From Ghost to Hugo

Ghost has been a bit of a wild ride over the last two years. What I’d started with would now be considered ghost-legacy which was their 0.11.x series of releases. For a little while I’d actually been able to comfortable package it in the ArchLinux User Repository. I’d abandoned packaging when ghost-cli became a requirement. Without a package I resorted to excessively using the --no-setup stage blockers and become increasingly frustrated with the quirky and aggressive release schedule of ghost and ghost-cli.

From Vultr to Packet

After spending several years relatively happy with Vultr it was time to finally dig into the 'bring your own OS' features that announced a while back. Turned out to have all the features necessary for me to transition, but does currently require some physical intervention to get working in the way that makes sense to me. Overall the experience has been wonderful and I'm happy to have a new provider for my remote systems.

GPG Agent as SSH Agent

It is possible to use your gpg-agent as an ssh-agent to provide for a consistent UX when unlocking your private keys. Secondarily you set a masking password that is shorter than your original ssh key-pair password. Assuming you're relying on a gpg-agent for your system already, this is a way to roll functionality into a single daemon.

Audit SMB activity with VFS Modules

We have a central instance of smbd that we allow users to have home directories on, as well as project specific shares. It’s a beefy ZFS on Linux instance that we call “tank” in reference to Jeff Bonwick’s discussion of the humble ZFS beginnings within Sun. We run a backup strategy between it and a couple other trailing-mirrored instances that we’ve positioned around the facility. We have a desire to be able to review everything a user did in terms of interaction with tank. This can be accomplished via something called a “Stackable VFS Module”.

The Two Cultures by C.P. Snow

A lecture called The Two Cultures had been referenced several times in discussions that I’ve found interesting, so I snagged a modern print of the essay to spend some time with. I’ve read the print from 1959 instead of the follow up print from 1963. This text is based on a talk, so its delivery is conversational. I was surprised at how many more interesting cultural topics were discussed in the text. It may be shameful to admit that I sort of expected a diatribe from a scientist about the luddites of literary/cultural academia… but it was even keel and more focused on generally how this rift impacts all of society.

Blindsight & Echopraxia by Peter Watts

Frequenting /r/printsf sometimes you’ll see someone talking about a text you enjoyed with references to sampling other authors. Peter Watts kept showing up so eventually I wanted to sample the work he is most lauded for (currently Blindsight). Blindsight and its sidequel Exchopraxia were released in omnibus form as Firefall. These were impressive texts, but when looking more into him I became enamored with the nuggets of lore spread around his website. The writing, the typesetting, the tendencies to include legitimate references to academic discussion supporting his fictional spins… this guy has a knack for upholding the hard side of science fiction.

{Wire}guard from your ISP

People are getting into a recent uproar about entities like facebook and cambridge analytica while willing putting their information into these ecosystems. We should instead be considerably more concerned about the unwilling surveillance we’re a part of from our ISP. Recently the guardian and some discussion pushed me to finally look into applying wireguard to something like the home network design. So in this we're going to install wireguard on an edgemax router, bring up a wireguard tunnel to a VPN service, send all DNS queries over that tunnel, and send selective hosts or subnets Internet bound traffic over that tunnel.

Pass, with friends

Pass is a simple way to manage passwords locally, and with git one can collaborate on a password database with friends. To use pass with friends you must have pass, git, ssh, and gpg configured. We'll get into how to structure your pass databases for multiple projects and sharing them with multiple people.

ZFS Performance Focused Parameters

We’ve recently gotten some significantly larger storage systems and after running some 50T pools with basically all the defaults it felt like time to dig into what common options are used to chase performance. The intended use for these systems is ultimately CIFS/NFS targets for scientists who are running simulations that generate small (1M) to large (100G) files. I’m not being rigorous and offering any benchmarks, just digging into documented performance parameters and explaining the rational.

Selective Powertop tunables via Systemd

If you've got an intel system and want to have your powertop tunables selectively stick then you can't rely on the auto-tune feature. If you do, you'll notice some subsystems are not available right when you want them (e.g. a mouse). It's better to profile and selectively apply the configurations that make sense for your use.

ECC Certificates and mTLS with Nginx

If you want to be truly paranoid about authentication to services, you can implement your own Public Key Infrastructure (PKI). Many large organizations that are privacy focused have developed a digital/physical PKI strategy, for example the DoD’s Common Access Card. OpenSSL is a software that can be used to setup a “simple” PKI, however it’s command complexity is easy to get lost within. In this guide we’ll set up a “simple” PKI that we’ll use to authenticate users with, while still using the legitimately issued Let’s Encrypt Domain Validation certificates.

BTRFS Maintenance and the SSD parameter

I stumbled across a discussion about using the ssd parameter as a mount option with BTRFS and realized that I was very likely afflicted by what was being discussed in the mailing list. I'd not anticipated any maintenance operations that would be necessary when starting to use BTRFS as a daily driver, but IRC and the community was incredibly helpful.

Modern TLS with Nginx and LetsEncrypt

With all of the nasties we are seeing about snarfing up data, there has been a concerted effort for people to get encryption in place. For the web, it has never been easier to get these things sorted because there have been significant efforts recently to reduce the barrier. Firstly the Letsencrypt project broke up the cabal of certificate authorities by providing a recognized authority that could issue certificates to verified domain operators without a transaction cost. Secondly, the letsencrypt projects and the EFF collaborated on certbot to provide a fully featured utility for requesting, issuing, and, updating certificates. And, thirdly, the openssl project has been getting a lot more external attention due to recent vulnerabilities being reported in a much more trendy fashion.

