Imran's Blog

Reworking dad's site (again)

2024-01-27T00:00:00+00:00

I decided to rework my dad's site again. But first some history:

# </a> Site version 1</h3>

Dad uploads documents via ftp to hosting company.</li>
Files are now public and viewable.</li> </ol>
This was his workflow for years. The problems started when he relocated to our home country and had to pay for renewal of service. The hosting company does not accept payment from our home country, and the conversion makes the cost too unreasonable. This is when my dad asked me to pay for him since I am still in North America. Since this is (and most probably will stay) static files, I thought why not take advantage of free hosting provided by forges for static pages. This led to site version 2.
# </a> Site version 2</h3>

Dad uploads documents to my local server via sftp.</li>
Something listens for file changes.</li>
That something then makes a git commit and pushes it.</li>
The forge of choice then publishes this to their static hosting site.</li> </ol>
For the forge, I ended up going with GitLab. I already had a GitLab account I was using some other stuff. GitLab has a nice feature where you can give another account a developer role</a>. This ensures the following about that account:

Can not perform destructive actions on the repository.</li>
Can not change any GitLab Pages settings.</li>
Can push code.</li> </ol>
This let me create a bot account that can whose credentials would come in handy for step 3 and GitLab CI would take care of 4. Also, in some crazy scenario, if someone was able to access that account's ssh keys or account, generating garbage commits is all they would be able to do.
My dad is unable to use (or understand) ssh keys, so his account would need to be able to login via password. I also did not want someone who got access to his account to be able to mess with the users home directory, where the ssh keys and git repository exists. The solution was a sftp chroot and bind mount. With step 2 remaining, I decided to create my own program for it. I covered this in a previous post</a>.
This ended up with its own issues</a> which led to site 2.1.
# </a> Site version 2.1</h3>
This is like version 2 except instead of going over the public network step 1 is now done via tailscale (plain wireguard out of the question for similar reasons to why ssh keys aren't viable).
And voilà! I now have my dads work backed up in git while being invisible to him and it's cheaper than paying the hosting company from version 1. All is well except one big issue. I have broken my dads workflow and subsequently reduced his enjoyment (and frequency) of working on the site.
The biggest difference between version 1 and 2, is the feedback after uploading files. My dad works on his site by editing the html and then viewing the results AFTER uploading the files. This works well enough for him and he was happy with it. I ruined it with version 2. In version 2 there is a couple minutes delay as the changes make their way through git and GitLabs CI to for publishing. I am unsure if caching is in play here, but it would also add to the feedback time.
I should be able to do better (and I did! hence this post), which led to site version 3.
# </a> Site version 3 (now with 100% more nix)</h3>
My requirements for site version 3 were:

Immediate feedback from version 1</li>
All the good stuff from version 2</li> </ol>
This led me to the following solution:

Cheap VPS</li>
Caddy for serving files and SSL certificates</li>
sftp/bind mount/etc from version 2</li> </ol>
The reasons I do not want to host this on my local server is that I have a residential connection and that connection's public IP changes from time to time. I didn't want to complicate this by throwing in dynamic DNS as well.
For the cheap VPS I went with Hetzner which offers a 2 core ARM virtual server with 4GB of ram, 40GB of disk space and 20TB of egress for € 3.3 a month.
I composed site version 2 out of a bunch of custom systemd jobs, a custom binary, a custom user account and some custom ssh configuration. The remaining thing that needs to change is to include caddy for hosting the files out of the sftp chroot. I did not want to manage a bunch of bespoke configuration files and settings, which led me to Nix and Guix.
I chose Nix for a couple reasons. Hetzner already provides Nix ISO's in their web UI. Nix builds upon systemd (which also allows it to infect other host distributions). I am a fan that Guix uses guile as opposed to its own bespoke language, but I am already spending enough innovation tokens on Nix to give up systemd too.
I won't bore you with what Nix/Guix is, but the nice thing is that I now have a file that can recreate the site version 3 from scratch on a new system. I am quite suprised by just how easy the process was. I hit one snag with my custom ssh configuration.
services.openssh = { enable = true; settings.PasswordAuthentication = false; settings.KbdInteractiveAuthentication = false; settings.PermitRootLogin = "no"; extraConfig = '' Match User <dads account> ChrootDirectory <dads sftp jail directory> ForceCommand internal-sftp PasswordAuthentication yes MaxAuthTries 6 Match all ''; }; </code></pre>
By setting `PasswordAuthentication</code> to false</code>, Nix` `disables unix authentication for PAM</a>. This means that <dads account></code> will never be able to login with the password I set. I rectified it by adding this line to my configuration.nix:`
# Allows the sftp stuff about to work security.pam.services.sshd.unixAuth = lib.mkForce true; </code></pre> # </a> Thoughts on Nix/Guix</h3> I like them. Some time during setup, I managed to get to a wonky state where all environment variables were unset. This caused every nix command to fail saying something about an undefined nix path environment variable. I started panicking but then some googling said to set variable to the nix store, and the rollback command worked and I was back to a golden state. The like hit when I wanted to view metrics on the VPS using prometheus/grafana. The diff to add that to my configuration: diff --git a/configuration.nix b/configuration.nix index 4dc89e6..7c33b0c 100644 --- a/configuration.nix +++ b/configuration.nix @@ -93,6 +93,7 @@ systemd.services.tailscaled.serviceConfig = { Environment = [ "TS_NO_LOGS_NO_SUPPORT=true" + "TS_PERMIT_CERT_UID=caddy" # let caddy get https certs ]; LogNamespace = "shadow-realm"; }; @@ -123,6 +124,17 @@ ''; }; + + services.prometheus = { + exporters = { + node = { + enable = true; + enabledCollectors = [ "systemd" ]; + port = 9100; + }; + }; + }; + # Allows the sftp stuff about to work security.pam.services.sshd.unixAuth = lib.mkForce true; security.doas.enable = true; @@ -227,6 +239,14 @@ file_server root * <sftp jail> ''; + virtualHosts."<tailscale host name>".extraConfig = '' + handle /metrics/node { + rewrite * /metrics + reverse_proxy localhost:${toString config.services.prometheus.exporters.node.port} + } + ''; }; # I don't want to install home manager for this </code></pre> This small diff ensures the following: Node exported up and running</li> Caddy and tailscale work together to ensure HTTPS on the private tailscale url</li> Caddy makes node exporter metrics available under /metrics/node</li> </ol> I then had to go to my local server (running arch btw) and install prometheus and grafana. I had two options: Use containers (which I am starting to hate and deserve their own rant blog post)</li> Use system packages</li> </ol> I opted for option 2, and made sure to copy the prometheus configuration to my git repository of rag tag files needed to recreate this server. Compared to using Nix it feels so archaic. It's not all sunshines and rainbows though, there are things I am not a fan of: (Nix) Most tutorials are out of date</li> (Nix) NixLang is ¯\_(ツ)_/¯ (could lua have worked?)</li> (Guix) Harder stance on Free packages (but it's super easy to add your own channel/packages)</li> </ol> Those are incredibly minor compared to the value these projects provide. In the future I am hoping to get rid of containers/docker on my local server and replace it entirely with Guix, and moving my desktop to one of them.



WTF Ubiquiti
2024-01-23T00:00:00+00:00
This is a rant.</p>
My previous AP was the Unifi AP AC-lite.
I bought it close to 10 years ago now.
I set it up once and never touched it again, until I had to change my SSID</a>.</p>
I decided to buy the UC6+ as the price is right, I already have POE available, it should</em> just be a straight upgrade.
The setup went smoother than last time.
I now have 2 access points so using the mobile app was actually viable.
I put in the SSID/password and a new username/password combination for login (after dodging the create cloud account prompt).
The new AP rebooted, I unplugged the old AP, everything was fine and dandy.</p>
SIKE!</p>
</p>
For some stupid ass reason (adoption?) the AP (at IP 10.0.0.3) spams for the host unifi</code> 85 THOUSAND TIMES a day.
That is almost one look up every second.
For reference the blurred out entry below the AP is my main computer at a modest 3 thousand requests.
At least program in some exponential back off.</p>
According to the ubiquiti subreddit this is no big issue and it's okay for the AP make these requests.
For reference the previous AP never did this.
This is newer behaviour on newer firmware.
To make this device shut up, a controller must pair and adopt it.
As pointed out in the linked blog post at the start, I do not have a unifi controller.</p>
The docker image for the all in one controller is no longer maintained, but it still works.
I had to jump through the same hoops making it clear that I do not want a cloud account.
The AP shut up after adoption, but then started trying to phone home to the mothership at trace.svc.ui.com</code>.
It continues to try and do that every 5 minutes.</p>
The real kicker comes when you shut down the controller.
The AP which is no longer able to communicate with the controller (even though it's in dumb standalone mode) will continue to spam requests to unifi</code> (every 5 seconds) and trace.svc.ui.com</code> (every 5 minutes).</p>
I don't want to fight with my network hardware.
I don't it to phone "home".
I don't want it part of a cloud offering.
I just need it to take the public connection from my ISP and make it available to my devices.</p>
I guess this is my fault for buying ubiquiti, but they used to be so good and there is no real pro-sumer alternative.
The silver lining to all this is that I can flash the AP with OpenWrt</a> but I'll need to get a USB/UART adapter.</p>


Year in review
2023-12-31T00:00:00+00:00
I thought I should do a recap for this year.
Though also for some typing practice.</p>
I started this year unemployed, and still burned out from the last job.
I do not remember the states of my finances, but I do get a new job later on</p>
In no particular order:</p>

    #
</a>
Momo</h3>
I got my cat Momo.
She is on the opposite end of the personality spectrum compared to Yar.
She is confident and unfazed by new people.
She even purrs at the vet.</p>
She is also overweight and wants to eat everything.
I had to buy some fancy food bowls that specifically open for registered chips.
It has been an ordeal trying to keep the cats from each others food.
Momo is not allowed to eat Yar's food as she is fat and needs to lose weight.
Yar is not allowed to eat Momo's food as he has allergies and requires medication.</p>
She loves to play with toys.
Though so did Yar when he was her age (2).
He no longer cares much about them at 4.
We will see if she follows a similar route.</p>

    #
</a>
Hogwarts Legacy</h3>
This game sucked ass.
Complete waste of $102 CAD.
I wish I never bought and played it.
It shouldn't even be in this post but I want to vent about just how much of a let down that game is.
Incredible IP wasted on a subpar game.</p>

    #
</a>
My Partner</h3>
She left Canada to pursue her PhD in the states.
I am hoping to move there too to support her.
She has been having a rough time, but I think she will pull through.</p>

