wip

crowdsec is a separate adventure.

README.md

@@ -20,12 +20,14 @@ docker run --rm -it -p 8080:8080 wip hugo serve --bind 0.0.0.0 --port 8080
        should be a laser printer, as inkjet is stupid.
  - [ ] A truly FOSS eink reader.
  - [ ] VIM Bindings everywhere please
+ - [ ] trying to use a MIDI controller as a piano on Linux is insanity
 
 ### Digital Soverignty
  - [x] how to host a blog
  - [ ] how to securely "self-host" using a VPS, portainer and traefik
  - [x] how to configure neomutt
  - [ ] how to securely host a mail server
+ - [ ] how to private tracker with a NAS
 
 ### Old sillyblog
  - [x] Avr memory model

content/about.md

@@ -3,10 +3,10 @@ title: About gtz blog
 author: Asger Gitz-Johansen
 ---
 
-I am a software engineer from Denmark working at [GomSpace](https://gomspace.com/home.aspx).
+I am a software engineer from Denmark working at [GomSpace](https://gomspace.com/home.aspx). This is just my simple
-This is just my simple blog that I use for letting out "blogging-steam".
+blog that I use for letting out "blogging-steam". I write GNU/Linux based tutorials and sometimes I write opinion
-I write GNU/Linux based tutorials and sometimes I write opinion pieces.
+pieces. These posts are mostly for my own sake, but I hope you find my stuff useful.
-I hope you find my stuff useful.
+
 If you want more from me, check my links:
 
  - [GitHub](https://github.com/sillydan1)

