diff options
Diffstat (limited to '_posts')
24 files changed, 889 insertions, 14 deletions
diff --git a/_posts/2009-02-07-techtalk-einen-gameboy-auf-dem-pc.md b/_posts/2009-02-07-techtalk-einen-gameboy-auf-dem-pc.md index 2c556d6..f02d62a 100644 --- a/_posts/2009-02-07-techtalk-einen-gameboy-auf-dem-pc.md +++ b/_posts/2009-02-07-techtalk-einen-gameboy-auf-dem-pc.md @@ -103,19 +103,13 @@ UPDATE (30.4.2009): ### Emulatoren -- <a href="https://de.wikipedia.org/wiki/Emulator">Emulator</a> auf -Wikipedia -- <a href="https://emulator-zone.com/">Emulator Zone</a> Eine -Übersicht über Spielkonsolenemulatoren. -- _VisualBoyAdvance (toter Link entfernt)_ -Homepage des Emulators "VisualBoyAdvance" +- <a href="https://de.wikipedia.org/wiki/Emulator">Emulator</a> auf Wikipedia +- <a href="https://emulator-zone.com/">Emulator Zone</a> Eine Übersicht über Spielkonsolenemulatoren. +- _VisualBoyAdvance (toter Link entfernt)_ Homepage des Emulators "VisualBoyAdvance" - [SourceForge-Projektseite vom Emulator](https://sourceforge.net/projects/vba/) ### Spiele -- <a href="https://de.wikipedia.org/wiki/ROM_%28Spielmodul%29">ROM</a> -auf Wikipedia -- _PDRoms / Gameboy (toter Link entfernt)_ -Legale ROMs für den GameBoy -- _PDRoms / GameBoy Advance (toter Link entfernt)_ -Legale ROMs für den GameBoy Advance +- <a href="https://de.wikipedia.org/wiki/ROM_%28Spielmodul%29">ROM</a> auf Wikipedia +- _PDRoms / Gameboy (toter Link entfernt)_ Legale ROMs für den GameBoy +- _PDRoms / GameBoy Advance (toter Link entfernt)_ Legale ROMs für den GameBoy Advance diff --git a/_posts/2021-03-23-winvm.md b/_posts/2021-03-23-winvm.md index 528d636..3ee73f4 100644 --- a/_posts/2021-03-23-winvm.md +++ b/_posts/2021-03-23-winvm.md @@ -4,6 +4,7 @@ title: Windows VM under Devuan with QEMU / libvirt date: 2021-03-23 20:32 +0100 categories: tech description: How to run a Windows VM under Devuan with QEMU / libvirt +lang: en --- So, I'm running Devuan Beowulf (Debian Buster based). Recently, I was in the need of running a diff --git a/_posts/2021-04-25-networkstuff.md b/_posts/2021-04-25-networkstuff.md index 3152f3f..7b2cff6 100644 --- a/_posts/2021-04-25-networkstuff.md +++ b/_posts/2021-04-25-networkstuff.md @@ -4,6 +4,7 @@ title: Network stuff date: 2021-04-25 21:50 +0200 categories: tech description: "I do some experiments with networking stuff. Proxmox and running OpenWRT in a VM." +lang: en --- Been a long time. diff --git a/_posts/2021-06-03-fakir-teardown.md b/_posts/2021-06-03-fakir-teardown.md index 1de8bf9..75f609d 100644 --- a/_posts/2021-06-03-fakir-teardown.md +++ b/_posts/2021-06-03-fakir-teardown.md @@ -3,6 +3,7 @@ layout: post title: Fakir Robert Teardown date: 2021-06-03 20:39 +0200 description: Ein Teardown eines alten Staubsauger-Roboters +lang: de --- Da ich mir demnächst mal einen neuen gebrauchten Saugroboter holen werde, diff --git a/_posts/2021-06-27-wpa-enterprise-unifi.md b/_posts/2021-06-27-wpa-enterprise-unifi.md index 61c49a7..36b9e6e 100644 --- a/_posts/2021-06-27-wpa-enterprise-unifi.md +++ b/_posts/2021-06-27-wpa-enterprise-unifi.md @@ -4,6 +4,7 @@ title: WPA Enterprise mit Unifi Access Points date: 2021-06-27 20:28 +0200 categories: tech description: "Wie man WPA Enterprise einrichtet, mit Unifi WiFi Access Points und Software, die unter Linux läuft" +lang: de --- Ich hab mal einen kurzen Artikel geschrieben, wie man WPA Enterprise diff --git a/_posts/2021-09-22-problems-updating-proxmox.md b/_posts/2021-09-22-problems-updating-proxmox.md index 3885b79..7353d67 100644 --- a/_posts/2021-09-22-problems-updating-proxmox.md +++ b/_posts/2021-09-22-problems-updating-proxmox.md @@ -2,6 +2,7 @@ layout: post title: Network gone after updating Proxmox date: 2021-09-22 20:59 +0200 +lang: en --- So, after upgrading Proxmox from version 6.x to 7.x, the network diff --git a/_posts/2021-10-28-rant-devuan-upgrade.md b/_posts/2021-10-28-rant-devuan-upgrade.md index 100dd3b..c3da9b0 100644 --- a/_posts/2021-10-28-rant-devuan-upgrade.md +++ b/_posts/2021-10-28-rant-devuan-upgrade.md @@ -3,6 +3,7 @@ layout: post title: 'Rant: Devuan Upgrade' date: 2021-10-28 19:58 +0200 categories: tech +lang: en --- Gna. So I upgraded my Devuan installation from Beowulf to Chimaera. Process was a bit tricky, diff --git a/_posts/2022-01-20-server-stuff.md b/_posts/2022-01-20-server-stuff.md index 40d39a1..f5f053f 100644 --- a/_posts/2022-01-20-server-stuff.md +++ b/_posts/2022-01-20-server-stuff.md @@ -3,7 +3,7 @@ layout: post title: Server stuff date: 2022-01-20 18:55 +0100 category: tech -language: en +lang: en description: "I experiment with SPF, DMARC and DKIM." --- diff --git a/_posts/2022-04-03-backporting-pipewire-in-devuan.md b/_posts/2022-04-03-backporting-pipewire-in-devuan.md index 1d20df2..c0a9fe3 100644 --- a/_posts/2022-04-03-backporting-pipewire-in-devuan.md +++ b/_posts/2022-04-03-backporting-pipewire-in-devuan.md @@ -3,7 +3,7 @@ layout: post title: Backporting Pipewire in Devuan date: 2022-04-03 17:45 +0200 category: tech -language: en +lang: en --- **Update 2023-09-07**: With Devuan Daedelus Pipewire is in the diff --git a/_posts/2024-08-02-use-a-second-signal-account-kinda.md b/_posts/2024-08-02-use-a-second-signal-account-kinda.md index 90b7687..a9753ba 100644 --- a/_posts/2024-08-02-use-a-second-signal-account-kinda.md +++ b/_posts/2024-08-02-use-a-second-signal-account-kinda.md @@ -2,6 +2,7 @@ layout: post title: Use a second Signal account (kinda) date: 2024-08-02 18:48 +0200 +last_modified_at: 2025-05-29 16:50 +0200 lang: en categories: ["tech"] description: "How to use a second Signal account on your Smartphone" @@ -52,3 +53,9 @@ already, so not a huge disadvantage). But hey, maybe this is still useful for some people. +**Update 2025-05-29** + +Actually, you can also use multiple accounts on the Desktop client. +Since it's just an Electron app (?), you only need a second Launcher +with the executable and arguments being +`/opt/Signal/signal-desktop --user-data-dir=<whatever you want> %U`. diff --git a/_posts/2024-09-04-convention-report-east-12-2024.md b/_posts/2024-09-04-convention-report-east-12-2024.md index 7c71898..31785a8 100644 --- a/_posts/2024-09-04-convention-report-east-12-2024.md +++ b/_posts/2024-09-04-convention-report-east-12-2024.md @@ -3,6 +3,7 @@ layout: post title: 'Convention Report: EAST 12 (2024)' date: 2024-09-04 20:00 +0200 description: My convention report of the furry convention "EAST 12" in 2024 +lang: en --- It's time for another convention report. I've been going to the EAST convention since EAST 7 (except EAST 10, which was diff --git a/_posts/2025-01-01-2024-review.md b/_posts/2025-01-01-2024-review.md new file mode 100644 index 0000000..80cf09d --- /dev/null +++ b/_posts/2025-01-01-2024-review.md @@ -0,0 +1,40 @@ +--- +layout: post +title: '2024: Review' +date: 2025-01-01 10:47 +0100 +lang: "en" +categories: "life" +description: "I muse over what I did in 2024" +--- + +So, already wanted to do this yesterday, but I think today works as well. +Reviewing the previous year, this happened: + +- Started the year at Furvester +- Went to eight suitwalks +- Went to five local furmeets (without suitwalk) +- Decided to let go of my long hair (much less vacuuming needed now! + Also, less fussing about my hair beig fuzzy) +- Went to two CSDs +- Went to [Awoostria]({% post_url 2024-07-31-awoostria-2024 %}) +- Went to [EAST]({% post_url 2024-09-04-convention-report-east-12-2024 %}) +- Had a good run at learning Swedish, but suddenly in the middle of the year the interest dropped +- Same with guitar +- Played around with [Darktable](https://www.darktable.org/) for a bit, trying to learn photo editing, + got either bored or overwhelmed at it [1], and dropped it again (you notice a pattern???) +- Played around with GPG (by setting up WKD) [2], HomeAssistant, + [Chromebook]({% post_url 2024-12-01-new-device-acquired-chromebook %}), + [Tailscale]({% post_url 2024-12-08-trying-out-tailscale %}), + [PostmarketOS]({% post_url 2024-12-17-postmarketos-first-impressions %}), + [Large Language Models](https://github.com/LostRuins/koboldcpp/) +- Repaired something + [on my car]({% post_url 2024-11-28-selbstwirksamkeit-ich-hab-was-am-auto-repariertcd-website-blog-uvokchee-de %}) + myself +- Struggled with work again, not quite satisfied with my job at times +- Had health problems several times this year + +[1] Especially the overwhelmed part came when trying to edit RAW photos, and + the saturation was way too low. No idea what I was missing, maybe I + was trying to shoot for the moon in the first try? \ +[2] Number of GPG encrypted or signed mails send/received then: zero. + It was a fun exercise, though. diff --git a/_posts/2025-01-01-my-static-blog-now-has-activitypub.md b/_posts/2025-01-01-my-static-blog-now-has-activitypub.md new file mode 100644 index 0000000..1a5af4d --- /dev/null +++ b/_posts/2025-01-01-my-static-blog-now-has-activitypub.md @@ -0,0 +1,19 @@ +--- +layout: post +title: My Static Blog now has ActivityPub +date: 2025-01-01 18:56 +0100 +last_modified_at: 2025-01-01 19:34 +0100 +categories: ["tech"] +lang: "en" +description: "A short praise for Hatsu, thanks to which my posts now appear in the Fediverse." +--- + +Thanks to [Hatsu](https://github.com/importantimport/hatsu), my blog now has ActivityPub support. +Or so I hope. This is mostly a test post to see if it works. + +edit: +Derp. Should've mentioned the handle. +Basically, it's catch-all, but to avoid confusing the Fediverse, you should go with +[blog.uvokchee.de@blog.uvokchee.de](https://blog.uvokchee.de/users/blog.uvokchee.de). +Actually, for the search field, anything will work. +This is a weird restriction of Hatsu, it appears (because the account name is the site). diff --git a/_posts/2025-01-12-migrating-dns-servers.md b/_posts/2025-01-12-migrating-dns-servers.md new file mode 100644 index 0000000..a0bf09b --- /dev/null +++ b/_posts/2025-01-12-migrating-dns-servers.md @@ -0,0 +1,289 @@ +--- +layout: post +title: Migrating DNS providers +lang: en +categories: tech +date: 2025-01-12 16:49 +0100 +last_modified_at: 2025-01-15 19:57 +0100 +redirect_from: /2025/01/2025-01-12-migrating-dns-servers.html +description: "An in-depth look into how to switch DNS providers without downtime." +--- + +**Update 2025-01-15:** Add links to tools, add clarification for DNSSEC tool, +add clarification for validation errors/warnings. + +## Preface + +[As I posted on Mastodon](https://furry.engineer/@uvok/113780013806190576), + +* the DNS registrar (where you register the domain at), +* the DNS hoster / provider (which is responsible for answering DNS requests for + your domain) and +* the (web) hosting service + +can be three different entities, even though for most beginner projects these +are the same. + +I either bought or migrated my domain over to [INWX](https://www.inwx.de/en) +quite some while ago. However, their web interface for editing records is a bit +clunky. And while they do provide an API, it's a bit awkward (XML based, and +yes, there are ready-made packages for various programming languages). [^1] + +With [DN42](https://blog.uvokchee.de/dn42.html), I already used +[PowerDNS](https://doc.powerdns.com/authoritative/) a lot. I actually just use +edit-zone and edit the zone[^2] in an editor, that's my preferred way. Definitely +preferred to some web interface. It would be nice to do this to my main domains +as well. Also, this is another nice "have a technical task to procrastinate +other stuff" thing ;3. Well, I like playing with tech. This is by no means +essential. + +## Glossary + +Quick and dirty glossary, for the purpose of reading this article. It's not +100% accurate and complete, but should be enough to understand the article. + +* **Domain Name**: Basically "the name of a server" (what you see in the address + bar of the browser, e.g. "blog.uvokchee.de"). +* **DNS**: The "Domain Name System". Very simplified, translates domain names + to IP addresses (which computers use to connect to each other). + To be more precise, it's like a lookup in a database (-> DNS record). +* **TLD**: Top-Level Domain. It's "the last part of the domain name" (e.g. + ".de"). +* **Registry**: These run the TLDs. +* **Registrar**: These sell you domain names from the registries. As an "end + user", you can't talk to a registry yourself. +* **DNSSEC**: DNS is a plain-text, insecure protocol, from way back when the + internet consisted of a handful of trustworthy people. DNSSEC tries to prevent + malicious parties from sending wrong