    #
</a>
Side stuff</h3>
Activity on my usent downloader has stalled since starting a new job.
It's hard to find time in the day to both gym and have time left over for programming after work.</p>
I have managed to rework my dad's site stuff for a third time, this time with NixOS.
There should be an upcoming blog post about it.</p>
The hard part, as mentioned before, is finding the time now that I employed again.</p>

    #
</a>
My old team</h3>
I got to meet my old team in person.
I quit right before there the company get together post COVID.
They are a nice and fun bunch but "stuck" at a crap company that pays too much 😉.</p>

    #
</a>
My new team</h3>
I started a new job and met my new team in person too!
The name of the place is Psiphon and they work in internet cencorship circumnavigation.
Smart folks that work primarily in go.
If there is one thing I am grateful for it's that I wont have to touch ruby again for a long time.</p>
Work culture at the company is unique, hands off and low meetings.
The company places a lot of trust in the employees to get the job done and I hope I don't betray that trust.
Not fired yet.</p>


Written in Dvorak
2023-10-26T00:00:00+00:00
These past weeks I have been learning to touch type Dvorak.
I have been using the lovely tool gtypist</code></a>.</p>
I wrote this entire post using the layout.
My typing speed took a considerable hit.
I average about 80 words per minute with QWERTY, but now I am down to 15.
Here's to hoping that it gets better with practice.</p>
Also this is messing with my vim muscle memory.
This took a considerable time to type out.</p>


ZFS, video files and compression
2023-09-07T00:00:00+00:00
Did this earlier this week and thought I would share.
My server stores video files for TV shows and movies I have watched.
Other types of files exist but it's almost entirely video files.
These take up quite a bit of space.</p>
The server consists of a single zpool, aptly named "mediafiles".
ZFS supports compression, but the default is to have it off.
Enabling compression is a single command away (man zfs-set</code> and man zfsprops</code>).
One thing to note, compression works going forward.
This means that existing files are not compressed, but any new files written to the pool will be.
If you do want to retroactively compress files, you will need to rewrite your files to disk (by moving and unmoving).</p>
This is what I did for my 12 TB of data.
If you are smarter than, or me from the future you would know this is an astoundingly stupid idea.
This is why:</p>

If you read the man page properly, a file has to be compressible by 7/8 of its original size for ZFS to consider it for compression</li>
Video files are already compressed, the codec determines the compression.</li>
</ol>
This means, that after I had put 12 TB of write load on my zpool, my compression remained at 1.00x.</p>
❯ doas zfs get all | rg compress
</span>mediafiles                  compressratio         1.00x                  -
</span>mediafiles                  compression           zstd                   local
</span></code></pre>
Yay 🤦.</p>


Lazy days are the best
2023-07-29T00:00:00+00:00
Today had nice weather.
Instead of doing anything I spent the day sunbathing with my cats.</p>
Lazy days are the best.</p>


Advertising Works
2023-03-02T00:00:00+00:00
It's no secret that I despise ads</a>.
I go out of my way to block them where and when I can.
I run a Pi-hole on my network, run uBlock Origin (and some other) extensions in my browser.
I avoid any product mentioned in a YouTube sponsored segment (y'all already know which ones I'm talking about).</p>
One ad (that I've noticed so far) has managed to affect me and caused me to buy it's product.
I was in the grocery store the other day and found myself in the ice cream aisle.
I saw a box of Klondike Reese's ice cream bars.
I have never had a Klondike before this.
Instantly I thought of the tagline "What would you do for a Klondike bar?".
I have never seen a Klondike ad on TV/radio/movie, but I had seen tonnes of memes with the tagline in it.
It has its own page on Know Your Meme</a>.
It's also referred to in some music</a>.
I thought to myself "why not? Let's see if it lives up to the hype" and grabbed a box.</p>
It wasn't until I got home that I realized I had fallen for an ad.
I had fallen for an ad through memes, of all things!
For the record, it did not live up to the hype.</p>


Not enough ram
2023-01-18T00:00:00+00:00
I use a thinkpad flex 14 AMD laptop hooked up to my TV so that I can work in my living room.
This is to keep my cat happy, who for whatever reason, hates my office room.</p>
This thing has about six gigabytes of ram in it and I am constantly running into linux's oom (out of memory) killer.
I am not doing anything crazy either, in fact at the time of writing this blog post this is the output of free -h</code></p>
               total        used        free      shared  buff/cache   available
</span>Mem:           5.7Gi       3.6Gi       581Mi       120Mi       1.6Gi       1.7Gi
</span>Swap:             0B          0B          0B
</span></code></pre>
The processes I am running:</p>

KDE</li>
firefox</li>
kitty</li>
tmux</li>
neovim</li>
</ol>
Of these the biggest offender is firefox (4 tabs open by the way), the reason being web developers have lost the sauce.
Tabs are taking up more than 100mb a pop.</p>
WTF?</p>


Put some effort in for goodness sake
2022-12-06T00:00:00+00:00
Incredibly simple trick to figure out how lazy the programmers behind a company are, just view the transactional emails sent by said company as text instead of html.</p>
I made the switch over to plaintext email</a> a little over a year ago and it's just sad seeing how programmers at billion dollar companies drop the ball on this.
There will be stray html tags like <ul></code> or <li></code> inside the email, the formatting is just horrendous. Or my personal favourite, from Charles Schwab, a nicely formatted message saying that the content belongs solely to the html message.</p>


    
</div>
If you view the raw message, you will see the access code nested inside a HUGE chunk of useless html.</p>


    
</div>
This 6 digit code needed for login is somehow magically only for html emails 🙄.</p>

    #
</a>
How is this lazy/bad?</h3>
Sending multipart emails is stupid simple, every web framework has an easy way to send email that has an argument for plaintext and html message bodies.
For example here is django</a>'s documentation, and here is rails</a>'.
The effort to support plaintext is negligible.
Yet somehow nearly every company and their development team manages to fuck it up.</p>
Y'all get paid too much money to be half-assing things like this.</p>


Thankful for offline documentation
2022-12-02T00:00:00+00:00
I am on a transatlantic flight from Europe to Canada.
Internet is not available.
Well, technically it's available, but it it's rated at 120mb for 60 Swiss Francs which is  outside of my price range.</p>
Before the flight I downloaded the first day's first part problem from Advent of Code</a> (AoC).
I wanted to practice both go and rust (and ideally zig as well).
I am not well versed in any of these languages, and when working on side projects I need to google. A lot.
As mentioned in the opening paragraph that is impossible for me.
This is when I discovered that both of these wonderful languages (skipped zig for now) have their documentation available offline.</p>
For go, you can use go doc</code> and there is tab completion (at least on arch with fish) that lets you explore the entirety of the standard library through your console.
For rust,  there is rustup doc</code> which opens the standard library in your browser via local files.
This also includes a couple handy books, like the cargo book and rustc book as well as rust by example (though some of the links still link to the web).
It also has a functioning search which came in handy.
I could not find a zig counterpart (at least from man zig</code> and zig --help</code>).</p>
After creating a solution in both go and rust, I ended up committing the target directory.
I git rm</code>'d it and wanted to add a top level rule to prevent myself from repeating this mistake for future problems for AoC.
The problem was I forgot what the glob syntax was, which I could not google, but there exists man 5 gitignore</code> which had everything I needed in it.</p>
The other thing I realized is my phone is pretty useless without data.
I have a single game on it that works offline and some songs downloaded on Spotify.
The game is pretty boring and can in no way fill up 8 hours of flight time.
The songs I have already heard a hundred times over.
For everything else it's dead weight in my pocket.</p>
A future action item for myself might be to have more offline activities to do as I forgot to pack my books.
This experience makes me thankful for useful man pages and offline docs.
It's near impossible to do anything offline nowadays thanks to everything being a SaaS.
It also makes me a bit sad that my computer and phone are just expensive web portals.</p>


Italian coffee kind of sucks
2022-11-26T00:00:00+00:00
I have always wanted to go to Italy, namely for the food and the coffee</a>.
Imagine my surprise when I went to Italy (Rome + Naples) and found the coffee to not live up to its hype.</p>

    #
</a>
Why does it suck?</h3>
Saying it sucks is a bit harsh but here are the main reasons why I did not enjoy it:</p>

They use robusta beans</li>
Italians like their dark roast (even at specialty shops)</li>
</ol>

    #
</a>
What's wrong with robusta?</h3>
Robusta generally tastes reminds of Tim Hortons/Starbucks coffee.
It's woody, burnt, just dark and unpleasant.</p>
I prefer lighter roast arabica coffee.
These tend to have that fruity fermented flavour.</p>

    #
</a>
What about specialty shops?</h3>
Italy is traditional country and has been slow to adopt to the third wave coffee movement.
That said, there are still some specialty shops that you can find but as mentioned above the beans are darkly roasted, to appeal to the classic flavour Italians like.</p>

    #
</a>
What do you like about Italian coffee?</h3>

The culture</li>
The price</li>
</ol>
The biggest culture shock is that you pay after you have consumed your coffee.
You line up at the counter and place your order then go pay at the register when you finish.
Though there are some stores where you first need to buy ticket which you hand to the barista.
I have not found an easy way to discern between these two systems.</p>
Cappuccino is for the morning, eaten with a pastry.
Then espresso (a café) for the rest of the day.
You generally have an espresso after dinner as dessert.</p>
Back home I make myself a latte in the morning and have a decaf espresso in the evening.
I am going to start incorporating some form of sugar in the morning (maybe on the weekends) assuming I can fit it into my calorie budget.</p>


Status update, August 2022
2022-08-29T00:00:00+00:00
Damn it has been a long time since I have posted anything on my blog.
The biggest difference between then and now is that I have quit my job.</p>

    #
</a>
Why?</h3>
I was not happy.
For those who know me, it's no secret that I don't enjoy web development.
Doubly so, if its with rails.
I feel like I have not learnt anything new despite being at the job for two years.
Web development isn't a technically deep field, once you know how to throw objects in a database and how to display them there's not much left to do.</p>
I am in a position where not having employment for a while is not a big deal.
This means that I can spend my time doing what I want to do, instead of using it primarily for work.
Coupled with the fact that I have my citizenship and new passport, I want to enjoy as much time off work as possible.</p>

    #
</a>
What comes next?</h3>
For now, a lot of rest and relaxation.
It's possible to enjoy the sun instead of wasting it indoors working.
I do have some side projects that I want to work on, focused on learning things I did not get the oppurtunity to work on at my previous employment.</p>
I will be trying to write more, as now I have enough time to do so.
Plus it gives me motivation to actually complete the projects that I write about.
The act of writing things down supposedly increases the chances that those things will actually get done.</p>
My funds will deplete, and I will need to seek employment again, but until then I want to complete as much of my projects done as possible, as well as some well deserved travelling done.</p>


