Network on Andrew's Memory Blog

Uploading to the webserver from Forgejo

andrewmemoryblog@gmail.com (Andrew's Memory Blog) — Wed, 08 Apr 2026 23:14:09 -0700

To get Hugo up to the webserver, I had to scp the files up there using my keyfile. For that, I started with the image that I gave the docker tag, which is one of the default Forgejo images.

Setting up variables
#

First I set up a bunch of variables:

WEBSERVER_SSH_USERNAME: my username on the webserver
WEBSERVER_SSH_HOST: the hostname of the webserver I upload to
WEBSERVER_HTML_DIR: the directory where the webserver files get sent

Setting up secrets
#

I ended up with two secrets:

SSH_PRIV_KEY: my private key
SSH_KNOWN_HOSTS: I also needed to set up my ~/.ssh/known_hosts so that I wouldn’t get errors when connecting via scp. I temporarily threw away my existing deploy.yaml and built a new one that did a little (very little) ssh using sftp:

.forgejo/workflows/deploy.yaml

on: [push]
 deployscp:
 runs-on: docker
 steps:
 - run: |
 echo dir > ftpbatch
 echo bye >> ftpbatch
 - name: setup ssh
 run: |
 mkdir -p ~/.ssh
 chmod 0700 ~/.ssh
 echo "${{ secrets.SSH_PRIV_KEY }}" > ~/.ssh/id_rsa_webserver
 chmod 0600 ~/.ssh/id_rsa_webserver
 ssh-keyscan ${{ vars.WEBSERVER_SSH_HOST }} >> ~/.ssh/known_hosts
 cat ~/.ssh/known_hosts
 - name: push public
 run: |
 echo about to sftp
 sftp -i ~/.ssh/id_rsa_webserver -b ./ftpbatch ${{ vars.WEBSERVER_SSH_USERNAME }}@${{ vars.WEBSERVER_SSH_HOST }}
 echo did sftp

The first time I ran that, I copied the output of the cat ~/.ssh/known_hosts line into the secret SSH_KNOWN_HOSTS. Then I updated deploy.yaml to use the secret instead:

.forgejo/workflows/deploy.yaml

on: [push]
 deployscp:
 runs-on: docker
 steps:
 - run: |
 echo dir > ftpbatch
 echo bye >> ftpbatch
 - name: setup ssh
 run: |
 mkdir -p ~/.ssh
 chmod 0700 ~/.ssh
 echo "${{ secrets.SSH_PRIV_KEY }}" > ~/.ssh/id_rsa_webserver
 chmod 0600 ~/.ssh/id_rsa_webserver
 echo "${{ secrets.SSH_KNOWN_HOST }}" > ~/.ssh/known_hosts
 chmod 0600 ~/.ssh/known_hosts
 - name: push public
 run: |
 echo about to sftp
 sftp -i ~/.ssh/id_rsa_webserver -b ./ftpbatch ${{ vars.WEBSERVER_SSH_USERNAME }}@${{ vars.WEBSERVER_SSH_HOST }}
 echo did sftp

I was hoping that Forgejo would preserve the line separators that I pasted into the secret dialog. It did! Nice!

Add Hugo back to the build and really upload
#

With a working sftp (and presumably a working ssh) and a good private key, I could add the hugo step back. It packages up the build, then the docker image retrieves the build and uploads the important bit. Here’s the whole enchilada:

.forgejo/workflows/deploy.yaml

on: [push]
jobs:
 buildhugo:
 runs-on: hugo
 steps:
 - run: hugo version
 - uses: actions/checkout@v4
 with:
 submodules: 'recursive'
 - name: run hugo
 run: hugo --gc --minify
 - name: fix up RSS
 run: cp ./public/index.xml ./public/rss.xml
 - name: stash public files
 uses: https://code.forgejo.org/forgejo/upload-artifact@v4
 with:
 name: public
 path: ./public/ 

 deployscp:
 runs-on: docker
 needs: buildhugo
 steps:
 - name: grab public files
 uses: https://code.forgejo.org/forgejo/download-artifact@v4
 - name: setup ssh
 run: |
 mkdir -p ~/.ssh
 chmod 0700 ~/.ssh
 echo "${{ secrets.SSH_PRIV_KEY }}" > ~/.ssh/id_rsa_webserver
 chmod 0600 ~/.ssh/id_rsa_webserver
 echo "${{ secrets.SSH_KNOWN_HOST }}" > ~/.ssh/known_hosts
 chmod 0600 ~/.ssh/known_hosts
 - name: push public
 run: |
 ssh -i ~/.ssh/id_rsa_webserver ${{ vars.WEBSERVER_SSH_USERNAME }}@${{ vars.WEBSERVER_SSH_HOST }} 'rm -rf /home/${{ vars.WEBSERVER_SSH_USERNAME }}/${{ vars.WEBSERVER_HTML_DIR }}/*'
 scp -r -i ~/.ssh/id_rsa_webserver ./public/* ${{ vars.WEBSERVER_SSH_USERNAME }}@${{ vars.WEBSERVER_SSH_HOST }}:/home/${{ vars.WEBSERVER_SSH_USERNAME }}/${{ vars.WEBSERVER_HTML_DIR }}/

This makes it look easy. It wasn’t. I was nervous about the process, and started with echo ssh -i ~/... and echo scp -r -i ~/... instead of actually running the ssh and scp commands. I made sure things looked right in the Actions window on the Forgejo server before I did the scp for real, and it took me a couple more deep breaths before I did the ssh (which does a rm -rf).

Ultimately, I had to run things 70 times — I counted — before I got a working deploy. Lots of echo and ls -al to make sure I was oriented. And probably a third of the commits were fixes for this error:

Workflow was not executed due to an error that blocked the execution attempt.
Unable to parse supported events in workflow: yaml: line 25: found a tab character where an indentation space is expected

I really need to set my Emacs up so it uses only spaces for yaml files. Esc-X untabify was my best friend.

Now, I have a website that updates automatically when I push the code. Not when I commit — I’m still trying to remember that git push origin after publishing. I think I’ll commit this and do that now.

Running Hugo from the runner on Forgejo

andrewmemoryblog@gmail.com (Andrew's Memory Blog) — Wed, 08 Apr 2026 22:33:06 -0700

I’m taking a shortcut here. With the benefit of foresight which is really hindsight, I set my runner up to run Hugo already with the label hugo. So this is really about the automation I used to do the build. I started with attempts to install Hugo using apk add with the Docker image. That was a side quest that led nowhere.

