +[[https://img.cleberg.net/blog/20231010-authelia/authelia_success.png]] diff --git a/blog/2023-10-15-alpine-ssh-hardening.org b/blog/2023-10-15-alpine-ssh-hardening.org index 2ba483d..03a3ba7 100644 --- a/blog/2023-10-15-alpine-ssh-hardening.org +++ b/blog/2023-10-15-alpine-ssh-hardening.org @@ -1,60 +1,74 @@ -+++ -date = 2023-10-16T00:20:45+00:00 -title = "SSH Hardening for Alpine Linux" -description = "A quick guide to hardening SSH on Alpine Linux." -+++ - -## Overview +#+title: SSH Hardening for Alpine Linux +#+date: 2023-10-16 +** Overview +:PROPERTIES: +:CUSTOM_ID: overview +:END: This guide follows the standard -[ssh-audit](https://www.ssh-audit.com/hardening_guides.html) hardening guide, -tweaked for Alpine Linux. - -## Hardening Guide +[[https://www.ssh-audit.com/hardening_guides.html][ssh-audit]] hardening +guide, tweaked for Alpine Linux. -These steps must be performed as root. You can try to use `doas` or `sudo`, -but there may be issues. +** Hardening Guide +:PROPERTIES: +:CUSTOM_ID: hardening-guide +:END: +These steps must be performed as root. You can try to use =doas= or +=sudo=, but there may be issues. 1. Re-generate the RSA and ED25519 keys -```sh + +#+begin_src sh rm /etc/ssh/ssh_host_* ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N "" ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N "" -``` -2. Remove small Diffie-Hellman moduli -```sh +#+end_src + +2. [@2] Remove small Diffie-Hellman moduli + +#+begin_src sh awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe mv /etc/ssh/moduli.safe /etc/ssh/moduli -``` -3. Enable the RSA and ED25519 HostKey directives in the /etc/ssh/sshd_config -file -```sh +#+end_src + +3. [@3] Enable the RSA and ED25519 HostKey directives in the + /etc/ssh/sshd_config file + +#+begin_src sh sed -i 's/^\#HostKey \/etc\/ssh\/ssh_host_\(rsa\|ed25519\)_key$/HostKey \/etc\/ssh\/ssh_host_\1_key/g' /etc/ssh/sshd_config -``` -4. Restrict supported key exchange, cipher, and MAC algorithms -```sh +#+end_src + +4. [@4] Restrict supported key exchange, cipher, and MAC algorithms + +#+begin_src sh echo -e "\n# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com\n# hardening guide.\nKexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256\nCiphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\nMACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com\nHostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com" > /etc/ssh/sshd_config.d/ssh-audit_hardening.conf -``` -5. Include the /etc/ssh/sshd_config.d directory -```sh +#+end_src + +5. [@5] Include the /etc/ssh/sshd_config.d directory + +#+begin_src sh echo -e "Include /etc/ssh/sshd_config.d/*.conf" > /etc/ssh/sshd_config -``` -6. Restart OpenSSH server -```sh -rc-service sshd restart -``` +#+end_src + +6. [@6] Restart OpenSSH server -## Testing SSH +#+begin_src sh +rc-service sshd restart +#+end_src -You can test the results with the `ssh-audit` python script. +** Testing SSH +:PROPERTIES: +:CUSTOM_ID: testing-ssh +:END: +You can test the results with the =ssh-audit= python script. -```sh +#+begin_src sh pip3 install ssh-audit ssh-audit localhost -``` +#+end_src -If everything succeeded, the results will show as all green. If anything is -yellow, orange, or red, you may need to tweak additional settings. +If everything succeeded, the results will show as all green. If anything +is yellow, orange, or red, you may need to tweak additional settings. -![ssh audit](https://img.cleberg.net/blog/20231015-ssh-hardening/ssh-audit.png -"ssh-audit") +#+caption: ssh audit +[[https://img.cleberg.net/blog/20231015-ssh-hardening/ssh-audit.png%20%22ssh-audit%22]] diff --git a/blog/2023-10-17-self-hosting-anonymousoverflow.org b/blog/2023-10-17-self-hosting-anonymousoverflow.org index 725316c..1acfb95 100644 --- a/blog/2023-10-17-self-hosting-anonymousoverflow.org +++ b/blog/2023-10-17-self-hosting-anonymousoverflow.org @@ -1,33 +1,37 @@ -+++ -date = 2023-10-17T15:44:45.601627917+00:00 -title = "Self-Hosting AnonymousOverflow" -description = "A quick guide to self-hosting AnonymousOverflow." -+++ - -## Overview - -I recently launched an instance of AnonymousOverflow at -[ao.cleberg.net](https://ao.cleberg.net) and wanted to write a brief post on how -easy it is to install with Docker Compose and Nginx. - -This guide uses Ubuntu server, Docker Compose, and Nginx as a reverse proxy. - -## Installation - -### Docker Compose - -To install AnonymousOverflow, start by creating a directory for the application -and create its `docker-compose.yml` file. - -```sh +#+title: Self-Hosting AnonymousOverflow +#+date: 2023-10-17 + +** Overview +:PROPERTIES: +:CUSTOM_ID: overview +:END: +I recently launched an instance of AnonymousOverflow at [[https://ao.cleberg.net][ao.cleberg.net]] and +wanted to write a brief post on how easy it is to install with Docker Compose +and Nginx. + +This guide uses Ubuntu server, Docker Compose, and Nginx as a reverse +proxy. + +** Installation +:PROPERTIES: +:CUSTOM_ID: installation +:END: +*** Docker Compose +:PROPERTIES: +:CUSTOM_ID: docker-compose +:END: +To install AnonymousOverflow, start by creating a directory for the +application and create its =docker-compose.yml= file. + +#+begin_src sh mkdir ~/anonymousoverflow && cd ~/anonymousoverflow nano docker-compose.yml -``` +#+end_src Within this file, paste the following information. Be sure to change the -`APP_URL`, `JWT_SIGNING_SECRET`, and `ports` to match your needs. +=APP_URL=, =JWT_SIGNING_SECRET=, and =ports= to match your needs. -```yaml +#+begin_src yaml version: '3' services: @@ -40,92 +44,93 @@ services: ports: - '9380:8080' restart: 'always' -``` +#+end_src -Save and exit the file when complete. You can now launch the container and -access it via your local network. +Save and exit the file when complete. You can now launch the container +and access it via your local network. -```sh +#+begin_src sh sudo docker-compose up -d -``` - -### Nginx Reverse Proxy +#+end_src -If you want to access this service outside the local network, I recommend using -Nginx as a reverse proxy. +*** Nginx Reverse Proxy +:PROPERTIES: +:CUSTOM_ID: nginx-reverse-proxy +:END: +If you want to access this service outside the local network, I +recommend using Nginx as a reverse proxy. Let's start by creating a configuration file. -```sh +#+begin_src sh sudo nano /etc/nginx/sites-available/ao -``` +#+end_src -Within this file, paste the following content and repace `ao.example.com` with -your URL. You may need to update the SSL certificate statements if your -certificates are in a different location. +Within this file, paste the following content and repace +=ao.example.com= with your URL. You may need to update the SSL +certificate statements if your certificates are in a different location. -```conf +#+begin_src conf server { - if ($host ~ ^[^.]+\.cleberg\.net$) { - return 301 https://$host$request_uri; - } - - listen [::]:80; - listen 80; - server_name ao.example.com; - return 404; + if ($host ~ ^[^.]+\.cleberg\.net$) { + return 301 https://$host$request_uri; + } + + listen [::]:80; + listen 80; + server_name ao.example.com; + return 404; } server { - listen [::]:443 ssl http2; - listen 443 ssl http2; - server_name ao.example.com; - access_log /var/log/nginx/ao.access.log; - error_log /var/log/nginx/ao.error.log; - - add_header X-Content-Type-Options "nosniff"; - add_header X-XSS-Protection "1; mode=block"; - add_header X-Frame-Options "DENY"; - add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"; - add_header Referrer-Policy "no-referrer"; - - ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; - include /etc/letsencrypt/options-ssl-nginx.conf; - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; - - location / { - set $upstream_ao http://127.0.0.1:9380; - proxy_pass $upstream_ao; - - proxy_set_header Host $host; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection upgrade; - proxy_set_header Accept-Encoding gzip; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Host $http_host; - proxy_set_header X-Forwarded-Uri $request_uri; - proxy_set_header X-Forwarded-Ssl on; - proxy_redirect http:// $scheme://; - proxy_http_version 1.1; - proxy_set_header Connection ""; - proxy_cache_bypass $cookie_session; - proxy_no_cache $cookie_session; - proxy_buffers 64 256k; - } + listen [::]:443 ssl http2; + listen 443 ssl http2; + server_name ao.example.com; + access_log /var/log/nginx/ao.access.log; + error_log /var/log/nginx/ao.error.log; + + add_header X-Content-Type-Options "nosniff"; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Frame-Options "DENY"; + add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"; + add_header Referrer-Policy "no-referrer"; + + ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; + include /etc/letsencrypt/options-ssl-nginx.conf; + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; + + location / { + set $upstream_ao http://127.0.0.1:9380; + proxy_pass $upstream_ao; + + proxy_set_header Host $host; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection upgrade; + proxy_set_header Accept-Encoding gzip; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $http_host; + proxy_set_header X-Forwarded-Uri $request_uri; + proxy_set_header X-Forwarded-Ssl on; + proxy_redirect http:// $scheme://; + proxy_http_version 1.1; + proxy_set_header Connection ""; + proxy_cache_bypass $cookie_session; + proxy_no_cache $cookie_session; + proxy_buffers 64 