Status Update
2022-05-02T00:00:00+00:00
Well it's been a sold three months since my last blog entry.
Not a lot has happened, but at the same time some stuff has.</p>
Most importantly, I, at long last, have gotten my Canadian citizenship.
This has been 14 years in the making.
I am now awaiting for the processing of my passport application so that I can have that sweet Canadian traveling privilege.</p>
With relation to my blog, there is nothing that I have felt like blogging about.
I sold my condo and moved into a rental.
I wanted to write up a post about all the lessons learnt from that ordeal, but I could not bring myself to do so.
I do not like writing, and there is nothing interesting that I have done.
This is why this post is just a status update.</p>

    #
</a>
Real world stuff</h2>

I own a couch now (technically a love seat, since a couch would not fit through my door).</li>
I own a coffee table, as well as a cabinet for the bathroom.</li>
The gym is going well, muscle is starting to come back

bench is at a plate 25</li>
squat is at 2 plates</li>
deadlift is at 3 plates</li>
overhead shoulder press is at 35</li>
</ol>
</li>
</ol>
My weight is gradually coming down.
My goal is to have all my covid weight gone by next year.
My right arm is pretty weak compared to my left, this makes sense given my injuries.
My grip strength is preventing me from attempting higher weights (at least for deadlift).</p>
I want to get a second cat.
I worry that Yar gets bored during the day.
I can't play with him during work, and I am too exhausted after the gym.
His previous owners donated him to the humane society because he didn't place nice with other pets, so getting another cat is probably not the best idea.</p>

    #
</a>
Digital stuff</h2>
I am constantly fidgeting with my lua scripts for neovim, it's quite fun.
I want to use fennel instead but have been procrastinating.
There's the overhead of running a VM inside of neovim, but I can also use the AOT compilation to just output lua files.</p>
I have had the pleasure of using Go at my day job.
After years of python and ruby, it's a breath of fresh air.
Plus it feels like a modern day C, which earns it a lot of brownie points in my book.</p>
Rust seems cool, but is just so darn overcomplicated.
I want to like it, but there are a couple things that just rub me the wrong way:</p>

It feels more like C++ than C</li>
cargo</code> feels like npm</code>.
To do anything useful you'll need to cargo add</code> your way through a lot of things.
It does not help that every guide for rust encourages this behaviour.</li>
Code in the wild is unreadable.</li>
The rust fan's rub me the wrong way and treat the language the "end all be all" of programming languages.</li>
</ol>
The whole cargo</code> aspect of rust is also what makes it hard to include in existing projects (e.g. linux).
Offline and reproducible builds are important and modern languages just poop all over it.</p>
I have been trying to contribute packages to Guix, as well as use it more.
It's a neat piece of tech, but not as popular as it's counterpart, nix.
Part of my dislike of rust also comes from trying to package binaries for it, see the above point about reproducibility.</p>
A language that excites me is Zig.
It seems to embody everything I love in a programming language, fingers crossed for the 1.0 launch.
I have an idea or two of what I would like to build with it, but between work and gym, I don't have much time or energy to do anything in my free time.</p>


Lessons learnt from exposing my server to the internet part 2
2022-02-26T00:00:00+00:00
Not too long ago, I had written about how I exposed my ssh port onto the internet</a> (for use by my dad).
I had also written about how I started experiencing attacks on said port and what I did to harden against it</a>.
This is the next (fingers crossed, last) step in my hardening of my server from the outside world.</p>
What had happened was a determined script kiddie wanted in to my server.
This person was trying to brute force, from seemingly infinite IP addresses.
Using an IP lookup, they were coming from cloud providers such as digital ocean and alibaba cloud.
The script kiddie was smart enough to figure out that I banned on every third failure, so they changed their attack to try twice before switching ips.
This brute force attempt went for days.
As far as I can tell they were not able to gain access to my system, after all I had disabled login passwords so without a trusted ssh key nothing was to be had.
My ssshguard blacklist grew from <10 to almost 1000 ips.
Since this was taking up precious CPU cycles and disk space (from logging all these attempts) I decided to move to more extreme measures.</p>
I changed sshguard to blacklist after a single failed attempt and to remember blocked ips for 100x longer.
This solution worked for a while, but then it ended up banning my own dad.
My dad (as mentioned before) is not tech savvy.
This means that he will (and did) mess up his password, or switch around his username.
From a security POV it's damn near impossible to tell the difference between an unlucky user trying to login versus an attacker trying to gain access to your system.
I resorted to whitelisting his IP for his specific user, and removed his IP from the sshguard blacklist (and iptables rules).
This would work until a) his IP changed or b) he inevitably messes up his password again and ends up banned again.
Neither is a perfect solution.</p>
I had given some thought to setting up wireguard or similar VPN solution and having my dad use that, but remember a ssh key was too much for him.
Then I came across tailscale</a>.
The beauty about tailscale is that they have a generous free tier (which also allows sharing machines to other free accounts).
They also have incredibly simple to setup clients for every os.
Within a 10 minute call I was able to get my dad setup and have him access my server.
This means that I no longer need to have an ssh port exposed nor have sshguard running.
Using tailscale also means that I can ease up on my draconian sshd configurations and allow my dad more login attempts and longer login grace period, all without having to worry about attackers taking advantage of it.</p>
Another killer feature of tailscale is that you can write tests</a> inside your access control configuration to ensure that no changes break any assumptions the tests test for.
In my case I use them to ensure that my dad can access port 22 and nothing else on my server (I have a couple other ports that I use that I do not want him to have access to).</p>
All in all, I am kind of sad that I had to end relying on such a solution, but malicious actors are why we can't have nice things.
Also major props to tailscale for having an install process and a client so simple that my father can install and use it without constant help.</p>


The pain of updating my SSID with Unifi (AP AC-lite)
2022-01-14T00:00:00+00:00
As the title suggests, I have a Unifi AP AC-lite that I use to serve wireless in my home, paired with an EdgeRouter PoE.
This is my story of trying to change my wireless SSID.</p>

    #
</a>
Step 1. The mobile app</h2>
Unifi provides a mobile app that should, supposedly, make managing your ubiquiti network easier.
I installed it with hopes of this being a quick and simple process (spoiler alert: it wasn't).</p>
The first thing the mobile app asks for is to connect to your ubiquiti controller (and ubiquiti account).
I do not have a ubiquiti controller (or account).
The app does present another option of connecting to a standalone AP (which I do have). </p>
Upon selecting this option it presents you with a screen saying the AP needs to be in factory setup mode (glowing white ring) for the app to connect to it.
The catch-22 here is that if I reset my AP, how is my phone (and thus the app) going to connect to my network as the AP?
The AP is my sole method of providing wifi in my household.</p>
When you factory reset the AP, it has a default network it broadcasts that requires it MAC address to connect to.
You can scan QR code on the back of the AP to speed up this process.
After resetting my AP, the app refused to connect to it even with the code scan process.
As of now I no longer have a useable wireless network in my home.</p>
I google'd around for folks who were experiencing a similar issue and found this</a> post.
Turns out my AP was running firmware version 3.something.
To use the app I would need to update to the latest firmware version.
To do this I had to ssh into my AP (default username/password is ubnt</code>/ubnt</code>) and run the commands listed in the link.
After upgrading my firmware, the app still failed to connect/find the AP.
Yippee.</p>

    #
</a>
Step 2. Unifi controller</h2>
At this point, my remaining option was to get the unifi controller/application running.
The unifi controller is a chunky boy.
An AUR package is available as unifi</a> and look at those dependencies.
You need mongodb and java to run it.
The build of mongodb fails with the following error</a>.
At this point it's around 1 a.m. and my patience is running thin.
I found a docker image</a> provided by the lovely folks at LinuxServer.io</a>.
This came with some special instructions around setting the inform url (since docker internal IPs are not the same your network IPs).</p>
And boom, at long last I updated my SSID 🥲.</p>

    #
</a>
Conclusion</h2>
This whole processed sucked ass.
No other way to put it.
Ubiquiti want you to use their app, they want you to use their controller application, they want you to have an account.
All I want, is just to access my router's or AP's interface and change my wireless network name. </p>


Converting my init.vim to lua
2021-12-14T00:00:00+00:00
I use neovim as my main driver for all my coding and text editing needs.
They released version 0.5 (up to 0.6 now) which supports having your vim configuration in lua (5.1 via LuaJIT) instead of in vimscript</a>.</p>
I've never used lua before but it's a nice small language. LuaJIT is also crazy fast.
You can find most of what you need to know with either :h lua</code> and some syntax reference</a>.
One of the nicest changes is the ability to use maps for storing configuration for plugins. For example the following ale</a> configuration:</p>
let </span>g:ale_fixers = {
</span>\   </span>'*'</span>: [</span>'remove_trailing_lines'</span>, </span>'trim_whitespace'</span>],
</span>\   </span>'python'</span>: [</span>'autopep8'</span>, </span>'black'</span>, </span>'isort'</span>],
</span>\   </span>'javascript'</span>: [</span>'eslint'</span>],
</span>\   </span>'vue'</span>: [</span>'eslint'</span>],
</span>\   </span>'dhall'</span>: [</span>'dhall-format'</span>],
</span>\   </span>'go'</span>: [</span>'gofmt'</span>],
</span>\   </span>'rust'</span>: [</span>'rustfmt'</span>]
</span>\</span>}
</span></code></pre>
Becomes this:</p>
vim</span>.</span>g</span>.</span>ale_fixers </span>= </span>{
</span>    [</span>"*"</span>] </span>= </span>{ </span>"remove_trailing_lines"</span>, </span>"trim_whitespace" </span>}</span>,
</span>    </span>python </span>= </span>{ </span>"autopep8"</span>, </span>"black"</span>, </span>"isort" </span>}</span>,
</span>    </span>javascript </span>= </span>{ </span>"eslint" </span>}</span>,
</span>    </span>vue </span>= </span>{ </span>"eslint" </span>}</span>,
</span>    </span>dhall </span>= </span>{ </span>"dhall-format" </span>}</span>,
</span>    </span>go </span>= </span>{ </span>"gofmt" </span>}</span>,
</span>    </span>rust </span>= </span>{ </span>"rustfmt" </span>}
</span>}
</span></code></pre>
Some rough spots still exist (e.g. auto commands) but there is a nice vim.cmd</code> escape hatch that can still take regular vimscript. Super excited to see what else is in store for this project!</p>


Lessons learnt from exposing my server to the internet
2021-11-04T00:00:00+00:00
My previous post</a> was about how I setup a SFTP server for my dad.
This post is going to be about all the things I learned about exposing your server to the internet.</p>