information in response to DNS requests. + It does so by signing the responses with a cryptographic key, of which the + public part is stored in the registry. +* **NSEC, NSEC3**: Basically these are "negative replies", i.e. "this domain + does not exist". These are signed as well. If not present, malicious parties + could send back replies to sites they don't want to be reachable as "doesn't + exist" all the time. +* **Zone**: A zone file contains all the -> DNS records for a specific domain. +* **DNS record**: Like "a row in the database" which belongs to your domain. Can + be an address, but also things like text, PGP keys, pointer to other domain + names, etc.. +* **TTL**: Time To Live. The time (in seconds) a reply to a DNS request may be + cached by a server. For example, a TTL of 3600 seconds means that a (caching) + DNS server can cache a record for 1 hour before checking with the + -> authoritative server again. +* **Authoritative Server:** The DNS server that holds the official and most + up-to-date records for a specific domain. + * **Primary**: The primary source of truth. + * **Secondary**: Mirrors the information from the primary. There can be more + than one. +* **Recursion**: DNS is hierarchical. There are fixed "root servers" which serve + the nameservers for all the TLDs. The TLDs provide the nameservers for the + domains "below them". A recursive server "walks along this path" to answer + requests. At some point, it arrives at the authoritative server. +* **Bogus reply**: A reply with invalid signature, either because it has been + tampered with, or because of wrong configuration. +* **AXFR**: A request type for a -> Domain zone transfer. +* **Domain Zone Transfer**: The process of copying the contents of a zone from + one DNS server to another. + +## Migration and DNSSEC + +So, why not migrate my domain over to my PowerDNS setup? Well, I want some +availability, and I don't trust myself enough not to fuck things up. When my +server is shut down, DNS requests should still be answered. But hey, that's +where secondaries come in! So, I manage the zone on my server, as primary, and +let another provider mirror its contents. These will actually "serve the zone". + +Now, only… there's the "problem" of DNSSEC, in conjunction with the DNS +propagation time and TTLs. If I simply set the nameservers (in the de zone) to +a newly created zone by PowerDNS, the DNSSEC keys will be either not present, +or different. I can't set *additional* keys at INWX easily, I can only switch +to manual keys (by switching off DNSSEC first). Which would lead to a downtime +of up to one day, because people requesting records from my domain (such as +myself) would receive bogus replies in that time. I want to avoid that. + +## Steps for migration + +But, I think I found a solution for that. This are the steps which I had to take +for the registrar INWX and my uvokchee.de domain. The process might be different +for other TLDs and other registrars. + +1. Download the zone data from the INWX web interface +1. Create the zone in PowerDNS and set various settings + + #!/bin/bash + zone="example.com" + pdnsutil create-zone $zone + pdnsutil set-kind $zone primary + pdnsutil secure-zone $zone + pdnsutil set-presigned $zone + pdnsutil set-meta $zone ALLOW-AXFR-FROM <ip of secondaries> + # optional? see below for a discussion + pdnsutil set-nsec3 $zone $parameters +1. Filter and import the zone. PowerDNS will actually complain about the NSEC3 + records otherwise once you open the zone in your editor. + + # any other regex that filters only NSEC3 records, but not RRSIG NSEC3, + # work as well + grep -vw "IN NSEC3" ./dl-zone.txt > imp-zone.txt + pdnsutil load-zone $zone ./imp-zone.txt + + This should keep the RRSIGs for the NSEC3 records. This doesn't help with + the errors I receive later, though… + +1. Set up the secondaries. I went with [Hurricane + Electric](https://dns.he.net/), but I had to write them an e-mail. I couldn't + add the zone as secondary myself, because the web interface requires the + nameservers in the parent zone (?) already to be set to HE, but I wanted a + zero-downtime migration. +1. Wait for the DNS provider to AXFR. +1. (optional) check with [dnsviz](https://dnsviz.net/) whether you get any + errors. You should set the nameserver on the "Analyze" tab, and then set the + "Additional trusted keys:" to what `dig example.com DNSKEY` tells you. At + this point, I got warnings/errors regarding the "Denial of existence" / + NSEC3 records, and some errors because the RRSIGs can't be checked. (Once + you set a manual nameserver, the tool doesn't seem to check for the parent + zone anymore? I'm unclear on that). +1. Try to set the new nameservers (nsx.he.net) in the registry (e.g. DENIC) via + the INWX web interface ("external nameservers"). +1. Receive an "UPDATE FAILED". Read the error message. + + ERROR: 53300102912 Nameserver error [ERROR: 118 Inconsistent set of NS + RRs (NS, IP, NS host names) (ns5.he.net, 2001:470:500::2, ['ns.inwx.de', + 'ns2.inwx.de', 'ns3.inwx.eu'])] + + Realize you fucked up. + You need to set the new nameservers within your own zone first. This seems + to be a requirement for DENIC at any case. +1. Add the NS entries to the HE nameservers within your zone in the INWX web + interface. [^4] +1. Download and import the zone file again. Wait for the AXFR. +1. Retry sending the nameservers to the registry. Wait until success. +1. At this point, I checked again with dnsviz. With the default options, + everything was fine. However, when I enabled the "Denial of existence:" + option, I received some *extremely scary looking error messages*. I can only + guess this is because PowerDNS can't generate these records? I *have no + clue*. Any useful information will be gladly accepted. I choose to ignore it. + + NSEC3 proving non-existence of l2v1y.7t5is.uvokchee.de/A: No RRSIG covering the RRset was returned in the response. See RFC 4035, Sec. 3.1.1. (216.218.130.2, 216.218.131.2, 216.218.132.2, 2001:470:100::2, 2001:470:200::2, 2001:470:300::2, UDP_-_EDNS0_4096_D_KN) + NSEC3 proving non-existence of uvokchee.de/CNAME: No RRSIG covering the RRset was returned in the response. See RFC 4035, Sec. 3.1.1. (216.218.130.2, 