💾 Archived View for perso.pw › blog › rss.xml captured on 2022-03-01 at 16:00:57.
<?xml version="1.0" encoding="UTF-8"?> <rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"> <channel> <title>Solene'%</title> <description></description> <link>gemini://perso.pw/blog/</link> <atom:link href="gemini://perso.pw/blog/rss.xml" rel="self" type="application/rss+xml" /> <item> <title>Reed-alert: five years later</title> <description> <![CDATA[ <pre># Introduction
I wrote the program reed-alert five years ago and I have been using it since its first days; here is some feedback about it. Reed-alert is meant for system administrators who want to monitor their infrastructure and get alerts when things go wrong. I gained a lot more experience in the monitoring field over time and I wanted to share some thoughts about this project.
=> https://tildegit.org/solene/reed-alert reed-alert source code
# Reed-alert
## The name
The software name is a pun I found in a Star Trek Enterprise episode.
=> https://memory-alpha.fandom.com/wiki/Red_alert#Notable_uses Reed alert pun origins
## Project finished
The code didn't receive many commits over the last years; I consider the program feature-complete, although new probes could be added and bugs could be fixed. The core of the software itself is perfect to me. The probes are small pieces of code that monitor extra states, such as an HTTP return code, a working ping, a started service, etc. It's already easy to extend reed-alert with a shell command returning 0 or non-zero to define a custom probe.
## Reliability
I don't remember having a single issue with reed-alert since I set it up on my server. It's run by a cron job every 10 minutes, which means a Common Lisp implementation loads the code, evaluates the configuration file, runs the check commands and the alert commands if required, and then exits. I chose a serviceless design for reed-alert as it makes the code and its usage a lot simpler.
With a running service, it could fail, leak memory, be exploited and certainly hit many other bugs I can't think of. Reed-alert is simple as it only needs a Common Lisp implementation; the most notable ones, SBCL and ECL, are absolutely reliable and change very little over time. Some standard Unix commands are required for some checks or default alerts, such as ping, service, mail or curl, but this defers all the work to well-established binaries. The source code is minimal, with 179 lines for the reed-alert core and 159 lines for the probes, a total of 338 lines of code (including empty lines and comments); hacking on reed-alert is super easy and always a lot of fun for me. For whatever reason, my Common Lisp software often works on the first try when I add new features, so it's always pleasant to work on.
## Awesome features
One aspect of reed-alert that may disturb users at first is the choice of Common Lisp code as the configuration file. This may look complicated at first, but a simple configuration doesn't require more Common Lisp knowledge than what is explained in the reed-alert documentation. It shows all its power when you need to loop over data to run checks, which makes reed-alert dynamic instead of requiring all the configuration to be handwritten. Using Common Lisp as configuration has another advantage: checks can be chained, so that some checks are skipped when a preceding one fails (the "and" form below stops at the first failing check, so the HTTP and certificate checks are not run when the host doesn't even answer a ping). Let me give a few examples of this:
(=> mail disk-usage :path "/" :limit 60 :desc "partition /")
(=> mail disk-usage :path "/var" :limit 70 :desc "partition /var")
(=> mail disk-usage :path "/home" :limit 95 :desc "partition /home")
(=> mail service :name "dovecot")
(=> mail service :name "spamd")
(=> mail service :name "dkimproxy_out")
(=> mail service :name "smtpd")
(=> mail service :name "ntpd")
(=> mail number-of-processes :limit 140)
;; check dataswamp server is working
(=> mail ping :host "dataswamp.org" :desc "Dataswamp")
;; check webzine related web servers
(and
(=> mail ping :host "openports.pl" :desc "Liaison Grifon.fr")
(=> mail curl-http-status :url "https://webzine.puffy.cafe" :desc "Webzine Puffy.cafe" :timeout 10)
(=> mail curl-http-status :url "https://puffy.cafe" :desc "Puffy.cafe" :timeout 10)
(=> mail ssl-expiration :host "webzine.puffy.cafe" :seconds (* 7 24 60 60))
(=> mail ssl-expiration :host "puffy.cafe" :seconds (* 7 24 60 60)))
;; check openports.pl is working
(and
(=> mail ping :host "46.23.90.152" :desc "Openports.pl ping")
(=> mail curl-http-status :url "http://46.23.90.152" :desc "Packages OpenBSD http" :timeout 10))
;; check www.openbsd.org website is replying under 10 seconds
(=> mail curl-http-status :url "https://www.openbsd.org" :desc "OpenBSD.org" :timeout 10)
;; check if a XML file is created regularly and valid
(=> mail file-updated :path "/var/www/htdocs/solene/openbsd-current.xml" :limit 1440)
(=> mail command :command (format nil "xmllint /var/www/htdocs/solene/openbsd-current.xml") :desc "XML openbsd-current.xml is not valid")
;; monitoring multiple gopher servers
(loop for host in '("grifon.fr" "dataswamp.org" "gopherproject.org")
do
(=> mail command
:try 6
:command (format nil "echo '/is-alive?done-by-solene-at-libera' | nc -w 3 ~a 70" host)
:desc (concatenate 'string "Gopher " host)))
(quit)
# Conclusion
I wrote a simple program in an old programming language (the ANSI Common Lisp standard dates from 1994); the result is that it's reliable over time, requires no code maintenance and is fun to hack on.
=> https://en.wikipedia.org/wiki/Common_Lisp Common Lisp on Wikipedia
</pre> ]]> </description> <guid>gemini://perso.pw/blog//articles/five-years-of-reed-alert.gmi</guid> <link>gemini://perso.pw/blog//articles/five-years-of-reed-alert.gmi</link> <pubDate>Thu, 10 Feb 2022 00:00:00 GMT</pubDate> </item> <item> <title>Harden your NixOS workstation</title> <description> <![CDATA[ <pre># Introduction
Coming from an OpenBSD background, I wanted to harden my NixOS system for better security. As you may know (or not), security mitigations must be chosen against a threat model. My model here is to prevent web browsers from leaking data, prevent services from being exploitable remotely and prevent programs from being exploited to run malicious code. NixOS comes with a few settings to improve these areas; I'll share a sample configuration that raises the default security level. Unrelated to these defenses, you should absolutely encrypt your filesystem, so that in case of physical access to your computer no data can be extracted.
# Use the hardened profile
There are a few profiles available by default in NixOS, which are files with a set of definitions; one of them is named "hardened" because it enables many security measures.
=> https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/hardened.nix Link to the hardened profile definition
Here is a simplified configuration importing the profile, along with the other important changes:
imports =
[
./hardware-configuration.nix
<nixpkgs/nixos/modules/profiles/hardened.nix>
];
# enable firewall and block all ports
networking.firewall.enable = true;
networking.firewall.allowedTCPPorts = [];
networking.firewall.allowedUDPPorts = [];
# disable coredumps: they could be harvested later (they may hold secrets)
# and also slow down the system when something crashes
systemd.coredump.enable = false;
# required to run chromium
security.chromiumSuidSandbox.enable = true;
# enable firejail
programs.firejail.enable = true;
# create system-wide executables firefox and chromium
# that wrap the real binaries so everything
# works out of the box.
programs.firejail.wrappedBinaries = {
firefox = {
executable = "${pkgs.lib.getBin pkgs.firefox}/bin/firefox";
profile = "${pkgs.firejail}/etc/firejail/firefox.profile";
};
chromium = {
executable = "${pkgs.lib.getBin pkgs.chromium}/bin/chromium";
profile = "${pkgs.firejail}/etc/firejail/chromium.profile";
};
};
# enable antivirus clamav and
# keep the signatures' database updated
services.clamav.daemon.enable = true;
services.clamav.updater.enable = true;
Rebuild the system, reboot and enjoy your new secure system.
# Going further: network filtering
If you want to absolutely control your network connections, I'd recommend the service OpenSnitch. This is a daemon that observes all the network activity on the system and lets you allow or block connections per executable, source, destination, protocol and many other parameters. OpenSnitch comes with a GUI app called opensnitch-ui which is mandatory: if the UI is not running, no filtering is done. When the UI is running, every time a new connection doesn't match an existing rule, you will be prompted with information telling you which executable is trying to do what, on which protocol, with which host, and then you can decide for how long you allow (or block) it. Just use `services.opensnitch.enable = true;` in the system configuration and run the opensnitch-ui program in your graphical session. To have persistent rules, open opensnitch-ui, go to the Preferences menu and the Database tab, choose "Database type: File" and pick a path to save it (it's a SQLite database). From this point, you will have to allow or block all network activity on your system; it can be time-consuming at first, but it's user-friendly enough and rules can be as broad as "allow this entire executable", so you don't have to allow every website visited by your web browser (but you could!). You may be surprised by the amount of traffic done by non-networking programs. After some time, the rule set should cope with most of your needs without needing new entries.
=> https://github.com/evilsocket/opensnitch/wiki/Getting-started OpenSnitch wiki: getting started
</pre> ]]> </description> <guid>gemini://perso.pw/blog//articles/nixos-hardened.gmi</guid> <link>gemini://perso.pw/blog//articles/nixos-hardened.gmi</link> <pubDate>Thu, 13 Jan 2022 00:00:00 GMT</pubDate> </item> <item> <title>How to pin a nix-shell environment using niv</title> <description> <![CDATA[ <pre># Introduction
In the past I shared a bit about the Nix nix-shell tool, which provides a "temporary" environment with a specific set of tools available. I'm using it on my blog to get all the dependencies required to rebuild it without having to remember which programs to install. While this method is practical, as I'm running the NixOS development version (called the unstable channel), I have to download new versions of the dependencies every time I use the nix shell. This is slow on my DSL line, and also a waste of bandwidth. There is a way to pin the version of the packages, so I always use the exact same environment, whatever the version of my nix channel.
# Use niv tool
Let me introduce you to niv, a program to manage nix dependencies; for this how-to I will only use a fraction of its features. We just want it to initialize a directory with a default configuration pinning the nixpkgs repository to a branch / commit ID, and we will tell the shell to use this version.
=> https://github.com/nmattia/niv niv project GitHub homepage
Let's start by running niv (you can get niv from the nix package manager) in your directory:
niv init
It will create a nix/ directory with two files: sources.json and sources.nix; looking at their content is not fascinating (you can take a look if you are curious though). The default is to use the latest nixpkgs release. sources.json records the branch, the commit ID and the sha256 of the corresponding tarball, so the environment is fully determined by what is committed alongside your project, and a tampered download would fail the hash check.
# Create a shell.nix file
My previous shell.nix file looked like this:
with (import <nixpkgs> {});
mkShell {
buildInputs = [
gnumake sbcl multimarkdown python3Full emacs-nox toot nawk mandoc libxml2
];
}
Yes, I need all of this for my blog to work because I have texts in org-mode/markdown/mandoc/gemtext/custom formats. The blog also requires toot (for Mastodon), sbcl (for the generator) and make (for building and publishing). Now, I will make a few changes to use the nix/sources.nix file to tell it where to get the nixpkgs information, instead of <nixpkgs> which is the system-wide channel.
let
sources = import ./nix/sources.nix;
pkgs = import sources.nixpkgs {};
in
with pkgs;
pkgs.mkShell {
buildInputs = [
gnumake sbcl multimarkdown python3Full emacs-nox
toot nawk mandoc libxml2
];
}
That's all! Now, when I run nix-shell in the directory, I always get the exact same shell and set of packages every day.
# How to update?
Because it's important to update from time to time, you can easily manage this using niv; it will bump the pin to the latest commit ID of the branch of the nixpkgs repository:
niv update nixpkgs -b master
When a new release is out, you can switch to the new branch using:
niv modify nixpkgs -a branch=release-21.11
# Using niv with configuration.nix
It's possible to use niv to pin the git revision you want to use to build your system; it's very practical for many reasons, like following the development version on multiple machines with the exact same revision. The snippet to use sources.nix for rebuilding the system is a bit different. Replace "{ pkgs, config, ... }:" with:
{
sources ? import ./nix/sources.nix,
pkgs ? import sources.nixpkgs {},
config, ...
}:
Of course, you need to run "niv init" in /etc/nixos/ first if you want to manage your system with niv.
# Extra tip: automatically run nix-shell with direnv
It's particularly comfortable to have your shell automatically load the environment when you cd into a project requiring a nix-shell; this is doable with the direnv program.
=> https://nixos.org/guides/declarative-and-reproducible-developer-environments.html#declarative-reproducible-envs nixos documentation about direnv usage
=> https://direnv.net/ direnv project homepage
This can be done in 3 steps after you installed direnv in your profile:
1. create a file .envrc in the directory with the content "use nix" (without the double quotes, of course)
2. execute "direnv allow" (direnv asks for this explicit approval because .envrc is executed by your shell, so read it before allowing it in a project you didn't write yourself)
3. create the hook in your shell, so it knows what to do with direnv (do this only once)
=> https://direnv.net/docs/hook.html How to hook direnv in your shell
Every time you cd into the directory, nix-shell will be started automatically.
</pre> ]]> </description> <guid>gemini://perso.pw/blog//articles/nix-niv-shell.gmi</guid> <link>gemini://perso.pw/blog//articles/nix-niv-shell.gmi</link> <pubDate>Wed, 12 Jan 2022 00:00:00 GMT</pubDate> </item> <item> <title>My plans for 2022</title> <description> <![CDATA[ <pre>Greetings dear readers, I wish you a happy new year and all the best. Like I did previously at new year time, although it's not a yearly exercise, I would like to talk about the blog and my plans for the next twelve months.
# About me
Let's talk about me first; it will make sense for the blog part afterwards. I plan to find a new job, maybe switch into the cybersecurity field or work in a position allowing me to contribute to an open source project; it's not that easy to find, but I have hope. This year, I will work on getting new skills, this should help me find jobs, but I also think I've been resting a bit on learning over the last two years. My plan is to dedicate 45 minutes every day to learning about a topic.
I already started doing so with some security and D language readings.
# About the blog
With regular learning time, I'm not sure yet if I will have much desire to write here as often as I did in 2021. I'm absolutely sure the publication rate will drop, but I will try to maintain a minimum, because while learning I will hopefully want to share some ideas, experiences or knowledge. I'm thankful to the readers community I have; I often get feedback by email, IRC or Mastodon about my posts, so I can fix them, extend them or rework them if I was wrong. This is invaluable to me, it helps me make connections with other people, and it's what makes life interesting.
# Podcast
In December 2021, I had the chance to be interviewed by the people of the BSDNow podcast; I'm talking about how I got into open source, about my blog but also about the old laptop challenge I made last year.
=> https://www.bsdnow.tv/435 Access to the podcast link on BSDNow
Thanks everyone! Let's have fun with computers!</pre> ]]> </description> <guid>gemini://perso.pw/blog//articles/2022-new-year.gmi</guid> <link>gemini://perso.pw/blog//articles/2022-new-year.gmi</link> <pubDate>Sat, 08 Jan 2022 00:00:00 GMT</pubDate> </item> <item> <title>My NixOS configuration</title> <description> <![CDATA[ <pre># Introduction
Let me share my NixOS configuration file, the one in /etc/nixos/configuration.nix that describes what is installed on my Lenovo T470 laptop. The basis of NixOS is that you declare every user, service, network and system setting in a file, and it then configures itself to match your expectations. You can also install global packages and per-user packages. It makes a system environment reproducible and reliable.
# The file
{ config, pkgs, ... }:
{
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
];
# run the garbage collector at 19:00 every day
# and remove generations older than 60 days
nix.gc.automatic = true;
nix.gc.dates = "19:00";
nix.gc.persistent = true;
nix.gc.options = "--delete-older-than 60d";
# clean /tmp at boot
boot.cleanTmpDir = true;
# latest kernel
boot.kernelPackages = pkgs.linuxPackages_latest;
# write dirty pages to disk when they reach 6% of memory
boot.kernel.sysctl = {
"vm.dirty_ratio" = 6;
};
# allow non free stuff
nixpkgs.config.allowUnfree = true;
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "t470";
time.timeZone = "Europe/Paris";
networking.networkmanager.enable = true;
# wireguard VPN
networking.wireguard.interfaces = {
wg0 = {
ips = [ "192.168.5.1/24" ];
listenPort = 1234;
privateKeyFile = "/root/wg-private";
peers = [
{ # server
publicKey = "MY PUB KEY";
endpoint = "SERVER:PORT";
allowedIPs = [ "192.168.5.0/24" ];
}];
};
};
# firejail firefox by default
programs.firejail.wrappedBinaries = {
firefox = {
executable = "${pkgs.lib.getBin pkgs.firefox}/bin/firefox";
profile = "${pkgs.firejail}/etc/firejail/firefox.profile";
};
};
# azerty keyboard <3
i18n.defaultLocale = "fr_FR.UTF-8";
console = {
# font = "Lat2-Terminus16";
keyMap = "fr";
};
# clean logs older than 2d
services.cron.systemCronJobs = [
"0 20 * * * root journalctl --vacuum-time=2d"
];
# nvidia prime offload rendering for eGPU
hardware.nvidia.modesetting.enable = true;
hardware.nvidia.prime.sync.allowExternalGpu = true;
hardware.nvidia.prime.offload.enable = true;
hardware.nvidia.prime.nvidiaBusId = "PCI:10:0:0";
hardware.nvidia.prime.intelBusId = "PCI:0:2:0";
services.xserver.videoDrivers = ["nvidia" ];
# programs
programs.steam.enable = true;
programs.firejail.enable = true;
programs.fish.enable = true;
programs.gamemode.enable = true;
programs.ssh.startAgent = true;
# services
services.acpid.enable = true;
services.thermald.enable = true;
services.fwupd.enable = true;
services.vnstat.enable = true;
# Enable the X11 windowing system.
services.xserver.enable = true;
services.xserver.displayManager.sddm.enable = true;
services.xserver.desktopManager.plasma5.enable = true;
services.xserver.desktopManager.xfce.enable = false;
services.xserver.desktopManager.gnome.enable = false;
# Configure keymap in X11
services.xserver.layout = "fr";
services.xserver.xkbOptions = "eurosign:e";
# Enable sound.
sound.enable = true;
hardware.pulseaudio.enable = true;
# Enable touchpad support
services.xserver.libinput.enable = true;
users.users.solene = {
isNormalUser = true;
shell = pkgs.fish;
packages = with pkgs; [
gajim audacity chromium dmd dtools
kate kdeltachat pavucontrol rclone rclone-browser
zim claws-mail mpv musikcube git-annex
];
extraGroups = [ "wheel" "sudo" "networkmanager" ];
};
# my gaming user running steam/lutris/emulators
users.users.gaming = {
isNormalUser = true;
shell = pkgs.fish;
extraGroups = [ "networkmanager" "video" ];
packages = with pkgs; [ lutris firefox ];
};
users.users.aria = {
isNormalUser = true;
shell = pkgs.fish;
packages = with pkgs; [ aria2 ];
};
# global packages
environment.systemPackages = with pkgs; [
ncdu kakoune git rsync restic tmux fzf
];
# Enable the OpenSSH daemon.
services.openssh.enable = true;
# Open ports in the firewall.
networking.firewall.enable = true;
networking.firewall.allowedTCPPorts = [ 22 ];
networking.firewall.allowedUDPPorts = [ ];
# user aria can only use tun0
networking.firewall.extraCommands = "
iptables -A OUTPUT -o lo -m owner --uid-owner 1002 -j ACCEPT
iptables -A OUTPUT -o tun0 -m owner --uid-owner 1002 -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner 1002 -j REJECT
";
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. It‘s perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.11"; # Did you read the comment?
}
</pre> ]]> </description> <guid>gemini://perso.pw/blog//articles/my-nixos.gmi</guid> <link>gemini://perso.pw/blog//articles/my-nixos.gmi</link> <pubDate>Tue, 21 Dec 2021 00:00:00 GMT</pubDate> </item> <item> <title>Restrict users to a network interface on Linux</title> <description> <![CDATA[ <pre># Introduction
If for some reason you want to prevent a system user from using any network interface except one, it's doable with a couple of iptables commands. The use case would be to force your user to go through a VPN and make sure it can't reach the Internet if the VPN is not available.
=> https://linux.die.net/man/8/iptables iptables man page
# Iptables
We can use simple rules with the "owner" match module: we allow traffic through the tun0 interface (the VPN) for the user, and reject traffic on any other interface. The owner match only applies to locally generated packets, which is why the rules live in the OUTPUT chain. Iptables applies the first matching rule, so if traffic is going through tun0 it's allowed, and otherwise it's rejected. This is quite simple and reliable. We will need the user id (uid) of the user we want to restrict; it can be found as the third field of /etc/passwd or by running "id the_user".
iptables -A OUTPUT -o lo -m owner --uid-owner 1002 -j ACCEPT
iptables -A OUTPUT -o tun0 -m owner --uid-owner 1002 -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner 1002 -j REJECT
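As an added example (not from the original post), here is a small POSIX shell script that generates the same three rules for a given uid and interface, adds the IPv6 counterparts with ip6tables, and installs them idempotently using the `-C` (check) flag so re-running it at boot never stacks duplicate rules. The ip6tables copies, the `rule_count`/`apply_rules` helpers and the `apply USERNAME` command line are my additions; the uid 1002 and interface tun0 are the values from the post.

```shell
#!/bin/sh
# Added example, not from the original post: confine one uid to a single egress
# interface with iptables, covering IPv4 and IPv6 and safe to re-run.

# build_rules UID IFACE
# Prints the rules in the order they must be appended. Order matters because
# netfilter stops at the first match: loopback first, then the VPN interface,
# then a catch-all REJECT for everything else this uid sends.
build_rules() {
    uid=$1
    iface=$2
    for tool in iptables ip6tables; do
        printf '%s -A OUTPUT -o lo -m owner --uid-owner %s -j ACCEPT\n' "$tool" "$uid"
        printf '%s -A OUTPUT -o %s -m owner --uid-owner %s -j ACCEPT\n' "$tool" "$iface" "$uid"
        printf '%s -A OUTPUT -m owner --uid-owner %s -j REJECT\n' "$tool" "$uid"
    done
}

# rule_count UID IFACE -> number of rules build_rules emits (3 per address family)
rule_count() {
    build_rules "$1" "$2" | wc -l | tr -d ' '
}

# apply_rules UID IFACE
# For each rule, try the -C (check) form first and only append when the check
# fails, so running the script again does not duplicate rules. Must run as root.
apply_rules() {
    build_rules "$1" "$2" | while IFS= read -r rule; do
        check=$(printf '%s' "$rule" | sed 's/ -A OUTPUT / -C OUTPUT /')
        $check 2>/dev/null || $rule
    done
}

# Usage (as root): ./restrict-user.sh apply aria tun0
if [ "${1:-}" = "apply" ]; then
    apply_rules "$(id -u "$2")" "${3:-tun0}"
fi
```

Two things the three rules do not cover on their own: IPv6, if only iptables is used (hence the ip6tables copies), and DNS. The loopback rule is needed for local IPC, but if a local caching resolver such as the systemd-resolved stub on 127.0.0.53 is running, the user's queries reach it over lo and are then forwarded under the resolver's own uid over whatever interface it likes, so either point the restricted user at a resolver reachable only through the VPN or run the resolver through the tunnel as well.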
Note that instead of --uid-owner it's possible to use --gid-owner with a group ID if you want to apply this rule to a whole group. These rules only cover IPv4; repeat them with ip6tables so the user can't leak traffic over IPv6 either. To make the rules persistent across reboots, please check your Linux distribution documentation.
# Going further
I trust firewall rules to do what we expect from them. Some userland programs may be able to restrict the traffic, but we can't know for sure if they are truly blocking or not. With iptables, once you made sure the rules are persistent, you have a guarantee that the traffic will be blocked. There may be better ways to achieve the same restrictions; if you know one that is NOT complex, please share!
</pre> ]]> </description> <guid>gemini://perso.pw/blog//articles/linux-forbid-user-except-vpn.gmi</guid> <link>gemini://perso.pw/blog//articles/linux-forbid-user-except-vpn.gmi</link> <pubDate>Mon, 20 Dec 2021 00:00:00 GMT</pubDate> </item> <item> <title>Playing video games on Linux</title> <description> <![CDATA[ <pre># Introduction
While I mostly make posts about playing on OpenBSD, I also play video games on Linux. There is a lot more choice, but it comes at the price that the choice comes from various sources, each with pros and cons.
# Commercial stores
There are a few websites where you can get games:
## itch.io
Itch.io is dedicated to indie games; you can find many games running on Linux, and most games there are free. Most games could be considered "amateurish", but it's a nice pool from which some gems get out, like Celeste, Among Us or Noita.
=> https://itch.io/ itch.io website
## Steam
It is certainly the biggest commercial platform; it requires the Steam desktop client and an account to be useful. You can find many free-to-play video games (including some open source games like OpenTTD or Wesnoth which are now available on Steam for free) but also paid games. Steam is working hard on their tool to make Windows games run on Linux (based on Wine + many improvements on the graphics stack).
The library manager allows filtering Linux games if you want to search for native games. Steam is really a big DRM platform, but it also works well.
=> https://store.steampowered.com/ Steam website
## GOG
GOG is a web store selling video games (many old games from people's childhood, but not only); they only require you to have an account. When you buy a game in their store, you download the installer, so you can keep/save it, without any DRM beyond the account registration on their website needed to buy games.
=> https://www.gog.com/ GOG website
## Your package manager / flatpak
There are many open source video games around; they may be available in your package manager, allowing painless installation and maintenance. The Flatpak package manager also provides video games, some of them recent and complex games that are not found in many package managers because of the huge work required.
=> https://flathub.org/apps/collection/editors-choice-games flathub flatpak repository, games page
## Developer's website
Sometimes, when you want to buy a game, you can buy it directly on the developer's website; it usually comes without any DRM and doesn't rely on a third party vendor. I know I did it for Rimworld, but some other developers offer this "service", it's quite rare though.
## Epic game store
They do not care about Linux.
# Streaming services
It's now possible to play remotely through "cloud computing", using a company's computer with a good graphics card. There are solutions like Nvidia's GeForce Now or Stadia from Google; both should work in a web browser like Chromium. They require a very decent Internet access with at least 15 MB/s of download speed for a 1080p stream, but will work almost anywhere.
# How to manage games
Let me describe a few programs that can be used to manage game libraries.
## Steam
As said earlier, Steam has its own mandatory desktop client to buy/install/manage games.
## Lutris
Lutris is an ambitious open source project; it aims to be a game library manager allowing to mix any kind of game: emulation / Steam / GOG / Itch.io / Epic game store (through Wine) / native Linux games, etc. Its website is a place where people can submit recipes for installing games that could be complicated, allowing the community to automate and share ways to install them. It also makes it very easy to install games from GOG. There is a recent feature to handle the Epic game store, but it's currently not really enjoyable, and the launcher itself running through Wine draws CPU like madness. It has nice features such as activating a HUD for displaying FPS, automatically running "gamemode" (disabling screen effects, doing some optimization), easily offloading rendering to a graphics card, setting the locale or switching to qwerty per game, etc. It's really a nice project that I follow closely; it's very useful as a Linux gamer.
=> https://lutris.net/ lutris project website
## Minigalaxy
Minigalaxy is a GUI to manage GOG games, installing them locally with one click, keeping them updated or installing DLC with one click too. It's really simplistic compared to Lutris, but it's made as a simple client to manage GOG games, which is perfectly fine. Minigalaxy can update games while Lutris can't; both can be used on the same installed video games. I find these two complementary.
=> https://sharkwouter.github.io/minigalaxy/ Minigalaxy project website
## play.it
This tool is a set of scripts to help you install native Linux video games on your system, depending on their running method (open source engine, installer, emulator, etc.).
=> https://www.dotslashplay.it/en/start play.it official website
# Conclusion
It has never been so easy to play video games on Linux. Of course, you have to decide if you want to run closed source programs or not.
Even if some games are closed source, fans may have developed a compatible open source engine from scratch to play them again natively, given you have access to the "assets" (the set of files required by the game which are not part of the engine, like textures, sounds, databases).
=> https://en.wikipedia.org/wiki/List_of_game_engine_recreations List of game engine recreations (Wikipedia EN)
</pre> ]]> </description> <guid>gemini://perso.pw/blog//articles/playing-on-linux.gmi</guid> <link>gemini://perso.pw/blog//articles/playing-on-linux.gmi</link> <pubDate>Sun, 19 Dec 2021 00:00:00 GMT</pubDate> </item> <item> <title>OpenVPN on OpenBSD in its own rdomain to prevent data leak</title> <description> <![CDATA[ <pre># Introduction
Today I will explain how to establish an OpenVPN tunnel through a dedicated rdomain so that only the VPN tunnel is exposed as an available interface, preventing data from leaking outside the VPN (which may induce privacy issues). I did the same recently for WireGuard tunnels, but WireGuard has an integrated mechanism for this. Let's reuse the network diagram from the WireGuard text to explain:
+-------------+
| server | tun0 remote peer
| |---------------+
+-------------+ |
| public IP |
| 1.2.3.4 |
| |
| |
/\/\/\/\/\/\/\ |OpenVPN
| internet | |VPN
\/\/\/\/\/\/\/ |
| |
| |
|rdomain 1 |
+-------------+ |
| computer |---------------+
+-------------+ tun0
rdomain 0 (default)
We have our computer and have been provided an OpenVPN configuration file; we want to establish the OpenVPN tunnel toward the server 1.2.3.4 using rdomain 1. We will set our network interfaces into rdomain 1, so when the VPN is NOT up, we won't be able to connect to the Internet (without the VPN).
# Network configuration
Add "rdomain 1" to your network interface configuration files, like "/etc/hostname.trunk0" if you use a trunk interface to aggregate Ethernet/Wi-Fi interfaces into an automatic failover trunk, or to each interface you are supposed to use regularly. I suppose this setup is mostly interesting for wireless users. Create a "/etc/hostname.tun0" file that will be used to prepare the tun0 interface for OpenVPN; add "rdomain 0" to the file, this will be enough to create the tun0 interface at startup. (Note that the keyword "up" would work too, but if you edit your files I find it easier to understand the rdomain of each interface this way.) Run "sh /etc/netstart" as root to apply the changes done to the files; you should have your network interfaces in rdomain 1 now.
# OpenVPN configuration
From here, I assume your OpenVPN configuration works. The OpenVPN client/server setup is out of the scope of this text. We will use rcctl to ensure the openvpn service is enabled (if it's already enabled this is not an issue), then we will configure it to run in rtable 1, which means it will connect through the interfaces in rdomain 1. If your OpenVPN configuration runs a script to set up the route(s) (through an "up /etc/something..." directive in the configuration file), you will have to add the parameter -T0 to the route command in the script. This is important because openvpn will run in rdomain 1, so calls to "route" apply to routing table 1 by default; you must change the route command to apply the changes to routing table 0.
rcctl enable openvpn
rcctl set openvpn rtable 1
rcctl restart openvpn
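As an added example that is not part of the original article, here is a shell snippet with the two pieces a practitioner ends up writing for this setup: the route command an OpenVPN "up" script must issue so the default route lands in routing table 0 even though openvpn itself runs in rtable 1 (OpenVPN exports the tunnel gateway to "up" scripts as the route_vpn_gateway environment variable), and a check that parses "route -T0 -n show -inet" output to confirm that the default route of rdomain 0 really goes through tun0. The two route tables below are constructed samples with made-up addresses, and iwm0 is an assumed wireless interface name.

```shell
#!/bin/sh
# Added example, not from the original article.

# default_route_cmd GATEWAY [RTABLE]
# The route command an OpenVPN "up" script has to run on OpenBSD when openvpn
# itself runs in rtable 1: without -T0 the route would be added to rtable 1,
# the one holding the physical interfaces, and the VPN would never become the
# default route of the programs living in rdomain 0.
# In the up script: route -T0 add -inet default "$route_vpn_gateway"
default_route_cmd() {
    gw=$1
    rtable=${2:-0}
    printf 'route -T%s add -inet default %s\n' "$rtable" "$gw"
}

# default_iface ROUTE_SHOW_OUTPUT
# Parses the output of "route -T0 -n show -inet" (passed as one string) and
# prints the interface of the default route, or nothing if there is none.
default_iface() {
    printf '%s\n' "$1" | awk '$1 == "default" { print $NF }'
}

# vpn_is_default ROUTE_SHOW_OUTPUT [IFACE]
# Succeeds when the default route of the parsed table uses IFACE (tun0).
vpn_is_default() {
    [ "$(default_iface "$1")" = "${2:-tun0}" ]
}

# Constructed sample: what "route -T0 -n show -inet" looks like once the tunnel
# is up and the up script has installed the default route (addresses made up).
SAMPLE_T0='Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            10.8.0.5           UGS        0        0     -     8 tun0
10.8.0.1/32        10.8.0.5           UGS        0        0     -     8 tun0
10.8.0.6           10.8.0.6           UHl        0        0 32768     1 tun0'

# Constructed sample for rtable 1, which only holds the physical uplink (iwm0
# is an assumed interface name).
SAMPLE_T1='Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            192.168.1.1        UGS        0        0     -     8 iwm0
192.168.1/24       192.168.1.20       UCn        0        0     -     4 iwm0'

# On the real system (as root), once the tunnel is up:
#   vpn_is_default "$(route -T0 -n show -inet)" && echo "rdomain 0 defaults to tun0"
```

Running the check against rtable 1 should fail, because the whole point of the setup is that the physical uplink is the default route only in the rdomain nothing else lives in.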
Now, you should have your tun0 interface in rdomain 0, being the default route, and the other interfaces in rdomain 1. If you run any network program it will go through the VPN; if the VPN is down, the programs won't connect to the Internet (which is the wanted behavior here).
# Conclusion
The rdomain and routing table concepts are powerful tools, but they are not always easy to grasp, especially in the context of a VPN mixing both (one for connectivity and one for the tunnel). People using a VPN certainly want to prevent their programs from going around the VPN, and this setup is absolutely effective at that task.
</pre> ]]> </description> <guid>gemini://perso.pw/blog//articles/openbsd-openvpn-exit.gmi</guid> <link>gemini://perso.pw/blog//articles/openbsd-openvpn-exit.gmi</link> <pubDate>Thu, 16 Dec 2021 00:00:00 GMT</pubDate> </item> <item> <title>Persistency management of memory based filesystem on OpenBSD</title> <description> <![CDATA[ <pre># Introduction
To spare my SSD and also speed up my system, I store some cache files in memory using the mfs filesystem on OpenBSD. But it would be nice to save the content upon shutdown and restore it at startup, wouldn't it? I found that storing the web browser cache in a memory filesystem drastically improves its responsiveness, but it's hard to measure. Let's do that with a simple rc.d script.
# Configuration
First, I use a mfs filesystem for my Firefox cache; here is the line in /etc/fstab:
/dev/sd3b /home/solene/.cache/mozilla mfs rw,-s400M,noatime,nosuid,nodev 1 0
This means I have a 400 MB partition using system memory, it's super fast but limited. tmpfs is disabled in the default kernel because it may have issues and is not well enough maintained, so I stick with mfs which is available out of the box. (tmpfs is faster and only uses memory when storing files, while mfs reserves the memory chunk at mount time).

# The script

We will write /etc/rc.d/persistency with the following content, this is a simple script that stores every mfs mountpoint found in /etc/fstab as a tgz file under /var/persistency when it receives the "stop" command. It also restores the files at the right place when receiving the "start" command.
#!/bin/ksh
# /etc/rc.d/persistency: on "stop", archive every mfs mount point listed in
# /etc/fstab under /var/persistency; on "start", restore the archives in place.
STORAGE=/var/persistency/

if [[ "$1" == "start" ]]
then
    install -d -m 700 "$STORAGE"
    for mountpoint in $(awk '/ mfs / { print $2 }' /etc/fstab)
    do
        # /home/solene/.cache/mozilla becomes home_solene_.cache_mozilla.tgz
        tar_name="$(echo "${mountpoint#/}" | sed 's,/,_,g').tgz"
        tar_path="${STORAGE}/${tar_name}"
        if [ -f "${tar_path}" ]
        then
            if cd "$mountpoint"
            then
                # restore, then delete the archive so a stale copy is never reused
                tar xzfp "${tar_path}" && rm "${tar_path}"
            fi
        fi
    done
fi

if [[ "$1" == "stop" ]]
then
    install -d -m 700 "$STORAGE"
    for mountpoint in $(awk '/ mfs / { print $2 }' /etc/fstab)
    do
        tar_name="$(echo "${mountpoint#/}" | sed 's,/,_,g').tgz"
        if cd "$mountpoint"
        then
            tar czf "${STORAGE}/${tar_name}" .
        fi
    done
fi
All we need to do now is to run "rcctl enable persistency" so it will be run with start/stop at boot/shutdown times.

# Conclusion

Now I'll be able to carry my Firefox cache across reboots while keeping it in mfs.
hardware.nvidia.modesetting.enable = true;
hardware.nvidia.prime.sync.allowExternalGpu = true;
hardware.nvidia.prime.offload.enable = true;
hardware.nvidia.prime.nvidiaBusId = "PCI:10:0:0";
hardware.nvidia.prime.intelBusId = "PCI:0:2:0";
services.xserver.videoDrivers = ["nvidia" ];
A few notes about the previous chunk of config:

- only add nvidia to the list of video drivers, at first I was also adding modesetting but this caused trouble
- the PCI bus ID can be found with lspci, it has to be translated to decimal, here my nvidia id is 10:0:0 but in lspci it's 0a:00:00, 0a being 10 in hexadecimal

=> https://nixos.wiki/wiki/Nvidia#offload_mode NixOS wiki about nvidia offload mode

# How to use it

The use of offloading is controlled by environment variables. What's pretty cool is that if you didn't connect the eGPU, it will still work (with the integrated GPU).

## Running a command

We can use glxinfo to be sure it's working, add the environment variables as a prefix:
__NV_PRIME_RENDER_OFFLOAD=1 __GLX_VENDOR_LIBRARY_NAME=nvidia glxinfo
## In Steam

Modify the command line of each game you want to run with the eGPU (it's tedious), by:
__NV_PRIME_RENDER_OFFLOAD=1 __GLX_VENDOR_LIBRARY_NAME=nvidia %command%
## In Lutris

Lutris has a per-game or per-runner setting named "Enable Nvidia offloading", you just have to enable it.

# Advanced usage / boot specialisation

Previously I only explained how to use the laptop screen with the eGPU as a discrete GPU (not doing display). For some reason, I've struggled a LOT to be able to use the eGPU display (which gives more performance because it hits fewer thunderbolt limitations). I've discovered the NixOS "specialisation" feature, which allows adding an alternative boot entry to start the system with slight changes; in this case, this will create a new "external-display" entry for using the eGPU as the primary display device:
hardware.nvidia.modesetting.enable = true;
hardware.nvidia.prime.sync.allowExternalGpu = true;
hardware.nvidia.prime.offload.enable = true;
hardware.nvidia.prime.nvidiaBusId = "PCI:10:0:0";
hardware.nvidia.prime.intelBusId = "PCI:0:2:0";
services.xserver.videoDrivers = ["nvidia" ];
# external display on the eGPU card
# otherwise it's discrete mode using laptop screen
specialisation = {
  external-display.configuration = {
    system.nixos.tags = [ "external-display" ];
    hardware.nvidia.modesetting.enable = pkgs.lib.mkForce false;
    hardware.nvidia.prime.offload.enable = pkgs.lib.mkForce false;
    hardware.nvidia.powerManagement.enable = pkgs.lib.mkForce false;
    services.xserver.config = pkgs.lib.mkOverride 0
    ''
      Section "Module"
        Load "modesetting"
      EndSection

      Section "Device"
        Identifier "Device0"
        Driver "nvidia"
        BusID "10:0:0"
        Option "AllowEmptyInitialConfiguration"
        Option "AllowExternalGpus" "True"
      EndSection
    '';
  };
};
With this setup, the default boot is the offloading mode but I can choose "external-display" to use my nvidia card and the screen attached to it, it's very convenient. I had to force the xserver configuration file because the one built by NixOS was not working for me. </pre> ]]> </description> <guid>gemini://perso.pw/blog//articles/nixos-egpu.gmi</guid> <link>gemini://perso.pw/blog//articles/nixos-egpu.gmi</link> <pubDate>Sun, 05 Dec 2021 00:00:00 GMT</pubDate> </item> <item> <title>Using awk to pretty-display OpenBSD packages update changes</title> <description> <![CDATA[ <pre># Introduction

You use OpenBSD and when you upgrade your packages you often wonder which ones are rebuilds and which ones are real version updates? Package updates are logged in /var/log/messages and using awk it's easy to produce some kind of report.

# Command line

The typical update line displays the package name, its version, a "->" and the newer version of the installed package. By checking whether the newer version differs from the original version, we can report updated packages. awk is already installed in OpenBSD, so you can run this command in your terminal without any other requirement.
awk -F '-' '/Added/ && /->/ { sub(">","",$0) ; if( $(NF-1) != $NF ) { $NF=" => "$NF ; print }}' /var/log/messages
The output should look like this (after a pkg_add -u):
Dec 4 12:27:45 daru pkg_add: Added quirks 4.86 => 4.87
Dec 4 13:01:01 daru pkg_add: Added cataclysm dda 0.F.2v0 => 0.F.3p0v0
Dec 4 13:01:05 daru pkg_add: Added ccache 4.5 => 4.5.1
Dec 4 13:04:47 daru pkg_add: Added nss 3.72 => 3.73
Dec 4 13:07:43 daru pkg_add: Added libexif 0.6.23p0 => 0.6.24
Dec 4 13:40:41 daru pkg_add: Added kakoune 2021.08.28 => 2021.11.08
Dec 4 13:43:27 daru pkg_add: Added kdeconnect kde 1.4.1 => 21.08.3
Dec 4 13:46:16 daru pkg_add: Added libinotify 20180201 => 20211018
Dec 4 13:51:42 daru pkg_add: Added libreoffice 7.2.2.2p0v0 => 7.2.3.2v0
Dec 4 13:52:37 daru pkg_add: Added mousepad 0.5.7 => 0.5.8
Dec 4 13:52:50 daru pkg_add: Added munin node 2.0.68 => 2.0.69
Dec 4 13:53:01 daru pkg_add: Added munin server 2.0.68 => 2.0.69
Dec 4 13:53:14 daru pkg_add: Added neomutt 20211029p0 gpgme sasl 20211029p0 gpgme => sasl
Dec 4 13:53:20 daru pkg_add: Added nethack 3.6.6p0 no_x11 3.6.6p0 => no_x11
Dec 4 13:58:53 daru pkg_add: Added ristretto 0.12.0 => 0.12.1
Dec 4 14:01:07 daru pkg_add: Added rust 1.56.1 => 1.57.0
Dec 4 14:02:33 daru pkg_add: Added sysclean 2.9 => 3.0
Dec 4 14:03:57 daru pkg_add: Added uget 2.0.11p4 => 2.2.2p0
Dec 4 14:04:35 daru pkg_add: Added w3m 0.5.3pl20210102p0 image 0.5.3pl20210102p0 => image
Dec 4 14:05:49 daru pkg_add: Added yt dlp 2021.11.10.1 => 2021.12.01
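Because the one-liner splits the whole line on "-", package names containing dashes are printed with spaces and flavored packages show up as false positives. The following script is an added example, not part of the original article: it splits each "Added" line once on "->", takes the new version from the right-hand side, strips the same number of flavor fields from the left-hand side and only reports the package when the old and new versions differ. The log lines it reads are constructed to follow the pkg_add log format the one-liner above expects (the hostname daru and the timestamps are made up for the sample); with a file argument it reads that file instead.

```shell
#!/bin/sh
# Report real version changes from pkg_add "Added" log lines.
# Added example, not from the original article. Usage:
#   sh pkg_update_report.sh /var/log/messages
# With no argument it runs on the constructed SAMPLE_LOG below.

report_updates() {
    awk '/pkg_add: Added .*->/ {
        # keep only "name-oldver[-flavor...]->newver[-flavor...]"
        s = $0
        sub(/.*pkg_add: Added /, "", s)
        p = index(s, "->")
        left = substr(s, 1, p - 1)
        right = substr(s, p + 2)

        # right side: first field is the new version, the rest are flavors
        nr = split(right, r, "-")
        newver = r[1]
        nflav = nr - 1

        # left side: drop the same number of flavor fields; the last remaining
        # field is the old version and everything before it is the package name
        nl = split(left, l, "-")
        oldver = l[nl - nflav]
        name = l[1]
        for (i = 2; i < nl - nflav; i++) name = name "-" l[i]

        if (oldver != newver) print name ": " oldver " => " newver
    }' "$@"
}

# Constructed sample log lines (not real log data): two real updates and
# three rebuilds of flavored packages whose version did not change.
SAMPLE_LOG='Dec  4 12:27:45 daru pkg_add: Added quirks-4.86->4.87
Dec  4 13:01:01 daru pkg_add: Added cataclysm-dda-0.F.2v0->0.F.3p0v0
Dec  4 13:53:14 daru pkg_add: Added neomutt-20211029p0-gpgme-sasl->20211029p0-gpgme-sasl
Dec  4 13:53:20 daru pkg_add: Added nethack-3.6.6p0-no_x11->3.6.6p0-no_x11
Dec  4 14:04:35 daru pkg_add: Added w3m-0.5.3pl20210102p0-image->0.5.3pl20210102p0-image'

# Prints "quirks: 4.86 => 4.87" and "cataclysm-dda: 0.F.2v0 => 0.F.3p0v0".
report_updates_from_sample() {
    printf '%s\n' "$SAMPLE_LOG" | report_updates
}

if [ "$#" -gt 0 ]; then
    report_updates "$@"
else
    report_updates_from_sample
fi
```

OpenBSD package versions and flavor names never contain a dash, only package names do, which is what makes splitting from the right-hand side reliable.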
# Limitations

The command seems to mangle the separators when displaying the result and doesn't work well with flavored packages, which are always shown as updated. At least it's a good start, it requires a bit more polishing but it's already useful enough for me. </pre> ]]> </description> <guid>gemini://perso.pw/blog//articles/openbsd-package-update-report.gmi</guid> <link>gemini://perso.pw/blog//articles/openbsd-package-update-report.gmi</link> <pubDate>Sat, 04 Dec 2021 00:00:00 GMT</pubDate> </item> <item> <title>The state of Steam on OpenBSD</title> <description> <![CDATA[ <pre># Introduction

There is a very common question within the OpenBSD community, mostly from newcomers: "How can I install Steam on OpenBSD?". The answer is: You can't, there is no way, this is impossible, period.

# Why?

Steam is a closed source program, and the fact that it's now also available on Linux doesn't mean it runs on OpenBSD. The Linux Steam version is compiled for Linux and without the sources we can't port it to OpenBSD. Even if Steam could be installed and launched, games are not made for OpenBSD and wouldn't work either.

On FreeBSD it may be possible to install the Windows Steam using Wine, but Wine is not available on OpenBSD because it requires some specific kernel memory management we don't want to implement for security reasons (I don't have the whole story), but FreeBSD also has a Linux compatibility mode to run Linux binaries, allowing the use of programs compiled for Linux. This Linux emulation layer was dropped from OpenBSD a few years ago because it was old and unmaintained, bringing more issues than help.

So, you can't install Steam or use it on OpenBSD. If you need Steam, use a supported operating system.

I wanted to write an article about this in the hope my text will be well referenced by search engines, to help people looking for Steam on OpenBSD by giving them a reliable answer.
</pre> ]]> </description> <guid>gemini://perso.pw/blog//articles/openbsd-steam.gmi</guid> <link>gemini://perso.pw/blog//articles/openbsd-steam.gmi</link> <pubDate>Wed, 01 Dec 2021 00:00:00 GMT</pubDate> </item> <item> <title>Nethack: end of Sery the Tourist</title> <description> <![CDATA[ <pre>Hello, if you remember my previous publications about Nethack and my character "Sery the tourist", I have bad news.

On OpenBSD, nethack saves are stored in /usr/local/lib/nethackdir-3.6.0/logfile and obviously I didn't save this when changing computer a few months ago. I'm very sad about this data loss because I was enjoying a lot telling the story of the character while playing.

Sery reached the 7th floor while being a Tourist, which is incredible given all the nethack games I've played, and this one was going really well.

I don't know if you readers enjoyed that kind of content, if so please tell me so I may start a new game and write about it.

As an end, let's say Sery stayed too long on the 7th floor and the Langoliers came to eat the Time of her reality.

=> https://stephenking.fandom.com/wiki/Langoliers Langoliers on Stephen King wiki fandom </pre> ]]> </description> <guid>gemini://perso.pw/blog//articles/nethack-end-of-sery.gmi</guid> <link>gemini://perso.pw/blog//articles/nethack-end-of-sery.gmi</link> <pubDate>Sat, 27 Nov 2021 00:00:00 GMT</pubDate> </item> <item> <title>Simple network dashboard with vnstat</title> <description> <![CDATA[ <pre># Introduction

Hi! If you run a server or a router, you may want to have a nice view of the bandwidth usage and statistics. This is easy and quick to achieve using the vnstat software. It gathers data regularly from network interfaces and stores it in rrd files, it's very efficient and easy to use, and its companion program vnstati can generate pictures, perfect for easy visualization.
=> static/vnstat-dashboard.png My simple router network dashboard with vnstat
=> https://humdi.net/vnstat/ vnstat project homepage

# Setup (on OpenBSD)

Simply install the vnstat and vnstati packages with pkg_add. All the network interfaces will be added to the vnstatd databases to be monitored.
Create a script in /var/www/htdocs/dashboard and make it executable:
#!/bin/sh
# generate the dashboard pictures from the vnstat database
cd /var/www/htdocs/dashboard/ || exit 1
vnstati --fiveminutes 60 -o 5.png
vnstati -c 60 -vs -o vs.png
vnstati -c 60 --days 14 -o d.png
vnstati -c 300 --months 5 -o m.png
and create a simple index.html file to display pictures:
<html>
<body>
<div style="display: inline-block;">
<img src="vs.png" /><br />
<img src="d.png" /><br />
<img src="m.png" /><br />
</div>
<img src="5.png" /><br />
</body>
</html>
Add a cron as root to run the script every 10 minutes using _vnstat user:
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin
My personal crontab runs only from 8h to 23h because I will never look at my dashboard while I'm sleeping so I don't need to keep it updated, just replace * by 8-23 in the hour field.

# Http server

Obviously you need to serve /var/www/htdocs/dashboard/ from your http server, I won't cover this step in the article.

# Conclusion

Vnstat is fast, light and easy to use, yet it produces nice results. As an extra, you can run the vnstat commands (without the i) and use the raw text output to build a pure text dashboard if you don't want to use pictures (or http). </pre> ]]> </description> <guid>gemini://perso.pw/blog//articles/simple-bandwidth-dashboard.gmi</guid> <link>gemini://perso.pw/blog//articles/simple-bandwidth-dashboard.gmi</link> <pubDate>Thu, 25 Nov 2021 00:00:00 GMT</pubDate> </item> <item> <title>OpenBSD and Linux comparison: data transfer benchmark</title> <description> <![CDATA[ <pre># Introduction

I had a strong suspicion about something but today I made measurements. My feeling is that downloading data from OpenBSD uses more "upload data" than on other OSes.

I originally thought about this issue when I found that using OpenVPN on OpenBSD was limiting my download speed because I was reaching the upload limit of my DSL line, while it was fine on Linux. Since then I've been thinking that OpenBSD was using more outgoing data, but I never measured anything before.

# Testing protocol

Now that I have an OpenBSD router it was easy to take the measurements with a match rule and a label. I'll be downloading a specific file from a specific server a few times with each OS, so I'm adding a rule matching this connection.
match proto tcp from 10.42.42.32 to 145.238.169.11 label benchmark
Then, I downloaded this file three times per OS, resetting the counters after each download and saving the results of the "pfctl -s labels" command.

=> http://ftp.fr.openbsd.org/pub/OpenBSD/7.0/amd64/comp70.tgz OpenBSD comp70.tgz file from an OpenBSD mirror

The variance of each result per OS was very low, I used the average of each column as the final result per OS.

# Raw results
OS        total packets  total bytes  packets OUT  bytes OUT  packets IN  bytes IN
-------   -------------  -----------  -----------  ---------  ----------  ---------
OpenBSD   175348         158731602    72068        3824812    10328       154906790
OpenBSD   175770         158789838    72486        3877048    10328       154912790
OpenBSD   176286         158853778    72994        3928988    10329       154924790
Linux     154382         157607418    51118        2724628    10326       154882790
Linux     154192         157596714    50928        2713924    10326       154882790
Linux     153990         157584882    50728        2705092    10326       154879790
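To make the figures below reproducible from the raw rows, here is an added awk-based script (not part of the original article) that averages each counter per OS and prints the OpenBSD/Linux ratio for every column. The rows are the ones from the table above, embedded so the script runs stand-alone; the column names in the output are my own labels for the six counters.

```shell
#!/bin/sh
# Average each pf label counter per OS and print the OpenBSD/Linux ratio.
# Added example, not from the original article; rows are the raw results above.

RAW_RESULTS='OpenBSD 175348 158731602 72068 3824812 10328 154906790
OpenBSD 175770 158789838 72486 3877048 10328 154912790
OpenBSD 176286 158853778 72994 3928988 10329 154924790
Linux 154382 157607418 51118 2724628 10326 154882790
Linux 154192 157596714 50928 2713924 10326 154882790
Linux 153990 157584882 50728 2705092 10326 154879790'

# Reads "OS total_packets total_bytes packets_out bytes_out packets_in bytes_in"
# rows on stdin and prints one line per counter with both averages and the ratio.
ratio_report() {
    awk '
        $1 == "OpenBSD" || $1 == "Linux" {
            n[$1]++
            for (i = 2; i <= 7; i++) sum[$1, i] += $i
        }
        END {
            split("total_packets total_bytes packets_OUT bytes_OUT packets_IN bytes_IN", col, " ")
            for (i = 2; i <= 7; i++) {
                o = sum["OpenBSD", i] / n["OpenBSD"]
                l = sum["Linux", i] / n["Linux"]
                printf "%-13s OpenBSD=%.0f Linux=%.0f ratio=%.2f%%\n", col[i - 1], o, l, 100 * o / l
            }
        }'
}

# Runs the report on the embedded rows; packets_OUT and bytes_OUT come out
# around 142%, bytes_IN at 100.02%.
ratio_report_from_results() {
    printf '%s\n' "$RAW_RESULTS" | ratio_report
}

ratio_report_from_results
```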
# About the results

A quick look shows that OpenBSD sent +42% OUT packets compared to Linux and also +42% OUT bytes, while the OpenBSD/Linux IN bytes ratio is nearly identical (100.02%).

=> static/network-usage-packets.png Chart showing the IN and OUT packets of Linux and OpenBSD side by side

# Conclusion

I'm not sure what to conclude except that now, I'm sure there is something here requiring investigation. </pre> ]]> </description> <guid>gemini://perso.pw/blog//articles/openbsd-network-usage-mystery.gmi</guid> <link>gemini://perso.pw/blog//articles/openbsd-network-usage-mystery.gmi</link> <pubDate>Sun, 14 Nov 2021 00:00:00 GMT</pubDate> </item> <item> <title>How I ended up liking GNOME</title> <description> <![CDATA[ <pre># Introduction

Hi! It's been a while without much activity on my blog, the reason is that I stabbed through my right index finger with a knife by accident; the injury was so bad I could barely use my right hand because I couldn't move my index finger at all without pain. So I've been stuck with only my left hand for a month now. Good news, it's finally getting better :)

Which leads me to the topic of this article, why I ended up liking GNOME!

# Why I didn't use GNOME

I will first start with why I didn't use it before. I like to try everything all the time, I like disruption, I like having a hostile (desktop/shell/computer) environment to stay sharp and not get stuck on ideas. My current setup was using Fvwm or Stumpwm, mostly keyboard driven, with many virtual desktops to spatially regroup different activities.

However, with an injured hand, I've been facing a big issue, most of my key bindings were for two hands and it seemed too weird for me to change the bindings to work with one hand. I tried to adapt using only one hand, but I got poor results and using the cursor was not very efficient because stumpwm is hostile to the cursor and fvwm is not really great for this either.
# The road to GNOME

With only one hand to use my computer, I found the awesome program ibus-typing-booster to help me type by auto-completing words (a bit like on touchscreen phones), it worked out of the box with GNOME thanks to the ibus integration working well. I used GNOME to debug the package but ended up liking it in my current condition.

How do I like it now, when I was grumbling about it a few months ago because I found it very confusing? Because it's easy to use and spares me movements with my hands, absolutely.