content/posts/avr-memory-model.md

@@ -69,7 +69,7 @@ gdb: > x/16xb my_heap_object
 ```
 
 The first bytes at address `0x800100` are `0a` and `00`. These bytes are the *free-list* entry and explains how "big"
-the object is. When reading this, we have to remember that the model is littleengine-based (meaning that the bytes are
+the object is. When reading this, we have to remember that the model is little endian-based (meaning that the bytes are
 switched), 
 so we actually have the value of `0x000a`, meaning `10` in decimal. This makes a lot of sense, since we allocated 5
 `int`s, that is of size 2 (16bit integers). 

content/posts/computation-in-nature.md

@@ -9,17 +9,17 @@ categories = ['opinion']
 ## Disclaimer
 
 This was written as a student project as part of our ethics course, where we had to write an opinion piece on anything
-we wanted in the field of computer science. Note that this was before *LLM*'s was a thing.
+we wanted in the field of computer science. Note that this was before *LLM*'s was a thing. I also apologize if the
+wording is off - this was written in an afternoon as a rush-job. I still think it's an interesting read though.
 
 # Computation in Nature
 
 > "If you ever think your code is bad, just remember that CPUs are just rocks that we tricked into thinking"
 
-**Does the nature compute, or the computation is something that only the humans are
+**Does nature compute, or is computation something that only humans are doing? If so, what is it about?**
-doing? If so, what is it about?**
 
 To answer this question, we would need to define what the terms used in it even means.  If you look up the definition
-of the word ’compute’ on Merriam Websters dictionary, you will find that it primarily means _"to determine
+of the word ’compute’ on Merriam Websters dictionary, you find that it primarily means _"to determine
 especially by mathematical means"_. This definition mentions a usage of mathematics, which suggests a close bond
 between these concepts.  What would it mean to determine something? I would argue that it means to make a decision
 based on either prior experience, data or calculations. This implies that computation have a focus on deciding
@@ -33,20 +33,20 @@ mentions that flower petals rarely exceeds a quantity of five. We even see the f
 seeds](http://popmath.org.uk/rpamaths/rpampages/sunflower.html).
 
 An example of computation in nature is actually very easy to find. Take a rabbit, or any other smaller prey. A rabbit
-is constantly observing and reacting to the sorrounding environment, otherwise it will get eaten by predators or fall
+is constantly observing and reacting to the sorrounding environment, otherwise it gets eaten by predators or fall
 into a lake and drown or any other scenario involving death. You could argue that the rabbit is constantly asking
 questions about what to: _"Should I run away?"_, _"Should I keep eating?"_, _"Should I be eating this?"_ etc. The
 rabbit may not be consciously aware of these queries, but nevertheless, it is answering to them through actions.
 
 In Empiricism, the concept of a mind being a blank slate (in this case we are talking about a human mind, not
-a rabbit’s) and experiences gets remembered is very much applicable here. This trait means that a human mind
+a rabbit’s), which remembers experiences throughout it's life is very much applicable here. This trait means that a
-has a memory, i.e. It can remember old conclusions and recall them when desired. We can actually prove that this
+human mind has a memory, i.e. It can remember old conclusions and recall them when desired. We can actually prove that
-trait is not exclusive to humans, since we can observe other mammals (and even fish and reptiles) demonstrating
+this trait is not exclusive to humans, since we can observe other mammals (and even fish and reptiles) demonstrating
-the usage of memory. A prime example is the elephant.
+the usage of memory. A prime example is the elephant, but pretty much any animal applies here.
 
-In Rationalism, we see a similar pattern of using the method of deduction to find conclusions and deduct new
+In Rationalism, we see a similar pattern that mimics memory - using the method of deduction to find conclusions and
-conclusions (memory). However, if you were to believe the Rationalists, getting the data needed for computation
+deduct new conclusions. However, if you were to believe the Rationalists, getting the data needed for computation
-in nature, may be a tricky task. We previously had an assumption, that we could trust our senses and that other
+in nature, may be a tricky task. We previously had an assumption that we could trust our senses and that other
 creatures also had senses. In Rationalism the only thing we can trust is the fact that we are doubting. Since we
 can’t say anything about if the rabbit is doubting everything. This is where the rabbit example breaks down a
 little, but we are not completely stuck here. Humans are mammals and mammals are a type of animal. Animals are
@@ -78,7 +78,7 @@ to because of the time era he was in and that AI as a field was not as big (if a
 
 Turing finishes the article with the notion that there is still a lot of work to be done in the field of AI and it
 is a fun contrast to see what arguments and thoughts a mind like his had back in the fifties, compared to modern
-AI can offer.  Will humans ever be able to create a truly conscious artificial mind? And will we ever be able to
+AI can offer. Will humans ever be able to create a truly conscious artificial mind? And will we ever be able to
 test it properly?
 
 If you believe the Mathematical Realists, mathematics is a thing that exists independently of humans, and can be

content/posts/how-to-portainer.md

@@ -10,7 +10,7 @@ In this post, we will be going over how to set up a [portainer](https://www.port
 and how to use it. This is ideal if you want to host a personal website, a [blog](/posts/how-to-blog), a personal
 [github](git.gtz.dk) or whatever your development heart desire.
 If you choose to follow along, by the end of it, you will have an environment where you can just add or remove docker
-based services at a whim.
+based services at a whim using a nice web-based interface.
 
 I assume that you already know about `docker` and `docker compose` yaml syntax. If you don't, may I recommend the
 wonderful official [docker tutorial](https://docs.docker.com/get-started/workshop/) - once you're done with that come
@@ -21,20 +21,29 @@ management and interaction with the terminal both during the setup process and d
 
 ## Server
 
-The very first thing to get is a server. This can either be the machine you're currently using if you don't want to mess
+The very first thing to get is a server. This can either be the machine you're currently using if you don't want
-around on the public internet, or it could be an actual desktop you have set up with a public IP. Or it could be a VPS
+to mess around on the public internet, or it could be an actual desktop you have set up with a public IP. Or
-(Virtual Private Server) - which is just a fancy word for a "cloud computer" that someone else hosts and powers, and you
+it could be a VPS (Virtual Private Server) - which is just a fancy word for a "cloud computer" that someone
-just get an SSH connection to it. Any VPS provider will work, but [digital ocean](https://www.digitalocean.com/) is very
+else hosts and powers, and you just get an SSH connection to it. Any VPS provider will work, but [digital
-affordable and easy to use. As long as you get a VPS and avoid a *webhotel*, you should be fine (side note: webhotels
+ocean](https://www.digitalocean.com/) or [linode](https://www.linode.com/) are very affordable and easy to use
-are a scam and you shouldn't ever use them - especially not if you're tech-savvy enough to read this blog).
+VPS providers. As long as you get a VPS and avoid a *webhotel*, you should be fine (side note: web hotels are a
+scam and you shouldn't ever use them - especially not if you're tech-savvy enough to read this blog).
 
 Once you have your server, [install](https://docs.docker.com/engine/install/) docker on it. Preferably the latest
 version.
 
 ## Traefik and Portainer
 
-The very first thing to get done is set up portainer and traefik. This is done by creating a new `docker-compose.yml`
+Traefik is a load balancer / application proxy that makes it easy for you to route network traffic into your various
-file on your server. Just to keep things tidy, you should make a directory for all you are going to do here.
+services on your server. By using traefik, you can have multiple docker containers, each providing their own service on
+a single server, and traefik just routes user traffic based on the URL request, or ports used.
+
+Portainer is a web-based docker container management GUI (Graphical User Interface) - if you've tried Docker Desktop,
+think if portainer as a web-based version of that.
+
+Getting traefik and portainer up and runinng is done by creating a new `docker-compose.yml` file on your server
+and adding them as individual services. Just to keep things tidy, you should make a directory for all you are
+going to do here. Do the following on your server.
 