216.218.131.2, 216.218.132.2, 2001:470:100::2, 2001:470:200::2, 2001:470:300::2, UDP_-_EDNS0_4096_D_KN) + + As of 2015-01-11, I read the [PowerDNS + docs](https://doc.powerdns.com/authoritative/dnssec/migration.html#from-existing-dnssec-non-powerdns-setups-pre-signed) + again. Specifically, I need to set `pdnsutil set-nsec3 $zone <whatever + NSEC3PARAM says>`. Then, PowerDNS gives back SERVFAILs, because, of course, + PowerDNS can't sign the reply, because it doesn't have the keys to sign the + NSEC3 replies (??? I guess ???). So now, instead of sending back an unsigned + reply, it sends back an error. + + I imported the RRSIGs for these NSEC3 records, though, at least in a second + attempt. I tried all combinations of `(set-nsec3|unset-nsec3)` and `(import + NSEC3-RRSIG|don't import NSEC3-RRSIG)`. All variants failed. I have no clue + how this is supposed to work cleanly. [^7] + + **Update 2025-01-15**: The GitHub issue linked below (#9263) actually + contains a "solution"/workaround for this. The order of commands needs to be + 1) Import, 2) set-nsec3, 3) rectify, 4) set-presigned. + +1. Wait at least 24 hours (TTLs, DNS propagation time). +1. Let PowerDNS output its own keys it generated for the zone. Unfortunately, + `pdnsutil export-zone-dnskey $zone $keynr` *does not output a completely + valid record*, nor does `pdnsutil export-zone-ds $zone`. These outputs are + missing the TTLs in the second column, at least with PowerDNS 4.7.3 in the + Debian stable repos. You have to add those yourself. I saw some tools like + dnsviz break when you enter the records as-is. + + **Important**, I had to temporarily run `unset-presigned $zone` (see + below) before running `pdnsutil export-zone-ds`, so PowerDNS actually outputs + the hash of the new key(s)! Otherwise it will only show the current keys + signature. Otherwise, you may also use online tools that convert the DNSKEY + to a DS record. +1. Have a copy of the *current* DS / DNSKEY records as well (`dig` is your + friend). +1. Set the DNSSEC from "auto" to "manual" in the INWX web interface. + * Delete all keys from the domain. + * Add DNSSEC again for the domain, in manual mode. + * Add DNSKEY and DS records of the old keys. + * Add key, insert DNSKEY and DS records emitted by pdnsutil for the new + key. + + As far as I know, this will be sent to the parent zone. [^8] +1. After I got an email from INWX confirming the new DNSSEC entries, I ran + dnsviz again and nearly got an heart attack, because there were a lot of + errors and red exclamation marks. Actually, the DNSSEC was still valid (i.e. + not returning bogus records). The tool only complained about + + The DS RRset for the zone included algorithm 13 (ECDSAP256SHA256), but no + RRSIG with algorithm 13 covering the RRset was returned in the response. + + I *think* dnsviz expects both `RRSIG`s, i.e. both keys must sign the replies? + That shouldn't have an effect on the reachability, otherwise the tool would + report BOGUS records? + + **Update 2025-01-15**: Yep. As stated in the IETF document linked in the + references: + + > Current reading is that an algorithm rollover requires a full validation + > with all algorithms involved, whereas a key rollover will work whenever + > data can be validated using either key ([RFC4035], section 2.2). + + N.B.: So if you *really* want to avoid that, you need to tell PowerDNS to + create an KSK/ZSK pair (with the same parameters?) and use these, and only + later switch over to algorithm 13. +1. Wait at least 24 hours (TTLs, DNS propagation time). - Depending on the + previous DS records TTL. +1. Switch to automatic signing by PowerDNS. I guess at this point you must or should + * stop PowerDNS, [^5] + * `pdnsutil unset-presigned $zone`, + * `pdnsutil unset-nsec3 $zone`, + * edit the zone (clearing out the RRSIGs you imported. If I understood + the PowerDNS docs correctly, there will be trouble [^6] if you don't. Oh, + don't forget the NSEC3PARAM record, any leftover (C)DNSKEYS and (C)DS, + while also increasing the serial (otherwise the AXFR might not take + place), [^9] + * `pdnsutil rectify-zone $zone` + * start PowerDNS, + * (optional) notify the secondaries +1. At this point, you should be done. And I *guess* at this point you could + already delete the other DS/DNSKEY via the registrar? + +By the way, I'll choose to use NSEC instead of NSEC3. NSEC3 seems like too much +of a headache for me, also, domain names are not secrets. + +## Further references + +* [PowerDNS docs](https://doc.powerdns.com/authoritative/) +* IETF Draft: [Changing DNS Operators for DNSSEC signed + Zones](https://datatracker.ietf.org/doc/html/draft-koch-dnsop-dnssec-operator-change-06) +* [DNSSEC visualizer](https://dnsviz.net/) +* [Verisign Labs DNSSEC debugger](https://dnssec-debugger.verisignlabs.com/) + +## Footnotes + +[^1]: Okay, it's not like I edit my records that often. + +[^2]: + For the purposes of this blog article, I think you can freely substitute + zone with domain in your head, I probably won't use the words correctly 100% of + the time either. + +[^4]: + I think that shouldn't to any damage. DNS recursion should always ask the parent + zone? + +[^5]: + Avoiding a spurious notify or AXFR directly after editing? No idea if needed. + +[^6]: such as duplicate RRSIG replies. + +[^7]: + There are two GitHub issues similar to this: + [#9263](https://github.com/PowerDNS/pdns/issues/9263) and + [#8892](https://github.com/PowerDNS/pdns/issues/8892). + +[^8]: + Actually, I have no idea why INWX wants me to enter both the DS and the + DNSKEY. Only the DS gets entered in the DENIC servers. + +[^9]: + e.g. `:g/\<\(RRSIG\|NSEC3PARAM\|DS\|CDS\|DNSKEY\|CDNSKEY\)\>/d` in vim. +<!