<generator uri="https://mizik.eu/picogen" version="0.1">Picogen</generator>
<link href="gemini://mizik.eu/feed.xml" rel="self" type="application/atom+xml" />
<link href="gemini://mizik.eu/" rel="alternate" type="text/plain" />
<updated>2024-01-05T11:52:20.604051+01:00</updated>
<id>gemini://mizik.eu/blog/feed.xml</id>
<title>Blog</title>
<entry>
<title>Thinkpad X330</title>
<link href="gemini://mizik.eu/blog/thinkpad-x330/" rel="alternate" type="text/plain" title="Thinkpad X330" />
<published>2024-01-04T00:00:00+01:00</published>
<updated>2024-01-04T00:00:00+01:00</updated>
<id>gemini://mizik.eu/blog/thinkpad-x330/</id>
<content><![CDATA[I have been a very happy user of an X330 for almost a year now, and I would like to share my thoughts with you.
For those who don't know, the X330 is a manually modified X230. There are plenty of modifications available, and I decided not to have all of them, as I don't need them. The important fact is that the resulting modified device is most often called X330, because one of the principal updates is of course the replacement of the atrocious 12.5" HD panel with a new 13" one. Hence the name X330. You can get more details and specs on the web page of the original mod creator:
=> here
I went for the 16:10 panel, because I really wanted to get back that T22 display chassis feeling, and as a programmer I can always use more vertical space. I also upgraded the CPU to the 4-core 35W i7-3612QE with a new cooler, and the wifi card to an AX210. I was very happy with the ThinkLight LED color change to 2700K yellow to get rid of the blue light. The last mod I chose was the external antenna. I thought for a long time about the keyboard replacement, because that was something I had wanted for a long time, but 10 years on ThinkPad chiclet keyboards changed my muscle memory, and I also really like the first chiclet keyboards (2.1 millimeter travel) before Lenovo continuously butchered them to the point where they are just as bad as any other, maybe even worse (X1 Carbon gen 11). I don't care about speakers and I don't need two wifi cards, therefore I skipped those. The charging port replacement was not recommended to me, because the original port is much better at enduring the day-to-day beating. That was a bummer, because most of the devices in my household use USB-C. The local modder who made the modifications for me also said that the lid reinforcement is not necessary, so I opted out of that one too.
The new display is of average quality. Nothing special, but compared to the original panel it is a blast. It provides 300 nits of brightness, which is just OK for any indoor use. The CPU is on par with current modern models when it comes to standard daily "office" work. The energy consumption is of course a different story. I can get 4 hours of standard work out of the middle-sized 64Wh battery, but my setup is rather minimalistic, mostly terminal based, and the rest is programming IDE and browser use, so I would expect less if one used it for watching YouTube videos. The external antenna with the new wifi card is OK-ish. I was expecting much better signal reception, but it is just a little bit better, and now there is a big antenna sticking out of the chassis.
Well, for 500 euros (if you have a spare X230 at home), I have a laptop with a 13" 2K display, 16 GB RAM and a 4-core CPU that is capable enough to be my daily driver even for Android or Flutter development, which requires a considerable amount of CPU and RAM resources. It has a great keyboard with long key travel and good tactility. It has USB 3, a smartcard reader, a secondary SSD in the mSATA slot, an RJ45 port and a full-sized SD card reader. And of course a battery that can easily be swapped on the fly during the day, and replaceable RAM, SSD and wifi card. All this in a 10-year-old laptop. I don't have any lags or performance issues whatsoever. I am just a very happy user. The only sad thing is that they don't make such great and capable devices anymore.]]>
<author>
<name>Marián Mižik</name>
</author>
<category term="Minimalism, Laptop" />
<summary>
I have been a very happy user of an X330 for almost a year now, and I would like to share my thoughts with you.
<title>Is OpenBSD for you?</title>
<link href="gemini://mizik.eu/blog/is-openbsd-for-you/" rel="alternate" type="text/plain" title="Is OpenBSD for you?" />
<published>2023-03-13T00:00:00+01:00</published>
<updated>2023-03-13T00:00:00+01:00</updated>
<id>gemini://mizik.eu/blog/is-openbsd-for-you/</id>
<content><![CDATA[This blog post is a step-by-step wizard for those who are thinking about using OpenBSD as a primary OS and daily driver, but don't know if it meets their requirements. I am trying to focus on desktop/laptop use in this case. The first thing most people would probably ask is whether they will be able to run their current personal setup after migrating to OpenBSD, or at least whether there is a working alternative for those apps/functionalities which are not available. So here is the software and hardware list of things you need to consider.
current
version and choose the components based on what is already supported
login_fingerprint
=> openports.pl
=> VMM
which has support for BSD and Linux VMs, but not for Windows. There is also no support for graphics yet.
=> used in a virtual machine using VMM
though
=> rEFInd
will work. Windows will be OK with it. In the case of Linux, you have to be sure that GRUB won't re-enable itself during the distribution upgrade procedure. There is also another Linux option. You can
=> recompile your kernel with EFI stub enabled
. Then your kernel will also act as a boot loader. This is convenient especially when you are using modular distributions like Gentoo, where compiling a kernel is well supported and grub won't even be installed.
Performance is much worse than on other operating systems. It's a
=> toll for simplicity and additional security
ffmpeg
xrandr
, so the same as Linux
sndioctl
sysctl
then configured and controlled via terminal using video
and ffmpeg
apmd
and obsdfreqd
ifconfig
So, who is the average user of this operating system?
What is then the mainstream OpenBSD hardware setup you may ask? How should I use it to have the least number of issues and go with the flow?
<author>
<name>Marián Mižik</name>
</author>
<category term="OpenBSD, Laptop" />
<summary>
This blog post is a step-by-step wizard for those who are thinking about using OpenBSD as a primary OS and daily driver, but don't know if it meets their requirements. I am trying to focus on desktop/laptop use in this case. The first thing most people would probably ask is whether they will be able to run their current personal setup after migrating to OpenBSD, or at least whether there is a working alternative for those apps/functionalities which are not available. So here is the software and hardware list of things you need to consider.
<title>How to optimize performance on desktop OpenBSD</title>
<link href="gemini://mizik.eu/blog/how-to-optimize-performance-on-openbsd-desktop/" rel="alternate" type="text/plain" title="How to optimize performance on desktop OpenBSD" />
<published>2023-03-10T00:00:00+01:00</published>
<updated>2023-03-10T00:00:00+01:00</updated>
<id>gemini://mizik.eu/blog/how-to-optimize-performance-on-openbsd-desktop/</id>
<content><![CDATA[If there is something I don't like about OpenBSD, then it is the lack of information when it comes to problem solving. The main reason, of course, is the size of the OpenBSD community. But even when I target the community on the main communication channels like IRC or Mastodon, I often don't get the answer I am looking for. Therefore, I decided to do it another way: research the topic, make a blog post, publish it and let people comment only on what is wrong and what is missing. For most people, it is more fun to correct someone than to prepare the full response to a question.
The first problem I will cover in this article is that OpenBSD is slow. You won't notice it much on a server without heavy IO/load/multiprocessing, but you will definitely feel the huge performance gap on a desktop. You can feel it even if your setup is completely minimalistic like mine (dwm + mostly terminal). The boot of the OS is several times slower than Linux/Windows. I have also measured application starts and usage against a Gentoo Linux deployed on the same machine. The machines were a Thinkpad X230, a Thinkpad X1C6 and an Alder Lake high-performance desktop. The tested applications were Chromium, Firefox, LibreOffice, GIMP and IntelliJ IDEA, which are most of the time the only applications I use outside the terminal. Results were from 50% to several hundred percent worse in the case of OpenBSD. Internet browsing is also slower in both main browsers. I did the tests on a wired connection, because it is known that wireless performance on OBSD is worse. These measurements were not super exact, but they support the point. If you want some less real-world and more precise tests supporting the claim, check this
IO & FFS. This is probably the biggest reason for bad desktop performance. FFS is slower than modern filesystems and IO operations are drastically slower. So in the case of applications that work with significant amounts of small files or caches, the performance will be bad. These applications often fight this problem with parallelisation, but process management is also slower on OBSD, which makes the resulting performance even worse. There is a detailed test from 2018 in
regarding IO. I would guess it is still relevant even 5 years later, as there wasn't much work done on FFS between 2018 and 2023. Not sure about general IO performance. FreeBSD, for example, adopted ZFS to mitigate these issues. The current official statement regarding adopting some modern filesystem is that there is no need for it. So be prepared for some more years with FFS.
HyperThreading is disabled by default. This is a security precaution: sibling hyperthreads share the core's caches and execution units, which is exactly what cross-thread side-channel attacks exploit, so OpenBSD ships with SMT off. In the Linux world it is also recommended to disable it, but it is not forced as a default option. You can enable SMT in OpenBSD too (hw.smt=1), if you want. But it won't make much of a difference overall.
Kernel. OpenBSD is all about security, but also about simplicity. A small dev team means you have to choose wisely what new complexity you want to add, because then it will have to be maintained. This is why FFS is still the default and only primary filesystem. That is also the reason why the OBSD kernel is a tick-based kernel. Most modern kernels are tickless and therefore
, but by going tickless, you are adding more complexity. The same applies to the locking mechanism. It is still the same tradeoff question. But AFAIK there have been steady improvements during the past years. At least in the case of locking.
Wifi. There is no 802.11ac or 802.11ax support. Some drivers declare compatibility with it, but they run in N or G mode after connecting. Full support for 802.11ax or even 802.11ac probably won't come in the coming years, due to the small number of developers focusing on drivers and also due to the fact that the 802.11ac and 802.11ax specifications are much more complex and therefore difficult to implement. You can check the state of support for your chipset in the official
=> handbook
Security. Everything a process wants from the kernel, or the OS in general, is checked and controlled in a stricter way. More checks and locks mean more time to deliver the CPU time or resources the process asked for. This then becomes a rolling snowball, especially in modern robust multiprocessing software. This is not a bug but a feature in OpenBSD, and therefore one should not expect that performance will be prioritized in this case.
There is no real solution to this problem. Most of the issues we went through boil down to being that way by design, or there is no manpower/will to adopt more robust alternatives, which would increase maintenance cost and code complexity. It would be great if OpenBSD performance were on par with Linux, but it won't happen. If performance has a higher priority than simplicity and additional security in your case, then you should probably use a different OS. But if you're here to stay like I am, then there are some partial improvements you can apply:
* Turn on softdep in your /etc/fstab. Before you do so, read the
of turning soft updates on.
* Add noatime in your /etc/fstab.
* Move the /tmp and ~/.cache dirs from standard FFS to ramdisks:
=> reconfiguration from standard FFS to ramdisks
* Set hw.smt=1.
* /etc/login.conf
* apmd (power management), set to auto or max performance.
* Check that direct rendering works: glxinfo | grep "direct rendering"
* layers.acceleration.force-enable in about:config (Firefox).
* gfx.webrenderer.enable in about:config (Firefox).
* The h264ify browser extension, to force a switch to H264 encoding, as it has better playback performance.
* ytfzf, to browse YouTube from the terminal.
pointed out that using apmd makes no sense nowadays, because the CPU speed is set to maximum by default and the frequency scheduling should be done on the hardware side (sometimes badly).
also mentioned that there is a significant performance increase for GTK4 applications coming in OpenBSD 7.3 due to some shader recomputing optimisations. So using GNOME might be an option soon.
provided up-to-date status for wifi drivers.
explains the pros and cons of using noatime and softdep in
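As an added example that is not part of the original post, here is a small POSIX sh script that renders the fstab and sysctl changes from the list above (softdep and noatime on the read-write FFS entries, a memory file system for /tmp, the hw.smt switch) so that the result can be diffed and reviewed before anything touches /etc. The sample fstab, its DUIDs and the function names are constructed for the demonstration and are not the author's.

```shell
#!/bin/sh
# Added example, not the post's code. Renders the tweaks from the list above
# idempotently, on a stream rather than on /etc/fstab, so the result can be
# reviewed first. Written for OpenBSD's /bin/sh and awk; runs on bash/gawk too.

# Append comma-separated options ($1) to every read-write ffs entry read on
# stdin that does not already carry them. Comments, blank lines, swap, mfs and
# read-only entries pass through untouched. Modified lines are re-joined with
# single spaces (awk rebuilds $0), so tab alignment is lost on those lines.
add_ffs_opts() {
    awk -v add="$1" '
        BEGIN { n = split(add, want, ",") }
        NF == 0 || /^[ \t]*#/ { print; next }
        $3 == "ffs" && $4 ~ /(^|,)rw(,|$)/ {
            for (k in seen) delete seen[k]
            m = split($4, have, ",")
            for (i = 1; i <= m; i++) seen[have[i]] = 1
            for (i = 1; i <= n; i++)
                if (!(want[i] in seen)) $4 = $4 "," want[i]
        }
        { print }
    '
}

# Swap-backed memory file system for a scratch directory such as /tmp.
# $1 = mount point, $2 = size in 512-byte sectors (2097152 = 1 GiB); see
# mount_mfs(8) for the units it accepts. Contents are gone after every reboot.
mfs_line() {
    printf 'swap %s mfs rw,nodev,nosuid,-s=%s 0 0\n' "$1" "$2"
}

# Line for /etc/sysctl.conf. hw.smt=1 re-enables the sibling hyperthreads,
# which share caches and execution units with their partner thread: that is
# what cross-thread side-channel attacks rely on, and why OpenBSD ships it off.
smt_line() {
    case "$1" in
        0|1) printf 'hw.smt=%s\n' "$1" ;;
        *)   echo "smt_line: argument must be 0 or 1" >&2; return 1 ;;
    esac
}

# Constructed sample fstab with made-up DUIDs, so the script runs without /etc.
sample_fstab() {
    cat <<'EOF'
# constructed example, not a real machine
a1b2c3d4e5f60718.b none swap sw
a1b2c3d4e5f60718.a / ffs rw 1 1
a1b2c3d4e5f60718.d /usr ffs rw,nodev 1 2
a1b2c3d4e5f60718.e /home ffs rw,nodev,nosuid,softdep 1 2
a1b2c3d4e5f60718.f /mnt/backup ffs ro,nodev,nosuid 0 0
EOF
}

# Demonstration: /home already has softdep and gains only noatime; the swap
# and read-only entries are untouched.
sample_fstab | add_ffs_opts softdep,noatime
mfs_line /tmp 2097152
smt_line 1
```

Against the real file, run `add_ffs_opts softdep,noatime < /etc/fstab > /tmp/fstab.new && diff /etc/fstab /tmp/fstab.new` and copy the result over only after reading the diff; `mfs_line` works the same for a second entry covering ~/.cache. The trade-offs the list only hints at: softdep delays metadata writes, so a crash or power cut loses more recent work; an mfs /tmp is carved out of swap and wiped on every reboot; and hw.smt=1 gives back the sibling threads that OpenBSD turned off to close cross-thread side channels, so it is worth leaving at 0 on a machine that runs untrusted code.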
<author>
<name>Marián Mižik</name>
</author>
<category term="OpenBSD, Laptop" />
<summary>
If there is something I don't like about OpenBSD, then it is the lack of information when it comes to problem solving. The main reason, of course, is the size of the OpenBSD community. But even when I target the community on the main communication channels like IRC or Mastodon, I often don't get the answer I am looking for. Therefore, I decided to do it another way: research the topic, make a blog post, publish it and let people comment only on what is wrong and what is missing. For most people, it is more fun to correct someone than to prepare the full response to a question.
<title>My first year with OpenBSD</title>
<link href="gemini://mizik.eu/blog/my-first-year-with-openbsd/" rel="alternate" type="text/plain" title="My first year with OpenBSD" />
<published>2022-08-08T00:00:00+02:00</published>
<updated>2022-08-08T00:00:00+02:00</updated>
<id>gemini://mizik.eu/blog/my-first-year-with-openbsd/</id>
<content><![CDATA[Last year in March, I made
of OpenBSD and finally decided to migrate from Linux. At least in the case of my servers. But somehow I stuck with it on my personal laptop too, thanks to a lucky coincidence. Here is my migration story and my 5 cents about using OpenBSD as a daily driver on all my personal machines.
Because OpenBSD is much more secure, consistent, minimalistic, well documented and stable than Linux. At least in the case of the development cycle and usage of the core OS, of course. So if you gravitate towards Unix principles, small binaries,
=> KISS
and you don't need cutting-edge performance (most of you don't), then you should try it too.
I decided to migrate what could be migrated and leave my laptop and work computer on Linux, because of missing support for several software stacks I needed daily in my work. Then, thanks to Covid and some events at work, I was able to stick with OpenBSD on the laptop too, because I started to do 90% of work-related things on my work desktop. So I decided to reboot to Linux if necessary for those missing 10% and stay on OpenBSD. Thanks to this, I was able to move my 2 personal VPS servers, home internet infrastructure and my laptop to OpenBSD for good.
The hardest part was my main server. I migrated my personal email from postfix+dovecot+rspamd to smtpd+dovecot+rspamd, the iptables-based firewall to pf, nginx to httpd+relayd, the certbot setup to acme-client, and I rewrote my backup script to use openrsync. The rest of the self-hosted stuff was a one-to-one migration (xmpp server, note-taking server, rss server, caldav+carddav server, personal budget server and others). All migrations to core OpenBSD utilities needed to be done from scratch using no howtos, only official man pages and internet support. But it went surprisingly well, considering the fact that it was the first time I worked with these software utilities. The main reason for this was that the config file syntax for all internal OpenBSD software is very similar and that the man pages are written well.
After setting up the main node, the secondary machine was just a piece of cake. The only thing I struggled with was configuring smtpd as a backup MX relay. Funny enough, it was a one-liner, but I couldn't get the syntax right for 2 hours because of 2 silly mistakes.
Redoing my home internet infrastructure was another big task. I used my old Thinkpad X201 as a home/media server, but I also had an X230 that had been collecting dust since 2020, because I moved to the X1 Carbon I got at work. So I decided to upgrade from the X201 to the X230. Mainly because I wanted to use the machine as a firewall, router and DNS server too, and the X230 (Ivy Bridge) is the first generation to provide USB 3.0, which helped, as I was about to use a USB to RJ45 dongle to provide a second ethernet port. So the hardware and base install were easy. I only had to check that my spare ethernet dongle was supported by OpenBSD. Then I followed
. That gave me 80-90% of what I needed. The rest was manual and internet search and try-fail mechanism.
The laptop was the easiest one from all 4, because I already had it up and running as a daily driver since that March review I mentioned at the beginning of this article. I only went through everything one more time to check if I have everything setup as well as possible.
Pros
No maintenance at all. Every now and then I run: doas syspatch && doas pkg_add -u && doas sysmerge
and twice a year I run sysupgrade
to upgrade to new master version. Everything is rock-solid. I never needed a service restart or machine reboot. Nothing is hanging. It just runs.
PF firewall is very performant. I got through 2 massive automated scanning/port-knocking situations without even registering the performance downgrade.
Clean and unified configuration file placement and syntax.
Automatically secured by pledge and unveil together with chroot in some cases.
Cons
Slow. You probably won't notice it on servers that much if they are not busy enough, but you will definitely notice it on a desktop/laptop. Also, my router throughput on gigabit LAN is only around 400 Mbps, which for me is OK, but in case someone needs full speed on their gigabit or even 10 Gbps connection, then OpenBSD probably won't deliver. Check this
OS for benchmark comparison.
VPS providers offering OpenBSD are limited. There are maybe 5 available, and sometimes there are issues. At least for the 2 I am using:
=> Vultr
and
. In the case of OpenBSD Amsterdam, you will get multiple scheduled downtimes a year. In the case of Vultr, after every major OS upgrade my VPS froze after a couple of hours/days. In 2 cases I needed a hard VPS restart through the admin console. In the third case, I needed technical support to update the VPS template to the newest version, because of changes specific to the new major OpenBSD version I upgraded to.
Missing freedom to choose something on GitHub and install it. Especially if it is C/C++ based, because of the toolchain differences and binary incompatibility. I don't feel this problem that much, because of how minimalistic my setups mostly are, but I can imagine it may be a problem for many people.
Battery life is half of what you get on Linux. 60% at best. Not sure what exactly the issue is. Probably something from every corner. HW drivers not very power efficient. Peripherals not turning off. Power management daemon (apmd) not as optimal as it could be in automatic mode. Kernel is not tickless... I got worse battery life on both my laptops with APM set statically to the minimum CPU frequency than in the generic default mode on Linux.]]>
<author>
<name>Marián Mižik</name>
</author>
<category term="OpenBSD, Laptop, VPS, Self-host" />
<summary>
Last year in March, I made
of OpenBSD and finally decided to migrate from Linux. At least in the case of my servers. But somehow I stuck with it on my personal laptop too, thanks to a lucky coincidence. Here is my migration story and my 5 cents about using OpenBSD as a daily driver on all my personal machines.
<title>Does my setup suck less than few years ago?</title>
<link href="gemini://mizik.eu/blog/does-my-setup-suck-less-than-few-years-ago/" rel="alternate" type="text/plain" title="Does my setup suck less than few years ago?" />
<published>2021-11-21T00:00:00+01:00</published>
<updated>2021-11-21T00:00:00+01:00</updated>
<id>gemini://mizik.eu/blog/does-my-setup-suck-less-than-few-years-ago/</id>
<content><![CDATA[I used to be an Xfce user for a very long time. But I have been suckless for several years now. Let's find out if it is good for me and/or if it may be good for you too.
When I was at uni, I was sporting a custom alpha build of Compiz/Beryl. Mostly for fun, and of course to see everybody going nuts when seeing how I rotate my 3D cube to switch between desktops :D But later on I got too much work and I had to optimize for performance and not for showing off. I switched to Xfce and stayed for a very long time. As time went by, I found out I was continuously removing things. I removed the wallpaper, transparency, window decorations, side panel, login screen. People were laughing that soon I would have nothing left to show, but I felt better. This went side by side with moving more into the terminal world. One day I found out I could use any WM/DM, because I did not really rely on anything specific anymore. I tried the i3 tiling WM several times and always went back. I just didn't need the tiling concept, to be honest, because 90% of the time I had only one window in fullscreen, and what I strived for more was to be able to get a specific app to the foreground without searching through alt+tab. I ended up creating shell wrappers for all of the apps I used on a daily basis and put a keyboard shortcut on each. A wrapper looks, for example, like this:
```sh
# Raise the existing Firefox window (matched by WM_CLASS), or start a fresh instance if there is none.
wmctrl -xa Firefox || firefox-bin &
```
So basically what it does is check whether a window of a specific app (in this case Firefox) already exists; if yes, put it in the foreground, if not, start a fresh instance. I very rarely have multiple instances of some app running at one time, so this setup was great for me. I got 20+ apps made like this and started to switch to what I wanted instantly.
Around this time I had some long shifts at work and sometimes needed a focus break. One time I decided to restyle my lock screen to some "h4x0r" mode, where you won't see yourself typing. I tried to style the default lock screen, but then found
=> slock
. A lock screen app written in pure C with 300-something lines, made by a community called suckless. I instantly fell in love with it, but the break was already too long, so I didn't dive into the suckless world immediately.
The only thing I missed every time I left Xfce for something more lightweight was the settings app. The easy way to switch monitors (I gave many presentations in those days), font sizes, plug-and-play devices and so on. So I decided to create a DM/WM-independent set of scripts for everything I used from the Xfce settings. There was always the same paradigm repeating. You have several choices you frequently use, and you want to pick between them. So what the script should do is show the options and let the user choose. Preferably using the keyboard only and in some non-intrusive way. I found
=> dmenu
. Exactly what I wanted. I went through the man pages and realized it is a suckless app again, and that it is the default app launcher for dwm, the suckless window manager. You can guess what I did :) But first I finished my scripts. For example, this one is to switch monitors:
```sh
# Offer the display layouts in dmenu, then apply the chosen one with xrandr.
# printf '%b' is used instead of "echo -e", which is not portable to /bin/sh.
choices='LAPTOP\nHDMI'
chosen=$(printf '%b\n' "$choices" | dmenu -i -p 'SWITCH DISPLAY TO: ')
case "$chosen" in
    LAPTOP)
        xrandr --output VIRTUAL1 --off --output eDP1 --primary --mode 2560x1440 --pos 0x0 --rotate normal \
               --output DP1 --off --output HDMI2 --off --output HDMI1 --off --output DP2 --off
        ;;
    HDMI)
        xrandr --output VIRTUAL1 --off --output eDP1 --off --output DP2 --off --output HDMI2 --off \
               --output HDMI1 --primary --preferred --pos 0x0 --rotate normal
        ;;
esac
```
Then I set dmenu as my default app launcher in Xfce and created a new to-do item: "try dwm".
It took a year or two until I marked that to-do item as "complete". Mostly because
=> dwm
was not something I needed very much. I also didn't like the fact that it has no config file by default. You are supposed to change the configuration in config.h itself. This applies to all suckless apps, by the way. But in the case of something like a window manager, you will start to notice. So I tried it several times, but went back at the end of the day. The real commitment to switch came gradually with my constant drive to minimize. What I wanted to achieve was to be able to run my setup (OS+WM+apps) on any hardware, an old one that I can buy for little or no money, or possibly an open-source one, like the
=> MNT Reform
. You cannot expect high-performance specs from such devices. But I also didn't want to compromise on usability and speed. So I switched, read the complete man pages, went through all the available patches and applied the ones that provided functionality I needed. I had everything I wanted from a WM in one weekend. It takes 11MB of RAM right now, and it is not even a fresh start. Uptime on this laptop is 46 days. I also realized after some months that I really don't need to change the config at all. I have run dwm for several years now, and I think I changed the config two or three times after it stabilized at the beginning.
Default terminal emulator in dwm is
=> st
. It stands for Simple Terminal. And simple it is, for sure. It has no support for scrolling, the Del and Backspace keys don't do what you would expect from them, lines in TUI apps are not continuous, no tabs, no context menu. You can imagine. I tried hard with this one. Finally, I settled on
, which by default has scrolling support, command output copying and URL launching. I only changed its color preferences back to the default st colors, default font size, default cursor shape, and fixed the Delete key. Everything in config.h, of course. Besides that, I like it very much. The memory footprint is again ridiculously small, as you can imagine. By the way, the default ways to add scrolling support to st are either by using the suckless
=> scroll
utility, which is experimental and abandoned, or
, which is a bit bloated and often does not go well with other patches. Last but not least, if you want tab support, you can use the
=> tabbed
utility from suckless. It is a very simple window wrapper providing general tab functionality for any app, not only st.
The suckless web browser is the last one I use. I have been experimenting with
=> surf
for a month or so. I am still trying to aggregate the minimal amount of functionality I need to switch over. I already have tab support through
=> tabbed
,
through /etc/hosts, inverted colors using custom CSS added to ~/.surf/styles/default.css. Keyboard shortcuts are vim-like by default. The last thing I need is tagging links with characters, so I can browse through the links with the keyboard only. The browser is WebKit based, so it is possible that some pages will not work, but it is definitely OK for standard web browsing. You will still probably need some mainstream browser as a backup.
My base system with a running X server, WM and all my daily apps open (web browser, terminal, RSS reader, music player, instant messenger, to-do app, email client and file manager) takes only 800 MB RAM, give or take. And that's mind-blowing in the current modern world, where even low-end laptops need to be sold with 8GB RAM, because otherwise they won't be usable when running Windows or Ubuntu with a mainstream set of GUI apps. I like my current setup very much, but 10 years ago it wouldn't have been for me yet. As it is not for most people. Too many compilations, patches, code changes and tinkering. But once set up, it is rock steady, fast, lightweight and never gets in your way.]]>
<author>
<name>Marián Mižik</name>
</author>
<category term="Linux, Minimalism" />
<summary>
I used to be xfce user for very long time. But I am suckless for several years now. Let's find out if it is good for me and/or if it may be good for you too.
<title>Two decades since first project delivery</title>
<link href="gemini://mizik.eu/blog/two-decades-since-first-project-delivery/" rel="alternate" type="text/plain" title="Two decades since first project delivery" />
<published>2021-10-26T00:00:00+02:00</published>
<updated>2021-10-26T00:00:00+02:00</updated>
<id>gemini://mizik.eu/blog/two-decades-since-first-project-delivery/</id>
<content><![CDATA[It was the 10th of October 2001 when I delivered my first paid order. I was a teenager in high school, and it wasn't a very special day for me. I was happy for the pocket money, but much more important was that on the same day I started dating my first girl ever, and I was completely in love :). Surprisingly, that relationship lasted 5 years, and it almost looked like it would be my only one, but years passed, rivers have flowed, and at the end of 2021 I am equally happy for both of these happenings. The first made me a developer and the second made me a stronger person. But this article is in the first place a tribute to the most important people of those 2 decades.
Computers, for me, were love at first sight. We couldn't afford one, but I got a book called "ABC about PC" and I read it maybe 3-4 times. It explained basic architecture, the Von Neumann model, PC history, PC components and their histories. Fun fact: the author of the book was a university professor at the school where I later went, and I even had him for some classes. But back to the story... So I was around 12 years old and my regular dialogues with my parents went like... ME: I really want a PC, mom. MOM: You know we can't afford it now. ME: But mom, it doesn't have to be a new one. I am OK with some older model, it doesn't even need to be a Pentium. A 486 would cut it. I even got promised a nice price on a DX2 at the shop downtown. It has a shitty unstable VLB bus, but I am OK with it. MOM: No, son... So what I did was spend my pocket money in internet cafes, where instead of browsing the internet, I brought a floppy disk, loaded my work and continued where I had finished last time. Finally, after some months, I built my first own static website. And the next year, when the first good local provider of free web hosting emerged, I uploaded it and started my online presence, which was later enhanced by functionalities backed by PHP. Altogether, I got the huge number of 3 programming jobs during high school. Web pages for 2 local companies and one NGO. A few months after I started my uni studies, I got a permanent programming job, and it never stopped since.
Apart from the book, I mostly got inspired by people. So let's tell the same story from another perspective. Through the relationships with friends-programmers.
Vincent
The name of the first one is Vincent. A classmate with an old computer and older brothers. Their home was the first place where I saw raw HTML and what comes of it when rendered in a browser. I must have been a very annoying visitor, always asking, always begging for more, and I also wanted to play some games, of course. So no one could blame them that I wasn't invited that much :) But those couple of experiences were enough to spark my interest. I borrowed a book about HTML from a library. I read it in 2 days, and then I read it a couple more times over the next weeks, and after some months I even understood it completely. The result of this first encounter was the website I wrote about in the previous chapter. When I started to be more proficient in programming, it was also easier to speak with Winnie and exchange ideas and knowledge. It was not one-sided anymore. Later on, we were both very enthusiastic about creating animations and games in Adobe Flash and its ActionScript, but then our paths split and I went deeper into programming and he went deeper into graphics and design. He is now a senior UX guy, and I am a code guy.
George S.
George was also a high school classmate of mine. He was more eager to go down the rabbit hole than Vincent when it came to more advanced programming. We both started to play with PHP to bring some "magic" to our static web sites and later he introduced me to Java. George wasn't particularly helpful as a person who would join you to solve your problems. He would let you sweat blood most of the time even if he knew how to help. What he was great at, though, was opening new doors and telling what he saw behind them with the utmost enthusiasm. So after getting somewhat proficient in PHP, I bought 2 Java books and started right away. One more reason why Java was such an eye opener for me was that it was my 4th programming language after JavaScript, ActionScript and PHP. Therefore, I started to grasp some general programming concepts, best practices and design patterns without actually knowing those names or what they mean in a broader context. What also greatly helped was the fact that I finally had my brand-new PC around this time. It was an AMD Duron 900MHz beast with 256MB RAM and a 30GB HDD :)
Vladimir
The next important person in my IT life was my university classmate Vlado. We later also became roommates and then flatmates, and we were almost 30 when our paths finally split to different cities and places. 10 years with one person almost every day creates a special kind of family-like bonding. We coded a lot, and we made a lot together. We also crippled some services, machines and jobs on the way. Well, you can't make an omelette without breaking eggs. And god it was fun. Learning by trying, together with someone else, mostly with no deadlines and no responsibility. We boldly went where we had never been before. Again and again. That was also the reason why we didn't finish some jobs we took. But lesson learned, and later I knew when to say yes to a new opportunity. We still work together from time to time, but exclusively on Linux administration stuff.
Martin Z.
Martin was the first person I met who actually understood programming on a fundamental level. It was natural for him to write nice, structured, best-practice code. He was my tech lead for 4 years in one company and briefly also a colleague in another. Most of the senior/advanced programming knowledge I have today has come directly or indirectly from him. Either from face-to-face lessons, or from the code reviews he used to do for me, or from me studying his code, and later in our relationship also from some suboptimal technical/human decisions he made during his struggle to keep the code base in the best possible shape. To this day, he would be my number one pick if I were building a coding dream team :).
George M.
A bright mind of another generation. He came fast, stayed briefly and left soon, for both of us :) We spent 2 years working together, then he left for a bigger world, but we stayed in regular contact. I tried to share all of my knowledge with him and many times it wasn't even IT related. He was able to grasp concepts like no one else I ever knew. During the 4 years we have known each other, he was able to maybe quadruple his skills. Although I don't think that the "big world" helped him to get happier as a person, it is always a pleasure to have a drink with him when he is around. It may look like our relationship was strongly one-sided, but it's not true. The energy he brought pushed me hard to refresh my tech stack, habits and tools, and to reconsider new ideas. He came into my life at the right time. And his leaving made me struggle for quite some time to regain significant work drive. Definitely a top 3 dream team choice.
Martin H.
Last, but certainly not least, is my current colleague Martin. When he came to the job interview with me, he was still in high school. Completely different from me personality-wise, but still, he strongly reminded me of myself at his age. It has always been a pleasure to work with him. He has had his master's degree for a few years now, so a long time has passed. We worked together on many big projects as lead developers and I enjoyed them, even in hard times, mostly thanks to his attitude, knowledge and great ideas. Over the years he became a strong competitor for the No. 1 spot on my dream team. Who knows if the previous Martin Z. is number one only for melancholic reasons...
So here we are. At the end of a nostalgic journey. Thanks a lot to all of you guys. It was and still is a pleasure. Who knows what the next 20 years will bring. I personally hope for some good stuff :)]]>
<author>
<name>Marián Mižik</name>
</author>
<category term="Personal" />
<summary>
It was the 10th of October 2001 when I delivered my first paid order. I was a teenager in high school and that day wasn't very special for me. I was happy for the pocket money, but much more important was that on the same day I started dating my first girl ever, and I had completely fallen in love :). Surprisingly, that relationship lasted 5 years, and it almost looked like it would be my only one, but years passed, rivers have flowed, and at the end of 2021 I am equally happy for both of these happenings. The first made me a developer and the second made me a stronger person. But this article is first and foremost a tribute to the most important people of those 2 decades.
<title>Strong vs Weak data linking</title>
<link href="gemini://mizik.eu/blog/strong-vs-weak-data-linking/" rel="alternate" type="text/plain" title="Strong vs Weak data linking" />
<published>2021-09-18T00:00:00+02:00</published>
<updated>2021-09-18T00:00:00+02:00</updated>
<id>gemini://mizik.eu/blog/strong-vs-weak-data-linking/</id>
<content><![CDATA[I have been using a customized zettelkasten method for my personal knowledge database since university, but recently I have deleted all strong (hard) links from the data and I like it. Here is why...
Zettelkasten is basically a card index, like the ones you could find in most bureaus and doctor's offices in the past. Every card has a unique identifier, some data, and is stored in a drawer. The drawer keeps together cards with some common semantics: a starting letter, a field of work, an address, or whatever else. On top of this, zettelkasten adds strong links: you add the IDs of related cards to the footnote of another card. This helped people in the past to find more content without the necessity of going through all of it.
In modern days, we have digitalized paper cards and organized them into databases. Databases have the great ability to be queried based on the information that their tables contain. One additional piece of data we can provide to our cards is weak links. In the world of social media, you would call them #tags. These keywords add semantic information to the data and, of course, they can be queried too.
I started my zettelkasten in the digital era, but before the rise of major social networks. On the other hand, as an IT student, I was already familiar with the concept of weak linking. I also knew I would be able to query my data with them, so I started adding tags from the beginning as a secondary linking mechanism. I used strong links (IDs of other cards in the footnote) as the primary one, to do it the zettelkasten way, and I also thought it would be nice to have them, especially since they could be used as interactive hyperlinks (just like when reading stuff on the web).
When you have some data collection and you want to keep it up to date and relevant, you have to go through it from time to time (for me maybe once a year) and add/remove links and keywords, to keep the maximum of relevant links alive and without false positives. Thanks to this, you get more precise results when using the dataset. And as we know from the movie Pulp Fiction, it takes time and effort :) So I began to analyse how important it is for me to have both strong and weak links in my data.
I have around 10k cards these days. This is not much, but not that little either. My empirical analysis showed that I almost exclusively use full-text search and tag search to get a subset of relevant content, and I get very accurate results. I almost never continued to related cards via hyperlinks, especially because after the search I already have all relevant card titles in front of me on one screen, and I am able to seek to the stuff I am looking for faster this way than by following the hyperlinks down the rabbit holes.
Relying on weak links only can cut you off from some types of content that are semantically far from the subset you filtered, but in some cases still relevant to be shown. I have had this problem from time to time. I remembered I had some other piece of information there and had to alter my query to find it. If I had a much bigger set of cards (e.g. 100k), or my memory were worse, I wouldn't get it. This problem gets worse if you have much more data than me, data with many semantics, or your querying is not strong enough: for example, you don't know how to create complex queries, or your software is not able to query with logical operators like AND, OR and parentheses. Luckily, I don't have these issues. I would say that even without advanced queries, most people wouldn't encounter the "missing cards" problem if they have up-to-date and robust enough weak links.
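As an added illustration that is not part of the original post: the kind of AND/OR/parentheses tag query the paragraph has in mind, run over a constructed set of cards that carry tags only (no card-to-card links), plus a check for the "missing cards" case, i.e. cards that none of your everyday queries reach. Card titles, tags and queries are made up for the example; NOT is added to the operators the post names.

```python
"""Boolean tag queries over a weak-link-only card index.

Added example, not code from the original post or any zettelkasten tool. The
cards and tags are constructed sample data. The query grammar implements the
operators the post names (AND, OR and parentheses, plus NOT) with a small
recursive-descent parser, and unreachable_cards() shows the failure mode the
post describes: a relevant card that none of your usual queries reaches.
"""
import re

# Constructed sample index: card id -> (title, tags). No card-to-card links.
CARDS = {
    1: ("Prosody config notes", {"xmpp", "selfhost", "openbsd"}),
    2: ("Radicale behind httpd", {"caldav", "selfhost", "openbsd"}),
    3: ("dwm keybindings", {"desktop", "openbsd"}),
    4: ("Let's Encrypt renewal hook", {"tls", "selfhost"}),
    5: ("Old T22 repair log", {"thinkpad"}),
}

TOKEN = re.compile(r"\s*(\(|\)|[A-Za-z0-9_-]+)")
# Operators are matched case-insensitively, so "and", "or", "not" cannot be tag names.
OPERATORS = {"AND", "OR", "NOT"}

def tokenize(text):
    """Split a query into parentheses, operators and tag names."""
    text, pos, tokens = text.strip(), 0, []
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"unexpected character near {text[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens

class QueryParser:
    """Grammar: expr := term (OR term)* ; term := factor (AND factor)* ;
    factor := NOT factor | '(' expr ')' | tag. Each rule returns a set of card ids."""

    def __init__(self, index, tokens):
        self.index, self.tokens, self.pos = index, tokens, 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def expr(self):
        result = self.term()
        while (self.peek() or "").upper() == "OR":
            self.take()
            result = result | self.term()
        return result

    def term(self):
        result = self.factor()
        while (self.peek() or "").upper() == "AND":
            self.take()
            result = result & self.factor()
        return result

    def factor(self):
        tok = self.take()
        if tok is None:
            raise ValueError("query ended where a tag was expected")
        if tok.upper() == "NOT":
            return set(self.index) - self.factor()
        if tok == "(":
            inner = self.expr()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return inner
        if tok == ")" or tok.upper() in OPERATORS:
            raise ValueError(f"unexpected token {tok!r}")
        return {cid for cid, (_, tags) in self.index.items() if tok.lower() in tags}

def search(index, text):
    """Evaluate a boolean tag query and return the matching card ids, sorted."""
    parser = QueryParser(index, tokenize(text))
    result = parser.expr()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r} after end of query")
    return sorted(result)

def unreachable_cards(index, everyday_queries):
    """Cards that none of the given queries return. With weak links only, these
    are the cards you have to remember exist; re-tagging them is the fix."""
    reached = set()
    for q in everyday_queries:
        reached.update(search(index, q))
    return sorted(set(index) - reached)

if __name__ == "__main__":
    print(search(CARDS, "selfhost AND NOT openbsd"))
    print(search(CARDS, "(xmpp OR caldav) AND openbsd"))
    print(unreachable_cards(CARDS, ["selfhost", "openbsd"]))
```

Running the module shows that the two habitual queries "selfhost" and "openbsd" never reach card 5, which is exactly the card you would only find by remembering it or by widening the query; adding a shared tag (or a third habitual query) is the weak-link equivalent of the strong link the post deleted.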
Currently, I am confident that setting up a personal/work knowledge database using only weak linking is optimal for up to 15-20k cards if the data are homogeneous enough and well maintained. You can save a couple of days a year of manual data and link optimizations. Also, your way of thinking about linking information will be simplified, because you have to consider only one mechanism.]]>
<author>
<name>Marián Mižik</name>
</author>
<category term="Personal, Zettelkasten" />
<summary>
I have been using a customized zettelkasten method for my personal knowledge database since university, but recently I have deleted all strong (hard) links from the data and I like it. Here is why...
<title>Howto setup your personal XMPP server</title>
<link href="gemini://mizik.eu/blog/how-to-setup-your-personal-xmpp-server/" rel="alternate" type="text/plain" title="Howto setup your personal XMPP server" />
<published>2021-08-04T00:00:00+02:00</published>
<updated>2021-08-04T00:00:00+02:00</updated>
<id>gemini://mizik.eu/blog/how-to-setup-your-personal-xmpp-server/</id>
<content><![CDATA[There are several good reasons to have your own chat server instance. Some are philosophical, like federation of the internet, some practical, like keeping your data safe and only for yourself, some ethical, like creating a secure communication node for those who for any reason cannot host their own. Or maybe you would like to know how the basic architectural patterns of client-server and server-server communication work. So let's dive in.
=> Howto setup your personal XMPP server
=> Howto setup your personal CalDAV/CardDAV server
=> Howto proxy your self-hosted services using web server
=> Howto setup and secure web server
=> Services you can selfhost on you personal Linux VPS
=> Howto secure your personal Linux VPS
=> Howto setup your personal Linux VPS
=> Why setup your personal Linux VPS
Nowadays, you have three main open protocols with several implementations on both the client and the server side: IRC, Matrix and XMPP. I am going to oversimplify here, so those of you who have some knowledge of these protocols, feel free to skip this section.
For those who don't know IRC, it's that 90s old-school internet chat where you would log in and hang out in some chat room. It supports one-on-one chats and there are even clients for mobile phones, but you are not able to share files, there is no delayed message delivery after you come back online, it does not support automated federation and so on.
On the other hand, Matrix, or rather its main implementation Element (formerly Riot.IM), is much more robust and modern. It supports end-to-end encryption, file exchange, audio and video calls, it is HTTP based, and messages are instantly saved and redistributed across federated servers. An open source Slack or Skype on steroids. But it requires a PostgreSQL server, some web server as a reverse proxy, and it is very heavy on disk space/database resources, especially when you use it to federate with other servers.
And this is why I like and chose XMPP. I don't need all the bells and whistles, and I really want it to be light on system resources. I need to chat and share files, I want it simple and working. I have my own instance for my family, and I federate with people from work, some other developers and friends who have accounts somewhere or host their own instances like I do.
There are many options! Openfire, ejabberd, Prosody, MongooseIM, Metronome IM... Check them out. I have been using Prosody for several years. It is Lua based, super lightweight (memory consumption under 50MB most of the time), simple to configure and it is supported on OpenBSD.
Installation is straightforward, just use the default package manager of your operating system, so for example:
apt install prosody
yum install prosody
pkg_add prosody
The documentation is great. When you kick off from the default config, you only need to change the VirtualHost line to your custom domain and create users using the prosodyctl command line tool like so:
prosodyctl adduser mranderson@cooldomain.xyz
and the server is now up and running. It is not a very usable setup though, so here are the steps for a good one:
If you have a firewall, you need to
To support SSL/TLS, you need to get certificates, for example from Let's Encrypt, and then add their paths to the main config. Don't forget to add a certbot post_hook that always copies the certs after the renewal procedure from /etc/letsencrypt/live to your specific location:
certificates = "certs"
https_certificate = "/etc/prosody/certs/cooldomain.xyz.crt"
https_key = "/etc/prosody/certs/cooldomain.xyz.key"
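A post-hook of the kind the paragraph asks for, written here as an added example (not the post's own script and not part of certbot or Prosody): it copies fullchain.pem and privkey.pem from certbot's live directory to the .crt/.key paths used in the config above, keeps the private key readable only by the prosody group, swaps it into place atomically so a reload never sees a half-written key, and then reloads Prosody. The script path, the domain, the destination directory and the group name "prosody" are assumptions; certbot's --post-hook option is how the script is registered.

```python
#!/usr/bin/env python3
"""certbot post-hook: copy renewed Let's Encrypt files into Prosody's cert dir.

Added example, not part of the original post or of Prosody/certbot. Register it
with: certbot renew --post-hook /usr/local/bin/prosody-certs.py  (path is a
placeholder). Assumptions: Prosody runs under the group "prosody"; the domain
and directories below are placeholders matching the post's config.
"""
import grp
import os
import shutil
import subprocess
import sys

LIVE_DIR = "/etc/letsencrypt/live/cooldomain.xyz"   # certbot's renewal output (placeholder)
DEST_DIR = "/etc/prosody/certs"                      # matches https_certificate / https_key
DOMAIN = "cooldomain.xyz"                            # placeholder domain from the post
PROSODY_GROUP = "prosody"                            # assumed group Prosody runs as

def install_certs(live_dir, dest_dir, domain, group=PROSODY_GROUP):
    """Copy fullchain/privkey into dest_dir as <domain>.crt / <domain>.key.

    Returns (crt_path, key_path). The certificate is world-readable (it is
    public anyway); the key is mode 0640 and group-owned by `group`, so the
    prosody user can load it while other local accounts cannot read it.
    """
    fullchain = os.path.join(live_dir, "fullchain.pem")
    privkey = os.path.join(live_dir, "privkey.pem")
    for path in (fullchain, privkey):
        if not os.path.isfile(path):
            raise FileNotFoundError(f"missing {path}; nothing copied")
    os.makedirs(dest_dir, mode=0o750, exist_ok=True)
    crt = os.path.join(dest_dir, f"{domain}.crt")
    key = os.path.join(dest_dir, f"{domain}.key")
    shutil.copyfile(fullchain, crt)
    os.chmod(crt, 0o644)
    # Write the key under a temporary name, fix ownership and mode, then rename:
    # rename is atomic, so Prosody never observes a partially written key file.
    tmp_key = key + ".tmp"
    shutil.copyfile(privkey, tmp_key)
    os.chmod(tmp_key, 0o640)
    if group:
        try:
            os.chown(tmp_key, -1, grp.getgrnam(group).gr_gid)
        except KeyError:
            print(f"group {group!r} not found, key left owned by the caller", file=sys.stderr)
    os.replace(tmp_key, key)
    return crt, key

def reload_prosody():
    """Ask Prosody to re-read its certificates; skipped if prosodyctl is absent."""
    if shutil.which("prosodyctl") is None:
        return False
    subprocess.run(["prosodyctl", "reload"], check=True)
    return True

if __name__ == "__main__":
    try:
        install_certs(LIVE_DIR, DEST_DIR, DOMAIN)
    except FileNotFoundError as exc:
        sys.exit(str(exc))
    reload_prosody()
```

The hook refuses to run when either source file is missing rather than leaving a certificate without its matching key in place, which is the usual way a renewal hook silently breaks TLS.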
Add the SRV records that point clients and other servers at your host, plus A records for the upload and proxy components:
_xmpp-client._tcp 600 IN SRV 5 0 5222 cooldomain.xyz.
_xmpp-server._tcp 600 IN SRV 5 0 5269 cooldomain.xyz.
upload 600 IN A 45.77.54.222
proxy 600 IN A 45.77.54.222
modules_enabled = {
    "roster"; -- Allow users to have a roster
    "saslauth"; -- Authentication for clients and servers
    "tls"; -- Add support for secure TLS on c2s/s2s connections
    "dialback"; -- s2s dialback support
    "disco"; -- Automatic service discovery by clients
    "carbons"; -- Deliver to all clients with the same account logged in
    "pep"; -- Enables users to publish their avatar, mood, activity...
    "private"; -- Private XML storage (for room bookmarks, etc.)
    "blocklist"; -- Allow users to block communications with other users
    "vcard4"; -- User profiles (stored in PEP)
    "vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
    "version"; -- Replies to server version requests
    "uptime"; -- Report how long server has been running
    "time"; -- Let others know the time here on this server
    "ping"; -- Replies to XMPP pings with pongs
    "mam"; -- Archive messages on server for delayed delivery
    "csi_simple"; -- Simple Mobile optimizations
    "bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
    "websocket"; -- XMPP over WebSockets
    "http_files"; -- Serve static files from a directory over HTTP
    "http_upload"; -- enable files sharing between users
    "groups"; -- Shared roster support
    "smacks"; -- Keep chat alive when the network drops for a few seconds
    "server_contact_info"; -- Publish contact information for this service
    "proxy65"; -- Enables file transfer service for clients behind NAT
}
In my case (OpenBSD), the modules "http_upload" and "smacks" were not in the default installation and I had to download them and link them manually. If that is your case too, you can find all Prosody modules
=> here
. My path to the modules dir is /usr/local/lib/prosody/modules/. If you don't know yours, just search the filesystem for some core module like "mod_motd.lua", using the "mlocate" package for example. Best practice for adding custom modules is not to put them in the system modules directory, but into a separate folder, and to specify that folder in the config like so:
plugin_paths = { "/usr/local/lib/prosody-custom-modules" }
Finally, define the components for HTTP file upload and the SOCKS5 file transfer proxy (their subdomains match the A records above):
Component "upload.cooldomain.xyz" "http_upload"
    http_upload_file_size_limit = 20971520
    http_max_content_size = 31457280
Component "proxy.cooldomain.xyz" "proxy65"
    proxy65_ports = { 5000 }
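Before exposing the server it is worth confirming that the assembled config is not more open than intended. The following is an added example (not the post's code and not a Prosody tool) that scans the config text for a handful of settings: the real Prosody options c2s_require_encryption, s2s_require_encryption, s2s_secure_auth, allow_registration and authentication, none of which appear in the post; the HTTP-facing modules from the table above, which add listeners beyond the XMPP ports; and the relation between http_upload_file_size_limit and http_max_content_size, where the post's own values (20 MiB limit, 30 MiB maximum) are in the right order. It is a text scan, not a Lua parser, so `prosodyctl check config` remains the authoritative check. The two sample configs inside are constructed.

```python
"""Scan a Prosody config for the settings that decide how exposed the server is.

Added example, not part of the original post and not a Prosody tool. It is a
text scan of the config (Prosody configs are Lua, so this is a heuristic;
`prosodyctl check config` stays the authoritative check). The option names
are real Prosody settings. Both sample configs are constructed: the weak one
reuses part of the post's modules table with the encryption and registration
settings left out, the hardened one adds them.
"""
import re

# Modules that open HTTP listeners in addition to the XMPP ports: worth knowing
# about when deciding what the firewall and reverse proxy must allow.
HTTP_MODULES = {"bosh", "websocket", "http_files", "http_upload"}

def strip_comments(cfg):
    """Remove Lua line comments so quoted words in comments are not read as values."""
    return re.sub(r"--[^\n]*", "", cfg)

def scalar(cfg, key):
    """Literal assigned on a `key = value` line (quotes removed), or None if absent."""
    pattern = rf"^\s*{re.escape(key)}\s*=\s*([^\n;]+)"
    m = re.search(pattern, strip_comments(cfg), re.MULTILINE)
    return m.group(1).strip().strip('"') if m else None

def enabled_modules(cfg):
    """Module names listed inside modules_enabled = { ... }."""
    m = re.search(r"modules_enabled\s*=\s*\{(.*?)\}", strip_comments(cfg), re.DOTALL)
    return set(re.findall(r'"([^"]+)"\s*;', m.group(1))) if m else set()

def audit(cfg):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    # Require encryption and authenticated s2s explicitly rather than relying on
    # whatever the installed Prosody version defaults to.
    for key in ("c2s_require_encryption", "s2s_require_encryption", "s2s_secure_auth"):
        if scalar(cfg, key) != "true":
            findings.append(f"{key} is not set to true")
    # Prosody defaults to no in-band registration; only an explicit true opens it.
    if scalar(cfg, "allow_registration") not in (None, "false"):
        findings.append("allow_registration is enabled: anyone can create accounts")
    if scalar(cfg, "authentication") == "internal_plain":
        findings.append("authentication = internal_plain stores passwords unhashed")
    exposed = enabled_modules(cfg) & HTTP_MODULES
    if exposed:
        findings.append("HTTP-facing modules enabled: " + ", ".join(sorted(exposed)))
    limit = scalar(cfg, "http_upload_file_size_limit")
    max_size = scalar(cfg, "http_max_content_size")
    if limit and max_size and int(max_size) < int(limit):
        findings.append("http_max_content_size is smaller than http_upload_file_size_limit")
    return findings

# Constructed sample: the post's HTTP modules, registration open, upload cap above the HTTP cap.
SAMPLE_WEAK = '''
VirtualHost "cooldomain.xyz"
modules_enabled = {
    "roster"; -- Allow users to have a roster
    "saslauth"; -- Authentication for clients and servers
    "tls"; -- Add support for secure TLS on c2s/s2s connections
    "bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
    "websocket"; -- XMPP over WebSockets
    "http_files"; -- Serve static files from a directory over HTTP
}
allow_registration = true
Component "upload.cooldomain.xyz" "http_upload"
    http_upload_file_size_limit = 20971520
    http_max_content_size = 10485760
'''

# Constructed sample: the same server with the settings the audit looks for.
SAMPLE_HARDENED = '''
VirtualHost "cooldomain.xyz"
modules_enabled = { "roster"; "saslauth"; "tls"; "carbons"; "mam"; "smacks"; }
c2s_require_encryption = true
s2s_require_encryption = true
s2s_secure_auth = true
allow_registration = false
authentication = "internal_hashed"
Component "upload.cooldomain.xyz" "http_upload"
    http_upload_file_size_limit = 20971520
    http_max_content_size = 31457280
'''

if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(f"{name}: {audit(cfg) or ['no findings']}")
```

The HTTP-module finding is informational: bosh, websocket and http_files are legitimate choices, but each one is a listener the firewall rules and the reverse proxy have to account for, so the audit names them rather than silently passing.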
And here you go! Enjoy the self-hosted communication ride :) The full config resulting from this howto can be downloaded here]]>
<author>
<name>Marián Mižik</name>
</author>
<category term="VPS, Linux, Self-host" />
<summary>
There are several good reasons to have your own chat server instance. Some are philosophical, like federation of the internet, some practical, like keeping your data safe and only for yourself, some ethical, like creating a secure communication node for those who for any reason cannot host their own. Or maybe you would like to know how the basic architectural patterns of client-server and server-server communication work. So let's dive in.
<title>Howto setup your personal CalDAV/CardDAV server</title>
<link href="gemini://mizik.eu/blog/how-to-setup-your-personal-caldav-carddav-server/" rel="alternate" type="text/plain" title="Howto setup your personal CalDAV/CardDAV server" />
<published>2021-07-01T00:00:00+02:00</published>
<updated>2021-07-01T00:00:00+02:00</updated>
<id>gemini://mizik.eu/blog/how-to-setup-your-personal-caldav-carddav-server/</id>
<content><![CDATA[Do you like to back up or share your calendar and contacts, but you don't want to rely on proprietary companies and solutions built into your phones? You don't like to share such information? You don't want to be restricted to a specific number of calendars, events or contacts? You want to be sure your provider won't close the service and lock you out of your data? Then it is time to self-host your own CalDAV and CardDAV service!
=> Howto setup your personal XMPP server
=> Howto setup your personal CalDAV/CardDAV server
=> Howto proxy your self-hosted services using web server
=> Howto setup and secure web server
=> Services you can selfhost on you personal Linux VPS
=> Howto secure your personal Linux VPS
=> Howto setup your personal Linux VPS
=> Why setup your personal Linux VPS
CalDAV and CardDAV are protocols specified in RFC4791, RFC6638 and RFC6352. As years passed, more RFCs came to fill the gaps. They are free to be implemented and provide the ability to synchronize calendars, events, contacts and tasks between a server and multiple clients (devices). They are supported by both Android and iOS devices and there is plenty of software for every major OS (BSDs, Linux, Windows, MacOS) that can handle these protocols.
I personally use Radicale on the server, Vdirsyncer with khal and khard on the desktop and DAVx5 on Android. There is a plethora of other options to check out.
Radicale - because it is memory efficient, Python based, maintained, BSD & Linux friendly, simple and well documented. It implements only a subset of all the specs and RFCs that have bundled up over time, but for me, it has always delivered and always worked with any client I used.
Khal+Khard+Vdirsyncer - because it is a powerful TUI combo and I like terminal applications. It is not hard to set up, and it works with my email client of choice too.
Installation is straightforward, just use the default package manager, or directly the Python installer 'pip':
python3 -m pip install --upgrade radicale
The documentation is great. It takes you step by step through all standard scenarios, including running it as a WSGI service, which is my case.
My Radicale instance on my OpenBSD machine, which syncs 8 clients through both CalDAV and CardDAV, with several hundred contacts and several thousand calendar events, doesn't take more than 30MB RAM. It runs behind the web server, so I don't need to care about managing custom high ports on my firewall or SSL certificates. Check more benefits in my older article regarding this topic. In the several years I have used it in "production", I never had to restart or maintain it in any way. But I need to say, my scenario is very simple: one address book and one calendar for every person in my family plus one shared calendar. Give it a try and let me know if it works for you too :)]]>
<author>
<name>Marián Mižik</name>
</author>
<category term="VPS, Linux, Self-host" />
<summary>
Do you like to back up or share your calendar and contacts, but you don't want to rely on proprietary companies and solutions built into your phones? You don't like to share such information? You don't want to be restricted to a specific number of calendars, events or contacts? You want to be sure your provider won't close the service and lock you out of your data? Then it is time to self-host your own CalDAV and CardDAV service!
<title>Stoicism in modern world</title>
<link href="gemini://mizik.eu/blog/stoicism-in-modern-world/" rel="alternate" type="text/plain" title="Stoicism in modern world" />
<published>2021-06-06T00:00:00+02:00</published>
<updated>2021-06-06T00:00:00+02:00</updated>
<id>gemini://mizik.eu/blog/stoicism-in-modern-world/</id>
<content><![CDATA[I have practiced Stoicism more or less successfully for more than a decade. I would like to share with you a brief practical cheatsheet that will show what (I think) Stoicism is about in real-world situations and how it can help you to be a better person and live a better life.
Stoicism is a philosophy. A way of living. Created by the ancient Greeks, popularized by the ancient Romans and used throughout the following centuries until these days. I don't want to talk history or the academic/dogmatic stuff here; there are detailed overviews elsewhere. I just want to summarize my "real life scenario" stoic rules:
The first rule is self-explanatory. You, your actions and your personal integrity are the only things you can fully rely on. If you believe in a monotheistic religion, then you can wrap this rule in a God formula like so: All temporal things are less important than my moral integrity based on God's commands.
The common denominator for the second, third, fourth and fifth rule is: if something is not fully under your control, then you should consider it not worthy of making you feel bad (anxious, sad, nervous, depressed...), and the only thing you have under your control is yourself. So it applies to everything else: to moments that happened and still make you emotional, to situations that are about to happen and whose outcome makes you nervous or anxious, to actions of other people and things that may happen randomly on a daily basis, like dangerous drivers, rude people, selfish actions, bad weather, broken love, or tragedies.
The sixth and seventh rule are about being minimalistic. If you read these lines, there are high chances you live a life where you don't really need to care about your basic needs. If you think of your needs as floors of a pyramid, you need to solve only the top 3 to 4 floors in your life, and it is up to you how you'll do it. Do you need a house, a car, a computer, a phone, a vacation twice a year, 550 friends on social networks, admiration from your virtual or living friends? Desires are subjective and individual, but the smaller the amount you define as needed, the sooner you will achieve the goal and the easier it will be to maintain it, and therefore feel fulfilled. So try to declutter your life of things and people, especially if they have time, energy and money demanding maintenance.
The last two are about checking your status and progress. Developers would call it code review. People who believe in God may call it prayer or examination of conscience. Scientologists would call it an Audit. The output is the same: you need to track and evaluate past life situations if you want to be conscious of your actions and of your progress when trying to achieve your goal. In the case of Stoicism, the goal is to be a wise, kind, strong and helpful person.]]>
<author>
<name>Marián Mižik</name>
</author>
<category term="Personal, Philosophy, Minimalism" />
<summary>
I have practiced Stoicism more or less successfully for more than a decade. I would like to share with you a brief practical cheatsheet that will show what (I think) Stoicism is about in real-world situations and how it can help you to be a better person and live a better life.
<title>Finally ready to leave ThinkPad family</title>
<link href="gemini://mizik.eu/blog/finally-ready-to-leave-thinkpad-family/" rel="alternate" type="text/plain" title="Finally ready to leave ThinkPad family" />
<published>2021-06-02T00:00:00+02:00</published>
<updated>2021-06-02T00:00:00+02:00</updated>
<id>gemini://mizik.eu/blog/finally-ready-to-leave-thinkpad-family/</id>
<content><![CDATA[After almost 20 years of using ThinkPads, I feel ready to leave this family. It took some effort and focus. It came as a side effect really. But I am very happy about it.
I bought my first ThinkPad when I started my uni studies, a T22, and it was love at first sight. Look how slim the display bezel is, how they maximized the keyboard size; key travel and feel were great, the body was super sturdy, the fan was almost always off... When you compare it to laptops of that era, it was several steps ahead if you didn't care about graphics performance, which was embarrassing really with its 8MB S3 Savage :). I used it for many years and after a brief romance with a Fujitsu Siemens Amilo Pro V3205, I was sure I needed to go back. How disappointed I was when I realized that in 2012 I couldn't get a ThinkPad without a touchpad, that the keyboard was chiclet style now, that the display bezels were thicker than they were on my T22 from 10 years ago, that the display ratio was not 4:3 anymore and that the overall feel was much cheaper. But I had the opportunity to choose one as my work laptop, so I went for it.
The X1 Carbon Gen.1 was what I chose, but I returned it after 3 days. It was a complete no-go for me for so many reasons. Too shallow a keyboard, missing PCMCIA, always throttling, the fan was noisy, performance was sluggish. I decided to give it one more try and opted for the X230. I got back my PCMCIA, almost no throttling, key travel was much deeper. In fact, I really started to like the chiclet keyboard with the X230. I missed the removed seventh row, but got used to it after a while. Performance was great with an i7-3520M CPU, 16GB RAM and a SATA3 SSD. It still felt a lot cheaper in build quality, but I stayed with it. Repairability was almost on par with the T22 (only the CPU was not replaceable). In fact, I use this laptop until now as my personal laptop. Since 2018, my primary work laptop is a ThinkPad X1C6. I really don't like where Lenovo has been going with ThinkPads since they bought the brand from IBM. Like many traditionalists, I didn't want to lose the replaceable battery and internals, keyboard key travel and performance just to be 15mm thick instead of 21mm. But I struggled with being too addicted to the TrackPoint and a good keyboard.
During the pandemic I decided to improve my ability to control a laptop with the keyboard only. I switched from Xfce to dwm (I had been using i3 in the past for a long time, so it wasn't that much of a stretch), I installed the Vimium browser plugin and finished the implementation of several TUI apps I missed. For several months now, the only GUI application I use on a regular basis is the browser. And I have no app that I control primarily with the mouse. This setup gave me 2 advantages:
My memory and CPU footprint is much smaller, therefore my X230 comes much closer performance-wise to modern laptops, even under heavier load, with the current setup. This gives me a couple more years with my old iron until I need a replacement.
I use the mouse sporadically now, which means that a missing TrackPoint is not such a big blocker for me anymore. It widens my possibilities in the future.
The constant pursuit of minimalism brought advantages in yet another aspect of my life. I am again a bit faster in using the computer, which I don't need to replace for a few more years to stay performant. This will save my money and our environment too. As a bonus, I can choose from a much broader spectrum of laptops when a replacement is finally needed. But I am still a bit nostalgic; I was one of those who really believed Lenovo would make an exception for once and create the ultimate "Retro ThinkPad" for its 25th anniversary. Basically a little bit thinner, old-school (T22/X60 like) laptop with modern hardware inside that would serve me well for another decade. But who knows... maybe they'll make it right on the 30th ;)]]>
<author>
<name>Marián Mižik</name>
</author>
<category term="Personal, Laptop, Thinkpad, Minimalism" />
<summary>
After almost 20 years of using ThinkPads, I feel ready to leave this family. It took some effort and focus. It came as a side effect really. But I am very happy about it.
<title>OpenBSD review by Gentoo Linux user</title>
<link href="gemini://mizik.eu/blog/openbsd-review-by-gentoo-user/" rel="alternate" type="text/plain" title="OpenBSD review by Gentoo Linux user" />
<published>2021-03-29T00:00:00+02:00</published>
<updated>2021-03-29T00:00:00+02:00</updated>
<id>gemini://mizik.eu/blog/openbsd-review-by-gentoo-user/</id>
<content><![CDATA[I was never really a distrohopper, I tend to stick with things that work for me. I need to use my system most of the day and squeeze the maximum from it both at work and during my personal free time, because I don't have much to spare. Most of the time, the only reason why I change things is to further minimize and optimize my workflow. But there is one exception. I always loved OpenBSD and I have been coming back to it every couple of years since I switched from Windows to Linux. I have this feeling that OpenBSD is the right system for me, but it never turned out that way in practical usage :D So every now and then I install it and try to emulate my current personal workflow on it. You know, just to reevaluate the state of progress and usability. Every time until now I decided to stay with Gentoo/Linux because of so many missing things. So how does OpenBSD (version 6.8 as the current stable) feel in the hands of a Gentoo Linux old-timer in 2021?
Installation is text based and straightforward. There are only three things you need to understand as a Linux user during the installation process.
This time I had problems getting the network up for some reason. I was installing on a laptop and I was aware of the fact that I wouldn't have the wifi drivers available during the installation. But the installation failed to work with a cable connection too. I had to drop to the root console during the installation and run dhclient manually. Besides that, everything went smoothly and most of the default options were good for me as usual.
The result of the default installation is a full-featured desktop with X, a graphical login and a window manager (you will most likely replace the default wm though). I went for my standard choice dwm and my default set of tools and apps. I wanted to get it done as soon as possible, so I skipped compiling everything from ports as a Gentoo user would do and used binary packages. Everything was playing nicely together. You can see from all the details that it is fine-tuned as a whole, not only an independent set of pieces that you can combine to your needs. Everything is running fine and even the dark GTK theme is applied in all places. Man pages are awesome and in many cases better than on Linux. However, I haven't found the community very helpful if you are asking questions out of the scope of the standard FAQ or the core system and tools (I used mainly freenode's #openbsd IRC channel). I was missing practical examples in manual pages as much as I do in Linux man pages though. There is also a little
=> howto
for people coming from Linux. A nice and nifty detail is that BSD ifconfig can handle both WEP and WPA, so you won't need wpa_supplicant most of the time, and it gives you the signal strength status too!
OpenBSD is somewhat more familiar to a Gentoo user than to a traditional Linux distro user. There is a make config (mk.conf), the ability to install from sources, package flavours and subpackages (Gentoo USE flags) and so on. But if you stay with binary packages, you will feel more or less at home with standard Linux/Unix knowledge too.
The last couple of times I was testing OBSD, it was on my longtime workhorse Thinkpad X230, but this time I used my work laptop as a primary device and it's an X1C6 (X1 Carbon Gen.6), which is a 4 core device with a very fast NVMe disk. This is probably the reason why OpenBSD feels brutally sluggish this time. Linux is able to get much more from the HW specs than OpenBSD and it is very visible in every aspect of the device use. Boot takes ages, ports compilation takes ages, application starts take ages, video doesn't run smoothly for FHD resolution and above, sound plays behind the video and so on. I have applied every possible optimisation I found on the internet:
It looks like some of it is the inability to use multiple cores correctly, another part is the prehistoric filesystem and the third one is the security measures applied by default. But for example, I run Firefox with Firejail on Gentoo. Such a setup should be close to what OpenBSD applies to Firefox by default (pledge, unveil and chroot) and the performance difference is still huge. When I tried to ask, I only got some stupid default answers like: "If you don't like it, don't use it", or: "It is still fast enough", or: "It is a bit slower because it is very very secure".
I already mentioned the prehistoric UFS (FFS) filesystem. You can also feel how much smaller the dev count behind OBSD is in how many packages there are and how fast the updates arrive. You will find out that the default gcc version is the ancient 4.2.1 (afaik licensing issues), but you can install the less ancient 8.4.0 as the egcc package. On the other hand, you can achieve setups suitable for most standard use cases.
Neither performance nor old stuff broke my effort. I was able to set up my full personal workflow. It is very minimalistic though, mostly
and TUI apps like ranger, profanity, irssi, mocp, some of my own TUI tools and so on. I realised how much more minimalistic my personal setup is compared to 3-4 years ago when I tried the last time. I failed with the work workflow setup though, but this time it was a hard battle. OpenBSD already has up to date Java SDKs in the packages! It even has IntelliJ IDEA and other tools which do not support BSDs by default and therefore you must rely on someone's porting effort. So this time I was able to set up my Python related environments, my Java related environments and my Cordova/Ionic setup too. Unfortunately, there is no support for Android, Dart, Flutter and some other frameworks I need on a daily basis for my work. But even if I was able to set it up, I am not sure if I could justify the amount of compilation performance downgrade.
So there you go, in most cases you will find out that you cannot just pull something from GitHub, compile it and run it. You need to tinker with makefiles, search the internet for compilation errors and debug the issues. And I shouldn't forget the completely missing support for Bluetooth. I don't really care about this one, but it can be a dealbreaker for someone else.
Let's talk about something positive now! OpenBSD is slick. That means less attack surface and lots of legacy code removed. If you stick with the default services like httpd, smtpd, relayd and so on, you will get small, simple, hardened and battle-tested pieces from which you can build a very secure result. Most of the core software and services are patched with pledge and unveil, which you can very vaguely compare to SELinux or AppArmor, but pledge/unveil are very simple and compiled into the software. You can rely on strong randomization built in throughout the system. Xorg is running rootless with privilege separation code. Mainstream browsers and popular apps are pledged and unveiled too, as mentioned in the previous paragraphs.
I failed again. But this time I tinkered with it for almost a month and used it as my daily driver for personal usage throughout. I spent much more time learning and trying and became much more convinced that I would be happy to use this OS as my primary driver. Therefore I decided to at least migrate my personal Linux server to OpenBSD to stay in touch with this OS. I migrated my Postfix email server to smtpd, my nginx based web server setup to httpd and relayd, the iptables firewall and my custom scripts to PF and everything else I had on the Linux machine. And it was a success! I tried to do it in as much of an "OpenBSD way" as possible. I had to change many configurations because I used some features that were not supported by the core services, but in the end, I am a very happy owner of a full featured OBSD server installation that was able to suit all my needs. It is definitely a great option for a secure, rock-steady and hardened server setup, where most of the daemons and services are chrooted by default and secured via pledge and unveil to provide maximum security with minimum effort.
Will I ever switch from Gentoo to OpenBSD on my desktop and laptop? Not very likely. I like the Gentoo approach to ports more than the OBSD one and I value my time too much to battle with my OS every time it gets in my way because I am using something that is not supported or thought of by most of the people creating software worldwide. But never say never, Linux is getting more and more bloated and one day, it may be less effort to have OBSD as a main minimalistic OS than Linux.]]>
<author>
<name>Marián Mižik</name>
</author>
<category term="OpenBSD" />
<summary>
I was never really a distrohopper, I usually stick with things that work for me. I need to use my system most of the day and squeeze the maximum from it both at work and during my personal free time, because I don't have much to spare. Most of the time, the only reason why I change things is to further minimalize and optimize my workflow. But there is one exception. I always loved OpenBSD and I was coming back to it every couple of years since I switched from Windows to Linux. I got that feeling that OpenBSD is the right system for me, but it never showed up that way during practical usage :D So every now and then I install it and try to emulate my current personal workflow on it. You know, just to reevaluate the state of progress and usability. Every time until now I decided to stay with Gentoo/Linux because of so many missing things. So how does OpenBSD (version 6.8 as current stable) feel in the hands of a Gentoo Linux oldtimer in 2021?
<title>Howto proxy your self-hosted services using web server</title>
<link href="gemini://mizik.eu/blog/how-to-proxy-your-self-hosted-services-using-web-server/" rel="alternate" type="text/plain" title="Howto proxy your self-hosted services using web server" />
<published>2021-02-12T00:00:00+01:00</published>
<updated>2021-02-12T00:00:00+01:00</updated>
<id>gemini://mizik.eu/blog/how-to-proxy-your-self-hosted-services-using-web-server/</id>
<content><![CDATA[Many services available for self-hosting provide the promised functionality, but let you take care of security and/or authentication. These are the cases where a web server comes to the rescue with its ability to create a layer between the internet and your service, which will provide additional features like authentication, upgrade to HTTPS with a valid certificate, DoS prevention using fail2ban, or the ability to reach the service using a custom (sub)domain. These features were explained in the previous article.
=> Howto setup your personal XMPP server
=> Howto setup your personal CalDAV/CardDAV server
=> Howto proxy your self-hosted services using web server
=> Howto setup and secure web server
=> Services you can selfhost on you personal Linux VPS
=> Howto secure your personal Linux VPS
=> Howto setup your personal Linux VPS
=> Why setup your personal Linux VPS
The theory is simple. There is your self-hosted service listening on some (most likely high) port. This port is open to the public internet so you can connect and communicate with the service. We will block this port from public visibility using the firewall and then create a new virtual host on your web server. In case of apache or nginx it will be a new file in /etc/[nginx|apache2]/sites-available/. Don't forget to enable the file by creating a symlink in /etc/[nginx|apache2]/sites-enabled and reload the web server. We are going to proxy, so the important part of the file for us is the 'location' section. We are not going to define the root clause where the web application exists on the file system like usual, but we are going to define the 'proxy_pass' attribute that basically says that all the traffic coming to this location should be forwarded to the value of the 'proxy_pass' attribute. And of course, everything that comes back will be forwarded back to the client. There are other attributes that configure and alter this default logic. Let's have a look at such a configuration example (nginx):
location / {
    proxy_pass_header Server;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Proto "https";
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-By $server_addr:$server_port;
    proxy_connect_timeout 300;
    proxy_send_timeout 300;
    send_timeout 300;
    keepalive_timeout 300;
    proxy_http_version 1.1;
    proxy_pass http://127.0.0.1:13000;
}
Let's go over the configuration details to check what is going on:
proxy_pass_header - tells which headers should be kept unchanged as they come from the self-hosted service. In case of our example configuration, we are saying that the 'Server' header should not be altered by the web server as we want to show information about the service that runs behind the proxy.
proxy_set_header - tells which headers should be set by the web server and how. In our case, we are setting standard proxy headers so the destination service will know some of the original information and will also be aware that it is running behind the proxy. If you don't plan to use web server authentication and your service is going to take care of it, be sure you are forwarding those headers too. For example, if your service uses HTTP basic auth, then you need to add another proxy_set_header like so:
proxy_set_header HTTP_AUTHORIZATION $http_authorization;
The rest of the attributes are self-explanatory: a bunch of timeouts and the HTTP version.
If your service uses server-sent events (SSE), you need to add several other configuration options:
proxy_set_header Connection '';
chunked_transfer_encoding off;
proxy_buffering off;
proxy_cache off;
proxy_read_timeout 24h;
Most of them will be applicable in case of websocket communication too. The reason behind them is that both technologies use long-lasting open connections and are used as a persistent communication channel between client and server. The web server proxy should keep them open and mustn't apply any alterations or caching.
If you want to add authentication to your newly proxied self-hosted service, just add 2 more configuration options:
auth_basic "password is required";
auth_basic_user_file /etc/nginx/htpasswd-file-for-service;
Now you have enabled 'HTTP basic' authentication. The user will have to provide a login and password to continue through the proxy. The 'htpasswd-file-for-service' is a plain text file with login:password pairs (the password stored as a hash). It should have the htpasswd format. Generating such a file is easy, just call:
htpasswd -c /etc/nginx/htpasswd-file-for-service peter
If you already have a centralised user database and you want to use it instead of a static file, it is possible using additional web server modules. For example, nginx has support for
=> mysql
or
=> ldap
.
So the final virtual host file may look like the one below.
server {
    listen 80;
    server_name servicex.mizik.sk;
    return 301 https://$host$request_uri;
}

server {
    listen 443;
    server_name servicex.mizik.sk;
    charset utf-8;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/servicex.mizik.sk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/servicex.mizik.sk/privkey.pem;
    ssl_dhparam /etc/nginx/ssl/dhparams.pem;
    location / {
        proxy_pass http://localhost:18000/;
        proxy_pass_header Server;
        proxy_set_header X-Script-Name /;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Remote-User $remote_user;
        auth_basic "password for servicex is required";
        auth_basic_user_file /etc/nginx/htpasswd-servicex;
    }
}
Remember that you can define multiple 'location' sections, therefore you can have 'location /' for a static web page and 'location /comments' where you will proxy to some self-hosted commenting solution. This will make it nice and clean and also you will work around cross-site and CSP issues.
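The other side of proxy_pass deserves a look too. As an added example that is not part of this article, here is a minimal Python backend that shows what the service should do with the headers nginx sets above: honour X-Forwarded-For, X-Forwarded-Proto and X-Remote-User only when the connection really came from the proxy on localhost, because a request that reaches the service port directly (if the firewall rule is missing) can carry any values it likes. The listening port, the trusted proxy addresses and the echo handler are assumptions made for the example.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer
import ipaddress

# Assumption for this example: nginx runs on the same host and is the only
# thing allowed to reach the service port (the firewall rule from the text),
# so proxy headers are honoured only for connections from these addresses.
TRUSTED_PROXIES = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")}


def request_context(peer_addr, headers):
    """Work out who is really calling, from the TCP peer and the proxy headers.

    peer_addr: address the backend accepted the connection from.
    headers: request headers (any letter case); only X-Forwarded-For,
             X-Forwarded-Proto and X-Remote-User are consulted.
    Returns {'client_ip', 'scheme', 'user', 'forwarded'}; 'forwarded' is
    False when the headers were ignored because the peer is not the proxy.
    """
    h = {k.lower(): v for k, v in headers.items()}
    ctx = {"client_ip": peer_addr, "scheme": "http", "user": None, "forwarded": False}
    if ipaddress.ip_address(peer_addr) not in TRUSTED_PROXIES:
        return ctx  # direct hit on the service port: the headers are untrusted
    xff = h.get("x-forwarded-for", "")
    if xff:
        # $proxy_add_x_forwarded_for appends what nginx saw to whatever the client
        # sent, so only the last element is the address nginx itself observed.
        ctx["client_ip"] = xff.split(",")[-1].strip()
    proto = h.get("x-forwarded-proto", "").lower()
    if proto in ("http", "https"):
        ctx["scheme"] = proto
    if h.get("x-remote-user"):
        ctx["user"] = h["x-remote-user"]  # filled by nginx after auth_basic succeeded
    ctx["forwarded"] = True
    return ctx


class ServiceHandler(BaseHTTPRequestHandler):
    """Echoes the derived context so you can see what the proxy delivers."""

    def do_GET(self):
        ctx = request_context(self.client_address[0], self.headers)
        line = "client=%(client_ip)s scheme=%(scheme)s user=%(user)s forwarded=%(forwarded)s\n"
        body = (line % ctx).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Port matches the proxy_pass target of the first nginx snippet in the text.
    HTTPServer(("127.0.0.1", 13000), ServiceHandler).serve_forever()
```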
Using this simple setup you will get unified and standardized access to your self-hosted services. They will look the same from the outside until the user gets through the authentication to the specific API of the service. Check other web server modules to find out which other features may be globally applied to your self-hosted service APIs.]]>
<author>
<name>Marián Mižik</name>
</author>
<category term="VPS, Linux, Self-host" />
<summary>
Many services available for self-hosting provide the promised functionality, but let you take care of security and/or authentication. These are the cases where a web server comes to the rescue with its ability to create a layer between the internet and your service, which will provide additional features like authentication, upgrade to HTTPS with a valid certificate, DoS prevention using fail2ban, or the ability to reach the service using a custom (sub)domain. These features were explained in the previous article.
<title>Howto degoogle your Android phone</title>
<link href="gemini://mizik.eu/blog/howto-degoogle-your-android-phone/" rel="alternate" type="text/plain" title="Howto degoogle your Android phone" />
<published>2021-01-18T00:00:00+01:00</published>
<updated>2021-01-18T00:00:00+01:00</updated>
<id>gemini://mizik.eu/blog/howto-degoogle-your-android-phone/</id>
<content><![CDATA[There are many reasons to degoogle your phone and there are 2 main ways to do it. The hardcore way and the second one, for the sake of this article, can be called the "graceful degradation way". Both of them end with your stock Android OS replaced by a custom ROM that will lack all of the Google apps and background services.
Degoogling is a process made of multiple steps which require some effort, maybe some money, but definitely time and attention. Degoogling your phone is no exception. You will have to get used to new apps and maybe mourn some nice features. You will be more incompatible with mainstream people who will send you links to Google services and you won't be able to log in or use a native app to handle the link. They will search for you on Messenger and/or Twitter and won't be able to get in touch with you using their standard ways. Being different from the masses always takes its toll. It is your call whether the benefits are bigger than the problems that this action causes. For me it's worth it. I like that when I tail logcat on my phone and I don't use it, it stays still, because there is almost no background stuff going on. I like that my data are not being checked or processed. I like that I can back them up and migrate them, I like my 2+ days battery life and I don't like being dependent on something/someone.
So you decided to degoogle? Then you already took the red pill once. Now it is time to make the decision again :) Android OS itself is open source, although it is developed mostly by Google, so it is made according to Google's plans. Unfortunately, there are many important APIs that are not open-sourced and a huge amount of apps rely on them. Libraries like Play Services, Google Maps API, Google Cloud Messaging, the Network location provider API and so on. Taking the red pill means you will replace your stock ROM with a custom one and won't install any of Google's proprietary apps. Your phone will function well and battery life will get better; you will use F-Droid or another free store as your app store. But if you need some app that is only on Google Play, downloading and installing the apk manually won't work if that app tries to use any of those missing APIs. It will most likely stop working during start, or it will return some kind of error message. This is often true for mobile banking apps, big companies' apps or official government apps.
Thank god there is a blue pill, the "graceful degradation way". It is called MicroG. What does this set of apps do? They are basically replacing Google's proprietary libraries by impersonating them. They publish the same APIs so the apps relying on them won't crash. In some cases, the MicroG alternative really does the same and returns meaningful data, in other cases it returns dummy data just to comply with the given API. The last thing needed to make this all work is to persuade everyone that the MicroG app is really the Google app. This means providing the Google package name with a valid signature. This cannot be done by MicroG itself. It needs an OS level patch called "signature spoofing" that will allow any app to ask for a permission to directly access the signing certificate. Some custom ROMs have this patch applied, some do not. The most popular and widely known custom ROM is LineageOS (formerly called CyanogenMod), but unfortunately, they do not have signature spoofing turned on and they denied the proposed PR from the MicroG team. More information regarding this topic is
=> here
. This is why MicroG offers custom LineageOS builds with signature spoofing turned on and all MicroG apps preinstalled.
What does it all mean for you? For example, let your device be the good old Google Nexus 6 (codename shamu). Go to the
for shamu and download the ROM zip. Then go to the
for shamu and download the img file. And that's it! Now you can follow the standard
=> LineageOS installation instructions
for shamu. The only difference will be that you won't use the img and zip linked in that manual but you will use the previously downloaded TWRP img file during the recovery flash procedure and the MicroG LineageOS build zip during the ROM installation. Congratulations! Now you have a degoogled Android phone ready to serve you well.
Now you may say: OK, I have booted up the device and have nothing besides calls, SMS and camera. Let's quickly cover how to set up the device for standard use. You already have browser and photo apps in the initial installation too.
Your new app store is F-Droid. The application is part of the initial installation. Open the app, search and install whatever application you need. We will list a few now.
My default email client of choice on Android is K-9 mail. It supports POP, IMAP, SMTP, multiple accounts, unified inbox and GPG to name a few.
I use "Silence" for SMS, as it gives you encryption options and it has an AMOLED pure black theme which I use throughout the system.
NewPipe is my YouTube client; it doesn't need a Google account, because it is not using the official API, it only scrapes the web itself.
Tibor Kaputa, a fellow Slovak developer, has a beautiful set of basic apps. He called them "Simple Mobile Tools". I use almost all of them: Simple Calculator, Simple Calendar Pro, Simple Clock, Simple Contacts, Simple File Manager, Simple Flashlight, Simple Gallery Pro and there are others. They are clean, nice to use, they require only the necessary privileges, they don't track you, they are ad-free and they are open source. If you like them, don't hesitate to
=> support
him and then download the Simple Thank You app, which will allow you to set a unified theme for all of the apps.
There are some more advanced apps I use. For example Termux as a terminal emulator, OpenVPN for Android, Scrambled Exif as a tool to strip image meta information before I share it from my phone and so on. F-Droid has thousands of apps and they will cover most if not all of your needs.
There is another alternative called /e/. The man behind this project is Gaël Duval, founder of the good old Mandrake Linux. /e/ has a bit different strategy. They are trying to provide the whole ecosystem so that even non-tech people who care about privacy can have all of the things I wrote about above in one interconnected functioning ecosystem, which replaces Google but is privacy friendly. Basically, from the OS point of view, it is a fork of LineageOS with signature spoofing turned on and with MicroG installed (they were the main sponsor of the MicroG project in 2020!). From the app point of view, they forked many of the favourite open source apps, gave them a unified look and feel and reimplemented/preconfigured them to be able to connect to the /e/ ecosystem of services like email, calendar, contacts, notes, cloud storage for images, videos, backups and so on. They even sell new and refurbished smartphones with warranty and with /e/ already preinstalled. I haven't studied it much so I can't speak for the final result they deliver. I just wanted to point out another alternative that may suit your needs. You can read more on
=> their pages
.
LineageOS (or other custom ROMs) comes with some apps preinstalled. These apps cannot be uninstalled using the GUI settings. But you can uninstall them from the command line using adb:
connect your phone and ensure you have developer tools and debugging enabled
in a terminal type: adb shell
now you are in the phone shell and you can execute the uninstall command:
pm uninstall -k --user 0 com.android.gallery3d
Replace com.android.gallery3d with the package name of the app you want to uninstall. You can find it in the app info screen.
Also, there may be a situation when you need to keep some application that you don't want installed and you would like to block its internet access. You can do so with NetGuard. This app acts as a firewall, but it doesn't require root privileges, because it does not utilize iptables, but rather acts as a VPN service. Because of that, the whole OS traffic is coming through the app and the app can then restrict traffic based on your rules. Unfortunately, this can be applied only if you don't use a real VPN, as Android won't let you run two VPNs simultaneously.
It is much easier to degoogle your phone these days than it was in the past. Up to date and easy to follow step by step installation manuals of LineageOS together with MicroG are the reasons why it is available to a much broader spectrum of people. If privacy matters to you and you're not a frequent Google Play Store downloader or mobile gamer, this setup is arguably the best you can get in the Android world. Of course, you also have other options, for example running a mobile Linux distribution like Mobian, Manjaro ARM, or openSUSE. You will need a very specific device for these distros though (e.g. PinePhone, Librem 5 or some phones from the Nexus and Pixel family) and the resulting usability is drastically behind the average Android experience.]]>
<author>
<name>Marián Mižik</name>
</author>
<category term="Android, Degoogle, MicroG" />
<summary>
There are many reasons to degoogle your phone and there are 2 main ways to do it. The hardcore way and the second one, for the sake of this article, can be called the "graceful degradation way". Both of them end with your stock Android OS replaced by a custom ROM that will lack all of the Google apps and background services.
<title>Howto setup and secure web server</title>
<link href="gemini://mizik.eu/blog/how-to-setup-and-secure-web-server/" rel="alternate" type="text/plain" title="Howto setup and secure web server" />
<published>2021-01-08T00:00:00+01:00</published>
<updated>2021-01-08T00:00:00+01:00</updated>
<id>gemini://mizik.eu/blog/how-to-setup-and-secure-web-server/</id>
<content><![CDATA[A web server is one of the most basic services you can self-host. Very simple to install, reasonably simple to configure for basic use. Not that hard to set up for more robust usage, but the hardest thing is to run it in a secure way. This is also the reason why this episode is a bit longer than usual.
=> Howto setup your personal XMPP server
=> Howto setup your personal CalDAV/CardDAV server
=> Howto proxy your self-hosted services using web server
=> Howto setup and secure web server
=> Services you can selfhost on you personal Linux VPS
=> Howto secure your personal Linux VPS
=> Howto setup your personal Linux VPS
=> Why setup your personal Linux VPS
In episode 4 we talked about apache, nginx and also some other not that common web server implementations. Today we will focus on nginx. Nginx, together with apache2, takes over
=> two thirds
of the market share. But over the last months and years, apache is losing its position and nginx is still on the rise. That's also the reason why I will focus on nginx today. All of the topics I will cover in this article apply to Apache2 too, just google the exact syntax variation of the steps.
Basic installation is as simple as 'sudo apt install nginx' in case of Debian/Ubuntu, and comparably simple in other distros too. Your web server should now be up and running, serving its default welcome page when you type localhost into your browser of choice. Now, there are 3 important places to look at:
/var/www/
The first one is the /var/www/ directory, which is the default directory to store web content that the web server will serve. So you can find there the default info index.html page that was loaded in the browser. If you want to host some web, just create a new directory under /var/www and copy the site content. Don't forget to apply correct rights as the web server runs under the www-data user and this user needs to be able to access those files. You don't need to stick with the default directory, the web server can serve files from any location if that location has the right permissions. In some cases, administrators even chroot the folders that the web server hosts so in case it gets compromised, the attacker would find himself in a sandbox. But I am not going to cover this option here.
/etc/nginx/sites-available/
This is the directory for virtual host configuration files. Best practice is to have a different configuration file for each web page (or web service). The web server will then execute them as separate virtual servers. Check the default configuration file to see what it looks like. In most distros it will have plenty of comments. Check also the /etc/nginx/sites-enabled directory. You will see the symlink to the file in sites-available. That's because nginx serves only those configs that are enabled by creating a symlink in this directory. When you add a new symlink or remove one, you need to reload the web server service (service nginx reload) or use the old non-systemd way on some distros: /etc/init.d/nginx reload.
/etc/nginx/nginx.conf
This is the main configuration file. It is the global configuration for the web server itself and it will also apply to all configuration files in sites-available, but they can override these global settings by defining the same configuration option again in their file. The main config imports everything in the sites-enabled directory at the end, so it is obvious what the relationship between them is and also why only those configs from the sites-available directory that are linked to sites-enabled are actively used.
OK! Take a look at some basic virtual server configuration file now. Let's create it in /etc/nginx/sites-available/example:
server {
    listen 80;
    server_name example.mizik.sk;
    charset utf-8;
    root /var/www/example.mizik.sk;
    index index.html;
    location / {
        try_files $uri $uri/ =404;
    }
}
So what do we have here. We are defining a server that listens on port 80 (plain HTTP) and it will react only if the requested host is example.mizik.sk. The default charset will be utf8, the index file should be called index.html (it needs to be defined because it can also be a PHP file or other file type) and the root directory will be /var/www/example.mizik.sk. Then inside the server section we can define multiple location sections. Configuration options declared inside a location section will apply only to the defined location and recursively down from there. In our case, one location section is enough and we are not declaring much, only that first we will try to serve the path as a file, then as a directory. If we symlink this new file to the sites-enabled directory and reload nginx, we will be able to access the page defined in the root clause using the hostname in the server_name clause (of course, there should be a valid DNS 'A' record that points example.mizik.sk to the IP of our server). Our web is now up and running!
Now let's talk about a more robust but important topic: securing the default installation and the web pages we are going to host.
HTTPS
All mainstream browsers now almost force web pages to have a valid SSL certificate, otherwise your page may be declared as not secure. From time to time, there is some
=> discussion
over the topic of hosting webs only over HTTPS and therefore effectively blocking old computers from accessing them as they will not support the new TLS variants or they will have no computing power to do so. I don't consider this a reason to host over plain HTTP. We are talking about less than 0.1%. I am voting for using things as long as possible, but this may not be the situation. Almost everyone can afford a secondhand Raspberry Pi for a single digit amount of dollars or euro, which will have no problem with loading and rendering a web page using the latest mainstream browser.
So let's add the 's' to our http, shall we? Nowadays, there are multiple SSL certificate issuers that offer a free and automatic way to generate and renew a valid certificate for your domain(s). Best known is
. Just follow the
, install certbot, run the command and you will generate a new certificate for your domain(s) in a couple of minutes. Then you will have to enable SSL in your virtual host config file under the server section and point to the newly generated cert files like so:
ssl on;
ssl_certificate /etc/letsencrypt/live/mizik.sk/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mizik.sk/privkey.pem;
Then change the port from 80 to 443, reload the web server and try it. You should have a valid HTTPS connection in the browser. For backwards compatibility, it is good to handle also port 80 and automatically upgrade the connection to HTTPS using a redirect. Just add another server section above the one you already have:
server {
    listen 80;
    server_name example.mizik.sk;
    return 301 https://$host$request_uri;
}
Disable old SSL/TLS versions
HTTPS is useless if it won't provide what it promises only because there are security issues that compromise the encryption. That's why we will disable insecure versions of SSL and TLS which by default can be used to negotiate an encrypted connection. Attackers mask themselves as clients that can connect only using an old protocol or cipher and therefore force the web server to use a less secure and outdated version. We can reconfigure it to fail in those cases rather than obey. In /etc/nginx/nginx.conf set 'ssl_protocols TLSv1.2 TLSv1.3;' to disable SSLv3, TLSv1.0 and TLSv1.1. All the current browsers and mobile devices support v1.3, so in case you don't care about older (unsupported) versions of browsers and mobile OSes you can stick with 1.3 only, but at the time of writing this article, 1.2 is still considered a viable TLS version.
Disable weak cipher suites
We have restricted TLS versions to only secure ones, now we need to do the same for the ciphers that will be used in the encryption itself. Add/replace these lines in your /etc/nginx/nginx.conf:
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384;
ssl_ecdh_curve secp384r1;
ssl_prefer_server_ciphers on;
Enable OCSP stapling
Online Certificate Status Protocol (OCSP) was created as an alternative to the Certificate Revocation List (CRL) protocol. Both protocols are used to check whether an SSL certificate has been revoked. OCSP stapling can be used to enhance the OCSP protocol by letting the web hosting site be more proactive in improving the client (browsing) experience. OCSP stapling allows the certificate presenter (i.e. the web server) to query the OCSP responder directly and then cache the response. OCSP stapling addresses a privacy concern with OCSP because the CA no longer receives the revocation requests directly from the client (browser). OCSP stapling also addresses concerns about OCSP SSL negotiation delays by removing the need for a separate network connection to a CA's responders. To turn on stapling just add/update these two lines in /etc/nginx/nginx.conf:
ssl_stapling on;
ssl_stapling_verify on;
Create random and strong Diffie-Hellman
Diffie-Hellman is a key exchange mechanism which allows two parties who have not previously met to securely establish a key which they can use to secure their communications. Don't use the pregenerated DH group: it is only 1024 bits and shared by millions of other servers that kept the original value, which makes them an optimal target for precomputation and potential eavesdropping. We will generate a custom 4096-bit one using openssl:
openssl dhparam -out dhparams.pem 4096
then create a new directory 'ssl' in /etc/nginx and move the file there. Don't forget to set the correct permissions: the .pem file should be writable only by root. Then add/modify this line in /etc/nginx/nginx.conf:
ssl_dhparam /etc/nginx/ssl/dhparams.pem;
Fight certificate mis-issuance using CAA
By using a CAA DNS record you are letting the world (and browsers) know who is allowed to issue the SSL/TLS certificate for your domain. It prevents mis-issuance of the certificate, where an attacker would by some chance be able to obtain a certificate for your domain signed by a trusted certificate authority. By setting CAA you restrict issuance to the specific CA you use. In our example, using letsencrypt as the issuer, the record would look like this:
example.mizik.sk. CAA 0 issue "letsencrypt.org"
Many DNS admin web interfaces don't provide the ability to set a CAA record yet, because it is a relatively young specification (2017), but often if you ask the provider's support directly, they will set it for you.
Don't show web server version in responses
Every piece of software has bugs, and a web server by default presents itself with its name and version. Based on this version, an attacker may find out which vulnerabilities apply to it, so let's stop sending the version altogether by adding 'server_tokens off;' in /etc/nginx/nginx.conf.
Fight buffer overflow attacks
There are some indications that by reducing client buffer and body sizes it will be much harder to exploit any potential buffer overflow bug in the web server, simply because the amount of data an attacker can send in a request is reduced. In cases where you are sending bigger data using forms or proxying some service, these values won't suffice. But the general rule is: start with the most restrictive policy and then relax it if necessary. So let's add/modify another 4 lines in /etc/nginx/nginx.conf.
client_body_buffer_size 1K;
client_header_buffer_size 1k;
client_max_body_size 1k;
large_client_header_buffers 2 1k;
Fight MITM attacks using HSTS
HTTP Strict Transport Security (HSTS) is a web server directive that informs browsers, through a response header, how to handle their connection to it. This sets the Strict-Transport-Security policy field parameter. It forces those connections over HTTPS encryption, disregarding any script's call to load any resource in that domain over plain HTTP. By setting the add_header parameter in the server section of our web configuration in sites-available, the web server will send this header with every response it makes.
add_header "Strict-Transport-Security" "max-age=31536000; includeSubDomains; preload";
Fight XSS attacks
The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. Although these protections are largely unnecessary in modern browsers when sites implement a strong Content-Security-Policy that disables the use of inline JavaScript ('unsafe-inline'), they can still provide protection for users of older web browsers that don't yet support CSP. But we will talk about CSP later. For now, just add another automated response header to your web page configuration, as in the case of HSTS:
add_header "X-XSS-Protection" "1; mode=block";
Fight clickjacking attacks
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a frame, iframe or object element. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites. So let's add a third automated response header:
add_header "X-Frame-Options" "DENY";
Fight side-channel attacks
The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised in the Content-Type headers should not be changed and must be followed. This is a way to opt out of MIME type sniffing, or, in other words, to say that the MIME types are deliberately configured. So let's add another automated response header:
add_header "X-Content-Type-Options" "nosniff";
Disable unused http methods
If you serve only a normal web page and are not proxying some kind of REST API, then it is safe to restrict which HTTP methods clients may use in requests. With this setting we disable the DELETE HTTP method (and every other method except GET, HEAD and POST) as a possible attack vector; nginx's non-standard status 444 simply closes the connection without sending a response. Add it to the server section of your web page configuration in sites-available.
if ($request_method !~ ^(GET|HEAD|POST)$) {
    return 444;
}
Setup CSP restrictions
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to distribution of malware. The implementation takes the form of an HTTP response header or a meta tag. In its value we are able to define from where the browser may load specific web page resources like scripts, CSS, images and so on. The header below will disable all 3rd party resources and allow only those hosted together with the HTML files. It will also disable inline definition of scripts and CSS, which is potentially insecure. This should also be our go-to configuration. If you have a specific reason why you need to enable some 3rd party resource, or some inline CSS or script, you can compute a hash of that inline chunk, or define a custom nonce, and add it to the header value. For more information, check
. In our case, let's try to stick with full restrictions:
add_header "Content-Security-Policy" "default-src 'self'; font-src 'self'; script-src 'self'; style-src 'self'; img-src 'self'; frame-ancestors 'self'; form-action 'self'; base-uri 'none'; upgrade-insecure-requests; block-all-mixed-content;";
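As an added example, not part of the article: a small POSIX shell audit that reads an nginx config file and reports which of the directives from the steps above are missing or still weak. The sample config it checks is constructed inline; the directive names and the /etc/nginx/ssl/dhparams.pem path are the ones used above.

```shell
#!/bin/sh
# Added example, not from the article: audit an nginx config file for the
# hardening directives set in this episode. Prints one line per check and
# returns the number of failed checks (0 means every check passed).

# Constructed sample config with only part of the hardening applied.
SAMPLE_NGINX_CONF="$(mktemp)"
cat >"$SAMPLE_NGINX_CONF" <<'EOF'
http {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;   # still allows legacy TLS
    ssl_prefer_server_ciphers on;
    ssl_stapling on;
    server {
        add_header "Strict-Transport-Security" "max-age=31536000; includeSubDomains; preload";
        add_header "X-Frame-Options" "DENY";
    }
}
EOF

# directive_value FILE NAME: value of the first uncommented NAME directive
# (the text between the name and ';'), empty when the directive is absent.
directive_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\([^;]*\);.*/\1/p" "$1" | head -n 1
}

# has_header FILE HEADER: success when an add_header line sets HEADER.
has_header() {
    grep -Eq "^[[:space:]]*add_header[[:space:]]+\"?$2\"?[[:space:]]" "$1"
}

# expect_directive FILE NAME VALUE: OK when NAME is set to exactly VALUE.
expect_directive() {
    v="$(directive_value "$1" "$2")"
    if [ "$v" = "$3" ]; then echo "OK   $2 $3"; return 0; fi
    echo "FAIL $2 is '${v:-unset}', expected '$3'"; return 1
}

nginx_hardening_report() {
    conf="$1"; failed=0
    # 1. Only TLS 1.2/1.3 may be negotiated (no SSLv3, TLSv1, TLSv1.1).
    protos="$(directive_value "$conf" ssl_protocols)"
    case " $protos " in
        *" SSLv3 "*|*" TLSv1 "*|*" TLSv1.1 "*)
            echo "FAIL ssl_protocols allows legacy versions: $protos"; failed=$((failed+1)) ;;
        *" TLSv1.2 "*|*" TLSv1.3 "*) echo "OK   ssl_protocols $protos" ;;
        *) echo "FAIL ssl_protocols unset, relying on the build default"; failed=$((failed+1)) ;;
    esac
    # 2. Cipher preference, OCSP stapling, hidden version and a custom DH group.
    expect_directive "$conf" ssl_prefer_server_ciphers on || failed=$((failed+1))
    expect_directive "$conf" ssl_stapling on || failed=$((failed+1))
    expect_directive "$conf" ssl_stapling_verify on || failed=$((failed+1))
    expect_directive "$conf" server_tokens off || failed=$((failed+1))
    if [ -n "$(directive_value "$conf" ssl_dhparam)" ]; then echo "OK   ssl_dhparam set"
    else echo "FAIL ssl_dhparam unset (no custom DH group)"; failed=$((failed+1)); fi
    # 3. Response headers the episode adds in the server block.
    for h in Strict-Transport-Security X-XSS-Protection X-Frame-Options \
             X-Content-Type-Options Content-Security-Policy; do
        if has_header "$conf" "$h"; then echo "OK   add_header $h"
        else echo "FAIL add_header $h missing"; failed=$((failed+1)); fi
    done
    return "$failed"
}

nginx_hardening_report "$SAMPLE_NGINX_CONF" || echo "$? check(s) failed"
```

Point it at your real file with `nginx_hardening_report /etc/nginx/nginx.conf`; directives placed in a separate sites-available file need that file passed as well.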
Fight DoS attacks using Fail2ban
It is possible to mitigate DoS attacks too by joining forces with fail2ban and the firewall. The implementation consists of three steps. The first is to configure the web server to log all suspicious requests to a specific log file. The second is to have fail2ban read this file and use the preconfigured hook (jail) to block the IP of the requesting party using the firewall. There are already two nice articles with example configurations, so if you are interested, check
=> this
and
=> this
link.
Finally,
=> ssllabs.com
is a really great tool to check whether our SSL setup and hardening was successful and correct. Definitely use it.
Last but not least, keeping everything up to date is also crucial, but we have that covered by the automated updates discussed in episode 3. So here we are with the web server up and running, properly secured and prepared for adventures much bigger than hosting a couple of static sites. The hardening above is sufficient for most professional use cases.]]>
<author>
<name>Marián Mižik</name>
</author>
<category term="VPS, Linux, Self-host" />
<summary>
Web server is one of the most basic services you can self-host. Very simple to install, reasonably simple to configure for basic use. Not that hard to setup for more robust usage, but the hardest thing is to run it in secure way. This is also the reason why this episode is a bit longer than usual.
<title>Services you can selfhost on you personal Linux VPS</title>
<link href="gemini://mizik.eu/blog/what-service-you-can-host-on-your-personal-linux-vps/" rel="alternate" type="text/plain" title="Services you can selfhost on you personal Linux VPS" />
<published>2020-12-30T00:00:00+01:00</published>
<updated>2020-12-30T00:00:00+01:00</updated>
<id>gemini://mizik.eu/blog/what-service-you-can-host-on-your-personal-linux-vps/</id>
<content><![CDATA[The fourth article of the Linux VPS series covers some of the services you can selfhost and what the pros and cons of selfhosting them are compared to using established cloud services from big companies.
=> Howto setup your personal XMPP server
=> Howto setup your personal CalDAV/CardDAV server
=> Howto proxy your self-hosted services using web server
=> Howto setup and secure web server
=> Services you can selfhost on you personal Linux VPS
=> Howto secure your personal Linux VPS
=> Howto setup your personal Linux VPS
=> Why setup your personal Linux VPS
One of the most basic and simple services is a web server. You can host your personal web page, blog, or even a social network like Mastodon. A web server can also be used as a proxy, hiding other services behind it and providing additional unified security features such as SSL with a valid certificate, or simple DoS and tampering prevention with the help of fail2ban. Another nice thing is that the communication ports of all those proxied services can be blocked by your firewall, as they don't need to be visible to the public. When hosting your own web services, you have complete control over your data, access, server settings, modules and so on.
This may be one of the hardest setups if done manually, but the reward is a lower-level understanding of how it works and the knowledge to make changes or fix problems if needed. A mail server setup consists of several parts. An MTA (mail transfer agent) that routes, sends and receives the mail (Postfix, qmail...). A POP3/IMAP service that provides your email data using the specified protocol (e.g. Dovecot). These two are necessary for standard use. There are some others that are very important if you want to use it as your daily driver: a spam filter (spamassassin, rspamd) and an antivirus engine (clamav). These will check incoming emails and can inform you or take some actions if configured that way. Last but not least, you can also set up a webmail client to provide another way of accessing your email besides POP3 and IMAP. All these things don't need to be configured manually; there are ready-to-go packages like mailcow or iRedMail that will do most of the work for you.
It is obvious why you would like to selfhost your emails: complete control over your data, no limit on accounts or aliases, the nifty ability to use your own domain for emails and so on. The biggest caveat is that sometimes, even if your setup is top-notch with all the bells and whistles regarding security, open relay prevention and authentication mechanisms like DMARC and DKIM, big players like gmail or hotmail may still put your emails in the spam folder.
Some people still like to use RSS even though the current internet is strongly pushing towards social network news feeds. If you are one of those who still likes to get the news over RSS but want to keep the data safe, you can selfhost it using several feature-complete packages like Tiny Tiny RSS or FreshRSS. Most web pages still have an RSS feed even though it is not publicly advertised. For example, in WordPress you only need to append /feed/ after the domain. You can even get RSS for your favourite YouTube channel and use it instead of the default subscription mechanism. Just use this URL:
=> https://www.youtube.com/feeds/videos.xml?channel_id=[YOUR_FAVOURITE_CHANNEL_ID]
Most of us have some sort of task and/or todo app. And most of us want it with synchronization between our daily used devices. There are at least two well known options: the nerdish taskwarrior and NextCloud/OwnCloud, which will give you much more than tasks and todos. They are complete selfhosted cloud solutions featuring virtually all you would want in one package, which has its obvious positives but also drawbacks.
The CalDAV and CardDAV protocols will give you the ability to selfhost, store, sync and share your contacts and calendars. There are several single-purpose options like Davical, Xandikos or Radicale, and you will get it from NextCloud/OwnCloud too.
People use VPNs for 4 main purposes. The first is the creation of a private network. That's what it was meant for. Another is to bypass blocking and firewalls when trying to access some other resource on the internet. The third is anonymity, especially when the VPN is used by many other users. The last is to fight your internet/network provider's spying efforts. You can use your selfhosted VPN server for any of these.
When talking about spying by your internet provider, another thing you need to do to get rid of it is to not use your provider's DNS. Using your VPN to anonymize yourself and then asking your provider's DNS for IP resolution every time you are heading somewhere on the internet is not the best idea. Luckily it is not that hard to set up your own Bind instance. But if you are not into it, you can still reconfigure your devices to use one of the public DNS providers like 1.1.1.1 or 8.8.8.8.
What about moving your whole family to a selfhosted jabber server and leaving Facebook Messenger or Skype to others? A basic jabber chat server for text messages and file exchange is very simple to set up. Use Prosody, for example. It is CPU and RAM efficient with very good documentation. But you can set up even audio and video calls and conferences, using Jitsi for example.
If you are a developer, or at least have something to do with IT, you probably know the benefits and uses of a version control system. Hosting your own git (mercurial, subversion...) is a nice alternative to GitHub. Setting up a personal selfhosted git accessed only by ssh is a piece of cake, but there are also several full-featured self-hosting solutions like Gitea, BitBucket or GitLab.
Old-school people like me would use rsync or git. Most of the crowd would use NextCloud/OwnCloud, with support for iOS/Android too, and some would look for a single-purpose but user-friendly alternative like Syncthing, which also has its Android app on F-Droid.
There is so much you can selfhost and gain the additional value of self-reliance, data control and access control. It is also one of the ways to degoogle your internet presence. It will take your time and effort at the beginning, but maintenance itself doesn't take more than a couple of hours a month. If you care about degoogling your phone too, I wrote a howto article about it. But the next article of this selfhosting series will be about the setup and hardening of your first service: the web server.]]>
<author>
<name>Marián Mižik</name>
</author>
<category term="VPS, Linux, Self-host" />
<summary>
The fourth article of the Linux VPS series covers some of the services you can selfhost and what the pros and cons of selfhosting them are compared to using established cloud services from big companies.
<title>Picotui, the most understandable tui library out there</title>
<link href="gemini://mizik.eu/blog/picotui-the-most-understandable-tui-library-out-there/" rel="alternate" type="text/plain" title="Picotui, the most understandable tui library out there" />
<published>2020-10-04T00:00:00+02:00</published>
<updated>2020-10-04T00:00:00+02:00</updated>
<id>gemini://mizik.eu/blog/picotui-the-most-understandable-tui-library-out-there/</id>
<content><![CDATA[I have been using several TUI libraries: curses, urwid, Npyscreen and also some non-Python ones. The story is always the same. The library is written using a catastrophic API, obsolete paradigms and with no simple way of extending the existing code. The code is often very hard to understand. So I went on a quest to find the most understandable one that would suit my needs.
I crunched through a bunch of them and then found
=> picotui
. It is a very small Python TUI library that does not use curses as a rendering engine; it also does not optimize screen refresh bandwidth, but it comes with a decent set of widgets and the whole code is in 9 files. There are also no tests, no documentation and very few comments in the code. I almost forgot: the author defines it as an experimental WIP project and, based on his activity on GitHub, its development and support are virtually non-existent. That being said, after I went through most of the code and built some examples, I can say that it is still the best library out there when it comes to extendability and the ability to understand basic architectural patterns.
Every widget extends the Screen class. Screen defines basic utilities for rendering widgets on the terminal screen. So you get the screen size, tty init and dispose, mouse support toggle, rendering functions for several types of borders and boxes, cursor manipulation, character attribute manipulation functions, character write support and hooks for screen redraw and screen resize. That's basically it. Then you get a set of abstract widgets built on top of the Screen class: base widget, focusable widget, editable widget, choice widget and item selection widget. The base widget adds key and mouse input handling, primitive support for events and a default loop function. The rest of the mentioned widgets extend the base widget and add only very little on top. This is the common abstraction layer for all widget implementations: label, frame, button, check box, radio, list box, popup list, drop down, single and multi line entry, combo box and editor. There is also support for menus and dialogs. There are even some common dialog implementations like a confirmation dialog or a single input dialog. The most complex widget is Editor, with its extended variants EditorExt, Viewer, LineEditor or versions with some kind of color support. Editor will let you write text that will be wrapped when you reach the end of the widget height. It also handles enter, delete and backspace keys for new lines and deletion, but it ends there. No support for home, end or tab keys. You also cannot init Editor straight with given text; you will have to split it into lines, and you are also responsible for keeping an eye on the correct line height and therefore splitting in the right place (not in the middle of a word or URL).
The basic logic is the same as in any other TUI library, and that is the loop. The loop is an infinite cycle that waits for input. When it comes, it is processed by your logic, the loop iteration then finishes and it waits again for another input. Every widget has its loop, but in most cases your application will not use the native widget loop; instead it will run some kind of custom wrapping loop function of yours that chooses which widget will consume the input. The second important fact is that in most cases you need to manage screen redrawing yourself. Widgets do redraw themselves when using their native API functions, but in most real world use cases you will have to redraw other widgets that rely on the one that consumed the input too. Picotui also lacks any automated layout system; you will have to statically position (and reposition) every widget on your screen. The current screen size can be obtained from the Screen class.
If you are building a TUI application that would run locally, or remotely using a stable average internet connection. If you care about extendability and simplicity. If you want to understand the libraries you are using as building blocks for your project. If you don't mind learning directly from the code with no dev support available. Then this is the TUI library for you. It will take you a day or two to grasp the concepts and functionalities, but then you will be able to work with it as if it were a direct part of your project. I have customized it to my liking too. Based on what it delivers, that will be necessary in most real world scenarios. I have wrapped some of the native widgets with borders, added text wrapping support to Editor, switched the controlling key bindings to vim-like bindings and rewrote two of my personal apps with it, finally understanding how and why it does what it does without hours of surfing the internet to find the answers.]]>
<author>
<name>Marián Mižik</name>
</author>
<category term="Linux, TUI" />
<summary>
I have been using several TUI libraries: curses, urwid, Npyscreen and also some non-Python ones. The story is always the same. The library is written using a catastrophic API, obsolete paradigms and with no simple way of extending the existing code. The code is often very hard to understand. So I went on a quest to find the most understandable one that would suit my needs.
<title>Howto secure your personal Linux VPS</title>
<link href="gemini://mizik.eu/blog/how-to-secure-your-personal-linux-vps/" rel="alternate" type="text/plain" title="Howto secure your personal Linux VPS" />
<published>2020-09-22T00:00:00+02:00</published>
<updated>2020-09-22T00:00:00+02:00</updated>
<id>gemini://mizik.eu/blog/how-to-secure-your-personal-linux-vps/</id>
<content><![CDATA[This is the third part of a small "Linux VPS howto" series and it talks about securing the default linux installation.
=> Howto setup your personal XMPP server
=> Howto setup your personal CalDAV/CardDAV server
=> Howto proxy your self-hosted services using web server
=> Howto setup and secure web server
=> Services you can selfhost on you personal Linux VPS
=> Howto secure your personal Linux VPS
=> Howto setup your personal Linux VPS
=> Why setup your personal Linux VPS
So our VPS is up and running. In most cases, what you have now is a minimal installation of the distribution you selected. This is good, because we want to have installed only those packages we really need and nothing more. You can check what is installed/running and remove additional packages if possible. The probability of an exploitable vulnerability rises with every single installed package, especially if that application can be reached remotely. Any real examples shown in this article should be considered to be for Debian/Ubuntu, as these two together are the prevalent option among personal VPS. (I failed to find an article to confirm that claim though.)
An important thing at the beginning is to update all installed packages to an up-to-date state using the distro-specific (package manager specific) set of commands. For example, in the case of Debian it will be: 'apt update && apt upgrade && apt dist-upgrade && apt autoremove && apt clean'. Be aware that the hardening steps in this article are valid for a VPS where all users are trusted. In the case of a multi-user machine where the users cannot be trusted, you should apply many more rules and restrictions than the ones below, and those are not covered in this article.
So you are logged in as root. Change your password to something different from the generated one. Then create another unprivileged user with a name of your choice, for example 'john'. You can set up sudo for this user or stick to the classic 'su'; it doesn't matter in this case. Now open /etc/ssh/sshd_config; we are going to harden SSH access. Make these changes:
This will change the amount of time in seconds you have to finish logging in. The default is 2 minutes. Nobody needs that much.
Disable the ability to log in directly as root. It is best practice not to have your privileged user accessible via SSH.
Enable SSH server strict mode. When enabled, the system will apply more checks and controls.
Enable additional restrictions during unauthenticated incoming network traffic.
Automatically log out after the specified duration of inactivity in seconds. It is a good practice to do so in case you forget to log out manually. But this setting will surely get on your nerves later :)
Disable the ability to run X applications remotely via SSH. In most cases you won't need this on your personal VPS.
Disable the ability to authenticate using a password. Best practice is to log in via public keys, as this effectively disables brute-force dictionary attacks on users' passwords.
Enable authentication using public keys. When enabled, and with password login disabled, you need to generate a private/public key pair for every user that will log in using ssh. There are plenty of howtos on the internet, for example
=> this one
.
Allow only your newly created user(s) to log in using SSH.
Change the port on which the SSH server listens to some high port. There is a controversy over this setting. If you leave your SSH port on 22, you will (in most cases) be the target of a significant amount of automated dictionary attacks, and it will spam your logs and monitoring outputs. If your SSH is set up correctly those attacks are not harmful, but they will trigger many false positive monitoring alerts and make your logcheck outputs harder to read. This can all be solved by moving SSH to a non-standard high port. Automated attacks don't scan your machine for SSH, because those scripts don't want to waste time as they need to go through a huge amount of IP addresses. They just go for port 22. The problem is that in POSIX compliant systems, all ports below 1024 are privileged ports and require root to start listening on them, so you can be sure that the service listening on 22 is really your SSH server. If you move it, for example, to 48277, any local user can spawn a daemon listening on that port trying to act as an SSH server and potentially read your passwords. But for this you would have to use passwords to log in, and someone would already have to have access to your system and also be able to kill the already running SSH server, which runs under the root account. I personally always go for a high port, because I like to have my monitoring set sensitively and I read all reports coming to my email. With SSH on port 22 I would either get a huge amount of false positives, or I would have to restrict SSH monitoring. For more information on why not to reconfigure your SSH server to a high port, check
=> this link
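As an added example, not part of the article: a pre-flight check to run before disabling password authentication, confirming that the user who will log in (the article's 'john') already has an authorized_keys file that sshd's strict mode will accept. The key line and the home directories it creates are constructed dummies, and it assumes GNU stat (Linux).

```shell
#!/bin/sh
# Added example, not from the article: before setting 'PasswordAuthentication no'
# in /etc/ssh/sshd_config, verify that the user who will log in already has a
# usable authorized_keys file. Otherwise the next login fails and, with root
# login disabled too, the VPS is locked out. Uses GNU 'stat -c %a'.

# Constructed dummy public key line; it is not a real key.
SAMPLE_KEY_LINE='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEONLYEXAMPLEONLYEXAMPLEONLYEXAMPLE john@vps'

# Fails when group or others have the write bit; StrictModes rejects that.
not_group_world_writable() {
    mode="$(stat -c %a "$1")"
    case "$mode" in *[2367][0-7]|*[2367]) return 1 ;; esac
    return 0
}

# pubkey_login_ready HOMEDIR: 0 when HOMEDIR/.ssh/authorized_keys exists, holds
# at least one key and neither it, .ssh nor the home directory is writable by
# group/others; otherwise prints the reason and returns 1.
pubkey_login_ready() {
    home="$1"; keys="$home/.ssh/authorized_keys"
    [ -d "$home/.ssh" ] || { echo "missing $home/.ssh"; return 1; }
    [ -f "$keys" ] || { echo "missing $keys"; return 1; }
    for p in "$home" "$home/.ssh" "$keys"; do
        not_group_world_writable "$p" || { echo "$p is group/world writable"; return 1; }
    done
    # Count key lines; option prefixes such as 'restrict,command="..." ' are allowed.
    n="$(grep -Ec '(^|[[:space:],"])(ssh-(rsa|ed25519)|ecdsa-sha2-nistp[0-9]+|sk-[a-z0-9.@-]+) [A-Za-z0-9+/=]+' "$keys" || true)"
    [ "$n" -gt 0 ] || { echo "$keys contains no public key"; return 1; }
    echo "$keys: $n key(s), permissions fine"
}

# constructed_home KEYLINE SSHDIR_MODE: build a throwaway home directory for
# demonstration; pass '' as KEYLINE to omit authorized_keys entirely.
constructed_home() {
    d="$(mktemp -d)"; mkdir "$d/.ssh"
    if [ -n "$1" ]; then
        printf '%s\n' "$1" >"$d/.ssh/authorized_keys"
        chmod 600 "$d/.ssh/authorized_keys"
    fi
    chmod "$2" "$d/.ssh"
    echo "$d"
}

GOOD_HOME="$(constructed_home "$SAMPLE_KEY_LINE" 700)"
pubkey_login_ready "$GOOD_HOME"   # ready: safe to switch passwords off for this user
```

On the real VPS run `pubkey_login_ready /home/john` (as root) and only then restart sshd with password authentication disabled.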
The default firewall in Linux for many years was netfilter/iptables. Currently there is also a successor available called nftables. Both of them have a similar syntax and it is hard for an unfamiliar person to master it. So for the sake of this article I will use UFW, which is short for "uncomplicated firewall" and uses iptables under the hood. Basically, it is an app that simplifies iptables usage for you. First you must install it using the distro package manager. Then we will apply the default set of rules by executing these commands:
Deny all incoming traffic by default. It is best practice to deny everything that is coming in and allow only specific rules manually.
Make no restrictions for outgoing traffic, because by default we do not fear what is going out. That is because outgoing traffic is initiated either by a service we installed and trust, or by a user we allowed and, in the case of our setup, most likely also are ourselves.
Allow incoming traffic on port 48277 we chose as an example for custom high SSH port. If you've chosen different port, or went for default 22, then put here your selected port. This rule is crucial, otherwise we would cut ourselves out from SSH and our remote connection may be lost.
Allow incoming traffic on port 80. Allow this only if you plan to host a web server, or use a web server as a proxy for some other services. Port 80 should be enabled only for backward compatibility with browsers and other clients. Best practice is to serve everything over HTTPS, which is port 443. So if someone requests data using HTTP (port 80), web server should upgrade (redirect) communication to HTTPS at first and then continue to serve whatever client requested. We will take care of it in different article where we will cover web server setup.
Allow incoming traffic on port 443. Allow this only if you plan to host web server.
Firewall is by default disabled after the installation. This will enable it and it will automatically apply all rules we have defined so far. Definition of rules is persistent, so it will survive both firewall restart and OS restart.
Print out current firewall status with all applied rules.
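As an added example, not part of the article: the rule sequence above as a shell function that validates the SSH port and refuses to enable the firewall if the SSH rule did not apply, which is the lockout the text warns about. It uses ufw's 'default', 'allow', '--force enable' and 'status verbose' subcommands; by default it runs against an echoing stub, and setting UFW_CMD=ufw (as root) applies the rules for real.

```shell
#!/bin/sh
# Added example, not from the article: apply this section's UFW rules in an
# order that cannot cut off the SSH session. SSH_PORT is the custom high port
# (48277 in the article); pass 'yes' as the second argument to open 80/443.
# UFW_CMD defaults to a dry-run stub; export UFW_CMD=ufw (as root) to apply.

ufw_dry_run() { echo "ufw $*"; }
UFW_CMD="${UFW_CMD:-ufw_dry_run}"

# valid_port N: success when N is an integer in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# apply_baseline_rules SSH_PORT [yes]: returns 2 on bad input, 1 when a rule
# could not be applied (the firewall is then left disabled), 0 on success.
apply_baseline_rules() {
    ssh_port="$1"; web="${2:-no}"
    if ! valid_port "$ssh_port"; then
        echo "refusing to continue: '$ssh_port' is not a valid port" >&2
        return 2
    fi
    # Defaults first: drop everything inbound, leave outbound unrestricted.
    "$UFW_CMD" default deny incoming || return 1
    "$UFW_CMD" default allow outgoing || return 1
    # The SSH rule must be in place before 'enable', or we lock ourselves out.
    if ! "$UFW_CMD" allow "$ssh_port/tcp"; then
        echo "SSH rule failed; leaving the firewall disabled" >&2
        return 1
    fi
    if [ "$web" = yes ]; then
        "$UFW_CMD" allow 80/tcp || return 1
        "$UFW_CMD" allow 443/tcp || return 1
    fi
    # --force answers the "may disrupt existing ssh connections" prompt for us.
    "$UFW_CMD" --force enable || return 1
    "$UFW_CMD" status verbose
}

apply_baseline_rules 48277 yes   # dry run: prints the ufw commands in order
```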
You can do much more with the firewall and it is important to at least know what you are able to do with it. There are many articles talking about ufw capabilities, or you can also use ufw man pages. Definitely check some docs out, because sooner or later you would like to enable your new service, or remove some automatically applied IP block created by fail2ban, which we will cover later in this article.
This is another highly debated step. The world has already depleted all IPv4 segments, but IPv4 is still dominant. Unfortunately, there is a much higher rate of suspicious activity on IPv6 than IPv4, and the main rule when trying to secure your VPS is: disable/delete/remove everything you don't need. Therefore by default I always turn IPv6 off if it is not needed. To do so, you need to modify the /etc/sysctl.conf file like so:
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.eth0.disable_ipv6 = 1
net.ipv6.conf.eth1.disable_ipv6 = 1
net.ipv6.conf.ppp0.disable_ipv6 = 1
net.ipv6.conf.tun0.disable_ipv6 = 1
As you can see, we are disabling ipv6 globally and then also for every network interface present on the machine. Double check what interfaces you have present and modify lines above according to your findings. To turn off IPV6 for UFW, you need to set 'IPV6=no' in /etc/default/ufw. You may need to manually turn it off for other services you will host. For example in case of postfix mail server, you would have to set 'inet_protocols = ipv4' in /etc/postfix/main.cf
Fail2Ban is intrusion detection and prevention software that protects your VPS from brute-force attacks. It monitors log files and takes actions according to its findings and based on how it is configured. It automatically covers many log formats and supports many standard services out there. It mainly consists of actions, filters and jails. Actions define what should be done when something happens. Filters define how to detect that something happened. Jails put actions and filters together with some additional configuration and settings. For now, we have no service installed and exposed to the public besides SSH and networking, so fail2ban should target these two by detecting port knocking and ssh connection failures. There are plenty of howtos for most types of jails. For example one for port scans is
=> here
and one for ssh is
=> here
. Don't forget to set the correct sender email address in /etc/fail2ban/jail.d/jail.local
Logcheck is a simple utility that can read many log formats and summarize them into an email. The destination email can be configured in /etc/logcheck/logcheck.conf. The log files that logcheck will add to the final summary can be defined in /etc/logcheck/logcheck.logfiles. You can define what in those log files should be ignored and not added to the summary. Make sure that all log files you want scanned are readable by logcheck. Logcheck is not executed automatically; you should take care of that by scheduling it using cron.
Fail2ban, logcheck and also your future monitoring utilities will depend on ability to send emails from your VPS. You don't have to setup whole email server for that, the only thing you need is ability to send mail. For the sake of this series, I will use postfix, because in later articles I will explain how to setup self-hosted email server using postfix. There are many alternatives like sendmail, exim, qmail and others. You can check the differences and make a personal decision. One such article is
=> here
Debian for example, has an automatic, after install, curses based setup, where you will only select to use an 'Internet site' configuration and then define your domain as the system mail name. But everything can be done manually too using two main postfix configuration files: /etc/postfix/main.cf and /etc/postfix/master.cf. It is also good practice to set your mail domain in /etc/mailname file if your distro supports it.
Many distros have the ability to automate package updating. Regularly updated OS is very important when it comes to security, so be sure you are doing so manually or by setting up an automated procedure. In case of debian based distros, it will be package 'unattended-upgrades' with a simple configuration using config files located in /etc/apt/
Some distributions allow you to verify the checksums of installed package files. Thanks to such a mechanism you are able to detect corrupted and altered files. On Debian, the package is called debsums. It can even check that a package log file is not smaller than at the last check, which can point to manual log file modification. Be sure to add the debsums log file among the files that are summarized by logcheck.
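The two checks described above, as an added illustration rather than debsums' own code: every file's SHA-256 is compared against a manifest recorded at install time to flag altered or missing files, and a log file is checked against its size from the previous run so that a shrinking log stands out. The manifest and state-file formats, file names and the temp-directory scenario are all assumptions made for this example.

```python
# debsums-style integrity check, added example (not debsums' own code).
# (1) compare file digests against a stored manifest; (2) flag a log that
# shrank since the previous run. Formats and paths are assumed.
import hashlib
import json
import os
import tempfile
from pathlib import Path

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(paths):
    """Record the known-good digest of each file (taken right after install)."""
    return {p: sha256_of(p) for p in paths}

def verify_manifest(manifest):
    """Return {path: 'OK' | 'MODIFIED' | 'MISSING'} for every manifest entry."""
    result = {}
    for path, digest in manifest.items():
        if not os.path.exists(path):
            result[path] = "MISSING"
        else:
            result[path] = "OK" if sha256_of(path) == digest else "MODIFIED"
    return result

def check_log_growth(log_path, state_path):
    """Return False if the log shrank since the last check (possible manual edit)."""
    key, size = str(log_path), os.path.getsize(log_path)
    state = {}
    if os.path.exists(state_path):
        with open(state_path) as f:
            state = json.load(f)
    grew = size >= state.get(key, 0)
    state[key] = size                      # remember this size for the next run
    with open(state_path, "w") as f:
        json.dump(state, f)
    return grew

def demo():
    """Constructed scenario in a temp dir: one file edited, one deleted, log truncated."""
    d = Path(tempfile.mkdtemp())
    files = [d / n for n in ("bin-tool", "etc-conf", "lib-so")]
    for i, p in enumerate(files):
        p.write_bytes(b"original content %d\n" % i)
    manifest = build_manifest(files)
    files[1].write_bytes(b"original content 1\n# line added after install\n")  # tampered
    files[2].unlink()                                  # library removed
    log, state = d / "debsums.log", d / "state.json"
    log.write_bytes(b"x" * 100)
    first = check_log_growth(log, state)               # 100 >= 0 -> True
    log.write_bytes(b"x" * 10)                         # truncated by hand
    second = check_log_growth(log, state)              # 10 < 100 -> False
    return [verify_manifest(manifest)[p] for p in files], first, second
```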
Security-Enhanced Linux is a kernel security module that can define access controls for users, applications, processes and files. So, for example, if you have a database that should run under a specific user and access only data in a specified directory, you can define a set of rules that confines the running process to exactly that. It can be configured to run in enforcing or permissive mode; in the latter case it only logs detected violations. SELinux uses its own users and groups in its rules, and these are not your OS users and groups; this confuses many people, so keep it in mind. SELinux is a huge topic and is covered in detail in the official documentation of every big distro out there.
If you apply everything above, your VPS is secured and you are ready to deploy some useful services. In the next article I will talk about what interesting services can be self-hosted and why.]]>
<author>
<name>Marián Mižik</name>
</author>
<category term="VPS, Linux, Self-host" />
<summary>
This is the third part of a small "Linux VPS howto" series and it talks about securing the default linux installation.
<title>Howto setup your personal Linux VPS</title>
<link href="gemini://mizik.eu/blog/how-to-setup-your-personal-linux-vps/" rel="alternate" type="text/plain" title="Howto setup your personal Linux VPS" />
<published>2020-08-21T00:00:00+02:00</published>
<updated>2020-08-21T00:00:00+02:00</updated>
<id>gemini://mizik.eu/blog/how-to-setup-your-personal-linux-vps/</id>
<content><![CDATA[This is the second article of a small series about taking care of your own VPS. This one is about all the necessary non-admin things to think about when setting the VPS up.
=> Howto setup your personal XMPP server
=> Howto setup your personal CalDAV/CardDAV server
=> Howto proxy your self-hosted services using web server
=> Howto setup and secure web server
=> Services you can selfhost on you personal Linux VPS
=> Howto secure your personal Linux VPS
=> Howto setup your personal Linux VPS
=> Why setup your personal Linux VPS
A domain is an almost necessary part when it comes to connecting to your VPS and the services you deploy on your virtual machine. It doesn't really matter what domain you choose. If you don't care, go for the cheapest TLD; if you want something fancy, go for fancy :) Some domain registrars will also give you the ability to manage DNS. If you choose one that does not support such a feature, then you should double check whether your VPS provider has such an option, otherwise you are stuck with setting up your own DNS server instance, or using a 3rd party service to manage DNS.
There is a plethora of VPS providers these days. Just choose the one you like. If you're choosing from worldwide providers, then you can compare them on several VPS comparison portals. Be sure to check the price, SLA, how good their VPS management website is, how good their support is, and whether they support the Linux distro you would like to have installed. I personally use a local central European provider called
=> Websupport
. They are a bit on the expensive side, but they have a great admin page, online chat support, they are also a domain registrar, they provide free DNS management and a free VPS snapshot feature, their VPSes are super stable and they almost never have their IP segments in
. This, together with the ability to set a reverse DNS record, is crucial if you want to host your own email server.
The price of a VPS is based on the HW parameters you choose. I personally always target the lowest possible and upgrade if necessary. Almost every provider gives you an option to upgrade the HW parameters of an existing VPS. Be aware that not every one gives you the ability to downgrade. One more reason other than price to go for the lowest possible settings is the fact that you are then forced to care about how carefully selected and optimized the services you host are. By tweaking them and reading about them, you learn. And one great reason to host your own server, besides privacy, is that you learn Linux more deeply and in a different way, as in this case you are not only the user but also the administrator. My VPS never had more than 1 vCPU, 1GB RAM and 20GB of space. But it all depends on what services you would like to host. I currently run only one VPS with 512MB RAM and I host an email server, webdav, carddav, caldav, a task management app, an RSS feed reader and aggregator and a webserver.
Most providers will let you choose the name, distro, HW parameters, additional features and a root password you will use to log in to the machine for the first time. Some providers will give you the option to upload a certificate (SSH public key) to use for SSH authentication. After submitting the form, you will need to wait some time for the VPS to be generated. In most cases it doesn't take longer than a couple of minutes. After that you are ready to log in to your machine.
Before you start any work on your VPS, it is a good idea to set up at least the DNS 'A' record, as you already have the VPS public IP. In some cases it takes several hours for a DNS update to propagate, so let's do it as soon as possible. The VPS IP is in most cases shown in the admin page, but if not, you can get it in the terminal using the commands 'ip a' or 'ifconfig'. If you are planning to set up reverse DNS, do it now. Reverse DNS is based on PTR records, but most providers give you a dedicated GUI form for setting it up. If you have opted for any form of monitoring, backup, snapshot generation and so on, you can configure it now if applicable.
Now you should have your VPS set up and running. It is time to secure and harden it before you start installing any services. I will cover that in the next article.]]>
<author>
<name>Marián Mižik</name>
</author>
<category term="VPS, Linux, Self-host" />
<summary>
This is the second article of a small series about taking care of your own VPS. This one is about all the necessary non-admin things to think about when setting the VPS up.
<title>Why setup your personal Linux VPS</title>
<link href="gemini://mizik.eu/blog/why-setup-your-personal-linux-vps/" rel="alternate" type="text/plain" title="Why setup your personal Linux VPS" />
<published>2020-07-20T00:00:00+02:00</published>
<updated>2020-07-20T00:00:00+02:00</updated>
<id>gemini://mizik.eu/blog/why-setup-your-personal-linux-vps/</id>
<content><![CDATA[This article is the first of a small series about owning your personal VPS. It is about the reasons why you should or should not host services by yourself on a personal VPS.
=> Howto setup your personal XMPP server
=> Howto setup your personal CalDAV/CardDAV server
=> Howto proxy your self-hosted services using web server
=> Howto setup and secure web server
=> Services you can selfhost on you personal Linux VPS
=> Howto secure your personal Linux VPS
=> Howto setup your personal Linux VPS
=> Why setup your personal Linux VPS
Setting up an operating system with self-hosted services requires some knowledge, and so does debugging problems or optimizing configurations. If you are interested in Linux, operating systems in general, networking, firewalls, services, security... then the best way to learn is to work with it. Your personal server / playground is a great choice for practical learning.
If you care about the privacy of your personal data, then you will have full control if the services you use are self-hosted by you, on your machine. You don't need to care about licenses, terms of service, or cyber attacks targeting online services with millions of users. There is a much smaller chance of being hacked for your data when you self-host your services. The reason is that no one cares: it is more efficient to attack services with a huge number of users. The personal data of one individual has no value unless someone is interested directly in you.
You have full control over your data and also over the services you host. You can replace them or make any changes you want. Since you have control over the filesystem and databases, there is also a higher chance that you can back up, convert, or migrate data between services that have no export/import compatibility.
If tinkering with the stuff mentioned above is not going to be fun for you, then you should probably not go for it, unless you have senior knowledge and you just need to get things done for some reason. If this is your first attempt to walk this rocky path, then you should be enthusiastic about it, otherwise you probably won't finish it, or will revert to your current easy digital life after some time.
Taking care of a VPS takes time, especially in the beginning, during the learning, setup and configuration phase. If you are interested in it, you will probably optimize and modify things along the way as you find out about better or more interesting ways of doing them. If you don't have time, better try it later when you have some.
Most of the mainstream services are rock stable, backed by redundancy, clustering, automatic crash recovery, backups and 24/7 care by system admins. If you don't have the experience and knowledge, it will take time to fine-tune things to be stable. You need to take that into account. But don't worry: after that, you can get things stable enough for daily use without many problems.
If, after reading the information above, you are still interested in setting up your own personal VPS, continue to my next article.]]>
<author>
<name>Marián Mižik</name>
</author>
<category term="VPS, Linux, Self-host" />
<summary>
This article is the first of a small series about owning your personal VPS. It is about the reasons why you should or should not host services by yourself on a personal VPS.
<title>My journey to become a Gentoo fan</title>
<link href="gemini://mizik.eu/blog/my-journey-to-become-gentoo-fan/" rel="alternate" type="text/plain" title="My journey to become a Gentoo fan" />
<published>2020-06-13T00:00:00+02:00</published>
<updated>2020-06-13T00:00:00+02:00</updated>
<id>gemini://mizik.eu/blog/my-journey-to-become-gentoo-fan/</id>
<content><![CDATA[I started working with Linux 17 years ago (in 2003). It was Debian Woody. The kernel version was 2.4.x and everybody was talking about making the big step to 2.6. Linux of that era was a complete disaster when it comes to UX, or working "out of the box", but for me it was fun and I also liked that "underground" feeling about it. I didn't understand most of the underlying things, and to be honest, every time I got sick of it, or I wanted to play some games, I just rebooted to Windows XP :)
So there I was, hopping regularly between two systems based on my actual mood and laziness. One day I was sitting on my dorm room balcony together with my roommate. Both of us were volunteering in our university network administration club. I was a web master, my roommate was a system administrator. He was very eager about a distro he had heard of, which did not have any automated installation and you had to locally compile the whole system by yourself from scratch, optimised for your CPU architecture, CPU features and custom needs. You could choose between 3 types of initial library collections called stage1, stage2, or stage3, where stage3 was an almost complete minimal system and stage1 was almost only a compiler with the necessary dependencies to start with. You would have to unpack it, chroot into it and start building your system from ground zero. I was thinking about making the effort to completely move to Linux and this distro sounded intriguing. I didn't know what chroot was, but I had a gap between two semesters and plenty of time, as I only had a part time job as a Java programmer. So we shook hands, opened some beers and the mission started right in that moment. I formatted my main drive and smashed my Windows installation CD in half. Ready to begin the journey to become a pure Linux user, to get everything I needed (and before had only on Windows) installed, configured and running on Linux. I knew it would take many hours to accomplish, but boy! If someone had told me that the only thing I would have after 40 hours of almost straight work would be a successful boot to TTY, I probably wouldn't have taken that rocky path.
It took me 9 days of 12+ hours to get most of the stuff ready, but during that week I absorbed such a huge amount of Linux knowledge that I felt like Neo from The Matrix. I had a super small and optimized kernel compiled with no modules. I got a TTY with high resolution and framebuffer. I got an optimized and very quick system running with a much smaller memory footprint. I learned what chroot was, and also about init, runlevels and process priorities; I fell in love with portage, overlays, ebuilds, USE flags and all the main Gentoo concepts. I found out that I could choose my own init system, cron scheduler, system logger, boot loader and kernel patches. I finally achieved an installation where KDE (Qt) and Gnome (Gtk) libraries were not messed up together because of random software dependencies. I knew what software I had in my system and why. I could finally read ps aux and understand most of the lines, and I could check what ports were open and knew the reason for it. For the first time in my life I was master of my operating system and it felt great.
Nowadays, I can install Gentoo in 3-4 hours. The official Gentoo documentation now tells you to start with stage3 to spare you the agony of trying to grow your system from stage1 (AFAIK it is not even available anymore). My machine is able to compile the kernel in under 1 minute, which is a huge blast. Imagine waiting for almost 1 hour after every kernel config change, then rebooting only to get a kernel panic during startup :) In other words, it is much easier these days to go with Gentoo, but the benefits are the same as they were in the past. Last time I checked, the official installation documentation was still superb and up to date.
Since then I have had to use many other distros because of school or work, and I found out that even when I knew how things should work, some distros were fighting against me. It looked like the more user-friendly a Linux distro tries to be, the more it fights the power user who wants to do something manually, or in a custom way. But not on Gentoo's watch. Over more than 12 years, every time I didn't like something, Gentoo gave me an elegant way to accomplish the change I was about to make. I wanted a plain old simple init system, and it never forced me to use systemd. I hated the instability of PulseAudio in its early versions and Gentoo to this day gives me the ability to run on plain ALSA. If I had issues with new HW and needed a bleeding edge kernel, piece of cake in Gentoo. You need a different version of some software in the repo? Most of the time you will only pin the preferred version in your portage config file and run the install. Want to migrate your system from openssl to libressl because of security? Just change the USE flag and rebuild the affected packages. I tried other advanced "do it yourself" distros like Slackware or Arch, but for me personally, Gentoo is the one. Especially in current times, when recompiling something is not a matter of minutes, but rather seconds.
By the way, those 2 weeks without all the luxury of a graphical user interface gave me one more great experience. I learned how to use terminal alternatives to GUI applications. I had to use lynx for browsing, finch for IM, midnight commander for file management, vim for editing, htop for process maintenance, mutt for mail and so on, because I wasn't able to run X for quite some time :D The funny thing is that after I got the GUI back, I found out that in many cases I am faster and more satisfied with TUI solutions than the GUI ones, and I am using them until now, but that is a completely different story to write about...]]>
<author>
<name>Marián Mižik</name>
</author>
<category term="Gentoo, Linux, Personal" />
<summary>
I started working with Linux 17 years ago (in 2003). It was Debian Woody. The kernel version was 2.4.x and everybody was talking about making the big step to 2.6. Linux of that era was a complete disaster when it comes to UX, or working "out of the box", but for me it was fun and I also liked that "underground" feeling about it. I didn't understand most of the underlying things, and to be honest, every time I got sick of it, or I wanted to play some games, I just rebooted to Windows XP :)