Maddie Griffiths

A sysadmin, not a cis-admin.

I like Mastodon, and I like to self-host everything I can, but Mastodon itself is a bit heavier than I want something I'm self-hosting to be. Thankfully, there are a few great lightweight single-user alternatives that I'm more than happy to run myself. I chose Honk because it's purple.

Basic setup

Honk is pleasantly simple: it's a Go app that runs as a single binary, listens only on loopback and sits behind a reverse proxy. We'll run it as its own unprivileged user, so let's create and then become that user:

# useradd -m --system honk
# su - honk

It requires a newer version of Go than Debian 11 ships, so fetch a release tarball from https://go.dev/dl/ (as the honk user) and unpack it; compare its sha256sum with the checksum listed on that download page before you unpack, since this is the toolchain everything else is built with. We also need libsqlite3-dev, so install that too (as root).

$ wget https://go.dev/dl/go1.20.6.linux-amd64.tar.gz
$ tar xf go*
# apt -y install libsqlite3-dev

Go comes precompiled for our convenience, so we can go ahead and fetch and build Honk.

$ wget https://humungus.tedunangst.com/r/honk/d/honk-0.9.91.tgz
$ tar xf honk*
$ cd honk-0.9.91
$ PATH=~/go/bin/:$PATH make

Now that we've built the monolithic binary, we can configure it with

$ ./honk init

This asks a few questions to get it set up. Choose a free port on loopback, say 127.0.0.1:4567, for it to listen on (binding to 127.0.0.1 means only the reverse proxy on this box can reach it directly) and a hostname you like (I chose micro.maddie.sh). You'll also set the name and password for the only user here. Make sure you've got DNS set up for the domain name you choose.

Reverse proxy

We can now run it with a simple ./honk. However, we still need to set up a TLS-terminating reverse proxy (including fetching the certificates). I use Apache httpd, so set up a barebones VHost and ask Certbot for a certificate. As root:

# cat > /etc/apache2/sites-available/micro.maddie.sh.conf << EOF
<VirtualHost *:80>
  ServerName micro.maddie.sh
</VirtualHost>
EOF

# a2ensite micro.maddie.sh
# systemctl reload apache2
# certbot -d micro.maddie.sh -i apache

This will create /etc/apache2/sites-available/micro.maddie.sh-le-ssl.conf, where we can put the reverse proxy config. Enable the proxy modules first (as root, a2enmod proxy proxy_http), then add the following lines to that file below the ServerName directive. ProxyPreserveHost passes the original Host header through so Honk sees requests for micro.maddie.sh, and both ProxyPass and ProxyPassReverse must point at the same loopback port you chose during ./honk init:

ProxyPreserveHost on
ProxyPass / http://127.0.0.1:4567
ProxyPassReverse / http://127.0.0.1:4567

Then systemctl reload apache2 and everything should be good!

Systemd service

We want to run Honk as a service that starts on every boot and comes back if it crashes, so let's set up a systemd unit file.

# cat > /etc/systemd/system/honk.service << EOF
[Unit]
Description=Honk, a Fediverse server
After=network.target

[Service]
Type=simple
User=honk
Group=honk
WorkingDirectory=/home/honk/honk-0.9.91
ExecStart=/home/honk/honk-0.9.91/honk
Restart=always
# Honk runs unprivileged on a high port and needs no capabilities at all,
# so the bounding set is emptied rather than granting CAP_SETUID.
CapabilityBoundingSet=
DevicePolicy=closed
LockPersonality=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
PrivateUsers=yes
ProtectControlGroups=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=strict
# The only thing Honk writes is its data directory (honk.db, blob.db) in the
# working directory; everything else stays read-only.
ReadWritePaths=/home/honk/honk-0.9.91
# AF_INET6 is needed as well so federation with v6-only instances works.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target
EOF

This adds in a few security enhancements (a read-only filesystem apart from Honk's own data directory, no capabilities, no new privileges, and only the address families it actually uses), and lets us operate Honk with systemctl; logs go to the journal, so journalctl -u honk shows them. You can check how much of the sandboxing took effect with systemd-analyze security honk. Let's start the service and enable it at boot time, and we're done!

# systemctl daemon-reload
# systemctl enable --now honk

I'm not a fan of all-in-one routerfirewallswitchaccesspointmodem devices as supplied by most ISPs, and prefer to use a mini-PC UNIX box as router/firewall. These have usually been old Lenovo ThinkCentre Mini units: routing and firewalling is incredibly resource-light, and it leaves plenty of room to run more useful services like DNS and webhosting. I've used both OpenBSD and CentOS for this in the past, but these days Debian has been my go-to since it's what I use everywhere else.

My ISP is the (excellent, and the only ISP I'll ever use!) Andrews & Arnold, which provide a lot of fun features on their most basic Home::1 service like a /29 of IPv4 and a /48 of native IPv6. VDSL is persistently unavailable where I am, so I'm stuck on an occasionally painful ADSL connection but I can't blame them for that!

Network Layout

My basic network setup has a NATted range for “most” devices, a public v4 range, and a separate NATted range for “untrustworthy” devices like guests. Each of these sits in its own VLAN, and a Unifi access point broadcasts an SSID for a few of them.

I use a router-on-a-stick configuration, feeding a bunch of VLANs in on one port. Since I need a modem for the ADSL, I have my ISP-supplied CPE in PPP passthrough mode.

PPP

pppoeconf makes this pretty easy in Debian: just run pppoeconf and it'll write a working IPv4 PPPoE setup for you (the peer file is /etc/ppp/peers/dsl-provider); start it with pon dsl-provider. One downside is it seems to be stuck with an MTU of 1492, whilst AAISP works fine with 1500 (one of the few ISPs in the UK that do, apparently). A full 1500 over PPPoE needs RFC 4638 (PPPoE with larger frames) support in both the modem and the PPPoE client, which is why 1492 is the conservative default.

This doesn't give working IPv6; that takes a bit of fiddling (which I left on the todo pile for months, since I don't have the same requirement for v6 that I used to). Basically, add +ipv6 to /etc/ppp/options and restart the DSL connection with poff dsl-provider; pon dsl-provider, and you should get an fe80::/10 link-local address on the ppp0 interface. This still doesn't work for routing packets yet, though: you need a global v6 WAN address on ppp0. With AAISP the WAN address is derived from your IPv4 WAN address using a fixed scheme, 2001:8b0:1111:1111:0:ffff:<IPv4 WAN address in hex>. You could calculate this and manually add it, but that's not ideal, since it needs redoing whenever the PPP session comes up with a different IPv4 address.

DHCPv6

To get a working WAN address, you need to run DHCPv6 with IA_NA. Very irritatingly, the stock dhclient -6 in Debian won't work over a PPP interface! wide-dhcpv6-client in the repos does, however.

In /etc/wide-dhcpv6/dhcp6c.conf (and set INTERFACES="ppp0" in /etc/default/wide-dhcpv6-client so the service manages that interface, then systemctl restart wide-dhcpv6-client):

    interface ppp0 {
      send ia-na 1;
      send ia-pd 0;
      request domain-name-servers, domain-name;
    };
    id-assoc na 1 {
      address 2001:8b0:1111:1111:0:ffff:<IPv4 WAN address in hex>;
    };
    id-assoc pd {
    };
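Calculating the hex form of the WAN address by hand is where the manual approach above goes wrong most often, so here is a small script that does the conversion and writes out the matching dhcp6c.conf stanza. This is an added example, not part of the original post or of wide-dhcpv6; it assumes the scheme given above with the IPv4 address occupying the low 32 bits (the last two hextets), and the 203.0.113.9 address in the usage note is a constructed documentation-range value, not a real AAISP assignment.

```sh
#!/bin/sh
# Added example: derive the AAISP-style IPv6 WAN address from the IPv4 WAN
# address and emit a dhcp6c.conf that requests it via IA_NA.
# Assumption: the IPv4 address fills the last two hextets of
# 2001:8b0:1111:1111:0:ffff::/96, as in the scheme described in the post.

# aaisp_wan6 A.B.C.D -> prints the derived IPv6 address, or returns 1 if the
# argument is not a well-formed dotted-quad (wrong field count, non-numeric
# octets, leading zeros, or an octet above 255).
aaisp_wan6() {
    ip=$1
    case $ip in
        .*|*.|*..*) return 1 ;;   # leading/trailing/empty fields
        *.*.*.*) ;;
        *) return 1 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $ip                    # split on dots into positional parameters
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        # digits only, no leading zeros (avoids octal surprises in $(( )))
        case $octet in
            0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;;
            *) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    # A.B becomes one 16-bit hextet, C.D the other; %x drops leading zeros
    # the way a canonical IPv6 address does.
    printf '2001:8b0:1111:1111:0:ffff:%x:%x\n' \
        $(( $1 * 256 + $2 )) $(( $3 * 256 + $4 ))
}

# dhcp6c_conf A.B.C.D -> prints a dhcp6c.conf for ppp0 that mirrors the
# configuration in the post, with the derived address filled in. Fails
# (returns 1, prints nothing) if the IPv4 address is invalid.
dhcp6c_conf() {
    addr=$(aaisp_wan6 "$1") || return 1
    cat <<EOF
interface ppp0 {
  send ia-na 1;
  send ia-pd 0;
  request domain-name-servers, domain-name;
};
id-assoc na 1 {
  address $addr;
};
id-assoc pd {
};
EOF
}

# When run as a script with an IPv4 address argument, print the config.
# With no argument the functions are only defined (handy for sourcing).
case ${1-} in
    '') ;;
    *) dhcp6c_conf "$1" || { echo "invalid IPv4 address: $1" >&2; exit 1; } ;;
esac
```

Usage: sh aaisp-dhcp6c.sh 203.0.113.9 prints the stanza with address 2001:8b0:1111:1111:0:ffff:cb00:7109. To feed it the live PPP address, pass the output of ip -4 -o addr show dev ppp0 | awk '{print $4}' | cut -d/ -f1, and redirect to /etc/wide-dhcpv6/dhcp6c.conf before restarting the client.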

Conclusion

So now the Debian box has a working dual-stack WAN connection. Next up is the LAN side, which I'll write up in another post.

#tech #debian #ipv6

Reddit has never been a great place to be — I've probably dumped hundreds or thousands of hours into it over a decade and I've hardly ever had less than a dozen Reddit tabs open at any given time. Yet for all the time and addiction fuelled by little dopamine hits, I've had little in return for it. Certainly it provided a lot of useful queer community, and it's a great source of (usually far too much!) news, but it's a huge distraction. The recent direction of the company with regards to third-party apps would have affected me as a user of the (excellent, and libre) RedReader, so it's as good a moment as any to jump ship.

I don't so much want to replace Reddit like-for-like as fill that time with better (as defined in my system of value) activities — I want to read more, and do more interesting things than scrolling. But I do also want that little dopamine hit every now and then. Thankfully, there are a lot of worthy replacements.

Hacker News is perennial and excellent, of course, and essential reading as a sysadmin. A lot of the queer communities on Reddit I read have shifted over to raddle.me. On the more general-purpose side, I've really been loving kbin (I'm @maddieg@kbin.social, but still lurking) — I've not tried out Lemmy for more than a glance but of course the same communities are just as usable on both. I haven't Tweeted much for a very long time, but Mastodon is cool and if I'm “on the Fediverse” now, might as well join too (@maddieg@mastodon.social!).

I was really happy to see BookWyrm, a libre alternative to GoodReads, so I joined that too (unsurprisingly, @maddieg@bookwyrm.social).

And, of course, this blog is now running WriteFreely, a blogging platform powered by ActivityPub like the rest of the Fediverse. I'll need to play around with it a lot to make it more “suitable” as a personal page, so watch this space.

#life #tech