-- vim: set ft=markdown tw=80 ai tabstop=4 shiftwidth=4 expandtab: --> + diff --git a/_posts/2025-02-02-dn42-put-it-in-a-box-linux-network-namespace.md b/_posts/2025-02-02-dn42-put-it-in-a-box-linux-network-namespace.md new file mode 100644 index 0000000..3a43f1a --- /dev/null +++ b/_posts/2025-02-02-dn42-put-it-in-a-box-linux-network-namespace.md @@ -0,0 +1,134 @@ +--- +layout: post +title: 'DN42: Put it in a box (Linux network namespace)' +date: 2025-02-02 17:10 +0100 +last_modified_at: 2025-06-18 19:12 +0200 +lang: "en" +categories: "tech" +description: "I explain how I put my Autonomous System in a network namespace." +--- + +What did I do the previous week? What robbed me of my sleep at night, keeping my +thoughts churning? Let's look at "doing containers the hard way". + +For some time, I had CPU usage problems on my VPS. Looking at `htop`, I always +saw two bird instances and dnsmasq as "offenders". (I run both my clearnet AS as +well as my DN42 AS on this box) [^1]. I was originally going to write a blog article +about that, but it's still in my drafts folder. Here's the gist: + +- All these processes receive "netlink messages". +- Probably the IBGP session for my AS generates lots of these netlink messages. +- The other bird process (for DN42) and dnsmasq suffer from it. + +One possible solution is to put the processes into a container (Docker, Podman, +LXC, LXD, Incus, …). However, I'm on a budget. I have only 40 GB of storage on +my Hetzner VPS and don't want to waste it with duplicate file systems. However, I +can use the *technology* these container (runtimes/engines) use: Linux +namespaces. + +I won't cover the basics here. There are other blog articles from other people +who are *far better* at explaining that (e.g. from +[anracon](https://linux-blog.anracom.com/2017/10/30/fun-with-veth-devices-linux-bridges-and-vlans-in-unnamed-linux-network-namespaces-i/)). + +Suffice to say, I can put DN42 in a box, which put the network in isolation. To +a degree. I still need to communicate with the outside world. I dumped my setup +[in a git repo](https://git.uvok.de/ansible/tree/roles/linux-ns/files). + +[jamesits](https://github.com/Jamesits/systemd-named-netns) provides some nice +templates for setting up a network namespace. I used that template, but tweaked +some parts to they suit me better [^2]. Also, using the Debian systemd files, I +manually created new ones and made sure the processes use the separate namespace. +I admit to never having particularly liked systemd, but at least the service +manager is pretty nice. + +I also felt pretty clever coming up with [this setup +script](https://git.uvok.de/ansible/tree/roles/linux-ns/files/usrlocalbin/dn42-route-namespace.sh) +which gets called by systemd and then calls itself again, but in the newly created +namespace. + +Inside the namespace run: + +- The Wireguard interfaces to my peers, +- Tinc (which I only have because I want to have a broadcast-capable VPN), +- PowerDNS (a separate instance from "the outer VPS one", serving my DN42 domain), +- BIRD2, +- And a looking glass + +*Outside* the namespace run: + +- dnsmasq, which allows me to resolve my DN42 domains "from the clearnet" + (from within a Wireguard net) +- Nginx, which serves my DN42 website + +**Update 2025-06-18**: nginx now runs inside the namespace as well. + +It took me a while and some internet searches to come up with the firewall +rules. On my VPS itself I use ufw, for the network namespace, I *could probably* +make this work as well, but I decided to use "iptables", or rather, the wrapper +scripts which provide the same syntax but use nftables in the background. This +is because with this namespace separation, I don't have to worry about +"cross-leaking" network traffic between DN42 and the clearnet. So the rules get +a lot simpler + +I was happy that both DNS and the website work, when I realized that the default +policy for FORWARD was ALLOW. I found it suitable to set it to DROP, and +suddenly, it didn't work anymore, because I was employing destination NAT: + +``` +*nat +-A PREROUTING -d fd3e:bc05:2d6::80/128 -p tcp --dport 80 -j DNAT --to-destination fcee::1 +-A PREROUTING -d fd3e:bc05:2d6::80/128 -p tcp --dport 443 -j DNAT --to-destination fcee::1 +``` + +This is because the webserver is running on the "outer" VPS, not in the network +namespace (hey, it took me long enough to finish this up as it is). This is +probably a relatively small adjustment. + +With an additional forward rule, everything is happy again: + +``` +*filter +-A FORWARD -s fd00::/8 -d fcee::1/128 -j ACCEPT +-A FORWARD -s fcee::1/128 -d fd00::/8 -j ACCEPT +``` + +**Update 2025-06-18**: I modified this several times since then. +Since I also need to take care of actual routing/forwarding within DN42, +I now ended up with + +``` +-A FORWARD -s fd00::/8 -d fd00::/8 -j ACCEPT +-A FORWARD -i eth0 -d fd00::/8 -j ACCEPT +-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT +``` + +i.e. I don't rely on the source address being fcee::1 anymore. + +Also, I also feel pretty clever for making sure I can access DN42 from my +clearnet: + +``` +*mangle +-A PREROUTING -i eth0 -j MARK --set-mark 0x4242 +COMMIT + +*nat +-A POSTROUTING -d fd00::/8 -m mark --mark 0x4242 -j MASQUERADE +COMMIT +``` + +I am actually not sure if the latter needs an "-i (all wg interfaces)" or "! -i +(internal interfaces)" to avoid unnecessary NATting for when I access a service +in the namespace. But nevertheless, I achieved a working state. Best of all, I +can reuse some of the work if I ever want to put my clearnet AS in a namespace, +too. + +[^1]: + An AS is in ["autonomous system"]({% post_url + 2023-08-18-networking-adventure-my-own-ipv6-prefix-and-as %}), [DN42]({% link + dn42.md %}) is a "lab environment" for networking. + +[^2]: + For example, I have no idea why they unmount and mount the netns path + manually. Probably this fixes some bug of an old systemd version? + diff --git a/_posts/2025-03-06-monitoring-with-uptime-kuma.md b/_posts/2025-03-06-monitoring-with-uptime-kuma.md new file mode 100644 index 0000000..0d1a6d1 --- /dev/null +++ b/_posts/2025-03-06-monitoring-with-uptime-kuma.md @@ -0,0 +1,49 @@ +--- +layout: post +title: Monitoring with Uptime Kuma +date: 2025-03-06 18:55 +0100 +lang: en +description: "A short praise for Uptime Kuma, offering uptime monitoring." +--- + +[Recently](https://furry.engineer/@uvok/114026509150081909), I wanted to do add +some kind of monitoring to my servers. The prevalent reason was monitoring my +AS, which I accidentally broke by shutting down one server, or the hosting +provider had an outage (This was because I didn't configure a fallback default +route, but that's another story). + +So, I took a look at the monitoring landscape. And immediately wanted to drop +the