 ```sh
 # Make the config directory in your $HOME dir - this is where 
@@ -49,15 +58,16 @@ cd ~/config
 touch docker-compose.yml
 ```
 
-It might be a good idea to initialize the `control` directory as a (local) `git` project. That way you will always have
+It might be a good idea to initialize the `config` directory as a (local) `git` project. That way you will always have
 a history of what you have been done, and what you did when you (inevitably) break things. This I will leave up to you
-though (probably gitignore the `portainer-data` directory).
+though (you should gitignore the `portainer-data` directory, since that's managed by portainer and may contain a bunch
+of stuff you don't want).
 
-Inside the new `docker-compose.yml` file, you should put the following content (open the file using your favorite
+Inside the new `docker-compose.yml` file, you should put the following content. Simply open the file using your favorite
-terminal text editor).
+terminal text editor and paste the following. Note! Don't start the stack yet - we still need to configure a bunch of
+things.
 
 ```yaml
-# docker-compose.yml
 services:
   traefik:
     image: traefik:latest
@@ -84,6 +94,9 @@ services:
       - traefik.http.routers.traefik-secure.service=traefik
       - traefik.http.routers.traefik-secure.middlewares=user-auth@file
       - traefik.http.routers.traefik-secure.service=api@internal
+    environment:
+      - "CF_DNS_API_TOKEN="  # ADD YOUR OWN DNS API TOKEN HERE
+      - "CF_ZONE_API_TOKEN="  # ADD YOUR OWN DNS API TOKEN HERE
 
   portainer:
     image: portainer/portainer-ce:alpine
@@ -115,25 +128,145 @@ are common to both of them, we set the initial niceties, such as the `container_
 and set their shared network to be the externally defined `proxy` network. Both services need (read-only) access to the
 system time for various reasons, so we volume mount `/etc/localtime` to their respective internal `/etc/localtime`. They
 also both need access to the system docker socket, so we also volume mount that in (again, read-only). Then we map the
-various configuration files in (we will soon make these).
+various configuration directories to their respective services.
 
 If you haven't used `traefik` before, you might be scratching your head on the `labels` that we set on each of the
-services. This is how you configure services to integrate into traefik, enabling you to route your various containers to
+services. This is just how you configure services to integrate into traefik, enabling you to route your various
-various subdomains, integrate middlewares such as forcing HTTPS and setting load-balancer settings etc.
+containers to various subdomains, integrate middle-wares such as forcing HTTPS and setting load-balancer settings etc.
 
-Let's add the configuration files, shall we?
+The `CF_DNS_API_TOKEN` and `CF_ZONE_API_TOKEN` tokens are our cloudflare API keys. If you're using a different DNS
+provider, you should check the [traefik documentation](https://doc.traefik.io/traefik/https/acme/#providers) to see if
+your provider is supported, and change the environment variable names accordingly.
 
-## Keycloak
+Since the configuration directories are currently empty, the setup won't work yet. Let's add the traefik configuration
+files first:
 
-## TODOs
+```sh
- - [ ] 2FA the control dashboards through keycloak
+cd ~/config/traefik-data
- - [x] geoblocking the control dashboards
+mkdir -p configurations
- - [ ] start the article with a demo of what we'll be making
+touch traefik.yml
- - MAYBE:
+touch configurations/dynamic.yml
-   - [ ] portainer introduction (maybe)
+```
-   - [ ] traefik introduction (maybe)
-   - [ ] add a "skip if you already know portainer and traefik"
 