    #
</a>
Unable to login</h2>
About a week after I exposed my server via SFTP to the world, I wanted to log in to my server to do some maintenance.
Much to my shock, my server was unresponsive to my regular ssh commands.</p>
This is when the panic started setting in.
My server lives in my home close to my desktop computer.
The server appeared to be still on, the lights were still on and the fans were still spinning.
I resisted the urge to reboot it and try to ssh again, as I wanted to know why</strong> I could not ssh in.</p>
I temporarily repurposed my second monitor on my desktop and plugged in an extra keyboard that I had.
The standard login prompt greeted me, which meant the server was not dead and I was able to login.</p>
I checked the status of the ssh process with a systemctl status sshd</code> and (un)surprisingly it's dead.
The next step was to figure out why it's dead.
This started with looking at the logs via journalctl -b -t sshd</code></p>
Loads of similar lines
</span>---
</span>Oct 08 11:04:33 server sshd[245607]: Unable to negotiate with 86.111.187.162 port 36589: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie>
</span>Oct 08 11:04:33 server sshd[245610]: Unable to negotiate with 86.111.187.162 port 36596: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie>
</span>Oct 08 11:04:33 server sshd[245618]: Unable to negotiate with 86.111.187.162 port 36605: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie>
</span>Oct 08 11:04:33 server sshd[245622]: Unable to negotiate with 86.111.187.162 port 36616: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie>
</span>Oct 08 11:04:34 server sshd[245628]: Unable to negotiate with 86.111.187.162 port 36623: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie>
</span>Oct 08 11:04:34 server sshd[245632]: Unable to negotiate with 86.111.187.162 port 36634: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie>
</span>Oct 08 11:04:34 server sshd[245636]: Unable to negotiate with 86.111.187.162 port 36647: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie>
</span>Oct 08 11:04:34 server sshd[245640]: Unable to negotiate with 86.111.187.162 port 36652: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie>
</span></code></pre>
Oh.</p>
Looked like folks over the internet were having a blast trying to break into the server.
The first step I needed to take was to free up my monitor and keyboard and go back to the comfort of working from my desktop.
A simple systemctl start sshd</code> was all that was needed.</p>

    #
</a>
Remediation</h2>
It's clear that I need to harden my ssh setup.
I already the following setup:</p>

root login disabled</li>
password logins disabled (with the exception being the SFTP user)</li>
</ol>
From the logs, looks like no one has even figured out username for the ftp user and the password for it's a long generated one via Bitwarden.
The first thing I did was reduce MaxAuthTries</code> to 1.
The reasoning was pretty simple, either you know how to get in or you don't.</p>
The next steps were to consult the arch wiki</a>!</p>
Turned out I had already taken most of the necessary steps.
I was just missing a rate limiting/blacklisting solution.
I settled on using sshguard</code> combined with ufw</code>.
I verified with my dad that he could still login and do his work.</p>
Fingers crossed, this would be the last time I would have to deal with something like this.</p>

    #
</a>
Results</h2>
My server has been up and running ever since with no issue to ssh.
I have also installed netdata</code></a> and made it accessible solely over the local network.
This is just to give me a birds eye view of what is going on with my server without having to ssh in.</p>
Taking a quick look at logs shows me that sshguard is working as intended</p>
Nov 03 14:27:28 server sshguard[1006]: Attack from "176.111.173.238" on service SSH with danger 10.
</span>Nov 03 14:27:28 server sshguard[1006]: Blocking "176.111.173.238/32" forever (REDACTED)
</span></code></pre>


SFTP is super awesome
2021-09-27T00:00:00+00:00
My dad has a site that he has been working on since the windows 3.1 days.
It's static site and up until now he had been paying a little over a hundred dollars a year to have it hosted.</p>
This came up during the winter of last year, where he had to pay for a renewal for his domain as well as his hosting.
The hosting company did not accept payment from where he's located, so he asked me to handle the payments on his behalf.
This is when I realized that he has been overpaying for a service that you can get without paying (e.g GitLab pages).
There was no getting away from the cost of the domain name, that's just the nature of having your own domain, but hosting (for static sites) can be costless.</p>
His current workflow was to make changes on his computer then upload the files via ftp to the hosting platform.
These files are served out of the ftp directory to the web.</p>
Getting my dad to use git was a no go from the start.
As much as I like it and use it everyday for personal and professional use, it isn't beginner friendly.
In fact there's a good chunk of professional programmers that cannot use it properly either.
On top of learning the git commands and workflow he would also need to understand ssh keys which are not that easy to explain either (or why they are important).
Especially coming from the old ftp workflow.</p>

    #
</a>
The solution</h1>
I still wanted to his site backed by git.
I think it's a great idea as it gives us source control instead of just files that live on his hard drive.
Having a git repository also lets me take advantage of the free hosting that GitLab pages provides.</p>
This means I would need to be able to provide a ftp like interface that ties into a git repository.
My first thought was that I need something that I can watch a directory for file system events, and after a set delay execute some commands.
Watchman</a> exists but its a little heavy handed for what I needed.</p>
I decided to write my own tool dcmd</code></a>.
This also gave me a convenient excuse to dabble in rust some more.</p>
This would cover the committing + pushing part of our solution.
All that I had to do was to provide ftp interface that pointed to the relevant part of the git project.</p>
I originally wanted to use vsftp</code> as it's included in arch's community repository.
At moment it seems to not be working (core dumps on access) as well as out of date.
The other thing I did not like about vsftp</code> is that it's underlying protocol is ftp and ftp is not secure (sends password over plain text).</p>
This is where SFTP comes in.</p>
It's provided by default by OpenSSH and as the S</code> indicates it's more secure.
I would need to do the following to get it setup</p>

Create a SFTP user</li>
Create a chroot jail for the user</li>
Create a symlink in the jail that maps to the static files in the git repository</li>
Edit my sshd_config</code> file to use the jail</li>
</ol>
Now I mentioned before that my dad is not familiar with ssh (and ssh keys) so I would need a password for him.
On my server I disable password logins for security.
I thought this would be a problem but turns out we can have both out of the box.
All I needed to add to my configuration was this:</p>
<Rest of config>
</span>
</span>Match User <my sftp user>
</span>        ChrootDirectory <path to my jail>
</span>        ForceCommand internal-sftp
</span>        PasswordAuthentication yes
</span>Match all
</span></code></pre>
This forces the SFTP user to the jail and allows it to login using a password.
I had concerns that this would also grant ssh access to my machine but turns out it does not:</p>
❯ ssh <user>@<host>
</span><user>@<hosts>'s password:
</span>This service allows sftp connections only.
</span>Connection to <host> closed.
</span></code></pre>
Even if the password gets leaked I can be sure that my server remains secured (and why the title of this post is about SFTP being awesome).</p>
The last thing I wanted to do is limit the blast radius if somehow the git credentials were compromised.
Basically I do not want to lose any commits or have the repository deleted.
For this I ended up creating a "bot" account on GitLab (just a fresh account) and gave it its own ssh keys.
This bot would then have developer (not maintainer) access to the git project.
This means the bot can push directly to the repository and have CI run and deploy to pages, but it can't change repository settings or force push.</p>
The one other thing I was missing a systemd service file for dcmd</code> that would ensure it keeps running.
This was simple enough (I've done it before for other things) and there's a crap ton of resources on the internet for it (including the systemd man pages) so I won't be pasting the service file here.</p>
The last thing to do before handing the credentials over to my dad was to make sure that this whole setup actually worked.</p>
I SFTP'd in with the user I had set up and this is when I found out that you can't symlink to directories out of the chroot jail.
This kind of makes sense and it would not be a good jail if the user could access files outside of it.</p>
A bind mount remedied this problem.</p>
mount --bind src_dir target_dir
</span></code></pre>
Bind mounts basically copies a directory over to another place, but they point to the same files in the file system.
This means that if the files are added/removed in the SFTP directory they are also modified in the git repository.
This lets dcmd</code> do its job and create a commit and push it.</p>
My dad confirmed that the credentials worked for him and he can go back to his old workflow.
The difference this time is his work is now preserved somewhere else other than his computer and he gets to save some money! :D</p>
This was a super fun side project and I can already think of some improvements to dcmd</code> if I ever want dabble in rust some more.
It's a nice feeling when I can use my expertise/skills to help out my dad.</p>


Going back to the gym
2021-09-14T00:00:00+00:00
The province that I am in lifted covid restrictions for the gym.
I used to work out a lot before covid, during the pandemic I have co-opted more of a sedentary lifestyle.</p>
I signed up for a new membership as soon as possible to the closest gym.
The first workout (per body part) always sucks.</p>

The weights that I am able to lift is far below what I used to be able to do</li>
I am going to be sore for days after the workout and the worked out body parts will be quite useless</li>
</ol>
Despite the pain, it's a pleasant experience.
It has a huge improvement on my mood, though going outside might also contribute to that.
I am super hoping that the government does not lock things down now that vaccine administration is nearing 80ish percent.</p>
My old gym goal used to be a 600 lb deadlift before I was 30.
I think it might be doable to achieve by 35 (sitting pretty at 135 lbs at the moment).</p>
Oh and in other happier news, the vertigo has gone (more like I just got used to it)!
At the least it has not affected any of my workouts and I hope it remains that way.</p>


Vertigo
2021-06-28T00:00:00+00:00
For the first time in my life I have gotten vertigo.
It's not clear from where I got it, or how.
All I know is that it sucks quite a bit.</p>
Here's to hoping it passes soon and my body adjusts to my new sense of balance.</p>


Django Rest Framework
2021-05-12T00:00:00+00:00
In one of my previous roles I had to use Django Rest Framework</a> (drf)
to make APIs and I enjoyed it. It fit my mental model for building robust APIs.</p>
My mental model is as follows:</p>

A user sends a request</li>
Check auth</li>
Check request body (do we have the right fields/structure)</li>
Perform basic validation (types)</li>
Perform business logic validation</li>
Persist to data store</li>
</ol>
drf makes this super easy with its serializers. Views + permissions take care of auth in most cases and serializers do the rest.</p>
A small amount noob traps do exist.</p>

    #
</a>
Using ModelSerializer</h3>
This is the first trap most people fall into.
ModelSerializers are convenient when prototyping but most of the time the input that you want from a user does not map nicely onto an existing model.
This is true the larger/more complex your web API gets.</p>

    #
</a>
Trying to use the same serializer for update and create</h3>
This is another noob trap that ends up resulting in some crazy complex and hard to follow code.
Most of the time it turns out the logic you want for create operations ends up being quite different from the logic you want when it comes to update operations.
This results in a lot of validation code that depends on the existence of self.instance</code>.</p>
It's trivially easy to switch out</a> which serializer gets used based on action</p>
Using a serializer per action lets you have nicely segregated logic per verb per endpoint.
This makes it super clear what code gets run for POST /something</code> vs PUT /something</code> vs GET /something</code>.
This in turn leads pretty easy maintainability when needing to make a change as you can be sure a change to the behaviour of one action does not impact the others.
Which in turn leads to pretty easy testing, you just need to test each specific serializer plus its validation logic.</p>

