<?xml version="1.0"?>
 <rss version="2.0"
      xmlns:dc="http://purl.org/dc/elements/1.1/"
      xmlns:dcterms="http://purl.org/dc/terms/" >
 <channel>
 <title>Open source software and nice hardware</title>
 <link>gopher://box.matto.nl/</link>
 <description>This is my gopher burrow</description>
 <language>en-us</language>
 <lastBuildDate>Tue, 30 Apr 2024 21:03:29 +0200</lastBuildDate><item>
<title>The Sheep Look Up still feels real after 50 years</title>
  <guid isPermaLink="false">gopher://box.matto.nl/0/the-sheep-look-up-still-feels-real-after-50-years.txt</guid>
  <link>gopher://box.matto.nl/0/the-sheep-look-up-still-feels-real-after-50-years.txt</link>
  <pubDate>Tue, 30 Apr 2024 19:00:08 +0200</pubDate>
<description> <![CDATA[
<pre>
The Sheep Look Up still feels real after 50 years
=================================================

I finished reading "The Sheep Look Up", written by John Brunner.

This book is published in 1972, more than 50 years ago.

At the time of writing it was considered to be a dystopian science
fiction novel.

Capitalism, greed, and corruption rendered the world unlivable. The
air is difficult to breath and smells foul, water is unsafe to drink,
the rain is aggressively acid, and the population is plagued by a
variety of diseases. Large corporations are not afraid to order people
to be killed and the government is corrupt.

Scary read
----------
What makes this book so terrifying is that the behavior of
individuals, governments, and companies is so familiar.

When the novel was written, it provided a terrifying glimpse into the
future. Now, it appears to be a description of how our world will be
in just a few years.

Must read
---------
It is a sad story, and sometimes the feel of the seventies breathes
through the lines.

Still, I think this book is a "must read".

It helps us to see the warning signs, and to recognize the dangerous
crushing power of right wing politics.


Last edited: $Date: 2024/04/30 19:00:08 $
  </pre>
  ]]></description>
</item>
<item>
<title>Added Marginalia to my jump lists</title>
  <guid isPermaLink="false">gopher://box.matto.nl/0/added-marginalia-to-my-jump-lists.txt</guid>
  <link>gopher://box.matto.nl/0/added-marginalia-to-my-jump-lists.txt</link>
  <pubDate>Fri, 26 Apr 2024 19:15:51 +0200</pubDate>
<description> <![CDATA[
<pre>
Added Marginalia to my jump lists
=================================

Today I added Marginalia to my jump lists.

Marginalia
----------
Marginalia is a web search engine aimed at the smol web.

Marginalia is created and run by Viktor Lofgren.

The about page mentions

  "The purpose of the tool is primarily to help you find and navigate
  the non-commercial parts of the internet."

Good browser support
--------------------
Marginalia works fine on many browsers.

Using Marginalia is no problem at all with eww, the simple web browser
in Emacs, as well as Links (link -g).

Jump lists
----------

Emacs webjump
............
In Emacs, I use webjump to quickly jump to favorite Gopher addresses
and web addresses. Webjump also supports simple queries and I have
webjump entries for Wikipedia and DuckDuckgo in my config.

Now I have added to this list:

   ("Marginallia" .
     [simple-query "marginalia.nu"
     "https://search.marginalia.nu/search?query="  #1#])

Webjumps to web pages are opened in eww, and to Gopher addresses
are opened in Elpher.

Ratpoison key binding
....................
In my $HOME/.ratpoisonrc I have a key binding that opens Links
(links -g) and another key binding that opens Links with the
contents of the clipboard.

I have now added a dkey binding that opens the Marginalia URL
in Links:

   bind l exec links -g
   bind L exec links -g $(xclip -o)
   bind M exec links -g "https://search.marginalia.nu/"

Preferred search engine
-----------------------
My plan is to use Marginalia as my default search engine.
Let's see how that works out!


Last edited: $Date: 2024/04/26 19:15:51 $
  </pre>
  ]]></description>
</item>
<item>
<title>Tooting with mastodon.el</title>
  <guid isPermaLink="false">gopher://box.matto.nl/0/tooting-with-mastodonel.txt</guid>
  <link>gopher://box.matto.nl/0/tooting-with-mastodonel.txt</link>
  <pubDate>Sun, 14 Apr 2024 16:13:00 +0200</pubDate>
<description> <![CDATA[
<pre>
Tooting with mastodon.el
========================

Mastodon.el is an Emacs mode to access ActivityPub instances.