+The `traefik.yml` file contains your general traefik configuration. This is where you register certificates, enforce
+HTTPS and set general settings. The content we're interested in having is the following:
+
+```yaml
+api:
+  dashboard: true
+
+entryPoints:
+  web:
+    address: ":80"
+    http:
+      redirections:
+        entryPoint:
+          to: websecure
+  websecure:
+    address: ":443"
+    http:
+      middlewares:
+        - secureHeaders@file
+      tls:
+        certResolver: letsencrypt
+
+certificatesResolvers:
+  letsencrypt:
+    acme:
+      email: your-email-here
+      storage: acme.json
+      keyType: EC384
+      dnsChallenge:
+        provider: cloudflare
+        delayBeforeCheck: 0
+
+providers:
+  docker:
+    endpoint: "unix:///var/run/docker.sock"
+    exposedByDefault: false
+  file:
+    filename: /configurations/dynamic.yml
+```
+
+The first `api` section is pretty self-explanatory enables the web-ui dashboard. You can choose not to do
+this if you don't want the traefik web dashboard. The `entryPoints` section is a bit more interesting. This
+is where we enforce that all HTTP web-requests on port `80` will be redirected to port `443` using transport
+layer security (TLS). You might notice that we specifically mention `letsencrypt` here, this leads us
+to the `certificatesResolvers` section. Since I am using [cloudflare](https://www.cloudflare.com/)
+as my DNS (Domain Name Service) provider, I can also use them as my TLS certificate provider as
+they provide this service. This is a complex topic and if you're interested, I recommend reading
+[this](https://blog.cloudflare.com/introducing-automatic-ssl-tls-securing-and-simplifying-origin-connectivity/)
+blog post by cloudflare themselves. Boiling all this jargan down, we are just using cloudflare as a middleman to
+help us get the little lock icon in the browser when someone visits our website(s). I've set the certificates to
+automatically update, so I don't have to worry about it ever again.
+
+The `providers` settings refer to where traefik can route internet traffic to. We simply register `docker` as a service
+provider as well as the configurations we define in `configurations/dynamic.yml`. Let's take a look at the content of
+that file.
+
+```yaml
+http:
+  middlewares:
+    secureHeaders:
+      headers:
+        sslRedirect: true
+        forceSTSHeader: true
+        stsIncludeSubdomains: true
+        stsPreload: true
+        stsSeconds: 31536000
+    user-auth:
+      basicAuth:
+        users:
+          - "administrator:<password>"  # ADD YOUR ADMIN PASSWORD HERE ()
+
+tls:
+  options:
+    default:
+      cipherSuites:
+        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+      minVersion: VersionTLS12
+```
+
+Starting in the `http.middlewares` section, we first register a TLS middleware that we call `secureHeaders` (note that
+this is the middleware referred in `traefik.yml`) - skipping past the details, this middleware simply adds security
+headers to each request. Our second middleware, `user-auth` is the authentication method to gain access to the traefik
+dashboard. Here we set the username `username` and you should generate the password using the `htpasswd` command. This
+command should be available through the `apache2-utils` package on ubuntu systems, and `extra/apache` on Arch. Simply
+copy / paste the generated hashed password into your yaml file.
+
+```sh
+# -n = output to stdout -B = use bcrypt
+# Make sure to replace 'administrator' if you want a different username
+htpasswd -nB administrator
+```
+
+## Starting Everything
+
+We should now have everything set up and ready for starting! Simply navigate to the `~/control` directory and start the
+docker compose stack.
+
+```sh
+# Start the containers (detached)
+docker compose up -d
+
+# Follow along with the logs
+docker compose logs -f
+```
+
+Hopefully there shouldn't be any errors, but if there are, make doubly sure that your TLS settings are set correctly,
+as that's likely to be the thing to mess up (ask me how I know). If you need additional assistance, the [official
+traefik docs](https://doc.traefik.io/traefik/) are a great resource. Portainer is fairly fool-proof, so I don't expect
+that to cause you any problems.
+
+## TODO
+ - [ ] DNS records, ACME challenges, TXT records, Wildcard A records, CAA records - jesus there's so much shit I've forgotten
+
+{{< centered image="/6616144.png" >}}
 
 ```yaml
 services:
@@ -181,5 +314,3 @@ networks:
     external: true
   keycloak:
 ```
-
-{{< centered image="/6616144.png" >}}