Then when I decided to split things up, it took me a while to find the right image. The official Hugo Docker image luckily it includes Node.js so it can run the checkout and upload-artifact actions.

However, you can’t do everything on the Hugo image. That means the build has to be split up into two parts. This part is only for running Hugo. Luckily, when it runs, Hugo can store the files it built (./public/) in an artifact, so it’s not too hard to get them later for uploading.

You also need to check out the right thing. For Hugo with Blowfish installed, that means checking out submodules.

If you want to avoid the shortcut and do what I really did, check out the Forgejo Actions quick start guide and build a “hello world” action first.

This is the file I ended up creating in my local repo:

.forgejo/workflows/deploy.yaml

on: [push]
jobs:
 buildhugo:
 runs-on: hugo
 steps:
 - run: hugo version
 - uses: actions/checkout@v4
 with:
 submodules: 'recursive'
 - name: run hugo
 run: hugo --gc --minify
 - name: fix up RSS
 run: cp ./public/index.xml ./public/rss.xml
 - name: stash public files
 uses: https://code.forgejo.org/forgejo/upload-artifact@v4
 with:
 name: public
 path: ./public/

This checks out the git repo with submodules, runs hugo --gc --minify on that, copies index.xml to rss.xml because I started with Astro and didn’t want to have to migrate everyone’s links, then uploads the ./public/ directory with the name public to Forgejo’s artifact repo.

Once you’ve done that, you can:

git add .forgejo/workflows/deploy.yaml
git commit
git push origin

That triggers the automation that will (first time) download the Hugo image, then build the website, then stash it in an artifact called public.

But that’s only half the story for deploy.yaml. Read about uploading to the webserver here.

Setting up a Forgejo runner for Hugo and others

andrewmemoryblog@gmail.com (Andrew's Memory Blog) — Thu, 02 Apr 2026 22:16:05 -0700

I spent a lot of time messing around because I thought the runner was the thing that ran my actions. Nope, it’s the thing that runs the Docker image that builds your images. That makes life easier. Here’s how I set up mine:

Get the runner token
#

You need the runner token to configure a runner. So do that first. You need to be an admin to set up the runner.

Under the profile menu on the far right, click on “Site administration.”
Under “Admin settings” expand Actions to click on “Runners”

Over on the right, click the “Create a new runner” button. This opens a dialog with a token in it. Copy that token to a text editor.

Setting up a runner
#

I spent a lot of time messing around because I thought the runner was the thing that ran my actions. Nope, it’s the thing that runs the Docker image that builds your images. That makes life easier.

Make a directory for the runner, put the Dockerfile in it, and grab the image. These instructions look at lot like the ones at the OCI image installation instructions on the Forgejo website.

cd /data/shared/forgejo
mkdir runner
cd runner
wget https://code.forgejo.org/forgejo/runner/raw/branch/main/Dockerfile
docker run --rm data.forgejo.org/forgejo/runner:11 forgejo-runner --version

Create a setup.sh in runner/ that looks like this. (Make sure to update the chown line to use the UID and GID you specified in the Forgejo docker-compose.yaml):

setup.sh

#!/usr/bin/env bash
cd /data/shared/forgejo/runner
set -e

mkdir -p data/.cache
chown -R 2000:2000 data
chmod 775 data/.cache
chmod g+s data/.cache

Edit the Dockerfile to use your user info. Look for the USER line and put in your UID and GID:

USER 2000:2000

Run setup.sh

bash ./setup.sh

Create a docker-compose.yaml. Based on the Forgejo instructions, it should look like this (but remember to change the user: to your UID and GID). Yeah, I know it should be a different UID and GID but I’m lazy:

docker-compose.yaml

version: '3.8'

services:
 docker-in-docker:
 image: docker:dind
 container_name: 'docker_dind'
 privileged: 'true'
 command: ['dockerd', '-H', 'tcp://0.0.0.0:2375', '--tls=false']
 restart: 'unless-stopped'

 runner:
 image: 'data.forgejo.org/forgejo/runner:11'
 links:
 - docker-in-docker
 depends_on:
 docker-in-docker:
 condition: service_started
 container_name: 'runner'
 environment:
 DOCKER_HOST: tcp://docker-in-docker:2375
 # User without root privileges, but with access to `./data`.
 user: 2000:2000
 volumes:
 - ./data:/data
 restart: 'unless-stopped'

 command: '/bin/sh -c "while : ; do sleep 1 ; done ;"'
# command: '/bin/sh -c "sleep 5; forgejo-runner daemon --config config.yml"'

Fire up the runner and attach to the shell in the runner image.

docker compose up -d
docker exec -it runner /bin/sh

From within the Docker image shell, run:

forgejo-runner generate-config > config.yml
forgejo-runner register

This will run a script. I used the following values. For the runner labels, what they really want is the label followed by a colon followed by the URL of the docker image, with each entry separated by commas. Since I wanted my runner to run Hugo, I added a label for hugo and a pointer to the Hugo image as well as a “docker” label which is one of the defaults:


INFO Enter the Forgejo instance URL (for example, https://next.forgejo.org/):
http://myforgejoserver.acornwall.net:3000

INFO Enter the runner token:
d41d8cd98f00b204e9800998ecf8427e32d6c11747e037155210

INFO Enter the runner name (if set empty, use hostname: 3b586057879f):
runner

INFO Enter the runner labels, leave blank to use the default labels (comma-separated, for example, ubuntu-20.04:docker://node:20-bookworm,ubuntu-18.04:docker://node:20-bookworm):
hugo:docker://ghcr.io/gohugoio/hugo:v0.152.2,docker:docker://data.forgejo.org/oci/node:20-bullseye

All that creates a .runner file in the Docker image, which gets mapped to the data directory that setup.sh created.
Now, shut the image down.

docker compose down

Next, edit the docker-compose.yaml. Comment out the command that just spins, and uncomment the command that does the thing:

docker-compose.yaml

...
# command: '/bin/sh -c "while : ; do sleep 1 ; done ;"'
 command: '/bin/sh -c "sleep 5; forgejo-runner daemon --config config.yml"'

Bring the runner back up:

docker compose up -d

If you did everything right, you should see a runner show up under Admin settings - Actions - Runners.

Getting the runner to restart on reboot
#

Another bout with systemd, ‘cause we’d like this to start on reboot as well.