Dynamic DNS via EdgeOS and Cloudflare

Dynamic DNS is an essential tool if you're provider is unwilling to provide you with a static address (or has priced it unreasonably). On almost all residential connections with the large providers you're not going to be able to obtain a static address unless you convert over to one of the business contracts, then pay some heft amount like 15USD monthly. EdgeOS can now work with Cloudflare to update DNS records based on your changing WAN interfaces.

Home Network, a novice Design

When you jump beyond the use of a monolithic router/switch to separates it can be a daunting task. Often it is easy to settle into using non-managed switching, which doesn't allow for isolation. In todays age with IoT running rampant having different domains of isolation can be an essential for limiting untrusted but useful devices from ex-filtrating data from your household. Moving to a managed switch platform allows you to do a variety of interesting things for your home network, yet getting started can be a bit daunting.

Limiting Exposure via ssh ProxyJump

ssh is an amazingly prolific tool that is used extensively by anyone who manages systems. It's a tool that many of us trust to provide the ultimate command and control access to devices we manage, and on many commercial systems it can be marginalized by being updated infrequently. If you're able to run modern openssh you have access to a new feature named ProxyJump, which makes using a jumphost much simpler.

Project Fi, ArchLinux, Thinkpad T470s

It has been a personal desire to have mobile broadband connectivity with a laptop and not have a requirement for peripherals like MiFi or Tethering, for half a decade. When it became possible to get LTE modems in newer model Thinkpads it was time to see if Fi had made data-only SIMs that would work nationally/internationally.

Painless CIFS targets via systemd

Systemd can be leveraged to help manage your CIFS mount-points through its automount features. Once set up it makes for a painless way to on-demand access network targets.

Linux on the T470s

Trying to find a modern laptop that works well with Linux is quite difficult. I've been on a journey with difference manufactures ranging from Panasonic, Dell, HP, Lenovo... It's quite a mess. Thankfully the T4x0s line of laptops form Lenovo have proved to work well (generally) for the last couple generations. Herein is a discussion of selection criteria and some anecdotes for getting things to run smoothly.

Activities near Las Vegas

I’ve had the opportunity to visit Las Vegas several times in recent years due to it being a popular local to host conferences. I don’t gamble or sit poolside, so I’m typically looking to find other forms of activities. Personally, I’d not choose Las Vegas as a destination, but anytime I get a chance to travel I’ll try to find a way to make the most of it.

Five Days in Iceland

As mentioned in a previous post we visited Iceland, Scotland, and England in September of 2016. I wanted to make larger, more media focused posts for each country to dig into the visually appealing things one can discover in each theater.

Planning Iceland, Scotland, England

We had the strong desire to make a trip overseas around the time that I was turning 30. There's a wide world out there, but we'd been piqued by books, films, and whisky, to make a trek along some lines that would put us in North Eastern Scotland for a bit. In this post I'll describe out overall trip planning, anecdotes we learned from execution, and in some follow up posts I'll describe our time in each country more intimately.

Travel Pack, Accessories, and Anecdotes

For our first trip overseas we needed to select a pack, accessories, and put everything together anticipating things we'd never done before. I'll try to cover what we thought we'd anticipate, what we experienced, and lessons we learned from the journey.

Archlinux Metal to Server With ZFS

A simplified installed procedure that will allow you to go from metal to a server that has the next generation file-system ZFS. This guide stays updated as each time I have to do a new install it is consulted. It guide reflects the pathway I take most commonly with servers responsible for housing some sensitive data. Although ZFS is not an in kernel feature, it is a far more mature basis for doing complex, and trustworthy, storage pools on a single host.

Archlinux Metal to Desktop Environment

A simplified installed procedure that will allow you to go from metal to a machine that has a desktop environment. This guide stays updated as each time I have to do a new install it is consulted. It reflect the paths that I generally use for my (and my families) daily driver machines. We'll be focused on a sort of golden path by using the modern, well maintained technology stack of luks, btrfs, systemd, and gnome.

Network Hardware Selection

After several deployments of varying size and complexity, an offered opinion on the advantages and disadvantages of choosing Ubiquiti hardware for your next project. Originally written in early 2017, there are some updates from early 2018 relating to technical/ideological facets that have come up in the last couple years of operating Ubiquiti equipment.

Self Managed Storage

As our digital legacies continue to grow with advanced capture systems, its important to consider taking some control over assuring how that legacy is perpetuated. There are many enterprise grade technologies that are within easy reach of the individual who wants to start building out their home lab. Rather than send monolithic emails to people who inquire about this topic it seemed more appropriate to write out my opinions openly, and maintain them as more experience is gained. This is written from the approach of accomplishing this task 'properly' as I personally see it. People have different initial objectives when considering this project. I'll focus exclusively on storage and backup while ignoring things like streaming/trans-coding, or acquisition.

Distribution Purity via Vultr

Choosing a hosting provider when you want the familiarity and trust of your native distribution resources is actually quite difficult. Many of the juggernaut providers offer features that require them to have control over your kernel and boot-loader.