Follow your home timeline, the local timeline, and the federated
timeline all from within the comfort of your Emacs session.

Many options
------------
Just like any other ActivityPub client, Mastodon.el supports many options.

Some examples:
* Follow the standard timelines
* Follow the timeline of one or more tags
* Compose and send a toot
* Boost and favorite posts
* Bookmark posts
* View and update your profile
* View profiles of other ActivityPub users
* Search posts
* And more

Installation
------------
Add the following lines to your Emacs init file to install mastodon.el
with use-package:

  (use-package mastodon
    :ensure t
    :config
    (setq mastodon-instance-url "<url-of-your-instance>")
    (setq mastodon-active-user "<username>"))

Evaluate the buffer with the init file or restart Emacs.

Next, open the `*Messages*'-buffer in a second window.
Run `M-x mastodon', this will add an extremely long URL to your messages
and prompts for an authorization code in the mini-buffer.

Copy the URL from the `*Messages*'-buffer and open it in your browser
(I used Firefox for this). You will get a code, copy this and paste
it in the mini-buffer.

You are now all set.

Tooting and some other useful keys
----------------------------------
Just hit `t' to compose a toot, and when ready, send it with the well
known key combo `C-c C-c', or cancel it with `C-c C-k'.
Change the toot visibility with `C-c C-v', and add a content warning
with `C-c C-w'.

Keys to open timelines:
* `H' : Open your home timeline
* `F' : Open federated timeline
* `L' : Open local timeline

Some other useful keys:
* `#' : Prompts you for a tag and open the timeline of the tag.
* `u' : Update the current timeline
* `b' : Boost toot under point
* `f' : Favorite toot under point
* `k' : Toggle bookmark of toot under point

For (much) more, see the info-file that comes with the package
or the mastodon.el homepage at:
https://codeberg.org/martianh/mastodon.el

Happy tooting!


Last edited: $Date: 2024/04/14 16:13:00 $
  </pre>
  ]]></description>
</item>
<item>
<title>Pass, the password storage manager on FreeBSD</title>
  <guid isPermaLink="false">gopher://box.matto.nl/0/pass-the-password-storage-manager-on-freebsd.txt</guid>
  <link>gopher://box.matto.nl/0/pass-the-password-storage-manager-on-freebsd.txt</link>
  <pubDate>Sun, 07 Apr 2024 16:33:32 +0200</pubDate>
<description> <![CDATA[
<pre>
Pass, the password storage manager on FreeBSD
=============================================

> The "standard UNIX password manager"

Pass is a password storage manager that works on the command line.
It advertises itself as the "standard UNIX password manager".

The passwords are encrypted with GnuPG and saved in a directory
structure. Pass uses Git for the version control of this directory.

A sub directory tree inside this directory provides a structure. Each
password is stored in a separate file, encrypted using GnuPG.

Actions that affect passwords, like creation, editing, and deleting,
are automatically committed to Git. Add a remote repository to share
and synchronize the password store with your other machines.

You start by adding existing passwords to the storage. For new
accounts you let pass generate the password. Pass generates unique,
strong passwords using /dev/urandom.

Retrieved passwords can be shown on the command line, copied to the
clipboard, or exported as a QR-code. The clipboard will be restored
after 45 seconds.

Pass is available for the most current operating systems. It support
the use of multiple GnuPG keys.

Convenience utilities
---------------------
Pass comes with several convenience utilities.

* completion is available for several shells
* passmenu uses dmenu to let you select an account
* pass-import imports several formats, used by some popular password
 managers
* a Emacs mode to use pass from within Emacs
* and more

Directory structure
-------------------
At initialization, pass creates a directory at the default location
$HOME/.password-store.

Set the environment variable `PASSWORD_STORE_DIR' to override the
default location,

By adding entries to pass, you create a structure within this
directory. To add a new entry the name of the sub directory must be
provided.

Entries are grouped together in a sub directory, for example all a sub
directory for your Fediverse accounts, a sub directory for news outlet
accounts, and so on. Sub directories can be nested, you can add as
many layers as you want.

Install package
---------------
On FreeBSD, install the packages "password-store" and "git".

   pkg install git password-store

The package "password-store" provides "pass", our cli tool.

Create a GnuPG key
------------------
You can use pass with an existing GnuPG key, or create a dedicated
key.

As an example we choose to create a new, dedicated key.
Here's how to create an elliptic curve key:

   gpg2 --full-gen-key
   gpg (GnuPG) 2.4.3; Copyright (C) 2023 g10 Code GmbH
   This is free software: you are free to change and redistribute it.
   There is NO WARRANTY, to the extent permitted by law.