    #
</a>
Not using a separate serializer for retrieve vs list</h3>
For reference a retrieve is asking for a single record i.e. GET /things/1</code> and list is asking for more than one record i.e. GET /things</code></p>
Generally the data you want in a detail view (retrieve) is different from the data you want in a list view and your serializers should reflect this.
Detail serializers might need to do a lot of extra look up to get related records to present a nice detailed record.</p>
A mistake I've seen made is folks end up using this same detail serializer for their list operations.
This results in an unholy amount of N+1 queries and abysmal performance.</p>

    #
</a>
Not using a separate serializer for read vs write operations</h3>
This is not quite a noob trap but it does go a long way in the simplification of code.
I find that more often than not you would like to receive data in a field as one type, but when returning the data it needs to be another type. e.g. Take in a foreign key but return a string from the related object.
drf does not make it easy to re-use a field if its a different type on the way out.
The maintainable/easy way out of this predicament is to just use a different serializer for incoming data vs outgoing.</p>

    #
</a>
Conclusion</h3>
The general takeaway from this is that you probably want to avoid using ModelSerializers and don't try to make a single serializer a one size fits all solution.</p>


Covid-19, condos and dogs
2021-04-13T00:00:00+00:00
It has been an interesting year (or two).
Covid has caused a lot of people to adopt new pets, myself included.
Why not? We're all home all the time anyway right?</p>
The issue with this is that I live in a condo (I'll get around to writing about all the joys of owning a condo).
This means if you, or your new dog, ends up making a lot noise (read: barking) all your neighbours suffer.
You can complain to the property manager and they can do something about it, but because of covid, your property manager probably doesn't care.
They didn't care before covid either, but they sure as hell don't now.</p>
These horrible dog owners then cause other issues with their pets.
Like pissing in the elevators.
Pissing on their balconies which then drip down to other units.
Taking a crap in the lobby.
Leaving their dog tied to a pole outside of the condo building while they are off doing w/e.</p>
If you are going to live in a condo, do yourself a favour and find one that has a strict no dog policy.</p>
Imran didn't you say you get a new pet as well?
Yeah, I got a cat.</p>


Upgrading my home server
2021-03-28T00:00:00+00:00
Like most nerds I have a home server that I use to serve media (via Plex) and maybe host some personal projects.</p>

    #
</a>
History</h1>
I built the first version of my server (I think) about 8ish years ago.
It's a simple and cheap setup.
The OS ended up being ubuntu server since it had been quite a while since I dabbled in setting up a distro from scratch.
This was the fastest way to have something up and running.
For storage the OS was on a small SSD plus a 3 TB hard drive for the data.
It had some ASRock motherboard that had a processor built into it and some negligible amount of ram.
It wasn't powerful but it got the job done.
It also started to struggle when streaming shows in 1080p.</p>
The first upgrade was changing the OS.
Though this isn't an "upgrade" I guess.
I switched to using arch instead of ubuntu since a rolling release distro is less hassle to keep updated.</p>
The next "upgrade" was switching from manually installed services to docker.
There was a two reasons for this:</p>

I wanted to learn about docker</li>
I had two python applications that started having clashing versions of dependencies</li>
</ol>
This was my first foray into using docker and was quite pleasant.
No more clashing dependencies and became a lot easier to bring up new services.
Not to mention it helped increased the reproducibility of the server.</p>
A couple years after that I got a i7 4790K + motherboard combo for a decent price.
This was my first major upgrade to it, no longer did it struggle to stream 1080p videos.</p>
A little while later I upgraded the ram to 16 GB because why not?
And soon thereafter I had to upgrade the storage drive since 3 TB was not cutting it anymore.</p>
I managed to grab five 3 TB Western Digital NAS red drives on sale during black Friday.
I decided to go with use a software raid, a coworker recommended ZFS so I went with that.
Creating a zpool with raidz1 was straight forward.</p>

    #
</a>
The present day</h1>
I have started running out of space on the zpool.
For this upgrade I decided on shucking some hard drives since it's hard to get regular hard drives at a competitive price.
For those that do not know what "shucking a hard drive" is, it's when you buy an external hard drive and rip it out of its enclosure.
The drives in these are typically "white label" drives but are still regular drives, just cheaper.</p>
I ended up getting five 14 TB WD easystore drives.
All ended up being white label EDFZ drives.
I ran badblocks</a> on them and verified there were no bad sectors.</p>
The next step was figuring out how I was going to transfer all my data off my old zpool onto this new one.
For reference my motherboard has 6 SATA ports, which are all in use.
One for the SSD and the other five for the 5×3 TB zpool.</p>
I decided to keep all the USB connectors on the drives attached as the motherboard had plenty of free USB ports.
This simplified the transfer process quite a bit.</p>
zpool</span> create new_pool raidz </span><</span>new drives</span>>
</span>zfs</span> snapshot old_pool@now
</span>zfs</span> send old_pool@now </span>| </span>zfs</span> recv</span> -F</span> new_pool
</span>zpool</span> export old_pool new_pool
</span>poweroff
</span># After powering back up
</span>zfs</span> set mountpoint=/old_mountpoint new_pool
</span></code></pre>
In order these commands do the following:</p>

Create a new zpool out of the new drives</li>
Create a snapshot of the data on the old zpool</li>
Send that snapshot over to the new zpool</li>
Let ZFS know I intend to physically disconnect both pools</li>
Turn off the machine

This lets me remove the USB adapters for the new drives and plug them in via SATA after disconnecting the old drives.</li>
</ol>
</li>
Change the mountpoint of the new zpool to be the same as the old zpool so applications can't tell the difference</li>
</ol>
I lucked out and singular drive out of the five needed to have the 3.3v pin taped over.
For why that was necessary I recommend watching this video: https://www.youtube.com/watch?v=1YqMn1pCRd8</a></p>
I super hope I do not have to upgrade again anytime soon!</p>


Running badblocks on a 14tb hard drive
2021-03-15T00:00:00+00:00
This is going to be my first time shucking hard drives.
I managed to get a couple 14tb WD easystores for about 20$/TB.
According to /r/datahoarders it's always a good idea to run badblocks on the
hard drives to make sure there are no faults.</p>
Since this is my first time it's better to err on the side of caution</p>
Well here is how long the command has been running for so far:</p>
</p>

EDIT</p>
The full time was almost a week.
Started at Wednesday 23:00 and finished at Wednesday 22:00</p>


Trying out James Hoffman's donut espresso
2021-03-15T00:00:00+00:00
Last week James Hoffman came out with a video</a> about how to make a tasty donut flavoured espresso drink.
The full recipe is here</a>.</p>
I wanted to try it but I had hard time getting donuts.
I ended up getting some generic donuts from my local grocery store (I forget to take a picture before making the recipe).</p>


    
</div>
Here are the donuts all chopped up and added to the pot, I ended up using oat milk:</p>


    
</div>
And here there are after 30 minutes of soaking and simmering:</p>


    
</div>
After chilling in the fridge over night here is the final filter.
I decided to use a reusable coffee filter.
In the future I would rather use a paper filter as the reusable filter did not survive this experiment. Ironic.</p>


    
</div>
And here is the finished product:</p>


    
</div>

    #
</a>
Thoughts</h3>
Over all pretty fun to make.
The end result was much too rich.
This is perhaps because I got the ratio of donut to milk wrong.
Since the donuts in the package were pretty small I thought I would use 8 donuts.
This was a miscalculation on my part as a Krispy Kreme donut weights in at 49 g (source</a>) and these donuts would be 550/12 (= ~46 g).
My resultant donut infused milk would be twice the concentration that it's supposed to be.</p>
I would not mind doing this again in the future (maybe make a recurring ritual out of it), but next time I should weigh my donuts before infusion.</p>


Python and multiline lambdas
2021-02-04T00:00:00+00:00
The title of this post should</em> be "Shut up about python and multi-line lambdas".
I browse HackerNews a bit more than I should, if I'm being honest.
Every now and again there will be a post involving python on the front page.
Predictably there will always be (at least) one person in the comments moaning about the lack of multi-line lambdas and how it's holding python back from being a "real" language.</p>
In python the lambda keyword is syntactic sugar.
There's no difference between a one line function and a lambda.
Here is the docs on lambdas: https://docs.python.org/3/reference/expressions.html#lambda</a></p>
Let's take a look at this using the python interpreter:</p>
>>> </span>def </span>func1</span>(a)</span>:
</span>...     </span>return </span>a </span>* </span>a
</span>...
</span>>>> </span>func2 </span>= </span>lambda </span>a </span>: a </span>* </span>a
</span>>>> </span>from </span>dis </span>import </span>dis
</span>>>> </span>dis</span>(func1)
</span>  </span>2           0 </span>LOAD_FAST                </span>0 </span>(a)
</span>              </span>2 </span>LOAD_FAST                </span>0 </span>(a)
</span>              </span>4 </span>BINARY_MULTIPLY
</span>              </span>6 </span>RETURN_VALUE
</span>>>> </span>dis</span>(func2)
</span>  </span>1           0 </span>LOAD_FAST                </span>0 </span>(a)
</span>              </span>2 </span>LOAD_FAST                </span>0 </span>(a)
</span>              </span>4 </span>BINARY_MULTIPLY
</span>              </span>6 </span>RETURN_VALUE
</span>>>>
</span></code></pre>
Look at that, they are the same.
They even have the same bytecode.</p>
Keeping in mind that functions are first class objects in python, it should be pretty easy to have a multi-line "lambda":</p>
def </span>some_func</span>(</span>some_list</span>):
</span>    </span>def </span>multiline_lambda</span>(</span>x</span>):
</span>        temp </span>= </span>x </span>+ </span>1
</span>        other_var </span>= </span>other_func</span>(x)
</span>        </span>return </span>temp </span>+ </span>other_var
</span>
</span>    r </span>= </span>map</span>(multiline_lambda</span>, </span>some_list)
</span></code></pre>
Then why, pray tell, does python have all these functional words and concepts without being "properly" functional?
Just to appeal to the masses, which is something Guido van Rossum regrets</a></p>


