antipaucity

fighting the lack of good ideas

tesla’s cybertruck [almost] does two things i’ve said for a long time

“Tesla will add solar power to the Cybertruck to generate 15 miles per day. Fold-out solar wings for the Cybertruck would generate 30 to 40 miles per day. The average daily commute in the US averages 30 miles per day.”

https://www.nextbigfuture.com/2019/11/solar-power-tesla-cybertruck-could-have-free-15-40-mile-daily-commutes.html (https://twitter.com/elonmusk/status/1197889310550216704)

Or remember my comments on SolarCity 3 years ago?

Offering a solar option (or standard) tonneau cover for the bed is an absolute no-brainer. When you own the solar production plant, why wouldn’t you include it?

But more than this, the multi-motor options are a real-world implementation of something I’ve been saying for 20+ years: it makes far more sense to put a motor at (or very near) each wheel, or at least each axle, in an electric vehicle than it does to have one motor distributing its work everywhere.

Sure, running the cabling to each wheel/axle is a little complicated – but it’s a lot less complicated than drivetrains.

powering my merikebi with ifttt

As I mentioned a while back, I am maintaining a merikebi for myself of as much of my public internet content as possible.

The initial seeding of content was done via WordPress import. Then I added a dump from Pocket of everything I’d saved there.

Lastly, to keep it going, I made a few IFTTT triggers – one for my Twitter account, and then one each to import from RSS from my other blogs.

IFTTT has been a great tool for me for several years. And though their current interface isn’t as simple as it used to be, it’s still got great functionality.

goodbye, self-hosted mastodon

It was nice knowing you. No really. It was.

I don’t say that because I found anything wrong in the fediverse.

Nope.

It’s entirely because a recent apt update not only broke my sweetree.ga instance, it irrecoverably broke it.

Guess I’ll have to use that domain somewhere somehow somewhen else.

Maybe I’ll try you again in a couple years.

a semi-permanent psa on passwords

Passwords should never expire: https://www.sans.org/security-awareness-training/blog/time-password-expiration-die

Passwords should not be changed often: https://www.schneier.com/blog/archives/2016/08/frequent_passwo.html

Password “complexity” is – mostly – a joke: https://www.xkcd.com/936

You have been breached: https://blog.augustschell.com/passwords-passphrases-complexity-length-crackability-memorability-data-breaches

Passphrases are better than passwords – and https://password.ga will generate them for you (it will also generate random passwords that pass complexity requirements)

Use a password manager of some kind
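To put numbers behind the passphrase advice above, here is an added example (not code from the post or from password.ga): it generates a passphrase with Python’s CSPRNG (`secrets`, never `random`) and compares the entropy of an N-word passphrase with that of a “complex” fixed-length password. The wordlist embedded here is a constructed stand-in; a real generator would load a large published list such as the EFF long list, whose size (7776 words) is only used as an input to the entropy arithmetic.

```python
"""Passphrase generation with a CSPRNG, plus entropy comparison against
'complex' passwords. Added example; the wordlist below is a constructed
stand-in for a real diceware-style list."""
import math
import secrets

# Constructed sample wordlist. A real generator loads a large list
# (e.g. the EFF long list with 7776 entries) from disk.
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "anvil", "cobalt", "meadow",
    "lantern", "pepper", "quartz", "river", "saddle", "timber", "velvet",
    "walnut", "zephyr",
]

# Size of the character set a typical 'complexity' policy draws from:
# upper + lower + digits + printable punctuation on a US keyboard.
COMPLEX_CHARSET = 26 + 26 + 10 + 33


def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Entropy of `symbols` independent uniform picks from `choices_per_symbol`."""
    if choices_per_symbol < 2 or symbols < 1:
        raise ValueError("need at least two choices and one symbol")
    return symbols * math.log2(choices_per_symbol)


def passphrase(words: int, wordlist=SAMPLE_WORDS, sep: str = "-") -> str:
    """Pick `words` entries uniformly with the OS CSPRNG and join them."""
    if words < 1:
        raise ValueError("a passphrase needs at least one word")
    # secrets.choice uses os.urandom-backed randomness; random.choice does not.
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def compare(words: int, list_size: int, pw_length: int) -> dict:
    """Entropy of a `words`-word passphrase vs a `pw_length`-char complex password."""
    return {
        "passphrase_bits": round(entropy_bits(list_size, words), 2),
        "password_bits": round(entropy_bits(COMPLEX_CHARSET, pw_length), 2),
    }


if __name__ == "__main__":
    print("sample passphrase:", passphrase(5))
    # 6 words from a 7776-word list vs an 8-character 'complex' password.
    print(compare(words=6, list_size=7776, pw_length=8))
```

The point the arithmetic makes: six words from a 7776-word list carry about 77.5 bits, while an eight-character password drawn uniformly from 95 printable characters carries about 52.6 bits, and a human-chosen “complex” password is far below that uniform bound. The passphrase is the one you can actually remember.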

do you leak?

It would seem I have configured OpenVPN, Squid proxy, and, to a lesser extent, Pi-hole well – none of the major sites that report IP, DNS, and other connection-related security issues find anything out of the ordinary when I’m running “just” proxied, VPN only, or VPN+proxy.

You should check yourself here:

  1. https://ipleak.net
  2. http://ip-check.info/?lang=en (ironic this site isn’t serving itself over https)
  3. https://doileak.com
  4. https://whatismyip.com
  5. https://browserleaks.com/ip

And, of course, if you just want to see what your public IP address is, go hit my service – IPv4.cf

rethinking pi-hole (again)

About 2 years ago, I started running Pi-hole as a DNS resolver and ad-blocker. Then last year, I ditched it.

After seeing a recent post by Troy Hunt, though, I thought it might be worth revisiting, but I needed a better way to control how it worked.

Enter OpenVPN – a service I already run on three endpoints. Here’s what I did:

Install Pi-hole per the usual (curl -sSL https://install.pi-hole.net | bash if you’re feeling brave; curl -sSL https://install.pi-hole.net, inspect the script, then run it, if you’re feeling a little more wary).

This time, though, I set my upstream DNS providers to Cloudflare (1.1.1.1) and Quad9 (9.9.9.9) instead of Freenom and Google.

I also did a two-step install – once with Pi-hole listening on the primary network interface on my OpenVPN endpoint (i.e. the public IP), and then, once I made sure all was happy, I flipped it to listen on tun0 – the OpenVPN-provided interface. This means Pi-hole can only hear DNS queries if you’re connected to the VPN.

Why the change from how I’d done it before? Two reasons (at least):

First, if you leave Pi-hole open to the world, you can get involved in DNS amplification attacks. That is muy no bueno.

Second, sometimes I don’t care about ads – sometimes I do. I don’t care, for example, most of the time when I’m home. But when I’m traveling or on my iPhone? I care a lot more then.

Bonus – since it’s only “working” when connected to my VPN, it’s super easy to check if a site isn’t working because of Pi-hole, or because it just doesn’t like my browser (hop off the VPN, refresh, and see if all is well that wasn’t when on the VPN).

Changes you need to make to your OpenVPN’s server.conf:


push "dhcp-option DNS 10.8.0.1"

This ensures clients use the OpenVPN server as their DNS resolver. (Note: 10.8.0.1 might not be your OpenVPN parent IP address; adjust as necessary.) Restart OpenVPN after making this change.

My setupVars.conf for Pi-hole:


PIHOLE_INTERFACE=tun0
IPV4_ADDRESS=10.8.0.1/24
IPV6_ADDRESS=
QUERY_LOGGING=true
INSTALL_WEB_SERVER=true
INSTALL_WEB_INTERFACE=true
LIGHTTPD_ENABLED=false
WEBPASSWORD=01f3217c12bcdf8aa0ca08cdf737f99cd68a46dbdc92ce35fd75f39ce2faaf81
DNSMASQ_LISTENING=single
PIHOLE_DNS_1=1.1.1.1
PIHOLE_DNS_2=1.0.0.1
PIHOLE_DNS_3=9.9.9.9
DNS_FQDN_REQUIRED=true
DNS_BOGUS_PRIV=true
DNSSEC=false
CONDITIONAL_FORWARDING=false
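Because the whole point of this setup is that the resolver is reachable only over the tunnel, a check that the two config files agree with each other is worth having. The following is an added example, not part of the post or of Pi-hole/OpenVPN: it parses a setupVars.conf and an OpenVPN server.conf and reports the mistakes that would either expose the resolver to the internet (non-tunnel interface, dnsmasq listening on all interfaces) or leave VPN clients resolving elsewhere (no DNS push, or a push that doesn’t point at the Pi-hole address). The two config strings are constructed samples mirroring the values in the post; on a real host you would read the actual files.

```python
"""Cross-check Pi-hole's setupVars.conf against the OpenVPN server.conf it
sits behind. Added example; the sample configs below are constructed."""
import ipaddress
import re

# Constructed sample mirroring the relevant lines of the post's setupVars.conf.
SETUPVARS = """\
PIHOLE_INTERFACE=tun0
IPV4_ADDRESS=10.8.0.1/24
DNSMASQ_LISTENING=single
PIHOLE_DNS_1=1.1.1.1
PIHOLE_DNS_2=1.0.0.1
PIHOLE_DNS_3=9.9.9.9
"""

# Constructed sample OpenVPN server.conf with the 'push' line from the post.
SERVER_CONF = """\
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
"""


def parse_setupvars(text: str) -> dict:
    """KEY=VALUE lines into a dict; blank and comment lines are ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def parse_server_conf(text: str):
    """Return (VPN subnet or None, list of pushed DNS addresses)."""
    subnet, pushed_dns = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        parts = line.split()
        # 'server <network> <netmask>' defines the tunnel subnet.
        if parts[0] == "server" and len(parts) >= 3:
            subnet = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
        m = re.match(r'push\s+"dhcp-option\s+DNS\s+(\S+)"', line)
        if m:
            pushed_dns.append(m.group(1))
    return subnet, pushed_dns


def check_pihole_vpn(setupvars_text: str, server_conf_text: str) -> list:
    """Return a list of findings; an empty list means the two files agree."""
    findings = []
    sv = parse_setupvars(setupvars_text)
    subnet, pushed_dns = parse_server_conf(server_conf_text)

    # Exposure checks: the resolver must bind only the tunnel interface.
    iface = sv.get("PIHOLE_INTERFACE", "")
    if not iface.startswith("tun"):
        findings.append(f"PIHOLE_INTERFACE={iface!r} is not a tunnel interface; "
                        "resolver may answer queries from the internet")
    if sv.get("DNSMASQ_LISTENING") != "single":
        findings.append("DNSMASQ_LISTENING should be 'single' so dnsmasq binds "
                        "only PIHOLE_INTERFACE")

    # Consistency checks: pushed DNS must be the Pi-hole address inside the VPN subnet.
    addr = sv.get("IPV4_ADDRESS", "")
    try:
        pihole_ip = ipaddress.ip_interface(addr).ip
    except ValueError:
        findings.append(f"IPV4_ADDRESS={addr!r} is not a valid address")
        pihole_ip = None

    if subnet is None:
        findings.append("server.conf has no 'server' line; cannot determine VPN subnet")
    elif pihole_ip is not None and pihole_ip not in subnet:
        findings.append(f"Pi-hole address {pihole_ip} is outside VPN subnet {subnet}")

    if not pushed_dns:
        findings.append("server.conf pushes no 'dhcp-option DNS'; clients keep "
                        "their own resolver and bypass Pi-hole")
    elif pihole_ip is not None and str(pihole_ip) not in pushed_dns:
        findings.append(f"pushed DNS {pushed_dns} does not include Pi-hole "
                        f"address {pihole_ip}")
    return findings


if __name__ == "__main__":
    for finding in check_pihole_vpn(SETUPVARS, SERVER_CONF) or ["OK: configs agree"]:
        print(finding)
```

Run it against the real files with `check_pihole_vpn(open("/etc/pihole/setupVars.conf").read(), open("/etc/openvpn/server.conf").read())` (paths assumed; adjust to your install). It deliberately checks only the two files, not the running listener; after any change, confirming with `ss -ulnp` that port 53 is bound to the tun0 address rather than 0.0.0.0 is the final step.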

I tried getting lighttpd to listen only on port 443 so I could use Let’s Encrypt’s SSL certs, following a handful of tutorials and walk-throughs, but was unsuccessful. So I disabled lighttpd, and only start it by hand if I want to check on my Pi-hole’s status.

Speaking of which, as I write this, here is what the admin console looks like:

admin console screenshot

Hope this helps you.

finally starting to get some good docs amassed

I had a decent library of documentation, templates, hand-offs, slide decks, etc in my pre-Splunk consulting life (technically, I still have them).

It’s nice to be finally getting a decent collection to draw from for my customers in my post-automation consulting life.