   Please select what kind of key you want:
      (1) RSA and RSA
      (2) DSA and Elgamal
      (3) DSA (sign only)
      (4) RSA (sign only)
      (9) ECC (sign and encrypt) *default*
     (10) ECC (sign only)
     (14) Existing key from card
   Your selection? 9
   Please select which elliptic curve you want:
      (1) Curve 25519 *default*
      (4) NIST P-384
      (6) Brainpool P-256
   Your selection? 1
   Please specify how long the key should be valid.
            0 = key does not expire
         <n>  = key expires in n days
         <n>w = key expires in n weeks
         <n>m = key expires in n months
         <n>y = key expires in n years
   Key is valid for? (0)
   Key does not expire at all
   Is this correct? (y/N) y

Here, we did choose 0 - key does not expire. Depending on your
thread model, you might prefer a different choice.

    GnuPG needs to construct a user ID to identify your key.

    Real name: <name, for example: pass-store-key>
    Email address: <email, for example [email protected]>
    Comment: <leave blank or enter a some comment>

The next step is to enter a password or passphrase (very long
password). Choose a strong password, this is the protection of your
data when your system, the Git repo or a backup from the repo gets
compromised. Make sure you save the password in a safe place, without
the password you won't be able to decrypt your data.

Make a backup of your key:

    gpg -a --export-secret-key <keyid> > backup-of-key.asc

Here `backup-of-key.asc' is the name of the file. Choose any name
you like. It is customary to use the .asc extension for ascii-armored
keys.

For <keyid> you can use the email address with which you created the key
(in our example: [email protected]), or the long hexidecimal string
shown when you request a list of your secret keys with `gpg -K' (that is
an uppercase k).

Keep the backup file separated from your passwords. Don't put the
exported key (the backup file) in the same Git repository as your
passwords.

Initialize password storage manager
-----------------------------------
Next, we initialize the storage directory.

   pass init <gpg-key>
   pass git init

The first command create a new directory, $HOME/.password-store
The second command initializes Git in this directory.

Initialize a remote repository
------------------------------
It's best to immediately create a remote repository, so your passwords
live at least on two locations.

   ssh <othermachine> mkdir password-store
   ssh <othermachine> "cd password-store && git init --bare"

Add the remote:

   pass git remote add origin <othermachine>:password-store

Add an existing password
------------------------
Add the password:

   pass insert Yahoo/<account>

You will be prompted for the password twice.
Use `-e' to echo back your input to the console.

This password will be saved in the encrypted file
`$HOME/.password-store/Yahoo/[email protected]'

Create a new, strong password
-----------------------------
Random generated passwords are stronger than the passwords you
can come up with. Pass generates passwords with any length.

It shows the generated password on the command line, or copies it
to the clipboard, or creates a QR-code.

   pass generate Yahoo/<other-account>

This will generate a password with the default length (25 chars).

To generate a password with the length of 35 chars:

   pass generate Yahoo/<other-account> 35

With the flag `-c' the password will be copied to the clipboard:

   pass generate -c Yahoo/<other-account>

Set the environment variable `PASSWORD_STORE_GENERATED_LENGTH' to override
the default length without having to provide a length at the command line.

Push the Git repository to the remote
-------------------------------------
Pass has automatically committed any changes to the local Git
repository.

You have to push these manually to the remote repository:

    pass git push -u --all

If you started with a Git clone, `pass git push' will be enough.

Likewise, you can pull the changes from the remote with:

   pass git pull

By pushing the changes to a remote repo, the keys are stored at least
at two different places, lowering the chance of total loss.

List the available passwords
----------------------------
To get a list of the available passwords, simply issue the command;

   pass

Pass creates a tree view of the directory structure and the files with the
passwords.

Retrieve the password
---------------------
Retrieval of the password is easy:

   pass Yahoo/<account>

This requires the password for your GnuPG key. The gpg-agent will make
sure you don't have to type your password too often.

Change the password
-------------------
To change the password, use the `pass edit' command.

   pass edit Yahoo/<account>

This will fire up your editor and let you edit the password. Which
editor is used depends on the environment variable EDITOR, or using vi
as a fallback.

Use this not only for changing the password but also for adding
multi-line entries (see below).

