Nextcloud Dangling in the Works

Good Morning from my Robotics Lab! This is Shadow_8472, with a stubborn-project update. Let’s get started!

Nextcloud as a project comes with a lot of strings and hooks. Every time I sit down to work on it, the feature creep closes in: multiple volumes for speed and capacity, a MariaDB container so SQLite doesn’t choke serving clients, a pod for MariaDB to live in alongside Nextcloud, Redis for RAM caching (out of my scope, but worth a mention), Ansible Vault for password management (an automation tool I’d need a month to learn), Podman secrets, Philomena image board software – not to mention the volumes I learned about the other week! As noted previously, the container I’m using from docker.io can take care of itself, but it will work a lot better with even a few of these things.

In my ideal configuration, all my containers’ persistent data lives on GoldenOakLibry so my old, red laptop can take over on critical Podman containers when ButtonMash is booted to Debian for photo scanning duty. The big, hanging question then is if GoldenOakLibry’s internal HDD’s absolutely need to spin up to serve shares hosted on NAS volumes mounted from an external SSD.

HDD: Hard Disk Drive
NAS: Network Attached Storage
SSD: Solid State Drive

My initial tests involved verifying that a drive could be mounted externally, then rebooting the NAS. I was expecting either a 1 or a 50 second wait, but instead I kept hitting “Stale file handle” errors when I tried mounting the external share. My second round of trials a week or two later exhausted search pages worth of results to learn how NFS shares change a few invisible details when restarted. Either something wasn’t ready when needed during boot, or my client just needs a while to refresh those details. It works in the long run, and external shares are not dependent on internal disk spinup. Time to move on.

Having solved the last known problem, I started layering the bits I had solved while frustrated with the USB share. I prepared three Podman volumes: two for Nextcloud prioritizing high-capacity and speed, respectively, and one for an SQL database. A pod housing MariaDB (the SQL database) and Nextcloud containers mounts these volumes (!). Podman secrets safely injects the database password so MariaDB and Nextcloud can work together – not strictly necessary for my application, but a good habit to get in in case I go in the direction of creating images from existing containers. Once the cloud is running, I want to try adding an image board to view the pictures.

(!) NFS –as it turns out– does not appreciate a number of the acrobatics rootless Podman performs with Namespaces. I don’t have the specifics memorized, but when Podman makes a container, the host’s user ID is mapped to root within that container. Podman then assigns variations of the host’s user ID to non-root users within the container as defined by a namespace. The NFS protocol wasn’t designed with namespaces in mind. To NFS, it looks like you’re trying to access another user’s files – possibly without permission. While this reportedly doesn’t stop rootless Podman from working well over NFS over normal circumstances, there are a bunch of search results talking about the snag when working with container images over NFS. Based off my experiences for this post, the same appears to hold true for volumes.
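To make the mapping concrete, here is an added Python example (not code from this post or from Podman) that reproduces the UID arithmetic rootless Podman writes into a container's /proc/<pid>/uid_map from a constructed /etc/subuid line, and shows which host UID an NFS server would see for a given container user. The user name shadow, host UID 1000 and the subuid range are assumed values.

```python
"""Rootless Podman UID mapping, and why an NFS server sees a 'foreign' user."""
from typing import List, Optional, Tuple

# Constructed sample of /etc/subuid; on a real host read the actual file.
SUBUID_TEXT = """\
shadow:100000:65536
alice:165536:65536
"""
HOST_UID = 1000  # assumed UID of user 'shadow' on the host


def parse_subuid(text: str, user: str) -> List[Tuple[int, int]]:
    """Return the (start, count) ranges /etc/subuid grants to `user`."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        if name == user:
            ranges.append((int(start), int(count)))
    return ranges


def uid_map(host_uid: int, ranges: List[Tuple[int, int]]) -> List[Tuple[int, int, int]]:
    """Build the (container_start, host_start, length) triples of a rootless
    container's uid_map: container root is the host user, and container
    UIDs 1.. are taken from the subuid ranges in order."""
    entries = [(0, host_uid, 1)]
    next_cuid = 1
    for start, count in ranges:
        entries.append((next_cuid, start, count))
        next_cuid += count
    return entries


def container_to_host(mapping, cuid: int) -> int:
    """Host UID that the kernel (and therefore NFS) sees for container UID `cuid`."""
    for cstart, hstart, length in mapping:
        if cstart <= cuid < cstart + length:
            return hstart + (cuid - cstart)
    raise ValueError(f"container UID {cuid} is not mapped")


def host_to_container(mapping, huid: int) -> Optional[int]:
    """Container UID for a host UID, or None if it is outside every range
    (inside the container such files appear owned by the overflow UID, nobody)."""
    for cstart, hstart, length in mapping:
        if hstart <= huid < hstart + length:
            return cstart + (huid - hstart)
    return None


def nfs_view(mapping, cuid: int, export_owner_uid: int) -> str:
    """Describe how an NFS server, which only ever sees host UIDs, judges an
    access by container UID `cuid` to a file owned by `export_owner_uid`."""
    huid = container_to_host(mapping, cuid)
    if huid == export_owner_uid:
        return f"container uid {cuid} -> host uid {huid}: same owner, allowed"
    return (f"container uid {cuid} -> host uid {huid}: NFS sees a different user "
            f"than owner {export_owner_uid}; denied unless the export or ACL allows it")


if __name__ == "__main__":
    m = uid_map(HOST_UID, parse_subuid(SUBUID_TEXT, "shadow"))
    for entry in m:
        print("uid_map entry:", *entry)
    print(nfs_view(m, 0, HOST_UID))    # root in the container is the host user
    print(nfs_view(m, 33, HOST_UID))   # www-data in the container is host uid 100032
```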

Takeaway

As much as I wanted this to be the last installment, this issue is a post in and of itself, and I’m getting burned out again over trying to come back to it. I’ll try coming back to this in around a month or so.

Final Question

Have you successfully used Podman volumes over NFS? Please, do tell me all about it in the comments below or on my Socials.

I Studied Podman Volumes

Good Morning from my Robotics Lab! This is Shadow_8472 with a side project of the week. Let’s get started!

Nextcloud has been a wish list item since I gave up using Google’s ecosystem (Drive, Calendar, Office, etc.). This open source almost-drag-and-drop alternative proved above my skill level at first, but I’ve learned a lot about server management and running OCI “Docker” containers in Podman in the years since.

Demo of Nextcloud

Nextcloud was relatively simple to demo: one non-privileged port forwarded. During my self-guided tour, I was amazed at the potential power there. In addition to its calendar, office, and file storage functions I expected, its recommended suite apps include email, chat, and contacts servers – with more apps available for download.

As much as I can see myself moving in right now, it’s important that I master how its persistent data is stored. Ideally, everything would live on GoldenOakLibry, my home network storage configured with RAID 5. But I hate waiting for HDD spin-up. If it had an SSD out the back (it has two USB ports), I could mount a directory there from a Nextcloud container and back it up to deep storage on a weekly or monthly basis. At the same time, I may want the capacity of the main disks if Nextcloud turns out to be good for hosting the family’s photo archive.

The solution: use two “volume” structures like I started looking at last week. They work similarly to directly mounting directories as I’ve been doing in theory, but are abstracted similar to containers. See my Tangent heading later on for more information.

With this purpose in mind, we ordered a USB–SATA adapter and dug up our MineOS SSD from once upon a time. I archived around 411 GB worth of Minecraft worlds to free up space. I got the poor idea to try compressing it to both .tar.gz and .zip, two widely used compression formats which turn out to be implementations of the same algorithm. GoldenOakLibry had ZIP, but not TAR, so I tarballed/compressed it to 393.5 GB in about an hour, whereas the NAS struggled for a full day to produce a 393.77 GB .zip. With a savings that small, I’m probably best off curating it uncompressed – especially if I have family members interested in seeing it again.

RAID 5: A hard drive redundancy scheme resistant to a single drive failure. In my case: four matching disks with three drives’ worth of usable space.

TAR: Tape ARchive: An early archive tool often paired with the GNU Zip compression program.

To Do List

Regretfully, I have to split this topic just as it’s getting good. I was running a test to see if GoldenOakLibry can respond on the USB share without spinning up, but creating new network shares is not a skill I can perform reliably yet. I had it working once, rebooted, and now it won’t re-connect like the proven ones. If for whatever reason I can’t get GoldenOakLibry to share from MineOS’s SSD without spinning up, I’ll have to mount it internally to ButtonMash and play the BIOS game to disable booting to it.

Even if I was making good enough time with the USB share, I’d still need to study up on databases. The lightweight one included with the Nextcloud container I’m working with is meant for browser traffic only, and I want to try out its clients.

Tangent

I started with the working theory that volumes needed to be started and stopped like containers, and I would therefore need one of Podman’s signature pods to manage them alongside Nextcloud’s. It’s basically a container for organizing and running containers on a homelab scale. I rigged up a script to automate my attempts with it, but eventually realized that volumes are passive, and I had just learned the wrong tool for the job. I’m sure I’ll make use of it eventually.

Final Question

I’d like to open up the discussion. Two big choices remain: Where do I host my fast Nextcloud SSD (GoldenOakLibry or ButtonMash), and how do I host my archive pictures (Nextcloud, Mediawiki, something else)?

I look forward to hearing your answers in the comments below or on my Socials.

My Podman Containers Boot With Systemd

Good Morning from my Robotics Lab! This is Shadow_8472 and today I am reasonably sure my Podman containers won’t be randomly going down anymore. Let’s get started!

I enjoy using Podman as a stand-in for Docker, but its rootless approach to running containers inherently challenges sysadmins facing Docker’s help and tutorial legacy. The most problematic difference I’ve experienced has been keeping containers running long-term. Months ago, I learned how to enable account lingering. This allows Podman containers to keep running without someone remaining logged in as their respective users. I’ve been living with manually restarting containers as needed. Well, since I decided to enable automatic security updates, starting containers automatically would be prudent before expecting other family members to rely on them.

Against all odds, my initial search this past Wednesday yielded a blog article from Red Hat about integrating Podman containers into Systemd [1] to start them at boot. It was posted the day before.

Podman and Systemd

I trust Red Hat to not post malicious commands, but it’s still a good idea to learn about strange commands before running them. Red Hat’s tutorial starts with making a new user, enabling linger, and running a containerized web server. The first important command I ran was

$ podman stop httpd && podman rm -a && podman volume prune

This command appears to thoroughly clean out Podman. I’ve mounted volumes from the host before to persist data, but there’s a more flexible volume structure I only learned about just now when researching for another section I had to spin off into a near-future post. I haven’t used them yet, but I’m sure they’ll be useful once I learn how to use them.

$ podman generate systemd --new --files --name httpd

This command makes a new systemd unit file. The --new option recreates the container fresh each time the service starts. --files writes the unit to a file instead of printing it to the terminal. --name makes the unit file use the container’s name (here httpd, which must be an existing container or pod) rather than its ID.

$ cp -Z container-httpd.service ~/.config/systemd/user/

The file generated previously goes in a directory where systemd will find it when used with the --user flag. The -Z flag sets the copied file’s SELinux security context to the default type for its destination. The tutorial finishes with a daemon-reload followed by starting and enabling the user’s service.

Takeaway

This is a resource for my bookmarks. That is all.

Final Question

I took the opportunity during this project to put a Minetest server on ButtonMash, but I’m having difficulty obtaining permissions. I can see its logs in Cockpit-Podman, but I don’t have access to the server command line. How am I supposed to get started with adminning Minetest?

I look forward to hearing your answers in the comments below or on my Socials.

Work Cited

[1] A. Oliveira, “Configure a container to start automatically as a systemd service,” redhat.com, Feb. 21, 2023. [Online]. Available: https://www.redhat.com/sysadmin/container-systemd-persist-reboot [Accessed Feb. 27, 2023].

My PiHole is “Half Baked”

Good Morning from my Robotics Lab! This is Shadow_8472, and today I am installing PiHole. With luck, I’ll be configuring some of its other functions to augment my home’s network as well. Let’s get started!

PiHole, Take II

I can rant about the evils of Google ‘til boredom do its part. However, this search engine is between inconvenient and impossible to ignore, given its impressive list of “hobbies” from STEM projects to smartphones. It’s an open secret few care to think about that their empire is built off user exploitation. I installed ad blocker browser plugins over their aggression last presidential election cycle.

Earlier this month, I read about Manifest v3, the new browser-plugin interface library created by Google. Their precautions against spyware just so happen to cripple ad blockers, among other legitimate plugins. This walking conflict of interest is set to roll out January, 2023, and Firefox is going along with it.

When a browser loads a web page, it asks a DNS service to translate the hostname in the page’s URL into an IP address. It then finds, loads, and renders the page at that IP. This may involve loading other pages –such as ads– as elements of the original page. Network ad blockers protect you by answering DNS queries for known ad and tracker domains with a bogus, unroutable address (a sinkhole), so the browser never reaches them.
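As an added illustration of that sinkhole mechanism (not code from this post or from PiHole), the following Python builds a DNS A query in wire format, checks the queried name against a constructed blocklist, and forges a response pointing at 0.0.0.0 (assumed here as the sinkhole address); names not on the list return None, meaning a real resolver would forward them upstream.

```python
"""Toy DNS sinkhole: forge an A answer for blocklisted names (offline demo)."""
import struct
from typing import Optional, Tuple

BLOCKLIST = {"ads.example.net", "tracker.example.org"}  # constructed sample list
SINKHOLE_IP = "0.0.0.0"  # assumed sinkhole answer for blocked names


def encode_name(name: str) -> bytes:
    """Encode 'ads.example.net' as length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal standard A/IN query with the RD (recursion desired) flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def decode_name(pkt: bytes, off: int) -> Tuple[str, int]:
    """Decode a name at `off`, following one compression pointer if present."""
    labels = []
    while True:
        length = pkt[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0:  # compression pointer: name continues elsewhere and ends here
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            rest, _ = decode_name(pkt, ptr)
            labels.append(rest)
            return ".".join(labels), off + 2
        off += 1
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length


def is_blocked(name: str, blocklist=BLOCKLIST) -> bool:
    """Block a listed name and every subdomain beneath it."""
    parts = name.lower().rstrip(".").split(".")
    return any(".".join(parts[i:]) in blocklist for i in range(len(parts)))


def sinkhole_response(query: bytes, blocklist=BLOCKLIST) -> Optional[bytes]:
    """Return a forged A answer for a blocked name, or None meaning 'forward upstream'."""
    txid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    if qd != 1:
        return None
    qname, off = decode_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[off:off + 4])
    if qtype != 1 or qclass != 1 or not is_blocked(qname, blocklist):
        return None
    question = query[12:off + 4]
    rflags = 0x8000 | (flags & 0x0100) | 0x0080  # QR=1, echo RD, RA=1, RCODE=0
    header = struct.pack("!HHHHHH", txid, rflags, 1, 1, 0, 0)
    # Answer: pointer to the question name (offset 12), type A, class IN, TTL 2s, 4-byte address
    rdata = bytes(int(octet) for octet in SINKHOLE_IP.split("."))
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 2, 4) + rdata
    return header + question + answer


def parse_answer_ip(resp: bytes) -> str:
    """Extract the IPv4 address from the first answer record (used to check our own output)."""
    _, _, qd, _an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(resp, off)
        off += 4  # skip QTYPE/QCLASS
    _, off = decode_name(resp, off)
    _rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
    off += 10
    return ".".join(str(b) for b in resp[off:off + rdlen])


if __name__ == "__main__":
    for qname in ("ads.example.net", "example.com"):
        resp = sinkhole_response(build_query(qname))
        print(qname, "->", parse_answer_ip(resp) if resp else "forward upstream")
```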

Objectives

My main goal this week is to kill ads across my home network. Follow-up objectives include advanced PiHole features and a private DNS for even better protection.

Night 1

My first attempt at PiHole was messy. I set up PiHole OCI/“Docker” containers across my two servers – ButtonMash and my old laptop. Like before, the main router skipped IP’s on me. I had it repaired within an hour thanks to my same laptop functioning as a workstation with a static IP. With the router upgrade to my upstairs workstation, I easily archived its settings and outfitted it with its own wider network static IP – complete with a netmask wide enough to chase down its rogue counterpart should it shift again (Did I have the laptop’s static IP netmask configured incorrectly this whole time?!).

Surprise! The expanded subnet didn’t work because the rogue router had its own subnet mask I was outside of. The dance was too involved for a play by play, but I only really felt helpless while trying to avoid hiking around to different workstations to clean up after this failed networking spell. As I reassembled the router for normal operation, I reasoned out that my router’s firmware is hardwired not to consider a DNS coming from a LAN connection, like I’m trying to do.

Flashing open source firmware is out of the question. For one, I wouldn’t know how to fix it and don’t have a replacement. Two: apparently its chipset manufacturer isn’t a fan of open source – the help thread I spotted recommended contacting OP’s government representative if he wanted to do anything about it.

Night 2

I did a bit of research before dismantling the network again. DHCP settings include optional fields for DNS requests. This should let me direct computers straight to PiHole instead of relaying the request in a convoluted workaround involving a NAT table and possibly causing a network loop.

This means each router is now a separate task. The responsible thing to do now is ensure my subnet router can behave before working on the main one. It’s not long before I fry my DNS settings. Navigation around my local network remains unaffected, but I eventually resort to restoring my backup from yesterday, re-applying the static IP, and updating the backup.

My best bet from here is to finalize my PiHole install. My initial container creation was the absolute minimum: port 80 web interface, port 53/TCP+UDP. There’s a lengthy list of environment variables to browse.

A Few Days Later

Jackpot! My mind cleared enough before bed to skim PiHole Docker’s documentation on GitHub. It has a list of example deployments – including a shell script. I converted it for Podman, entered my environment variables, and –during debugging– axed the logic for relaying logs as it was causing problems and I can view them directly with Cockpit-Podman.

PiHole User

But where to land it? I’ll eventually integrate it as I master Caddy. Leaving the container running as root lets it use the proper ports, but I know better. Thanks to discoveries I spun off into last week’s project, I can now make more underprivileged, Cockpit-enabled users than I will ever need by using the loopback address range (127.0.0.1/8).

The run script was easy to copy over to my new PiHole user. I gave it the directories it wanted as mountable volumes and shifted ports around until I was happy. I took the time to tidy up my firewall, combining a couple related entries and reclosing the normal DNS port.

I remember having issues with Vaultwarden’s stability over the course of days to weeks. The problem was occasionally annoying as Bitwarden only requires its home server when modifying the password vault, but PiHole will be sorely missed the moment it goes down. The one place I found the solution was in the official Podman troubleshooting guide on their GitHub [1]:

loginctl enable-linger userName

I sadly could not verify this was my previous solution to my Vaultwarden long-term issues, but it’s not entirely unfamiliar, and it’s my best-informed guess.

DNS Port Forwarding

With PiHole secured in its own, easily accessible account, I soon experienced how picky DNS requests are about using the privileged port 53. All my attempts at manually telling OpenWRT to use port 5300 failed. I expect the story will be the same if I try on my main router.

I found the solution where Woody from b-woody.com blogged about almost the exact same project last May [2]: port forward port 53 to port 5300. Paranoid about goofing my firewall over command line I ran my version of Woody’s commands past r/TechSupport’s Discord channel. Moderator Donjuanal confirmed my omission of a trailing “:toaddr=”, but questioned my blind use of tcp, explaining how DNS clients default to udp for speed.

sudo firewall-cmd --zone=public --add-forward-port=port=53:proto=udp:toport=5300 --permanent

Even with this measure in place, I had to access the web console and tick Settings>DNS>Interface settings>Potentially dangerous options>Permit all origins before my local requests made it through. This may need to be addressed later.

Takeaway

I am so glad to have PiHole installed, even if it doesn’t appear to be doing much more than the uBlock Origin Firefox plugin. I’m researching the next segment though, and I estimate another week or more worth of work before it is configured alongside a private DNS server. Worth noting is that Firefox is leaving in the features ad block requires, despite potential security concerns. This is a good enough stopping point.

Final Question

Do you use PiHole? I’d be happy to hear about your experience.

I look forward to hearing your answers in the comments below or on my Socials.

Works Cited

[1] eriksjolund, “Podman Troubleshooting: A list of common issues and solutions for Podman,” github.com, Nov. 19, 2022. [Online]. Available: https://github.com/containers/podman/blob/main/troubleshooting.md [Accessed Jan. 30, 2023].

[2] Woody, “Run PiHole in a rootless Podman container,” b-woody.com, May 12, 2022. [Online]. Available: https://b-woody.com/posts/2022-05-12-pihole-on-a-rootless-podman-container/ [Accessed Jan. 30, 2023].

[3] Can You Block It, “CAN YOU BLOCK IT? AN SIMPLE AD BLOCK TESTER,” canyoublockit.com, 2021. [Online]. Available: https://canyoublockit.com/ [Accessed Jan. 30, 2023].

I Glitched Cockpit and Discovered Multi-user Login

Good Morning from my Robotics Lab! This is Shadow_8472 with a side project for the week. Let’s get started!

My mother needed an extra browser, so I installed Firefox and hardened it a little. I took the liberty of adding the Bitwarden plugin, encouraging her to make an account on my self-hosted instance. Remembering my failure so far to diagnose the “Network Error” blocking log in, I spared the time to learn how new Bitwarden clients are slightly incompatible with old Vaultwarden servers.

I easily could have updated Vaultwarden with maybe a note on the blog Discord. Instead, I felt like adding VaultwardenUsr@localhost to Cockpit with “Add new host.” This stunt worked at the cost of forwarding shadow8472@ButtonMash to VaultwardenUsr@ButtonMash when logging in. Relogging didn’t help, and the hosts list saw VaultwardenUsr as the primary login – disallowing me from removing it – and as a remote login – blocking my attempts to add my real primary account back in with the same stunt.

While exploring this bug, I logged into my old laptop server and linked its Cockpit back into ButtonMash without getting forwarded to VaultwardenUsr. At this point, I submitted a bug report to Cockpit’s GitHub. I soon found the malformed host list at /etc/cockpit/machines.d/99-webui.json. I backed it up, purged the malformed entry, and updated GitHub with my workaround.

Out of curiosity, I added VaultwardenUsr@192.168.0.— as an alternate host. This sends packets for an extra detour, but it works as required. Only after all this did I update my Vaultwarden image from Docker Hub and deploy a new container from it using the same command as the last two successful times.

Note: While working on next week’s project, I logged into VaultwardenUsr@127.0.0.1 and other loopback IP’s with no problems. It’s just name@localhost that causes problems.

Takeaway

1 day for the win! My push for PiHole and supporting network projects has been intense lately, so it’s great to have a smaller project where I still learn by doing something important.

Final Question

Have you ever misused a software feature successfully? What challenges did you face before getting it to work how you had in mind?

I look forward to hearing your answers in the comments below or on my Socials.

My Phone is Sadly Not ROM-Flashable (Stylo 5)

Good Morning from my Robotics Lab! This is Shadow_8472, and today I am exploring my options when it comes to making good on Degoogling my LG Stylo 5 smartphone. Let’s get started!

Not a Feasible Project?

I tried. I really tried. The plight of someone awakened to Big Tech’s abuses of power is near-hopeless in the face of Android and iOS. Google and Apple’s duopoly is thanks to their extensive walled gardens. Google’s open gates admit smartphone manufacturers the world over who all but worship the search giant for money. Users who wish for an existence free from the oppressive “quality control” rules of these gardens are left to brave a harsh, digital wilderness.

Unlike the more traditional desktop platform, the smartphone wilderness is still in its pioneer days. Special preparation must be undertaken before embarkation. Like the wagon trains of old, safe passage is limited to groups. There simply aren’t enough people interested in a free (as in freedom) smartphone experience for groups with technical experience to blaze trails for every model. Few people are talking about the Stylo 5.

I may have enough experience to produce a working custom ROM, but it’s been an exhausting topic to research. Even if I did produce a working ROM, keeping it updated would monopolize the rest of my time. This project direction is not for me. For the experience I really want, I need to pick a ROM and buy hardware based on that.

Just because I’ve abandoned hopes of ROM flashing the Stylo 5 doesn’t mean I can’t re-evaluate my short and medium term plans. Whatever I do, I will need a tool called Android Debug Bridge (ADB) for administrative access to the unit.

I teased an update issue last week on my Manjaro workstation. It looks like there were some significant changes to package names. I had to uninstall a conflicting package to proceed [1], but I lost Prusa Slic3r in the process and had to reinstall it from another source. Afterwards, I found the packages for ADB had already been installed. I played with them a little, but nothing conclusive has come of it yet.

What Do I Actually Want?

I took my project to Reddit’s r/degoogle and got a reality check [2]. User Bubba1601 confirmed my researched suspicion that the Stylo 5 cannot be flashed. Between users Lisse2000 and cd109876, I learned that updates are secure against custom ROM’s for security reasons. Others recommended a Google Pixel as a way to get away from Google because it’s the only line GrapheneOS supports – again for a good reason: the Pixel is one of the few phones that lets you re-lock your boot loader, reducing the possible attack surface.

I was additionally cautioned against thinking too much of the Librem 5, an open-hardware/software Linux phone with an American-made option. Follow-up research showed that while it’s well on the way to being a viable alternative, it’s only enthusiast grade at best so far as I can tell. The premium $2,000 price tag is a bit above what I can afford with pocket change, so this is one project for the long-term dream board once I finalize monetization without compromising my values.

Given that I have to work with the Stylo 5, what CAN I do? User qUxUp was the only one to actually stay on the original topic – and I quote:

1. Use as many as possible FOSS apps instead of google play apps (you can get most from fdroid).
2. Disable what you don't need with adb.
3. Use nextdns to block the services that you don't want to interact with your phone.

I have heard of all of these in one shape or another. ADB is a bit more invasive than I want to wield on a system I care about, but the DuckDuckGo Privacy App (not sponsored) has a VPN to stop unwanted trackers from leaving the device. I’ve been fairly careful since growing sour towards Google, but DuckDuckGo’s app has helped me identify and remove an innocent-looking app or two when they phoned home despite me not interacting with them anymore.

r/degoogle moderator BlueJayMordecai gave the following advice in a pinned post:

“It's okay to change [how you want to DeGoogle] at a later time if you feel you want to go further into repalcements [sic] or go lighter if you realize there's that one tool that can't yet be replaced. [3]”

My threat model is shaped by my understanding of how Biblical end-time prophecy is playing out. I see large companies developing schemes to mistreat their positions for profit. Left unchecked, I can see these being used to more efficiently persecute Christians who disobey future civil laws requiring worship contrary to what the Bible plainly teaches. That and the 2020 political ads on YouTube were aggressive enough to move me to action. In short: I am wary of Big Tech intrusion in the short term, but I expect government abuse of the same or similar technologies to slowly grow in the coming decades.

I also know that technology shifts can be disruptive. If I focus primarily on new hardware and software before relying on it, my preexisting technology becomes an already deployed backup when the new stuff breaks. If I do not understand something and it’s my only copy, I leave it as status quo. This has led to the awkward situation of using a tablet I know has junk left deep in its OS, while being downright paranoid of a phone over the same exact junk with maybe only minor differences.

My main focus has been on restricting Google from my desktop experience because that is what I have had the resources to experiment with enough to understand. I am rapidly approaching the point where I will need to accept those bitter terms of service before further study will be of benefit to me. It’s just a matter of time before I’m out of excuses.

Takeaway

While researching big or important topics, I sometimes find myself with topics that stall, take sharp turns, or any one of an array of surprises that result in an unsatisfactory state when it comes time for my writeup. I took my phone to the carrier’s store, and while they are more than willing to unlock a phone so it can go to a different carrier, they either don’t have the tools or aren’t allowed to unlock the boot loader or assist in enabling Developer Mode (needed for ADB) without consenting to Google Services’ terms. At least the store was mostly empty, because I had to try.

There is much to be said about having hardware sitting on your desk, staring you in the face every day. The Stylo 5 has driven me to at least think about custom Android every couple months or so. Perhaps one of these times, I will finally allow this project to rest in deployment.

Final Question

What are your choices when it comes to reducing Big Tech’s influence on your life?

I look forward to hearing your answers in the comments below or on my Discord server.

Works Cited

[1] A. Rojas, “wxWidgets 3.2 update may need manual intervention,” archlinux.org, July 14, 2022. [Online]. Available: https://archlinux.org/news/wxwidgets-32-update-may-need-manual-intervention/ [Accessed: July 25, 2022].

[2] u/Shadow_8472 and others, “No known degoogled ROM for my phone and I’m not ready to maintain one. What CAN I do? (LG Stylo 5),” reddit.com, July 22, 2022. [Online]. Available: https://www.reddit.com/r/degoogle/comments/w5hmq2/no_known_degoogled_rom_for_my_phone_and_im_not/ [Accessed: July 25, 2022].

[3] u/BlueJayMordecai, “Why You Should DeGoolge & Intro DeGoogleing Techniques,” reddit.com, July 20, 2020. [Online]. Available: https://www.reddit.com/r/degoogle/comments/huk4rp/why_you_should_degoogle_intro_degoogling/

I Installed Android (Again, Pi 400)

Good Morning from my Robotics Lab! This is Shadow_8472 with a side project of the week. Let’s get started!

Free, but not Free

Mobile computers are decades to years behind desktops, and usable free (as in freedom) and open source experiences lag behind accordingly. Android may be branded as open source, but Google did not build their Play Store into the platform’s primary draw by allowing a “free” experience. OEM’s (Original Equipment Manufacturers) making Android devices must play by the search giant’s rules or be prepared to start from scratch.

That iron grip on Android –tight as it may be– still affords room for hobbyist level projects. LineageOS will get compatible devices booted to Android without the need to compile AOSP (Android Open Source Project) yourself. Another project, the difficult-to-search-for /e/, takes the concept farther by removing many of the lingering hooks back to Google infrastructure and making an attempt at a cohesive end-user experience.

Raspberry Pi 400 (Tablet Edition)

A while back, I installed an unofficial build of LineageOS on my Raspberry Pi 400 as a precursor to installing a custom AOSP ROM on a phone. This first attempt was accidentally AndroidTV edition, leading to confusion and sadness. I re-installed it for last week’s blog, but even seeing it ask more phone/tablet-type questions than before didn’t feel like enough to base even a short blog on.

I hesitated when sideloading the F-Droid appstore last week. I couldn’t find their GPG keys to verify the download against, but I learned something in the process. Additional research this week still hasn’t yielded their keys, but I’ve learned that it might involve adding a key repository – sort of like how I couldn’t just start downloading images when I installed Podman on my laptop. However, I want to end up with /e/ instead, so I don’t feel the need to be as careful learning how to add a trusted key repository. Instead, I’ll just keep it offline.

About the only large challenge I solved was getting F-Droid’s install file onto LineageOS. Normally, I would just mount it and drop a file where it needs to go. That wasn’t an option here because I didn’t know where it belonged and the directories above it had locked down permissions. The simplest solution was to just move it over with a USB drive. It installed cleanly from there, and I ran out of time from working on long-term projects and shorter projects bloating beyond this week’s scope.

Takeaway

If you ever hit a roadblock while learning and it turns out to be a safety measure, listen to it. Take reasonable alternate actions to remain safe and try to learn a bit about how to pass it correctly each time.

Final Question

What subjects have you had to conquer a chip at a time?

My Raspberry Pi 400 Runs Android

Good Morning from my Robotics Lab! This is Shadow_8472 with a side project of the week. Let’s get started!

Android Practice

I have been going without a smartphone for a while because I don’t accept Google’s terms of service. Apple is no better. The only option I’ll be happy with is one with nothing but open source software at its heart.

Unfortunately, 3rd party Android builds like LineageOS are infamously difficult and potentially a little unforgiving to install yourself. I need practice, which is why I installed an unofficial LineageOS build for the Raspberry Pi a couple months ago – right before I made an incomplete mad dash for assembling Button Mash into a proper home server.

I used balena Etcher to safely install a build of Android made for the Raspberry Pi 4 lineup built by Konsta [1].

The initial boot was a bit longer than reasonable, and there were some impressive graphical glitches I have never been able to reproduce since. It was a little weird using a mouse with Android menus – especially since I had no way to switch the mouse buttons to a more comfortable lefty configuration. My greatest impression was that there was nothing to do besides browse settings and the file system.

I wanted something a little more to present today, so I installed F-Droid, an app store for open source apps. The challenge wasn’t so much installation, but loading the .apk installation file where the file browser could see it. I had to plant a directory from within LineageOS and use the find command to locate it. Before moving the SD card back to the Pi 400 again, I changed the owner from root to the number 0 and made sure it had the needed permissions. Installation was smooth after that.
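The procedure above, as an added example that is not part of the original post: copy an .apk onto the SD card's mounted data partition and give it the ownership and mode of the directory it lands in. On Linux, root is uid 0, so a chown to 0 still leaves a file root-owned; what an unprivileged Android file browser typically needs is a file that carries the same owner, group and mode as its parent directory, since each Android app runs under its own uid and cannot read into directories it does not own. The mount point and directory names are assumptions, and the helpers rely on GNU coreutils (`chown --reference`, `chmod --reference`, `stat -c`), which is what a Linux host writing the card would have.

```shell
#!/bin/sh
# Added example, not the blog's own commands. Assumes the LineageOS SD card's
# userdata partition is already mounted on the Linux host (hypothetical path
# /mnt/sdcard-data) and that the directory the Android file browser can see
# already exists there. Requires GNU coreutils.
set -eu

# stage_apk SRC_APK DEST_DIR
# Copies SRC_APK into DEST_DIR and makes it look like DEST_DIR's own files:
# same owner and group as the directory, mode taken from the directory with
# execute bits cleared (an .apk is data here, not a program the host runs).
stage_apk() {
    src=$1
    dest_dir=$2
    [ -f "$src" ] || { echo "no such apk: $src" >&2; return 1; }
    [ -d "$dest_dir" ] || { echo "no such directory: $dest_dir" >&2; return 1; }
    target="$dest_dir/$(basename "$src")"
    cp -- "$src" "$target"
    chown --reference="$dest_dir" -- "$target"
    chmod --reference="$dest_dir" -- "$target"
    chmod a-x -- "$target"
    printf '%s\n' "$target"
}

# file_mode PATH -> octal permission bits, e.g. 640
file_mode() {
    stat -c '%a' -- "$1"
}

# file_owner PATH -> numeric uid:gid, which is all the host sees for Android's
# users since their names are not in the host's /etc/passwd
file_owner() {
    stat -c '%u:%g' -- "$1"
}

# find_dir ROOT NAME -> first directory named NAME below ROOT; the same job
# the post did with find after creating a marker directory inside Android
find_dir() {
    find "$1" -type d -name "$2" -print -quit
}
```

Usage on the real card would be `stage_apk ~/Downloads/F-Droid.apk "$(find_dir /mnt/sdcard-data Download)"`; after unmounting cleanly, the file browser on the Pi sees the .apk with the same ownership as the files beside it.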

Only while doing this writeup did I realize this build was Android TV based. I expect to revisit this project with the correct installation.

Takeaway

I have no idea if this is supported at all beyond the efforts of KonstaT, or if it’s even anything more than a tech demo. While I would not recommend using a setup like this long term, it is still an excellent learning tool for where I am at right now.

Final Question

Have you ever used Android on something other than a smartphone or tablet?

I look forward to hearing your answers in the comments below or on my Discord server.

Work Cited

[1] Konsta, “Raspberry,” konstakang.com, 2022. [Online]. Available: https://konstakang.com/devices/rpi4/. [Accessed May 2, 2022].

Joining the Let’s Encrypt Help Forum

Good Morning from my Robotics Lab! This is Shadow_8472, and today I am finding help towards getting an SSL certificate from Let’s Encrypt. Let’s get started!

The Time to Get Help

Manually setting up an HTTPS secured service from your home is not beginner level by any stretch of the disillusioned imagination. In many ways, it reminds me of installing Linux for the first time. The system as a whole is irreducibly complex; multiple project-sized milestones rely on each other for usefulness, so I won’t see any results basically until I’m done.

So far, ButtonMash is running Rocky Linux 8. I have NGINX installed, but it can’t be properly configured to serve HTML over HTTPS until I have an SSL (more precisely, TLS) certificate. Certificates are available for free from Let’s Encrypt, but getting and renewing them by hand is reportedly labor intensive even once you know what you’re doing. ACME (Automatic Certificate Management Environment) clients can automate this work, but the list of installation options alone is exhausting.
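What the ACME client automates, as an added example that is neither the blog's nor Let's Encrypt's own tooling: Let's Encrypt certificates are valid for 90 days, and certbot's renewal timer renews any that have fewer than 30 days left (`certbot renew`, or `certbot renew --dry-run` to rehearse). The check behind that decision is shown below with `openssl x509 -checkend`, which is what you reach for when a certificate was installed by some other path and no timer is watching it. A throwaway self-signed certificate stands in for a real one so it runs offline; the host name in it is an assumption.

```shell
#!/bin/sh
# Added example, not the blog's or Let's Encrypt's code. Mirrors the
# renew-or-not decision an ACME client makes on its timer. Requires openssl.
set -eu

# certbot's default: renew once fewer than this many days remain
RENEW_WINDOW_DAYS=30

# cert_expires_within CERT_PEM DAYS
# Exit 0 if the certificate's notAfter falls within DAYS from now, 1 if it is
# still valid beyond that. openssl's -checkend returns 0 when the cert is
# still valid at now+seconds, so the sense is inverted here to read naturally.
cert_expires_within() {
    if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null; then
        return 1
    fi
    return 0
}

# cert_not_after CERT_PEM -> the notAfter date as openssl prints it
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# needs_renewal CERT_PEM -> "renew" or "ok"
needs_renewal() {
    if cert_expires_within "$1" "$RENEW_WINDOW_DAYS"; then
        echo renew
    else
        echo ok
    fi
}

# make_test_cert OUT_DIR DAYS -> path of a self-signed cert valid for DAYS days
# (constructed test data only; never put a self-signed cert on a public service)
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=buttonmash.example" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
    printf '%s\n' "$1/cert.pem"
}

# Stand-alone demo: sh cert_check.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    c=$(make_test_cert "$d" 5)
    echo "notAfter: $(cert_not_after "$c")"
    echo "status:   $(needs_renewal "$c")"
    rm -rf "$d"
fi
```

On a production box the same check runs against `/etc/letsencrypt/live/<domain>/fullchain.pem`; if `needs_renewal` says renew and `certbot renew` does not, the timer is not running and that is the thing to fix first.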

Joining Let’s Encrypt’s Community

I have made a good faith effort to self-educate, but I’ve slowed down to the point where I feel like I’m posting the same thing week after week with dribbles of progress. The documentation has far exceeded my attention span. It’s time to look for help.

Let’s Encrypt, like many well-respected technical projects, has a designated community support forum [1]. It’s just not on Discord or some other platform I’m already on. After weeks of self-research, I made an account and started looking around.

Unsurprisingly, the people I found in such a niche community are more knowledgeable about all things related to security certificates. The more I talk about my project there, the more important concepts are brought to my attention. For example, I keep coming across terms I have seen before but have so far remained clueless about. When those come up in conversation I look them up and only ask if I can’t find the answer in a reasonable amount of time.

3D Printing Corner

My brim decision is really backfiring now. I might even say it’s a worse idea than using a raft at this point. For what it’s worth, I made the time to glue a couple of those calibration cubes together. One drop, then press together. My father used a pencil on Sonic during a final dry fit to help for gluing the two halves together.

Side Project

My mother’s new sewing table has a fancy elevator platform to hide away her machine. This week, she got a power cord stuck in its mechanism where a couple clips jammed against it and each other. I was quick to find a 3D printed solution to keep it from happening again once we dislodged it [2]. I settled on a design aimed at holding phone chargers, but it was about the right size when I scaled it up to 200% and told it to use solid infill on the clip. My father and I installed it under the elevator and used a couple Velcro straps to lock the cords in so they don’t fall out.

Takeaway

I have never been excited about mastering a network backbone. It’s been one of those things that always feels simple enough to reach for, but complex enough to challenge my perseverance. I’m glad I’ve found a place that seems friendly enough.

Final Question

Certbot is the recommended ACME client, but there’s a list with dozens of them on it [3]. Someone name-dropped Caddy, but I’ve been studying NGINX. Have you gone through Let’s Encrypt before? If so, what ACME client do you use?

Works Cited

[1] Internet Security Research Group, “Let’s Encrypt Community Support,” community.letsencrypt.org. [Online]. Available: https://community.letsencrypt.org/ [Accessed Mar 25, 2022].

[2] TJH5, “Cable Holder,” thingiverse.com, Aug. 13, 2017. [Online]. Available: https://www.thingiverse.com/thing:2481258 [Accessed Mar 25, 2022].

[3] Internet Security Research Group, “ACME Client Implementations,” letsencrypt.org, Mar. 6, 2022. [Online]. Available: https://letsencrypt.org/docs/client-options/ [Accessed Mar 25, 2022].

Misadventures in Studying NGINX

Good Morning from my Robotics Lab. This is Shadow_8472, and today I am getting lost while exploring SSL certificates… again. Let’s get started!

Installing NGINX

At last count, I had about six or seven projects I should hook into NGINX, but most of them are on hold because I don’t want some stranger finding his way into my home network and rearranging things without permission. I set up Vaultwarden to manage its own HTTPS connections, and I learned a lot about what SSL is and how it works. But this is not a recommended configuration and I want to learn the proper, more advanced way of doing things.

I ignored plenty of guides’ advice on my path to a Vaultwarden server. They recommend some sort of reverse proxy in front of the service (an ingress controller, in Kubernetes terms), and I’m currently exploring one called NGINX. I’ve come across quite the debate as to whether to use a container or install it native. The tutorials for the container edition all use Docker, but I’m using Podman and I’m uneasy about root permission nuances between the two projects making things needlessly more challenging, so I installed the package on ButtonMash.

sudo dnf install nginx

To confirm installation, I enabled the web server with a few systemctl commands and opened a port in ButtonMash’s firewall. NGINX now proudly displays its welcome page.
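The setup the two paragraphs above describe, carried through as an added example that is not the blog's, NGINX's or Vaultwarden's own configuration: the install/enable/firewall steps on Rocky Linux 8, an NGINX site that redirects plain HTTP to HTTPS and terminates TLS in front of Vaultwarden, and a small lint that catches the two mistakes tutorials most often leave in (legacy TLS versions enabled, HSTS forgotten). The domain, the upstream address and the certificate paths are assumptions; the certificate paths are where certbot puts files by default, and `fullchain.pem` is used rather than `cert.pem` so clients receive the intermediate. One Rocky-specific caveat is included that Docker-centric tutorials omit: SELinux blocks NGINX from connecting to an upstream port until `httpd_can_network_connect` is set.

```shell
#!/bin/sh
# Added example, not the blog's or any project's own config. Assumed names:
# vault.example.org (domain), http://127.0.0.1:8080 (the Vaultwarden
# container's published port), /var/www/letsencrypt (http-01 webroot).
set -eu

# setup_rocky: install, enable, open the firewall and let NGINX reach an
# upstream port under SELinux. Root required; not invoked by the demo below.
setup_rocky() {
    sudo dnf install -y nginx
    sudo systemctl enable --now nginx
    sudo firewall-cmd --permanent --add-service=http
    sudo firewall-cmd --permanent --add-service=https
    sudo firewall-cmd --reload
    sudo setsebool -P httpd_can_network_connect 1
    sudo nginx -t && sudo systemctl reload nginx
}

# write_site DOMAIN UPSTREAM OUT -> OUT, an NGINX server pair for DOMAIN that
# answers ACME challenges on :80, redirects everything else to HTTPS, and
# proxies :443 to UPSTREAM with the headers Vaultwarden expects.
write_site() {
    domain=$1 upstream=$2 out=$3
    cat > "$out" <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name $domain;
    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }
    location / {
        return 301 https://\$host\$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name $domain;

    ssl_certificate     /etc/letsencrypt/live/$domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$domain/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    add_header Strict-Transport-Security "max-age=63072000" always;
    add_header X-Content-Type-Options nosniff always;

    client_max_body_size 525M;

    location / {
        proxy_pass $upstream;
        proxy_http_version 1.1;
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }
}
EOF
    printf '%s\n' "$out"
}

# lint_site FILE: exit 0 if FILE carries what a public TLS endpoint needs,
# 1 otherwise, naming each missing piece on stderr.
lint_site() {
    rc=0
    for needle in 'ssl_certificate ' 'ssl_certificate_key ' \
                  'ssl_protocols TLSv1.2 TLSv1.3;' 'Strict-Transport-Security' \
                  'return 301 https://' 'proxy_set_header X-Forwarded-Proto'; do
        grep -qF -- "$needle" "$1" || { echo "missing: $needle" >&2; rc=1; }
    done
    if grep -Eq 'ssl_protocols.*(SSLv3|TLSv1 |TLSv1\.1)' "$1"; then
        echo "legacy protocol enabled" >&2; rc=1
    fi
    return $rc
}
```

On the server the flow is `setup_rocky`, then `write_site vault.example.org http://127.0.0.1:8080 /etc/nginx/conf.d/vault.conf`, then `certbot certonly --webroot -w /var/www/letsencrypt -d vault.example.org`, then `nginx -t` and a reload; `lint_site` is cheap enough to run every time the file is touched.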

A Web of Dependencies

NGINX does not lend itself to solo study. It is a do-everything solution for networking. With so many use cases from serving HTML pages to load balancing containers, I have spent weeks poring through tutorials without finding a keystone lesson for my use case. Some of that time was spent looking into some sort of web interface I falsely believed was included. See NGINX Proxy Manager vs. NGINX for details. I will stick with bare NGINX for now, mainly because NGINX Proxy Manager’s website ironically has an expired SSL certificate.

I got lost researching what I would need for a project this week. Proper HTTPS for Vaultwarden is a good choice of target. That will require an SSL certificate, and that means Let’s Encrypt. A Let’s Encrypt certificate is issued for a public domain name (a subdomain works), so that means arranging one of those.

Somewhere along the way, I got lost and visited this blog’s host cPanel in the interest of moving its SSL to Let’sEncrypt. The experience was unexpectedly surreal, like I was paging through a book written in a language I’m trying to learn – there was a flood of jargon, but the bits I recognized made for moments of satisfaction.

3D Printing Corner

I want to glue the Sonic figure I printed, but I’d just as soon have some experience with gluing large, flat surfaces together before I go smashing a larger project together and hoping it sticks (literally). I had the idea to print up eight calibration cubes for practice. I tried some lower infill settings and got inferior, but adequate results. My biggest complaint was how many tries it took for the overall first layer. I had to settle with a couple curling corners, but a perfect print wasn’t the goal anyway. Gluing will have to wait until next week though.

Side Project

Also on the topic of 3D printing, my mother has been into quilting as of late and she commissioned some more bias tape makers like the ones I made during the early stages of the pandemic. I found what I thought was the model on Thingiverse and its description linked a revision that folds it in half again. I used a spreadsheet to scale the model to a couple different sizes.

Takeaway

I feel like I am assembling a jigsaw puzzle without the box. Each piece must be studied and understood before placing it. Half the challenge is knowing what pieces need to be in place before it’s time to begin studying others. Placing more than one at a time is very difficult, but the HTTPS piece interlocks with so many others that its ecosystem doesn’t lend itself to the project-of-the-week format of study I have going on here.

Final Question

The most important lesson in tech is to know where to seek help. I had to seek out a new Discord server familiar with NGINX this week when I should have looked them up a week ago. How long does it take before you look for specialized help?