25/04/2024

git-crypt headache

Just a quick tip to remind myself how to properly commit some data that needs to be encrypted with git-crypt.

First of all, if you need to change files pattern or paths of the data you need to encrypt you have to change your .gitattributes file:

  1. git clone the encrypted repo
  2. modify .gitattributes
  3. git add & git commit
  4. git push

In case you only have to change encrypted files or add new encrypted files

  1. git clone the encrypted repo
  2. unlock it with “git-crypt unlock <key path>”
  3. verify files are not crypted with “git-crypt status ; file <encrypted files path>”.
    If they’re shown as “data” it means they’re still encrypted (unless they’re binary data by themself)
  4. add/change files
  5. git add & git commit
  6. git-crypt lock
  7. verify files are encrypted before pushing repo with “git-crypt status ; file <encrypted files path>”
  8. git push

After all this you can blame yourself for turning one more simple thing into a hard one.

18/04/2024

The State of EVE Online – Spring 2024

It looks like a century has passed since I wrote something about this game… in fact it was 2022 and I was writing about the problems affecting the game.

Well none of that has been solved, and probably more problems have been added… but that’s the last important of the bad news.

The main problem the game is facing is that something terrible we saw coming for years is happening, the game is basically split into two big factions fighting each other, or better not fighting each other and living in some sort of “cold war stalemate”.

On one side we have the Imperium and allies, basically the Goonswarm and friends.

It’s a huge community with a great organization, good fleet commanders and with any opportunity for any player to do whatever they want, no matter they are experienced bitter veterans or fresh newbies.

In its recent history Imperium removed any kind of system renting (basically small entities pays a fee to use a system for farming and their own things, just like a victim of some sort of mafia boss, if they don’t pay they have to leave or get crushed), made its space free for all its members and call a war against botting (the use of illegal bots to farm).

On the other side we have a larger organization called Pandafam, made by the chinese alliance Fraternity, Pandemic Legion, Pandemic Horde and North Coalition.

This huge collection of alliances have almost anything inside:

  • chinese alliances that costantly violates the game rules and licenses promoting bots and RMT (Real Money Trading, selling or buying game goods with real money, which is strictly prohibited but the game owner CCP) and living on renting.
  • veteran alliances like Pandemic Legion and Northern Coalition made by a bunch of people but ruling like mafia bosses thanks to space renting
  • a melting pot of everything (newbies, spies, whoever else dislike Imperim for no reasons) called Pandemic Horde.

This mix of everything is founded (and funded) mostly on renting and illegal operations (bots and RMT) and usually deny any content (which means pvp fight) they are not 100% sure to win, they use timezone tanking (putting their structure’s vulnerability timers in chinese timezone in a way that it’s almost impossible to contest them), and recently they started to reinforce their own structures to put next timers also in chinese timezone (preventing enemies to set those timers in US or EU timezone, denying pvp content).

In short words they are killing the game.

You may think I’m clearly on Impierium side and against Pandafam, take a loot yourself on how vast is Pandafam space compared to Imperium and its allies.

In general Imperium+allies and Pandafam have similar player numbers, but look how huge is Pandafam space compared to Imperium one.

Why? The answer is simple: renting.

All those regions highlighted in purple are almost entirely dedicated to renting, the less attractive systems (systems with low resources) are empty resulting in a huge waste of systems, all the others are rented to very small corporations for farming 24/7 (in a lot of case using bots) with astronomical profits of trillions of isks each month.

No attackers, no fleets, no pvp, all that purple area is a totally dead region made to earn money by renting and botting, turning a fun game into renting/botting farm… if this makes you remember The Matrix you’re not far from the truth…

On the other side Imperium and allies showed a completely opposite scenario:

  • any alliance, no matter its size, can live in a single region if it’s well organized
  • no renting, no mafia bosses, no extortion
  • the essence of the game, which makes it alive is pvp so everything should be focused on it, everything that prevents pvp should be modified or removed
  • if you want to conquer a system, a constellation or an entire region you’re free to try it, get organized, get people and fight for conquer it
  • if you want to stay in a system, a constellation or a region you have to fight, to get people and get resources to defend yourself
  • less passive income, if you want to get resources you must have players and be active
  • each region should be accessible for invasion and conquer
  • small groups should be able to conquer space to get bigger and fight each other for survival, a bipolar universe is not healthy for the game.