Delete the password
-------------------

   pass rm Yahoo/<account>

Usernames and passwords
-----------------------
Suppose you have two different usernames or accounts at the same
organization, just use the sub directory structure:

  pass insert Fediverse/Lemmy/<username-1>
  pass insert Fediverse/Lemmy/<username-2>

This will result in:

   .password-store/
   `-- Fediverse
       `-- Lemmy
           |-- username-1
           `-- username-2

Multiline entries
-----------------
To enter a multi-line entry, add the `-m' switch to the pass insert
command:

   pass insert -m Group/account

Enter as much info as you like, and finish with Ctrl-d.

Another option to enter multi-line entries is to use the edit command,
and create the multi-line entry in vi. This method is less
error-prone, because it allows you to correct mistakes.

When you retrieve a password with -c, pass copies only the first line
of a multi-line entry to the clipboard. The first line in multi-line
entries should therefor contain the password, and nothing else.

This is useful when you also want to store the security questions and
the answers you gave. This is also useful for websites where you are
identified by both a username and an email address. Or if you need to
store any other additional information. The information that you add
below the first line doesn't harm the normal pass workflow and still
enjoys the protection from the encryption.

Organize the information in the lines below the password using the
format

   fieldname: value

This way, e.g., additional tools like the Emacs mode are able to
fetch specific fields from it.

Accessing the passwords on a different machine
----------------------------------------------
Two steps are needed to access the passwords on a different machine:

* clone the Git repository
* import the GnuPG key

Clone the repostiroty from the remote
....................................
To clone the repository from the remote:

   git clone <othermachine>:password-store .password-store

Where <othermachine> is the machine where you pushed the remote.

Test that you see the tree when you issue the command `pass'.

Importing the GnuPG key
......................
Copy the file `backup-of-key.asc' (or whatever file name you entered)
to the machines where you also want to use your password store and
import it in GnuPg with:

   gpg --import backup-of-key.asc

After that, you must set the trust. Edit the key with gpg --edit-key
and issue the command `trust'.

   gpg --edit-key <keyid>
   ...
   trust
   Please decide how far you trust this user to correctly verify other users' keys
  (by looking at passports, checking fingerprints from different sources, etc.)

    1 = I don't know or won't say
    2 = I do NOT trust
    3 = I trust marginally
    4 = I trust fully
    5 = I trust ultimately
    m = back to the main menu

Choose 5 - trust ultimately.

Retrieve a password to check that GnuPG can decrypt the file with the
password.

After this, you can open, change and add passwords with the imported
key.

The good, the bad and the ugly
------------------------------
The good:
* pass is easy to use
* GnuPG provides secure encryption
* pass supports multi-line entries for additional information
* pass generates strong passwords
* pass commits your changes to Git
* the package comes with an Emacs mode

The bad:
* pass uses the name of the account as file name

 Somebody who reads the directory tree --which doesn't require a
 GnuPG key-- sees which accounts are in the tree.
 This requires either access to your machine or to the Git repo
 or a backup from the Git repo.

The ugly:
* When using multiple machines you have to keep the tree in sync

 This is probably the hardest part when using pass on multiple
 machines.
 - Whenever you make changes, make it a habit to immediately push
   your changes to the remote (`pass git push').
 - Start your session with `pass git pull' to make sure you have the
   latest version.

Emacs mode
----------
Of course there is an Emacs mode for pass!

The FreeBSD package `password-store' installs a few files in
`/usr/local/share/password-store/emacs/', among others the file
`password-store.el' and `README.md'.

After loading the `password-store.el' in Emacs, you can run commands
like:

* M-x password-store-insert
* M-x password-store-copy
* M-x password-store-copy-field

The last option is useful for multi-line entries, where each line
(except the first line, which contains the password) starts with
`fieldname: '.

There are more options than shown here, see the password-store.el file.

The commands like password-store-copy will give you a list of the
available passwords in the mini buffer, where you can pick the right
one using completion.

Much more
---------
Pass can do much more, and there is a small ecosystem around it,
with tools, clients, GUIs, and so on.

See the friendly manual with `man pass', and also the website
https://www.passwordstore.org/



Last edited: $Date: 2024/04/07 16:33:32 $
  </pre>
  ]]></description>
</item>
<item>
<title>Shell script to create and sign certificates</title>
  <guid isPermaLink="false">gopher://box.matto.nl/0/shell-script-to-create-and-sign-certificates.txt</guid>
  <link>gopher://box.matto.nl/0/shell-script-to-create-and-sign-certificates.txt</link>
  <pubDate>Sun, 31 Mar 2024 19:34:07 +0200</pubDate>
<description> <![CDATA[
<pre>
Shell script to create and sign certificates
============================================

Modern web browsers lament the absence of encryption when they access
local web services on the home network. Adding certificates
to these services gain sigificance.

