I use Tor onion services (location-hidden services) to manage a lot of my servers, since some are behind NAT or have dynamic IP addresses, and onion services do excellent NAT traversal and allow access without knowing IP addresses. Alas, for security reasons the older v2-style onion addresses will be deprecated in 11 days. I thought it would be trivial to generate v3 addresses for all my servers, and for most it was, but I ran into some grief.
keeping das Blinkenlights on
The Junkyard Server Farm has grown up. The primary data center has over 30 servers and serves a number of diverse users. As it has grown from a couple of old, junked machines on a desk, to taking up most of a walk-in closet, to a growing motley collection of machines on the floor, to getting a formal equipment rack (not a 19″ EIA rack; rack-mount equipment is still way too overpriced for us), I have had the opportunity to re-cable everything. Between times, as machines get added or replaced and new networking requirements (IPv6!) come into play, cables get added without the benefit of careful dressing through established channels, and things begin to look rather a mess.
remote authentication for whole disk encryption
the (skippable) background
Update 31August2019: Ugh. It all gets rather more complicated than I like by the time you get WiFi and the Tor hidden service running. I was thinking of creating an SD card image, but then I’d have to maintain it for each new release of Raspbian. Josh suggested that, instead, I create a bash script to do the whole install to a vanilla Raspbian. If you’ve tried creating this and got lost, stay tuned and I’ll do the installer as time allows. Email me if you want to encourage me to do it sooner.
I am a fan of whole-disk encryption. It is just about the only way to ensure that a lost, stolen, confiscated, or discarded machine doesn’t leak information.
spamassassin + spampd + bayesian filtering
I have been running my own mail server for an eternity. For the last decade or two, it’s been Postfix with Spamassassin (invoked via spampd) for spam control. I then ran the most-excellent SpamSieve on my laptop to catch the spam that Spamassassin missed.
managing Let’s Encrypt wildcard certificates
For a long time, TLS (née SSL) certificates were out of reach for the low-budget network admin. They got cheaper and easier to get, but it was still a hassle and an expense. Then came Let’s Encrypt, which offered no-cost certificates that you could obtain using fully automated tools.
cognitive behavioral therapy
Journalist Sydney J. Harris said “Once we assuage our conscience by calling something a ‘necessary evil,’ it begins to look more and more necessary and less and less evil.” I think that may be where we’re at with psychotropic medications for depression.
I just renewed my membership to TidBITS. If you’ve never heard of TidBITS, you should check them out. They have been publishing continuously online for 28 years, and their content is second to none. They also host an amazing online discussion list, TidBITS-Talk. The site’s content is focused on Apple news and technology, but the quality of the journalism is so high and the coverage is broad enough that there is likely something there for everyone.
Membership is completely optional, so check it out. It is not hyperbole to say that TidBITS has improved the quality of my life every week for the past quarter century.
I’ve been using the TWiki collaboration platform since at least 2004. It has always been a bit of a trial—it doesn’t create terribly pretty sites, and it has been a bear to maintain. Its real strength is collaboration, but I used it mostly as a site-creation tool.
Edit 13June2018: also check out our 3D print projects on risley.net.
Making Linux Bootable Clones
A bootable clone is a disk that holds a complete copy of a running system that’s ready to boot. Bootable clones can be a critical part of your backup strategy.