I don’t know what you think but the last manifesto is way better and promising for the future of the game.

04/04/2024

Matomo & OpenID: a sad story…

These days I’m playing a little bit with Authentik, quite a pretty piece of software if you need a flexible identity provider for your services and don’t want to pay a ton of money for Okta or some other humongous commercial idp.

To be honest the more I spend time on Authentik the more I think It’s probably the best option if you’re looking for an “open source” Okta.

Honestly I don’t need a service like this, I have a basic experience with federation (mostly with SAML2 protocol) but I never had to setup and idp.

This time I tried to federate WordPress and Matomo with Authentik.

With WordPress it was fine, I had only one problem with the RedirectURI that has a querystring, and that means that the question mark needs an escape character, for example:

/wp-admin/admin-ajax.php\?action=openid-connect-authorize

With Matomo… well It was a different story:

1. first of all I had to install the only plugin available (LoginOIDC)

2. as for WordPress I had to escape the querystring question mark for the RedirectURI

3. I had to create a rewrite rule to accept a static RedirectURI

RewriteRule oidc/callback /index.php?module=LoginOIDC&action=callback&provider=oidc$1 [R=301,QSA]

4. I had to manually create the database table for the plugin to work, because the plugin installation procedure missed.

I used this SQL syntax onMariaDB 10:

CREATE TABLE piwik_loginoidc_provider (
user VARCHAR(100) NOT NULL,
provider_user VARCHAR(255) NOT NULL,
provider VARCHAR(255) NOT NULL,
date_connected TIMESTAMP NOT NULL DEFAULT current_timestamp() ON UPDATE current_timestamp(),
PRIMARY KEY (provider_user, provider),
UNIQUE KEY user_provider (user, provider),
FOREIGN KEY (user) REFERENCES piwik_user (login) ON DELETE CASCADE
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb3 COLLATE=utf8mb3_general_ci;

…and finally the OpenID federation plugin start to work.

A couple of considerations:

WordPress: how is it bloody possible that in 2024 the most used CMS, the platform that runs more than 70% of the web does not support out of the box at least one federation protocol?!?!?
This is absolutely crazy imho… stop working on the damn interface and fix this nonsense…

Matomo: c’mon guys… you pretend to be a serious alternative to Google Analytics and you don’t support out of the box at least one federation protocol???? Seriously?!?!?
And the only plugin available was updated almost 1 year ago, we have two options:
1) it has no bugs, maybe it’s the best written piece of software ever made in human history
2) its development is basically abandoned

I would like it’s the first option, but if I had to bet some money I’ll bet on the 2nd one…

16/03/2024

RPi4 power consumption

It’s been a while since a started using a Raspberry Pi 4 as a home server instead of my old Banana PI, yesterday I was following a interesting thread on a forum regarding RPi5 compared to some x64 boards, specially those using Intel N100 processor.

This thread made me remember the good old days when I started using my ancient Via Epia board and I won a forum competition for the home server with the lowest possible power consumption.

Now seems like people complains about RPi because of its cost and it’s performance/power ratio compared to other boards, like those using Intel N100, and this pushed me to check out my beloved Pi power consumption, let’s bust some myths!

Before starting let me roughly explain how I use my RPi4, just to clarify that it’s not an idle server stuck in a closet to absorb electricity:

  • backup server (I keep the main backup copy on the Pi, every night I start a second server via PoE and I sync any backup on it and on a Backblaze B2 bucket)
  • hosting server (a few sites, mainly based on PHP cms and published via Cloudflare Tunnel)
  • personal wiki with Bookstack
  • PiHole server
  • phpIPAM server
  • Nagios server to monitor my network and my devices
  • Collectd + Collectd Graph Panel to monitor resources usage
  • Uniquiti Unifi Controller to manage my Wifi APs
  • Document management system with Paperless NGX
  • Wireguard server for VPN
  • Gitea as my private git repository
  • Webmail server with Roundcube to get any notification from my cron jobs and devices on LAN
  • Immich as a backup server for media on mobile devices
  • Jellyfin server
  • Vaultwarden as password manager
  • several LAMP stacks here and there to try things, web projects etc etc…

Not let’s take a look to my setup:

  1. Raspberry Pi 4B with 8GB of ram
  2. Crucial BX500 240GB SATA SSD as a boot device via usb on the RPi4
  3. Seagate ST1000LM024 1TB SATA 2.5″ hard drive as a data volume connected via usb to the RPi4

To measure power consumption I used a Shelly Plug and an external self powered USB hub for measuring each usb drive.