/etc/systemd/system/forgejo-runner.service

[Unit]
Description=Forgejo Runner
After=forgejo.service
Requires=forgejo.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/bash -c "/usr/bin/docker compose -f /data/shared/forgejo/runner/docker-compose.yaml up --detach"
ExecStop=/bin/bash -c "/usr/bin/docker compose -f /data/shared/forgejo/runner/docker-compose.yaml down"

[Install]
WantedBy=multi-user.target

And then the requisite:

/usr/bin/docker compose -f /data/shared/forgejo/runner/docker-compose.yaml down
sudo systemctl start forgejo-runner
sudo systemctl status forgejo-runner
sudo systemctl stop forgejo-runner
sudo systemctl enable forgejo-runner
sudo systemctl start forgejo-runner

Installing a minimal Forgejo via Docker on Ubuntu 24.04

andrewmemoryblog@gmail.com (Andrew's Memory Blog) — Thu, 02 Apr 2026 20:54:05 -0700

I’ve been wanting to play with Forgejo for a while. It’s the open source DevOps platform behind Codeberg and I like the idea of self-hosted automation. I wanted a minimal one — I didn’t need mail but I wanted automation on push.

If you know Docker (the current version of Docker) you’ll find it pretty easy to install. Here’s how to do it.

Pull Forgejo from Docker
#

Ubuntu 24.04 doesn’t come with the new Docker, or sqlite3. So:

sudo apt install docker-compose-v2 sqlite3

Grab the Docker image:

docker pull codeberg.org/forgejo/forgejo:14

Create a docker-compose.yaml based on the one at forgejo.org/docs/next/admin/installation/docker/. I changed three places the USER_UID, USER_GID, and the path to the volume (I used a hard-coded one rather than ./forgejo. The file I ended up with was:

docker-compose.yaml

networks:
 forgejo:
 external: false

services:
 server:
 image: codeberg.org/forgejo/forgejo:14
 container_name: forgejo
 environment:
 - USER_UID=2000
 - USER_GID=2000
 restart: always
 networks:
 - forgejo
 volumes:
 - /data/shared/forgejo/forjego:/data ← was ./forgejo:/data
 - /etc/localtime:/etc/localtime:ro
 ports:
 - '3000:3000'
 - '222:22'

Bring the image up:

docker compose up -d

Open a browser on the host’s port 3000 (which I’ll call myforgejoserver.acornwall.net:3000) to initialize Forgejo.
In the browser, leave everything as default except the server domain and base URL. That means I’m using the default sqlite

I skipped email settings and server/third-party service settings, and entered the administrator account settings, then clicked Install Forgejo:

Next I restarted Forgejo and made sure that the settings stuck. If you have the storage volume wrong in the docker-compose.yaml, as I did the first time, you get to enter everything again after fixing it.

docker compose down
docker compose up -d

Creating a Git Repo Into Forgejo
#

Once things were set up, I could log in and create a repo in Forgejo. Here’s what I did.

Navigate to the + dropdown and click “New repository”.
Fill out the form. I called my repo “andrewmemory” and set my user as the owner. I checked “Make repostitory private.” I also checked “Initialize repository” which lead to some issues later, but hey, it looked good at the time. I added both “Emacs” and “Hugo” to .gitignore — I didn’t realize I could do both the first time I tried. I went with CC-BY-NC-ND-4.0 for the license. Then I clicked “Create repository.”

There, the repo is created!

Verifying your public key
#

Once the repo was created on Forgejo, I needed to add my private cert to Forgejo. That meant clicking the dropdown on the right with my avatar, clicking “Settings,” then navigating to “SSH / GPG keys”. From there I could click “Add key” under SSH Keys. I pasted my public key in there. Then click “Add key.”
Once you’ve done that, you’ve got something like this. Click “Verify”:
After clicking verify, you’re presented with a token and a string to paste into a terminal. Copy the string, paste it into the terminal, but edit the filename if your private key is not id_ed25519.

echo -n 'ee2cd80b5f8f4e95800ddca4d92053998bc3f8e7a9cc1dd60fe30e7ad83b87d6' | ssh-keygen -Y sign -n myforgejoserver.acornwall.net -f ~/.ssh/id_rsa

Running that command will dump a wad into your terminal that looks like this:

-----BEGIN SSH SIGNATURE-----
U1mIU0lHAAAAAQA
...
+wrNHO9W
-----END SSH SIGNATURE-----

Copy the whole wad including the BEGIN and END parts, then paste that into the section that says “Armored SSH signature” and press the “Verify” button.
If you’ve done everything right your key is now verified.

Connecting the old repo
#

Finally, I could start moving my website (which is in a git repo on disk) into Forgejo. That wasn’t terrible, although it took me a couple of tries because I wasn’t sure how to do it. Here’s what I did.

cd andrewmemory-hugo
git remote rm origin # It took me a couple of tries, so I had to remove the old origin
git remote add origin ssh://git@myforgejoserver.acornwall.net:222/andrew/andrewmemory
git pull --allow-unrelated origin main

This resulted in a bunch of merge conflicts in .gitignore that I manually took care of. Once that was done, I could:

git push --set-upstream origin main

Setting Forgejo to restart after reboot
#

This is all groovy, but next time I install Linux patches, I’m going to have to reboot my machine. So I created a systemd (boo) service to do that.

/etc/systemd/system/forgejo.service

[Unit]
Description=Forgejo
After=docker.service
Requires=docker.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/bash -c "/usr/bin/docker-compose -f /data/shared/forgejo/docker-compose.yaml up --detach"
ExecStop=/bin/bash -c "/usr/bin/docker-compose -f /data/shared/forgejo/docker-compose.yaml down"

[Install]
WantedBy=multi-user.target

Then, I made sure it worked and enabled it on boot:

sudo systemctl start forgejo
sudo systemctl status forgejo
sudo systemctl stop forgejo
sudo systemctl enable forgejo
sudo systemctl start forgejo

Ok, Forgejo is set up!

Website automation with Forgejo

andrewmemoryblog@gmail.com (Andrew's Memory Blog) — Sun, 29 Mar 2026 21:54:05 -0700

If you see this, then my Forgejo web automation is working.

It took a few steps:

Setting up systemd resolv.conf

andrewmemoryblog@gmail.com (Andrew's Memory Blog) — Sun, 15 Feb 2026 23:08:05 -0700

Like every intelligent person, I hate systemd. But Linux seems determined to undo all good things, and Debian has adopted it.

In my Ubuntu 22.04 install, I’d disabled it and gone back to normal resolv.conf resolution. That didn’t work for 24.04. So I had to figure out the stupid resolution the systemd way.