I love coffee
2021-01-31T00:00:00+00:00
I used to hate coffee.
I never understood why people enjoyed drinking coffee so much and so often.
Among my coworkers and friends it wasn't unheard of someone drinking 8 cups of coffee a day.
Though, to be fair, programmers generally seem to consume an unholy amount of coffee.</p>
To me coffee always tasted bad.
Everyone told me it's an acquired taste and that I would come around, but it just tasted so bad.
Coffee was harsh, bitter and tasted like something burnt so I just avoided it.
This worked well enough in the start of my career but soon I found myself relying on the occasional energy drink for a boost.
Now energy drinks aren't the healthiest thing for you, so one day I started to have coffee instead.
As noted before I REALLY</strong> did not like the taste of coffee.
To make it drinkable for myself I had to basically "drown" the coffee in milk to mask any of the "flavour" and chug it as fast as possible.
The whole process was rather unenjoyable, but hey, at least it's healthier than all the chemicals from energy drinks.</p>
A little while later I found myself working at a company that had a fully automatic coffee machine.
This thing was capable of making anything from regular drip to a sugary mocha.
I think</em> this</a> was the machine, or at least something that had a similar appearance.
I started having the super sugary mochas since they managed to mask the taste the coffee reasonably well and gave me that nice caffeine kick.</p>
Soon after I started working from home on Fridays since I signed up for a recreational sport league and would not be able to make the meet up time if I had to drive from the office.
The problem was when I was working from home I no longer had access to coffee.
I resorted to ordering my coffee from either McDonalds or Starbucks since I had a location for each within walking distance from my home.
This is when I started to notice the costs racking up.
Five to ten dollars for cup of coffee was a bit much.</p>
It's at this point that I started researching how to make coffee at home.
I was keen to continue making milk based drinks as I still didn't like the taste of coffee.
I would need an espresso machine to make lattes at home (switched up from mochas because of the sugar content).
I was not too keen on Nespresso as I tried a sample at one of their stores and damn it tasted bad.
After a lot of research, I concluded that I would need a grinder, a semi automatic machine and fresh roasted beans.</p>
I settled on a Barazta Encore</a>, a Gaggia Classic</a> and beans</a> from 49th parallel (so much for saving money 🤦).
I dialed in my shot and had a taste.
My goodness it's a night and day difference.
What I thought was a drink that's supposed to be harsh, dark and bitter actually tasted clean, bright and florally.
It was delicious and I got hooked.</p>
Now I don't claim that I pulled a god shot from the classic.
Light roasts are quite hard to get right with the hardware I had at the time.
I had even done an OPV mod</a> to bring the pressure to 9 bars.
The stark difference between quality fresh roasted beans and what was (and is) readily available was staggering.</p>
Turns out nearly every place has over roasted the life out of their beans.
You can see this when you walk into a Starbucks or second cup.
The hopper is full with incredibly oily beans (a sign of being over roasted).
All the coffee found on grocery store shelves (even Costco) is over roasted.
The reason is that over roasted beans tend have a longer shelf life than lighter (or properly) roasted beans and keep their "flavour" longer.
This is also the reason why all "mainstream" (I know hipster much) coffee tastes so bad.
It's because all the flavour has been roasted out of the beans.
If the coffee you are buying does not have a roast date on it, it most probably falls into this category.</p>
Turns out I didn't hate coffee per se, I just hated improperly made coffee.
Coffee, when done properly, is delicious and makes for quite the fun hobby.</p>


Replacing my fire TV with a pi + Kodi
2021-01-24T00:00:00+00:00
A while ago I wrote</a> about ads showing up on my TV player, which annoyed me.
To solve this annoyance I repurposed a raspberry pi</a> I had lying around into TV player over the winter holidays.</p>
All I needed to do was be able to access my Plex server and twitch.
One option was to install android</a> on the pi</a> and just use the official apps.
It looks like not even android TV is free from ads anymore (source</a>).</p>
In my previous post I had mentioned wanting to going for an osmc device</a>.
Upon further research I found out osmc actually runs on top of Kodi</a>.
Kodi is an open source (and ad free) piece of software that would be cable of doing what I wanted.
It comes with add-ons</a> for Plex and twitch (and more).
The installation and setup was incredibly straight forward thanks to LibreELEC</a>.
I highly recommend donating to either project if you use them:</p>

LibreELEC: https://libreelec.tv/contribute/</a></li>
Kodi: https://kodi.tv/contribute/donate</a></li>
</ul>
All I had to do was replace my fire TV with the pi.</p>
I am using a wireless keyboard + mouse combo to interact with the pi.
It's possible to use the fire TV remote with the pi (it's just a Bluetooth keyboard).
I live in a condo that has quite a fair amount of Bluetooth devices advertising themselves for pairing so its difficult to find the remote in the pairing list.
I may try again in the future as it's possible due to it being the holidays loads of folks were setting up new devices as well.</p>
For now though good riddance fire TV and good riddance to ads.</p>


I love linux
2021-01-05T00:00:00+00:00
I upgraded to linux 5.10 and noticed that LightDM</a> would fail to start consistently.
I was still able to switch to a different tty and startx</code> manually, after which everything would work fine.</p>
Looking at my journalctl -b</code> was interesting</p>
Jan 05 21:20:04 linux-desktop kernel: amdgpu 0000:28:00.0: [drm] fb0: amdgpudrmfb frame buffer device
</span>Jan 05 21:20:04 linux-desktop systemd[1]: lightdm.service: Scheduled restart job, restart counter is at 5.
</span>Jan 05 21:20:04 linux-desktop systemd[1]: Stopped Light Display Manager.
</span>Jan 05 21:20:04 linux-desktop audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=lightdm comm="systemd" exe="/usr/lib/systemd/system>
</span>Jan 05 21:20:04 linux-desktop audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=lightdm comm="systemd" exe="/usr/lib/systemd/systemd>
</span>Jan 05 21:20:04 linux-desktop systemd[1]: lightdm.service: Start request repeated too quickly.
</span>Jan 05 21:20:04 linux-desktop systemd[1]: lightdm.service: Failed with result 'exit-code'.
</span>Jan 05 21:20:04 linux-desktop systemd[1]: Failed to start Light Display Manager.
</span>Jan 05 21:20:04 linux-desktop kernel: amdgpu 0000:28:00.0: amdgpu: ring gfx_0.0.0 uses VM inv eng 0 on hub 0
</span>Jan 05 21:20:04 linux-desktop kernel: amdgpu 0000:28:00.0: amdgpu: ring comp_1.0.0 uses VM inv eng 1 on hub 0
</span>Jan 05 21:20:04 linux-desktop kernel: amdgpu 0000:28:00.0: amdgpu: ring comp_1.1.0 uses VM inv eng 4 on hub 0
</span>Jan 05 21:20:04 linux-desktop kernel: amdgpu 0000:28:00.0: amdgpu: ring comp_1.2.0 uses VM inv eng 5 on hub 0
</span>Jan 05 21:20:04 linux-desktop kernel: amdgpu 0000:28:00.0: amdgpu: ring comp_1.3.0 uses VM inv eng 6 on hub 0
</span>Jan 05 21:20:04 linux-desktop kernel: amdgpu 0000:28:00.0: amdgpu: ring comp_1.0.1 uses VM inv eng 7 on hub 0
</span>Jan 05 21:20:04 linux-desktop kernel: amdgpu 0000:28:00.0: amdgpu: ring comp_1.1.1 uses VM inv eng 8 on hub 0
</span>Jan 05 21:20:04 linux-desktop kernel: amdgpu 0000:28:00.0: amdgpu: ring comp_1.2.1 uses VM inv eng 9 on hub 0
</span>Jan 05 21:20:04 linux-desktop kernel: amdgpu 0000:28:00.0: amdgpu: ring comp_1.3.1 uses VM inv eng 10 on hub 0
</span>Jan 05 21:20:04 linux-desktop kernel: amdgpu 0000:28:00.0: amdgpu: ring kiq_2.1.0 uses VM inv eng 11 on hub 0
</span>Jan 05 21:20:04 linux-desktop kernel: amdgpu 0000:28:00.0: amdgpu: ring sdma0 uses VM inv eng 12 on hub 0
</span>Jan 05 21:20:04 linux-desktop kernel: amdgpu 0000:28:00.0: amdgpu: ring sdma1 uses VM inv eng 13 on hub 0
</span>Jan 05 21:20:04 linux-desktop kernel: amdgpu 0000:28:00.0: amdgpu: ring vcn_dec uses VM inv eng 0 on hub 1
</span>Jan 05 21:20:04 linux-desktop kernel: amdgpu 0000:28:00.0: amdgpu: ring vcn_enc0 uses VM inv eng 1 on hub 1
</span>Jan 05 21:20:04 linux-desktop kernel: amdgpu 0000:28:00.0: amdgpu: ring vcn_enc1 uses VM inv eng 4 on hub 1
</span>Jan 05 21:20:04 linux-desktop kernel: amdgpu 0000:28:00.0: amdgpu: ring jpeg_dec uses VM inv eng 5 on hub 1
</span>Jan 05 21:20:04 linux-desktop kernel: [drm] Initialized amdgpu 3.40.0 20150101 for 0000:28:00.0 on minor 0
</span>Jan 05 21:20:04 linux-desktop kernel: EDAC amd64: F17h_M70h detected (node 0).
</span>Jan 05 21:20:04 linux-desktop kernel: EDAC amd64: Node 0: DRAM ECC disabled.
</span>Jan 05 21:20:04 linux-desktop kernel: EDAC amd64: F17h_M70h detected (node 0).
</span></code></pre>
It looks like LightDM failed to start 5 times before the amdgpu</code> module initialized.
Looking at my Xorg.0.log</code> file confirmed this:</p>
[     5.874] (EE) open /dev/dri/card0: No such file or directory
</span>[     5.874] (WW) Falling back to old probe method for modesetting
</span>[     5.874] (EE) open /dev/dri/card0: No such file or directory
</span>[     5.874] (EE) Screen 0 deleted because of no matching config section.
</span>[     5.874] (II) UnloadModule: "modesetting"
</span>[     5.874] (EE) Device(s) detected, but none match those in the config file.
</span>[     5.874] (EE)
</span>Fatal server error:
</span>[     5.874] (EE) no screens found(EE)
</span>[     5.874] (EE)
</span>Please consult the The X.Org Foundation support
</span>	at http://wiki.x.org
</span> for help.
</span>[     5.874] (EE) Please also check the log file at "/var/log/Xorg.0.log" for additional information.
</span>[     5.874] (EE)
</span>[     5.874] (EE) Server terminated with error (1). Closing log file.
</span></code></pre>
The interesting part being open /dev/dri/card0: No such file or directory</code>.
The fix was actually pretty straightforward as this is a known issue on the ArchWiki</a>.
It's as simple as adding the following to your lightdm.conf</code></p>
   [LightDM]
</span>   logind-check-graphical=true
</span></code></pre>
After a reboot, LightDM is back to working!</p>
I enjoy the fact that:</p>

My operating system lets me debug it</li>
It has ample documentation and an active community around it.</li>
</ol>