idea again, because there were too many choices. And had no intention to +install and test them all, and no energy to read dozens of websites with user +reports. + +But then I said, "wait. Let's not do it the overthinking way again". So I took +the first best/simple thing and chose [Uptime +Kuma](https://github.com/louislam/uptime-kuma). I actually wanted to drop it +right away once I saw it's running on NodeJS (ehhh). But then I decided to spin +up an LXC on my Proxmox anyway. + +And lo and behold, it works: + +{% image +img="https://pics.uvokchee.de/_data/i/upload/2025/03/06/20250306175521-4763fdf7-me.png" +alt="Screenshot of Uptime Kuma - showing the ping times of various servers." +%} + +And it even has a certificate validity check. + +{% image +img="https://pics.uvokchee.de/_data/i/upload/2025/03/06/20250306175521-7805c0bb-me.png" +alt="Screenshot of Uptime Kuma - showing the HTTPS monitor, including the +remaining certificate validity time." +%} + + +It runs in my home network, so I can actually detect whether my AS is reachable +(to a degree). And it brings various notification options, from which I chose +Telegram and Matrix. + +I actually got an outage notification this week, on my Hetzner servers. No idea +what happened there, though, I didn't receive an outage report / notification +from them. + diff --git a/_posts/2025-03-18-games-i-play_ed.md b/_posts/2025-03-18-games-i-play_ed.md new file mode 100644 index 0000000..9e2c805 --- /dev/null +++ b/_posts/2025-03-18-games-i-play_ed.md @@ -0,0 +1,112 @@ +--- +layout: post +title: Computer games I (used to) play +lang: en +categories: game +date: 2025-03-18 10:17 +0100 +description: "I muse over computer games I played recently(-ish)." +--- + +I'm not big on computer games. Usually "I don't have the time" to deal with +them. Or rather, spending so much time on the computer at work, I'm quickly fed +up with sitting on the computer. Also, I get frustrated quickly at times, when +I can't make progress or repeatedly fail. So I usually only play computer games +on vacation. + +So, as for games I played (recently-ish)? Roughly sorted by time last played +ascending: + +- Waaaaaaaaaaaaaaay back in my childhood (in no specific order): + - [Civilization](https://archive.org/details/msdos_sid_meier_civilization) + [^civ1], [^civ2]. Yes, the original one! If I remember correctly, I always + got destroyed sooner or later… - [FreeCiv](https://www.freeciv.org/) is an + open source game inspired by it. + - [3D Pinball Space Cadet](https://alula.github.io/SpaceCadetPinball/). I + spent hours on that one. Never quite succeeding on hitting the targets… + - Anno 1602. I think the first game I searched for cheats to improve my + chances… - [Unknown Horizons](https://unknown-horizons.org) is a similar + game in open source. [^unkhor] + - SimCity 2000 [^simcit] - + [LinCity-NG](https://github.com/lincity-ng/lincity-ng) is a similar open + source game. + - Need For Speed III + - Empire Earth (quite like Age Of Empires, as I found out later) - As far as + open source goes, [0 A.D.](https://play0ad.com/) is probably the closest? + - "Die Völker" (apparently, "Alien Nations" in English, "The Nations" was + actually the sequel. Yeah, what?). I sunk quite some time into that one as + well. + - "Funk-Flitzer", which was on a "Mickey Maus" comic magazine. Go search for + "3-D Ultra Radio Control Racers". + - Worms 2 - [Hedgewars](http://www.hedgewars.org/) seems to be the open source + alternative. + - Moorhuhn, Winter Edition +- Sometime later deep in the past: Minecraft (I stopped way before Microsoft + acquired it), recently followed by [Minetest, or rather, + Luanti](https://www.luanti.org/) (Though, "it's just not the same anymore". + I'm not sure what exactly it is, maybe my changed mindset, maybe I liked the + original soundtrack and game elements more…). +- [Starbound](https://playstarbound.com/), very shortly +- [OpenTTD](https://www.openttd.org/): Trains and buses! Though, admittedly, I + never quite "got it" (why do you have to manually "park" passengers on train + stations, instead of unloading them completely, so they continue taking the + train?) +- [Dwarf Fortress](https://www.bay12games.com/dwarves/). Go with + [LNP](https://dwarffortresswiki.org/index.php/Utility:Lazy_Newb_Pack) if you + wanna give it a try, or the Steam version. +- [Stardew Valley](https://www.stardewvalley.net/) (on Android tablet) +- [Factorio](https://www.factorio.com/) - Shaking my head over the people + arguing over how to perfectly optimize everything ;). I disabled biters in + recent play-throughs, it got to annoying for me. +- [Terraria](https://terraria.org/). Another one where I had to resort to the + Wiki for the bosses. +- [Cattails: Wildwood Story](https://cattailsgame.com/). Got through the main + story, had to resort to YouTube for looking up how to beat the final boss. +- [Turing Complete](https://turingcomplete.game/) +- And, the most recent one, + [dotAge](https://www.michelepirovano.com/dotage.html) + +The latter [^dotnote1] one is a "turn-based village builder", with challenges. I +*guess* I can *kinda* compare it to Dwarf Fortress, as in, it can be incredibly +hard, and you have to build a civilization [^dotdwarf] and take care of it, as +in terms of food and drink, for example. Only you don't have to deal with goblin +or forgotten beast invasion, but, basically, nature. And DF doesn't have tech +research… Okay, maybe they're not comparable after all. + +The first play-throughs are rather rough, since you will only unlock additional +content, such as farming, with play time. So your first villages will cease to +exist quite quickly, I think. That's expected. Probably to show you the failure +modes? + +From personal experience: Don't build some new buildings too quickly. The game +allows you to build them even though they're "useless" at that specific point in +the game, and you need additional tech research to make them usable. + +{% linked_image +img="https://pics.uvokchee.de/_data/i/upload/2025/03/17/20250317185230-40c102c2-me.jpg" +url="https://pics.uvokchee.de/upload/2025/03/17/20250317185230-40c102c2.jpg" +alt="Screenshot of the game dotAge, of fairly early game play." +%} + +[^dotnote1]: + Yes, kinda