To fix DNS on Ubuntu 24.04 — which, I will note, works perfectly for every other system that gets provisioned from my DHCP server — I had to go into /etc/systemd/resolved.conf and uncomment a bunch of stupid crap.

/etc/systemd/resolved.conf

...
[Resolve]
DNS=(my DNS server IP address)
...
Domains=(my local domain)
DNSSEC=yes
...
DNSStubListener=no
...

Fixing buffer bloat on OpenBSD 7.2

andrewmemoryblog@gmail.com (Andrew's Memory Blog) — Sat, 01 Feb 2025 01:28:19 -0700

I learned a little today about buffer bloat, which is latency introduced when uploading/downloading. After that, I headed straight over to WaveForm’s buffer bloat test and got a D.

Luckily, the WaveForm page pointed me to a solution, which I found at Paul Smith’s blog.

Following Paul’s instructions, I added a Queue section to my /etc/pf.conf:

#---------------------------------#
# Queues
#---------------------------------#
queue outq on $ext_if flows 1024 bandwidth 10M max 10M qlimit 1024 default
queue inq on $lan_if flows 1024 bandwidth 225M max 225M qlimit 1024 default

then reloaded the rules:

doas pfctl -n -f /etc/pf.conf && doas pfctl -f /etc/pf.conf

I didn’t get an A, but I did move up to a C, which means I’ve at least halved the latency problem. There’s a warning in a comment on Paul Smith’s page:

“This works well if you have OpenBSD acting as a firewall/NAT appliance only, but doesn’t work if you have multiple downstream interfaces, or run any services on the OpenBSD server at all (facing either the LAN or the internet).” The commenter suggests an explict parent queue with the whole LAN bandwidth and subqueues for internet and everything else.

Anyway, I went to CloudFlare’s speed test and I’m “great.”

Block Ad Sites and Nasties on OpenBSD 7.4

andrewmemoryblog@gmail.com (Andrew's Memory Blog) — Sun, 22 Oct 2023 22:03:47 -0700

One of the benefits of building your own firewall is that you get to decide what you want to block. I’d been using a list from pgl.yoyo.org/adservers. There’s a utility called Pf-badhost that blocks evil hosts. I wanted to do a little more: block bad IPs (sorry, Cloudflare, I know you hate that) and have better control over when things get updated.

So I ultimately decided to adapt some of Pf-badhost to a few scripts I created. First, a script to get the latest list of bad hostnames from pgl.yoyo.org — grab-bad-hosts.sh:

Grabbing Bad Hostnames
#

#! /bin/sh
/usr/local/bin/wget -O ./pgl-adhosts.conf 'https://pgl.yoyo.org/adservers/serverlist.php?hostformat=unbound&showintro=1&mimetype=plaintext'
grep -v -f /var/unbound/etc/unbound-whitelist-ads.txt pgl-adhosts.conf > unbound-adhosts.conf
grep -f /var/unbound/etc/unbound-whitelist-ads.txt pgl-adhosts.conf > unbound-adhosts-whitelist.conf
echo "In a root shell, run:"
echo "cat unbound-adhosts.conf > /var/unbound/etc/unbound-adhosts.conf"
echo "cat unbound-adhosts-whitelist.conf > /var/unbound/etc/unbound-adhosts-whitelist.conf"
echo "rcctl restart unbound"
echo "(or run root-update-hosts.sh as root)"

This builds two files: /var/unbound/etc/unbound-adhosts.conf and /var/unbound/etc/unbound-adhosts-whitelists.conf based on a file I created, /var/unbound/etc/unbound-whitelist-ads.txt, which I had to add to make other users happy. /var/unbound/etc/unbound-whitelist-ads.txt looks like this:

adservice.google.com[^.]
googleadservices.com[^.]

… and I’m going to set up unbound to allow one host to have the whitelisted ads.

Grabbing Bad IPs
#

I used Pf-badhost as a source of places to grab bad IP addresses from. I ended up with this script, grab-bad-ips.sh:

#! /bin/sh
/usr/local/bin/wget -O ./banlist_firehol_level1 https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset
/usr/local/bin/wget -O ./banlist_firehol_level2 https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level2.netset
/usr/local/bin/wget -O ./banlist_binarydefence https://www.binarydefense.com/banlist.txt
/usr/local/bin/wget -O ./banlist_emergingthreats https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
cat ./banlist_firehol_level1 > pf-badguys.table
printf "\n">> pf-badguys.table
cat ./banlist_firehol_level2 >> pf-badguys.table
printf "\n">> pf-badguys.table
cat ./banlist_binarydefence >> pf-badguys.table
printf "\n">> pf-badguys.table
cat ./banlist_emergingthreats >> pf-badguys.table
printf "\n">> pf-badguys.table
grep '^[0-9]' pf-badguys.table | sort | uniq > pf-badguys.table.sort.uniq
mv pf-badguys.table.sort.uniq pf-badguys.table
echo "In a root shell, run:"
echo " cat pf-badguys.table > /etc/pf-badguys.table"
echo " pfctl -F Tables -f /etc/pf.conf"
echo "(or run root-update-ips.sh as root)"

This script creates /etc/pf-badguys.table, which I’ll plug into my PF configuration.

Configuring unbound to use the bad hosts lists
#

It’s not hard to have unbound import the bad hosts, which are already formatted to redirect to 127.0.0.1. Here’s a sample from /var/unbound/etc/unbound-adhosts.conf:

local-zone: "1-1ads.com" redirect
local-data: "1-1ads.com A 127.0.0.1"

unbound-adhosts-whitelist.conf looks the same, but only contains the whitelisted ad servers. After the last local-data:/local-data-ptr: pair for my network, I added the following:

 # open a hole for ad servers
# 192.168.150.180 is unblocked desktop
access-control-view: 192.168.150.180/32 adview

After my access-control: directives, I added:

# Host addresses - spam to block
#
include: /var/unbound/etc/unbound-adhosts.conf
include: /var/unbound/etc/unbound-adhosts-whitelist.conf
include: /var/unbound/etc/unbound-adhosts-local.conf

At the end of the unbound.conf file I added:

view:
name: "adview"
include: /var/unbound/etc/unbound-adhosts.conf
include: /var/unbound/etc/unbound-adhosts-local.conf

Then a quick:

# unbound-checkconf
# rcctl restart unbound

… and I was blocking ad servers. I could update this in cron, but I prefer to do it manually every week or so.