Using Dhall to manage my docker-compose.yml
2020-12-27T00:00:00+00:00
I saw Dhall</a> mentioned on a job posting for NoRedInk.
I had never heard of it before but NoRedInk did create Elm</a> and are fond of functional tooling so it piqued my interest.</p>
For reference, Dhall is a simple language.
It's not Turing complete, but it's strongly typed.
It's primarily used for managing configuration files.
It has some helpers to output JSON/YML/bash, but you can also output to plain text.</p>
The website does a good job of showing what it can do and its use cases so I wont dive into those.
Converting my docker-compose.yaml</a> that I use to manage my media server was the first usecase I could think of.</p>
I wont be posting the full source but I hope I convey how much fun I had working with Dhall.</p>

    #
</a>
Experiment</h3>
I'll just be focusing on a small part of the docker-compose file, namely the ports.</p>
Let's say this is my compose file</p>
services</span>:
</span>  </span>plex</span>:
</span>    </span>image</span>: </span>linuxserver/plex:latest
</span>    </span>ports</span>:
</span>      - </span>32400:32400
</span>      - </span>32400:32400/udp
</span>    </span>environment</span>:
</span>      </span>VERSION</span>: </span>"latest"
</span></code></pre>
A quick translate over would get us</p>
let plex =
</span>      { image = "linuxserver/plex:latest"
</span>      , ports = [ "32400:32400", "32400:32400/udp" ]
</span>      , environment.VERSION = "latest"
</span>      }
</span>
</span>in  { services.plex = plex }
</span></code></pre>
When passed into dhall</code> gets us this:</p>
>>> dhall --file test.dhall
</span>
</span>{ services.plex
</span>  =
</span>  { environment.VERSION = "latest"
</span>  , image = "linuxserver/plex:latest"
</span>  , ports = [ "32400:32400", "32400:32400/udp" ]
</span>  }
</span>}
</span></code></pre>
dhall-to-yaml</code> produces the following:</p>
>>> dhall-to-yaml --file test.dhall
</span>
</span>services:
</span>  plex:
</span>    environment:
</span>      VERSION: latest
</span>    image: linuxserver/plex:latest
</span>    ports:
</span>      - "32400:32400"
</span>      - "32400:32400/udp"
</span></code></pre>
Which is the exact same file (keys are sorted so the output is deterministic).</p>
I always forget what order the ports should go (host:container) so let's take advantage of Dhall to make it easier on me.
Before I make any changes to the file I'm going to be grabbing the Dhall SHA so I can compare it to my refactored code's SHA, if they are equal then the output has not changed.</p>
>>> dhall hash --file test.dhall
</span>
</span>sha256:db23b00a8e79e084306b72ecc788f0b95579080c883cb72045a3ae6ea43999fd
</span></code></pre>
First lets move ports</code> into it's own variable and verify the hash</p>
let ports
</span>    : List Text
</span>    = [ "32400:32400", "32400:32400/udp" ]
</span>
</span>let plex =
</span>      { image = "linuxserver/plex:latest"
</span>      , ports
</span>      , environment.VERSION = "latest"
</span>      }
</span>
</span>in  { services.plex = plex }
</span></code></pre>
>>> dhall hash --file test.dhall
</span>
</span>sha256:db23b00a8e79e084306b72ecc788f0b95579080c883cb72045a3ae6ea43999fd
</span></code></pre>
OK we can be sure we didn't change our output at all. Don't worry about : List Text</code> that is just a type annotation.</p>
Lets start by making a type that we can store the port mapping in and a function to convert it to text.</p>
let PortMapping
</span>    : Type
</span>    = { host : Natural, container : Natural }
</span>
</span>let PortMapping/show
</span>    : PortMapping -> Text
</span>    = \(pm : PortMapping) ->
</span>        "${Natural/show pm.host}:${Natural/show pm.container}"
</span>
</span></code></pre>
Now we can supply the ports we want in any order and be confident the output order is correct.
Let's update ports</code> to use this new functionality.</p>
let ports
</span>    : List Text
</span>    = [ PortMapping/show { host = 32400, container = 32400 }
</span>      , "${PortMapping/show { host = 32400, container = 32400 }}/udp"
</span>      ]
</span>
</span></code></pre>
Our hash is still sha256:db23b00a8e79e084306b72ecc788f0b95579080c883cb72045a3ae6ea43999fd</code> so we haven't broken anything yet.</p>
This is better but we still need to do some string interpolation if we want to create a UDP port mapping.
The docker documentation</a> says the notation without /udp</code> or /tcp</code> will default to tcp.</p>
Let's create an enum that will represent these two and update our code to use it.</p>
let Port
</span>    : Type
</span>    = < tcp : PortMapping | udp : PortMapping >
</span>
</span>let Port/show
</span>    : Port -> Text
</span>    = \(p : Port) ->
</span>        merge
</span>          { tcp = PortMapping/show
</span>          , udp = \(pm : PortMapping) -> "${PortMapping/show pm}/udp"
</span>          }
</span>          p
</span>
</span>let ports
</span>    : List Text
</span>    = [ Port/show (Port.tcp { host = 32400, container = 32400 })
</span>      , Port/show (Port.udp { container = 32400, host = 32400 })
</span>      ]
</span></code></pre>
Much nicer! And our hash is still producing sha256:db23b00a8e79e084306b72ecc788f0b95579080c883cb72045a3ae6ea43999fd</code>.</p>
Now what would be even nicer is we did not have to specify the port twice if they are the same value.
Let's do that by expanding our Port</code> enum to supply a tcp_mirror</code> and a udp_mirror</code>.</p>
let Port
</span>    : Type
</span>    = < tcp : PortMapping
</span>      | udp : PortMapping
</span>      | tcp_mirror : Natural
</span>      | udp_mirror : Natural
</span>      >
</span>
</span>let Port/show
</span>    : Port -> Text
</span>    = \(p : Port) ->
</span>        let udpPortMapping = \(pm : PortMapping) -> "${PortMapping/show pm}/udp"
</span>
</span>        in  merge
</span>              { tcp = PortMapping/show
</span>              , udp = udpPortMapping
</span>              , tcp_mirror =
</span>                  \(port : Natural) ->
</span>                    PortMapping/show { host = port, container = port }
</span>              , udp_mirror =
</span>                  \(port : Natural) ->
</span>                    udpPortMapping { host = port, container = port }
</span>              }
</span>              p
</span>
</span>let ports
</span>    : List Text
</span>    = [ Port/show (Port.tcp_mirror 32400), Port/show (Port.udp_mirror 32400) ]
</span>
</span>-- sha256:db23b00a8e79e084306b72ecc788f0b95579080c883cb72045a3ae6ea43999fd
</span></code></pre>
We can include the List/map</code> function from Prelude</code></a> so we do not have manually transform our port list.</p>

    #
</a>
Final test.dhall</code></h4>
let List/map = https://prelude.dhall-lang.org/List/map
</span>
</span>let PortMapping
</span>    : Type
</span>    = { host : Natural, container : Natural }
</span>
</span>let PortMapping/show
</span>    : PortMapping -> Text
</span>    = \(pm : PortMapping) ->
</span>        "${Natural/show pm.host}:${Natural/show pm.container}"
</span>
</span>let Port
</span>    : Type
</span>    = < tcp : PortMapping
</span>      | udp : PortMapping
</span>      | tcp_mirror : Natural
</span>      | udp_mirror : Natural
</span>      >
</span>
</span>let Port/show
</span>    : Port -> Text
</span>    = \(p : Port) ->
</span>        let udpPortMapping = \(pm : PortMapping) -> "${PortMapping/show pm}/udp"
</span>
</span>        in  merge
</span>              { tcp = PortMapping/show
</span>              , udp = udpPortMapping
</span>              , tcp_mirror =
</span>                  \(port : Natural) ->
</span>                    PortMapping/show { host = port, container = port }
</span>              , udp_mirror =
</span>                  \(port : Natural) ->
</span>                    udpPortMapping { host = port, container = port }
</span>              }
</span>              p
</span>
</span>let portsList
</span>    : List Port
</span>    = [ Port.tcp_mirror 32400, Port.udp_mirror 32400 ]
</span>
</span>let plex =
</span>      { image = "linuxserver/plex:latest"
</span>      , ports = List/map Port Text Port/show portsList
</span>      , environment.VERSION = "latest"
</span>      }
</span>
</span>in  { services.plex = plex }
</span>
</span>-- sha256:db23b00a8e79e084306b72ecc788f0b95579080c883cb72045a3ae6ea43999fd
</span></code></pre>

    #
</a>
My Conclusion</h2>
Using Dhall is super fun.
I can totally see the usefulness in a shared team environment for managing configurations.
I think I went a bit overboard as my ~120 line compose file is now ~400 lines of Dhall code 😅.
Except now it's statically typed and it will be super easy to add new services to my server (or in context of the experiment, new ports to the Plex service).</p>


Stop showing me ads on my TV player
2020-12-21T00:00:00+00:00
I am a huge fan of dumb TV's made smart via a TV player, something along the likes of an apple TV or a Roku.</p>
The first device that I owned was the first generation of a google chromecast.
It worked decently enough, but it would struggle when trying to play back some of the more higher definition media that I had.</p>
I upgraded from the chromecast to a Roku 3.
It worked splendidly for a while, up until they decided to take up half the home screen with a giant ad.
This pissed me off. I already paid around $100-ish dollars for the damn thing.
And now they want to shove ads down my throat.</p>
I then upgraded to an amazon fire TV. These things were not available in Canada so I had to order it from the states.
It came out to about $150 and also worked fine for a short period of time.
That is until, you guessed it, they started showing ads on the home screen</a>.</p>
I am not against advertising and I understand why it exists and its use in free products.
The issue is that these things are not free (or cheap).
It sucks to pay for something and to have ads shown on top of that.
The shittier part is that ads are sometimes for amazon's own products like prime video or prime music.
I already have amazon prime. Why are you advertising these things to me?
I paid for the hardware and have a subscription on top of that. Why am I getting ads?
How much money is enough money?</p>
This pissed me off enough that I spent my evening trying to get rid of them.
FTVLaunchX</a> is an project that will let you set your launcher to anything else.
There's also aptoide</a> that's worth mentioning (install untrusted apps at your own risk).</p>
When I feel like spending some more money (yet again) for an ad free experience I will go for a vera from https://osmc.tv/</a></p>
Please for goodness sake, stop showing me ads on my TV streamer!
All I need you to do is stream content from my local network to my TV!
If you want to show me ads, at least let me get the hardware without paying, otherwise bugger off.</p>


