G's Blog

SelfHost

Weekly Music Review and Fixing an error ( #100DaysToOffload Day 29)

So this “review” is technically a week late. After the last post I neglected to pick up the new album and did not realize until the end of the week.

So for the last week I've been listening to Daze of the Future by Mr. 45. If you recall, I picked this album from the surprise me section of Bandcamp and I must say I was very pleased with it. It's a bit more on the dark side, which is part of what I enjoyed about it. I guess I don't have much else to say about it than that. It's some good (dark) synthwave music, which is just what I'm into these days.

On to the next one, which I've already picked up to avoid the same situation as last time. This week I'll be listening to Calypso Drip FM by Gryff. This is a debut album, which makes it that much more worth a listen. I picked it for 2 reasons.

  1. The cover is very inviting.
  2. The description of the inspiration for this album is something I can really appreciate.

Let's see where it goes.


As some of you may know, I run my own Git using Sourcehut. See Part 1 and Part 2 of my adventure getting it set up.

Well, a little while ago I messed up the actual Git part. What caused the mess-up was letting it fall too many versions behind, which got me to this mess. You can see my posts and “solution” at the bottom of that. I'll summarize: when the latest version was trying to apply the DB migrations it ran into a situation of needing a later migration applied before the “next” one. So my “solution” to this was to force a re-ordering of the process. This did get everything to apply, but left me in such a state that I needed to re-force that order with each update. It would result in this:

upgrading git.sr.ht 100%
INFO  [alembic.runtime.migration] Context impl PostgresqlImpl.
INFO  [alembic.runtime.migration] Will assume transactional DDL.
INFO  [alembic.runtime.migration] Context impl PostgresqlImpl.
INFO  [alembic.runtime.migration] Will assume transactional DDL.
ERROR [alembic.util.messaging] Requested revision d42e577c5dcd overlaps with other requested revisions c167cf8a1271
FAILED: Requested revision d42e577c5dcd overlaps with other requested revisions c167cf8a1271
error: command failed to execute correctly

I lived with this for a while, then it hit me: that revision must be stored somewhere in the DB, and I just need to correct that and all should be good. It was truly that simple. In the git.sr.ht DB there is an alembic_version table. This table should only contain 1 row: the latest migration applied. In my case it contained 2. So the real solution was to delete the 2nd row (the one not matching up with the latest revision). Once this was done everything went just fine with the next update of git.sr.ht. So the moral of this story is to keep things up-to-date, especially when something is considered to be in alpha status.
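As an added example (my code, not from this post or from the SourceHut project), here is a small check for exactly that situation: it lists what alembic_version holds, reports whether it needs repair, and deletes every row except the one you tell it to keep, refusing if that revision is not actually in the table so a typo cannot leave it empty. It uses an in-memory SQLite database as a stand-in for the PostgreSQL git.sr.ht database, seeded with the two revision ids from the error message above as constructed rows; the function names are my own. Against PostgreSQL with psycopg2 the same SQL works once the `?` placeholder becomes `%s`. Which revision to keep is the current head of git.sr.ht's migrations (alembic's own `heads` command reports it); the script takes it as a parameter rather than guessing.

```python
import sqlite3

# Alembic records the currently applied migration in a one-column table;
# a healthy database has exactly one row in it.
TABLE = "alembic_version"


def alembic_versions(conn):
    """Return the revision ids recorded in alembic_version, sorted."""
    rows = conn.execute(f"SELECT version_num FROM {TABLE}").fetchall()
    return sorted(r[0] for r in rows)


def needs_repair(conn):
    """True when the table holds anything other than exactly one row."""
    return len(alembic_versions(conn)) != 1


def repair_alembic_version(conn, keep):
    """Delete every row except `keep`; returns the number of rows removed.

    Refuses to touch the table unless `keep` is present, so a mistyped
    revision id cannot empty it. Runs in a transaction, so a failure
    rolls back rather than leaving a half-done delete.
    """
    present = alembic_versions(conn)
    if keep not in present:
        raise ValueError(f"{keep!r} is not in {TABLE}: {present}")
    with conn:  # commits on success, rolls back on exception
        cur = conn.execute(
            f"DELETE FROM {TABLE} WHERE version_num <> ?", (keep,)
        )
    return cur.rowcount


def build_demo_db():
    """Constructed sample: a database left with two rows after a forced,
    re-ordered migration run, using the two ids from the error above."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {TABLE} (version_num VARCHAR(32) NOT NULL)")
    conn.executemany(
        f"INSERT INTO {TABLE} (version_num) VALUES (?)",
        [("d42e577c5dcd",), ("c167cf8a1271",)],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    print("before:", alembic_versions(db), "needs repair:", needs_repair(db))
    # On a real install `keep` is whatever alembic reports as head;
    # d42e577c5dcd is used here only because it is the constructed sample.
    removed = repair_alembic_version(db, keep="d42e577c5dcd")
    print("removed", removed, "row(s); after:", alembic_versions(db))
```

Running needs_repair before each upgrade turns the failure above into a clear message instead of a mid-migration abort, and the delete is deliberately not automatic: picking the wrong row to keep would make alembic try to re-apply migrations that are already in the schema.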

That is all for now.

Until next time. Be safe!

@mgrondin@youdabomb.social

#Music #Tech #SelfHost

Until next time. Stay safe!

G @mgrondin@youdabomb.social

A Quick and Dirty DNS server using FreeBSD ( #100DaysToOffload Day 28)

In today's post I'm going to show you how to set up something I should have done a long time ago, knowing now how easy it could be. What is this thing? Setting up an in-home DHCP/DNS server. At first I was just looking for a DNS server, thinking of something like a Pi-hole, but I knew I wanted to use FreeBSD as the OS. I want to use the BSDs more, mainly just to learn about them, not because I think they are better (yet). FreeBSD is my choice simply because I've had the best experience with it. This would work on any of the BSDs, but some steps might differ a little. So looking around I found out that the “Pi-hole” only runs on Linux. Looking a little further I found out that a Pi-hole really is just a DNS server plus a block list. Doing this also means I don't have to maintain a hosts file on each device I own.

Enter dnsmasq

This little piece of software is just what I was looking for. Plus it's also a DHCP and TFTP server. And it's native to the BSDs (it can also be found on Linux).

The setup was quite easy. I am using a Raspberry Pi Model B rev 2 (a second one I had lying around) for now, but this is going to be upgraded to something else as it does struggle a little. But it is very usable, and any slowdowns are only noticeable when the TTL of the DNS record expires.

So step one was to flash the SD card with the FreeBSD image. This I did using dd from my Linux PC:

dd if=FreeBSD-12.1-RELEASE-arm-armv6-RPI-B.img of=/dev/sdX

Pop that in the Pi and boot it up. I always do the initial Pi boot with it connected to a display, just in case something goes wrong, plus then I don't have to go looking at DHCP lease tables to find out what its IP address is.

After the initial boot, the next task should be to change the default password(s) for the root account and the freebsd account. You can do that using the same passwd command as on Linux.

Next, you really should set a static IP on any server and also set a hostname. To do that on FreeBSD you edit /etc/rc.conf and add these lines:

hostname="hyperion"
ifconfig_ue0="inet 192.168.2.6 netmask 255.255.255.0"
defaultrouter="192.168.2.1"

ue0 above is the name of the network interface. This could be different on your system. You can find the interface name using the ifconfig command.

Now, I know I could have these changes take effect with a few commands, but I always reboot when making changes like this.

What I always do next is somewhat optional but HIGHLY recommended: make SSH use public key authentication. I'll assume you know how to do this and move on to the setup of the actual DHCP/DNS server. At this point I would also disconnect the Pi from the display, place it in its final resting place and do the rest of the setup over SSH.

The only package we need to install is dnsmasq

pkg install dnsmasq

Once that is installed it's a matter of configuring it. dnsmasq is a caching DNS server by default but can also be a DHCP and TFTP server. I decided to also use it as the DHCP server on my network to ensure that all clients use it as their DNS server. dnsmasq parses /etc/hosts and turns those entries into DNS records/responses.

Here is my config


# Never forward plain names (without a dot or domain part)
domain-needed
# Never forward addresses in the non-routed address spaces.
bogus-priv

no-resolv
server=9.9.9.10
server=149.112.112.10
dhcp-range=192.168.2.20,192.168.2.150,24h
dhcp-option=3,192.168.2.1
dhcp-authoritative

# Send microsoft-specific option to tell windows to release the DHCP lease
# when it shuts down. Note the "i" flag, to tell dnsmasq to send the
# value as a four-byte integer - that's what microsoft wants. See
# http://technet2.microsoft.com/WindowsServer/en/library/a70f1bb7-d2d4-49f0-96d6-4b7414ecfaae1033.mspx?mfr=true
dhcp-option=vendor:MSFT,2,1i

cache-size=300
conf-dir=/usr/local/etc/dnsmasq.d

# If a DHCP client claims that its name is "wpad", ignore that.
# This fixes a security hole. see CERT Vulnerability VU#598349
dhcp-name-match=set:wpad-ignore,wpad
dhcp-ignore-names=tag:wpad-ignore

# Always allocate the host with Ethernet address 11:22:33:44:55:66
# The IP address 192.168.0.60
#dhcp-host=11:22:33:44:55:66,192.168.0.60
# If this line is uncommented, dnsmasq will read /etc/ethers and act
# on the ethernet-address/IP pairs found there just as if they had
# been given as --dhcp-host options. Useful if you keep
# MAC-address/host mappings there for other purposes.
#read-ethers

Most of those options are explained or self-explanatory, so I'll explain the less obvious ones.

no-resolv: by default dnsmasq gets the list of upstream DNS servers it forwards client queries to by reading /etc/resolv.conf. This disables that and makes it take its upstream servers from its own config file.

server=9.9.9.10
server=149.112.112.10

These are the 2 upstream DNS servers I use. They are provided by Quad9. These are the unsecured, non-blocking servers, as I will supply my own block list.

So then in /etc/resolv.conf you just need to have nameserver 127.0.0.1

and then disable resolvconf by creating /etc/resolvconf.conf with the following content:

resolvconf=NO

dhcp-option=3,192.168.2.1 sets DHCP option 3 (default gateway) for all clients to 192.168.2.1. dhcp-authoritative makes dnsmasq forcefully become the only DHCP server on the network, so it will take over leases from other servers (if I understand that correctly).

I've left the address reservation lines in because I may use them someday.

conf-dir=/usr/local/etc/dnsmasq.d makes dnsmasq parse all files under that folder.

In that folder I have the block list found here.

This list gets updated every day and is a large list blocking ad and malware domains.

So with all that in place, all that is left to do is to enable/start the service.

To enable it, add this to /etc/rc.conf:

dnsmasq_enable="YES"

Then to start it right now

service dnsmasq start

That's it; the server is now running and will answer DHCP and DNS requests. For any clients you have set up with static network configurations, you will need to update the DNS server on those to point to this newly set up server.

The other thing I did was create a small script to update the block list every day and restart dnsmasq.


#!/usr/local/bin/bash
# Fetch the latest block list, then restart dnsmasq so it takes effect.
# The restart only runs if the download succeeded, so a failed fetch does
# not restart dnsmasq; it keeps serving the list it loaded last time.
wget -O /usr/local/etc/dnsmasq.d/dnsmasq.blacklist.txt https://raw.githubusercontent.com/notracking/hosts-blocklists/master/dnsmasq/dnsmasq.blacklist.txt \
  && service dnsmasq restart

and add that to /etc/crontab

0 1 * * * root /root/upblocklist.sh >/dev/null 2>&1

I have that set to go at 1 AM every day, as the blocklist repo is updated right around 12 AM in my time zone. You'll have to adjust this so you grab it after it's been updated.
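The shell script above has one weak spot worth closing: wget -O truncates the target file before it knows whether the download will succeed, and the crontab line discards all output, so a failed fetch, or a server answering with an HTML error page, can silently replace the block list with junk that dnsmasq then loads at the next restart or reboot. As an added example (my code, not part of the original post), here is a Python version of the same daily job that fetches into a temporary file, checks that the content looks like a dnsmasq list before swapping it in with an atomic rename, syntax-checks the configuration with dnsmasq --test, and only then restarts the service. The URL, file path and service command are the ones from the post; the expectation that every non-comment line is an address=/domain/ip or server=/domain/... directive, and the minimum of 1000 entries, are my own assumptions about the notracking list; the sample lines in demo_validation() and demo_install() are constructed.

```python
#!/usr/local/bin/python3
"""Fetch the block list, validate it, install it atomically, restart dnsmasq."""
import os
import re
import subprocess
import sys
import tempfile
import urllib.request

URL = ("https://raw.githubusercontent.com/notracking/hosts-blocklists/"
       "master/dnsmasq/dnsmasq.blacklist.txt")
TARGET = "/usr/local/etc/dnsmasq.d/dnsmasq.blacklist.txt"
# Assumption: a genuine list has far more entries than this, so a tiny
# "list" means the fetch returned something other than the real file.
MIN_ENTRIES = 1000

# Assumed list format: dnsmasq "address=/domain/ip" or "server=/domain/..."
# lines plus blank lines and "#" comments. Anything else (an HTML error
# page, a truncated line) is treated as invalid.
ENTRY_RE = re.compile(
    r"^(?:address|server)=/[A-Za-z0-9][A-Za-z0-9_.-]*/[0-9A-Fa-f.:#]*$")


def validate_blocklist(text):
    """Return (entry_count, bad_lines) for the list text."""
    entries, bad = 0, []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if ENTRY_RE.match(line):
            entries += 1
        else:
            bad.append(f"{lineno}: {line[:60]}")
    return entries, bad


def is_acceptable(text, min_entries=MIN_ENTRIES):
    """True only when every line parses and the list is plausibly complete."""
    entries, bad = validate_blocklist(text)
    return not bad and entries >= min_entries


def install_atomically(text, target):
    """Write to a temp file beside the target, then rename over it, so the
    file on disk is always either the old list or a complete new one."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(target), prefix=".blocklist.")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(text)
        os.chmod(tmp, 0o644)
        os.replace(tmp, target)
    except BaseException:
        os.unlink(tmp)
        raise
    return target


def update(url=URL, target=TARGET):
    """Fetch, validate, install and restart; returns the entry count."""
    with urllib.request.urlopen(url, timeout=60) as resp:
        text = resp.read().decode("utf-8", errors="replace")
    entries, bad = validate_blocklist(text)
    if bad or entries < MIN_ENTRIES:
        # Leave the existing list untouched and say why on stderr.
        sys.exit(f"refusing to install list: {entries} entries, "
                 f"{len(bad)} bad line(s), first: {bad[:3]}")
    install_atomically(text, target)
    # dnsmasq --test syntax-checks the configuration it would load, so a
    # broken list is caught before the running service is touched.
    subprocess.run(["dnsmasq", "--test"], check=True)
    subprocess.run(["service", "dnsmasq", "restart"], check=True)
    return entries


def demo_validation():
    """Constructed samples: a valid fragment and an HTML error page."""
    good = "# comment\naddress=/ads.example/0.0.0.0\nserver=/tracker.example/\n"
    html = "<html><body>404 Not Found</body></html>\n"
    return validate_blocklist(good), validate_blocklist(html)


def demo_install():
    """Constructed sample: install into a scratch directory and read back."""
    with tempfile.TemporaryDirectory() as d:
        path = install_atomically("address=/a.example/0.0.0.0\n",
                                  os.path.join(d, "list.txt"))
        with open(path) as fh:
            return fh.read()


if __name__ == "__main__":
    print("installed list with", update(), "entries")
```

Run it from the same crontab line in place of upblocklist.sh; if you drop the `>/dev/null 2>&1` redirect, cron will mail you the refusal message on the days the fetch goes wrong instead of hiding it.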

And that is it. Like I said, the Pi Model B is not the best device to do this with. I think anything more recent with more than 1 CPU core would work just fine. My plan is to get a Rock64.

Well, I hope this post was helpful to someone.

Until next time. Stay safe!

@mgrondin@youdabomb.social

#Tech #BSD #Selfhost

Weekly music review and a new service offering (#100DaysToOffLoad Day 26)

So this week I have been listening to Cataclysm by Electric Dragon. To no surprise, I have been enjoying every minute. This artist is a bit darker than most other Synthwave artists I've listened to, but that's what makes it so great. It's like being down in the underbelly having a party.

I'm not sure where the inspiration for this album came from, but I suspect that 2020 had a general impact on it. Most of the songs make reference to the end of days in some way, but it's put together in such a way that is very enjoyable. I'll be listening to this one again for sure, and you should as well.

Now for next week's album we are going to stick in the Synthwave genre, but a little different still.

This album is by a band that has interested me for a while, but I never really checked it out.

The band is called Master Boot Record. I think you can see why the name would interest me.

Anyway, the album I'll be listening to is Floppy Disk Overdrive. Please go and check it out. If you are more skilled in those things than me, maybe you can unlock the secret track. Come back next week for more music.


As a hobbyist self-hoster I'm almost always looking for something else to host. One, because I like to see what else is available in terms of self-hostable stuff, and two, because I just enjoy the setup process.

So when @selea@social.linux.pizza put out a call for someone to take over https://tempmail.linux.pizza (now redirects to my server) I saw it as something I could throw onto my recently uncovered Raspberry Pi Model B and I jumped at the chance. So https://tempmail.youdabomb.social is born (literally just yesterday). What does it offer:

Random Disposable Mailbox ✅
No Access Logs ✅
Mail Deleted after 2 days ✅

2 domains to choose from: anon.ymous.xyz and nullnvoid.xyz. More domains to come later (maybe... probably).

It is made possible by Disposable-Mailbox.

So if you want to avoid some of the spam associated with some websites, or just want to be able to use/join a website without giving your regular email, well, now you can.

Keep in mind that this is running on quite a small device, so while it can't handle all of you at once it should be able to service everyone given time. If it's in high enough demand I'll look at upgrading the hardware it's on. For now it should do.

Well that is all for now

Until next time Be Safe!

@mgrondin@youdabomb.social

#Music #Tech #SelfHost #BSD #Raspi

Google Recaptcha alternative ( #100DaysToOffload day 12)

Today's post will be a quick one. A while ago my work wanted a captcha added to our website forms to prevent spam. The only thing that I knew of at the time was Google's reCAPTCHA, so that's what I put in place. After I doubled down on my anti-Google (really anti-centralized) mission I knew I had to change to something else.

After a while of looking I found secure image.

What can I say. It's free, open source and easy to set up. It supports using a cookie or a MySQL database. It also offers different types of verification: either a text or a math question. The amount of image distortion can also be configured. Overall I really like it. It just works.

Well that's about all for this post.

Until next time. Stay Safe!!

@mgrondin@youdabomb.social

#Tech #SelfHost

Setting up Git using SourceHut (Part 2 actually getting GIT working)

So this is a follow-up to my last post, in which I was setting up self-hosted Git using SourceHut.

In that post I got everything installed and mostly set up, with the exception of being able to pull/push to any git repo. That has now been resolved with the help of a few people on the SourceHut mailing list.

The first “issue” was permissions on the logs for Git. This was not preventing anything from working, but was preventing the issues from being logged properly. So the first step was to create the logs:

touch /var/log/gitsrht-dispatch
touch /var/log/gitsrht-keys
touch /var/log/gitsrht-shell

Then set the ownership (the glob must match the gitsrht-* files just created):

chown git:git /var/log/gitsrht-*

Then I also changed the user for the git.sr.ht service by editing /usr/lib/systemd/system/git.sr.ht.service.

Also ensure the folder hosting your repos is owned by the git user, not the gitsrht user as my last post indicated:

sudo chown -R git:git /srv/gitrepos/

Next, the root cause of the issue was that the git user did not have a proper shell defined. After I set its shell to /bin/bash it started giving errors in the gitsrht-shell log.

First we had this:

2020/03/14 15:26:32 Looking up repo: pusher ID 0, repo path /srv/gitrepos/~marcg/Initial_Repo
2020/03/14 15:26:32 Lookup failed: pq: SSL is not enabled on the server
2020/03/14 15:26:32 Looking up redirect
2020/03/14 15:26:32 Lookup failed: pq: SSL is not enabled on the server
2020/03/14 15:26:32 Repository not found.

I suspected the trouble was this line: Lookup failed: pq: SSL is not enabled on the server

A quick Google search suggested adding ?sslmode=disable to the connection string for the gitsrht database (acceptable here because the database lives on the same host as the application, so the connection never leaves the machine).

That worked to remove that error; on the next clone attempt the log showed:

2020/03/14 15:32:12 Looking up repo: pusher ID 0, repo path /srv/gitrepos/~marcg/Initial_Repo
2020/03/14 15:32:12 Lookup failed: sql: no rows in result set
2020/03/14 15:32:12 Looking up redirect
2020/03/14 15:32:12 Lookup failed: sql: no rows in result set
2020/03/14 15:32:12 Repository not found.

which I was informed “could be caused by a faulty redis cache.” I had to ask for guidance here, since I'm not familiar with interacting with redis.

I was told the following:

“You can list your keys like this: redis-cli -n 0 KEYS '*' (where the number after n is your redis cache number) And that should delete all keys: redis-cli -n 0 FLUSHDB”

So I did just that, and now everything works. I am able to clone/push to my git install.

That's all for now

G

#tech #selfhost

Setting up Git using SourceHut

In this post I will document the process of setting up self-hosted Git. I decided to go with SourceHut because of its modular approach, making it less resource intensive. Their install documentation leaves much to the user, so this should be a fun and interesting process. I'm going to try to keep this post organized, but it might end up all over the place; if so, I apologize.

SourceHut is broken up into many modules. For my current needs I will only be setting up the core, meta (login) and git modules. More might be added in the future. So let's get started.

SourceHut provides a repository for Arch Linux, so step 1 is to add that. This is done by editing the /etc/pacman.conf file and adding this:

[sr.ht]
Server = https://mirror.sr.ht/archlinux/sr.ht

After that, packages can be installed normally:

sudo pacman -Sy meta.sr.ht

This will pull in all required dependencies.

Now the fun begins. The SourceHut documentation states that every module comes with a config.example.ini, but for the life of me I could not find it, so I manually created the path/file /etc/sr.ht/config.ini, got the content from config.example.ini and carried on.

The config file itself is fairly well explained, so I won't go into details here; I simply adapted it to my needs. A couple of options I'm unsure of:

site-info sounds like a landing page type of thing, which I don't intend on having. Not sure if it can be blank at this point.

privacy-policy: because this will pretty much be a personal/private setup I don't plan on having one of these. It's blank by default, so I will leave it.

Next is the database related things. SourceHut uses PostgreSQL as a database, so the first thing is to create a DB and user. I use Webmin to do most database tasks, so I created the sourcehut user and the db metasrht, making the sourcehut user its owner. Then set the connection-string property to

connection-string=postgresql://sourcehut@localhost/metasrht

so the create db function can do its thing in the next step.

python3
>>> from metasrht.app import db
>>> db.create()

This will create the database for the meta module.

Next we should be able to start the meta.sr.ht service. I had to make a change at this point to the port used, making the change both in the systemd service file (/usr/lib/systemd/system/meta.sr.ht.service) and in the module config. This was required because, with everything else I run on this server, the port was already in use.

Once that change was made, all that was required to start the service was:

sudo systemctl daemon-reload
sudo systemctl start meta.sr.ht
sudo systemctl enable meta.sr.ht

So now the meta service is running but can't be accessed, as it's only listening locally. What we need is to set up a (sub)domain to point to our server, then set up a web server (apache in my case) to serve the application. So my apache config looks like this:

<VirtualHost *:80>
   ServerName shmeta.marcg.pizza

   # Default is to force https
   RewriteEngine on
   RewriteCond %{SERVER_NAME} =shmeta.marcg.pizza
   RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]

   <Location "/.well-known/acme-challenge/">
      Options None
      Require all granted
   </Location>
</VirtualHost>


<IfModule mod_ssl.c>
<VirtualHost *:443>
   ServerName shmeta.marcg.pizza

   # Path to ErrorLog and access log
   ErrorLog ${APACHE_LOG_DIR}/shmeta.error.log
   CustomLog ${APACHE_LOG_DIR}/shmeta.access.log combined

   # TLS
   # Feel free to use your own configuration for SSL here or simply remove the
   # lines and move the configuration to the previous server block if you
   # don't want to run funkwhale behind https (this is not recommended)
   # have a look here for let's encrypt configuration:
   # https://certbot.eff.org/lets-encrypt/debianstretch-apache.html
   SSLEngine on
   SSLProxyEngine On
   SSLCertificateFile /etc/letsencrypt/live/marcg.pizza/fullchain.pem
   SSLCertificateKeyFile /etc/letsencrypt/live/marcg.pizza/privkey.pem


   

   # Configure Proxy settings
   # ProxyPreserveHost pass the original Host header to the backend server
   ProxyVia On
   ProxyPreserveHost On
   <IfModule mod_remoteip.c>
      RemoteIPHeader X-Forwarded-For
   </IfModule>

   # Turning ProxyRequests on and allowing proxying from all may allow
   # spammers to use your proxy to send email.
   ProxyRequests Off

   <Proxy *>
      AddDefaultCharset off
      Order Allow,Deny
      Allow from all
   </Proxy>

   <Location "/">
      LimitRequestBody 104857600

      Header set X-Frame-Options "sameorigin"
      Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:"
      Header set Referrer-Policy "strict-origin-when-cross-origin"
      ProxyPass http://127.0.0.1:5002/
      ProxyPassReverse http://127.0.0.1:5002/
   </Location>

   <Location "/static">
      ProxyPass  "!"
   </Location>
   Alias /static /usr/lib/python3.8/site-packages/metasrht/static
  <Directory /usr/lib/python3.8/site-packages/metasrht/static>
   Require all granted
  </Directory>
</VirtualHost>
</IfModule>

This is probably not the best config, as I'm no expert here, but it works. It's adapted from the config I use for funkwhale.

So great, now we can get to the login page. Next part: creating the initial admin user.

The documentation has some steps on converting an existing user into an admin, but nothing specific on creating the user. I saw 2 options:

  1. Turn on registration, create the user, turn off registration, make the user admin
  2. Use the metasrht-createuser script I saw in the source to create the user

Problem was, for some reason that script was not installed with the package (it should be now). So what I did was simply create a file and paste the content of the script into it, then execute it like so:

python metasrht-createuser.py -t admin <user_name> <user_email>

This will prompt for a password and create the user. To prepare the DB for future migrations/upgrades, do:

srht-migrate meta.sr.ht stamp head && metasrht-migrate stamp head

Voilà, now we can log in to the meta module.

I noticed another issue before moving on. The audit log was always showing 127.0.0.1 as the source IP on all entries. After much searching and trial and error I found a working solution. I sent a patch for the meta package. Not sure if it will get merged, as it may not be the ideal way to do this. It works for me.

Moving on to git.

git.sr.ht is again installed like any other package:

sudo pacman -S git.sr.ht

This will install it and its dependencies.

Now we look at config.example.ini and add the [git.sr.ht] and [git.sr.ht::dispatch] sections to our /etc/sr.ht/config.ini, making the required changes and setting up OAuth from our meta installation.

Now set up the DB:

python3
>>> from gitsrht.app import db
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.8/site-packages/gitsrht/app.py", line 7, in <module>
    from gitsrht.repos import GitRepoApi
  File "/usr/lib/python3.8/site-packages/gitsrht/repos.py", line 5, in <module>
    from minio import Minio
  File "/usr/lib/python3.8/site-packages/minio/__init__.py", line 36, in <module>
    from .api import Minio
  File "/usr/lib/python3.8/site-packages/minio/api.py", line 49, in <module>
    import certifi
ModuleNotFoundError: No module named 'certifi'

What's this? A missing dependency. (I've sent a patch to add it to the package, so this may no longer be an issue.) No problem, let's install it:

sudo pacman -S python-certifi

then try again (this time importing from the git module, not meta):

python3
>>> from gitsrht.app import db
>>> db.create()

This gave a warning: “Unable to ensure delegated scopes are provisioned. Is https://shmeta.marcg.pizza reachable? This may render the API unusable.” Let's see if everything works in the end.

Next, prepare the DB for future migrations:

srht-migrate git.sr.ht stamp head && gitsrht-migrate stamp head

Set up the folder to hold repos (or whatever path you set in your config):

sudo mkdir /srv/gitrepos

and make the gitsrht user its owner:

sudo chown -R gitsrht:gitsrht /srv/gitrepos/

Now the apache config. Just copy the one for the meta module and adapt the ServerName and such.

Make sure to add it to the apache main config and restart apache. Then start the git.sr.ht service.

Create a cron entry or systemd timer to run /usr/bin/gitsrht-periodic every 20 minutes.

Example systemd timer/service

gitsrht-periodic.timer

[Unit]
Description=Run gitsrht-periodic every 20 minutes

[Timer]
OnBootSec=20min
OnUnitActiveSec=20min
Unit=gitsrht-periodic.service

[Install]
WantedBy=timers.target

gitsrht-periodic.service

[Unit]
Description=Run gitsrht-periodic

[Service]
User=gitsrht
ExecStart=/usr/bin/gitsrht-periodic

[Install]
WantedBy=basic.target

Then start/enable the timer.

This also needs to be done for metasrht-daily, but have it run daily.

So with all this I now have a working meta module to handle login/users and a “working” git module. I have working in quotation marks here because, although I can log in and create a repo, I can't pull/push anything over SSH (I did not set up/try over HTTP(S)); I get some errors. I have reached out for support and will post an update when I have it working.

And with that

That's all for now. Hope this post made sense. Let me know if you have any questions/comments.

See Part 2, where I get Git fully working.

G

#tech #selfhost

Hello Everyone

I have decided to migrate my blog from using GitHub Pages to self-hosting it using WriteFreely. If all goes well I'll be able to boost this on Mastodon.

I will still post sporadically when I have time and something worth sharing.

I will also be migrating my old posts at some point. Probably over the weekend.

That's all for now.

Have a great day.

G

#Tech #Meta #SelfHost #Migration