Configuring PF to block the bad IP addresses
#

I know there’s an argument for not blocking bad IP addresses. After all, there may be legitimate sites that are hosted on the same IP address. But… so far I’ve only run into one. So I’m happy to continue blocking them. In my pf.conf, after the table, I added a table:

table <badguys> persist file "/etc/pf-badguys.table"

Then after the block for martians, I added an equivalent for badguys:

# Block addresses in the badguys table
# We use the "quick" parameter here to make this rule the last.
# Note that badguys might contain martians, but they get handled before
# this rule.
block in quick on $ext_if from <badguys> to any
block return out quick on $ext_if from any to <badguys>

Then pfctl -F Tables -f /etc/pf.conf to reread the table.

This post is part of a series on setting up an OpenBSD 7.4 firewall device.

Setting up Wireguard on an OpenBSD 7.4 firewall device

andrewmemoryblog@gmail.com (Andrew's Memory Blog) — Sun, 22 Oct 2023 21:09:01 -0700

It took me a little while after I set up my firewall device to set up Wireguard as a VPN. It’s probably something I should have done right away — the benefits of being able to log in from home (and block ads) while on the road is really nice.

Wireguard needs a publicly available IP or domain name. I used DuckDNS. I posted about that a while back so I won’t do it again here, but you’ll need to do that first.

Wireguard is in the kernel in 7.4. Prior releases required you to pkg_add wireguard_tools, but these days you don’t need to.

The way Wireguard works is that you generate public and private keys. Each device gets its own private key, and you share the public keys. Wireguard has tools to do that. On the OpenBSD firewall side:

# mkdir /etc/wireguard
# chmod 700 /etc/wireguard
# wg genkey > /etc/wireguard/private.key
# chmod 600 /etc/wireguard/private.key
# wg pubkey < private.key > public.key

Next, you need to generate private and public keys on each of your clients. Then set up /etc/wireguard/wg0.conf to contain the firewall’s private key and also the public keys of the client. I decided to do this on a completely different network — 172.16. I assigned individual IP addresses for each device. It’s a little more management headache, but makes it easy to delete something if I lose a device. The /etc/wireguard/wg0.conf looks like this:

[Interface]
PrivateKey = the private key from /etc/wireguard/private.key
ListenPort = 51820
[Peer]
# My first peer - a laptop
PublicKey = the public key from the laptop
AllowedIPs = 172.16.0.2
[Peer]
# My second peer - an Android device running Wireguard from F-Droid
PublicKey = the public key from the device
AllowedIPs = 172.16.0.3
# ... etc...

Obviously, on each device you have to do the reverse: specify the private key generated on device, and put the firewall’s public key in as the peer. Next, you need an /etc/hostname.wg0 to bring the network up:

inet 172.16.0.1 255.255.255.0 NONE up
!/usr/local/bin/wg setconf wg0 /etc/wireguard/wg0.conf

Before you can go further, you need to unblock the Wireguard interface in /etc/pf.conf:

(after the lan_if macro)
vpn_if="wg0"
vpn_port="51820"
(at the end after the NAT rules)
#---------------------------------#
# WireGuard
#---------------------------------#
pass in on $vpn_if
pass in inet proto udp from any to any port $vpn_port
pass out on egress inet from ($vpn_if:network) nat-to ($ext_if:0)

From there, you can restart pf and reload the new rules and sh /etc/netstart wg0.

This post is part of a series on setting up an OpenBSD 7.4 firewall device.

Set up networking for an OpenBSD 7.4 firewall device

andrewmemoryblog@gmail.com (Andrew's Memory Blog) — Sat, 21 Oct 2023 17:14:44 -0700

I had a few wrinkles because I’d already set up networking, and I didn’t want to have to go through and redo all my static IPs. But I wanted to make my network more rational. I had devices on 192.168.150.*/24 and I wanted something bigger, so I decided to go with /20. That gave me a range of 92.168.144.1–192.168.159.254. (I admit I used an IP subnet calculator for that.) My ISP gives me IPv4, so I’m using that and not worrying about IPv6.

First things first: let’s make the box forward packets:

# sysctl net.inet.ip.forwarding=1
# echo 'net.inet.ip.forwarding=1' >> /etc/sysctl.conf

Configure Network Adapters
#

I have two Intel NICs. I’m connecting igc0 to my cable modem. I’m connecting igc1 to a 16-port switch which is my internal network. I’ve got another network port that was autodetected, but I’m not using it yet, so I’ll remove it.

# echo "inet autoconf" > /etc/hostname.igc0
# echo "inet 192.168.144.1 255.255.240.0 NONE" > /etc/hostname.igc1
# rm /etc/hostname.igc2
# sh /etc/netstart.sh

Setting up the PF packet filter
#

Now, set up PF. I got my instructions for this mostly from home.nuug.no/~peter/pf/en/ftpproblem.html. Here’s how I edited /etc/pf.conf:

#---------------------------------#
# Macros
#---------------------------------#
ext_if="igc0"
lan_if="igc1"
ftpproxy="127.0.0.1"
ftpproxyport="8021"
#---------------------------------#
# Tables
#---------------------------------#
table <localonly> { \
# Addresses that can talk to the local network but not to the rest of the world
\
# Local printer
192.168.158.1/32 \
}
# This is a table of non-routable private addresses.
table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \
203.0.113.0/24 }
#---------------------------------#
# Protect and block by default
#---------------------------------#
set skip on lo0
set block-policy drop
# Spoofing protection for all NICs.
block in from no-route
block in quick from urpf-failed
# Block non-routable private addresses.
# We use the "quick" parameter here to make this rule the last.
block in quick on $ext_if from <martians> to any
block return out quick on $ext_if from any to <martians>
# Default blocking all traffic in on all LAN NICs from any computer or device
# attached.
block return in on { $lan_if }
# Default blocking all traffic in on the external NIC from the Internet/ISP,
# we'll log that too.
block drop in log on $ext_if
# Don't allow ICMP from outside. Commented out this section.
# Yeah, I know people hate that.
#
#match in on $ext_if inet proto icmp icmp-type {echoreq } tag ICMP_IN
#block drop in on $ext_if proto icmp
#pass in proto icmp tagged ICMP_IN max-pkt-rate 100/10
# We need the router to have access to the Internet, so we'll default allow
# packets to pass out from our router through the external NIC to the Internet.
pass out inet from $ext_if
#---------------------------------#
# LAN Setup
#---------------------------------#
# Allow any computer or device on the LAN to send data packets in through the NIC.
# This means any computer attached to this network interface can pass in data
# reaching anywhere, i.e. the Internet or any of the computers attached to the
# router.
pass in on $lan_if
# Always block DNS queries not addressed to our DNS server.
block return in quick on $lan_if proto { udp tcp } to ! $lan_if port { 53 853 }
# Block localonly from seeing the internet
block in quick on lan_if from <localonly>
# Allow data packets to pass from the router out through the NIC to the
# computers or devices attached to it on the lan NIC.
# Without this we can't even ping computers attached to the lan NIC from
# the router itself.
pass out on $lan_if inet keep state
#---------------------------------#
# FTP
#---------------------------------#
# allow ftp clients to work
anchor "ftp-proxy/*"
pass in quick on $lan_if inet proto tcp to port ftp divert-to $ftpproxy port $ftpproxyport
# no ftp servers so don't pass out
# pass out proto tcp from $ftpproxy to any port ftp
#---------------------------------#
# NAT
#---------------------------------#
pass out on $ext_if inet from $lan_if:network to any nat-to ($ext_if)