unfair I only go into detail into one. I wanted to start + "reviewing" only this one, but then thought, "well, might as well list all + games I played so far". Maybe that's a chance for future blog posts. + +[^simcit]: + I didn't like SimCity 3000 as much. And *don't get me started with Cities: + Skylines*. + +[^dotdwarf]: + General advice seems to be not to go over 50 in dotAge. In Dwarf Fortress, + you have to deal with the pesky Nobles instead. Something similar seems to + exist in dotAge as well? + +[^civ1]: Go drop archive.org a small donation, won't you? + +[^civ2]: You can actually still play it thanks to [DOSBox](https://www.dosbox.com/) + +[^unkhor]: + Not sure about the current state. The port to the Godot + engine seems still to be a WIP. Last blog post is quite some time ago, but + the [GitHub repo](https://github.com/unknown-horizons/godot-port) is active. + diff --git a/_posts/2025-04-05-random-thought-smartphones-with-old-technology.md b/_posts/2025-04-05-random-thought-smartphones-with-old-technology.md new file mode 100644 index 0000000..4649817 --- /dev/null +++ b/_posts/2025-04-05-random-thought-smartphones-with-old-technology.md @@ -0,0 +1,20 @@ +--- +layout: post +title: 'Random Thought: Smartphones with old technology' +date: 2025-04-05 20:23 +0200 +lang: en +categories: tech +--- + +How would smartphones look with old technology? What if we never invented flash +storage? (Leave aside the answer "the smartphone would not have been +possible"). Like, what if they were using tapes / tape drives as primary +storage? Or floppy disks? + +<insert AI generated image here - hah, you wish. I'll have none of that on my +blog.> + +This thought was presented to me while listening to the ["Stay +Forever"](https://www.stayforever.de/) podcast, a German-language podcasts about +old games and their technology. + diff --git a/_posts/2025-04-06-i-don-t-get-kubernetes.md b/_posts/2025-04-06-i-don-t-get-kubernetes.md new file mode 100644 index 0000000..28224b4 --- /dev/null +++ b/_posts/2025-04-06-i-don-t-get-kubernetes.md @@ -0,0 +1,38 @@ +--- +layout: post +title: I don't get Kubernetes +date: 2025-04-06 15:59 +0200 +categories: tech +lang: en +--- + +No real content, just me ranting. + +There are [some ;)](https://xeiaso.net/talks/2025/surreal-joy-homelab/) who take +great joy in Kubernetes. I never really understood how I could use it. + +Okay, so, very simplified, K8s let's you say "I wanna run these services (Docker +containers) on my cluster (various computers/servers), optionally with +redundancy"? Well, I only have one "server" in my "homelab", and then 3 VPS or +so. Only one of them runs something in Docker/Podman. + +I *can't imagine*/don't understand how I would run, say, Nextcloud in K8s. I +*want* to know which server is currently running it, and where the data is +stored. Especially with something like Nextcloud, I want to have the Nextcloud +application, the database, and the data store on **one** VPS, without any +indirections, without any communication over the internet or a VPN, via some +proxy software. From what little I've heard about K8s (forgive me my ignorance), +I had more questions that I could answer. K8s seems really complex, because it +~~has~~ can have so many moving parts (yes, you can probably run a very basic +setup, most of the components seem optional). I don't want my database suddenly +moved around to somewhere else. + +That is to say: I never had a use case of trying out K8s. No *actual, real* one. +I could probably construct one if I tried really hard. But, eh. "My current +setup works". + +My attempt to run K8s on my Proxmox via LXC all failed, even if they're +privileged containers, probably because I need to mount Linux Namespaces, or +load specific kernel modules on Proxmox itself so they can be loaded in the LXC +containers as well (???). + diff --git a/_posts/2025-05-11-table-tennis.md b/_posts/2025-05-11-table-tennis.md new file mode 100644 index 0000000..8d9ce82 --- /dev/null +++ b/_posts/2025-05-11-table-tennis.md @@ -0,0 +1,14 @@ +--- +layout: post +title: Table Tennis! +date: 2025-05-11 08:16 +0200 +lang: en +categories: life +--- + +Recently, I was at a seminar. I learned a lot. It was an exquisite group of inquisitive people. +But we also had some free time in which we played some table tennis. +I have no idea how to play it besides "hit the ball with the racket". +Actually makes me want to join the local sports club for once, which does have a +table tennis department. + diff --git a/_posts/2025-05-25-cpu-usage-problems-again.md b/_posts/2025-05-25-cpu-usage-problems-again.md new file mode 100644 index 0000000..beb905a --- /dev/null +++ b/_posts/2025-05-25-cpu-usage-problems-again.md @@ -0,0 +1,16 @@ +--- +layout: post +title: CPU usage problems on my VPS again +date: 2025-05-25 19:29 +0200 +lang: en +categories: tech +--- + +<a href="{% post_url 2025-02-02-dn42-put-it-in-a-box-linux-network-namespace +%}">As reported previously</a>, I had problems with the CPU usage on my VPS +again, even after namespace isolation. This time, it was dnsmasq causing the +loadavg to rise. "This is a problem for future me to solve properly", is the +motto. For the time being, I simply added a service restart when I detect a high +loadavg. Works well enough. I'll keep monitoring it to see if this occurs more +than once a week or so. + diff --git a/_posts/2025-05-29-furdew-valley.md b/_posts/2025-05-29-furdew-valley.md new file mode 100644 index 0000000..cbdf420 --- /dev/null +++ b/_posts/2025-05-29-furdew-valley.md @@ -0,0 +1,24 @@ +--- +layout: post +title: Furdew Valley +date: 2025-05-29 15:21 +0200 +lang: en +categories: gaming +--- + +[In my last blog post]({% post_url 2025-03-18-games-i-play_ed %}) about gaming, +I think I already mentioned I played Stardew Valley. Back then, on an Android +tablet. Due to [Pan on Mastodon](https://woof.tech/@Pan_H_Shiroi@toot.cat) +streaming that game recently, I picked it up again. + +I found it can even be modded! The mod in question is +[Animals and Myths Pack](https://www.moddrop.com/stardew-valley/mods/1119098-fs-shs-animals-and-myths-pack). + +{% image + img="https://pics.uvokchee.de/upload/2025/05/29/20250529132445-6dbbe14d.jpg" + alt="Screenshot of