This is my RPi4 power consumption on idle with the two usb drives, as you can see we’re on a 6.4W average, not bad…

 

Here is the Pi with only the SSD, around 4.7W

And here’s the mechanical HDD by itself at around 2.7W

As you can see the sum of the Pi+SSD (4.7W) and the HDD (2.7W) is over the average power consumption of the three devices all together (7.4W vs 6.4W), and that’s pretty normal, attaching the HDD directly to the Pi and power it via Pi’s usb ports is more efficient, and does not have the overhead of the usb external hub (which probably is less efficient as the Pi and its PSU).

Let’s continue with the hard drives, in this test I measured the power consumption of the SSD and the HDD powered via the USB external hub.

This test imho is particularly interesting because it show something unexpected to me, the yellow box shows the HDD test while the blue box shows the SSD test.

As you can see the idle power consumption is not that different between the two drives (~2.7W), and that’s shocked me because I thought the SSD would be much more energy efficient and less power hungry. If we move to the stress test we can se a huge difference between the two, and that’s what I was expecting to see.

And finally we can see how the application load really impact on the power consumption.

For this test I measured only the Pi power consumption without SSD or HDD, in the first section (marked in the yellow box) you can see the Pi consumption on idle with only the basic OS (Debian 11) running on it, then I started all the application I usually run on it, all together (check the spike in the blue box), then finally the Pi with all the services running on it (red box).

As you can see there’s no such difference between an idle system with basically no services running on it, and the system with all the services I mentioned at the beginning running on it.

Obviously we’re talking about a home server solution, with basically one user and a few hosted sites (but we’re still talking about small WordPress sites with a few Matomo instances and not a lot of visitors)

 

 

I hope this will be helpful if you’re thinking about buying a Raspberry Pi as your own home server.

02/03/2024

Using KeeAgent with Cygwin OpenSSH

As I said in the previous post I’m in love with Cygwin… but I’m also in love with Keepass… and I also live with ssh… so how to make my life easier?

The answer is simple: KeeAgent

KeeAgent is a Keepass plugin that can work as a ssh agent, in this way:

  1. you can save you ssh private keys in a safe and encrypted Keepass database –> NO MORE PRIVATE KEYS ON FILESYSTEM
  2. you don’t have to deal with ssh private keys passphrases, because they’re stored in the Keepass entries where you’ll save private keys –> NO MORE UNENCRYPTED PRIVATE KEYS
  3. you can easily retrieve public keys to authorize hosts access without searching like a hound on your filesystem, in a couple of clicks KeeAgent will provide them

Apparently the setup of all this thing may seem complex, in reality it’s quite simple:

  1. download and install KeeAgent from https://github.com/dlech/KeeAgent/releases
  2. in KeeAgent options (Tools -> Options -> KeeAgent) put this string into “Cygwin/MSYS Integration” Path
    %UserProfile%/.keeagent.sock
  3. restart Keepass and check if there’s the file .keeagent.sock in your home and it’s a socket file
    file ~/.keeagent.sock
  4. export SSH_AUTH_SOCK variable and put it on your .bashrc file, the value of the variable should be the path of the socket file you set at the point number 2.
    echo "export SSH_AUTH_SOCK=~/.keeagent.sock" >> ~/.bashrc
  5. make sure you have installed Cygwin OpenSSH and you’re not using Windows ssh

The setup is complete, now you only have to create key entries in your Keepass database, attach private key files, fill the password field and enable those entries to be loaded with KeeAgent.

For more details check the super clear KeeAgent documentation.

« Post precedenti | Post successivi »