2018 September Assorted Links

Little late... I've been dragging my feet on writing as I've become irritated (maybe for the final time) with the direction Ghost is headed. I've been mucking about with Hugo and am trying to decide on exactly how I want things to look before transitioning. Culture Might »

GPG Agent as SSH Agent

This will be a pretty curt post; the intent is to remember how this was done. The rationale here is: maintain physically separate ssh keypairs outside of GPG, mainly because, as much as gpg is trusted, the gpg-agent, its documentation, and the associated configuration files are a little confusing. Utilize the »

2018 August Assorted Links

A couple days late due to some travel, but this one was larger than my first attempt. Culture There was an interesting article about bloat in our current web experience titled The Bullshit Web which was pretty dang interesting, especially for those of us who are between 30 »

Audit SMB activity with VFS Modules

We have a central instance of smbd that we allow users to have home directories on, as well as project specific shares. It's a beefy ZFS on Linux instance that we call "tank" in reference to Jeff Bonwick's discussion of the humble ZFS beginnings within Sun. »

2018 July Assorted Links

Stumbled across Chris Stucchio a while back and saw that he would dump interesting links into a round-up style blog post; I've always felt like that was a good way to keep tabs on interesting articles. I'm lazily attempting to shoehorn everything I find into packet of »

The Two Cultures by C.P. Snow

Background A lecture called The Two Cultures had been referenced several times in discussions that I've found interesting, so I snagged a modern print of the essay to spend some time with. I've read the print from 1959 instead of the follow-up print from 1963. This text »

Blindsight & Echopraxia by Peter Watts

Background Frequenting /r/printsf sometimes you'll see someone talking about a text you enjoyed with references to sampling other authors. Peter Watts kept showing up so eventually I wanted to sample the work he is most lauded for (currently Blindsight). Blindsight and its sidequel Echopraxia were released in »

{wire}guard from your ISP

WireGuard aims to be as easy to configure and deploy as SSH. You establish a VPN connection by simply exchanging public keys, and the rest is transparently handled by WireGuard. There are many other technologies, however WireGuard is uniquely interesting for: cryptokey routing: the first principles simply mapping »
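To make the cryptokey routing idea concrete, here is a minimal WireGuard peer configuration. This is an added example, not the configuration from the original post; the keys, addresses, and endpoint are placeholders (assumptions) that you would replace with your own.

```ini
# Added example, not from the original post. Keys, addresses and the
# endpoint below are placeholders (assumptions), not real values.
# This host: 10.0.0.2 inside the tunnel, listening on UDP 51820.
[Interface]
PrivateKey = <this host's private key, from: wg genkey>
Address = 10.0.0.2/32
ListenPort = 51820

# One peer, identified solely by its public key. AllowedIPs is the whole
# of cryptokey routing: outbound packets whose destination matches it are
# encrypted to this key, and inbound packets that decrypt under this key
# are accepted only if their source address is inside it; anything else
# is silently dropped. There is no separate route table or ACL to keep
# in sync with the key material.
[Peer]
PublicKey = <peer's public key, from: wg pubkey < privatekey>
AllowedIPs = 10.0.0.1/32, 192.168.1.0/24
Endpoint = vpn.example.com:51820
PersistentKeepalive = 25
```

The practical check is to keep AllowedIPs as narrow as the peer actually needs: a peer whose entry is `0.0.0.0/0` becomes your default route and can also source traffic from any address, so the same line that makes the tunnel routable also defines how much you trust that key.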

-keyboard+sadness, failing autodetect in initramfs

On some servers I've struggled to get early keyboard support out of the initramfs when you need to type your password. Not everyone likely "lives" like me where I unplug keyboards from systems (particularly at home) to keep things tidy. However this seems to manifest sometimes »

Pass, with friends

pass is a simple way to manage passwords locally, and with git one can collaborate on a password database with friends. The two fundamental technologies, pass and gpg, have a lot of resources online, but when I went looking to set up a team with pass I found »

ZFS Performance Focused Parameters

We've recently gotten some significantly larger storage systems and after running some 50T pools with basically all the defaults it felt like time to dig into what common options are used to chase performance. The intended use for these systems is ultimately CIFS/NFS targets for scientists who »

Selective Powertop tunables via Systemd

Originally in the archlinux metal to desktop guide I advised using the powertop --auto-tune via a systemd unit, however this can be obnoxious if you've got peripherals (like usb based keyboards or mice) that you don't want powering off constantly. For this laptop (T470s) I unplugged from the »

ECC Certificates and mTLS with Nginx

If you want to be truly paranoid about authentication to services, you can implement your own Public Key Infrastructure (PKI). Many large organizations that are privacy focused have developed a digital/physical PKI strategy, for example the DoD's Common Access Card. OpenSSL is software that can be »

UBNT LACP & STP defaults that Bite

We've plunged into building out a fairly large laboratory network using Ubiquiti's ES-16-XG and ES-48-Lite. These switches ship with some defaults that can bite you. LACP isn't the default. The first is that when you set up Link Aggregation the default is to use the older static protocol »

No Keyboard for LUKS at initramfs boot

We've been plagued with this issue on and off for a little while now, after spending some time talking to dreisner on IRC I've now understood how to root cause and solve the problem. On some of our servers we won't have keyboard support at early boot when »

Installing pacaur, the best AUR helper

Update: spyhawk, the author of pacaur, announced the project will be discontinued. I have found a new home in enckse's awesome naaman. ArchLinux has the wonderful resource of the AUR which is a community-driven repository for Arch users. If something isn't packaged in the project repositories, chances are »

Modern TLS with Nginx and LetsEncrypt

With all of the nasties we are seeing about snarfing up data, there has been a concerted effort for people to get encryption in place. For the web, it has never been that easy to get these things sorted, but there have been significant efforts recently to reduce »

Dynamic DNS via EdgeOS and Cloudflare

Dynamic DNS is an essential tool if your provider is unwilling to provide you with a static address. On almost all residential connections with the large providers you're not going to be able to obtain a static address unless you convert over to one of their business »

Home Network, a Design

I've written before about network hardware selection, where I surmise that Ubiquiti's EdgeMax products are what I typically rely on when building out a network. Here I'll lay out what I think is a good design for a home network using some of the inexpensive EdgeMax and Unifi »

Limiting Exposure via SSH ProxyJump

ssh is an amazingly prolific tool that is used extensively by anyone who manages systems. It's a tool that many of us trust to provide the ultimate command and control access to devices we manage, and on many commercial systems it can be marginalized by being updated infrequently. »

Project Fi, ArchLinux, Thinkpad T470s

It has been a personal desire, for half a decade, to have mobile broadband connectivity with a laptop and not have a requirement for peripherals like MiFi or PAM. When I first experienced using a Panasonic Toughbook it had a Qualcomm Gobi that was an insane challenge to »

Painless CIFS targets via systemd

With Linux as my primary environment daily, I need to be able to consume CIFS shares in a variety of different environments. Systemd has some amenities that allow you to continue using the conventional file system table but with helpful coordination that doesn't require user intervention. article assumptions: »

Linux on the T470s

Trying to find a modern laptop that works well with Linux is quite difficult. It seemed like for a long time, as long as you avoided the baddies like Broadcom networking controllers, you were able to find a decent machine to hack on. Then awful technology like optimus »

Running a Ghost Blog

Update: Ghost has released the 1.0 series of their software. This guide was originally written for "Ghost Legacy", but has now been updated for Ghost 1.0. Formerly in ArchLinux you could use an AUR package that did a lot of work for you, but »

Handful of Days in Vegas

I've had the opportunity to visit Las Vegas several times in recent years due to it being a popular locale to host conferences. I don't gamble or sit poolside, so I'm typically looking to find other forms of activities. Personally, I'd not choose Las Vegas as a destination, »

Travel Pack, Accessories, and Anecdotes

For our first trip overseas we needed to select a pack, accessories, and put everything together anticipating things we'd never done before. I'll try to cover what we thought we'd anticipate, what we experienced, and lessons we learned from the journey. We took a trip to Iceland, Scotland, »

ArchLinux Metal to Server with ZFS

In this I will outline a highly simplified install procedure that will allow you to go from inert metal to a machine that has a powerful data persistence and containerization environment on it. Arch has several principles; the one you should be the most aware of is versatility »

ArchLinux Metal to Desktop Environment

In this I will outline a highly simplified install procedure that will allow you to go from inert metal to a machine that has a graphical desktop environment on it. Arch has several principles; the one you should be the most aware of is versatility which directly translates »

Running a Matrix Homeserver

Setting up your own anchor in the matrix ecosystem so that you can be a participant in this new decentralized communications topology. article assumptions: You know what matrix is You are running ArchLinux You understand the basics of systemd and systemd-nspawn You're familiar with letsencrypt You know how »

Network Hardware Selection

Having deployed several networks of varying size and complexity, here is an offered opinion on the advantages and disadvantages of choosing Ubiquiti for your next deployment. article assumptions: You're growing tired of that ddwrt or tomato router you've felt so cool operating for the last several years. You're considering segmentation »

Self Managed Storage

As our digital legacies continue to grow with advanced capture systems, it's important to consider taking some control over assuring how that legacy is perpetuated. article assumptions: You're looking into local storage for yourself, and you've outgrown your desktop/external strategy. The 'cloud' is not big or 'private' »

Distribution Purity via Vultr

Choosing a hosting provider when you want the familiarity and trust of your native distribution resources is actually quite difficult. Many of the juggernaut providers offer features that require them to have control over your kernel and boot-loader. article assumptions: You want to use VPS as a medium »

MPD, Pulseaudio, and SELinux

There is, as of Fedora 24, no golden pathway for getting MPD to work with an external DAC via alsa and your internal audio via pulseaudio. article assumptions: You're using mpd for playback on both your system speakers (laptop) and external speakers (DAC) You want to use pulse »