shithub: sirjofri_de

ref: cb9235713472745f68d43c1269a076959fed23a9
dir: /pub/changeblog.plain.xml/

<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
<author>
	<name>sirjofri</name>
	<email>sirjofri@sirjofri.de</email>
</author>
<link rel="self" href="https://sirjofri.de/changeblog.plain.xml"/>
<rights>© Copyright 2020 sirjofri</rights>
<id>https://sirjofri.de/</id>
<title>changeblog</title>
<updated>2020-12-15T11:24:57+01:00</updated>
<entry>
	<title>Restrict RCPU User Access to Groups</title>
	<id>https://sirjofri.de/changeblog/1596011563/</id>
	<link href="https://sirjofri.de/changeblog/1596011563/"/>
	<updated>2020-07-29T10:32:43+02:00</updated>
	<content type="text">



 Restrict RCPU User Access to Groups



This is how to restrict user access to groups. You can use this to enable rcpu access for all users of a
specific group. All other groups will not be allowed.

To allow access only to sys group members, adjust your /rc/bin/service/tcp17019:

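 #!/bin/rc
 userfile=/adm/users
 # useringroup user group: succeeds if user is listed as a member of group.
 # Lines in $userfile have the form id:name:leader:members (comma-separated).
 fn useringroup{
 	# match the user only as a whole entry of the members field,
 	# not as a substring of some other name
 	grep '[:,]'^$1^'(,|$)' $userfile | {
 		found=0
 		# split each matching line on ':' and compare the group name field
 		while(~ $found 0 &amp;&amp; line=`:{read}){
 			if(~ $line(2) $2){
 				found=1
 			}
 		}
 		if(~ $found 1)
 			status=''
 		if not
 			status='not found'
 	}
 }
 if(~ $#* 3){
 	netdir=$3
 	remote=$2!`{cat $3/remote}
 }
 fn server {
 	~ $#remote 0 || echo -n $netdir $remote &gt;/proc/$pid/args
 	rm -f /env/'fn#server'
 	. &lt;{n=`{read} &amp;&amp; ! ~ $#n 0 &amp;&amp; read -c $n} &gt;[2=1]
 }
 # start the rcpu server only if the authenticated user is in group sys
 exec tlssrv -a /bin/rc -c 'useringroup $user sys &amp;&amp; server'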

This checks if the user is in group sys and only then calls the server function. Otherwise the connection
is terminated.

This is especially useful if you want a CPU server to expose filesystems and have cpu access for
administrators only.





</content>
</entry>

<entry>
	<title>lib/profile quick hack</title>
	<id>https://sirjofri.de/changeblog/1594885496/</id>
	<link href="https://sirjofri.de/changeblog/1594885496/"/>
	<updated>2020-07-16T09:44:56+02:00</updated>
	<content type="text">



 lib/profile quick hack



Some smaller change that can change your life.

There are reasons why you would not run rio in your lib/profile. For me the main reason would be: You can no
longer use rcpu -c commands in your shell. Rio opens and there you are, stuck in front of a gray
background.

My solution:

 case cpu
 	# … lots of stuff …
 	rcpucmd=`{cat /mnt/term/env/cmd &gt;[2]/dev/null}
 	if(~ $#rcpucmd 0)
 		rio
 	# … lots of stuff …

Now I can rcpu and have my rio, or rcpu -c command and run the command without leaving my shell.





</content>
</entry>

<entry>
	<title>Mail Server Configuration</title>
	<id>https://sirjofri.de/changeblog/1594881674/</id>
	<link href="https://sirjofri.de/changeblog/1594881674/"/>
	<updated>2020-07-16T08:41:14+02:00</updated>
	<content type="text">



 Mail Server Configuration



Recently I installed my mail server on 9front. Most of the time I followed the guide in the FQA, but still
there are things to explain. In this document I'll go through the section of the FQA and annotate things.

Right at the beginning the FQA mentions how the executing user needs write permissions for the
mailboxes. This is If upas can't write the mailboxes the mail server will not accept incoming mail!

In my setup I can skip all DNS stuff, because I have my DNS hosted somewhere else. Make sure to add
proper MX records as well as (at least) an SPF record.

/mail/lib/smtpd.conf

To make things short, here are the necessary lines in my setup. The server handles authenticated incoming
mail for sending to other providers as well as incoming mail for local accounts.

 defaultdomain sirjofri.de
 norelay on
 verifysenderdom on
 saveblockedmsg off
 ourdomains sirjofri.de

Note that the server does not relay for unauthenticated/untrusted requests; it will still relay if you authenticate.

At this point it might be a good idea to check your user password. Use auth/changeuser to add
Inferno/POP secrets to your user accounts. Use these passwords to authenticate to the smtp server.

/mail/lib/rewrite

The program that handles sending mail uses this file to rewrite mail addresses. This file is responsible for
filtering out local mail as well as sending other mails to the mailer.

In my setup I added three aliases:

 pOsTmAsTeR alias postmaster
 aBuSe alias abuse
 wEbMaStEr alias webmaster

Use regular expressions to define your domain:

 \l!(.*) alias \1
 \l\.sirjofri.de!(.*) alias \1
 sirjofri.de!(.*) alias \1

For translating mails I added one more rule for mail address tags. These tags are in the form of
user+tag@example.com. Official specifications say that everything behind that “+” must be ignored, but it
can be used to automatically sort incoming mail into folders. I do this, by the way, so I describe how here.

We need rules for those plus signs:

 \"(.+)\+(.*)\" translate "echo `{/bin/upas/aliasmail '\1'}^'+\2'"
 # The other translate rules are default

For delivering local mails, I added extra rules:

 local!(.+)\+(.+) | "/bin/test -d /mail/box/\1/\2 \&amp;\&amp;
 /bin/upas/mbappend /mail/box/\1/\2 || /bin/upas/mbappend
 /mail/box/\1/mbox"
 local!"(.+)+(.+) | "/bin/test -d /mail/box/\1/\2 \&amp;\&amp;
 /bin/upas/mbappend /mail/box/\1/\2 || /bin/upas/mbappend
 /mail/box/\1/mbox"
 # leave the other rules untouched.

With these settings, mails to user+tag will be checked. If a mailbox folder for tag exists, mail is sent to this
folder. Otherwise it is sent to the user's default inbox. Note: I tested, but this does not work with aliased
mail. If my aliasmail changes userA to userB, mails to userA+tag will be rejected! If you know how I can
make this work, feel free to send me a mail.
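
The tag in user+tag comes from the recipient address and ends up as a path component under /mail/box/user, so it is worth accepting only plain folder names before testing for the folder. The helper below is an added example, not part of the original configuration or of upas: the script name tagdeliver, its location and the way the rewrite rule calls it are assumptions.

```rc
#!/bin/rc
# tagdeliver user tag: hypothetical helper (name and location are
# assumptions). Assumed to be called from /mail/lib/rewrite as
#   local!(.+)\+(.+) | "/mail/lib/tagdeliver '\1' '\2'"
# Reads one message on standard input and appends it to
# /mail/box/user/tag when tag is a plain folder name and that folder
# exists, otherwise to /mail/box/user/mbox.
rfork e

fn plaintag{
	# true only for a non-empty tag made of letters, digits and '_';
	# '/', '.', blanks and anything else make the match fail
	! ~ $1 '' *[~a-zA-Z0-9_]*
}

if(! ~ $#* 2)
	exit usage

user=$1
tag=$2
dest=/mail/box/$user/mbox
if(plaintag $tag){
	if(test -d /mail/box/$user/$tag){
		dest=/mail/box/$user/$tag
	}
}
exec /bin/upas/mbappend $dest
```

A tag that fails the check is not rejected; the mail simply lands in the default inbox, which matches the fallback described above.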

/mail/lib/names.local

This file is pretty easy. Just add your alias mail addresses:

 postmaster sirjofri
 webmaster sirjofri
 abuse sirjofri

/mail/lib/remotemail

 #!/bin/rc
 shift
 sender=$1
 shift
 addr=$1
 shift
 fd=`{/bin/upas/aliasmail -f $sender}
 switch($fd){
 case *.*
 ;
 case *
 fd=sirjofri.de
 }
 exec /bin/upas/smtp -h $fd $addr $sender $*

SMTP over TLS

I don't use port 587. I use 25 for this. Mail servers relay mails to this port by default, so it makes sense.

/rc/bin/service/tcp25

 #!/bin/rc
 user=`{cat /dev/user}
 exec /bin/upas/smtpd -f -E -r -c /sys/lib/tls/cert -n $3

Don't forget to create your TLS certificate!

IMAP4 over TLS

I did this exactly like the FQA. See there.

No.

At this point I stopped. I did not configure ratfs and have no spam handling right now. It doesn't really
matter for me, because nobody knows me and I don't use that mail address to register anywhere.

Links:

→ https://fqa.9front.org/fqa7.html#7.7





</content>
</entry>

<entry>
	<title>Guided Replica</title>
	<id>https://sirjofri.de/changeblog/1593621046/</id>
	<link href="https://sirjofri.de/changeblog/1593621046/"/>
	<updated>2020-07-01T18:30:46+02:00</updated>
	<content type="text">



 Guided Replica



Today I installed on my VPS. I noticed that I can write some helper scripts around it and here they are.

You can download them from https://sirjofri.de/files/guidedreplica.

You can install it like this:

# bind your client $home to /n/rclient
# bind your server $home to /n/rserver
hget https://sirjofri.de/files/guidedreplica/guidedreplica.rc | rc
# follow the prompts

This will also install two helper scripts to $home/bin/rc/replica/. Reproto copies one proto over
the other. You can choose which one you want to keep. Reupdate is helpful if there are update-update
errors. It should automatically solve them (untested, but should work).

Update: has issues. Often it does a bad job tracking changes, leaving removed files there and vice versa. I
never encountered data loss, only inconsistencies in the copies.

Many people use which does not overwrite changed files. At some point I will build some scripts around it
and use that instead of

(Files: https://sirjofri.de/files/guidedreplica/README
https://sirjofri.de/files/guidedreplica/guidedreplica.rc)





</content>
</entry>

<entry>
	<title>9front on Netcup VPS</title>
	<id>https://sirjofri.de/changeblog/1593448779/</id>
	<link href="https://sirjofri.de/changeblog/1593448779/"/>
	<updated>2020-06-29T18:39:39+02:00</updated>
	<content type="text">



 9front on Netcup VPS



Today I installed 9front on a Netcup VPS. Here are some notes if you want to do it yourself.

I used the smallest VPS option. Currently, that's “VPS 200 G8”. It costs like 2.69 Euro, but you might be
able to find some way to make it cheaper.

After ordering it might take some time until the server is up and ready. By default Debian was installed in a
GPT; we can ignore that.

Before we can install our custom ISO we first must upload it somewhere. This is done via FTP (you get the
access data from the SCP); I used the default Windows file explorer (ftp://user@address, enter password). Copy
the 9front ISO into /cdrom. This will take some time.

Meanwhile you can delete the virtual disk and create a new one. You need your SCP password for this.
This step is necessary to remove the GPT. Of course you could manually reformat the disk, but deleting the
disk will save time.

In the settings you can virtually insert the ISO as a DVD and verify the boot order (DVD first). Start up the
machine and switch to the web VNC display.

At this point you can proceed with the default 9front installation described in the FQA. Don't forget to
install the MBR and activate the partition. Otherwise there are no additional special steps besides manually
configuring the /lib/ndb/local after installation. In my case I made an auth server.

Currently it seems to work fine. I installed the machine today, so there might be some issues I didn't find
yet.





</content>
</entry>

<entry>
	<title>changeblog feed — social media²</title>
	<id>https://sirjofri.de/changeblog/1592917245/</id>
	<link href="https://sirjofri.de/changeblog/1592917245/"/>
	<updated>2020-06-23T15:00:45+02:00</updated>
	<content type="text">



 changeblog feed — social media²



RSS is still a thing.

Yes, there are more modern alternatives, like Atom or fancy json feeds. What I want to say is, feeds are still
a thing.

That's why you are now able to read my changeblog as an Atom feed.

Now I just need to find enough time to write my posts.





</content>
</entry>

<entry>
	<title>I use 9front</title>
	<id>https://sirjofri.de/changeblog/1590105600/</id>
	<link href="https://sirjofri.de/changeblog/1590105600/"/>
	<updated>2020-05-22T02:00:00+02:00</updated>
	<content type="text">



 I use 9front



Today I want to share with you that I use the plan9 distribution '9front' as my main computer.

Of course there are things that are almost impossible to do there, for example: all gamedev related stuff.
This is of course an issue, because I am a game developer. I still have my Windows machine with relevant
tools, so I can still fiddle around with those complex things.

For gaming I also use my Windows machine or some game console. Yes, there are a few games on plan9
systems.

Also most online services use JavaScript and heavy styling of webpages, so I also use a modern computer
with a modern browser. Mothra is fine for doing basic research stuff, but in 2020 it's almost impossible to
actually do things on the web.

Anyways, let me tell you that I don't really miss anything on plan9. I can write documents, check my email
stuff, chat with people, and step by step it becomes more usable. The community is helpful and provides
more applications. The system runs stable, the user interface is consistent and good to look at. Colors don't
jump in your eye and want to kill you and there's catclock(1), our friendly companion.





</content>
</entry>

<entry>
	<title>Revived</title>
	<id>https://sirjofri.de/changeblog/1578614400/</id>
	<link href="https://sirjofri.de/changeblog/1578614400/"/>
	<updated>2020-01-10T01:00:00+01:00</updated>
	<content type="text">



 Revived



I updated my website to Uberspace 7, but not only this: I changed the whole webpage to make it more
nine-friendly.

My whole webpage management system is completely 9 based. I use oridb's git9 implementation and plan9
tools, mk, sed, cat, …

I also decided to change the main language of the website to English.





</content>
</entry>

</feed>