dataswamp.org.solene.rss.xml - sfeed_tests - sfeed tests and RSS and Atom files
(HTM) git clone git://git.codemadness.org/sfeed_tests
---
dataswamp.org.solene.rss.xml (105978B)
---
1 <?xml version="1.0" encoding="UTF-8"?>
2 <rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
3 <channel>
4 <title>Solene's percent %</title>
5 <description></description>
6 <link>https://dataswamp.org/~solene/</link>
7 <atom:link href="https://dataswamp.org/~solene/rss.xml" rel="self" type="application/rss+xml" />
8 <item>
9 <title>Nginx as a TCP/UDP relay</title>
10 <description>
11 <![CDATA[
12 <h1> Introduction</h1>
13 <p>In this tutorial I will explain how to use Nginx as a TCP or UDP relay, as an alternative to HAProxy or relayd. This means nginx accepts connections on a port (TCP or UDP) and relays them to a backend without looking at the content. It can also terminate TLS: negotiate a TLS session with the client and relay the plaintext to a non-TLS backend. In this example I will configure Nginx to accept TLS connections and pass them to my Gemini server Vger, since the Gemini protocol requires TLS.
14 </p>
15 <p>I will explain how to install and configure Nginx and how to parse the logs to obtain useful information. I will use an OpenBSD system for the examples.
16 </p>
17 <p>It is important to understand that in this context Nginx is not doing anything related to HTTP.
18 </p>
19 <h1> Installation</h1>
20 <p>On OpenBSD we need the package nginx-stream; if you are unsure which package is required on your system, search for the package providing the file ngx_stream_module.so. To enable Nginx at boot, use rcctl enable nginx.
21 </p>
22 <p><a href='http://nginx.org/en/docs/stream/ngx_stream_core_module.html'>Nginx stream module core documentation</a></p>
23 <p><a href='http://nginx.org/en/docs/stream/ngx_stream_log_module.html'>Nginx stream module log documentation</a></p>
24 <h1> Configuration</h1>
25 <p>The default configuration file for nginx is /etc/nginx/nginx.conf; we want it to listen on port 1965 and relay to 127.0.0.1:11965.
26 </p>
27 <pre><code>worker_processes 1;
28
29 load_module modules/ngx_stream_module.so;
30
31 events {
32 worker_connections 5;
33 }
34
35 stream {
36 log_format basic '$remote_addr $upstream_addr [$time_local] '
37 '$protocol $status $bytes_sent $bytes_received '
38 '$session_time';
39
40 access_log logs/nginx-access.log basic;
41
42 upstream backend {
43 hash $remote_addr consistent;
44 server 127.0.0.1:11965;
45 }
46 server {
47 listen 1965 ssl;
48 ssl_certificate /etc/ssl/perso.pw:1965.crt;
49 ssl_certificate_key /etc/ssl/private/perso.pw:1965.key;
50 proxy_pass backend;
51 }
52 }
53 </code></pre>
54 <p>In the previous configuration file, the upstream block named backend defines the destination; multiple servers could be defined, with weights and timeouts, but there is only one in this example. Note that worker_connections counts every socket a worker holds, the client side and the upstream side of each relayed session included, so a value of 5 only allows a couple of concurrent sessions; raise it for anything beyond a test setup.
55 </p>
56 <p>The server block tells on which port Nginx should listen and whether it has to handle TLS (still named ssl for historical reasons); the usual TLS directives can be used here. Finally, proxy_pass tells to which upstream Nginx has to relay the connections.
57 </p>
58 <p>The configuration file defines a custom log format that is useful for TLS connections: it includes the remote host, the backend destination, the connection status, the bytes transferred in each direction and the session duration.
59 </p>
60 <h1> Log parsing</h1>
61 <h2> Using awk to calculate time performance</h2>
62 <p>I wrote a quite long shell command parsing the log defined earlier that displays the number of sessions and the median/min/max session time (the last field of each log line).
63 </p>
64 <pre><code>$ awk '{ print $NF }' /var/www/logs/nginx-access.log | sort -n | awk '{ data[NR] = $1 } END { print "Total: "NR" Median:"data[int(NR/2)]" Min:"data[2]" Max:"data[NR] }'
65 Total: 566 Median:0.212 Min:0.000 Max:600.487
66 </code></pre>
67 <h2> Find bad clients using awk</h2>
68 <p>Sometimes the logs show clients that get a status 500, meaning the TLS handshake was not completed. It may be a scanner that doesn't even try TLS. If you want statistics about those clients, to decide whether they are worth blocking when they make too many attempts, awk easily extracts the list (the status is the fourth field from the end of the line):
69 </p>
70 <pre><code>awk '$(NF-3) == 500 { print $1 }' /var/www/logs/nginx-access.log
71 </code></pre>
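<p>The two commands above can be turned into a small script. The following is an added example and not part of the original post: it assumes the "basic" log format from the nginx.conf above, builds a constructed sample log (made-up addresses and times), prints the same session time statistics plus a 95th percentile, and counts failed TLS handshakes per client so that repeat offenders can be fed to a pf table (the table name badclients is hypothetical).</p>

```shell
#!/bin/sh
# Added example, not code from the original post: the two awk one-liners
# above turned into reusable functions, plus a per-client count of failed
# TLS handshakes that can be fed to a pf table.
#
# Assumed log format: the "basic" stream log_format from the nginx.conf above,
#   $remote_addr $upstream_addr [$time_local] $protocol $status $bytes_sent $bytes_received $session_time
# Positions are taken relative to NF like the original commands: $NF is the
# session time and $(NF-3) the status.

# Write a small constructed sample log (addresses and times are made up) and
# print its path, so the functions below can be tried without a live server.
make_sample_log() {
    f="${TMPDIR:-/tmp}/nginx-stream-sample.$$.log"
    cat > "$f" <<'EOF'
192.0.2.10 127.0.0.1:11965 [24/Feb/2021:10:00:01 +0100] TCP 200 1530 120 0.212
192.0.2.10 127.0.0.1:11965 [24/Feb/2021:10:00:05 +0100] TCP 200 980 110 0.150
198.51.100.7 - [24/Feb/2021:10:01:00 +0100] TCP 500 0 0 0.000
198.51.100.7 - [24/Feb/2021:10:01:01 +0100] TCP 500 0 0 0.000
198.51.100.7 - [24/Feb/2021:10:01:02 +0100] TCP 500 0 0 0.001
203.0.113.5 - [24/Feb/2021:10:02:00 +0100] TCP 500 0 0 0.000
192.0.2.11 127.0.0.1:11965 [24/Feb/2021:10:03:00 +0100] TCP 200 40210 130 600.487
EOF
    printf '%s\n' "$f"
}

# session_stats LOG: total sessions, median, 95th percentile, min and max
# session time. Empty lines are skipped; an empty log just reports "Total: 0".
session_stats() {
    awk 'NF { print $NF }' "$1" | LC_ALL=C sort -n | awk '
        { t[NR] = $1 }
        END {
            if (NR == 0) { print "Total: 0"; exit }
            p95 = int(NR * 0.95)              # index of the 95th percentile,
            if (p95 < NR * 0.95) p95++        # rounded up (ceil)
            out = "Total: " NR " Median:" t[int((NR + 1) / 2)]
            out = out " P95:" t[p95] " Min:" t[1] " Max:" t[NR]
            print out
        }'
}

# bad_clients LOG [MIN]: "address count" for every client with at least MIN
# (default 3) sessions ending in status 500, i.e. a TLS handshake that never
# completed (scanners, plain-text probes). Sorted so the output is stable.
bad_clients() {
    awk -v min="${2:-3}" '
        NF >= 4 && $(NF-3) == 500 { n[$1]++ }
        END { for (h in n) if (n[h] >= min) print h, n[h] }' "$1" | LC_ALL=C sort
}

# Usage: ./stream-log-stats.sh [/var/www/logs/nginx-access.log]
# Without an argument the constructed sample is used.
log="${1:-$(make_sample_log)}"
session_stats "$log"
echo "clients with 3 or more failed TLS handshakes (address count):"
bad_clients "$log" 3
# To block them with pf, assuming a table <badclients> in pf.conf (hypothetical):
#   bad_clients "$log" 3 | awk '{ print $1 }' | xargs pfctl -t badclients -T add
```

<p>Fields are addressed from the end of the line (NF) rather than from the start, as in the original one-liners, so the status and session time are found even if a leading field changes. The threshold avoids blocking a legitimate client whose single connection was interrupted mid-handshake.</p>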
72 <h2> Using goaccess for real time log visualization</h2>
73 <p>It is also possible to use the program Goaccess to view the logs in real time with a lot of information, it is really an awesome program.
74 </p>
75 <pre><code>goaccess --date-format="%d/%b/%Y" \
76 --time-format="%H:%M:%S" \
77 --log-format="%h %r [%d:%t %^] TCP %s %^ %b %L" /var/www/logs/nginx-access.log
78 </code></pre>
79 <p><a href='https://goaccess.io/'>Goaccess official website</a></p>
80 <h1> Conclusion</h1>
81 <p>I was using relayd before trying Nginx with the stream module; while relayd worked fine, it doesn't provide any of the logs Nginx offers. I am really happy with this use of Nginx because it is a very versatile program that has shown over time to be more than an HTTP server. For a minimal setup I would still recommend a lighter daemon such as relayd.
82 </p>
83
84 ]]>
85 </description>
86 <guid>https://dataswamp.org/~solene/2021-02-24-nginx-stream.html</guid>
87 <link>https://dataswamp.org/~solene/2021-02-24-nginx-stream.html</link>
88 <pubDate>Wed, 24 Feb 2021 00:00:00 GMT</pubDate>
89 </item>
90 <item>
91 <title>Port of the week: catgirl irc client</title>
92 <description>
93 <![CDATA[
94 <h2> Introduction</h2>
95 <p>In this Port of the Week I will introduce you to the IRC client catgirl. While there are already many IRC clients available (and good ones), there was a niche that wasn't filled yet in the terminal world, between minimalism (ii, ircII) and full featured clients (irssi, weechat). Here comes catgirl, a simple IRC client with enough features to be comfortable for heavy IRC users.
96 </p>
97 <p>Catgirl has the following features: tab completion, split scrolling, URL detection, nick coloring, ignore filters. On the other hand, it doesn't support non-TLS networks, CTCP, multiple networks or dynamic configuration. If you want to use catgirl with multiple networks, you have to run it once per network.
98 </p>
99 <p>Catgirl will be available as a package in OpenBSD starting with version 6.9.
100 </p>
101 <p>OpenBSD security bonus: catgirl makes very good use of unveil to reduce file system access to the minimum required (configuration, logs and certificates), reducing the severity of an exploit. It also has a restricted mode, enabled with the -R parameter, that disables features like notifications or URL handling and tightens the pledge promises (the allowed system calls).
102 </p>
103 <p><a href='https://git.causal.agency/catgirl/about/'>Catgirl official website</a></p>
104 <p><a href='static/catgirl.png'><img src='static/catgirl.png' alt='Catgirl screenshot' width='60%' /></a></p>
105 <h2> Configuration</h2>
106 <p>A simple configuration file to connect to the irc.tilde.chat server would look like the following file that must be stored under ~/.config/catgirl/tilde
107 </p>
108 <pre><code>nick = solene_nickname
109 real = Solene
110 host = irc.tilde.chat
111 join = #foobar-channel
112 </code></pre>
113 <p>You can then run catgirl with that configuration file by passing the file name as parameter.
114 </p>
115 <pre><code>$ catgirl tilde
116 </code></pre>
117 <h2> Usage and tips</h2>
118 <p>I recommend reading the catgirl man page, everything is well explained there. I will cover the most basic needs here.
119 </p>
120 <p><a href='https://git.causal.agency/catgirl/about/catgirl.1'>Catgirl man page</a></p>
121 <p>Catgirl only displays one window at a time, it is not possible to split the display, but if you scroll up you will see the last displayed lines and the text stream in the lower part while the upper part displays the history; it is a neat way to browse the history without cutting yourself off from what's going on in the channel.
122 </p>
123 <p>Channels can be browsed from the keyboard using Ctrl+N or Ctrl+P like in Irssi, or by typing /window NUMBER, NUMBER being the buffer number. Alt+NUMBER can also be used to switch directly to buffer NUMBER.
124 </p>
125 <p>You can search in a buffer by typing a word in your input and using Ctrl+R to search backward or Ctrl+S to search forward (given you are in the history, of course).
126 </p>
127 <p>Finally, my favorite feature, which is missing in minimal clients, is Alt+A: it jumps to the next buffer I have to read (yes, catgirl keeps a status line showing how many unread messages each channel has since you last looked at it). Even better, when you press Alt+A while there is nothing left to read, you jump back to the channel you manually selected last; this allows quickly reading what you missed and returning to the channel you spend all your time on.
128 </p>
129 <h2> Conclusion</h2>
130 <p>I really love this IRC client, it replaced Irssi, which I used for years, very easily because most of the key bindings are the same, but I am also very happy to use a client that is a lot safer (on OpenBSD). It can be used with tmux for persistence, which also makes connecting to multiple servers manageable.
131 </p>
132
133 ]]>
134 </description>
135 <guid>https://dataswamp.org/~solene/2021-02-22-potw-catgirl.html</guid>
136 <link>https://dataswamp.org/~solene/2021-02-22-potw-catgirl.html</link>
137 <pubDate>Mon, 22 Feb 2021 00:00:00 GMT</pubDate>
138 </item>
139 <item>
140 <title>Full list of services offered by a default OpenBSD installation</title>
141 <description>
142 <![CDATA[
143 <h1> Introduction</h1>
144 <p>This article is about giving a short description of EVERY service available as part of an OpenBSD default installation (= no package installed).
145 </p>
146 <p>Of all this list, only the following are started by default: sshd (OpenSSH), ntpd, syslogd and smtpd (listening on localhost only); cron and pflogd, which open no network port, also run by default.
147 </p>
148 <h1> Service list </h1>
149 <p>I extracted the list of base install services by looking at /etc/rc.conf.
150 </p>
151 <pre><code>$ grep _flags /etc/rc.conf | cut -d '_' -f 1
152 </code></pre>
153 <h2> amd</h2>
154 <p>This daemon automatically mounts remote NFS file systems when someone wants to access them; it can provide a replacement in case the file system is not reachable. More information with "info amd".
155 </p>
156 <p><a href='https://man.openbsd.org/amd'>amd man page</a></p>
157 <h2> apmd</h2>
158 <p>This is the daemon responsible for power management, including CPU frequency scaling. It is important to run it on workstations and especially on laptops; it can also trigger automatic suspend or hibernate when the battery is low.
159 </p>
160 <p><a href='https://man.openbsd.org/apmd'>apmd man page</a></p>
161 <p><a href='https://man.openbsd.org/apm'>apm man page</a></p>
162 <h2> bgpd</h2>
163 <p>This is a BGP daemon, used by network routers to exchange routes with other routers. This is mainly what makes the Internet work: every hosting company announces their IP ranges and how to reach them, and in return they receive the paths to reach all other addresses.
164 </p>
165 <p><a href='http://www.openbgpd.org'>OpenBGPD website</a></p>
166 <h2> bootparamd</h2>
167 <p>This daemon is used for diskless setups on a network; it provides information to the client such as which NFS mount point to use for the swap or root device.
168 </p>
169 <p><a href='https://man.openbsd.org/diskless'>Information about a diskless setup</a></p>
170 <h2> cron</h2>
171 <p>This daemon reads each user's crontab and the system crontab to run scheduled commands. User crontabs are modified using the crontab command.
172 </p>
173 <p><a href='https://man.openbsd.org/cron'>Cron man page</a></p>
174 <p><a href='https://man.openbsd.org/crontab.1'>Crontab command</a></p>
175 <p><a href='https://man.openbsd.org/crontab.5'>Crontab format</a></p>
176 <h2> dhcpd</h2>
177 <p>This is a DHCP server used to automatically provide IPv4 addresses on a network to systems using a DHCP client.
178 </p>
179 <h2> dhcrelay</h2>
180 <p>This is a DHCP relay: it listens on a network interface and relays the requests to a DHCP server reachable through another interface.
181 </p>
182 <h2> dvmrpd</h2>
183 <p>This is a multicast routing daemon (DVMRP), needed if you want to extend multicast beyond your local LAN. It is mostly replaced by PIM nowadays.
184 </p>
185 <h2> eigrpd</h2>
186 <p>This daemon implements EIGRP, an interior gateway routing protocol originating from Cisco (a distance-vector protocol rather than a link-state one like OSPF), useful to interoperate with Cisco routers.
187 </p>
188 <h2> ftpd</h2>
189 <p>This is an FTP server providing many features. While FTP is being abandoned and is obsolete (certainly because it doesn't play well with NAT), it can be used to provide read/write anonymous access to a directory (and many other things).
190 </p>
191 <p><a href='https://man.openbsd.org/ftpd'>ftpd man page</a></p>
192 <h2> ftpproxy</h2>
193 <p>This is an FTP proxy daemon, meant to run on a NAT system; it automatically adds PF rules to connect an incoming data connection to the server behind the NAT. This is part of the FTP madness.
194 </p>
195 <h2> ftpproxy6</h2>
196 <p>Same as above but for IPv6. Using IPv6 behind a NAT makes no sense.
197 </p>
198 <h2> hostapd</h2>
199 <p>This is the daemon that turns OpenBSD into a WiFi access point.
200 </p>
201 <p><a href='https://man.openbsd.org/hostapd'>hostapd man page</a></p>
202 <p><a href='https://man.openbsd.org/hostapd.conf'>hostapd configuration file man page</a></p>
203 <h2> hotplugd</h2>
204 <p>hotplugd is an amazing daemon that triggers actions when devices are connected or disconnected. This can be scripted to automatically run a backup if some conditions are met, like a USB disk with a known name being inserted, or to mount a drive.
205 </p>
206 <p><a href='https://man.openbsd.org/hotplugd'>hotplugd man page</a></p>
207 <h2> httpd</h2>
208 <p>httpd is an HTTP(S) daemon supporting a few features like FastCGI, rewrite rules and SNI. While it doesn't have all the features a web server like nginx has, it is able to host some PHP programs such as Nextcloud, Roundcube mail or MediaWiki.
209 </p>
210 <p><a href='https://man.openbsd.org/httpd'>httpd man page</a></p>
211 <p><a href='https://man.openbsd.org/httpd.conf'>httpd configuration file man page</a></p>
212 <h2> identd</h2>
213 <p>identd is a daemon for the Identification Protocol, which returns the login name of the user who initiated a connection; it is used on IRC to tell which local user started an IRC connection.
214 </p>
215 <h2> ifstated</h2>
216 <p>This daemon monitors the state of network interfaces and can take actions upon changes. It can be used to react to an interface losing connectivity; I used it to switch the default route to a 4G device when a ping over the uplink interface was failing.
217 </p>
218 <p><a href='https://man.openbsd.org/ifstated'>ifstated man page</a></p>
219 <p><a href='https://man.openbsd.org/ifstated.conf'>ifstated configuration file man page</a></p>
220 <h2> iked</h2>
221 <p>This daemon is an IKEv2 implementation, used to authenticate peers and negotiate keys for IPsec tunnels.
222 </p>
223 <p><a href='https://www.openbsd.org/faq/faq17.html'>OpenBSD FAQ about VPN</a></p>
224 <h2> inetd</h2>
225 <p>This daemon is often forgotten but is very useful. inetd can listen on TCP or UDP ports and runs a command upon connection on the related port: incoming data is passed to the program's standard input and the program's standard output is returned to the client. This is an easy way to turn a program into a network service, but it is not widely used because it doesn't scale well: forking a new program for every connection can push a system to its limits.
226 </p>
227 <p><a href='https://man.openbsd.org/inetd'>inetd man page</a></p>
228 <h2> isakmpd</h2>
229 <p>This daemon is the IKEv1 implementation, used to authenticate peers and negotiate keys for IPsec tunnels.
230 </p>
231 <h2> iscsid</h2>
232 <p>This daemon is an iSCSI initiator which connects to an iSCSI target (call it a network block device) and exposes it locally through the vscsi(4) device. OpenBSD doesn't provide an iSCSI target daemon in its base system, but there is one in ports.
233 </p>
234 <h2> ldapd</h2>
235 <p>This is a lightweight LDAP server implementing version 3 of the protocol.
236 </p>
237 <p><a href='https://man.openbsd.org/ldap'>ldap client man page</a></p>
238 <p><a href='https://man.openbsd.org/ldapd'>ldapd daemon man page</a></p>
239 <p><a href='https://man.openbsd.org/ldapd.conf'>ldapd daemon configuration file man page</a></p>
240 <h2> ldattach</h2>
241 <p>This daemon attaches a line discipline, such as NMEA for GPS receivers, to a serial port so that the kernel can use the device, for example as a time sensor.
242 </p>
243 <h2> ldomd</h2>
244 <p>This daemon is specific to the sparc64 platform and provides services for logical domains (ldom).
245 </p>
246 <h2> lockd</h2>
247 <p>This daemon is used as part of a NFS environment to support file locking.
248 </p>
249 <h2> ldpd</h2>
250 <p>This daemon implements the Label Distribution Protocol, used by MPLS routers to exchange labels.
251 </p>
252 <h2> lpd</h2>
253 <p>This daemon manages print queues for line printers (the BSD lpr/lpd spooling system).
254 </p>
255 <h2> mountd</h2>
256 <p>This daemon answers NFS clients' mount requests and tells them what the system is currently exporting. The command showmount can be used to see what mountd is currently exposing.
257 </p>
258 <p><a href='https://man.openbsd.org/mountd'>mountd man page</a></p>
259 <p><a href='https://man.openbsd.org/showmount.8'>showmount man page</a></p>
260 <h2> mopd</h2>
261 <p>This daemon serves MOP (DEC's Maintenance Operations Protocol) boot images, used to netboot VAX and Alpha machines.
262 </p>
263 <h2> mrouted</h2>
264 <p>Similar to dvmrpd.
265 </p>
266 <h2> nfsd</h2>
267 <p>This server is used to service the NFS requests from NFS client. Statistics about NFS (client or server) can be obtained from the nfsstat command.
268 </p>
269 <p><a href='https://man.openbsd.org/nfsd'>nfsd man page</a></p>
270 <p><a href='https://man.openbsd.org/nfsstat.1'>nfsstat man page</a></p>
271 <h2> npppd</h2>
272 <p>This daemon establishes connections using PPP and also creates tunnels with L2TP, PPTP and PPPoE. PPP is used by some modems to connect to the Internet.
273 </p>
274 <h2> nsd</h2>
275 <p>This daemon is an authoritative DNS nameserver, meaning it holds all the information about a domain name and its subdomains. It receives queries from recursive servers such as unbound, unwind, etc. If you own a domain name and want to serve it from your system, this is what you want.
276 </p>
277 <p><a href='https://man.openbsd.org/nsd'>nsd man page</a></p>
278 <p><a href='https://man.openbsd.org/nsd.conf'>nsd configuration file man page</a></p>
279 <h2> ntpd</h2>
280 <p>This daemon is an NTP service that keeps the system clock correct; it can use NTP servers or sensors (like GPS) as time sources, and can also use remote HTTPS servers as constraints to sanity-check the time sources. It can also act as a server providing time to other NTP clients.
281 </p>
282 <p><a href='https://man.openbsd.org/ntpd'>ntpd man page</a></p>
283 <h2> ospfd</h2>
284 <p>It is a daemon for the OSPF routing protocol (Open Shortest Path First).
285 </p>
286 <h2> ospf6d</h2>
287 <p>Same as above for IPv6.
288 </p>
289 <h2> pflogd</h2>
290 <p>This daemon receives packets from PF rules that have the "log" keyword and stores them into a logfile that can be read with tcpdump later. Every packet in the logfile carries information about which rule matched it, so it is very practical for analysis.
291 </p>
292 <p><a href='https://man.openbsd.org/pflogd'>pflogd man page</a></p>
293 <p><a href='https://man.openbsd.org/tcpdump.8'>tcpdump</a></p>
294 <h2> portmap</h2>
295 <p>This daemon is the RPC port mapper, required by NFS and other ONC RPC services.
296 </p>
297 <h2> rad</h2>
298 <p>This daemon is used on IPv6 routers to send router advertisements so clients can automatically configure their addresses and routes.
299 </p>
300 <h2> radiusd</h2>
301 <p>This daemon is used to offer RADIUS protocol authentication.
302 </p>
303 <h2> rarpd</h2>
304 <p>This daemon is used for diskless setups, in which it maps a hardware (MAC) address to an IP address and hostname (Reverse ARP).
305 </p>
306 <p><a href='https://man.openbsd.org/diskless'>Information about a diskless setup</a></p>
307 <h2> rbootd</h2>
308 <p>Per the man page, it says « rbootd services boot requests from Hewlett-Packard workstation over LAN ».
309 </p>
310 <h2> relayd</h2>
311 <p>This daemon accepts incoming connections and distributes them to backends. It supports many protocols and can act transparently; its purpose is to be a front end that dispatches connections to a list of backends while also checking backend health. It has many uses and can be combined with httpd to add HTTP headers to a request, or apply conditions on HTTP request headers to choose a backend.
312 </p>
313 <p><a href='https://man.openbsd.org/relayd'>relayd man page</a></p>
314 <p><a href='https://man.openbsd.org/relayctl'>relayd control tool man page</a></p>
315 <p><a href='https://man.openbsd.org/relayd.conf'>relayd configuration file man page</a></p>
316 <h2> ripd</h2>
317 <p>This is a routing daemon using the RIP protocol, old but widely supported.
318 </p>
319 <h2> route6d</h2>
320 <p>Same as above but for IPv6.
321 </p>
322 <h2> sasyncd</h2>
323 <p>This daemon keeps IPsec gateways synchronized so that a failover can happen. This can be used with carp devices.
324 </p>
325 <h2> sensorsd</h2>
326 <p>This daemon gathers monitoring information from the hardware like temperature or disk status. If a check exceeds a threshold, a command can be run.
327 </p>
328 <p><a href='https://man.openbsd.org/sensorsd'>sensorsd man page</a></p>
329 <p><a href='https://man.openbsd.org/sensorsd.conf'>sensorsd configuration file man page</a></p>
330 <h2> slaacd</h2>
331 <p>This daemon automatically configures IPv6 addresses and routes (SLAAC) from the router advertisements seen on the network.
332 </p>
333 <h2> slowcgi</h2>
334 <p>This daemon exposes a CGI program as a FastCGI service, allowing the httpd HTTP server to run CGI scripts. It is the equivalent of inetd, but for FastCGI.
335 </p>
336 <p><a href='https://man.openbsd.org/slowcgi'>slowcgi man page</a></p>
337 <h2> smtpd</h2>
338 <p>This daemon is the SMTP server that delivers mail locally or to remote mail servers.
339 </p>
340 <p><a href='https://man.openbsd.org/smtpd'>smtpd man page</a></p>
341 <p><a href='https://man.openbsd.org/smtpd.conf'>smtpd configuration file man page</a></p>
342 <p><a href='https://man.openbsd.org/smtpctl'>smtpd control command man page</a></p>
343 <h2> sndiod</h2>
344 <p>This is the daemon handling sound from various sources. It also supports sending local sound to a remote sndiod server.
345 </p>
346 <p><a href='https://man.openbsd.org/sndiod'>sndiod man page</a></p>
347 <p><a href='https://man.openbsd.org/sndioctl.1'>sndiod control command man page</a></p>
348 <p><a href='https://man.openbsd.org/mixerctl'>mixerctl man page to control an audio device</a></p>
349 <p><a href='https://www.openbsd.org/faq/faq13.html'>OpenBSD FAQ about multimedia devices</a></p>
350 <h2> snmpd</h2>
351 <p>This daemon is an SNMP agent exposing system metrics to SNMP clients.
352 </p>
353 <p><a href='https://man.openbsd.org/snmpd'>snmpd man page</a></p>
354 <p><a href='https://man.openbsd.org/snmpd.conf'>snmpd configuration file man page</a></p>
355 <h2> spamd</h2>
356 <p>This daemon acts as a fake SMTP server that delays, blocks or passes emails depending on some rules. It can add IP addresses to a block list if they try to send an email to a specific address (like a honeypot), pass emails from servers on an accept list, or delay connections from unknown servers (greylisting), making them reconnect a few times before the email is passed to the real SMTP server. This is a quite effective way to prevent spam, but it becomes less relevant as senders use whole ranges of IP addresses: if you expect an email from a big email provider, server X.Y.Z.1 will be greylisted, then X.Y.Z.2 will retry and so on, so none will pass the grey list.
357 </p>
358 <h2> spamlogd</h2>
359 <p>This daemon is dedicated to updating the spamd whitelist.
360 </p>
361 <h2> sshd</h2>
362 <p>This is the well known SSH server, allowing secure shell connections from remote clients. It has many features that deserve to be better known, such as restricting the command allowed per public key in ~/.ssh/authorized_keys, or SFTP-only chrooted accesses.
363 </p>
364 <p><a href='https://man.openbsd.org/sshd'>sshd man page</a></p>
365 <p><a href='https://man.openbsd.org/sshd_config.5'>sshd configuration file man page</a></p>
366 <h2> statd</h2>
367 <p>This daemon is used in NFS environments together with lockd to check whether remote hosts are still alive.
368 </p>
369 <h2> switchd</h2>
370 <p>This daemon is used to control a switch pseudo device.
371 </p>
372 <p><a href='https://man.openbsd.org/switch.4'>switch pseudo device man page</a></p>
373 <h2> syslogd</h2>
374 <p>This is the logging server that receives messages from local programs and stores them in the corresponding logfile. It can be configured to pipe some messages to a command (a program like sshlockout uses this method to learn about IP addresses that must be blocked), and it can also listen on the network to aggregate logs from other machines. The program newsyslog rotates the files (moving a file aside, compressing it so a new file is created, and removing archives that are too old). Scripts can use the logger command to send text to syslog.
375 </p>
376 <p><a href='https://man.openbsd.org/syslogd'>syslogd man page</a></p>
377 <p><a href='https://man.openbsd.org/syslog.conf.5'>syslogd configuration file man page</a></p>
378 <p><a href='https://man.openbsd.org/newsyslog.8'>newsyslog man page</a></p>
379 <p><a href='https://man.openbsd.org/logger.1'>logger man page</a></p>
380 <h2> tftpd</h2>
381 <p>This daemon is a TFTP server, used to provide kernels over the network to diskless machines or to push files to appliances.
382 </p>
383 <p><a href='https://man.openbsd.org/diskless'>Information about a diskless setup</a></p>
384 <h2> tftpproxy</h2>
385 <p>This daemon manipulates the PF firewall to relay TFTP requests to a TFTP server.
386 </p>
387 <h2> unbound</h2>
388 <p>This daemon is a recursive DNS server, the kind of server listed in /etc/resolv.conf, whose job is to translate a fully qualified domain name into the IP address behind it by asking one server at a time: to resolve www.dataswamp.org, it asks a root server for the .org servers, asks a .org authoritative server which server is authoritative for dataswamp.org, then asks that server for the address of www.dataswamp.org. It also caches answers and validates queries and replies (DNSSEC); it is a good idea to have such a server on a LAN with many clients to share the cache.
389 </p>
390 <p><a href='https://man.openbsd.org/unbound'>unbound man page</a></p>
391 <p><a href='https://man.openbsd.org/unbound.conf'>unbound configuration file man page</a></p>
392 <h2> unwind</h2>
393 <p>This daemon is a local recursive DNS resolver that does its best to give valid replies; it is designed for nomadic users who may encounter hostile environments like captive portals or DHCP-provided DNS servers that break DNSSEC. Unwind regularly polls a few DNS sources (recursion from the root servers, DHCP-provided servers, stub or DNS over TLS servers from the configuration file) and chooses the fastest. It also acts as a local cache, and it cannot listen on the network to serve other clients. It also supports a list of blocked domains as input.
394 </p>
395 <p><a href='https://man.openbsd.org/unwind'>unwind man page</a></p>
396 <p><a href='https://man.openbsd.org/unwind.conf'>unwind configuration file man page</a></p>
397 <p><a href='https://man.openbsd.org/unwindctl'>unwind control command man page</a></p>
398 <h2> vmd</h2>
399 <p>This is the daemon that allows running virtual machines using vmm. As of OpenBSD 6.9 it is capable of running OpenBSD and Linux guests without a graphical interface and with only one core.
400 </p>
401 <p><a href='https://man.openbsd.org/vmd'>vmd man page</a></p>
402 <p><a href='https://man.openbsd.org/vm.conf'>vmd configuration file man page</a></p>
403 <p><a href='https://man.openbsd.org/vmctl'>vmd control command man page</a></p>
404 <p><a href='https://man.openbsd.org/vmm'>vmm driver man page</a></p>
405 <p><a href='https://www.openbsd.org/faq/faq16.html'>OpenBSD FAQ about virtualization</a></p>
406 <h2> watchdogd</h2>
407 <p>This daemon periodically retriggers the watchdog timer device, if any, so that the hardware resets the machine if the system hangs.
408 </p>
409 <h2> wsmoused</h2>
410 <p>This daemon provides mouse support in the console.
411 </p>
412 <h2> xenodm</h2>
413 <p>This daemon starts the X server and lets users authenticate and log into their session.
414 </p>
415 <p><a href='https://man.openbsd.org/xenodm'>xenodm man page</a></p>
416 <h2> ypbind</h2>
417 <p>This daemon is used with a Yellow Pages (YP/NIS) server to keep and maintain a binding information file.
418 </p>
419 <h2> ypldap</h2>
420 <p>This daemon offers a YP service using an LDAP backend.
421 </p>
422 <h2> ypserv</h2>
423 <p>This daemon is a YP server.
424 </p>
425
426 ]]>
427 </description>
428 <guid>https://dataswamp.org/~solene/2021-02-16-openbsd-base-services.html</guid>
429 <link>https://dataswamp.org/~solene/2021-02-16-openbsd-base-services.html</link>
430 <pubDate>Tue, 16 Feb 2021 00:00:00 GMT</pubDate>
431 </item>
432 <item>
433 <title>What security does a default OpenBSD installation offer?</title>
434 <description>
435 <![CDATA[
436 <h1> Introduction</h1>
437 <p>In this text I will explain what makes OpenBSD secure by default when you install it. Do not take this for a security analysis, but more as a guide to help you understand what OpenBSD does to provide a secure environment. The purpose of this text is not to compare OpenBSD to other OSes but to say what you can honestly expect from OpenBSD.
438 </p>
439 <p>There is no security without a threat model; I always consider the following cases: computer stolen at home by a thief, remote attacks trying to exploit running services, and exploitation of the user's network clients.
440 </p>
441 <h1> Security matters</h1>
442 <p>Here is a list of features that I consider important for an operating system's security. While not every item in the following list is strictly a security feature, they help having a strict system that prevents software from misbehaving and wandering into unknown lands.
443 </p>
444 <p>In my opinion security is not only about preventing remote attackers from penetrating the system, but also about preventing programs or users from making the system unusable.
445 </p>
446 <h2> Pledge / unveil on userland</h2>
447 <p>Pledge and unveil are often mentioned together although they can be used independently. Pledge is a system call that restricts the permissions of a program at some point in its source code; permissions can't be regained once pledge has been called. Unveil is a system call that hides the whole file system from the process except the paths that are unveiled; it is possible to choose which permissions are allowed for each path.
448 </p>
449 <p>Both are very effective and powerful surgical security tools, but they require modifications within the source code of a program, and adding them requires a deep understanding of what the program does. It is not always possible to forbid some system calls to a program that needs to do almost anything; software designed with privilege separation is a better candidate for a proper pledge, because each part has its own job.
450 </p>
451 <p>Some software in packages has received pledge and/or unveil support, Chromium and Firefox being the most well known.
452 </p>
453 <p><a href='https://www.openbsd.org/papers/bsdcan2019-unveil/index.html'>OpenBSD presentation about Unveil (BSDCan2019)</a></p>
454 <p><a href='https://www.openbsd.org/papers/BeckPledgeUnveilBSDCan2018.pdf'>OpenBSD presentation of Pledge and Unveil (BSDCan2018)</a></p>
455 <h2> Privilege separation</h2>
456 <p>Most of the base system services used within OpenBSD run using a privilege separation pattern. Each part of a daemon is restricted to the minimum it requires. A monolithic daemon would have to read/write files, accept network connections and send messages to the log, so in case of a security breach it offers a huge attack surface. By separating a daemon into multiple parts, each worker can be controlled in a more fine-grained way, and using the pledge and unveil system calls it's possible to set limits and greatly reduce the damage in case a worker is compromised.
457 </p>
458 <h2> Clock synchronization</h2>
459 <p>A time synchronization daemon is started by default to keep the clock synchronized with time servers. A reference TLS server is used to challenge the time servers. Keeping a computer's clock synchronized is very important. This is not really a security feature, but you can't be serious about using a computer on a network without its time synchronized.
460 </p>
461 <h2> X display not as root</h2>
462 <p>If you use X, it drops privileges to the _x11 user and runs as an unprivileged user instead of root, so in case of a security issue this prevents an attacker from gaining more than it should through an X11 bug.
463 </p>
464 <h2> Resource limits</h2>
465 <p>Default resource limits prevent a program from using too much memory, too many open files or too many processes. While this can prevent some huge programs from running with the default settings, it also helps to find file descriptor leaks, and prevents a fork bomb or a simple daemon from stealing all the memory and leading to a crash.
466 </p>
467 <h2> Genuine full disk encryption</h2>
468 <p>When you install OpenBSD using full disk encryption, everything is locked by the passphrase at the bootloader step; you can't access the kernel or anything on the system without the passphrase.
469 </p>
470 <h2> W^X</h2>
471 <p>Most programs on OpenBSD aren't allowed to map memory with the Write AND Execute bits at the same time (W^X means Write XOR Exec), which can prevent an interpreter from having its memory modified and then executed. Some packages aren't compliant with this and must be linked with a specific library to bypass this restriction AND must be run from a partition mounted with the "wxallowed" option.
472 </p>
473 <p><a href='https://www.openbsd.org/papers/hackfest2015-w-xor-x.pdf'>OpenBSD presentation « Kernel W^X Improvements In OpenBSD »</a></p>
474 <h2> Only one reliable randomness source</h2>
475 <p>When your system requires a random number (and it does very often), OpenBSD only provides one API to get one; the numbers are really random and the source can't be exhausted. A good random number generator (RNG) is important for many cryptographic requirements.
476 </p>
477 <p><a href='https://www.openbsd.org/papers/hackfest2014-arc4random/index.html'>OpenBSD presentation about arc4random</a></p>
478 <h2> Accurate documentation</h2>
479 <p>OpenBSD comes with full documentation in its man pages. One should be able to fully configure their system using only the man pages. Man pages sometimes come with CAVEATS or BUGS sections; it's important to pay attention to those. It is better to read the documentation and understand what has to be done in order to configure a system than to follow an outdated and anonymous text found on the Internet.
480 </p>
481 <p><a href='https://man.openbsd.org/'>OpenBSD man pages online</a></p>
482 <p><a href='https://www.openbsd.org/papers/eurobsdcon2018-mandoc.pdf'>EuroBSDcon 2018 about « Better documentation »</a></p>
483 <h2> IPSec and Wireguard out of the box</h2>
484 <p>If you need to set up a VPN, you can use the IPSec or Wireguard protocols using only the base system; no package is required.
485 </p>
486 <h2> Memory safety</h2>
487 <p>OpenBSD has many safeguards regarding memory allocation and will very aggressively prevent use after free or otherwise unsafe memory usage; this is often a source of crashes for some software from packages because OpenBSD is very strict about how memory is used. This helps to find memory misuse and will kill misbehaving software.
488 </p>
489 <h2> Dedicated root account</h2>
490 <p>When you install the system, a root account is created and its password is asked for, then you create a user that will be a member of the "wheel" group, allowing it to switch to root with root's password. doas (the OpenBSD base system equivalent of sudo) isn't configured by default. With the default installation, the root password is required to do any root action. I think a dedicated root account that can be logged into without using doas/sudo is better than a misconfigured doas/sudo allowing everything if you only know the user password.
491 </p>
492 <h2> Small network attack surface</h2>
493 <p>The only services that could be enabled at installation time and listen on the network are OpenSSH (asked at install time, default = yes), dhclient (if you choose DHCP) and slaacd (if you use IPv6 automatic configuration).
494 </p>
495 <h2> Encrypted swap</h2>
496 <p>By default the OpenBSD swap is encrypted, meaning that if program memory is sent to the swap nobody can recover it later.
497 </p>
498 <h2> SMT disabled</h2>
499 <p>Due to the large number of security breaches caused by SMT (like hyperthreading), the default installation disables half the logical cores to prevent any data leak.
500 </p>
501 <p><a href='https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)'>Meltdown: one of the first security issues related to speculative execution in the CPU</a></p>
502 <h2> Microphone and webcam disabled</h2>
503 <p>With the default installation, both the microphone and the webcam won't actually record anything except blank video/sound until you set a sysctl to allow it.
504 </p>
505 <h3> Maintainability, release often, update often</h3>
506 <p>The OpenBSD team publishes a new release every six months and only the last two releases receive security updates. This allows upgrading often and without pain; upgrades are small steps twice a year that keep the whole system up to date. This avoids the fear of a huge upgrade that never gets done, and I consider it a huge security bonus. Most OpenBSD systems around are running the latest versions.
507 </p>
508 <h3> Signify chain of trust</h3>
509 <p>Installer, archives and packages are signed using signify public/private keys. OpenBSD installations come with the release and release n+1 keys to check package authenticity. A key is used for only six months and new keys are received with each new release, building a chain of trust. Signify keys are very small and are published in many places so you can double check when you need to bootstrap this chain of trust.
510 </p>
511 <p><a href='https://www.openbsd.org/papers/bsdcan-signify.html'>Signify at BSDCan 2015</a></p>
512 <h2> Packages</h2>
513 <p>While most of the previous items were about the base system or the kernel, the packages also have a few tricks to offer.
514 </p>
515 <h3> Chroot by default when available</h3>
516 <p>Most available daemons offering a chroot feature will have it enabled by default. In some cases, like the Nginx web server, the software is patched by the OpenBSD team to enable chroot, which is not an official feature.
517 </p>
518 <h3> Dedicated users for services</h3>
519 <p>Most packages that provide a server also create a new dedicated user for this exact service, allowing more privilege separation in case of a security issue in one service.
520 </p>
521 <h3> Installing a service doesn't enable it</h3>
522 <p>When you install a service, it doesn't get enabled by default. You will have to configure the system to enable it at boot. There is a single /etc/rc.conf.local file that can be used to see what is enabled at boot; it can be manipulated using the rcctl command. Forcing the user to enable services makes the system administrator fully aware of what is running on the system, which is a good point for security.
523 </p>
524 <p><a href='https://man.openbsd.org/rcctl'>rcctl man page</a></p>
525 <h1> Conclusion</h1>
526 <p>Most of the previous "security features" should be considered good practices rather than features. Many good practices such as the following could easily be implemented in most systems: limiting user resources, reducing daemon privileges, memory usage strictness, providing good documentation, starting the least required services and providing the user a clean default installation.
527 </p>
528 <p>There are also many other features that have been added which I don't fully understand, and I prefer to let the reader discover them.
529 </p>
530 <p><a href='https://www.openbsd.org/papers/bsdtw.pdf'>« Mitigations and other real security features » by Theo de Raadt</a></p>
531 <p><a href='https://www.openbsd.org/innovations.html'>OpenBSD innovations</a></p>
532 <p><a href='https://www.openbsd.org/events.html'>OpenBSD events, often including slides or videos</a></p>
533
534 ]]>
535 </description>
536 <guid>https://dataswamp.org/~solene/2021-02-14-openbsd-default-security.html</guid>
537 <link>https://dataswamp.org/~solene/2021-02-14-openbsd-default-security.html</link>
538 <pubDate>Sun, 14 Feb 2021 00:00:00 GMT</pubDate>
539 </item>
540 <item>
541 <title>Firejail on Linux to sandbox all the things</title>
542 <description>
543 <![CDATA[
544 <h2> Introduction</h2>
545 <p>Firejail is a program that prepares sandboxes to run other programs. It is an efficient way to keep software isolated from the rest of the system without needing to change its source code, and it works for network, graphical or daemon programs.
546 </p>
547 <p>You may want to sandbox the programs you run in order to protect your system from any issue that could happen within the program (security breach, code mistake, unknown errors); Steam once had an "rm -fr /" issue, and using a sandbox would have saved at least a part of the user directory. Web browsers are major tools nowadays, yet they have access to the whole system and have many security issues discovered and exploited in the wild; running them in a sandbox can reduce the data an attacker could exfiltrate from the computer. Of course, sandboxing comes with a usability tradeoff: if you only allow access to the ~/Downloads/ directory, you need to put files in this directory if you want to upload them, and you can only download files into this directory and then move them later to where you really want to keep them.
548 </p>
549 <h2> Installation</h2>
550 <p>On most Linux systems you will find a Firejail package that you can install. If your distribution doesn't provide a Firejail package, installing from sources seems to be quite easy, and as the project is written in C with limited dependencies the build process should be straightforward.
551 </p>
552 <p>There is no service to enable and no kernel parameters to add. The AppArmor or SELinux kernel features can be integrated into Firejail profiles if you want to.
553 </p>
554 <h2> Usage</h2>
555 <h3> Start a program</h3>
556 <p>The simplest usage is to run a command by adding firejail before the command name.
557 </p>
558 <pre><code>$ firejail firefox
559 </code></pre>
560 <h3> Use a symlink</h3>
561 <p>Firejail has a neat feature that allows starting software by its name without calling Firejail explicitly: if you create a symbolic link in your $PATH named after a program but targeting Firejail, when you call that name Firejail will automatically know what you want to start. The following example will run firefox when you call the symbolic link.
562 </p>
563 <pre><code>$ export PATH=~/bin/:$PATH
564 $ ln -s /usr/bin/firejail ~/bin/firefox
565 $ firefox
566 </code></pre>
567 <h3> Listing sandboxes</h3>
568 <p>There is a firejail --list command that will tell you about all running sandboxes and their parameters. The first column is the identifier, which is used by other Firejail features.
569 </p>
570 <pre><code>$ firejail --list
571 6108:solene::/usr/bin/firejail /usr/bin/firefox
572 </code></pre>
573 <h3> Limit bandwidth per program</h3>
574 <p>Firejail also has a neat feature that allows limiting the bandwidth available to a single sandbox environment. Reusing the previous list output, I will reduce firefox's bandwidth; the numbers are in kB/s.
575 </p>
576 <pre><code>$ firejail --bandwidth=6108 set wlan0 1000 40
577 </code></pre>
578 <p>You can find more information about this feature in the "TRAFFIC SHAPING" section of the Firejail man page.
579 </p>
580 <h3> Restrict network access</h3>
581 <p>If for some reason you want to start a program with absolutely no network access, you can run it and deny it any network.
582 </p>
583 <pre><code>$ firejail --net=none libreoffice
584 </code></pre>
585 <h2> Conclusion</h2>
586 <p>Firejail is a neat way to start software in sandboxes without requiring any particular setup. It may be more limited and maybe less reliable than OpenBSD programs that received unveil() support, but it's a nice trade-off between safety and required work within the source code (literally none). It is a very interesting project that proves to work easily on any Linux system, with simple C source code and few dependencies. I am not really familiar with the Linux kernel and its features, but Firejail seems to use seccomp-bpf and namespaces; I guess they are complicated to use but powerful, and Firejail comes here as a wrapper to automate all of this.
587 </p>
588 <p>Firejail has proven to be USABLE and RELIABLE for me, while my attempts at sandboxing Firefox with AppArmor were tedious and not optimal. I really recommend it.
589 </p>
590 <h2> More resources</h2>
591 <p><a href='https://firejail.wordpress.com/'>Official project website with releases and security information</a></p>
592 <p><a href='https://github.com/netblue30/firejail'>Firejail sources and documentation</a></p>
593 <p><a href='https://github.com/chiraag-nataraj/firejail-profiles'>Community profiles 1</a></p>
594 <p><a href='https://github.com/nyancat18/fe'>Community profiles 2</a></p>
595
596 ]]>
597 </description>
598 <guid>https://dataswamp.org/~solene/2021-02-14-linux-firejail.html</guid>
599 <link>https://dataswamp.org/~solene/2021-02-14-linux-firejail.html</link>
600 <pubDate>Sun, 14 Feb 2021 00:00:00 GMT</pubDate>
601 </item>
602 <item>
603 <title>Bandwidth limiting on OpenBSD 6.8</title>
604 <description>
605 <![CDATA[
606 <p>This is a February 2021 update of a text originally published in April 2017.
607 </p>
608 <h2> Introduction</h2>
609 <p>I will explain how to limit bandwidth on OpenBSD using the queuing capability of its firewall PF (Packet Filter). It is a very powerful feature but it may be hard to understand at first. What is very important to understand is that it's technically not possible to limit the download bandwidth of the whole system: once data is arriving on your network interface, it's already there, sent by your router. What is possible is to limit the upload rate in order to cap the download rate.
610 </p>
611 <p><a href='https://man.openbsd.org/pf.conf#QUEUEING'>OpenBSD pf.conf man page about queuing</a></p>
612 <h2> Prerequisites</h2>
613 <p>My home internet access allows me to download at 1600 kB/s and upload at 95 kB/s. An easy way to limit bandwidth is to compute a percentage of your upload rate, which should apply the same ratio to your download speed as well (this may not be very precise and may require tweaks).
614 </p>
615 <p>PF syntax requires bandwidth to be defined in kilobits (kb) and not kilobytes (kB); multiplying by 8 converts from kB to kb.
616 </p>
617 <h2> Configuration</h2>
618 <p>Edit the file /etc/pf.conf as root and add the following before any pass/match/drop rules; in the example my main interface is em0.
619 </p>
620 <pre><code># we define a main queue (requirement)
621 queue main on em0 bandwidth 1G
622
623 # set a queue for everything
624 queue normal parent main bandwidth 200K max 200K default
625 </code></pre>
626 <p>Then reload with `pfctl -f /etc/pf.conf` as root. You can monitor the queue working with `systat queue`.
627 </p>
628 <pre><code>QUEUE        BW/FL SCH    PKTS     BYTES    DROP_P DROP_B QLEN
629 main on em0  1000M fifo        0         0      0      0    0
630  normal      1000M fifo   535424  36032467      0      0   60
631 </code></pre>
632 <h2> More control (per user / protocol)</h2>
633 <p>This is only a global queuing rule that will apply to everything on the system. It can be greatly extended for specific needs. For example, I use the program "oasis", which is a daemon for a peer-to-peer social network; sometimes it has upload bursts because someone is syncing against my computer, so I use the following rule to limit the upload bandwidth of this user.
634 </p>
635 <pre><code># within the queue rules
636 queue oasis parent main bandwidth 150K max 150K
637
638 # in your match rules
639 match on egress proto tcp from any to any user oasis set queue oasis
640 </code></pre>
641 <p>Instead of a user, the rule could match a "to" address; I used to have such rules when I wanted to limit my upload bandwidth when uploading videos through the PeerTube web interface.
642 </p>
643
644 ]]>
645 </description>
646 <guid>https://dataswamp.org/~solene/2021-02-07-limit.html</guid>
647 <link>https://dataswamp.org/~solene/2021-02-07-limit.html</link>
648 <pubDate>Sun, 07 Feb 2021 00:00:00 GMT</pubDate>
649 </item>
650 <item>
651 <title>How to set a system wide bandwidth limit on Linux systems</title>
652 <description>
653 <![CDATA[
654 <p>In these times of remote work / home office, you may have a limited bandwidth shared with other people/devices. Not all software provides a way to limit bandwidth usage (package managers, Youtube video players etc.).
655 </p>
656 <p>Fortunately, Linux has a very nice program, very easy to use, that limits your bandwidth in one command. This program is « Wondershaper » and it uses the Linux QoS framework that is usually manipulated with "tc", but it makes setting limits VERY easy.
657 </p>
658 <p><a href='https://www.linux.com/training-tutorials/qos-linux-tc-and-filters/'>What are QoS, TC and Filters on Linux</a></p>
659 <p>On most distributions, wondershaper will be available as a package under its own name. I found a few distributions that didn't provide it (NixOS at least), and some provide various wondershaper versions.
660 </p>
661 <p>To know if you have the newer version, "wondershaper --help" should mention the "-d" and "-u" flags; the older version doesn't have them.
662 </p>
663 <p>Wondershaper requires the download and upload bandwidths to be set in kb/s (kilobits per second, not kilobytes). I personally only know my bandwidth in kB/s, which is 1/8 of its kb/s equivalent. My home connection is 1600 kB/s max in download and 95 kB/s max in upload, so I can use wondershaper to limit to 1000 / 50 so it won't affect the other devices on my network much.
664 </p>
665 <pre><code># my network device is enp3s0
666 # new wondershaper
667 sudo wondershaper -a enp3s0 -d $(( 1000 * 8 )) -u $(( 50 * 8 ))
668
669 # old wondershaper
670 sudo wondershaper enp3s0 $(( 1000 * 8 )) $(( 50 * 8 ))
671 </code></pre>
672 <p>I use a multiplication to convert from kB/s to kb/s and still keep the command understandable to me. Once a limit is set, wondershaper can be used to clear the limit to get the full bandwidth available again.
673 </p>
674 <pre><code># new wondershaper
675 sudo wondershaper -c -a enp3s0
676
677 # old wondershaper
678 sudo wondershaper clear enp3s0
679 </code></pre>
680 <p>There are so many programs that don't allow limiting download/upload speeds; wondershaper's effectiveness and ease of use are a blessing.
681 </p>
682
683 ]]>
684 </description>
685 <guid>https://dataswamp.org/~solene/2021-02-06-wondershaper.html</guid>
686 <link>https://dataswamp.org/~solene/2021-02-06-wondershaper.html</link>
687 <pubDate>Sat, 06 Feb 2021 00:00:00 GMT</pubDate>
688 </item>
689 <item>
690 <title>Filtering TCP connections by operating system on OpenBSD</title>
691 <description>
692 <![CDATA[
693 <h3> Introduction</h3>
694 <p>In this text I will explain how to filter TCP connections by operating system using OpenBSD Packet filter.
695 </p>
696 <p><a href='https://man.openbsd.org/pf.conf#OPERATING_SYSTEM_FINGERPRINTING'>OpenBSD pf.conf man page about OS Fingerprinting</a></p>
697 <h3> Explanations</h3>
698 <p>Every operating system has its own way to construct SYN packets; this is called fingerprinting because it permits identifying which OS sent which packet. It must be clear that this is not a perfect filter and may easily be bypassed by someone who wants to.
699 </p>
700 <p>Because some packets are required to identify the operating system, only TCP connections can be filtered by OS. The OS list and SYN values can be found in the file /etc/pf.os.
701 </p>
702 <h3> How to setup</h3>
703 <p>The keyword "os $value" must be used within the "from $address" clause. I use it to restrict ssh connections to my server to OpenBSD systems only (in addition to key authentication).
704 </p>
705 <pre><code># only allow OpenBSD hosts to connect
706 pass in on egress inet proto tcp from any os OpenBSD to (egress) port 22
707
708 # allow connections from $home IP whatever the OS is
709 pass in on egress inet proto tcp from $home to (egress) port 22
710 </code></pre>
711 <p>This can be a very good way to stop unwanted traffic spamming the logs, but it should be used with caution because you may inadvertently block legitimate traffic.
712 </p>
713
714 ]]>
715 </description>
716 <guid>https://dataswamp.org/~solene/2021-02-06-openbsd-pf-os-filtering.html</guid>
717 <link>https://dataswamp.org/~solene/2021-02-06-openbsd-pf-os-filtering.html</link>
718 <pubDate>Sat, 06 Feb 2021 00:00:00 GMT</pubDate>
719 </item>
720 <item>
721 <title>Using pkgsrc on OpenBSD</title>
722 <description>
723 <![CDATA[
724 <p>This quick article will explain how to install pkgsrc packages on an OpenBSD installation. This is something regularly asked on the #openbsd freenode irc channel. I am not convinced of the relevance of using pkgsrc under OpenBSD, but why not :)
725 </p>
726 <p>I will cover an unprivileged installation that doesn't require root. I will use packages from the 2020Q4 release; I may not update this text regularly so you will have to adapt to your current year.
727 </p>
728 <pre><code>$ cd ~/
729 $ ftp https://cdn.NetBSD.org/pub/pkgsrc/pkgsrc-2020Q4/pkgsrc.tar.gz
730 $ tar -xzf pkgsrc.tar.gz
731 $ cd pkgsrc/bootstrap
732 $ ./bootstrap --unprivileged
733 </code></pre>
734 <p>From now on you must add the path ~/pkg/bin to your $PATH environment variable. The pkgsrc tree is in ~/pkgsrc/ and all the relevant files for it to work are in ~/pkg/.
735 </p>
736 <p>You can install programs by looking for the directory of the software you want in ~/pkgsrc/ and running "bmake install" there, for example in ~/pkgsrc/chat/irssi/ to install the irssi irc client.
737 </p>
738 <p>I'm not sure X11 software compiles well; I got compilation errors building dbus as a dependency of x11/xterm, maybe clashing with Xenocara from the base system... I don't really want to investigate this further though.
739 </p>
740
741 ]]>
742 </description>
743 <guid>https://dataswamp.org/~solene/2021-02-06-pkgsrc-on-openbsd.html</guid>
744 <link>https://dataswamp.org/~solene/2021-02-06-pkgsrc-on-openbsd.html</link>
745 <pubDate>Sat, 06 Feb 2021 00:00:00 GMT</pubDate>
746 </item>
747 <item>
748 <title>Enable multi-factor authentication on OpenBSD</title>
749 <description>
750 <![CDATA[
751 <h1> Introduction</h1>
752 <p>In this article I will explain how to add a bit more security to your OpenBSD system by adding a requirement for users logging into the system, locally or by ssh. I will explain how to set up 2 factor authentication (2FA) using TOTP on OpenBSD.
753 </p>
754 <p><a href='https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm'>What is TOTP (Time-based One time Password)</a></p>
755 <p>When do you want or need this? It adds a burden in terms of usability: in addition to your password you will need a device that has been pre-configured to generate the one time passwords, and if you don't have it you won't be able to log in (that's the whole point). Let's say you activated 2FA for ssh connections on an important server: if your private ssh key gets stolen (and without a passphrase, bouh!), the attacker will not be able to connect to the SSH server without having access to your TOTP generator.
756 </p>
757 <h1> TOTP software</h1>
758 <p>Here is a quick list of TOTP software:
759 </p>
760 <p>- command line: oathtool from package oath-toolkit
761 </p>
762 <p>- GUI and multiplatform: KeepassXC
763 </p>
764 <p>- Android: FreeOTP+, andOTP, OneTimePass etc.. (watched on F-droid)
765 </p>
766 <h1> Setup</h1>
767 <p>A package is required in order to provide the various programs needed. The package comes with a README file available at /usr/local/share/doc/pkg-readmes/login_oath with many explanations about how to use it. I will take a lot of information from there for the local login setup.
768 </p>
769 <pre><code># pkg_add login_oath
770 </code></pre>
771 <p>You will have to add a new login class, depending on the kind of authentication you want. You can either allow password OR TOTP, or require password AND TOTP (in the form of TOTP_CODE/password as the password to type). From the README file, add what you want to use to /etc/login.conf:
772 </p>
773 <pre><code># totp OR password
774 totp:\
775 	:auth=-totp,passwd:\
776 	:tc=default:
777
778 # totp AND password
779 totppw:\
780 	:auth=-totp-and-pwd:\
781 	:tc=default:
782 </code></pre>
783 <p>If you have a /etc/login.conf.db file, you have to run cap_mkdb on /etc/login.conf to update it; most people don't need this, it only helps a bit with performance when you have many, many rules in /etc/login.conf.
784 </p>
785 <h1> Local login</h1>
786 <p>Local login means logging in on a TTY or in your X session, or anything requiring your system password. You can then assign the users you want to use TOTP to the corresponding login class with this command.
787 </p>
788 <pre><code># usermod -L totp some_user
789 </code></pre>
790 <p>In the user directory, you have to generate a key and give it the correct permissions.
791 </p>
792 <pre><code>$ openssl rand -hex 20 > ~/.totp-key
793 $ chmod 400 ~/.totp-key
794 </code></pre>
795 <p>The .totp-key file contains the secret that will be used by the TOTP generator, but most generators will only accept it encoded as base32. You can use the following python3 command to convert the secret into base32.
796 </p>
797 <pre><code>python3 -c "import base64; print(base64.b32encode(bytes.fromhex('YOUR SECRET HERE')).decode('utf-8'))"
798 </code></pre>
799 <h1> SSH login</h1>
800 <p>It is possible to require your users to use TOTP or a public key + TOTP. When you refer to "password" in ssh, this is the same password as for login, so it can be the plain password for a regular user, the TOTP code for users in the totp class, and TOTP/password for users in the totppw class.
801 </p>
802 <p>This allows fine grained tuning of login options. The password requirement in SSH can be enabled per user or globally by modifying the file /etc/ssh/sshd_config.
803 </p>
804 <p><a href='https://man.openbsd.org/sshd_config#AuthenticationMethods'>sshd_config man page about AuthenticationMethods</a></p>
805 <pre><code># enable for everyone
806 AuthenticationMethods publickey,password
807
808 # for one user
809 Match User solene
810 AuthenticationMethods publickey,password
811 </code></pre>
812 <p>Let's say you enabled the totppw class for your user and you use "publickey,password" in the AuthenticationMethods in ssh. You will need your ssh private key AND your password AND your TOTP generator.
813 </p>
814 <p>Even without TOTP, by using this setting in SSH you can require users to use their key and their system password in order to log in. TOTP only adds more strength to the requirements to connect, but also more complexity for people who may not be comfortable with such security levels.
815 </p>
816 <h1> Conclusion</h1>
817 <p>In this text we have seen how to enable 2FA for your local login and for login over ssh. Be careful not to lock yourself out of your system by losing the 2FA generator.
818 </p>
819
820 ]]>
821 </description>
822 <guid>https://dataswamp.org/~solene/2021-02-06-openbsd-2fa.html</guid>
823 <link>https://dataswamp.org/~solene/2021-02-06-openbsd-2fa.html</link>
824 <pubDate>Sat, 06 Feb 2021 00:00:00 GMT</pubDate>
825 </item>
826 <item>
827 <title>NixOS review: pros and cons</title>
828 <description>
829 <![CDATA[
830 <p>Hello, in this article I would like to share my thoughts about the NixOS Linux distribution. I've been using it daily for more than six months as my main workstation at work and on some computers at home too. I also made modest contributions to the git repository.
831 </p>
832 <p><a href='https://nixos.org/'>NixOS official website</a></p>
833 <h2> Introduction</h2>
834 <p>NixOS is a Linux distribution built around the Nix tool. I'll try to explain quickly what Nix is, but if you want more accurate explanations I recommend visiting the project website. Nix is the package manager of the system; Nix can be used on any Linux distribution on top of the distribution's package manager. NixOS is built from top to bottom with Nix.
835 </p>
836 <p>This makes NixOS a system entirely different from what one can expect from a regular Linux/Unix system (with the exception of Guix, which shares the same idea with a different implementation). The NixOS system configuration is stateless, most of the system is read-only and most of the paths you know don't exist. The /bin directory only contains "sh", which is a symlink.
837 </p>
838 <p>The whole system configuration: fstab, packages, users, services, crontab, firewall... is configured from a global configuration file that defines the state of the system.
839 </p>
840 <p>Here is an example from my configuration file to enable a graphical interface with Mate as the desktop and a French keyboard layout.
841 </p>
842 <pre><code>services.xserver.enable = true;
843 services.xserver.layout = "fr";
844 services.xserver.libinput.enable = true;
845 services.xserver.displayManager.lightdm.enable = true;
846 services.xserver.desktopManager.mate.enable = true;
847 </code></pre>
848 <p>I could add the following lines to the configuration to enable auto login into my graphical session.
849 </p>
850 <pre><code>services.xserver.displayManager.autoLogin.enable = true;
851 services.xserver.displayManager.autoLogin.user = "solene";
852 </code></pre>
853 <h2> Pros</h2>
854 <p>There are a lot of pros. The system is really easy to set up; installing a system (for a reinstall or to replicate an installation) is very easy, you only need to get the configuration.nix file from the other/previous system. Everything is very fast to set up; it's often only a few lines to add to the configuration.
855 </p>
856 <p>Every time the system is rebuilt from the configuration file, a new grub entry is made, so at boot you can choose which environment you want to boot. This makes upgrades or experiments very easy to roll back, and safe.
857 </p>
858 <p>Documentation! The NixOS documentation is very nice and is part of the code. There is a special man page "configuration.nix" on the system that contains all the variables you can define, what values to expect, what the default is and what it does. You can literally search for "steam", "mediawiki" or "luks" to get the information to configure your system.
859 </p>
860 <p><a href='https://nixos.org/learn.html'>All the documentation</a></p>
861 <p>Builds are reproducible. I don't consider it a huge advantage but it's nice to have. This allows challenging a package mirror by building packages locally and verifying they are exactly the same as the packages on the mirror.
862 </p>
863 <p>It has a lot of packages. I think the NixOS team is pretty happy to share their statistics because, if I got it right, Nixpkgs is the biggest and most up to date repository alive.
864 </p>
865 <p><a href='https://search.nixos.org/packages'>Search for a package</a></p>
866 <h2> Cons</h2>
867 <p>When you download a precompiled Linux program that isn't statically built, it's a huge pain to make it work on NixOS. The binary will expect some paths to exist in the usual places, but they won't exist on NixOS. There are some tricks to get them working but it's not always easy. If the program you want isn't in the packages, it may not be easy to use it. Flatpak can help to get some programs if they are not in the packages, though.
868 </p>
869 <p><a href='https://nixos.wiki/wiki/Packaging/Binaries'>Running binaries</a></p>
870 <p>It takes disk space: several copies of a library can exist at the same time with small compilation differences. A program can also exist in several versions at the same time because previous builds are still available for boot in GRUB; if you forget to clean them up, they take a lot of space.
871 </p>
872 <p>The whole system (especially graphical environments) may not feel as polished as more mainstream distributions that put a lot of effort into branding and customization. NixOS will only install everything, and you will have a quite raw environment that you will have to configure. It's not a real con, but compared to other desktop-oriented distributions, NixOS may not look as good out of the box.
873 </p>
874 <h2> Conclusion</h2>
875 <p>NixOS is an awesome piece of software. It works very well and I never had any reliability issue with it. Some services like xrdp are usually quite complex to set up, but it worked out of the box for me here.
876 </p>
877 <p>I see it as a huge Lego© box with which you can automate the building of the super system you want, provided you have the schematics of its parts. Once you need a block you don't have in your recipe list, you will have a hard time.
878 </p>
879 <p>I really put it in its own category: next to Linux/BSD distributions and Windows, there is the NixOS / Guix category of stateless systems whose configuration is their code.
880 </p>
881
882 ]]>
883 </description>
884 <guid>https://dataswamp.org/~solene/2021-01-22-nixos-personal-review.html</guid>
885 <link>https://dataswamp.org/~solene/2021-01-22-nixos-personal-review.html</link>
886 <pubDate>Fri, 22 Jan 2021 00:00:00 GMT</pubDate>
887 </item>
888 <item>
889 <title>Vger security analysis</title>
890 <description>
891 <![CDATA[
892 <p>I would like to share some Vger internals regarding how security was designed in to protect vger users and host systems.
893 </p>
894 <p><a href='https://tildegit.org/solene/vger'>Vger code repository</a></p>
895 <h2> Thinking about security first</h2>
896 <p>I claim security as Vger's main feature; I even wrote Vger to have a secure Gemini server that I can trust. Why so? It's written in C and I'm a beginner developer in this language, which looks like a scam.
897 </p>
898 <p>I chose to follow the best practices I'm aware of from the very first line. My goal is to be sure Vger can't be used to exfiltrate data from the host on which it runs, or to run arbitrary commands. While I may have missed corner cases in which it could crash, I think a crash is the worst that can happen with Vger.
899 </p>
900 <h3> Smallest code possible</h3>
901 <p>Vger doesn't have to manage connections or TLS; this design choice already removed a lot of code. There are better tools made exactly for this purpose, so it's time to reuse other people's good work.
902 </p>
903 <h3> Inetd and user</h3>
904 <p>Vger is run by the inetd daemon, which allows choosing the user running vger. Using a dedicated user is always a good idea to limit the harm in case of an issue, but it's really not sufficient to prevent vger from behaving badly.
905 </p>
906 <p>Another kind of security benefit is that vger's runtime isn't looping like a daemon awaiting new connections. Vger accepts a request, reads a file if it exists, gives its result and terminates. This is less error prone because no variable can be reused or tricked after a loop that could leave the code in an inconsistent or vulnerable state.
907 </p>
908 <h3> Chroot</h3>
909 <p>A critical vger feature is the ability to chroot into a directory, meaning the directory is now seen as the root of the file system (/var/gemini would be seen as /), which prevents vger from escaping it. In addition to the chroot feature, this also allows vger to drop to an unprivileged user.
910 </p>
911 <pre><code>/*
912  * use chroot() if a user is specified; running the program as root is
913  * required to call chroot(), after which privileges are dropped
914  */
915 if (strlen(user) > 0) {
916 
917     /* is root? */
918     if (getuid() != 0) {
919         syslog(LOG_DAEMON | LOG_ERR, "chroot requires program to be run as root"); /* facility | severity */
920         errx(1, "chroot requires root user");
921     }
922     /* search user uid from name */
923     if ((pw = getpwnam(user)) == NULL) {
924         syslog(LOG_DAEMON | LOG_ERR, "the user %s can't be found on the system", user);
925         err(1, "finding user");
926     }
927     /* chroot worked? */
928     if (chroot(path) != 0) {
929         syslog(LOG_DAEMON | LOG_ERR, "the chroot_dir %s can't be used for chroot", path);
930         err(1, "chroot");
931     }
932     chrooted = 1;
933     if (chdir("/") == -1) {
934         syslog(LOG_DAEMON | LOG_ERR, "failed to chdir(\"/\")");
935         err(1, "chdir");
936     }
937     /* drop privileges: supplementary groups first, then gid, then uid, setting all three ids each time */
938     if (setgroups(1, &pw->pw_gid) ||
939         setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) ||
940         setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid)) {
941         syslog(LOG_DAEMON | LOG_ERR, "dropping privileges to user %s (uid=%i) failed",
942             user, pw->pw_uid);
943         err(1, "Can't drop privileges");
944     }
945 }
946 </code></pre>
947 <h3> No use of third party libs</h3>
948 <p>Vger only requires the standard C includes, which avoids placing trust in dozens of developers' fragile or barely tested code.
949 </p>
950 <h3> OpenBSD specific code</h3>
951 <p>In addition to all the previous security practices, OpenBSD offers a few functions that help restrict a lot of what Vger can do.
952 </p>
953 <p>The first function is pledge, which restricts the system calls that can happen within the code itself. The syscalls currently allowed in vger belong to the "rpath" and "stdio" categories, basically standard input/output and reading files/directories only. This means that after pledge() is called, if any syscall outside those two categories is used, vger will be killed and a pledge violation will be reported in the logs.
954 </p>
955 <p>The second function is unveil, which restricts filesystem access to only the paths you list, with the permissions you give. Currently, vger only allows read-only file access in the base directory used to serve files.
956 </p>
957 <p>Here is an extract of the OpenBSD specific code. If unveil were available everywhere, chroot wouldn't be required.
958 </p>
959 <pre><code>#ifdef __OpenBSD__
960     /*
961      * prevent access to files other than the ones in path
962      */
963     if (chrooted) {
964         eunveil("/", "r");
965     } else {
966         eunveil(path, "r");
967     }
968     /*
969      * allow only the system calls needed to parse the query, read the
970      * file and write to stdio
971      */
972     if (pledge("stdio rpath", NULL) == -1) {
973         syslog(LOG_DAEMON | LOG_ERR, "pledge call failed"); /* facility | severity */
974         err(1, "pledge");
975     }
976 #endif
977 </code></pre>
978 <h2> The least code before dropping privileges</h2>
979 <p>I did my best to use the least code possible before reducing Vger's capabilities. Only the code managing the parameters runs before activating chroot and/or unveil/pledge.
980 </p>
981 <pre><code>int
982 main(int argc, char **argv)
983 {
984     char request [GEMINI_REQUEST_MAX] = {'\0'};
985     char hostname [GEMINI_REQUEST_MAX] = {'\0'};
986     char uri [PATH_MAX] = {'\0'};
987     char user [LOGIN_NAME_MAX] = ""; /* LOGIN_NAME_MAX (limits.h) is the size; _SC_LOGIN_NAME_MAX is only a sysconf() name */
988     int virtualhost = 0;
989     int option = 0;
990     char *pos = NULL;
991 
992     while ((option = getopt(argc, argv, ":d:l:m:u:vi")) != -1) {
993         switch (option) {
994         case 'd':
995             estrlcpy(chroot_dir, optarg, sizeof(chroot_dir));
996             break;
997         case 'l':
998             estrlcpy(lang, "lang=", sizeof(lang));
999             estrlcat(lang, optarg, sizeof(lang));
1000             break;
1001         case 'm':
1002             estrlcpy(default_mime, optarg, sizeof(default_mime));
1003             break;
1004         case 'u':
1005             estrlcpy(user, optarg, sizeof(user));
1006             break;
1007         case 'v':
1008             virtualhost = 1;
1009             break;
1010         case 'i':
1011             doautoidx = 1;
1012             break;
1013         }
1014     }
1015 
1016     /*
1017      * do chroot if a user is supplied; run pledge/unveil if OpenBSD
1018      */
1019     drop_privileges(user, chroot_dir);
1020 </code></pre>
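<p>The <code>request</code>, <code>hostname</code> and <code>uri</code> buffers above are filled from the request line read on stdin, which is the only untrusted input left once privileges are dropped. What follows is an added example, not Vger's code: a bounded parser for that line that enforces the Gemini limit of 1024 URL bytes plus CRLF, rejects control bytes, percent-decodes the path before inspecting it, and refuses any <code>..</code> segment, so the result can be appended to the served directory even on a system without chroot or unveil. The function and status names (<code>parse_gemini_request</code>, <code>REQ_*</code>, the <code>classify</code> wrapper) are assumptions of this example.</p>

```c
/* Added example (not Vger's code): bounded parsing and validation of the
 * Gemini request line read from stdin. All names here are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define GEMINI_REQUEST_MAX 1024   /* URL byte limit from the Gemini spec, CRLF excluded */
#define HOST_SZ 256
#define PATH_SZ 1024

enum req_status { REQ_OK = 0, REQ_NO_CRLF, REQ_TOO_LONG, REQ_BAD_CHAR,
                  REQ_BAD_SCHEME, REQ_BAD_HOST, REQ_BAD_PCT, REQ_TRAVERSAL };

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Percent-decode src[0..srclen) into dst. Fails on a malformed escape, on
 * any decoded control byte (NUL included) and on overflow. */
static int pct_decode(const char *src, size_t srclen, char *dst, size_t dstsz)
{
    size_t o = 0;
    for (size_t i = 0; i < srclen; i++) {
        int c = (unsigned char)src[i];
        if (c == '%') {
            if (i + 2 >= srclen) return -1;
            int hi = hexval((unsigned char)src[i + 1]);
            int lo = hexval((unsigned char)src[i + 2]);
            if (hi < 0 || lo < 0) return -1;
            c = hi * 16 + lo;
            i += 2;
        }
        if (c < 0x20 || c == 0x7f || o + 1 >= dstsz) return -1;
        dst[o++] = (char)c;
    }
    dst[o] = '\0';
    return 0;
}

/* Validate one raw request (CRLF included). On REQ_OK, host is lower-cased and
 * path is the decoded path, starting with '/' and free of ".." segments. */
enum req_status parse_gemini_request(const char *raw, size_t rawlen,
                                     char *host, size_t hostsz,
                                     char *path, size_t pathsz)
{
    if (rawlen < 2 || raw[rawlen - 2] != '\r' || raw[rawlen - 1] != '\n')
        return REQ_NO_CRLF;
    size_t len = rawlen - 2;
    if (len > GEMINI_REQUEST_MAX)
        return REQ_TOO_LONG;
    for (size_t i = 0; i < len; i++)      /* control bytes and spaces never belong in a URL */
        if ((unsigned char)raw[i] <= 0x20 || (unsigned char)raw[i] == 0x7f)
            return REQ_BAD_CHAR;
    if (len < 9 || strncasecmp(raw, "gemini://", 9) != 0)
        return REQ_BAD_SCHEME;
    const char *p = raw + 9;
    len -= 9;
    size_t hl = 0;                        /* host runs up to '/', '?' or the end */
    while (hl < len && p[hl] != '/' && p[hl] != '?')
        hl++;
    if (hl == 0 || hl >= hostsz)
        return REQ_BAD_HOST;
    for (size_t i = 0; i < hl; i++) {
        unsigned char c = (unsigned char)p[i];
        if (!isalnum(c) && c != '-' && c != '.' && c != ':')
            return REQ_BAD_HOST;
        host[i] = (char)tolower(c);       /* host names compare case-insensitively */
    }
    host[hl] = '\0';
    p += hl; len -= hl;
    size_t pl = 0;                        /* path stops at the query string */
    while (pl < len && p[pl] != '?')
        pl++;
    if (pl == 0) {                        /* "gemini://host" means the root */
        snprintf(path, pathsz, "/");
        return REQ_OK;
    }
    if (pct_decode(p, pl, path, pathsz) != 0)
        return REQ_BAD_PCT;
    for (const char *seg = path;;) {      /* inspect segments only after decoding */
        const char *slash = strchr(seg, '/');
        size_t sl = slash ? (size_t)(slash - seg) : strlen(seg);
        if (sl == 2 && seg[0] == '.' && seg[1] == '.')
            return REQ_TRAVERSAL;
        if (slash == NULL) break;
        seg = slash + 1;
    }
    return REQ_OK;
}

/* Small wrappers so the results can be inspected by a caller or a test. */
static char g_host[HOST_SZ], g_path[PATH_SZ];
enum req_status classify(const char *raw)
{
    return parse_gemini_request(raw, strlen(raw), g_host, sizeof g_host, g_path, sizeof g_path);
}
const char *last_host(void) { return g_host; }
const char *last_path(void) { return g_path; }
int too_long_request_is_rejected(void)
{
    char buf[GEMINI_REQUEST_MAX + 16];
    size_t n = GEMINI_REQUEST_MAX + 1;    /* one byte over the limit before CRLF */
    memset(buf, 'a', sizeof buf);
    memcpy(buf, "gemini://h/", 11);
    buf[n] = '\r'; buf[n + 1] = '\n'; buf[n + 2] = '\0';
    return classify(buf) == REQ_TOO_LONG;
}
```

<p>The check on <code>..</code> runs on the decoded path on purpose: a segment written as <code>%2e%2e</code> is harmless as long as nobody decodes it, but a server that decodes after checking would reopen the hole. Every rejection maps to a distinct status, which is what you want for the "51 not found" / "59 bad request" responses and for the logs.</p>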
1021 <h2> The Unix way</h2>
1022 <p>Unix is made of small components that work together like small bricks to build something more complex. Vger is based on this idea: it delegates the listening daemon that handles incoming requests to another piece of software (say relayd or haproxy). Then, what's left of the Gemini spec once you delegate TLS is to take a request and return some content, which is well suited to a program accepting a request on its standard input and giving the result on standard output. Inetd is key here to make such a program compatible with a daemon like relayd or haproxy. When a connection is made to the TLS listening daemon, a local port triggers inetd, which runs the command, passing the network content to the binary on its stdin.
1023 </p>
1024 <h2> Fine grained CGI</h2>
1025 <p>CGI support was added to allow Vger to produce dynamic content instead of serving only static files. It has fine-grained control: you can allow only one file to be executable as a CGI, or a whole directory of files. When serving a CGI, vger forks, a pipe is opened between the two processes, and the child process uses execlp to run the CGI and transmit its output to vger.
1026 </p>
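<p>As an added example (not Vger's code), here is the fork, pipe and exec sequence just described, written so that the parent collects the CGI's output into a bounded buffer and reports the child's exit status. It differs from the description in one deliberate way: it passes an explicit, minimal environment with <code>execve</code> instead of inheriting the server's environment with <code>execlp</code>, so the CGI only sees what it needs. <code>run_cgi</code>, <code>run_shell_cgi</code> and the other helper names are assumed for this example.</p>

```c
/* Added example (not Vger's code): run a CGI program with its stdout
 * connected to a pipe and collect its output. Names are assumptions. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns the CGI's exit status, or -1 if it could not be run, died from a
 * signal, or produced more than outsz-1 bytes (truncation is an error, not
 * something to serve silently). out is always NUL-terminated. */
int run_cgi(const char *prog, char *const argv[], char *const envp[],
            char *out, size_t outsz, size_t *outlen)
{
    int fds[2], status, truncated = 0;
    size_t n = 0;

    if (pipe(fds) == -1)
        return -1;
    pid_t pid = fork();
    if (pid == -1) {
        close(fds[0]); close(fds[1]);
        return -1;
    }
    if (pid == 0) {                           /* child: stdout -> pipe, then exec */
        close(fds[0]);
        if (dup2(fds[1], STDOUT_FILENO) == -1)
            _exit(127);
        close(fds[1]);
        execve(prog, argv, envp);             /* explicit environment, nothing inherited */
        _exit(127);                           /* only reached when execve fails */
    }
    close(fds[1]);                            /* parent keeps only the read end */
    for (;;) {
        char scratch;
        int room = n + 1 < outsz;
        ssize_t r = read(fds[0], room ? out + n : &scratch,
                         room ? outsz - 1 - n : 1);
        if (r == 0)
            break;
        if (r == -1) {
            if (errno == EINTR) continue;
            break;
        }
        if (!room) { truncated = 1; break; }  /* child had more to say than we accept */
        n += (size_t)r;
    }
    out[n] = '\0';
    *outlen = n;
    close(fds[0]);                            /* a child still writing now gets SIGPIPE */
    if (waitpid(pid, &status, 0) == -1 || truncated || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Helpers: run a shell snippet as the CGI with a minimal environment. */
static char g_out[4096];

int run_shell_cgi(const char *script)
{
    char *const argv[] = { "sh", "-c", (char *)script, NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    size_t n;
    return run_cgi("/bin/sh", argv, envp, g_out, sizeof g_out, &n);
}
const char *last_cgi_output(void) { return g_out; }

int missing_cgi_is_reported(void)
{
    char *const argv[] = { "nope", NULL };
    char *const envp[] = { NULL };
    size_t n;
    return run_cgi("/nonexistent/cgi", argv, envp, g_out, sizeof g_out, &n) == 127;
}

int oversized_output_is_an_error(void)
{
    char small[16];                           /* deliberately too small for the 20-byte output */
    char *const argv[] = { "sh", "-c", "printf '%s' 0123456789abcdef0123", NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    size_t n;
    return run_cgi("/bin/sh", argv, envp, small, sizeof small, &n) == -1;
}
```

<p>The child inherits whatever the parent already gave up (chroot, unprivileged uid), so a CGI never runs with more than Vger itself has. An exec failure shows up as status 127 rather than a hang, and output larger than the buffer is reported as an error instead of being served cut in half.</p>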
1027 <h2> Using tests</h2>
1028 <p>From the beginning, I wrote a set of tests to be sure that once a kind of request or a use case works, I can easily check that I won't break it. This isn't about security but about reliability. When I push a new version to the git repository, I am absolutely confident it will work for the users. It was also an invaluable help for writing Vger.
1029 </p>
1030 <p>As vger is a simple binary that accepts data on stdin and outputs data on stdout, it is simple to write tests like this. The following example runs vger with a request; as the content is local and within the git repository, the output is predictable and known.
1031 </p>
1032 <pre><code>printf "gemini://host.name/autoidx/\r\n" | vger -d var/gemini/
1033 </code></pre>
1034 <p>From here, it's possible to build an automatic test by comparing the checksum of the output with the checksum of the known correct output. Of course, when you add a new use case, this requires manually generating the checksum to use it as the reference later.
1035 </p>
1036 <pre><code>OUT=$(printf "gemini://host.name/autoidx/\r\n" | ../vger -d var/gemini/ -i | md5)
1037 if ! [ "$OUT" = "770a987b8f5cf7169e6bc3c6563e1570" ]
1038 then
1039     echo "error"
1040     exit 1
1041 fi
1042 </code></pre>
1043 <p>At this time, vger has 19 use cases in its test suite.
1044 </p>
1045 <p>By using the program `entr` and a Makefile to manage the build process, it was very easy to trigger the test run while working on the source code, letting me check the test suite just by saving my current changes. Any time a .c file is modified, entr triggers a make test command whose output is displayed in a dedicated terminal.
1046 </p>
1047 <pre><code>ls *.c | entr make test
1048 </code></pre>
1049 <p>Realtime integration tests? :)
1050 </p>
1051 <h1> Conclusion</h1>
1052 <p>By using best practices, reducing the amount of code and using only system libraries, I am quite confident about Vger's security. The only real issue could be too many connections leading to quite a high load, due to inetd spawning a new process per connection, resulting in a denial of service. This could be avoided by throttling simultaneous connections in the TLS daemon.
1053 </p>
1054 <p>If you want to contribute, please do, and if you find a security issue please contact me; I'll be glad to examine it.
1055 </p>
1056
1057 ]]>
1058 </description>
1059 <guid>https://dataswamp.org/~solene/2021-01-14-vger-security.html</guid>
1060 <link>https://dataswamp.org/~solene/2021-01-14-vger-security.html</link>
1061 <pubDate>Thu, 14 Jan 2021 00:00:00 GMT</pubDate>
1062 </item>
1063 <item>
1064 <title>Free time partitionning</title>
1065 <description>
1066 <![CDATA[
1067 <p>Lately I wanted to change the way I use my free time. I define my free time as: not working, not sleeping, not eating. So I estimate it at six hours a day on work days and fourteen hours on non-work days.
1068 </p>
1069 <p>With the year 2020 being quite unusual, I was staying at home most of the time without noticing time passing. At the end of the year, I started to mix up the durations of weeks and months, which disturbed me a lot.
1070 </p>
1071 <p>For a few weeks now, I have been changing the way I spend my free time. I thought it would be nice to have a few separate activities in the same day to help me realize how time is passing by.
1072 </p>
1073 <h1> Activity list</h1>
1074 <p>Here is the way I chose to distribute my free time. It's not a strict approach; I measure nothing. But I try to keep a simple ratio of 3/6, 2/6 and 1/6.
1075 </p>
1076 <h2> Recreation: 3/6</h2>
1077 <p>I spend a lot of time on recreation. A few activities I've put into recreation:
1078 </p>
1079 <ul>
1080
1081 <li>video games</li>
1082 <li>movies</li>
1083 <li>reading novels</li>
1084 <li>sports</li>
1085 </ul>
1086
1087 <h2> Creativity: 2/6</h2>
1088 <p>Those activities require creativity, work and knowledge:
1089 </p>
1090 <ul>
1091
1092 <li>writing code</li>
1093 <li>reading technical books</li>
1094 <li>playing music</li>
1095 <li>creating content (texts, video, audio etc..)</li>
1096 </ul>
1097
1098 <h2> Chores: 1/6</h2>
1099 <p>Yes, obviously this has to be done in free time... And it's always better to do a bit every day than to let it accumulate until you are forced to deal with it.
1100 </p>
1101 <h1> Conclusion</h1>
1102 <p>I only started a few weeks ago but I really enjoy it. As I said previously, it's not something I strictly apply, but more a general way to spend my time and not spend six hours in a row writing code from after work until going to sleep. I really feel my life is better balanced now, and I feel some accomplishment for the few activities done every day.
1103 </p>
1104 <h1> Questions / Answers</h1>
1105 <blockquote> Some asked me if I was planning in advance how I spend my time.</blockquote>
1106 <p>The answer is no. I don't plan anything, but when I tend to lose focus on what I'm doing (and this happens often), I think about this time partitioning method, and then I think it may be time to jump to another activity and I pick something in another category. Now that I think about it, very often I was doing something because I was bored and lacking ideas of activities to occupy myself; with this current list I no longer have this issue.
1107 </p>
1108
1109 ]]>
1110 </description>
1111 <guid>https://dataswamp.org/~solene/2021-01-06-free-time-partition.html</guid>
1112 <link>https://dataswamp.org/~solene/2021-01-06-free-time-partition.html</link>
1113 <pubDate>Wed, 06 Jan 2021 00:00:00 GMT</pubDate>
1114 </item>
1115 <item>
1116 <title>Toward a simpler lifestyle</title>
1117 <description>
1118 <![CDATA[
1119 <p>I don't often give my own opinion on this blog but I really feel it is important here.
1120 </p>
1121 <p>The matter is about ecology, fair money distribution and civilization. I feel I need to share a bit about my lifestyle, in the hope it will have a positive impact on some of my readers. I really think one person can make a change. I changed myself, only by spending a few moments with a member of my family a few years ago. That person never tried to convince me of anything; they only lived by their own standards without ever offending me. These were simple things, nothing that would make that person a pariah in our society. But I got curious about the reasons and I figured it out myself way later; now I understand why.
1122 </p>
1123 <p>My philosophy is simple. In a life in modern civilization where everything goes fast, where everyone cares about the opinions others have of them, and where communication is everywhere, step back.
1124 </p>
1125 <p>Here are the various statements I follow; this is something I defined for myself, not absolute rules.
1126 </p>
1127 <ul>
1128
1129 <li>Be yourself and be prepared to own who you are. If you don't have the latest gadget you are not a "has-been"; if you don't live in a giant house, you didn't fail your career; if you don't have a top-notch shiny car, nobody should ever care.</li>
1130 <li>Reuse what you have. It's not because a piece of clothing has a little scratch that you can't reuse it. It's not because an electronic device is old that you should replace it.</li>
1131 <li>Open source is a great way to revive old computers</li>
1132 <li>Reduce your food waste to zero and eat less meat, because feeding the animals we eat requires a huge food production, more than what we finally get from the meat</li>
1133 <li>Travel less; there is a lot more to see around where I live than on the other side of the planet. Certainly don't go on vacation far away from home only to enjoy a beach under the sun. This also means no car if it can be avoided, and if I use a car, why not carpool?</li>
1134 <li>Avoid gadgets (electronic devices that bring nothing useful) at all costs. Buy good gear (kitchen tools, workshop tools, furniture etc...) that can be repaired. If possible buy second hand. For non-essential gear, second hand is mandatory.</li>
1135 <li>In winter, heat to 19°C maximum and wear warm clothes while at home.</li>
1136 <li>In summer, no A/C, but use exterior insulation and vines along the house to help cool down. And fans plus water while wearing light clothes to keep cool.</li>
1137 </ul>
1138
1139 <p>While some people are looking for more and more, I seek less. There is not enough for everyone on the planet, so it's important to make sacrifices.
1140 </p>
1141 <p>Of course, it is how I am and I don't expect anyone to apply this, that would be insane :)
1142 </p>
1143 <p>Be safe and enjoy this new year! <3
1144 </p>
1145 <p><a href='https://www.lowtechmagazine.com/'>Lowtech Magazine, articles about doing things using simple technology</a></p>
1146
1147 ]]>
1148 </description>
1149 <guid>https://dataswamp.org/~solene/2021-01-04-simple-lifestyle.html</guid>
1150 <link>https://dataswamp.org/~solene/2021-01-04-simple-lifestyle.html</link>
1151 <pubDate>Mon, 04 Jan 2021 00:00:00 GMT</pubDate>
1152 </item>
1153 <item>
1154 <title>[FR] Why I use OpenBSD</title>
1155 <description>
1156 <![CDATA[
1157 <p>In this post I'm going to share what I like about OpenBSD.
1158 </p>
1159 <h3> Respect for privacy</h3>
1160 <p>There is no telemetry in OpenBSD, so I don't have to worry about my privacy. As a reminder, telemetry is a mechanism that sends information about the user back in order to analyze how the product is used.
1161 </p>
1162 <p>Moreover, the system default has been to disable the microphone entirely: unless root intervenes, the microphone records silence (which avoids having to block it through usage permissions). Coming in 6.9, the camera follows the same path and will be disabled by default. For me this is a strong signal about the need to protect the user.
1163 </p>
1164 <h3> Secure web browsers</h3>
1165 <p>With the addition of security features (pledge and especially unveil) to the Firefox and Chromium sources, I'm more at ease using them daily. Nowadays using a web browser is almost unavoidable, but browsers have become both extremely complex and poorly understood. With client-side code execution through JavaScript gaining more and more capabilities, performance and requirements, adding a bit of security to the equation was necessary. Although these additions are sometimes a bit annoying in use, I'm really happy to benefit from them.
1166 </p>
1167 <p>With these protections (enabled by default), the browsers mentioned above can't browse directories other than what they need to work properly, plus the ~/Téléchargements/ (Downloads) and /tmp/ folders. Locations such as ~/Documents or ~/.gnupg are thus completely inaccessible, which greatly limits the risk of data exfiltration through the browser.
1168 </p>
1169 <p>One could roughly reproduce the same feature on Linux using AppArmor, but the integration is extremely complicated (whereas it's the default on OpenBSD) and a bit less effective: it is easier to act at the right moment from within the code than to wrap the whole program in a set of rules.
1170 </p>
1171 <h3> PF firewall</h3>
1172 <p>With PF, it's very simple to check the configuration file to understand the rules in place on a server or a desktop computer. Centralizing the rules in one file and the macro system make it possible to write simple, readable rules.
1173 </p>
1174 <p>I use the bandwidth management feature a lot to limit the throughput of some applications that don't offer this setting. It's very important to me since I'm not the only user of the network and I have a fairly slow connection.
1175 </p>
1176 <p>On Linux, it's possible to use the programs trickle or wondershaper to set up bandwidth limits, but iptables is a nightmare to use as a firewall!
1177 </p>
1178 <h3> It's stable</h3>
1179 <p>Apart from use on uncommon hardware, OpenBSD is very stable and reliable. I can easily reach two weeks of uptime on my desktop with several suspends a day. My OpenBSD servers have been running 24/7 without issue for years.
1180 </p>
1181 <p>I rarely exceed two weeks since I have to update the system from time to time to keep developing on OpenBSD :)
1182 </p>
1183 <h3> Low maintenance</h3>
1184 <p>Keeping an OpenBSD system up to date is very simple. I run the syspatch and pkg_add -u commands every day to keep my servers updated. An upgrade every six months is needed to move to the next release, but apart from a few specific instructions that may sometimes come up, an upgrade looks like this:
1185 </p>
1186 <pre><code># sysupgrade
1187 [..wait a little..]
1188 # pkg_add -u
1189 # reboot
1190 </code></pre>
1191 <h3> Quality documentation</h3>
1192 <p>Installing OpenBSD with full disk encryption is very easy (I'll have to write a post about the importance of encrypting one's disks and phones).
1193 </p>
1194 <p>The official documentation explaining how to set up a router with NAT is perfectly explained step by step; it's a reference whenever it comes to setting up a router.
1195 </p>
1196 <p>All the binaries of the base system (packages don't count) have documentation, as do their configuration files.
1197 </p>
1198 <p>The website, the official FAQ and the man pages are the only resources needed to get by. They represent a big chunk, and it's not always easy to find one's way around, but everything is there.
1199 </p>
1200 <p>If I had to manage for a while without internet, I'd much rather be on an OpenBSD system. The man page documentation is generally enough to get by.
1201 </p>
1202 <p>Imagine setting up a router doing traffic shaping on OpenBSD or Linux without any documents external to the system. Personally I choose OpenBSD 100% for that :)
1203 </p>
1204 <h3> Ease of contributing</h3>
1205 <p>I really love the way OpenBSD handles contributions. I fetch the sources on my system and make my changes, I generate a diff file (the difference between before/after) and send it to the mailing list. All of this can be done in a terminal with tools I already know (git/cvs) and emails.
1206 </p>
1207 <p>Sometimes new contributors may think the people who answer are really not nice. **That's not true**. If you send a diff and receive criticism, it already means someone is giving you their time to explain what can be improved. I can understand that it may seem harsh to some people, but it's not that at all.
1208 </p>
1209 <p>This year, I made a few modest contributions to the OpenIndiana and NixOS projects; it was an opportunity to discover how these projects handle contributions. Both use GitHub and the way of working is very interesting, but understanding it takes a lot of work because it's relatively complicated.
1210 </p>
1211 <p><a href='https://www.openindiana.org'>OpenIndiana official website</a></p>
1212 <p><a href='https://nixos.org'>NixOS official website</a></p>
1213 <p>The contribution method requires a GitHub account, forking the project, cloning the fork locally, creating a branch, making the changes locally, pushing the fork to your GitHub account and using GitHub's web interface to make a "pull request". That's the short version. On NixOS, my first attempt at a pull request ended up as a request containing six months of commits on top of my small change. With good documentation and practice it's entirely manageable. This way of working has some advantages such as contributor tracking, continuous integration or ease of code review, but it's as off-putting as can be for newcomers.
1214 </p>
1215 <h3> Top quality packages</h3>
1216 <p>My opinion is surely biased here (much more than for the previous points) but I sincerely think OpenBSD packages are of very good quality. Most of them work "out of the box" with correct default settings.
1217 </p>
1218 <p>Packages that need special instructions come with a "readme" file explaining what is needed, for example creating some directories with particular permissions, or how to upgrade from a previous version.
1219 </p>
1220 <p>Even with the lack of contributors and time (in addition to some programs using too many Linuxisms to be easy to port), most major free software programs are available and work very well.
1221 </p>
1222 <p>I'm taking the opportunity of this post to criticize a trend within the Open Source world.
1223 </p>
1224 <ul>
1225 
1226 <li>programs distributed with flatpak / docker / snap work very well on Linux but are hostile to other systems. They often use Linux-specific features and their build methods are geared toward Linux. This greatly complicates porting these applications to other systems.</li>
1227 <li>programs using nodeJS: they sometimes require hundreds or even thousands of libs, and some are even a bit shaky. It's really complicated to get these programs working on OpenBSD. Some libs go as far as embedding Rust code or downloading a static binary from a remote server, with no way to build it if necessary and without checking whether that binary is available in $PATH. One finds incredible aberrations there.</li>
1228 <li>programs requiring git to build: the build system in the OpenBSD ports does its best to be as clean as possible. The user dedicated to building packages has no internet access at all (blocked by the firewall with a default rule) and won't be able to run git commands to fetch code. There is no reason for a program's build to require downloading code in the middle of the build step!</li>
1229 </ul>
1230 
1231 <p>Obviously I understand that these three points exist because they make developers' lives easier, but if you write a program and publish it, it would be very nice to think about non-Linux systems. Don't hesitate to ask on social networks whether someone wants to test your code on a system other than Linux. We love "BSD friendly" developers who accept our patches to improve OpenBSD support.
1232 </p>
1233 <h3> What I'd like to see improve</h3>
1234 <p>There are some things where I'd like to see OpenBSD improve. This list is personal and does not reflect the opinion of the OpenBSD project members.
1235 </p>
1236 <ul>
1237 
1238 <li>Better ARM support</li>
1239 <li>Wifi throughput</li>
1240 <li>Better performance (but it improves a bit with each release)</li>
1241 <li>FFS improvements (after crashes I sometimes have files in lost+found)</li>
1242 <li>A faster pkg_add -u</li>
1243 <li>Hardware video decoding support</li>
1244 <li>Better FUSE support with the possibility of mounting CIFS/samba filesystems</li>
1245 <li>More contributors</li>
1246 </ul>
1247 
1248 <p>I'm aware of all the work needed here, and it's certainly not me who will do something about it. I'd like it to improve, without complaining about the current situation :)
1249 </p>
1250 <p>Unfortunately, everyone knows OpenBSD progresses through hard work and not by sending a wish list to the developers :)
1251 </p>
1252 <p>When you think about what a small team manages to do (about 150 developers involved in the latest releases) compared to other major systems, I think we're quite efficient!
1253 </p>
1254
1255 ]]>
1256 </description>
1257 <guid>https://dataswamp.org/~solene/2021-01-04-pourquoi-openbsd.html</guid>
1258 <link>https://dataswamp.org/~solene/2021-01-04-pourquoi-openbsd.html</link>
1259 <pubDate>Mon, 04 Jan 2021 00:00:00 GMT</pubDate>
1260 </item>
1261 <item>
1262 <title>[FR] How I publish my blog on several media</title>
1263 <description>
1264 <![CDATA[
1265 <p>I am often asked how I publish my blog, how I write my texts and how they get published on three different media. This article is the opportunity for me to answer these questions.
1266 </p>
1267 <p>For my publications I use the static site generator "cl-yag" that I developed. Its main job is to generate the home index files and the index of each tag for each distribution medium: HTML for http, gophermap for gopher and gemtext for gemini. After the indexes are generated, for each article published as HTML a converter is called to transform the original file into HTML so it can be read with a web browser. For gemini and gopher, the source article is simply copied with some metadata added at the top of the file, such as the title, the date, the author and the keywords.
1268 </p>
1269 <p>Publishing to these three formats at once from a single source file is a challenge that unfortunately requires sacrifices on the rendering if you do not want to write three versions of the same text. For gopher, I chose to distribute the texts as they are, as text files; the content can be markdown, org-mode, mandoc or something else, but gopher offers no way to tell. For gemini, the texts are distributed as .gmi files, which correspond to the gemtext type, even though the older publications are markdown as far as content goes. For http, it is simply HTML obtained through a command chosen according to the input data type.
1270 </p>
1271 <p>I recently decided to use the gemtext format by default rather than markdown to write my articles. It certainly offers fewer possibilities than markdown, but its rendering contains no ambiguity, whereas the rendering of a markdown file can vary depending on the implementation and the flavour of markdown (tables or no tables? which syntax for images? etc.)
1272 </p>
1273 <p>When the site generator runs, all indexes are regenerated; for published files, the modification time of the published file is compared with that of the source file, and if the source is newer the published file is generated again because there was a change. This saves a huge amount of time, since my site is about to reach 200 articles and copying 200 files for gopher, 200 for gemini and running 200 conversion programs for HTML would make generation extremely long.
1274 </p>
1275 <p>After all files have been generated, the rsync command is used to update the output directories of each protocol on the corresponding server. I use one server for http, two servers for gopher (the main one was not particularly stable at the time) and one server for gemini.
1276 </p>
1277 <p>I added an announcement system on Mastodon by calling the local program "toot", configured with a dedicated account. These changes have not been pushed into cl-yag because they are very specific to my personal use. This kind of modification makes me think that a static site generator can be a very personal tool, configured for an extremely specific need, which can be hard for someone else to use. I decided to publish it back then; I do not know whether anyone actively uses it, but at least the code is there for the more adventurous who would like to take a look.
1278 </p>
1279 <p>My blog generator supports mixing different types of source files to be converted into HTML. This lets me use whichever formatting I want without having to redo everything.
1280 </p>
1281 <p>Here are some commands used to convert the input files (the raw articles as I write them) into HTML. One can see that the org-mode to HTML conversion is not the simplest. The cl-yag configuration file is LISP code loaded at runtime; I can put comments in it but also code if I wish, which sometimes turns out to be handy.
1282 </p>
1283 <pre><code>(converter :name :gemini :extension ".gmi" :command "gmi2html/gmi2html data/%IN | tee %OUT")
1284 (converter :name :markdown :extension ".md" :command "peg-markdown -t html -o %OUT data/%IN")
1285 (converter :name :markdown2 :extension ".md" :command "multimarkdown -t html -o %OUT data/%IN")
1286 (converter :name :mmd :extension ".mmd" :command "cat data/%IN | awk -f mmd | tee %OUT")
1287 (converter :name :mandoc :extension ".man"
1288 :command "cat data/%IN | mandoc -T markdown | sed -e '1,2d' -e '$d' | multimarkdown -t html -o %OUT")
1289 (converter :name :org-mode :extension ".org"
1290 :command (concatenate 'string
1291 "emacs data/%IN --batch --eval '(with-temp-buffer (org-mode) "
1292 "(insert-file \"%IN\") (org-html-export-as-html nil nil nil t)"
1293 "(princ (buffer-string)))' --kill | tee %OUT"))
1294 </code></pre>
1295 <p>When I declare a new article in the configuration file that holds the metadata of all publications, I can choose the HTML converter to use if it is not the default one.
1296 </p>
1297 <pre><code>;; using the default converter
1298 (post :title "Minimalistic markdown subset to html converter using awk"
1299 :id "minimal-markdown" :tag "unix awk" :date "20190826")
1300
1301 ;; using the mmd converter, a very simple awk script I wrote to convert a few markdown features into html
1302 (post :title "Life with an offline laptop"
1303 :id "offline-laptop" :tag "openbsd life disconnected" :date "20190823" :converter :mmd)
1304 </code></pre>
1305 <p>Some statistics about the syntax of my various publications; over http you only see the HTML, but over gopher or gemini you will see the source as it is.
1306 </p>
1307 <ul>
1308
1309 <li>markdown :: 183</li>
1310 <li>gemini :: 12</li>
1311 <li>mandoc :: 4</li>
1312 <li>mmd :: 2</li>
1313 <li>org-mode :: 1</li>
1314 </ul>
1315 ]]>
1316 </description>
1317 <guid>https://dataswamp.org/~solene/2021-01-03-fr-blog-workflow.html</guid>
1318 <link>https://dataswamp.org/~solene/2021-01-03-fr-blog-workflow.html</link>
1319 <pubDate>Sun, 03 Jan 2021 00:00:00 GMT</pubDate>
1320 </item>
1321 <item>
1322 <title>My blog workflow</title>
1323 <description>
1324 <![CDATA[
1325 <p>I often get questions about how I write my articles, which format I use and how I publish on various media. This article is the opportunity to describe the whole process.
1326 </p>
1327 <p>So, I use my own static generator cl-yag, which generates indexes for the whole article list but also for every tag, in html, gophermap format and gemini gemtext. After the indexes are generated, for html every article is converted into html by running a "converter" command. For gopher and gemini the original text is picked up, some metadata is added at the top of the file and that's all.
1328 </p>
1329 <p>Publishing for all three formats is complicated and sacrifices must be made if I want to avoid extra work (like writing a version for each). For gopher, I chose to distribute the articles as simple text files, but the content can be markdown, org-mode, mandoc or other formats, and there is no way to tell. For gemini, it distributes the gemtext format and for http it is html.
1330 </p>
1331 <p>Recently, I decided to switch to gemtext instead of markdown as the main format for writing new texts. It has slightly fewer features than markdown, but markdown has so many implementations that the result can differ greatly from one renderer to another.
1332 </p>
1333 <p>When I run the generator, all the indexes are regenerated, and each destination file's modification time is compared to the original file's modification time: if the destination file (the gopher/html/gemini file that is published) is newer than the original file, there is no need to rewrite it, which saves a lot of time. After generation, the Makefile running the program runs rsync to various servers to publish the new directories. One server has gopher and html, another server only gemini and another server has only gopher as a backup.
1334 </p>
1335 <p>I added a Mastodon announcement calling a local script to publish links to new publications on Mastodon; this wasn't merged into the cl-yag git repository because it's custom code depending on local programs. I think a blog generator is as personal as the blog itself. I decided to publish its code at first, but I am not sure it makes much sense because nobody may have the same mindset as mine to make this tool their own; at least it's available if someone wants to use it.
1336 </p>
1337 <p>My blog software supports mixing input formats, so I am not tied to a specific format for its whole life.
1338 </p>
1339 <p>Here are the various commands used to convert a file from its original format to html. One can see that converting from org-mode to html on the command line isn't an easy task. As my blog software is written in Common Lisp, the configuration file is also a valid Common Lisp file, so I can write some code in it if required.
1340 </p>
1341 <pre><code>(converter :name :gemini :extension ".gmi" :command "gmi2html/gmi2html data/%IN | tee %OUT")
1342 (converter :name :markdown :extension ".md" :command "peg-markdown -t html -o %OUT data/%IN")
1343 (converter :name :markdown2 :extension ".md" :command "multimarkdown -t html -o %OUT data/%IN")
1344 (converter :name :mmd :extension ".mmd" :command "cat data/%IN | awk -f mmd | tee %OUT")
1345 (converter :name :mandoc :extension ".man"
1346 :command "cat data/%IN | mandoc -T markdown | sed -e '1,2d' -e '$d' | multimarkdown -t html -o %OUT")
1347 (converter :name :org-mode :extension ".org"
1348 :command (concatenate 'string
1349 "emacs data/%IN --batch --eval '(with-temp-buffer (org-mode) "
1350 "(insert-file \"%IN\") (org-html-export-as-html nil nil nil t)"
1351 "(princ (buffer-string)))' --kill | tee %OUT"))
1352 </code></pre>
1353 <p>When I define a new article in the main file holding the metadata, I can specify the converter if it's not the default one configured.
1354 </p>
1355 <pre><code>;; using default converter
1356 (post :title "Minimalistic markdown subset to html converter using awk"
1357 :id "minimal-markdown" :tag "unix awk" :date "20190826")
1358
1359 ;; using mmd converter, a simple markdown to html converter written in awk
1360 (post :title "Life with an offline laptop"
1361 :id "offline-laptop" :tag "openbsd life disconnected" :date "20190823" :converter :mmd)
1362 </code></pre>
1363 <p>Some statistics about the various formats used in my blog.
1364 </p>
1365 <ul>
1366
1367 <li>markdown :: 183</li>
1368 <li>gemini :: 12</li>
1369 <li>mandoc :: 4</li>
1370 <li>mmd :: 2</li>
1371 <li>org-mode :: 1</li>
1372 </ul>
1373 ]]>
1374 </description>
1375 <guid>https://dataswamp.org/~solene/2021-01-03-blog-workflow.html</guid>
1376 <link>https://dataswamp.org/~solene/2021-01-03-blog-workflow.html</link>
1377 <pubDate>Sun, 03 Jan 2021 00:00:00 GMT</pubDate>
1378 </item>
1379 <item>
1380 <title>Port of the week: Lagrange</title>
1381 <description>
1382 <![CDATA[
1383 <p>Today's Port of the Week is about Lagrange, a Gemini browser.
1384 </p>
1385 <p><a href='https://github.com/skyjake/lagrange'>Lagrange official website</a></p>
1386 <p><a href='https://gemini.circumlunar.space/'>Information about the Gemini protocol</a></p>
1387 <p><a href='https://gemini.circumlunar.space/clients.html'>Curated list of Gemini clients</a></p>
1388 <p>Lagrange is the finest browser I have ever used, and it's still brand new. I imported it into OpenBSD, so it will be available starting from the OpenBSD 6.9 release.
1389 </p>
1390 <p><a href='static/lagrange.jpg'><img src='static/lagrange.jpg' alt='Screenshot of the web browser in action with dark mode, it supports left and right side panels.' width='60%' /></a></p>
1391 <p>Lagrange is fantastic in the way it helps the user with the browsed content.
1392 </p>
1393 <ul>
1394
1395 <li>Links already visited show the date of the last visit</li>
1396 <li>Subscribing to pages without RSS is possible for pages following a specific format (most of Gemini space does)</li>
1397 <li>Easy management of client certificates, used for authentication</li>
1398 <li>In-page image loading, video watching and sound playing</li>
1399 <li>Gopher support</li>
1400 <li>Table of contents generated from headings</li>
1401 <li>Keyboard navigation</li>
1402 <li>Very light (dependencies, memory footprint, CPU usage)</li>
1403 <li>Smooth scrolling</li>
1404 <li>Dark and light modes</li>
1405 <li>Much more</li>
1406 </ul>
1407
1408 <p>If you are interested in Gemini, I highly recommend this piece of software as a browser.
1409 </p>
1410 <p>If you would like to host your own Gemini content without running any infrastructure, some community servers offer hosting through secure sftp transfers.
1411 </p>
1412 <p><a href='http://gmi.si3t.ch/'>Si3t.ch community Gemini hosting</a></p>
1413 <p><a href='https://unbon.cafe/'>Un bon café !</a></p>
1414 <p>Once you get into Gemini space, I recommend the following resources:
1415 </p>
1416 <p><a href='gemini://gemini.circumlunar.space/capcom/'>CAPCOM feed aggregator, a great place to meet new authors</a></p>
1417 <p><a href='gemini://gus.guru/'>GUS: a search engine</a></p>
1418
1419 ]]>
1420 </description>
1421 <guid>https://dataswamp.org/~solene/2021-01-02-potw-lagrange.html</guid>
1422 <link>https://dataswamp.org/~solene/2021-01-02-potw-lagrange.html</link>
1423 <pubDate>Sat, 02 Jan 2021 00:00:00 GMT</pubDate>
1424 </item>
1425 <item>
1426 <title>Vger gemini server can now redirect</title>
1427 <description>
1428 <![CDATA[
1429 <p>I added a new feature to Vger gemini server.
1430 </p>
1431 <p><a href='https://tildegit.org/solene/vger'>Vger git repository</a></p>
1432 <p>The protocol supports status codes including redirections, but Vger had no way to know whether a user wanted to redirect a page to another one. A redirection literally means "You asked for this content but it is now at that place, load it from there".
1433 </p>
1434 <p>To keep with Vger's Unix way, a redirection is done using a symbolic link.
1435 </p>
1436 <p>The following command would redirect requests from gemini://perso.pw/blog/index.gmi to gemini://perso.pw/capsule/index.gmi:
1437 </p>
1438 <pre><code>ln -s "gemini://perso.pw/capsule/index.gmi" blog/index.gmi
1439 </code></pre>
1440 <p>Unfortunately, this doesn't support globbing; in other words, it is not possible to redirect everything from `/blog/` to `/capsule/` without creating a symlink for every previous resource pointing to its new location.
1441 </p>
1442
1443 ]]>
1444 </description>
1445 <guid>https://dataswamp.org/~solene/2021-01-02-gemini-vger-redirect.html</guid>
1446 <link>https://dataswamp.org/~solene/2021-01-02-gemini-vger-redirect.html</link>
1447 <pubDate>Sat, 02 Jan 2021 00:00:00 GMT</pubDate>
1448 </item>
1449
1450 </channel>
1451 </rss>