256k; + } } -``` +#+end_src Save and exit the file when complete. On Ubuntu, you will need to symlink the -configuration file before it will be recognized by Nginx. Once complete, -simply restart the web server. +configuration file before it will be recognized by Nginx. Once complete, simply +restart the web server. -```sh +#+begin_src sh sudo ln -s /etc/nginx/sites-available/ao /etc/nginx/sites-enabled/ao sudo systemctl restart nginx.service -``` +#+end_src -The website will now be available publicly. Visit -[my instance](https://ao.cleberg.net) for an example. +The website will now be available publicly. Visit [[https://ao.cleberg.net][my instance]] for an example. diff --git a/blog/2023-11-08-scli.org b/blog/2023-11-08-scli.org index 9c0bf89..16c723d 100644 --- a/blog/2023-11-08-scli.org +++ b/blog/2023-11-08-scli.org @@ -1,146 +1,153 @@ -+++ -date = 2023-11-08T21:37:00.307616604+00:00 -title = "Installing scli on Alpine Linux (musl)" -description = "" -+++ - -[scli](https://github.com/isamert/scli) is a command-line tool that allows you -to connect to your Signal messenger account. This program utilizes a two-pane -display that shows you chats on the left and the focused conversation on the -right. - -This guide will show you how to install `scli` and its dependencies on Alpine -Linux, which requires some extra work due to musl. - -If you're using a non-musl system, you can likely following the `scli` README -and download the packaged binaries for an easier installation process. +#+title: Installing scli on Alpine Linux (musl) +#+date: 2023-11-08 -## Dependencies +[[https://github.com/isamert/scli][scli]] is a command-line tool that allows you to connect to your Signal messenger +account. This program utilizes a two-pane display that shows you chats on the +left and the focused conversation on the right. -In order to use `scli`, you need a few dependencies: - -- `openjdk17-jre` - Used as a dependency for the `signal-cli` tool. Version may -vary. -- `signal-cli` - Used as the backbone of the `scli` tool. -- `findutils` - Replaces the standard Busybox version of `xargs`. -- `urwid` - A console user interface library for Python. -- `urwid-readline` - For GNU emacs-like keybinds on the input line. -- `qrencode` - Displays a QR code in the terminal to link the device using your -phone. Not necessary if you're only linking on desktop and can copy/paste the -connection URL. +This guide will show you how to install =scli= and its dependencies on Alpine +Linux, which requires some extra work due to musl. -Let's start by installing the packages available via Alpine's repositories. Be -sure to install the latest version of `openjdk`. If you run into Java-related -issues, uninstall `openjdk` and install an older version. +If you're using a non-musl system, you can likely following the =scli= README +and download the packaged binaries for an easier installation process. -```sh +** Dependencies +:PROPERTIES: +:CUSTOM_ID: dependencies +:END: +In order to use =scli=, you need a few dependencies: + +- =openjdk17-jre= - Used as a dependency for the =signal-cli= tool. + Version may vary. +- =signal-cli= - Used as the backbone of the =scli= tool. +- =findutils= - Replaces the standard Busybox version of =xargs=. +- =urwid= - A console user interface library for Python. +- =urwid-readline= - For GNU emacs-like keybinds on the input line. +- =qrencode= - Displays a QR code in the terminal to link the device + using your phone. Not necessary if you're only linking on desktop and + can copy/paste the connection URL. + +Let's start by installing the packages available via Alpine's +repositories. Be sure to install the latest version of =openjdk=. If you +run into Java-related issues, uninstall =openjdk= and install an older +version. + +#+begin_src sh doas apk add openjdk17-jre findutils qrencode -``` +#+end_src -Next, let's install `signal-cli`. Be sure to export the version of `signal-cli` -that you want. I use version `0.12.4` below, but that may be outdated by the -time you're reading this. +Next, let's install =signal-cli=. Be sure to export the version of +=signal-cli= that you want. I use version =0.12.4= below, but that may +be outdated by the time you're reading this. -```sh +#+begin_src sh export VERSION="0.12.4" wget https://github.com/AsamK/signal-cli/releases/download/v"${VERSION}"/signal-cli-"${VERSION}".tar.gz doas tar xf signal-cli-"${VERSION}".tar.gz -C /opt doas ln -sf /opt/signal-cli-${VERSION}"/bin/signal/cli /usr/local/bin -``` +#+end_src -Finally, install the `urwid` packages using the Python packaging utility. +Finally, install the =urwid= packages using the Python packaging +utility. -```sh +#+begin_src sh pip3 install urwid urwid-readline -``` - -## Installation +#+end_src -Now that we have all of the dependencies we need, we can install `scli`. Start -by simply cloning the repository. +** Installation +:PROPERTIES: +:CUSTOM_ID: installation +:END: +Now that we have all of the dependencies we need, we can install =scli=. +Start by simply cloning the repository. -```sh +#+begin_src sh git clone https://github.com/isamert/scli -``` +#+end_src -When I cloned this repository on 2023-11-08, I found a bug in the logic that -required a fix. You must edit the `scli` file and replace the one instance of -`RLIMIT_OFILE` with `RLIMIT_NOFILE`. +When I cloned this repository on 2023-11-08, I found a bug in the logic +that required a fix. You must edit the =scli= file and replace the one +instance of =RLIMIT_OFILE= with =RLIMIT_NOFILE=. -```sh +#+begin_src sh cd scli nano scli -``` +#+end_src -Once complete, you can move this program to anywhere on your `$PATH`. I chose -the following directory. +Once complete, you can move this program to anywhere on your =$PATH=. I +chose the following directory. -```sh +#+begin_src sh doas mv scli /usr/local/bin/scli -``` +#+end_src -## Initial Setup +** Initial Setup +:PROPERTIES: +:CUSTOM_ID: initial-setup +:END: +Now that everything is installed, we can login and configure the client. +Start by generating a connection link. -Now that everything is installed, we can login and configure the client. Start -by generating a connection link. - -```sh +#+begin_src sh signal-cli link -n "YOUR-DEVICE-NICKNAME" | tee >(xargs -L 1 qrencode -t utf8) -``` +#+end_src -This will generate a connection link and related QR code for you to use to link -the devices together. Once complete, **wait patiently** for the connection -process to finish. +This will generate a connection link and related QR code for you to use +to link the devices together. Once complete, *wait patiently* for the +connection process to finish. -Once it completes, it will exit and return you to the prompt. From here, you -need to perform an initial `receive` command to start things off. The `USERNAME` -variable should be your phone number, such as `+15551237890`. +Once it completes, it will exit and return you to the prompt. From here, +you need to perform an initial =receive= command to start things off. +The =USERNAME= variable should be your phone number, such as +=+15551237890=. -```sh +#+begin_src sh signal-cli -u USERNAME receive -``` +#+end_src -Also be sure to test the daemon to ensure it works properly. If no errors occur, -it's working. If you run into errors because you're not running a DBUS session, -see my notes below. +Also be sure to test the daemon to ensure it works properly. If no +errors occur, it's working. If you run into errors because you're not +running a DBUS session, see my notes below. -```sh +#+begin_src sh signal-cli -u USERNAME daemon -``` +#+end_src -Once the initial reception is complete, you are ready to use `scli`. +Once the initial reception is complete, you are ready to use =scli=. -This process will differ depending on your desktop environment (DE). If you are -running a DE, you likely have a DBUS session running already and can simply -launch the program. +This process will differ depending on your desktop environment (DE). If +you are running a DE, you likely have a DBUS session running already and +can simply launch the program. -However, if you're like me and running your computer straight on the TTY without -a DE, you'll need to start a DBUS session for this program. +However, if you're like me and running your computer straight on the TTY +without a DE, you'll need to start a DBUS session for this program. -```sh +#+begin_src sh # If you're not running a DBUS session yet, you need to start one for scli dbus-run-session -- scli # OR - If you're already running a DBUS session, simply run scli scli -``` - -## Configuration +#+end_src -Lastly, there are a number of configuration options that you can pass via the -command or in the `~/.config/sclirc` file. See the Github README for more -information on configuration options. +** Configuration +:PROPERTIES: +:CUSTOM_ID: configuration +:END: +Lastly, there are a number of configuration options that you can pass +via the command or in the =~/.config/sclirc= file. See the Github README +for more information on configuration options. -```sh +#+begin_src sh nano ~/.config/sclirc -``` +#+end_src -```conf +#+begin_src conf # ~/.config/sclirc wrap-at = 80 enable-notifications = true -``` +#+end_src -That's it! Following this guide, I have a functional `scli` program that +That's it! Following this guide, I have a functional =scli= program that successfully sends messages to my contacts and myself! |