💾 Archived View for perso.pw › blog › rss.xml captured on 2024-02-05 at 09:32:49.


<?xml version="1.0" encoding="UTF-8"?> 
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Solene'%</title>
    <description></description>
    <link>gemini://perso.pw/blog/</link>
    <atom:link href="gemini://perso.pw/blog/rss.xml" rel="self" type="application/rss+xml" />
    <item>
  <title>Hosting Shaarli on OpenBSD</title>
  <description>
    <![CDATA[
<pre># Introduction

This guide explains how to install the PHP web service Shaarli on OpenBSD.

Shaarli is a bookmarking service and RSS feed reader: you can easily add new links, attach a text and tags to each one, and share them with others or keep any entry private if you prefer.

=> https://github.com/shaarli/Shaarli Shaarli GitHub Project page

# Setup

The software is pretty easy to install using the base system httpd and PHP (the latest version available in packages at the time of writing).

## Deploy Shaarli

Download the latest version of Shaarli available on their GitHub project.

=> https://github.com/shaarli/Shaarli/releases Shaarli releases on GitHub

Extract the archive and move the directory `Shaarli` in `/var/www/`.

Change the owner of the following directories to the user `www`, the user php-fpm runs as; Shaarli needs to write into them.  For security's sake, don't chown the whole tree to `www`: a web application that cannot modify its own code is much harder to backdoor if it ever gets compromised.

chown www /var/www/Shaarli/{cache,data,pagecache,tmp}


## Install the packages

We need a few packages to make it work.  The example uses PHP 8.3, replace the version with the one you want:

pkg_add php--%8.3 php-curl--%8.3 php-gd--%8.3 php-intl--%8.3


By default, on OpenBSD the PHP modules aren't enabled, you can do it with:

for i in gd curl intl opcache; do ln -s "/etc/php-8.3.sample/${i}.ini" /etc/php-8.3/ ; done


Now, enable and start PHP service:

rcctl enable php83_fpm
rcctl start php83_fpm


If you want Shaarli to be able to make outgoing connections to fetch remote content (thumbnails, feed titles), you need to populate the php-fpm chroot under `/var/www`, as it can't see the host's `/etc/resolv.conf` or CA certificate bundle.  Everything is explained in the file `/usr/local/share/doc/pkg-readmes/php-INSTALLED.VERSION`.

## Configure httpd

This guide won't cover the setup for TLS as it's always the same procedure, and it may depend on how you prefer to generate the TLS certificates.

Create the file `/etc/httpd.conf` with the following content, making sure to replace the text in capitals with real values:

server "YOUR_HOSTNAME_HERE" {
    listen on * port 80

    # don't rewrite for assets (fonts, images)
    location "/tpl/*" {
        root "/Shaarli/"
    }
    location "/doc/*" {
        root "/Shaarli/"
    }
    location "/cache/*" {
        root "/Shaarli/"
    }

    location "*.php" {
        fastcgi socket "/run/php-fpm.sock"
        root "/Shaarli"
    }

    location "*index.php*" {
        root "/Shaarli"
        fastcgi socket "/run/php-fpm.sock"
    }

    location match "/(.*)" {
        request rewrite "/index.php%1"
    }

    location "/*" {
        root "/Shaarli"
    }
}


Enable and start httpd

rcctl enable httpd
rcctl start httpd


## Configure your firewall

If you configured PF to block by default, you have to open the ports 80 and also 443 if you enable HTTPS.

# Installing Shaarli

Opening `http://YOUR_HOSTNAME_HERE/index.php/` should now show Shaarli's install page with all checks green, and you can configure the instance as you wish.
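
Once the instance works, it's worth checking that the ownership rule from the setup section still holds after upgrades or a careless `chown -R`.  The script below is an added example, not code from the original post or from the Shaarli project: it audits a deployed tree so that only `cache/`, `data/`, `pagecache/` and `tmp/` belong to the runtime user (assumed to be `www`, as in the setup above) and that nothing else in the tree does.  The root directory and owner are parameters, so it also runs against a copy elsewhere.

```sh
#!/bin/sh
# Added example, not code from the original post or from the Shaarli project.
# Audit a deployed Shaarli tree against the ownership rule above: only cache/,
# data/, pagecache/ and tmp/ may belong to the runtime user (assumed to be "www",
# the user OpenBSD's php-fpm runs as); nothing else in the tree should, so a
# compromised PHP process cannot rewrite the application's own code.
# ROOT and OWNER are parameters, so the check also runs against a test copy.

SHAARLI_WRITABLE="cache data pagecache tmp"

# file_owner PATH: print the owning user name (ls(1) column 3, portable enough
# between OpenBSD and GNU userland).
file_owner() {
    ls -ld "$1" | awk '{ print $3 }'
}

# audit_shaarli ROOT OWNER: print one "problem: path" line per violation.
# Empty output means the tree matches the expected layout.
audit_shaarli() {
    root=$1
    owner=$2

    # 1. The four writable directories must exist and belong to OWNER.
    for d in $SHAARLI_WRITABLE; do
        if [ ! -d "$root/$d" ]; then
            echo "missing: $d"
        elif [ "$(file_owner "$root/$d")" != "$owner" ]; then
            echo "not-owned-by-$owner: $d"
        fi
    done

    # 2. Everything else (code, templates, vendored libraries) must NOT belong
    #    to OWNER. Hidden entries such as .htaccess are included.
    for entry in "$root"/* "$root"/.[!.]*; do
        [ -e "$entry" ] || continue
        name=${entry##*/}
        case " $SHAARLI_WRITABLE " in
            *" $name "*) continue ;;
        esac
        find "$entry" -print | while IFS= read -r p; do
            if [ "$(file_owner "$p")" = "$owner" ]; then
                echo "owned-by-$owner: ${p#"$root"/}"
            fi
        done
    done
}

# Stand-alone use: sh audit-shaarli.sh [ROOT] [OWNER], defaulting to the paths
# used in this post. Exits non-zero when anything is reported.
if [ -d "${1:-/var/www/Shaarli}" ]; then
    problems=$(audit_shaarli "${1:-/var/www/Shaarli}" "${2:-www}")
    if [ -n "$problems" ]; then
        printf '%s\n' "$problems"
        exit 1
    fi
    echo "ok: only ${SHAARLI_WRITABLE} belong to ${2:-www}"
fi
```

Run it as `sh audit-shaarli.sh` on the server, or `sh audit-shaarli.sh /path/to/copy www` against a staging copy.  Any `owned-by-www:` line is a file the PHP process could overwrite and deserves a `chown root`; a `not-owned-by-www:` line is a directory Shaarli will fail to write to.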

# Conclusion

Shaarli is a really handy piece of software, especially for active RSS readers who may have a huge stream of news to read.  What's cool is the share service, and you may allow some people to subscribe to your own feed.
</pre>
    ]]>
  </description>
  <guid>gemini://perso.pw/blog//articles/shaarli-openbsd.gmi</guid>
  <link>gemini://perso.pw/blog//articles/shaarli-openbsd.gmi</link>
  <pubDate>Tue, 23 Jan 2024 00:00:00 GMT</pubDate>
</item>
<item>
  <title>This blog is AI free</title>
  <description>
    <![CDATA[
<pre># Introduction

Hi!  This is a short informative blog post about Artificial Intelligence.

I just got approached by a company who wants to help me to add some generative AI in my blog workflow to "boost the quality" of my content.

I like generative AI and I think it's an interesting tool, but I have just no interest using it for my blog.

# This blog content is made by a human

We need some kind of label "not AI powered" :D I'll add something like that on my template

There is one exception as I wrote one blog post about machine learning, and obviously the pictures in it were generated/colored by a program to demonstrate the tools.

# Why no AI?

I have no incentive to add an AI to the writing process.  I make mistakes, I may write poor sentences and I have my own style, for better or worse.  I think throwing an AI into this would just make the result bland.

For a pretty similar reason, I keep my custom website generator and template instead of using a program like Hugo with an awesome template because I need to have this "authentic" feeling for my blog.

This blog is my own space, it represents who I am.</pre>
    ]]>
  </description>
  <guid>gemini://perso.pw/blog//articles/no-ai.gmi</guid>
  <link>gemini://perso.pw/blog//articles/no-ai.gmi</link>
  <pubDate>Thu, 18 Jan 2024 00:00:00 GMT</pubDate>
</item>
<item>
  <title>Overcoming imposter syndrome in IT</title>
  <description>
    <![CDATA[
<pre># Introduction

You certainly know about the Imposter Syndrome (I'll refer to it as IS), unfortunately it's a very common problem in IT.

=> https://en.wikipedia.org/wiki/Impostor_syndrome Wikipedia: Imposter Syndrome

=> static/impostersyndrome.png Imposter Syndrome explained in picture

The picture above was downloaded from https://mrscliffnotes.com/2021/03/02/on-the-imposter-syndrome/

As I finally (almost) got rid of my own Imposter Syndrome, I wanted to share my experience and tips that helped me overcome it.

# Keeping track of your work and knowledge

It's hard to stay confident in your own skills when you feel you accomplished nothing in your life or career.  I would recommend everyone to always keep a very detailed CV/Résumé up-to-date, with all the projects you worked on.  When you feel in doubt about your own skills, just check this list, and you will certainly be surprised about what you achieved in the past.

If you are a developer, looking at your project histories in git/hg/svn/whatever is also a nice way to review your own past work.  There are dedicated git tools to write such nice reports, even across multiple repositories.

When I look back at my blog index, I realize how many things I learned.  I forgot about most of the previous content and topics I wrote about!  This is my own list, it's really helpful to me.

# Meet other professionals

It seems IS exists because it's hard to differentiate "low value general knowledge" and what we know and should know as a technician, knowledge that makes us a professional in our job.  In IT it's really hard to evaluate a work/product/service, compared to let's say, a sculpted piece of wood.  I'm not saying sculpting wood is easy, but at least it doesn't require an audit by a dedicated team to know if it was nicely done in the state of the art.

My confidence got better when I started spending time with the new colleagues when joining a new company.  Being able to know how the other worked helped me to evaluate my own work, it was also the opportunity to ask them to review my work and methods.  Honest feedback from a competent person is invaluable.

By spending more time with my colleagues, I was finally able to establish some kind of reference to auto-evaluate my work more accurately.

Moving to a new job is also the opportunity to meet real slackers with poor skills, and in most cases you will notice they don't even care.  After all, if they got a job and their boss is happy, your work will just be better, so there is no reason to not stay confident in yourself.

# Stay confident

This seems boring and obvious, but you need to stay confident in yourself to start building some confidence.  If you succeeded in a project in the past, there is no reason for you to fail in another project later.

Being able to overcome failures is an important part of the process.  It's common for anyone to fail at something, but instead of lamenting about it, see it as the opportunity to improve yourself for the next time.  There is a lot more to learn from failures than from successes.

# Tip of the Iceberg

When you see someone's work/article/video, you may be impressed by it and feel bad that you would never be able to achieve something similar because it's "too hard".  But did you ever think that you only saw the tip of the iceberg, and that you dismissed all the hard work and research done in order to succeed?

For instance, maybe that person spent hundreds of hours making a two-minute video: the result looks incredible to you, and it's only two minutes, so you immediately think "I would never be able to do this myself", but what if you had hundreds of hours and the skills to do it?  Could you?

# Do they know?

If you ever feel bad listening to someone's story that makes you feel incompetent and useless, you could think: "do they know how to do [this], and [this]?" ([this] being something you know)

> Yes, they are a programming compiler expert, but do they know like me how to cook?  Do they know how to change a car wheel?  Do they know how to grow vegetables?

# Conclusion

I'm not a psychologist, a personal coach or an imposter syndrome specialist.  But I've been able to work around it, and I'm now gradually getting rid of it for good.  It's really refreshing!

It's important to not feel over-confident in the process, there is a balance to keep, but don't think about it too early ;)

Have fun, you are awesome in your own way, like everyone else!
</pre>
    ]]>
  </description>
  <guid>gemini://perso.pw/blog//articles/dealing-with-imposter-syndrome.gmi</guid>
  <link>gemini://perso.pw/blog//articles/dealing-with-imposter-syndrome.gmi</link>
  <pubDate>Sun, 14 Jan 2024 00:00:00 GMT</pubDate>
</item>
<item>
  <title>2024 plans and 2023 retrospective</title>
  <description>
    <![CDATA[
<pre># Hello!

It happens that I occasionally write a blog post to give some news about my own projects and life(style), this is such a blog post!

# 2023's projects

2023 was a special year for me, I've been terribly sick early January, and this motivated me to change a lot of things in my life.  I stuck to this idea the whole year and I'm still looking for things to change in my life.

## Work

I left the company I was working for, and started to work as a freelance DevSecOps/DevOps. The word "Sysadmin" would be the best job title for me, but people like buzzwords and nobody talks about system administrators anymore.

Since the end of the year, I also work as a technical writer for a VPN provider (that I consider ethical), and it makes me think that in the future, I may have a career shift to being a technical writer "only".

## The blog

Since 2023, I have a page on Patreon allowing my readers to support me financially, in exchange for a few days of early access for most blog posts.  This is an advantage to reward my supporters without being a loss for all other readers.  Patreon helps me a lot as it allows me to plan on a monthly income and spend more time on my blog or contributing to open source projects. I also added other payment options as some wanted to support me using more free (as in freedom) methods like liberapay, BTC or XMR.

The blog also received a few technical changes, mostly in the HTML rendering like captions on pictures or headers numbering.  I'm quite pleased with the result right now, and the use of GemText (from Gemini) markup was a right choice a few years ago as it gives a simple structure enforcing clarity (of course it's bad if you need a complex layout).

The content finally got a proper license: CC-BY-4.0, I'm an open source person, but my own content was under no license, what a shame for all this time...

## Open Source

Last year, I started using Qubes OS as it's the best operating system for my needs (a blog post will cover this "soon") and I got involved into the community and in testing the 4.2 release that got out a few weeks ago by now.

I'm still contributing to OpenBSD, but not as much as I want, simply because of lack of hardware (and a bit of time), but this is now solved after my deal with NovaCustom.  I still maintain the packages updates build cluster.

In 2023, I entirely dropped NixOS, but I preferred to not write a blog post about it to avoid a flame war, but maybe I'll write one.  In a few words, I didn't like the governance issues of the project, it seems company driven to me and from my point of view it's harmful for the open source project.  The technology is awesome, but the "core team" struggles to get somewhere.  I'll investigate more Guix as I always enjoyed this project, and they proved they are a reliable and solid project able to maintain their pace over time.

## The OpenBSD Webzine

It's my favorite pet project, even though it's a lot of work to publish a single issue.

Working with Prahou for the special Halloween issue was really fun as instead of writing the content, I had to give some direction to keep the issue on rails for being a Webzine issue, while being able to enjoy it like any other reader as I didn't make the content itself.

# 2024's project

## Lifestyle

For no particular reason, I decided to try a vegetarian diet until the end of February (I still eat eggs, milk, butter, cheese or rarely fish).  I'm bad at cooking, I don't enjoy it much but mostly because I have no idea what to cook.  This forces me to learn about new food and recipes I was not aware of.  Buying a recipe book is definitely a must for this :-).  I never really enjoyed meat, and it's possible that I may keep the vegetarian diet for a longer time.

## Open source

This is the year of the comeback on OpenBSD, I really enjoy contributing to it, helping the community and reviewing some ports I care about.

I'll also continue contributing to Qubes OS, this niche operating system deserves some more contributors.

## The blog

I'll try to stick to a weekly blog post schedule.  Of course, I also need to work in parallel, and sometimes I'm just out of ideas :-)

## Work

Let's see what 2024 will bring for me!

# Best wishes!

I'd like to thank all my readers.  I regularly receive emails saying you enjoyed a post, reporting typos, or suggesting improvements to the content, this really drives me to continue writing.
</pre>
    ]]>
  </description>
  <guid>gemini://perso.pw/blog//articles/plans-for-2024.gmi</guid>
  <link>gemini://perso.pw/blog//articles/plans-for-2024.gmi</link>
  <pubDate>Tue, 09 Jan 2024 00:00:00 GMT</pubDate>
</item>
<item>
  <title>NovaCustom NV41 laptop review</title>
  <description>
    <![CDATA[
<pre># Disclaimer

Hello!  Today, I present you a quite special blog post, resulting from a partnership with the PC manufacturer NovaCustom.  I offered to write an honest review for their product and also share my feedback as a user, in exchange for a NV41 laptop.  This is an exceptional situation, I insist that it's not a sponsorship, I actually needed a laptop for my freelance work, and it turns out they agreed.  In our agreement, I added that I would return the laptop in case I wouldn't like it, I don't want to generate electronic waste and waste the company's money for nothing.

I have no plans to turn my blog into an advertisement platform and do this on a regular basis.  Stars aligned well here, NovaCustom is making the only modern laptop Qubes OS certified, and the CEO is a very open source friendly person.

# Introduction

The real introduction now :-)

In this blog post, I'll share my experience using a NV41 laptop from NovaCustom, I tried many operating systems on it for a while, ran some benchmarks, and ultimately used Qubes OS on it for a month and a half for my freelance work.

=> https://novacustom.com/ NovaCustom official website
=> https://novacustom.com/product/nv41-series/ NV41 Laptop store webpage

# The machine itself

=> static/review/laptop-stand.jpg The laptop on a stand, running Ubuntu 23.10

This is a 14-inch laptop, the best form factor in my opinion for being comfortable when used for a long time while being easy to carry.

It looks great with its metal look with blueish reflection and the engraved logo "NV" on the cover (logo can be customized).

The frame feels solid and high-end, I'm not afraid to carry it or manipulate it.  Compared to my ThinkPad T470, that's a change, I always fear to press its plastic frame too much when carrying with a single hand.

The power button is on the right side, this is quite unusual, but it looks great, there are LEDs around the power plug near the power button that tell the state of the system (running, off, sleeping) and if the battery is running low or charging.

It's running the open-source Firmware Dasharo coreboot, and optionally the security oriented firmware Heads can be installed.

=> https://dasharo.com/ Dasharo coreboot official website
=> https://osresearch.net/ Heads open source firmware official website

## Packaging and unboxing

The machine came in a box containing a box containing the actual box with the laptop inside, it was greatly packaged.

=> static/review/laptop-package.jpg Laptop still wrapped in the protections, all the boxes are in the background

The laptop screen had a removable sleeve that can be reused, I appreciated this as it's smart because it's possible to put it back in case you don't use the laptop for a long time or want to sell it later.

The box contained the laptop, the power supply and the power plug, the full length of the power supply is 2 meters which is great, I hate laptops chargers that only have 1 meter of cable.

=> static/review/laptop-unbox.jpg The laptop, power supply, power plug and other (manual, screen cleaner…)

## Hardware

The specifications of the hardware I received are the following:



The default wireless card is an Intel AX-200/201 compatible with Wi-Fi 6 and Bluetooth 5.2, but I received the blob-free card which was convenient for most operating systems as it doesn't need a firmware (works out of the box on Guix for instance).

There are options to remove the webcam or add a slider to it, a screen privacy filter or secure screws+tape for the packaging to be sure the laptop hasn't been intercepted during transit.

You can also choose the keyboard layout from a large list, or even have your own layout.

Kudos to NovaCustom for guaranteeing the sale of replacement parts for at least 7 years after you buy a laptop from them!  They also provide a PDF with full details about the internals.

### Hybrid CPU

This is my very first Hybrid CPU, it has 4 Performance cores capable of hyperthreading, and 8 Efficient cores that should draw less power at the expense of being slower.

I made a benchmark, only on Qubes OS, to compare the different cores to a Ryzen 5 5600X and my T470 i5-7300U.

=> https://openbenchmarking.org/result/2311253-NE-2311251NE63&hni=1&hlc=1&ppt=D Phoronix benchmark link
=> https://forum.qubes-os.org/t/hybrid-cpu-benchmarking-performance-when-pinning-to-specific-cores/22251 Qubes OS forum: Hybrid CPU benchmarking performance when pinning to specific cores

If your operating system doesn't know how to make use of E/P cores (Linux does, OpenBSD or FreeBSD don't), it will use them as if they were identical, so no worry here.  However, the performance and battery saving aren't optimized because the system won't balance the load at the right place.

TL;DR: the P cores compete with my desktop Ryzen 5 5600X! And the E cores are faster than the i5-7300U!  Linux and Xen (in Qubes OS) do a great job at balancing the workload at the right place, so you don't have to worry about pinning a specific task to a P or E core pool.

### Coil whine noise

I think this deserves an entry because it's a plague on many modern computers.  If you don't know about it, it's an electric noise that happens under certain conditions.  On my T470, it's when charging the battery.

I've been able to get some coil whine noise, only if I forced the CPU frequency to the maximum in the operating system, instead of letting the computer scale the frequency.  This resulted in no performance improvement and some coil whine noise.

In my daily "normal" use with Linux or Qubes OS, I never heard a coil whine.  But on OpenBSD, for which the frequency management is still not good with these modern CPUs (intel p-state support isn't great), there is a constant noise.  However, using obsdfreqd reduced the noise to almost nothing, but it still appeared a bit under CPU load.

There is a specific topic where coil whine on this laptop was discussed, a fix was provided by NovaCustom using heat pads (sent for free for their customers) placed at a specific place.  I don't think this should be required except if your operating system has a poor support for frequency scaling.

=> https://forum.qubes-os.org/t/otherss-who-bought-a-nv41-and-have-noise-issues/20436 Qubes OS forum: NV41 coil whine topic

### Screen

The screen coloring is excellent, which is expected as it covers 98% of the sRGB palette, it's really bright, and I rarely turn the brightness above 50%. I didn't try to use it outdoors, but the brightness at full level should allow reading the screen.

However, it has a noticeable ghosting which makes it annoying for playing video games (that's not really the purpose of this model though), or if you are really sensitive to it.  I'm used to a 144 Hz display on my desktop and I became really sensitive to refresh rate.  However, I have to admit the ghosting isn't really annoying for productivity work, development or browsing the web.  Watching a video is fine too.

One slightly annoying limitation is that it's not possible to open the screen more than a 140° angle, this sounds reasonable, but I got used to my T470 screen able to open at ~180°.  This is not a real issue, but if you have a weird setup in which you store your laptop vertically against your desktop AND with the screen opened, you won't be able to use the screen.

### Sound system

I've been surprised by the speakers, the audio quality is good up to ~80% of the max volume, but then the quality drops when you set it too high.

I have no way to measure it, but the speakers appear to be quite loud compared to my other laptops when set to 100%, I don't recommend doing it though due to quality drop, but it can be handy sometimes.

The headphones port works fine, there are no noises, and it's able to drive my DT 770 Pro 80 ohm.

I've been able to figure out an equalizer setting improving the audio to be pretty good (that's subjective). I'm absolutely not an audio expert, but it sounded a lot better for pop, rock, metal or piano.



The idea is to lower the trebles instead of pushing the bass, which quickly saturates.  Depending on what you listen to and your tastes, you could try +1 or +2 dB for the first four settings, but it may produce saturated sound.

### Cooling

I think the cooling system is one of the best parts of the laptop, it's always running at 10% of its speed and is inaudible.

=> static/review/laptop-under.jpg Laptop view from below

Under a huge load, the fan can be heard, but it's still less loud than my idling silent desktop...

There is a special key combination (Fn+1) that triggers the turbo fan mode, forcing them to run at 100%, it is recommended if the laptop is used to run at full CPU 24/7 or for a very long period of time, however, this is as loud as a 1U rack server! For a more comprehensive comparison, let's say it is as annoying as a microwave device.

I was surprised that the laptop never burned my knees, although under heavy load for 30 minutes it felt a bit too hot to keep it on my bare skin without fabric between, that's a genuine lap-top laptop, compatible with short skirts :D.

### Keyboard

The keyboard isn't bad, but not good either.  Typing on it is pleasant, but it's no match against my mechanical keyboards.  The touch is harder than on my Lenovo T470 laptop, I think it feels like most modern laptop keyboards.

Check the layout for the keys like "home", "end", "page up/down", on mine they are tiny keys near the arrows, this may not be to your taste.

Typing is quite silent, and there are 5 levels of backlight, I don't really like this feature, so I turned it off, but it's there if you like it.

There are NO indicators for the status of caps lock or num lock (neither for scroll lock, but do people really use it?), this can be annoying for some users.

### Touchpad

The touchpad may be a no-go for many, there are no extra physical buttons but you can physically click on the bottom area to make/hold a click.  It also features no trackpoint (the little joystick in the middle of the keyboard).

However, it has a large surface and can make use of multitouch clicks.  While I was annoyed at first because I was used to ThinkPad's extra physical buttons, over time I got used to multitouch click (click is different depending on the number of fingers used), or the "split-area" click, where a click in a bottom left does a left click, in the middle it does a middle click, and in the bottom right it does a right click.

It reacts well to movements and clicks and does the job, it's not the greatest touchpad I ever used, but it's good enough.

Unfortunately, it's not possible for NovaCustom to offer a variant touchpad featuring extra physical buttons.

### Suspend and Resume

The suspend/resume feature works as expected on Linux and Qubes OS.

Closing the lid correctly triggers the suspend function, opening it resumes the system.

### Webcam

Nothing special to say about it, it's like most laptop webcams, it has a narrow angle and the image quality is good enough to show your face during VoIP meetings.

### Battery life (short version)

I tested the battery using different operating systems (OpenBSD, Qubes OS, Fedora, Ubuntu) and different methods, there are more details later in the text, but long story short, you can expect the following:



### I/O ports

On the I/O, the laptop is well-equipped.  I appreciated seeing an Ethernet port on a modern laptop.

On the left side:



=> static/review/laptop-left.jpg Left side of the laptop

On the right side:



=> static/review/laptop-right.jpg Right side of the laptop

The rear of the laptop is fully used for the cooling system, and there is nothing on the front (hopefully! I hate connecting headphones on the front side).

=> static/review/laptop-rear.jpg Back of the laptop
=> static/review/laptop-front.jpg Front of the laptop

## Dasharo coreboot firmware

The laptop ships with the Dasharo coreboot firmware (that's the correct name for what we used to call the BIOS on today's devices), an open-source firmware that lets you manage your own Secure Boot keys and disable some Intel features like the "ME".

I guess their website will be a better place to understand what it's doing compared to a proprietary firmware.

=> https://www.dasharo.com/ Dasharo official website

## NovaCustom

NovaCustom is building laptops based on Clevo (a manufacturer doing high-end laptop frames, but they rarely sell directly) while ensuring compatibility with Linux systems, especially Qubes OS for this specific model as it's certified (it guarantees the laptop and all its features will work correctly).

They contribute to dasharo development for their own laptops.

They ship their products worldwide, and as I heard from some users, the customer support is quite reactive.

=> https://novacustom.com/ NovaCustom official website

# Operating system support

Now I shared about the hardware part, let's see how it behaves with many operating systems!

## Linux distributions

I guess most users will use a Linux system on this laptop, so let's start by testing some popular distributions:

### Fedora

=> https://fedoraproject.org/ Fedora project official website

=> static/review/fedora-fs8.png Screenshot of Fedora 39 running GNOME

Fedora Linux support (tested with Fedora 39) was excellent, GNOME worked fine.  The Wi-Fi network worked immediately even during the installer, Bluetooth was working as well with my few devices.  Changing the screen brightness from the GNOME panel was working.  However, after a Dasharo update, the keyboard slider in GNOME stopped working, it's a known bug that also affects System76 laptops if I've read correctly, this may be an issue with the Linux driver itself.

The touchpad was working on multitouch out of the box, suspending and resuming the laptop never produced any issue.

Enabling Secure Boot worked out of the box with Fedora, which is quite enjoyable.

### Ubuntu

=> https://ubuntu.com/ Ubuntu company official website

Ubuntu 23.10 support was excellent as well, it's absolutely identical to the Fedora report above.

Note: if you use VLC from the Snap store, it won't have hardware decoded acceleration and will use a lot of CPU (and draw battery, and waste watts for nothing), I guess it's an Ubuntu issue here.  VLC from Flatpak worked fine, as always.

### Alpine Linux

=> https://www.alpinelinux.org/ Alpine Linux project official website

Alpine Linux support (tested with Alpine 3.18.4) was excellent, I installed GNOME and everything worked out of the box.  The Atheros card worked without firmware (this is expected for a blob free device), CPU scheduling was correctly handled for Efficient/Performance cores as the provided kernel is quite recent.

The touchpad default behavior was to click left/right/middle depending on the number of fingers used to click, suspend and resume worked fine, playing video games was also easy thanks to flatpak and Steam.

It's possible to enable Secure Boot by generating your own keys.

=> https://wiki.alpinelinux.org/wiki/UEFI_Secure_Boot Alpine Linux wiki: UEFI Secure Boot

### Guix

=> https://guix.gnu.org/ Guix project official website

=> static/review/guix-fs8.png Screenshot of Guix running GNOME

Guix support is mixed.  I've been able to install it with no issue, thanks to the blob-free atheros network interface, it worked without having to use guix-nonfree repository (that contains firmware).

However, I was surprised to notice that the graphical acceleration wasn't working, it seems that Intel Xe GPUs aren't blob free.  This only means you can't play video games or that any kind of GPU related encoding/decoding won't work, but this didn't prevent GNOME from working fine.

Suspend and resume was OK, and the touchpad worked out-of-the-box in multi-tap mode.

Secure Boot didn't work, and I have no idea how a Secure Boot setup with your own keys would look like on Guix, but it's certainly achievable with enough Grub-foo.

### Trisquel

=> https://trisquel.info Trisquel GNU/Linux official project website

Trisquel is a 100% libre GNU/Linux distribution, this means it doesn't provide proprietary software or drivers, and no device firmware.

I've been able to install Trisquel and use it, the Wi-Fi was working out of the box because of the blob-free Atheros card.

The main components of the system: CPU / Memory / Storage were correctly detected, the default kernel isn't too old, and it was able to make use of the Efficient/Performance core of the CPU.

When not using the laptop, I was able to suspend it to reduce the battery usage, and then resume instantly the session when I needed, this worked flawlessly.

The touchpad was working great using the "3 zones" mode in which you tap on the touchpad in the left/center/right bottom of it to make a left/middle/right click, this is actually as convenient as using 1, 2 or 3 fingers depending on the click you want to make, this is something that could be configured though.

Sound was working out of the box, the audio jack is also working fine when plugging in headphones.

There is one issue with the webcam: when trying to use it, X crashes instantly.  This may be an issue in the Trisquel software stack because it works fine on other OS.

A major issue right now is the lack of graphical hardware acceleration, I'm not sure if it's due to the i7-1260P integrated GPU needing a proprietary firmware or if the linux-libre kernel hasn't caught up with this GPU yet.

## Qubes OS

=> https://www.qubes-os.org Qubes OS project official website

=> static/review/qubes-os.png Qubes OS 4.2 desktop screenshot

Qubes OS support (tested with 4.1, 4.2-RC2 to RC5 and 4.2) is excellent, this is exactly what I expected for a Qubes OS certified laptop (the only modern and powerful certified laptop as of January 2024!).

=> https://www.qubes-os.org/doc/certified-hardware/#hardware-certification-requirements Qubes OS documentation: Hardware certification requirements

Qubes OS is my main OS as I use it for writing this blog, for work (freelancer with different clients) and general use except gaming, so I needed a reliable system that would be fast, with a pretty good battery life.

So far, I never experienced issues except one related to the Atheros Wi-Fi card (this is not the stock Wi-Fi device): 1 time out of 10 when I suspend and resume, the card is missing and I need to restart the qube sys-net to get it back.  I didn't try with the latest Dasharo update though, it may be solved.

Watching 1080p videos encoded in x265 10 bits is smooth and only draws ~40% of a CPU, without any kind of GPU accelerated decoding.

The battery life when using the system to write emails, browse the Internet and watch some videos was 3 hours; if I only work in LibreOffice offline, it lasts 5h30.

I'm able to have smooth videoconferences with the integrated webcam and a USB headset, this kind of task may be the most CPU-consuming common job Qubes OS needs to handle, and it worked well.

The 64 GB of memory are very appreciated, I "only" have 32 GB on my desktop computer, but sometimes it lacks memory...  64 GB means never having to think about memory again.

The touchpad is working fine, by default on the split-area behavior (left/middle/right click depending on the touchpad area you click on).

There is a single USB controller that drives the webcam and card reader plus the USB ports, including a USB-C dock connected to either the Thunderbolt or USB-C port.  The Thunderbolt device is on a separate controller, but if you attach it to a qube (that is not sys-usb), you lose all USB connectivity from a dock connected to it (there is still the other plain USB-C port).  The qube sys-usb isn't even required to run if you don't use any USB devices (this saves many headaches).

Connecting a USB-C dock to the Thunderbolt port allows USB passthrough with sys-usb, an additional Ethernet port and an external screen with sound, and it's also capable of charging the computer.  Whereas the simple USB-C port can only carry USB devices or the integrated Ethernet port of my dock; it should be able to support a screen but I guess it's not working on Qubes OS.  I didn't try adding more than one screen on either port, I guess it should work on the Thunderbolt port.

## BSD systems

I tried OpenBSD and FreeBSD on the laptop.  I always have bad luck with NetBSD, so I preferred not to try it, and DragonFly BSD support should be pretty close to FreeBSD's, for which it didn't work well.

### OpenBSD

=> https://www.openbsd.org OpenBSD project official website

=> static/review/openbsd-fs8.png Screenshot of the OpenBSD 7.4 desktop using GNOME

I tried OpenBSD 7.4 and -current, everything went really well except for the Atheros Wi-Fi card, which isn't supported, but this was to be expected.  If you want the NV41 with OpenBSD, you need to take the Intel AX-200/201 which is supported by the iwx driver.

=> https://man.openbsd.org/iwx OpenBSD manual page: iwx(4)

Suspend and resume works fine, the touchpad is using the "3 zones" behavior by default where you need to tap left/center/right bottom to make a left/middle/right click.  The webcam and sound card were working fine too.

The GPU is fully supported, you can use it for 3D rendering: I've been able to play a PSP game using the PPSSPP emulator.  OpenBSD doesn't support hardware accelerated video encoding/decoding at all, so I didn't test it.

=> static/review/ppsspp-fs8.png WipeOut Pulse emulated in the PSP emulator PPSSPP

### FreeBSD

=> https://www.freebsd.org FreeBSD project official website

I installed FreeBSD 14.0 RC4 with ZFS on root and full disk encryption, the process went fine, and I had Wi-Fi at the installer step (thanks to the blob-free Atheros card).

However, once I booted into the system, I didn't manage to get X to run, the GPU isn't supported yet and using the VESA display didn't work for me.  Suspend and resume didn't work either.

I gave another try with GhostBSD 23.10.1 in the hope that I had done something wrong on FreeBSD 14 RC4, like a misconfiguration, as I never had any good experience setting up FreeBSD on a desktop.  But GhostBSD failed to start X and kept displaying its logo on screen, only booting in safe mode allowed me to figure out what was wrong.

I was really surprised that the hardware is still "too new" for FreeBSD while OpenBSD support is almost excellent.

## Other

Some less known operating systems were tested as well.

### Haiku

=> https://www.haiku-os.org/ Haiku project official website

=> static/review/haiku.jpg Photography of the laptop running Haiku (live USB)

I booted Haiku revision 57370 live USB, I was actually surprised to have the desktop displayed, and the network interfaces recognized.

Unfortunately, while the Atheros card was recognized, I haven't been able to connect to a scanned network.

The display was using the correct resolution, but it was using software rendering.

The webcam and the touchpad didn't work, I had to connect my USB trackball.

I didn't go as far as installing it.

### OpenIndiana

I tried the freshly released OpenIndiana Hipster 2023.10 liveUSB.

After letting the bootloader display and start the boot process, the init process seemed stuck and was printing errors about CPU every minute.  I haven't been able to get past this step.

# Measurements

I had fun measuring a lot of things like power usage at the outlet, battery duration with many workloads and gaming FPS (frames per second; 30 is okayish depending on people, 40 is acceptable, 60 is perfect as it's the refresh rate of the screen).

## Power

I measured the power usage in watts using a watt-o-meter in different situations:



This is actually good in my opinion; as a comparison point, a standard 24-inch screen alone usually draws around 40 watts.

The power consumption of the laptop itself is within the range of other laptops.  I was happy to see it uses no power when the AC adapter is plugged in but not connected to the computer, and when idling it's only 1 watt, I have another laptop idling at 7 watts!

## Battery life

I measured the battery life using different methods and sometimes multiple times to verify if it was reliable.

### Linux

One method was to play a 2160p x265 10 bits encoded video using VLC, 1h39 long, at full brightness and with no network.



The other method was to play the video game "Risk of Rain Returns" with a USB PS5 controller, and at full brightness, for a given duration (measured at 20 25 minutes).



### OpenBSD

I played a PSP game for 25 minutes using PPSSPP in full screen at full brightness.



## Gaming performance

I did play a bit on the laptop on Linux using Steam on Flatpak.  I tested it on Fedora 39, Ubuntu 23.10 and Alpine Linux 3.18.3, results were identical.

A big surprise while playing was that the fans remained almost silent, they were spinning faster than usual of course, but that didn't require me to increase the moderate volume I used during my gaming session.



=> static/review/bg3.jpg Baldur's Gate 3 (2023)



=> static/review/cs2.jpg Counter Strike 2



=> static/review/rorr-fs8.png Risk of Rain returns



=> static/review/ror2.jpg Risk of Rain 2



I didn't try using an external GPU on the thunderbolt port, but you can expect way better performance as the games were never CPU bound.

# Conclusion

I'm glad I dared to ask NovaCustom about this partnership around the NV41, this is exactly the laptop I needed.  It's reliable, has no weird features, is almost fully open source (at least for the software stack?), very powerful, and I can buy replacement parts for at least 7 years if I break something.  It's also SILENT, I despise laptops with high-pitched fan noise.

I still have to play with Dasharo coreboot, I'm really new to this open-source firmware world, so I have to learn before trying weird and dangerous things (I would like to try Heads for its anti-evil-maid features, it should be possible to install it on Dasharo systems "soon").

Writing this blog post was extremely hard, I had to stay mindful that this must be an HONEST and NEUTRAL review: writing about a product you are happy with leads to moments of excitement and one may forget to share some little annoyance because it's "not _that_ bad", but I did my best to stay neutral when writing.  And this is the agreement I had with NovaCustom.

Honesty is an important value to me.  You, dear readers, certainly trust me to some point, I don't want to lose your trust.
</pre>
    ]]>
  </description>
  <guid>gemini://perso.pw/blog//articles/laptop-review-novacustom-nv41.gmi</guid>
  <link>gemini://perso.pw/blog//articles/laptop-review-novacustom-nv41.gmi</link>
  <pubDate>Wed, 03 Jan 2024 00:00:00 GMT</pubDate>
</item>
<item>
  <title>OpenBSD workstation hardening</title>
  <description>
    <![CDATA[
<pre># Introduction

I wanted to share a list of hardening changes you can make on your OpenBSD workstation, explaining the threat model of each change.

=> https://www.openbsd.org OpenBSD official project website

Feel free to pick any tweak you find useful for your use-case, many are certainly overkill for most people, but depending on the context, these changes could make sense for others.

# User configuration

There are some tweaks that can be done to the configuration of a user to improve security.

## The Least privileges

In order to prevent a program from escalating privileges, remove yourself from the wheel group, and don't set any doas or sudo permission.

If you need root privileges, switch to a TTY and log in as root.

## Multiple-factor authentication

In some cases, it may be desirable to have multiple-factor authentication, this means that in order to log in to your system, you would need a TOTP generator (typically a phone app, or a password manager such as KeePassXC) in addition to your regular password.

This would protect against people nearby who may be able to guess your system password.

I already wrote a guide explaining how to add TOTP to an OpenBSD login.

=> https://dataswamp.org/~solene/2021-02-06-openbsd-2fa.html Blog post: Multi-factor authentication on OpenBSD

## Home directory permission

The permissions of the user directory should be 700, so only the owner and root can browse it.

Ideally, you should add `umask 077` to your user environment, so every new directory or file permissions will be restricted to your user only.

# Firewall

There are some interesting policies to configure with the help of OpenBSD firewall Packet Filter.

## Block inbound

By default, it's good practice to block all incoming traffic except the responses to established sessions (so servers can reply to your requests).  This protects against someone on your local network / VPN accessing network services that would be listening on the network interfaces.

In `/etc/pf.conf` you would have to replace the default:

```
block return
pass
```

By the following:

```
block all
pass out inet
# allow ICMP because it's useful
pass in proto icmp
```


Then, reload with `pfctl -f /etc/pf.conf`.  If you ever need to allow a port on the network, add the corresponding rule to the file.

## Filter outbound

It may be useful and effective to block outbound traffic, but this only works effectively if you know exactly what you need, because you will have to allow hosts and remote ports manually.

It would protect against a program trying to exfiltrate data using a non-allowed port/host.

# Disabling network for the desktop user

Disabling network by default is an important mitigation in my opinion.  This will protect against any program you run that tries to act rogue: if it can't figure out there is a proxy, it won't be able to connect to the Internet.

This could also save you from mistaken commands that would pull stuff from the network, like pip, npm and co.  I think it's always great to have tight control on which programs should do networking and which shouldn't.  On Linux this is actually easy to do, but on OpenBSD we can't restrict a single program, so a proxy is the only solution.

This can be done by creating a new user named `_proxy` (or whatever name you prefer) using `useradd -s /sbin/nologin -m _proxy` and adding your SSH key to its authorized_keys file.

Add this rule at the end of your file `/etc/pf.conf` and then reload with `pfctl -f /etc/pf.conf`:

```
block return out proto {tcp udp} user solene
```


Now, if you want to allow a program to use the network, you need to:



### Some network fixes

Most programs will react to a proxy configured in a variable named `http_proxy`, `https_proxy` or `all_proxy`, however it's not a good idea to globally define these variables for your user, as it would make it a lot easier for a program to use the proxy automatically, which defeats the purpose of this proxy.

#### SSH

By default, you won't be able to ssh to anything except a local user, so we need to proxy every remote SSH connection through the local _proxy user.

In `~/.ssh/config`:

```
Host localhost
    User _proxy
    ControlMaster auto
    ControlPath ~/.ssh/%h%p%r.sock
    ControlPersist 60

Host *.*
    ProxyJump localhost
```


#### Chromium

If you didn't configure the GNOME proxy settings, Chromium / Ungoogled Chromium won't use a proxy, unless you add the command line parameter `--proxy-server=socks5://localhost:10000`.

I tried to manually modify the dconf database where the "GNOME" settings are stored to configure the proxy, but I didn't get it to work (it used to work for me, but I can't make it work anymore).

#### Syncthing

If you use syncthing, you need to proxy all its traffic through the SSH tunnel. This is done by setting the environment variable `all_proxy=socks5://localhost:10000` in the program environment.
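Putting the pieces of this section together, here is an added example (not from the original post) of a small wrapper that starts the SOCKS tunnel to the `_proxy` user on demand and hands the proxy variables to a single program only, so they never end up in the desktop user's global environment.  It assumes the tunnel is an SSH dynamic forward (`ssh -D`) listening on localhost port 10000, the port used by the Chromium and Syncthing settings above; the function and file names are mine.

```sh
#!/bin/sh
# Added example, not from the original post: run one program through the
# SSH SOCKS tunnel of the network-only "_proxy" user described above.
# Assumptions: the proxy user is "_proxy", the SOCKS tunnel listens on
# localhost:10000 (the port the Chromium and Syncthing settings use),
# and only the launched program's environment receives the proxy variables,
# so nothing else on the desktop finds the proxy by accident.
PROXY_USER="${PROXY_USER:-_proxy}"
PROXY_PORT="${PROXY_PORT:-10000}"

# The socks5:// URL that proxy-aware programs understand.
proxy_url() {
    printf 'socks5://localhost:%s\n' "$PROXY_PORT"
}

# Print the environment assignments for one program, one per line.
# Lowercase names only, matching the post's examples.
proxy_env_args() {
    url=$(proxy_url)
    printf '%s\n' "all_proxy=$url" "http_proxy=$url" "https_proxy=$url"
}

# True when something already listens on the SOCKS port.  netstat is in
# OpenBSD base and prints the local address as 127.0.0.1.10000.
tunnel_up() {
    netstat -an -f inet | grep -q "127\.0\.0\.1\.${PROXY_PORT} .*LISTEN"
}

# Start the background SOCKS tunnel as _proxy unless it's already running.
# ExitOnForwardFailure makes ssh fail loudly if the port is already taken.
tunnel_start() {
    tunnel_up && return 0
    ssh -f -N -o ExitOnForwardFailure=yes -D "$PROXY_PORT" \
        "${PROXY_USER}@localhost"
}

# Run "$@" with the proxy variables set for that process only.
run_via_proxy() {
    [ $# -ge 1 ] || { echo "usage: run_via_proxy program [args]" >&2; return 2; }
    tunnel_start || { echo "SOCKS tunnel on port ${PROXY_PORT} not available" >&2; return 1; }
    # the assignments contain no spaces, so word splitting is safe here
    env $(proxy_env_args) "$@"
}

# Command line use: ./netproxy.sh chromium   (no-op when sourced without arguments)
if [ $# -ge 1 ]; then
    run_via_proxy "$@"
fi
```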

# Live in a temporary file-system

It's possible to have most of your home directory be a temporary file system living in memory, with a few directories being persistent.

This change would prevent anyone from using temporary files or cache left over from a previous session.

The most efficient method to achieve this is to use the program home-impermanence that I wrote for this use case, it handles a list of files/directories that should be persistent.

=> https://dataswamp.org/~solene/2022-03-15-openbsd-impermanence.html Blog post: Reproducible clean $HOME on OpenBSD using impermanence

If you only want to start fresh using a template (that doesn't evolve on use), you can check the flag `-P` of `mount_mfs` which allows populating the fresh memory based file system using an existing directory.

=> https://man.openbsd.org/mount_mfs OpenBSD man page: mount_mfs(8)

# Disable webcam and microphone

Good news!  I take the opportunity here to remind you that OpenBSD disables by default video and audio recording on the various capable devices; instead, they will appear to work but record an empty stream of data.

They can be manually enabled by setting the sysctls `kern.audio.record` or `kern.video.record` to 1 when you need to use them.

Some laptop manufacturers offer a physical switch to disable the microphone and webcam, so you can be confident about their state (Framework).  Other manufacturers also allow ordering without any webcam and microphone (NovaCustom, Nitropad).  Finally, open source firmware like Coreboot can offer a BIOS setting to disable these peripherals, which should be trustworthy in my opinion.

# Disabling USB ports

If you need to protect your system from malicious USB devices (usually in an office environment), you should disable them in the BIOS/Firmware if possible.

If it's not possible, then you can still disable the kernel drivers at boot time using the following method.

Create the file `/etc/bsd.re-config` and add this content to it:

```
disable usb
disable xhci
```


This will disable support for the USB 3 and 2 controllers.  On a desktop computer, you may want to use PS/2 peripherals in these conditions.

# System-wide services

## Clamav antivirus

While this one may make you smile, if there is a chance it saves you once, I think it's still a valuable addition to any kind of hardening.  A downloaded attachment from an email, or a rogue JPG file, could still harm your system.

OpenBSD ships a fully working clamav service, don't forget to enable freshclam, the virus database updater.

## Auto-update

I already covered it in a previous article about anacron, but in my opinion, auto-updating the packages and base system daily on a computer is the minimum that should be done everywhere.

=> https://dataswamp.org/~solene/2023-06-28-anacron.html#_Useful_examples Anacron: useful OpenBSD examples

# System configuration

## Memory allocation hardening

The OpenBSD malloc system allows you to enable some extra checks, like use-after-free detection, heap overflow detection or guard pages, and they can all be enabled at once.  This is really efficient for security as most security exploits rely on memory management issues, BUT it may break software that has memory management issues (there is a lot of it).  Using this mode will also impact performance negatively, as the system needs to do more checks for each piece of allocated memory.

In order to enable it, add this to `/etc/sysctl.conf`:

```
vm.malloc_conf=S
```


It can be immediately enabled with `sysctl vm.malloc_conf=S`, and disabled by setting an empty value with `sysctl vm.malloc_conf=""`.

The programs `ssh` and `sshd` always run with this flag enabled, even if it's disabled system-wide.

# Some ideas to go further

## Specialized proxies

It would be possible to have different proxy users, each restricted to the remote ports it's allowed to reach, we could imagine proxies like:



Of course, this is even more tedious than the multipurpose proxy, but at least it's harder for a program to guess which proxy to use, especially if you don't connect them all at once.

## Run process using dedicated users

I wrote a bit about this in the past: for command line programs, running them as dedicated local users over SSH makes sense, as long as it's still practical.

=> https://dataswamp.org/~solene/2019-11-12-dedicated-users-processes.html Dedicated users to run processes

But if you need to run graphical programs, this becomes tricky.  Using `ssh -Y` gives the remote program full access to your display server, which has access to everything else running, not great...  You could still rely on `ssh -X`, which enables the X11 Security extension, but you have to trust the implementation, and it comes with issues like no shared clipboard, poor performance and programs crashing when attempting to access a legit resource that is blocked by the security protocol...

In my opinion, the best way to achieve isolation for graphical programs would be to run a dedicated VNC server as the local user, and connect to it from your own user.  This should be better than running on your own X locally.

## Encrypted home with USB unlocking

In a setup where the computer is used by multiple persons, system encryption may be tedious because everyone has to remember the main passphrase, and you have no guarantee no one will write it down on a post-it...  In that case, it may be better to have a personal encrypted volume for each user.

I don't have an implementation yet, but I have a nice idea.  Adding a volume for a user would look like the following:



This way, you only need to have your USB memory stick plugged in when the system is booting, and it should automatically unlock and mount your personal encrypted volume.  Note that if you want to switch user, you would have to reboot to unlock their drive if you don't want to mess with the command line.

# Conclusion

It's always possible to harden a system more and more, but the balance between real world security and actual usability should always be studied.

No one will use an over-hardened system if they can't work on it efficiently; on the other hand, users expect their system to protect them against the most common threats.

Depending on one's environment and threat model, it's important to configure the system accordingly.
</pre>
    ]]>
  </description>
  <guid>gemini://perso.pw/blog//articles/hardened-openbsd-workstation.gmi</guid>
  <link>gemini://perso.pw/blog//articles/hardened-openbsd-workstation.gmi</link>
  <pubDate>Tue, 02 Jan 2024 00:00:00 GMT</pubDate>
</item>
<item>
  <title>Qubes OS backup transfer from old to new computer</title>
  <description>
    <![CDATA[
<pre># Introduction

With the recent release of Qubes OS 4.2, I took the opportunity to migrate to a newer laptop (from a Thinkpad T470 to a NovaCustom NV41) so I had to backup all the qubes from the T470 and restore them on the NV41.

The fastest way to proceed is to create the backups on the new laptop directly from the old one, which is quite complicated to achieve due to Qubes OS compartmentalization.

In this guide, I'll share how I created a qube with a network file server to allow one laptop to send the backups to the new laptop.

=> https://qubes-os.org Qubes OS official project website

Of course, this whole process could be avoided by using a NAS or external storage, but they are in my opinion slower than directly transferring the files to the new machine, and you may not want to leave any trace of your backups.

# Explanation about the setup

As the new laptop has a very fast NVMe disk, I thought it would be nice to use it for saving the backups, as it offloads a bit of disk activity from the one doing the backups, and it shouldn't be slowed down during the restore process even if it has to write and read the backups at the same time.

The setup consists of creating a dedicated qube on the new laptop offering an NFS v4 share, setting up the routing at the different levels, and mounting this share in a qube on the old laptop, so the backup can be saved there.

I used a direct Ethernet connection between the two computers as it means I don't have to think much about NFS security.

# Preparing the backup receiver

## Storage qube configuration

On the new laptop, create a standalone qube with the name of your choice (I'll refer to it as `nfs`), the following commands have been tested with the fedora-38-xfce template.  Make sure to give it enough storage space for the backup.

First we need to configure the NFS server, starting with installing the related package:

```
$ sudo dnf install nfs-utils
```


After this, edit the file `/etc/exports` to export the path `/home/user/backup` to other computers, using the following content:

```
/home/user/backup *(rw,sync)
```


Create the directory we want to export, and make `user` the owner of it:

```
install -d -o user /home/user/backup
```


Now, enable the NFS server at boot time and start it right away:

```
systemctl enable --now nfs-server
```


You can verify the service started successfully by using the command `systemctl status nfs-server`.

You can check that the different components of the NFS server are running correctly: if the following two commands produce output, it means it's working:



Allow the NFS server at the firewall level, run the following commands AND add them at the end of `/rw/config/rc.local`:

```
nft add rule qubes custom-input tcp dport 2049 accept
nft add rule qubes custom-input udp dport 111 accept
```


## Route the service from the physical LAN

Now the service is running within the qube, we need to allow the remote computer to reach it, by default the network should look like this:

```
                            +------------------------------------------------+
+--------+                  | DESTINATION SYSTEM                             |
| SOURCE |     ethernet     |  +---------+     +--------------+     +-----+  |
| SYSTEM | <--------------> |  | sys-net | --> | sys-firewall | --> | nfs |  |
+--------+                  |  +---------+     +--------------+     +-----+  |
                            +------------------------------------------------+
```

We will make sys-net NAT the UDP port 111 and TCP port 2049 to sys-firewall, which will NAT them to the nfs qube, which already accepts connections on those ports.


### sys-net routing

Write the following script inside the `sys-net` qube of the destination system, make sure to update the value of the variable `DESTINATION` with `sys-firewall`'s IP address, it can be found by looking at the qube settings.

```
#!/bin/sh
# forward the NFS ports from the physical LAN to the next hop (sys-firewall)
PORT=111
DESTINATION=10.138.31.246

# the "qubes" table has no nat chain by default, create it once
if ! nft -nn list table ip qubes | grep "chain nat {" ; then
    nft add chain qubes nat { type nat hook prerouting priority dstnat\; }
fi

# portmapper (UDP 111)
nft add rule qubes custom-input udp dport "${PORT}" accept
nft add rule qubes custom-forward udp dport "${PORT}" accept
nft add rule qubes nat iifname != "vif*" udp dport "${PORT}" dnat "${DESTINATION}"

# NFSv4 (TCP 2049)
PORT=2049
nft add rule qubes custom-input tcp dport "${PORT}" accept
nft add rule qubes custom-forward tcp dport "${PORT}" accept
nft add rule qubes nat iifname != "vif*" tcp dport "${PORT}" dnat "${DESTINATION}"
```


Make the script executable by running `chmod +x` on the script file.  You will execute it later once the network is safe.

### sys-firewall routing

Write the following script inside the `sys-firewall` qube of the destination system, make sure to update the value of the variable `DESTINATION` with `nfs`'s IP address, it can be found by looking at the qube settings.

```
#!/bin/sh
# forward the NFS ports from sys-net to the next hop (the nfs qube)
PORT=111
DESTINATION=10.137.0.10

# the "qubes" table has no nat chain by default, create it once
if ! nft -nn list table ip qubes | grep "chain nat {" ; then
    nft add chain qubes nat { type nat hook prerouting priority dstnat\; }
fi

# portmapper (UDP 111)
nft add rule qubes custom-input udp dport "${PORT}" accept
nft add rule qubes custom-forward udp dport "${PORT}" accept
nft add rule qubes nat iifname != "vif*" udp dport "${PORT}" dnat "${DESTINATION}"

# NFSv4 (TCP 2049)
PORT=2049
nft add rule qubes custom-input tcp dport "${PORT}" accept
nft add rule qubes custom-forward tcp dport "${PORT}" accept
nft add rule qubes nat iifname != "vif*" tcp dport "${PORT}" dnat "${DESTINATION}"
```


Make the script executable by running `chmod +x` on the script file.  You will execute it later once the network is safe.
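The two scripts above differ only in the destination address, so here is an added example (not from the original post) that folds them into one script: it takes the next-hop address as an argument, checks it is a dotted-quad IPv4 address, and can optionally restrict the accepted and forwarded packets to the source laptop's address (the post's `192.168.0.2`), a cheap extra guard on a direct cable link.  The script name, the source filter and the `is_ipv4` check are mine; the ports and the nft rule shapes are the ones from the post.

```sh
#!/bin/sh
# Added example, not from the original post: one script for both sys-net and
# sys-firewall.  Usage: ./nfs-forward.sh DESTINATION_IP [SOURCE_IP]
#   DESTINATION_IP: next hop (sys-firewall's IP when run in sys-net,
#                   the nfs qube's IP when run in sys-firewall)
#   SOURCE_IP:      optional, the old laptop's address; when given, only
#                   packets from that host are accepted and forwarded.
# Assumed ports (from the post): 111/udp (portmapper) and 2049/tcp (NFSv4).

# Return 0 when $1 is a dotted-quad IPv4 address with octets in 0..255.
# Runs in a subshell so changing IFS doesn't leak to the caller.
is_ipv4() (
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
)

# Print the three nft commands for one protocol/port pair.
# $1 = udp|tcp, $2 = port, $3 = destination, $4 = optional source filter
rules_for_port() {
    proto=$1; port=$2; dest=$3; src=${4:-}
    match=''
    if [ -n "$src" ]; then
        match="ip saddr $src "
    fi
    printf 'nft add rule qubes custom-input %s%s dport %s accept\n' "$match" "$proto" "$port"
    printf 'nft add rule qubes custom-forward %s%s dport %s accept\n' "$match" "$proto" "$port"
    printf 'nft add rule qubes nat iifname != "vif*" %s%s dport %s dnat %s\n' \
        "$match" "$proto" "$port" "$dest"
}

# Print every command needed: the nat chain (absent by default in the
# "qubes" table) plus the rules for both NFS ports.  Fails on bad input
# before printing anything, so nothing half-applied reaches nft.
nfs_forward_rules() {
    dest=$1; src=${2:-}
    is_ipv4 "$dest" || { echo "bad destination address: $dest" >&2; return 1; }
    if [ -n "$src" ] && ! is_ipv4 "$src"; then
        echo "bad source address: $src" >&2
        return 1
    fi
    echo 'if ! nft -nn list table ip qubes | grep -q "chain nat {"; then nft add chain qubes nat { type nat hook prerouting priority dstnat\; }; fi'
    rules_for_port udp 111 "$dest" "$src"
    rules_for_port tcp 2049 "$dest" "$src"
}

# Only apply when run with arguments; sourcing the file is side-effect free.
if [ $# -ge 1 ]; then
    nfs_forward_rules "$@" | sh -e
fi
```

Run it without piping into `sh` first (call `nfs_forward_rules` from an interactive shell after sourcing the file) to review the generated commands before they touch the qube's ruleset.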

# Backup process

On the source system, we need to have a running qube that will mount the remote NFS share, this can be a disposable qube, an AppVM qube with temporary changes, a standalone, etc.

## Mounting qube

On the mounting qube, run the following command to install the NFS tools we need:

```
dnf install nfs-utils
```


## Configure both systems network

In this step, you need to configure the network with the direct Ethernet cable, so the two systems can talk to each other; please disconnect from any Wi-Fi connection as you didn't set up any security for the file transfer (it's encrypted, but still).

You can choose any address as long as the two hosts are in the same subnet, an easy pick could be `192.168.0.2` for the source system, and `192.168.0.3` for the new system.

Now, both systems should be able to ping each other, it's time to execute the scripts in `sys-firewall` and `sys-net` to enable the routing.

On the "mounting" qube, run the following command as root to mount the remote file system:

```
mount.nfs4 192.168.0.3:/home/user/backup /mnt
```


You can verify it worked if the output of `df` shows a line starting with `192.168.0.3:/home/user/backup`, and you can ensure your user can actually write to this remote directory by running `touch /mnt/test` as the regular user `user`.

Now, we can start the backup tool to send the backup to the remote storage.

## Run the backup

In the source system dom0, run the Qubes OS backup tool, choose the qubes you want to transfer, uncheck "Compress backups" (except if you are tight on storage for the new system) and click on "Next".

In the field "Target qube", select the "mounting qube" and set the path to `/mnt/`, choose an encryption passphrase and run the backup.

If everything goes well, you should see a new file named `qubes-backup-YYYY-MM-DDThhmmss` in the directory `/home/user/backup/` of the `nfs` qube.

## Restore the backups

In the destination system dom0, you can run the Restore backup tool to restore all the qubes; if the old `sys-net` and `sys-firewall` have any value, you may want to delete yours first, otherwise the restored ones will be renamed.

## How to restore dom0 $home

When you backup and restore dom0, only the directory `/home/` is part of the backup, so it's only about the desktop settings themselves and not the Qubes OS system configuration.  I actually use versioned files in the salt directories to have reproducible Qubes OS machines because the backups aren't enough.

=> https://dataswamp.org/~solene/2023-06-17-qubes-os-git-bundle.html Blog post: Using git bundle to synchronize a repository between Qubes OS dom0 and an AppVM
=> https://dataswamp.org/~solene/2023-06-04-qubes-os-version-control-dom0.html Blog post: Qubes OS dom0 files workflow using fossil

When you restore dom0, it creates a directory `/home/solene/home-restore-YYYY-MM-DDThhmmss` on the new dom0 that contains the previous `/home/` directory.

Restoring this directory verbatim requires some clever trick as you should not be logged in during the operation!



Your desktop environment should be like you left it during the backup.  If you used some specific packages or desktop environment, make sure you also install the corresponding packages in the new dom0.

# Cleaning up

After you restored your backups, you can remove the scripts in `sys-firewall` and `sys-net` and even delete the nfs qube.

# Conclusion

Moving my backup from the old system to the new one was pretty straightforward once the NFS server was established, I was able to quickly have a new working computer that looked identical to the previous one, ready to be used.
</pre>
    ]]>
  </description>
  <guid>gemini://perso.pw/blog//articles/qubes-os-migrate-vm-between-computers.gmi</guid>
  <link>gemini://perso.pw/blog//articles/qubes-os-migrate-vm-between-computers.gmi</link>
  <pubDate>Wed, 27 Dec 2023 00:00:00 GMT</pubDate>
</item>
<item>
  <title>OpenBSD in a CI environment with sourcehut</title>
  <description>
    <![CDATA[
<pre># Introduction

If you ever required continuous integration pipelines to do some actions in an OpenBSD environment, you certainly noticed that most Git forges don't provide OpenBSD as a host environment for the CI.

It turns out that sourcehut is offering many environments, and OpenBSD is one among them, but you can also find Guix, NixOS, NetBSD, FreeBSD or even 9front!

Let's see how this works.

=> https://sourcehut.org/ sourcehut official website
=> https://man.sr.ht/builds.sr.ht/compatibility.md sourcehut: Documentation about host systems offering in CI

Note that the CI is only available to paid accounts, the minimal fee is "$2/month or $20/year".  There are no tiers, so as long as you pay something you have a paid account.  As sourcehut offers a clutter-free web interface and develops an open source product that is also capable of running OpenBSD in a CI environment, I decided to support them (I really rarely subscribe to any kind of service).

PS: sourcehut supports Mercurial projects too.

# The CI

Upon each CI trigger, a new VM is created; it's possible to define the operating system and version you want for the environment, and then what to do in it.

The CI runs when your project has a "manifest" file at the path `.build.yml` at its root, it contains all the information about what to do.

=> https://man.sr.ht/builds.sr.ht/ sourcehut: Documentation about manifests and builds

# Secret management

When you run code in a CI, you often need secrets, and most often you require SSH keys if you want to push artefacts.

SSH key secrets are handled specially: if sourcehut recognizes a secret as a private SSH key, it automatically installs it in the right place.

=> https://man.sr.ht/builds.sr.ht/#secrets sourcehut: Documentation about secrets in CI

# Example

Here is a simple example of a manifest file I use to build a website with the static generator hugo, and then push the result to a remote server.

```
image: openbsd/latest
packages:
  - hugo--
  - rsync--
secrets:
  - f20c67ec-64c2-46a2-a308-6ad929c5d2e7
sources:
  - git@git.sr.ht:~solene/my-project
tasks:
  - init: |
      cd my-project
      git clone https://github.com/adityatelange/hugo-PaperMod themes/PaperMod --depth=1
  - build: |
      cd my-project
      echo 'web.perso.pw ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKRj0NK7ZPMQgkgqw8V4JUcoT4GP6CIS2kjutB6xdR1P' | tee -a ~/.ssh/known_hosts
      make
```

On the example above, we can notice different parts:



If you use SSH, don't forget to either use `ssh-keyscan` to generate the content of `~/.ssh/known_hosts`, or add the known host key by hand as I do, which then needs an update whenever the server's SSH host key changes.

A cool thing is that when your CI job fails, the environment keeps living for at least 10 minutes and offers SSH access for debugging purposes.

=> https://man.sr.ht/builds.sr.ht/build-ssh.md sourcehut: Documentation about SSH into build environments
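
Pinning a host key by hand, as the manifest above does, only protects the push if the pasted line is intact and really describes the host you think it does.  As an added example, written for this post and not part of sourcehut or of the original article, here is a small Python check that parses a plain known_hosts entry, verifies that the base64 blob contains the declared key type with a 32-byte Ed25519 key, and computes the SHA256 fingerprint in the same "SHA256:<unpadded base64>" form that `ssh-keygen -lf` prints, so it can be compared with the fingerprint the server operator published before the line is committed to the manifest.  It parses the line from the manifest; hashed (`|1|`) entries and `@marker` lines are out of scope.

```python
"""Sanity-check a known_hosts line before pinning it in a CI manifest."""
import base64
import binascii
import hashlib
import struct

# The entry from the manifest above (taken from the post).
KNOWN_HOSTS_LINE = (
    "web.perso.pw ssh-ed25519 "
    "AAAAC3NzaC1lZDI1NTE5AAAAIKRj0NK7ZPMQgkgqw8V4JUcoT4GP6CIS2kjutB6xdR1P"
)

# Raw public key size in bytes for the key types this check knows about.
EXPECTED_KEY_LEN = {"ssh-ed25519": 32}


def _read_string(blob, offset):
    """Read one SSH wire-format string: big-endian uint32 length, then that many bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length prefix")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated string body")
    return blob[start:end], end


def parse_known_hosts_line(line):
    """Validate a plain (unhashed) known_hosts entry.

    Returns (hostnames, key type, SHA256 fingerprint).  The fingerprint uses the
    "SHA256:<unpadded base64>" form printed by ssh-keygen -lf, so it can be compared
    with what the server operator published.
    """
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("expected: hostnames keytype base64key [comment]")
    hosts, keytype, b64 = fields[0], fields[1], fields[2]
    try:
        blob = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"key blob is not valid base64: {exc}") from None
    # The blob starts with the key type; it must agree with the declared one.
    wire_type, offset = _read_string(blob, 0)
    if wire_type != keytype.encode("ascii", "replace"):
        raise ValueError(f"declared type {keytype} but blob says {wire_type!r}")
    # The remaining wire strings are the key material (one string for Ed25519).
    parts = []
    while offset < len(blob):
        part, offset = _read_string(blob, offset)
        parts.append(part)
    expected = EXPECTED_KEY_LEN.get(keytype)
    if expected is not None and (len(parts) != 1 or len(parts[0]) != expected):
        raise ValueError(f"{keytype} key must be a single {expected}-byte string")
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")
    return hosts.split(","), keytype, fingerprint


def key_problem(line):
    """Return None when the entry is well-formed, otherwise a short description of the defect."""
    try:
        parse_known_hosts_line(line)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    hosts, keytype, fingerprint = parse_known_hosts_line(KNOWN_HOSTS_LINE)
    print(hosts, keytype, fingerprint)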

# Conclusion

I finally found a Git forge that is ethical and supportive of niche operating systems.  Its interface may be rude with fewer features, but it loads faster and is cleaner to understand.  The price ($20/year) is higher than the competition (GitHub or GitLab), which can be used freely (up to some point), but they don't offer the CI choice and the elegant workflow sourcehut has.

# Going further

You can self-host a sourcehut instance if you prefer, it's open source and packaged for some Linux distributions.

=> https://man.sr.ht/installation.md sourcehut: Documentation about the deployment process
</pre>
    ]]>
  </description>
  <guid>gemini://perso.pw/blog//articles/sourcehut-and-openbsd-ci.gmi</guid>
  <link>gemini://perso.pw/blog//articles/sourcehut-and-openbsd-ci.gmi</link>
  <pubDate>Wed, 06 Dec 2023 00:00:00 GMT</pubDate>
</item>
<item>
  <title>Run your own Syncthing relay server on OpenBSD</title>
  <description>
    <![CDATA[
<pre># Introduction

In earlier blog posts, I covered the program Syncthing and its features, then how to self-host a discovery server.  I'll finish the series with the syncthing relay server.

The Syncthing relay is the component that receives data from one peer and forwards it to the other when the two peers can't establish a direct connection; by default, Syncthing uses its huge worldwide community pool of relays.  However, even though the data is encrypted, relaying leaks some metadata, and a malicious relay could store the traffic until it becomes usable (a weakness found in the encryption algorithm, more powerful computers, etc.).

Running your own Syncthing relay server will allow you to secure the whole synchronization between peers.

=> https://relays.syncthing.net/
=> https://docs.syncthing.net/users/strelaysrv.html Syncthing official documentation: relay server

Related blog posts

=> https://dataswamp.org/~solene/2023-10-04-potw-syncthing.html Presenting Syncthing features
=> https://dataswamp.org/~solene/2023-10-18-syncthing-discovery-server.html Blog post about the complementary discovery server

A simple use case for a relay: you have Syncthing configured between a smartphone on its WAN network and a computer behind a NAT; it's unlikely they will be able to communicate with each other directly, so they will need a relay to synchronize.

# Setup

On OpenBSD, you will need the binary `strelaysrv` provided by the package `syncthing`.

```
pkg_add syncthing
```


There is no rc file to start the relay as a service on OpenBSD 7.3; I added one to -current, and it will be available from OpenBSD 7.5.  Create an rc file `/etc/rc.d/syncthing_relay` with the following content:

```
#!/bin/ksh

daemon="/usr/local/bin/strelaysrv"
daemon_flags="-pools=''"
daemon_user="_syncthing"

. /etc/rc.d/rc.subr

rc_bg=YES
rc_reload=NO

rc_cmd $1
```


The special flag `-pools=''` is there to NOT join the community pool.  If you want to contribute to the pool, remove this flag.

There is nothing else to configure apart from enabling the service at boot and starting it; the one extra step is to retrieve a piece of information from its runtime output:

```
rcctl enable syncthing_relay
rcctl -d start syncthing_relay
```


In the output, you will have a line looking like this:

```
2023/11/02 11:07:25 main.go:259: URI: relay://0.0.0.0:22067/?id=SCRGZW4-AAGJH36-M71EAPW-6XK7NXA-5CC1C4R-R2TKL2F-FNFF2OW-ZWA6WK5&networkTimeout=2m0s&pingInterval=1m0s&statusAddr=%3A22070
```


You need to note down the displayed URI: this is your relay address, just replace `0.0.0.0` with the actual server IP.

# Firewall setup

You need to open TCP port 22067 for the relay to work; in addition, you can open TCP port 22070, which serves a JSON document with statistics.

To reach the status page, you need to visit the page `http://$SERVER_IP:22070/status`
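
The URI rewriting and the list of ports above are easy to get wrong by hand: the `statusAddr` value is percent-encoded in the URI, and the status port is easy to forget in the firewall rule.  As an added example, written for this post and not part of Syncthing or of the original article, here is a Python snippet that parses the startup line quoted above, swaps the wildcard bind address for the address peers will dial (the 203.0.113.10 address in the usage call is a constructed placeholder), and derives the relay URI to hand to clients, the status URL and the TCP ports to open.

```python
"""Turn the strelaysrv startup line into the values peers and the firewall need."""
import re
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Constructed sample: the startup line quoted in the post, as strelaysrv prints it.
SAMPLE_LOG_LINE = (
    "2023/11/02 11:07:25 main.go:259: URI: relay://0.0.0.0:22067/"
    "?id=SCRGZW4-AAGJH36-M71EAPW-6XK7NXA-5CC1C4R-R2TKL2F-FNFF2OW-ZWA6WK5"
    "&networkTimeout=2m0s&pingInterval=1m0s&statusAddr=%3A22070"
)

_URI_RE = re.compile(r"\bURI:\s+(relay://\S+)")
WILDCARD = "0.0.0.0"


def extract_relay_uri(log_line):
    """Return the relay:// URI embedded in a strelaysrv log line, or None."""
    match = _URI_RE.search(log_line)
    return match.group(1) if match else None


def _bracket(host):
    # IPv6 literals must be bracketed inside a URI authority.
    return f"[{host}]" if ":" in host and not host.startswith("[") else host


def relay_info(log_line, server_address):
    """Derive client-facing values from the relay's startup line.

    server_address is the IP or hostname peers reach the relay on (an assumption
    of this example; the relay only knows the address it is bound to).
    """
    uri = extract_relay_uri(log_line)
    if uri is None:
        raise ValueError("no relay URI found in log line")
    parts = urlsplit(uri)
    if parts.scheme != "relay" or parts.hostname is None:
        raise ValueError(f"not a relay URI: {uri}")
    relay_port = parts.port or 22067  # strelaysrv default listen port
    # Keep a concrete bind address when the relay was not bound to the wildcard.
    host = server_address if parts.hostname == WILDCARD else parts.hostname
    client_uri = urlunsplit(
        (parts.scheme, f"{_bracket(host)}:{relay_port}", parts.path or "/", parts.query, "")
    )
    query = parse_qs(parts.query)
    if "id" not in query:
        raise ValueError("relay URI has no id parameter")
    # statusAddr is "host:port" or ":port"; parse_qs already undid the %3A escaping.
    status_addr = query.get("statusAddr", [":22070"])[0]
    status_host, _, status_port = status_addr.rpartition(":")
    status_port = int(status_port)
    status_host = status_host or host
    return {
        "relay_id": query["id"][0],
        "client_uri": client_uri,
        "relay_port": relay_port,
        "status_port": status_port,
        "status_url": f"http://{_bracket(status_host)}:{status_port}/status",
        "tcp_ports_to_open": sorted({relay_port, status_port}),
    }


if __name__ == "__main__":
    # 203.0.113.10 is a constructed placeholder for the relay's public address.
    for key, value in relay_info(SAMPLE_LOG_LINE, "203.0.113.10").items():
        print(f"{key}: {value}")
```

The full query string is kept in the client URI on purpose: the `id` parameter is what lets peers verify they are talking to the relay they expect, and the other parameters are part of the address the relay advertises.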

# Client configuration

On the client Web GUI, click on "Actions" and "Settings" to open the settings panel.

In the "Connections" tab, enter the relay URI in the first field, "Sync Protocol Listen Addresses".  You can add it after `default`, separating the two values with a comma, which adds your own relay in addition to the community pool.  You could also entirely replace the value with the relay URI; in that case, all peers must use the same relay whenever they need one.

Don't forget to check the option "Enable relaying", otherwise the relay won't be used.

# Conclusion

Syncthing is highly modular; it's pretty cool to be able to self-host all of its components separately.  In addition, it's also easy to contribute to the community pool if one decides to.

My relay is set up within a VPN where all my networks are connected, so my data are never leaving the VPN.

# Going further

It's possible to use a shared passphrase to authenticate with the remote relay; this is useful when the relay has a public IP, but you only want the nodes holding the shared secret to be able to use it.

=> https://docs.syncthing.net/users/strelaysrv.html#access-control-for-private-relays Syncthing relay server documentation: Access control for private relays
</pre>
    ]]>
  </description>
  <guid>gemini://perso.pw/blog//articles/syncthing-relay-server.gmi</guid>
  <link>gemini://perso.pw/blog//articles/syncthing-relay-server.gmi</link>
  <pubDate>Mon, 06 Nov 2023 00:00:00 GMT</pubDate>
</item>
<item>
  <title>Read quoted-printable emails with qprint</title>
  <description>
    <![CDATA[
<pre># Introduction

You may already have encountered emails in raw text that contained weird character sequences like `=E3` or `=09`, especially if you work with patch files embedded as text in emails.

There is nothing wrong with the text itself, or with the sender's email client.  In fact, this shows the email client is doing the right thing by applying RFC 1521: non-ASCII characters must be escaped in some way in emails.

=> https://www.rfc-editor.org/rfc/rfc1521 RFC 1521: MIME part one

This is where qprint enters into action: it can encode content as quoted-printable, or decode such content.  The software can be installed on OpenBSD with the package named `qprint`.

=> https://www.fourmilab.ch/webtools/qprint/ qprint official website

I already introduced qprint in a blog post in a guide about OpenBSD pledge.

# What does quoted-printable look like?

If you search for an email from the OpenBSD mailing lists and display it in raw format, you may encounter this encoding.  There isn't much you can do with such a file: it's hard to read and can't be used with the program patch.

=> https://marc.info/?l=openbsd-ports&m=169833007120486&q=raw Email example featuring quoted-printable characters

A sample of the email looks like this:

```
From italiano-=E6=97=A5=E6=9C=AC=E8=AA=9E (=E3=81=AB=E3=81=BB=E3=82=93=
=E3=81=94) FreeDict+WikDict dictionary ver.
2022.11.18 [itajpn]:
=09
ciao //'=CA=A7ao// <interjection>
=E3=81=93=E3=82=93=E3=81=AB=E3=81=A1=E3=81=AF
=09
```

If you pipe this content through the command `qprint -d`, you will obtain a much more interesting text:

```
From italiano-日本語 (にほんご) FreeDict+WikDict dictionary ver.
2022.11.18 [itajpn]:

ciao //'ʧao// <interjection>
こんにちは

```

There is little use for encoding content with qprint, but it can do that as well.
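
To see what `qprint -d` actually does with the sample above, here is an added example, written for this post and not part of qprint, that applies the RFC 1521 decoding rules in Python: `=XX` hex escapes, soft line breaks (a trailing `=` joining two lines, as in the first line of the sample), trailing whitespace dropped as transport padding, and malformed escapes kept literally.  The sample is the post's encoded snippet reassembled with CRLF line endings, the charset is assumed to be UTF-8, and the result is cross-checked against the standard library's quopri module.

```python
"""Minimal RFC 1521 quoted-printable decoder, checked against the stdlib."""
import quopri

HEXDIGITS = b"0123456789ABCDEFabcdef"

# Constructed sample: the encoded lines quoted in the post, as they sit in the raw email.
SAMPLE_QP = (
    b"From italiano-=E6=97=A5=E6=9C=AC=E8=AA=9E (=E3=81=AB=E3=81=BB=E3=82=93=\r\n"
    b"=E3=81=94) FreeDict+WikDict dictionary ver.\r\n"
    b"2022.11.18 [itajpn]:\r\n"
    b"=09\r\n"
    b"ciao //'=CA=A7ao// <interjection>\r\n"
    b"=E3=81=93=E3=82=93=E3=81=AB=E3=81=A1=E3=81=AF\r\n"
    b"=09\r\n"
)


def qp_decode(data):
    """Decode quoted-printable bytes to raw bytes.

    Rules applied (RFC 1521 section 5.1): "=XX" is one byte given in hex, a line
    ending in "=" is a soft line break that joins it with the next line, and
    whitespace at the end of an encoded line is transport padding to discard.
    A "=" not followed by two hex digits is malformed and is kept literally.
    """
    out = bytearray()
    for raw in data.splitlines(keepends=True):
        # Separate the encoded body from its line ending (CRLF, LF or CR).
        if raw.endswith(b"\r\n"):
            body, eol = raw[:-2], b"\r\n"
        elif raw.endswith(b"\n") or raw.endswith(b"\r"):
            body, eol = raw[:-1], raw[-1:]
        else:
            body, eol = raw, b""
        body = body.rstrip(b" \t")  # trailing whitespace is padding, not content
        if body.endswith(b"="):     # soft line break: no newline is emitted
            body, eol = body[:-1], b""
        i, n = 0, len(body)
        while i < n:
            if (body[i] == 0x3D and i + 2 < n
                    and body[i + 1] in HEXDIGITS and body[i + 2] in HEXDIGITS):
                out.append(int(body[i + 1:i + 3], 16))
                i += 3
            else:
                out.append(body[i])
                i += 1
        out += eol
    return bytes(out)


def qp_decode_text(data, charset="utf-8"):
    """Decode quoted-printable, then interpret the bytes in the message's charset."""
    return qp_decode(data).decode(charset)


def matches_stdlib(data):
    """True when this decoder and quopri agree, ignoring CRLF versus LF line endings."""
    ours = qp_decode(data).replace(b"\r\n", b"\n")
    theirs = quopri.decodestring(data).replace(b"\r\n", b"\n")
    return ours == theirs


if __name__ == "__main__":
    print(qp_decode_text(SAMPLE_QP), end="")
```

Running the block prints the same text the post shows after `qprint -d`.  The charset is not part of quoted-printable itself; it comes from the message's Content-Type header, which is why the decoder returns bytes and only the helper turns them into text.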

# Conclusion

If you ever encounter this kind of encoding, now you should be able to figure what it is, and how to read it.

Qprint may not be available on all systems, but compiling it is quite easy, as long as you have a C compiler and make installed.
</pre>
    ]]>
  </description>
  <guid>gemini://perso.pw/blog//articles/potw-qprint.gmi</guid>
  <link>gemini://perso.pw/blog//articles/potw-qprint.gmi</link>
  <pubDate>Mon, 30 Oct 2023 00:00:00 GMT</pubDate>
</item>

  </channel>
</rss>