fireglows blog [testing]

Testing the writefreely software.

Create a new udev rule to run a script when a token is removed: /etc/udev/rules.d/10-securitytoken-lock.rules

# locks the screen when any token is removed

ACTION=="remove", \
ENV{ID_SECURITY_TOKEN}=="1", \
RUN+="/usr/local/bin/lockscreen.sh"

This works for YubiKey 4 and the Solokey dongles. To verify that a USB device gets ID_SECURITY_TOKEN=1 in its udev environment, monitor udev while plugging/unplugging: udevadm monitor --environment --udev

After the rule is saved, tell udev to reload with sudo udevadm control --reload-rules.

Next, create the script that actually locks the session: /usr/local/bin/lockscreen.sh

#!/bin/sh

exec loginctl lock-sessions

Make it executable (chmod +x /usr/local/bin/lockscreen.sh) and make sure it is owned by root (sudo chown root:root /usr/local/bin/lockscreen.sh): udev runs RUN+= programs as root, so the script must not be writable by unprivileged users.

Apart from not having to interact with the X session directly, this also locks my KeePassXC database when the key is removed, and any other active ttys that I might have forgotten about.
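As an added example, not part of the original post: a small POSIX sh/awk filter that applies the rule's two match conditions (ACTION=="remove" and ENV{ID_SECURITY_TOKEN}=="1") to a saved udevadm monitor --environment --udev dump, so you can confirm which events would have fired lockscreen.sh. The dump embedded below is constructed, not a real capture.

```shell
#!/bin/sh
# Added example, not from the original post: offline check of a captured
# `udevadm monitor --environment --udev` dump. It applies the same two
# conditions as 10-securitytoken-lock.rules (ACTION=="remove" and
# ENV{ID_SECURITY_TOKEN}=="1") so you can see which events would run
# lockscreen.sh before installing the rule.

# Constructed sample dump (not a real capture). Three events: a token being
# removed, an ordinary USB device being removed, and a token being inserted.
SAMPLE_DUMP='UDEV  [1234.5678] remove   /devices/pci0000:00/0000:00:14.0/usb1/1-2 (usb)
ACTION=remove
DEVPATH=/devices/pci0000:00/0000:00:14.0/usb1/1-2
ID_SECURITY_TOKEN=1
SUBSYSTEM=usb

UDEV  [1234.9999] remove   /devices/pci0000:00/0000:00:14.0/usb1/1-3 (usb)
ACTION=remove
DEVPATH=/devices/pci0000:00/0000:00:14.0/usb1/1-3
SUBSYSTEM=usb

UDEV  [1240.0001] add      /devices/pci0000:00/0000:00:14.0/usb1/1-2 (usb)
ACTION=add
DEVPATH=/devices/pci0000:00/0000:00:14.0/usb1/1-2
ID_SECURITY_TOKEN=1
SUBSYSTEM=usb
'

# matching_remove_events DUMP
# Reads the dump as blank-line separated records (one udev event each),
# prints the DEVPATH of every record with ACTION=remove and
# ID_SECURITY_TOKEN=1, and returns 0 if at least one matched, 1 otherwise.
matching_remove_events() {
    printf '%s\n' "$1" | awk '
        BEGIN { RS = ""; FS = "\n" }
        {
            act = ""; tok = ""; path = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^ACTION=/)            act  = substr($i, 8)
                if ($i ~ /^ID_SECURITY_TOKEN=/) tok  = substr($i, 19)
                if ($i ~ /^DEVPATH=/)           path = substr($i, 9)
            }
            if (act == "remove" && tok == "1") { print path; n++ }
        }
        END { exit (n > 0) ? 0 : 1 }'
}

matching_remove_events "$SAMPLE_DUMP"
```

Only the first event is reported; the keyboard-style device without the variable and the insertion of the token are ignored, exactly as the rule would ignore them.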

Next up: usbguard, pam_u2f, and xsecurelock

This tutorial describes how to use ddclient on OpenBSD to update a hostname, dynamic.example.com, on a Knot DNS server, ns1.example.com. ddclient will run as a daemon, watch a PPPoE interface for changes to its public IP address, and update the zone accordingly.

Server setup

We will add a new TSIG key to knot.conf that is allowed to update the zone holding the dynamic hostname. The path names in this section assume FreeBSD locations (/usr/local/etc/knot).

First, generate a TSIG key with keymgr:

keymgr -t KEY_NAME hmac-sha512
# hmac-sha512:KEY_NAME:i5WLSkKquUlyZpYb869QGjd18pQzMqlAdew+PwJzCIdq6U/2WX9+HBsLJL+dTEPg/dtLizthuOZkXlyVz3qfIw==
key:
  - id: KEY_NAME
    algorithm: hmac-sha512
    secret: i5WLSkKquUlyZpYb869QGjd18pQzMqlAdew+PwJzCIdq6U/2WX9+HBsLJL+dTEPg/dtLizthuOZkXlyVz3qfIw==

keymgr prints the key in two formats: the first line, starting with a # sign, is the format that knsupdate expects; the rest is the same key in knot.conf syntax.

Add the key to your existing key: section of knot.conf, or create the section: /usr/local/etc/knot/knot.conf

[...]
key:
  - id: first_key
    algorithm: hmac-sha512
    secret: SSBjYW4ndCBiZWxpZXZlIHlvdSBhY3R1YWxseSBkaWQgdGhhdAo=

  - id: KEY_NAME
    algorithm: hmac-sha512
    secret: i5WLSkKquUlyZpYb869QGjd18pQzMqlAdew+PwJzCIdq6U/2WX9+HBsLJL+dTEPg/dtLizthuOZkXlyVz3qfIw==
[...]

add a new ACL for the key:

[...]
acl:
  - id: acl_ACL_NAME
    key: KEY_NAME
    action: [update]
[...]

and add the ACL to the zone, or the template:

[...]
template:
  - id: default
    [...]
    # gate: update
    acl: [acl_ACL_NAME]
    [...]

zone:
  - domain: example.com
    template: default

Check the configuration with knotc conf-check and reload knot with knotc reload:

knot# knotc conf-check
Configuration is valid
knot# knotc reload
Reloaded

Client setup

Install ddclient and knot:

pkg_add ddclient knot

knot installs the knsupdate program, which we will use to update the zone.

Next, adjust /etc/ddclient/ddclient.conf so the ddclient program will use the IP address from pppoe0, and use knsupdate to update the zone:

/etc/ddclient/ddclient.conf

[...]
use=if, if=pppoe0

protocol=nsupdate
ttl=30
login=/usr/local/bin/knsupdate
server=ns1.example.com
password=/etc/ddclient/alpha.knsupdate
zone=example.com
dynamic.example.com

Insert into /etc/ddclient/alpha.knsupdate the first format of the key that keymgr returned (without the leading #):

/etc/ddclient/alpha.knsupdate

hmac-sha512:KEY_NAME:i5WLSkKquUlyZpYb869QGjd18pQzMqlAdew+PwJzCIdq6U/2WX9+HBsLJL+dTEPg/dtLizthuOZkXlyVz3qfIw==
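The two key formats printed by keymgr, and the copy into alpha.knsupdate without the leading #, as an added example that is not part of the original tutorial: a POSIX sh script that converts the one-line knsupdate format into the knot.conf key: block and checks that the base64 secret is well-formed, since a truncated paste is the usual way this step breaks. It uses the example key printed above; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original tutorial: turn the one-line key that
# keymgr prints as a comment (the format knsupdate, and thus the ddclient
# password= file, expects) into the knot.conf "key:" block, and sanity-check
# the secret so a truncated or mangled paste is caught before it reaches
# either file. EXAMPLE_LINE is the example key printed in this tutorial.
#
# knsupdate key line: <algorithm>:<key name>:<base64 secret>

EXAMPLE_LINE='# hmac-sha512:KEY_NAME:i5WLSkKquUlyZpYb869QGjd18pQzMqlAdew+PwJzCIdq6U/2WX9+HBsLJL+dTEPg/dtLizthuOZkXlyVz3qfIw=='

# strip_comment LINE: drop the leading "# " so the line can go into
# /etc/ddclient/alpha.knsupdate unchanged.
strip_comment() {
    printf '%s\n' "$1" | sed 's/^#[[:space:]]*//'
}

# secret_bytes BASE64: decoded length in bytes, from length and '=' padding.
# Returns 1 if the string is not well-formed base64.
secret_bytes() {
    case "$1" in *[!A-Za-z0-9+/=]*|"") return 1 ;; esac
    [ $(( ${#1} % 4 )) -eq 0 ] || return 1
    unpadded=${1%%=*}
    echo $(( ${#1} / 4 * 3 - (${#1} - ${#unpadded}) ))
}

# to_knotconf LINE: print the knot.conf "key:" entry for a knsupdate key
# line (with or without the leading "# "). Fails if the line does not have
# three colon-separated fields or the secret is not valid base64.
to_knotconf() {
    line=$(strip_comment "$1")
    IFS=: read -r alg name secret <<EOF
$line
EOF
    [ -n "$alg" ] && [ -n "$name" ] && [ -n "$secret" ] || return 1
    secret_bytes "$secret" >/dev/null || return 1
    printf 'key:\n  - id: %s\n    algorithm: %s\n    secret: %s\n' \
        "$name" "$alg" "$secret"
}

to_knotconf "$EXAMPLE_LINE"
```

For the tutorial's key, secret_bytes reports 64 bytes, the full hmac-sha512 key length that keymgr -t produces; a shorter value means part of the line was lost in the copy.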

Test the update process with ddclient -force:

gate# ddclient -force
SUCCESS:  updating dynamic.example.com: 1: IP address set to 1.2.3.4

Enable and start the ddclient daemon:

rcctl enable ddclient
rcctl start ddclient

Verify that the IP address has been updated in the DNS:

gate# kdig @ns1.example.com dynamic.example.com.
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 35617
;; Flags: qr aa rd; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:
;; dynamic.example.com.                IN      A

;; ANSWER SECTION:
dynamic.example.com.           30      IN      A       1.2.3.4

;; Received 46 B
;; Time 2020-05-04 14:05:53 CEST
;; From 2606:2800:220:1:248:1893:25c8:1946@53(UDP) in 25.6 ms

In May 2019 I migrated to iOS, after years of using Android. The reasons for this were unmaintained software (firmware) on Android devices, and Google.

During that time I've discovered the following software to be useful to me:

  • File synchronization: Nextcloud
  • Snippets: Gladys (in-app $, not needed, but the app's awesome). Holds just about anything you share with it. iCloud sync.
  • Notes: Joplin. Synchronized via Nextcloud. End-to-end encryption.
  • ActivityPub: Toot! ($). It's not perfect, but the best we've got.
  • Browser: Safari (it's actually really good), Firefox for the sync data.
  • E-Mail: Built-in. There is a huge issue with 3rd party IMAP apps on iOS: most of them require your password so they can poll the IMAP server and send notifications for new mail. Apple really screwed up here, having removed the ability to create APNS (Apple Push Notification Service, the only way to send out-of-app notifications to iOS devices) certificates, which would let Mail.app receive notifications from your Dovecot server. Sharing login credentials to my actual mailbox is, of course, out of the question. There might be ways to mitigate the awfulness of sharing your password with Dovecot, for example with token-based authentication and ACLs, but I haven't tested this.
  • Passwords: Bitwarden and Pass
  • OTP: OTP Auth (in-app $, not needed). Optional iCloud sync and TouchID.
  • VPN: Wireguard
  • Journal: GitJournal
  • Calculator: Calculator Infinity ($), styled as “Calculator ∞”.
  • Calendar: miCal ($)
  • Media: nPlayer ($, free test: nPlayer Lite). Wide variety of transfer protocols supported, even NFS!
  • Terminal: Secure Terminal (in-app $ for multiple profiles and SFTP). Simple. Good. Supports Ed25519 public keys. Has an SFTP mode for the Files app.
  • QR Creator: QReation. Simple, effective. No annoying stuff like the 1000 other QR apps in the App Store. Can also read.
  • Sharing links via E-Mail: Note to Self Mail (in-app $, not required) (“Notiz an Mich” in German). Easy way to quickly mail yourself something.
  • Notifications: Pushover Notifications (in-app $, required after trial period). Don't really need it that often, but the author is active in OpenBSD and wrote rubywarden, to self-host Bitwarden.
  • Archiving websites: Wallabag 2 Official
  • XMPP: Siskin IM. Haven't really tested this, because nobody talks to me, but it looks promising.
  • Noise/tone generator: White Noise+ (in-app $). Play in background, allow secondary audio. Savable presets.

A $ denotes apps that require a purchase. Some of the features mentioned above are only available after an in-app purchase, such as SFTP for Secure Terminal.

Most iOS software specializes in synchronization via iCloud, only a handful of apps support self-hosted setups. These include: Nextcloud, Joplin, Firefox, Bitwarden, Pass, GitJournal, Wallabag.

Update: added an explanation of what APNS is.

  • OS: Linux
  • Filesystems: ext4 and btrfs
  • Window manager: i3
  • Launcher: rofi
  • Terminal emulator: kitty
  • Terminal font: Cousine
  • Editor: kak, neovim; subl or vscodium serve as a scratchpad
  • Notes: Joplin
  • MUA: mutt, Trojita, Claws, Thunderbird
  • Browser: Firefox, Vivaldi. Chromium is the Google sandbox.
  • Backups: restic
  • File synchronization: Nextcloud and syncthing
  • File browser: Dolphin
  • File indexing: recoll
  • Password manager: KeePassXC and bitwarden

Update: changed neomutt -> mutt; added kak.

Give me the word count for this here document.

Nine words, my my.

There you go. There you go. There you go.

Hello

This thing is being drafted in Typora

Does anybody remember these blogger programs that could speak to Wordpress or whatever via XMLRPC, in like the middle of the first decade of this century?

Another test to test federation.

Just doing a bit of testing.