Mkcert
------
Mkcert creates signed locally trusted certificates. It makes managing
and operating a local CA much easier.

Mkcert is written in Go and available for Linux, Mac OS and Windows.

My home network's systems are running FreeBSD. I had some dependency
issues when compiling Mkcert, so I installed Mkcert it in a Linux
virtual machine. It is excessive to start a virtual machine (VM)
merely to generate few certificates.

Shell script
------------
After some trial and error, I created a shell script to generate
signed certificates. The script signs using the rootCA key generated
by Mkcert, which is already trusted on my systems.

Mkcert creates certificates with the parameter:

   subjectAltName=DNS:<FQDN of the subdomain>,IP:<ip-address of the server>

I also set out to accomplish this with the script.

Structure
---------
* The script asumes that the rootCA.key and the rootCA.crt are
 in the directory ~/certs/rootcert.
* For every subdomain a subdirectory is created under
 ~/certs/keys/

This is how it looks:

   certs
   |-- keys
   |   |-- first.example.com
   |   |   |-- first.example.com.crt
   |   |   `-- first.example.com.key
   |   `-- second.example.com
   |       |-- second.example.com.crt
   |       `-- second.example.com.key
   `-- rootcert
       |-- rootCA-key
       `-- rootCA.crt

The idea is that you can either put ~/certs or the subdirectory
~/certs/keys into a versioning system like Git.

Choose any versioning system, the key and certificate are text files.

Not a security solution
-----------------------
Always evaluate your thread model before selecting a security
solution.

The purpose of the certificates is to prevent browsers from
complaining about the lack of encryption. Perhaps in the future,
browsers will not allow users to log in to sites that do not use
encryption. It's best to have things ready before that happens.

The traffic is now encrypted, providing some protection against
eavesdropping; nonetheless, do not use this method when security is
critical.

Where to install the certificates
---------------------------------

Your FreeBSD workstation trust the certificates when you place the
rootCA certificate in:

   /usr/local/share/certs

Next, run

  certctl rehash

Configuriation of your subdomains in NGINX:

   server {
       listen *:443 ssl;
       server_name subdomain.example.com;
       ssl_certificate /path/to/subdomain.crt;
       ssl_certificate_key /path/to/subdomain.key;
       location / {
         ...
       }
   }

The script
----------

Here's the script:

   #!/bin/sh

   if [ $# -ne 2 ]; then
     echo "Usage: $0 <subdomain> <ip-address>"
     exit
   fi

   subdomain=$1
   IP=$2

   echo "Creating certifcate for FQDN: <$subdomain> on IP: <$IP> ..."
   echo ""

   myrootcertpath=${HOME}/certs/rootcert/
   mypath=${HOME}/certs/keys/$subdomain
   mkdir -p $mypath
   cd $mypath

   # Create conf file:
   echo "[req]" > $subdomain.conf
   echo "distinguished_name=req" >> $subdomain.conf
   echo "[SAN]" >> $mypath/$subdomain.conf
   echo "subjectAltName=DNS:$subdomain,IP:$IP" >> $subdomain.conf

   echo "subjectAltName=DNS:$subdomain,IP:$IP" > $subdomain.ext

   # Check if key exists, if not, create
   if [ -e $subdomain.key ]; then
     echo "Key $mypath/$subdomain.key available, not generated"
   else
     openssl genrsa -out $subdomain.key 2048
     echo "Created key $mypath/$subdomain.key"
   fi

   # Create a new csr from the key
   openssl req -new -sha256 -key $subdomain.key -subj /CN=$subdomain -out $subdomain.csr

   # Sign the key
   openssl x509 -req -extfile $subdomain.ext -in $subdomain.csr \
           -CA $myrootcertpath/rootCA.crt -CAkey $myrootcertpath/rootCA.key \
           -CAcreateserial -out $subdomain.crt -days 500 -sha256

   # Clean up
   rm $subdomain.conf
   rm $subdomain.ext
   rm $subdomain.csr

   echo "Certificate $mypath/$subdomain.crt created"
   echo "view with: openssl x509 -noout -text -in $mypath/$subdomain.crt"

Have fun!


Last edited: $Date: 2024/03/31 19:34:07 $
  </pre>
  ]]></description>
</item>
</channel>
</rss>

You are viewing proxied material from box.matto.nl. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.