Then you can test things out and restart pf. I think my network connection dropped at this point:

# pfctl -n -f /etc/pf.conf
# pfctl -F all
# pfctl -f /etc/pf.conf

Configure dhcpd
#

Now I need to configure serving IPs from this machine. (My old firewall is still on the network at this point and serving real IPs as well as doing DNS, but I need to get the new firewall enabled.) So time to edit /etc/dhcpd.conf:

# $OpenBSD: dhcpd.conf,v 1.1 1998/08/19 04:25:45 form Exp $
#
# DHCP server options.
# See dhcpd.conf(5) and dhcpd(8) for more information.
#
# This is for 192.168.144.* to 192.168.159.*
subnet 192.168.144.0 netmask 255.255.240.0 {
option domain-name "lan.example.net";
option domain-name-servers 192.168.144.1;
option routers 192.168.144.1;
########################################
# Dynamic IP addresses
########################################
range 192.168.145.1 192.168.149.254;
########################################
# Fixed IP machines that humans don't
# (normally) see - WAPs etc.
########################################
host wap {
hardware ethernet dc:9f:44:11:22:33;
fixed-address 192.168.144.13;
}
########################################
# Fixed IP machines that humans see.
########################################
# These are machines I normally ssh
# or telnet to, or run servers on.
#
host fileserver {
hardware ethernet 22:33:44:55:66:77;
fixed-address 192.168.150.171;
option host-name "fileserver";
}
host weather {
hardware ethernet 88:99:00:AA:BB:CC;
fixed-address 192.168.150.177;
option host-name "weather";
}
#... etc...
# I'm putting my laptop on a non-150 address for testing purposes.
# That way I can plug it into the server and get a DHCP address that
# should route on to the internet.
host laptop {
hardware ethernet 00:22:44:66:88:ff;
fixed-address 192.168.161.2;
}
} # subnet

Next, start serving DHCP:

rcctl enable dhcpd
rcctl start dhcpd

At this point I could plug my laptop into the new firewall and get an IP address.

Start Unbound for DNS
#

On my old firewall I was using bind. That was heavyweight, so I decided to do something different here. Originally I thought I needed NSD and Unbound for DNS (I was looking at some instructions at jamsek.dev/blog/2019/Jul/28/openbsd-dns-server-with-unbound-and-nsd/) but eventually realized I could get away with just unbound.

# rcctl enable unbound
# rcctl start unbound

Next, I changed my DNS server so the new firewall was getting it locally instead of going to the old firewall. In /etc/resolv.conf:

nameserver 127.0.0.1
lookup file bind

After that, configure DNSSEC:

# unbound-anchor -a "/var/unbound/db/root.key"
# ftp -S do -o /var/unbound/db/root.hints https://www.internic.net/domain/named.root

With root.key downloaded, I could set up my /var/unbound/etc/unbound.conf:

# $OpenBSD: unbound.conf,v 1.21 2020/10/28 11:35:58 sthen Exp $
server:
interface: 192.168.144.1
interface: ::1
# override the default "any" address to send queries; if multiple
# addresses are available, they are used randomly to counter spoofing
access-control: 0.0.0.0/0 refuse
access-control: ::0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: 192.168.144.0/20 allow
access-control: ::1 allow
hide-identity: yes
hide-version: yes
# Perform DNSSEC validation.
#
auto-trust-anchor-file: "/var/unbound/db/root.key"
root-hints: "/var/unbound/db/root.hints"
qname-minimisation: yes
val-log-level: 2
# Synthesize NXDOMAINs from DNSSEC NSEC chains.
# https://tools.ietf.org/html/rfc8198
#
aggressive-nsec: yes
# Serve zones authoritatively from Unbound to resolver clients.
# Not for external service.
#
local-zone: "lan.example.net." static
#
# Host addresses - infrastructure
#
local-data: "firewall.lan.example.net. IN A 192.168.144.1"
local-data-ptr: "192.168.144.1 firewall.lan.example.net"
#
# Host addresses - named servers
#
local-data: "fileserver.lan.example.net. IN A 192.168.150.171"
local-data-ptr: "192.168.150.171 fileserver.lan.example.net"
local-data: "weather.lan.example.net. IN A 192.168.150.177"
local-data-ptr: "192.168.150.177 weather.lan.example.net"
# ... etc...
remote-control:
control-enable: yes
control-interface: /var/run/unbound.sock

With all that set up, I could make sure I didn’t have any syntax errors and restart unbound:

# unbound-checkconf
# rcctl restart unbound

I think it was at this point that I made the switch from using the old firewall to the new firewall. I changed the new firewall to have the same MAC as the old one (my ISP wanted to see a specific MAC) and then put the new one in place:

# echo "inet autoconf lladdr 11:22:33:44:55:66" > /etc/hostname.igc0
# sh /etc/netstart

Having two devices with the same MAC is a Bad Thing, and I had a lot of weirdness on my network until I unplugged the old firewall.

This post is part of a series on setting up an OpenBSD 7.4 firewall device.

Setting up an OpenBSD 7.4 Firewall Device

andrewmemoryblog@gmail.com (Andrew's Memory Blog) — Sun, 15 Oct 2023 23:59:39 -0700

My PC Engines ALIX running the (mumble) version of OpenBSD has been a great firewall. But now that it looks like PC Engines is wrapping up, it’s time to find something new. For a while I’ve suspected that the ALIX is a little underpowered. It’s harder to find 4G CF cards these days. Plus I want something with a HDMI port so I can put it on a KVM switch and don’t need to worry about serial port speeds.

So… here’s the order of operations:

Here goes!