modded Stardew Valley, showing the player character with anthro legs + and a fox tail" +%} + +That adds to the fun. I might even get a mod that adds NPC lines. The build-in +ones can get monotonous after some time. diff --git a/_posts/2025-06-16-oops-dn42-stops-working.md b/_posts/2025-06-16-oops-dn42-stops-working.md new file mode 100644 index 0000000..26d4ed7 --- /dev/null +++ b/_posts/2025-06-16-oops-dn42-stops-working.md @@ -0,0 +1,73 @@ +--- +layout: post +title: Oops, DN42 stopped working +date: 2025-06-16 20:39 +0200 +last_modified_at: 2025-06-17 18:12 +0200 +lang: en +categories: tech +--- + +As you might know, I participate in [DN42]({% link dn42.md %}). +I have a somewhat peculiar setup, in +which some VPS run the routing daemons, and my home router simply has a VPN +connection to them and statically routes everything `fd00::/8` to them. The router +runs OpenWRT, and has dnsmasq setup to resolve DN42 domains via the DN42 anycast +servers. I set this up *months ago*, it worked, I was happy, and didn't need it +since. + +Cue last weekend. "Suddenly" the resolution didn't work anymore. It simply timed +out. So I connected to my VPS (which is running DN42 +[in a namespace]({%post_url 2025-02-02-dn42-put-it-in-a-box-linux-network-namespace %})) +and took a look at tcpdump. Inside the namespace, I saw the strange lines + +``` +18:49:05.296629 eth0 In IP6 fd7a:115c:a1e0::xxx > fd42:d42:d42:53::1.53: 42631+ [1au] AAAA? wiki.dn42. (50) +18:49:05.296679 kioubit Out IP6 fd3e:bc05:2d6::80.50255 > fd42:d42:d42:53::1.53: 42631+ [1au] AAAA? wiki.dn42. (50) +18:49:05.302946 tinc_dn42 In IP6 fd42:d42:d42:53::1.53 > fd3e:bc05:2d6::80.50255: 42631 1/0/1 AAAA fd42:d42:d42:80::1 (66) +18:49:05.302990 kioubit Out IP6 fd3e:bc05:2d6::80 > fd42:d42:d42:53::1: ICMP6, destination unreachable, unreachable route fd3e:bc05:2d6::80, length 122 +``` + +And all the time I was thinking… "huh??? Why is `fd3e:bc05:2d6::80` unreachable??? +It is **clearly** in the `ip -6 a` output!!!". I looked through all the +iptables statistics and couldn't find the culprit. + +A join in the DN42 IRC and some back and forth later, someone suggested +"Hey, what's with the `fd7a:…` address? Is there a route for *that*?". + +And of course, no, it wasn't! I was so focused on the ICMP6 message that I +didn't notice the incoming line. As you can read in my other article linked +above, I perform NAT. Of course in that case it probably wouldn't make sense for the +ICMP6 message to tell someone that there's no route for the original IP (before NAT). + +**So, but… where does the `fd7a:…` address come from?**<br/> +The answer is [Tailscale]({% post_url 2024-12-08-trying-out-tailscale %}). +Unfortunately, they decided to use the `fd00::/8` IP range, which collides with DN42. +I didn't do any DN42 stuff since installing it, so I didn't notice that.<br/> +**But… why is that address used at all for the DNS request?**<br/> +Weeeeell… I found out as well. It comes from OpenWRT. I simply set up +a static route there, and Linux does its best to determine the source address for the +DNS request. And it seems the Tailscale one was a closer match than +the address from my own DN42 prefix.<br/> +**So, how to fix that?**<br/> +[It's not as easy as you think!](https://github.com/openwrt/openwrt/issues/13720). +Merely using the "source" option in the config file would work for IPv4, but +for IPv6 it has a different meaning!<br/> +**But why does it say "no route to host" instead of using a default route?**<br/> +Because I configured bird to insert an "unreachable" route for the `fd::/8` prefix +to avoid leaking traffic. +``` +# ip -6 route show fd00::/8 table dn42 +unreachable fd00::/8 dev lo proto bird src fd3e:bc05:2d6::1 metric 500 pref medium +``` + +At this point, it's Monday evening. Unnerved, I threw my hands in the air and +simply put a line of +``` +ip -6 route replace fd00::/8 ... src <my-openwrt-dn42-address> +``` +in `/etc/rc.local` and called it a day. My setup +works again, and I learned something again. Don't just look at the last line, +look at the whole picture. A lesson I actually already learned in the +ubuntuusers forums when asking for help compiling a package and only posted the +last few make output lines, which of course didn't contain the actual +compilation error… diff --git a/_posts/2025-06-22-blog-now-on-gemini-with-dn42.md b/_posts/2025-06-22-blog-now-on-gemini-with-dn42.md new file mode 100644 index 0000000..fa46a58 --- /dev/null +++ b/_posts/2025-06-22-blog-now-on-gemini-with-dn42.md @@ -0,0 +1,39 @@ +--- +layout: post +title: Blog now on Gemini - with DN42 +date: 2025-06-22 17:42 +0200 +--- + +The Gemini protocol is a minimal protocol to serve content, and is +the "spiritual successor" to the Gopher protocol. +(Do not confuse with Google's AI Gemini. I hate naming collissions), + +It took some tinkering, especially because Gemini's markup language +("Gemtext") +is deliberately +minimal, and Jekyll can't output/convert Markdown to Gemini, so I had to +take "the ugly route" to convert the "finished" Jekyll HTML page to Gemtext +via the below-mentioned tool, which basically does +HTML > Markdown > Gemtext. +I can't directly use the raw Markdown files of my blog, since I use +Liquid tags. + +Anyway, my blog is now accessible in "Geminispace", alas, only within DN42, +because I'm too lazy right now to do it properly. (With the DN42 namespace +isolation and all). And also, it's a really "nerdy" protocol, with I don't +know how many users. + +`gemini://uvok.dn42/` + +Addendum: What I really like is the "feed" specification, which basically consists +of separate lines of <br/> `=> $link $date $heading`, <br/> and browsers like +Lagrange can subscribe +to these (like RSS feeds, but the format is much simpler!). + +- [Gemini Protocol on Wikipedia](https://en.wikipedia.org/wiki/Gemini_(protocol)) +- [Gopher Protocol on Wikipedia](https://en.wikipedia.org/wiki/Gopher_(protocol)) +- [Gemini Protocol homepage](https://geminiprotocol.net/) +- [Gemini "Quickstart"](https://geminiquickst.art/) +- [Gemtext intro](https://gemini.flounder.online/docs/gemtext.gmi) +- [Html2Gemini](https://github.com/Aarontheissueguy/Html2GeminiPy) +- [Lagrange browser](https://git.skyjake.fi/gemini/lagrange) |