Jun 16, 2018

Getting pretty annoyed with keeping track of which browser on which machine has which ad blockers installed, so it’s time for a more holistic approach. Enter, stage left, the Pi-hole. In short it:

…acts as a forwarding DNS server, which means if it doesn’t know where a domain is, it has to forward your query to another server that does. When you install Pi-hole, it knows where the ad-serving domains are (because you tell it), so it doesn’t forward those requests.

With a Raspberry Pi 3 Model B and a 64GB micro SD card, a set-up that is beefier than it needs to be, but who knows what the Pi will be used for in the future…

#1 Get Raspbian, and format micro SD card— after much jiggling with the unlock tab on the adapter and delicately repeatedly inserting-half-inserting into 2012 Macbook Pro’s gunked-up card reader port…

$ wget http://director.downloads.raspberrypi.org/raspbian/images/raspbian-2018-04-19/2018-04-18-raspbian-stretch.zip

$ unzip -a 2018-04-18-raspbian-stretch.zip

$ diskutil list
...
/dev/disk3 (internal, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:     FDisk_partition_scheme                        *62.0 GB    disk3
   1:               Windows_NTFS                         62.0 GB    disk3s1

$ sudo diskutil eraseDisk FAT32 RASPBIAN MBRFormat /dev/disk3
...
Finished erase on disk3

$ df -h
/dev/disk3s1    62Gi  1.5Mi   62Gi     1%       0                   0  100%   /Volumes/RASPBIAN

$ sudo diskutil unmount /dev/disk3s1
Volume RASPBIAN on disk3s1 unmounted

$ sudo dd if=/Users/yearluk/Downloads/2018-04-18-raspbian-stretch.img of=/dev/disk3 bs=4m

#2 First boot on the Pi, change hostname, and run the installer…

$ sudo apt update
$ sudo apt upgrade
$ sudo nano /etc/hostname
pihole
...
$ curl -sSL https://install.pi-hole.net | bash

#3 Select eth0 as the interface, and 1.1.1.1 (Cloudflare) and 8.8.8.8 (Google) as the upstream DNS providers.

IP: 192.168.2.23/24
Default Gateway: 192.168.2.1

Log queries and select web-gui option.

admin password xxxxxxx

install log at /etc/pihole/install.log

web gui 192.168.2.23/admin

As easy as Pi 🙂

Set up SSH and VNC access (just a couple of checkboxes in Raspbian’s GUI), enable wi-fi (DHCP: 192.168.0.104)

Expand blacklists…

curl -s https://tspprs.com/dl/fraud | pihole -g
curl -s https://tspprs.com/dl/ads | pihole -g
curl -s https://tspprs.com/dl/spam | pihole -g
curl -s https://tspprs.com/dl/scam | pihole -g
curl -s https://tspprs.com/dl/ransomware | pihole -g
curl -s https://tspprs.com/dl/phishing | pihole -g
curl -s https://tspprs.com/dl/tracking | pihole -g

Unbound and setting up resolving/recursive DNS (rather than merely forwarding)

What’s the difference? With forwarding, if a name has not been previously associated with an IP (i.e. cached on the Pi-hole), the request is sent upstream and the result cached.

Aaand in recursive… the request is sent to ROOT servers for resolving, say, “.us”, and thence to TLD name servers. Domain lookup will go to AUTHORITATIVE servers handling “yearl” (and subdomains), and all will be relayed and cached locally. So, a few more steps? Why do this? Neither Cloudflare nor Google (or whatever my upstream DNS would have been) will know where I am going. So, err, privacy. Why not do this? It will take longer for the first resolution of a name.

Install the recursive DNS resolver:

sudo apt install unbound

Update list of primary root servers:

wget -O root.hints https://www.internic.net/domain/named.root
sudo mv root.hints /var/lib/unbound/

Configure unbound:

sudo nano /etc/unbound/unbound.conf.d/pi-hole.conf
...
server:
    verbosity: 1
    port: 5353
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # May be set to yes if you have IPv6 connectivity
    do-ip6: no

    # Use this only when you downloaded the list of primary root servers!
    root-hints: "/var/lib/unbound/root.hints"

    # Trust glue only if it is within the server's authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones; if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes

    # Don't use capitalization randomization as it is known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no

    # Reduce EDNS reassembly buffer size.
    # Suggested by the unbound man page to reduce fragmentation reassembly problems
    edns-buffer-size: 1472

    # TTL bounds for cache
    cache-min-ttl: 3600
    cache-max-ttl: 86400

    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes

    # One thread should be sufficient, can be increased on beefy machines
    num-threads: 1

    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 1m

    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8

And start unbound and validate:

sudo service unbound start
dig yearl.us @127.0.0.1 -p 5353
...
; <<>> DiG 9.10.3-P4-Raspbian <<>> yearl.us @127.0.0.1 -p 5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26331
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;yearl.us.          IN  A

;; ANSWER SECTION:
yearl.us.       3585    IN  A   104.28.19.121
yearl.us.       3585    IN  A   104.28.18.121

dig sigok.verteiltesysteme.net @127.0.0.1 -p 5353
...
NOERR
...

And then set custom upstream DNS in the pi-hole webgui to “127.0.0.1#5353”
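
One way to read those dig replies when checking that Unbound is really validating DNSSEC, as an added example that is not part of the original post: NOERROR alone does not show validation, the ad flag in the header does. The function name dnssec_verdict and the two constructed sample replies are assumptions; the third sample reuses the header lines of the yearl.us reply above.

```shell
#!/bin/sh
# Added example (not from the original post): classify one dig reply read
# on stdin by its header status and flags. dnssec_verdict is a made-up name.
#   validated   - NOERROR with the "ad" (Authenticated Data) flag
#   unvalidated - NOERROR without "ad": unsigned zone, or validation is off
#   rejected    - SERVFAIL, which a validating resolver returns for bogus data
#   other       - anything else (NXDOMAIN, REFUSED, empty input, ...)
dnssec_verdict() {
    awk '
        /->>HEADER<<-/ {
            # ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26331"
            for (i = 1; i < NF; i++)
                if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
        }
        /^;; flags:/ {
            # ";; flags: qr rd ra ad; QUERY: 1, ..." -> keep "qr rd ra ad"
            line = $0
            sub(/^;; flags: */, "", line)
            sub(/;.*$/, "", line)
            n = split(line, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ad") ad = 1
        }
        END {
            if (status == "NOERROR" && ad) print "validated"
            else if (status == "NOERROR")  print "unvalidated"
            else if (status == "SERVFAIL") print "rejected"
            else                           print "other"
        }'
}

# Header lines of the yearl.us reply shown in the post (NOERROR, no ad flag).
SAMPLE_UNSIGNED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26331
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

# Constructed samples: a validated answer and a rejected (bogus) one.
SAMPLE_SIGNED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1111
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2222
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

for s in "$SAMPLE_UNSIGNED" "$SAMPLE_SIGNED" "$SAMPLE_BOGUS"; do
    printf '%s\n' "$s" | dnssec_verdict
done

# Against the resolver configured above:
#   dig sigok.verteiltesysteme.net @127.0.0.1 -p 5353 | dnssec_verdict
```
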

Some basic Pi (Debian Stretch base) stuff…

Basic Pi config:

$ sudo raspi-config

Move over, ifconfig!

$ hostname -I
192.168.2.23 192.168.0.104

$ ip -4 addr show | grep global
    inet 192.168.2.23/24 brd 192.168.2.255 scope global eth0
    inet 192.168.0.104/24 brd 192.168.0.255 scope global wlan0

$ cat /etc/resolv.conf
# Generated by resolvconf
nameserver 127.0.0.1

What’re my interfaces’ default gateways?

$ ip route | grep default | awk '{print $3}'
192.168.2.1
192.168.0.1

Can configure a static IP via /etc/network/interfaces or /etc/dhcpcd.conf. Might do this when moving the Pi from the 192.168.2.0 subnet to the router “guarding” 192.168.0.0

$ sudo route add default gw 192.168.0.1 eth0
$ sudo /etc/init.d/networking restart

EDIT (2018-06-19): Pi-hole was running quite nicely over wi-fi (assigned to 192.168.0.0), went to put it on the LAN and after removing SD card to placement of the Pi board into some case the SD card decided to go fuck up. Anyhoo repeated above steps with a new (32GB) SD card, and all appears to be peachy-creamy.



May 11, 2017

Part 2 of installing Solus Linux on a 2012 Macbook Pro.

Part 1- simply booting the liveCD to even allow installation is here:
https://stephen.yearl.us/installing-solus-linux-on-a-macbook-pro-9

Rebooting after install led to, you guessed it, the Black Screen of Death again. Solus was installed, accepting all defaults (and therefore one humongous / partition), to /dev/sdb2; /dev/sda1 is the EFI partition on which rEFInd was installed when running OSX MacOS.

❯ lsblk
NAME   MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
sdb      8:16   0   477G  0 disk
├─sdb2   8:18   0 473.2G  0 part /
└─sdb1   8:17   0   3.7G  0 part [SWAP]
sdc      8:32   1   3.9G  0 disk
sda      8:0    0 465.8G  0 disk
├─sda2   8:2    0   465G  0 part
├─sda3   8:3    0 619.9M  0 part
└─sda1   8:1    0   200M  0 part

#1 boot back into MacOS, mount EFI partition:

sudo /Users/yearluk/Downloads/refind-bin-0.10.7/mountesp
❯  cd /Volumes/ESP/loader/entries
nano Solus-lts-4.9.22-17.conf

#2 CHANGE:

title Solus 2017.04.18.0
linux /EFI/com.solus-project/kernel-com.solus-project.lts.4.9.22-17
initrd /EFI/com.solus-project/initrd-com.solus-project.lts.4.9.22-17
options root=PARTUUID=c96bc351-b364-4c61-9fe6-8489f0ceec8f quiet ro splash resume=UUID=8f7d1509-fe95-4e47-8017-41611ad0a14c

TO:

title Solus 2017.04.18.0
linux /EFI/com.solus-project/kernel-com.solus-project.lts.4.9.22-17
initrd /EFI/com.solus-project/initrd-com.solus-project.lts.4.9.22-17
options root=PARTUUID=c96bc351-b364-4c61-9fe6-8489f0ceec8f ro nomodeset nouveau.blacklist=1  resume=UUID=8f7d1509-fe95-4e47-8017-41611ad0a14c text 3

#3 Repeat steps #3 through #8 from Part 1 (#7 this time was modprobe nvidia)

#4 update entire system

sudo eopkg up

#5 using the Apple bootloader [hold opt key whilst booting] to boot… boots graphically now.

May 08, 2017

I’ve been sunning* Solus as guest in a Parallels virtual machine on a macOS Sierra 10.12.4 host for a couple of months now, and I am delighted and impressed, so impressed I bought the company** wanted to install this on Apple iron. Solus installed beautifully on a 2010 Lenovo X201 and on a new and cheap and plastically Dell Inspiron 14-3452, so it should have no probs installing on a mid-2012, 15.4″ Hi-Res MBP. Right? Right? Wrong!

[*] s/sunning/running/ but gonna let that stand because, as typos go, this is pretty funny
[**] Showing my age… thanks Victor Kiam!

So, minus the bits where I was as angry frustrated as a guy who met a stranger in the Alps [may not be SFW. Depends where you work.]:

————————–
EDIT: 2017-05-11
#001 Disable SIP (System Integrity Protection)
Reboot, holding CMD+R

❯ csrutil disable

Reboot

❯ csrutil status
System Integrity Protection status: disabled.

————————–

#01 Grab the 2017-04-18 ISO torrent from https://solus-project.com/download/
#02 Burn to a 16GB shiny-new USB thumbdrive using etcher.
#03 Press opt (alt) key at boot, select the livecd image

and, Mr. Franklin, it balked. Black Screen of Death. If you do the googles this usually has something to do with graphics *and stuff*. Which, for me, means:

❯ system_profiler SPDisplaysDataType | grep -i chipset
      Chipset Model: Intel HD Graphics 4000
      Chipset Model: NVIDIA GeForce GT 650M

Boot at runlevel 3, wired connection and all that. Run the usual dmesg | less , journalctl | less, linux-driver-management status, modprobe and the googles. Poke and prod and pull hair, and finally…

—————

#1 Press opt (alt) key at boot, select the livecd image
#2 Immediately press ‘e’ and edit the kernel command line parameters (boot options), replacing “quiet splash” with “nomodeset nouveau.blacklist=1 3”. Full KMS now reads:

initrd root=live:CDLABEL=SolusLiveBudgie ro rd.luks=0 rd.md=0 nomodeset nouveau.blacklist=1 text 3

#3 Login prompt. User is “live”, there is no password
#4 Become root, password is “root”
#5 Unload nouveau (open source NVIDIA drivers)

# modprobe -r nouveau

#6 get more drivers from the Solus repository

# eopkg it nvidia-glx drivers

#7 load Intel (integrated) graphics

# modprobe i915

#8 Boot graphically

# /sbin/init 5

#9 Install and…
#10 sell as lakefront property
#11 PROFIT!

Apr 17, 2017

Playing with Solus recently got me to thinking that maybe I could live again in a Linux world, but rather than running Linux in a Virtual Machine (that would currently be Parallels 12 for me), what if I did it the other way around? That is, run OS X 10.12.4 (macOS Sierra) as a guest and Linux as a host…

Download MacOS Sierra from AppStore.

Reboot.

❯ hdiutil attach /Applications/Install\ macOS\ Sierra.app/Contents/SharedSupport/InstallESD.dmg -noverify -nobrowse -mountpoint /Volumes/install_app
❯ hdiutil create -o /tmp/Sierra.cdr -size 7316m -layout SPUD -fs HFS+J
❯ hdiutil attach /tmp/Sierra.cdr.dmg -noverify -nobrowse -mountpoint /Volumes/install_build
❯ asr restore -source /Volumes/install_app/BaseSystem.dmg -target /Volumes/install_build -noprompt -noverify -erase
rm /Volumes/OS\ X\ Base\ System/System/Installation/Packages
cp -rp /Volumes/install_app/Packages /Volumes/OS\ X\ Base\ System/System/Installation/
cp -rp /Volumes/install_app/BaseSystem.chunklist /Volumes/OS\ X\ Base\ System/BaseSystem.chunklist
cp -rp /Volumes/install_app/BaseSystem.dmg /Volumes/OS\ X\ Base\ System/BaseSystem.dmg
❯ hdiutil detach /Volumes/install_app
❯ hdiutil detach /Volumes/OS\ X\ Base\ System/
❯ hdiutil convert /tmp/Sierra.cdr.dmg -format UDTO -o /tmp/Sierra.iso
mv /tmp/Sierra.iso.cdr ~/Desktop/Sierra.iso

I grabbed this off the internets somewhere, and I do not know whence. Thanks to the original author, whoever she he may be.
EDIT [2017-05-08]: Found you: https://gist.github.com/arobb/447a962af4f07ef81e79987d686275e5

Mar 19, 2017

# Disable “Eject” in keyboard settings. It is the first entry under “Sound and Media”
# create a file, ~/.Xmodmap, adding the line:

keycode 151 = BackSpace

# run

xmodmap ~/.Xmodmap

# add that to wherever your startup scripts are for persistence

The keycode mappings I got from xev, kind of like “keyboard viewer” in OS X. It’s available in the Solus repo:

sudo eopkg install xev

Mar 11, 2017

Still playing with Solus OS, and liking it more and more. The eopkg repository of software is a little thin in comparison to the likes of Debian-based apt-get and Arch’s AUR, but most of the things I want are there. And if they are not there I am thinking maybe I should review my needs… I am in the process of planning for a life without OS X/MacOS after all, so a perfect time for reflection. This is also part of the reason I am attracted to Solus… because not everything is there, and because not everything is answered by a quick google search, I have to take some effort to actually find things out again. Some nostalgia there.

 

Cloudage

Librevault is… “transfers data directly from one device to another. You can use it in your local network, and it will work even without Internet access.” So not exactly cloud storage. In fact not even close to that. So why do I think I need it? I don’t. But I won’t know until I try. Chances are I can get away with continuing with Dropbox, but since I am working on a major change of OS I might as well kinda think about previous tools and workflows and so on. Anyway there is no librevault in the Solus repository. Compiling time!

Not to flog a dead horse, but what follows is what worked for me, soup to nuts. Playing with librevault will have to wait a few days, cause the weather is awesome and I’ve a potato patch to dig out of raw sod up the orchard. Besides, rclone and Google drive are working for what I need *at the moment*… and all that is, is, primarily, syncing files from the MacOS partition to the Solus partition. Google drive will have to go though when the time is right.

$ sudo eopkg it -c system.devel
$ sudo eopkg it cryptopp-devel libboost-devel libicu-devel openssl-devel protobuf-devel
$ sudo eopkg it qca-qt5 qt5-base-devel qt5-svg-devel qt5-tools-devel qt5-websockets-devel

$ mkdir -p ~/usr/src
$ cd ~/usr/src
$ git clone https://github.com/Librevault/librevault.git
$ cd librevault && git submodule update --init
$ mkdir build && cd build
# $ cmake .. && cmake --build .
$ cmake --pthread .. && cmake --pthread --build .
$ sudo make install

DICE!
Install the project…
-- Install configuration: "RelWithDebInfo"
-- Installing: /usr/local/bin/librevault-daemon
-- Installing: /usr/local/bin/librevault-gui
-- Installing: /usr/local/share/applications/Librevault.desktop
-- Installing: /usr/local/share/icons/hicolor/scalable/apps/librevault.svg
-- Installing: /usr/local/bin/librevault-cli

Now, do I go to the trouble of packaging this? Others who better know what they are doing in this area will prolly get it done soon enough, but why not give it a shot, eh? If I am going to be living with Solus I might as well get to know her a little better.

Mar 07, 2017

tl;dr

I feel that after ten years I can no longer countenance the purchase of a new Apple laptop should my existing machine shit the bed. All that nonsense associated with the race to thinness and the resultant lack of expandability of the newer machines, where everything is soldered or glued into place, has me pretty upset. Oh, and the OS itself has been getting more annoying with each release since Snow Leopard. So I am planning for a day without OS X/ MacOS. After a few distro trials (ongoing) I’ve come down to:

Linux Mint 18.1

Solus OS

True OS

With the thinking that Solus will be “The One”.

Problem: iPhone 5, iOS: 10.2.1 (14D27) will not mount under Solus OS.

iPhones, generally, used to mount fine prior to the iOS 10 release. The developers of libimobiledevice have rectified this, but many downstream distros have not quite caught up. Solution is to build oneself. Or wait. I didn’t want to wait… in large part because Solus’s packaging system eopkg is completely rewritten and not based on AUR or apt-get, I wanted to get to poke around it some more.

My hand-compiling of this is probably moot since Solus, being a rolling release, will eventually catch up. It probably will have by the time anyone reads this.

$ sudo eopkg it -c system.devel git
$ sudo eopkg it -c libtool pkg-config python-devel libplist-devel libusb-devel fuse-devel

$ mkdir -p ~/usr/src
$ cd ~/usr/src

$ for x in libusbmuxd libimobiledevice usbmuxd ifuse; do git clone https://github.com/libimobiledevice/${x}.git; done

$ cd ~/usr/src/libusbmuxd
$ ./autogen.sh --prefix="$HOME/usr"
$ make && make install

$ cd ~/usr/src/libimobiledevice
$ ./autogen.sh --prefix="$HOME/usr"
$ make && make install

$ cd ~/usr/src/usbmuxd
$ ./autogen.sh --prefix="$HOME/usr"
$ make && sudo make install

$ cd ~/usr/src/ifuse
$ ./autogen.sh --prefix="$HOME/usr"
$ make && make install

$ mkdir -p ~/usr/mnt
$ ~/usr/bin/idevice_id -l
$ ~/usr/bin/idevicepair pair

$ nautilus &
$ ls ~/usr/mnt/

All the real work was done by someone else (isn’t it always?), here: https://gist.github.com/samrocketman/70 … 33c259a0fc

Dec 14, 2014

Well flummery. It’s been a while since I had to do this, so here, future self, some awesome notes…

LOCAL

$ ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa_4096
$ scp -P 2222 ~/.ssh/id_rsa_4096.pub 192.168.0.108:/home/yearluk/.ssh/yearluk.ehecatl.pub

SSH to REMOTE…

$ cat ~/.ssh/yearluk.ehecatl.pub >> ~/.ssh/authorized_keys