Installing OpenBSD 7.4 for a Firewall

andrewmemoryblog@gmail.com (Andrew's Memory Blog) — Sun, 15 Oct 2023 23:45:00 -0700

Installing OpenBSD 7.4 was pretty simple. I followed the OpenBSD installation guide and used dd on a Linux box to write install74.img to a USB stick. Don’t use the .iso, it doesn’t boot. Then I booted off the USB stick. (You don’t have to disable UEFI.) I used a standard layout

At the time I wondered if I should install all the packages or not. I decided that maintenance would be simpler if I just went for everything, so I added all the packages including X. That turned out to be the right decision.

I used a relatively standard partitioning scheme, although I think I bumped up a few of the sizes. I probably should have bumped up X11R6 more, right now it’s at 41%:

/dev/sd0a 986M /
/dev/sd0l 295G /home
/dev/sd0d 291M /tmp
/dev/sd0f 5.8G /usr
/dev/sd0g 986M /usr/X11R6
/dev/sd0h 19.4G /usr/local
/dev/sd0k 5.8G /usr/obj
/dev/sd0j 2.9G /usr/src
/dev/sd0e 34.4G /var

Set up doas
#

After installing, I set up doas ‘cause I like seatbelts:

$ su
# vi /etc/doas.conf
permit persist andrewmemory as root
permit persist keepenv root as root

Install patches and packages
#

After that I installed patches:

$ doas syspatch
$ doas shutdown -r now

Next I installed a few useful packages:

$ doas pkg_add -i emacs mutt firefox wget

I picked the -no_x11 version for emacs, and the normal (not gpge, not sasl, not slang) version for mutt. I’m not going to be mailing to the world from this box, just looking at local emails. I also installed Firefox, which turned out to be another good idea. It’s a lot easier to search for doc on the firewall box itself than to ssh in.

Set up mfs for /tmp
#

Finally, I’m paranoid about wearing out my SSD, so I set up /tmp to be mfs in /etc/fstab using the useful instructions from Solene Rapenne:

$ doas vi /etc/fstab
#f1ea06b71e2dca43.d /tmp ffs rw,nodev,nosuid 1 2
swap /tmp mfs rw,nodev,nosuid,-s=300m 0 0

… and I had to boot to single-user mode to fix up permissions for /tmp:

$ doas umount /tmp
$ doas chmod 1777 /tmp
$ doas mount /tmp

Apparently tmpfs has been removed because it’s not supported, so mfs it is. I’ve got plenty of RAM for a /tmp file system, but I have delusions of putting most of /var in its own mfs file system, so I restricted /tmp to 300M.

Once that was done, I could log into a few other machines on my network to establish fingerprints for them. I also tested X by running startx, and then firefox, and it worked.

There were some noisy beeps
#

By default, OpenBSD rings the bell when you mistype certain things. That was annoying other people in the house, so I had to shut those up. That took two things. In ~/.login I added:

/sbin/wsconsctl keyboard.bell.volume=0

Then, I created ~/.xsession and added:

/usr/X11R6/bin/xset b off

This post is part of a series on setting up an OpenBSD 7.4 firewall device.

Buying new hardware for an OpenBSD firewall

andrewmemoryblog@gmail.com (Andrew's Memory Blog) — Sun, 15 Oct 2023 23:30:53 -0700

I knew going in that I wanted more than two ethernet ports for my OpenBSD firewall device. I had visions of multiple networks and/or a spare port that I could use when I screwed up my pf configuration. I also knew that I wanted HDMI so I could pop the firewall on my KVM switch - I’d used serial to the APU2 and that was not always wonderful. The Linux box would sometimes forget about the serial ports when they were plugged in for a while.

In the end, I got a random Intel N5105 mini-PC with four Intel ethernet ports. The HUNSN Micro Firewall Appliance, Mini PC, VPN, Router PC, Intel N5105, HUNSN RJ03, AES-NI, 4 x Intel 2.5GbE I226-V LAN, Type-C, TF, M.2 WiFi 6 Slot, Barebone, NO RAM, NO Storage, NO System was around $250 US. Add a Western Digital NVMe 500G drive and 16G of Cruical laptop RAM and I had something on which I could install a system. It’s low-powered enough that I don’t mind keeping it running 24/7, and high-powered enough that I’m not worried about it being a bottleneck.

[

I learned afterwards that the I226-V might potentially have a problem if you want to do 2.5G ethernet. So far, I haven’t experienced any network instability because of that.

As a belt-and-suspenders kind of thing, I bought a “silent” USB fan that sits on top of the case, just because the server room can get a little warm.

This post is part of a series on setting up an OpenBSD 7.4 firewall device.

ssh unable to negotiate

andrewmemoryblog@gmail.com (Andrew's Memory Blog) — Sun, 28 Aug 2022 22:24:49 -0700

My upgrade to Ubuntu LTS 22.04.1 from 20.04 was pretty smooth, but I ran into one issue. When I tried to ssh to a few other boxes around the network, I saw:

Unable to negotiate with 192.168.1.x port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss

Looks like I need to upgrade my ssh server on some machines. But I can’t do that if I can’t ssh to them! So I added a couple of lines to my /etc/ssh/ssh_config instead:

HostKeyAlgorithms ssh-rsa,rsa-sha2-512,rsa-sha2-256
PubkeyAcceptedKeyTypes ssh-rsa,rsa-sha2-512,rsa-sha2-256

I’ll need to undo that once I fix the server, but until then I can log into it.

Setting up NFS on Ubuntu 20.04

andrewmemoryblog@gmail.com (Andrew's Memory Blog) — Sun, 30 May 2021 14:11:18 -0700

I have been experiencing random weirdness with CIFS on Ubuntu 20.04. Every now and then the current working directory will disappear. I can usually get things back to normal by “cd ..; cd myDir” but that’s a pain - more of a pain when a build has failed because the current directory evaporated on the Gradle script.

So I decided to try NFS. Setting up NFS is not too hard. I found a very useful page on LinuxConfig.org that got me 90% of the way there.

Server setup

In short, on the server:

$ sudo apt install nfs-kernel-server
$ sudo systemctl enable --now nfs-server

Then edit /etc/exports on the server to include the line:

/myshareddisk 192.168.1.0/8(rw,sync,no_subtree_check)

It looks as if there’s no easy way for NFS to handle DHCP unless the file server can look up the IP. Boo. Going onward and knowing my network is now less protected:

$ sudo exportfs -arv

At this point, the LinuxConfig.org instructions start pointing you to server configuration. However, there’s a vital step omitted - pretty much every sane app will fail with “no locks available.” Why? StackExchange to the rescue. Enabling NFS doesn’t enable rpc-statd.