Goodbye Google Play Music
2020-11-30T00:00:00+00:00
This weekend I spent some time migrating my music off Google Play Music to Spotify.</p>
I am going to miss its auto generated radio stations which helped introduce me to a lot of new music.</p>
The last Google product that I actually enjoyed was Google Inbox, which was subsequently also killed.
With this I am probably not going to be buying into any new Google products.</p>
The lesson learnt is that do not pay for a service that is not the primary income
for that company. Otherwise you do not have any garauntees that they wont kill
the service off once they're bored with it.</p>
Here's to hoping Spotify won't shut down in the immediate future.</p>


Moving my blog to zola
2020-11-29T00:00:00+00:00
I decided to move my blog to Zola</a> instead of Docusaurus.
They are both static site generators, but Zola is much faster.</p>
Heres a Docusaurus build:</p>
</p>
And heres a Zola build:</p>
</p>


My first time using rust
2020-11-01T00:00:00+00:00
Replacing one of my shell scripts with a compiled binary using rust.</p>


The wonders of a proxy auto-config (PAC) file
2020-10-12T00:00:00+00:00
How I improved my work from home setup using a proxy auto-config</a> (PAC) file.</p>

My last couple of roles have had me using a MacBook Pro to develop on. I don't
any qualms against mac os and much rather prefer it to a windows , though
ideally I would like to use linux as it's what I use on my desktop computer.</p>
As far as development goes I use the command line whenever I can, so my weapons
of choice end up being (neo)vim and tmux. These work quite well on
mac os (and are installable via homebrew). I have not tried to use these on
windows but I do know its possible via the linux subsystem (at that point I'd
rather be using linux).</p>
When I work from home I attach the mac to a dongle that supplies it
power and an Ethernet connection. I have the power settings set to never let the mac sleep,
even with its lid closed. I can then connect to the mac with the following
command from my desktop.</p>
ssh</span>  user@laptops-ip</span> -t</span> tmux</span> -2</span> attach
</span></code></pre>
This gives me my tmux session from the work mac on my regular desktop. This is
convenient as I do not have a lot of space in my home for a separate work
desk/setup.</p>
I can do almost everything I need to via this setup (slack and related
tools are all accessible via their web ui's) and over all it's been working
pretty well. That is until my latest role.</p>
This new role requires me to have a VPN connection active to access
some internal sites (some of which are sorely needed during development). Up until
now I had been developing as much as can using the ssh method mentioned
above and then switching over to my work laptop to access the restricted internal
sites. After a couple of weeks this grew pretty tiring. I would like a
solution that would:</p>

Let me continue using my existing setup</li>
Not require me to install any work related software on my personal computer</li>
Proxy work related connections through my work computer and nothing else</li>
</ol>

    #
</a>
SOCKS5 Proxy Over SSH</h2>
ssh</code> is quite a wonderful tool and comes with a solution built in for proxy-ing
requests. Lets take a look at man ssh</code>.</p>
man</span> ssh
</span>---
</span>-D </span>[</span>bind_address:</span>]</span>port
</span>     </span>Specifies</span> a local “dynamic” application-level port forwarding.  This works by allocating a socket to listen to port on the local
</span>     </span>side,</span> optionally bound to the specified bind_address.  Whenever a connection is made to this port, the connection is forwarded
</span>     </span>over</span> the secure channel, and the application protocol is then used to determine where to connect to from the remote machine.
</span>     </span>Currently</span> the SOCKS4 and SOCKS5 protocols are supported, and ssh will act as a SOCKS server.  Only root can forward privileged
</span>     </span>ports.</span>  Dynamic port forwardings can also be specified in the configuration file.
</span>
</span>     </span>IPv6</span> addresses can be specified by enclosing the address in square brackets.  Only the superuser can forward privileged ports.
</span>     </span>By</span> default, the local port is bound in accordance with the GatewayPorts setting.  However, an explicit bind_address may be used
</span>     </span>to</span> bind the connection to a specific address.  The bind_address of “localhost” indicates that the listening port be bound for
</span>     </span>local </span>use only, while an empty address or ‘*’ indicates that the port should be available from all interfaces.
</span>---
</span></code></pre>
This would cover my first two requirements pretty well. All I have to run is</p>
ssh -D 1234 user@laptops-ip -C -N
</span></code></pre>
and this opens a SOCKS5 proxy available at localhost:1234</code> on my local machine.
If I update my Firefox settings to use it I can now access my work internal
sites without having to install the VPN locally. The downside is now that ALL</strong>
my Firefox traffic is passing through my work computer. This is where the PAC
file comes into play.</p>

    #
</a>
The PAC File</h2>
The PAC file is pretty simple. It's a single JavaScript file that exposes a
function FindProxyForURL(url, host)</code> that lets Firefox know whether to
proxy a request for a url. More information is available via MDN</a>.
All that's left to do is to update firefox's settings to use it.</p>
</p>
Here is my PAC file</p>
const </span>DIRECT </span>= </span>"DIRECT"</span>;
</span>const </span>SOCKS </span>= </span>"SOCKS5 127.0.0.1:1234"</span>;
</span>
</span>const </span>WORK_URLS </span>= </span>[</span>"*.internal.site"</span>]</span>;
</span>
</span>function </span>FindProxyForURL</span>(</span>url</span>, </span>host</span>) {
</span>  </span>if </span>(WORK_URLS</span>.</span>some</span>((</span>h</span>) </span>=> </span>shExpMatch</span>(host</span>, </span>h))) {
</span>    </span>return </span>SOCKS</span>;
</span>  }
</span>  </span>return </span>DIRECT</span>;
</span>}
</span></code></pre>


Setting up my blog
2020-10-11T00:00:00+00:00
I wanted to use Docusaurus</a> to setup my blog because I might be using it for work and wanted to test it out.
I am also a fan of the fact that it's a static site builder, which means I can use it with a free static site hosting solution.
I decided to go with GitLab Pages</a> because I am already using GitLab and it lets me use a custom domain.</p>

    #
</a>
Setting up the GitLab project</h2>
This was pretty straight forward. I followed this guide</a>.</p>
First I created a simple enough html page.</p>
echo </span>'This is me testing stuff.' </span>></span> index.html
</span></code></pre>
Followed by a .gitlab-ci.yml</code>.</p>
image</span>: </span>alpine:3.12.0
</span>
</span>workflow</span>:
</span>  </span>rules</span>:
</span>    - </span>if</span>: </span>"$CI_COMMIT_BRANCH"
</span>
</span>pages</span>:
</span>  </span>script</span>:
</span>    - </span>mkdir public
</span>    - </span>cp index.html public/index.html
</span>  </span>artifacts</span>:
</span>    </span>paths</span>:
</span>      - </span>public
</span>  </span>rules</span>:
</span>    - </span>if</span>: </span>'$CI_COMMIT_BRANCH == "master"'
</span></code></pre>
Then another quick guide</a> for setting up a custom domain + SSL certificate.</p>
And voilà!</p>
</p>

    #
</a>
Using Docusaurus</h2>
Like most modern JavaScript projects, to actually use Docusaurus I needed to first install an initializer that would setup a project for me.
The install docs</a> mentioned using npx</code> to install and use the initializer.</p>
This was my first time hearing about npx</code> and I wasn't too keen on installing yet another JavaScript tool on my system.</p>
yarn</span> add @docusaurus/init@next
</span>node</span> node_modules/@docusaurus/init/bin/index.js init my-blog classic
</span></code></pre>
This seemed to work well enough, the sole issue was the Docusaurus files were now in a dir called my-blog</code> rather than my project root.</p>
First I needed to cleanup the install files then move everything in my-blog</code> a directory up.</p>
rm</span> -rf</span> node_modules package.json yarn.lock
</span>mv</span> my-blog/</span>*</span> .
</span>rm</span> -rf</span> my-blog
</span></code></pre>
yarn start</code> now showed me the default Docusaurus project page. At this point all that I had to do was to follow the Blog-only mode</a> guide and customize to my needs.</p>
One annoying thing is that the doc</code> directory has to exist with a single .md</code> file in it to prevent Docusaurus from failing to start.</p>

    #
</a>
Updating .gitlab-ci.yml</code></h2>
Updated my CI configuration to use a node image and to cache node_modules</code>/yarn cache</p>
image</span>: </span>node:14.13.1-alpine3.12
</span>
</span>workflow</span>:
</span>  </span>rules</span>:
</span>    - </span>if</span>: </span>"$CI_COMMIT_BRANCH"
</span>
</span>cache</span>:
</span>  </span>key</span>: </span>"$CI_PROJECT_ID"
</span>  </span>paths</span>:
</span>    - </span>node_modules/
</span>    - </span>.yarn/
</span>
</span>pages</span>:
</span>  </span>script</span>:
</span>    - </span>yarn config set cache-folder .yarn
</span>    - </span>yarn install
</span>    - </span>yarn build --out-dir public
</span>  </span>artifacts</span>:
</span>    </span>paths</span>:
</span>      - </span>public
</span>  </span>rules</span>:
</span>    - </span>if</span>: </span>'$CI_COMMIT_BRANCH == "master"'
</span></code></pre>

Imran's Blog

Reworking dad's site (again)

# </a> Site version 1</h3> Dad uploads documents via ftp to hosting company.</li>

# </a> Site version 2</h3> Dad uploads documents to my local server via sftp.</li> Something listens for file changes.</li> That something then makes a git commit and pushes it.</li>

# </a> Site version 3 (now with 100% more nix)</h3> My requirements for site version 3 were:</p> Immediate feedback from version 1</li>

WTF Ubiquiti

Year in review

Written in Dvorak

ZFS, video files and compression

Lazy days are the best

Advertising Works

Not enough ram

Put some effort in for goodness sake

Thankful for offline documentation

Italian coffee kind of sucks

# </a> Why does it suck?</h3> Saying it sucks is a bit harsh but here are the main reasons why I did not enjoy it:</p> They use robusta beans</li>

Status update, August 2022

Status Update

# </a> Real world stuff</h2> I own a couch now (technically a love seat, since a couch would not fit through my door).</li> I own a coffee table, as well as a cabinet for the bathroom.</li>

Lessons learnt from exposing my server to the internet part 2

The pain of updating my SSID with Unifi (AP AC-lite)

Converting my init.vim to lua

Lessons learnt from exposing my server to the internet

# </a> Remediation</h2> It's clear that I need to harden my ssh setup. I already the following setup:</p> root login disabled</li>

SFTP is super awesome

Going back to the gym

Vertigo

Django Rest Framework

Covid-19, condos and dogs

Upgrading my home server

Running badblocks on a 14tb hard drive

Trying out James Hoffman's donut espresso

Python and multiline lambdas

I love coffee

Replacing my fire TV with a pi + Kodi

I love linux

Using Dhall to manage my docker-compose.yml

Stop showing me ads on my TV player

Goodbye Google Play Music

Moving my blog to zola

My first time using rust

The wonders of a proxy auto-config (PAC) file

Setting up my blog