$ sudo systemctl enable rpc-statd
$ sudo systemctl start rpc-statd

As the StackExchage article says, “Thanks, systemd!”

Client setup

Next you can set up the client:

$ sudo mount -t nfs4 my-server-fqdn:/myshareddisk /localmnt

Hey, it mounted, and it looks like a file system. Now anyone on my network can mount my NFS server! Exposing it to ransomware and all sorts of excellent things like that. Err… good?

Last step is to make it automount on the client by editing /etc/fstab:

my-server-fqdn:/myshareddisk /localmnt nfs4 defaults,user,exec 0 2

I’m really unsure about this, and may need to undo it or at least find a way to stop it advertising to everyone. But it’s that way for now.

Ubiquiti AP enters reset state but never leaves

andrewmemoryblog@gmail.com (Andrew's Memory Blog) — Fri, 20 Jul 2018 13:11:31 -0700

I did something dumb recently. I had a network failure at my ISP, so I had to kill my dhclient and restart it. After restarting, everything seemed cool - until I reset my Ubiquiti AP. At that point, the AP entered the “Restarting” state and never came out.

After a few minutes of poking around on the Ubiquiti management screen, I saw this:

Apparently I killed off my DHCP server too. Oops.

One restart of the DHCP server later, my AP was back online (it detected when the DHCP server started). Some day I really should put the AP on its own static IP. That’s what I get for being lazy…

Making the Netgear WGR614 a bridge

andrewmemoryblog@gmail.com (Andrew's Memory Blog) — Sat, 16 Aug 2014 20:51:55 -0700

For the longest time, I’ve had a Netgear WGR614 acting as a NAT for my wifi traffic. That meant I had a separate network for wifi traffic, rather than sharing traffic with my wired network.

Eventually this lead to problems. Some phone apps want to search the network for printers or set top boxes, for instance - and because the wireless devices were on a different network, they’d never find the wired devices.

After a long time thinking about this, I decided to see what it would take to turn my wifi router into a bridge. Turns out the Netgear WGR614 is very nicely suited to that. All it takes is one plug change and a few settings changes, and now my wireless and wired traffic is all on the same IP address range.

I found a few useful posts for this:

http://www.fieldsnet.com/2009/10/how-to-use-a-netgear-wgr614-wireless-router-as-a-bridge/

http://puzzling.org/uncategorized/2006/08/netgear-wgr614/

http://kb.netgear.com/app/answers/detail/a_id/19852

Note that this assumes you’ve got something else on the network that’s going to serve IP addresses for you. If you don’t know, you probably shouldn’t do this.

Here’s how to do it:

Unplug the Netgear WGR614 from everything except one laptop. Make sure the laptop is plugged into a regular port, not the WAN port.
Hard-reset the Netgear WGR614 (push the button that’s inset next to the WAN port for 10 seconds).
After the router reboots, connect to http://192.168.0.1 from the laptop. After a reset, the account is “admin” and the password is “password”.
You’ll be asked if you want to step through the configuration. Select “No, I know what I’m doing”.
First off, change that password. Choose the “Set Password” tab on the left and make it something better.
Next, go into the Wireless Settings tab. Set the SSID, security to WPA2-PSK and passphrase for WPA2.
If you know what channels other routers in your neighbourhood use, now is a good time to set the wifi channel as well.
Go to the LAN Setup tab and unclick “Use Router as DHCP Server”.
Next, on the LAN Setup tab set the IP address for the router to something in your static address range.
Now unplug the laptop and plug what was the WAN uplink cable into a regular port (non-WAN) on the router.
Unplug and re-plug the router.

Once you’ve done all that, your router will be acting as a bridge for traffic between the wifi and wired networks.

One warning: I originally didn’t hard-reset the router. This left it with an IP address of my internal wired network on the WAN port. Once I’d done that, I couldn’t connect to it over the LAN interface, since it saw that as an address conflict. So just hard-reset it.

Incidentally - this isn’t strictly a bridge, since the router has an IP address on the LAN. But it’s routing the packets from wifi to wired and back.

Network on Andrew's Memory Blog

Uploading to the webserver from Forgejo

Setting up variables #

Setting up secrets #

Add Hugo back to the build and really upload #

Running Hugo from the runner on Forgejo

Setting up a Forgejo runner for Hugo and others

Get the runner token #

Setting up a runner #

Getting the runner to restart on reboot #

Installing a minimal Forgejo via Docker on Ubuntu 24.04

Pull Forgejo from Docker #

Creating a Git Repo Into Forgejo #

Verifying your public key #

Connecting the old repo #

Setting Forgejo to restart after reboot #

Website automation with Forgejo

Setting up systemd resolv.conf

Fixing buffer bloat on OpenBSD 7.2

Block Ad Sites and Nasties on OpenBSD 7.4

Grabbing Bad Hostnames #

Grabbing Bad IPs #

Configuring unbound to use the bad hosts lists #

Configuring PF to block the bad IP addresses #

Setting up Wireguard on an OpenBSD 7.4 firewall device

Set up networking for an OpenBSD 7.4 firewall device

Configure Network Adapters #

Setting up the PF packet filter #

Configure dhcpd #

Start Unbound for DNS #

Setting up an OpenBSD 7.4 Firewall Device

Installing OpenBSD 7.4 for a Firewall

Set up doas #

Install patches and packages #

Set up mfs for /tmp #

There were some noisy beeps #

Buying new hardware for an OpenBSD firewall

ssh unable to negotiate

Setting up NFS on Ubuntu 20.04

Ubiquiti AP enters reset state but never leaves

Making the Netgear WGR614 a bridge

Setting up variables
#

Setting up secrets
#

Add Hugo back to the build and really upload
#

Get the runner token
#

Setting up a runner
#

Getting the runner to restart on reboot
#

Pull Forgejo from Docker
#

Creating a Git Repo Into Forgejo
#

Verifying your public key
#

Connecting the old repo
#

Setting Forgejo to restart after reboot
#

Grabbing Bad Hostnames
#

Grabbing Bad IPs
#

Configuring unbound to use the bad hosts lists
#

Configuring PF to block the bad IP addresses
#

Configure Network Adapters
#

Setting up the PF packet filter
#

Configure dhcpd
#

Start Unbound for DNS
#

Set up doas
#

Install patches and packages
#

Set up mfs for /tmp
#

There were some noisy beeps
#