<?xml version="1.0" encoding="UTF-8"?> 
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
    <title>Solene's percent %</title>
    <atom:link href="https://dataswamp.org/~solene/rss.xml" rel="self" type="application/rss+xml" />
  <title>Top 12 best opensource games available on OpenBSD</title>
Title : Top 12 best opensource games available on OpenBSD
Author: Solène
Date  : 07 March 2021
Tags  : openbsd gaming

# Introduction

This article features the 12 best games (in my opinion) in term of quality and fun available in OpenBSD packages.  The list only contains open source games that you can install out of the box.  This means that game engines requiring proprietary (or paid) game assets are not part of this list.

# Tales of Maj'Eyal

Tome4 is a rogue-like game with many classes, many races, lot of areas to explore.  There are fun pieces of lore to find and read if it's your thing, you have to play it many times to unlock everything.  Note that while the game is open source, there are paid extensions requiring an online account on the official website, this is not mandatory to play or finish the game.

```How to install and launch
# pkg_add tome4
$ tome4

=> https://te4.org Tales of Maj'Eyal official website

# OpenTTD

This famous game is a free reimplementation of the Transport Tycoon game.  Build roads, rails, make huge trains networks with signals, transports materials from extraction to industries and then deliver goods to cities to make them grow.  There is a huge community and many mods, and the game can be played in multiplayer.  Also available on Android.

```How to install and launch
# pkg_add openttd
$ openttd

=> https://www.openttd.org/en/ OpenTTD official website
=> https://videos.pair2jeux.tube/videos/watch/32ac4e83-abda-414d-a32e-7be96615355f [Peertube video] OpenTTD

# The Battle for Wesnoth

Wesnoth is a turn based strategy game based on hexagons.  There are many races with their own units.  The game features a full set of campaign for playing solo but also include multiplayer.  Also available on Android.

```How to install and launch
# pkg_add wesnoth
$ wesnoth

=> https://www.wesnoth.org/ The Battle for Wesnoth official website

# Endless Sky

This game is about space exploration, you are captain of a ship and you can get missions, enhance your ship, trade goods over the galaxy or fight enemies.  There is a learning curve to enjoy it because it's quite hard to understand at first.

```How to install and launch
# pkg_add endless-sky
$ endless-sky

=> https://endless-sky.github.io/ Endless Sky official website

# OpenRA

Open Red Alert, the 100% free reimplementation of the engine AND assets of Red Alert, Command and Conquer and Dune.  You can play all these games from OpenRA, including multiplayer.  Note that there are no campaign, you can play skirmish alone with bots or in multiplayer.  Campaigns (and cinematics) could be played using the original games files (from OpenRA launcher), as the games have been published as freeware a few years ago, one can find them for free and legally.

```How to install and launch
# pkg_add openra
$ openra
wait for instructions to download the assets of the game you want to play

=> https://www.openra.net/ OpenRA official website
=> https://videos.pair2jeux.tube/videos/watch/f2ab675e-8c99-4d66-90dd-dd98b24c2305 [Peertube video] Red Alert

# Cataclysm: Dark Days Ahead

Cataclysm DDA is a game in which you awake in a zombie apocalypse and you have to survive.  The game is extremely complete and allow many actions/combinations like driving vehicles, disassemble electronics to build your own devices and many things I didn't try yet.  The game is turn based and 2D from top, I highly recommend reading the manual and how-to because the game is hard.  You can also create your character when you start a game, which will totally change the game experience because of your characters attributes and knowledge.

```How to install and launch
# pkg_add cataclysm-dda
$ cataclysm-dda

=> https://cataclysmdda.org/ Cataclysm: Dark Days Ahead official website

# Taisei

Taisei is a bullet hell game in the Touhou universe.  Very well done, extremely fun, multiple characters to play with an alternative mechanic of each character.

```How to install and launch
# pkg_add taisei
$ taisei

=> https://taisei-project.org/ Taisei official website
=> https://videos.pair2jeux.tube/videos/watch/d3d077e1-6591-4c9e-a8dd-45756ce15716 [Peertube video] Taisei

# The Legend of Zelda: Return of the Hylian SE

There is a game engine named Solarus dedicated to write Zelda like games, and Zelda RotH is a game based on this.  Nothing special to say, it's a 2D Zelda game, very well done with a new adventure.

```How to install and launch
# pkg_add zelda_roth_se
$ zelda_roth_se

=> https://www.solarus-games.org/en/games/the-legend-of-zelda-return-of-the-hylian-se Zelda RotH official website

# Shapez.io

This game is about making industries from shapes and colors in order to deliver what you are asked to produce in the most efficient manner, this game is addictive and easy to understand thanks to the tutorial when you start the game.

```How to install and launch
# pkg_add shapezio
$ /usr/local/bin/electron /usr/local/share/shapez.io/index.html

=> https://github.com/tobspr/shapez.io/ Shapez.io official website

# OpenArena

OpenArena is a Quake 3 reimplementation, including assets.  It's like Quake 3 but it's not Quake 3 :)

```How to install and launch
# pkg_add openarena
$ openarena

=> http://www.openarena.ws/ OpenArena official website

# Xonotic

This is a fast paced arena FPS game with beautiful graphics, many weapons with two modes of fire and many games modes.  Reminds me a lot Unreal Tournament 2003.

```How to install and launch
# pkg_add xonotic
$ xonotic

=> https://xonotic.org/ Xonotic official website

# Hyperrogue

This game is a rogue like (every run is different than last one) in which you move from hexagone to hexagone to get points, each biome has its own characteristics, like a sand biome in which you have to gather spice and you must escape sand worms :-) .  The game is easy to play, turn by turn and has unusual graphics because of the non-euclidian nature of its world.  I recommend reading the game manual because the first time I played it I really disliked it by missing most of the game mechanics...  Also available on Android!

=> https://roguetemple.com/z/hyper/ Hyperrogue official website

# And many others

Here is a list of games I didn't include but at also worth being played: 0ad, Xmoto, Freedoom, The Dark Mod, Freedink, crack-attack, witchblast, flare, vegastrike and many others.

=> https://openports.pl/cat/games List of games available on OpenBSD

  <pubDate>Sun, 07 Mar 2021 00:00:00 GMT</pubDate>
  <title>Port of the week: checkrestart</title>
Title : Port of the week: checkrestart
Author: Solène
Date  : 02 March 2021
Tags  : openbsd portoftheweek

# Introduction

This article features the very useful program "checkrestart" which is OpenBSD specific.  The purpose of checkrestart is to display which programs and their according PID for which the binaries doesn't exist anymore.

Why would their binary be absent? The obvious case is that the program was removed, but what it is really good at, is when you upgrade a package with running binaries, the old binary is deleted and the new binary installed.  In that case, you will have to stop all the running binaries and restart them. Hence the name "checkrestart".

# Installation

Installing it is as simple as running pkg_add checkrestart

# Usage

This is simple too, when you run checkrestart, you will have a list of PID numbers with the binary name.

For example, on my system, checkrestart gives me information about what programs got updated that I should restart to run the new binary.

69575	lagrange
16033	lagrange
9664	lagrange
77211	dhcpleased
6134	dhcpleased
21860	dhcpleased

# Real world usage

If you run OpenBSD -stable, you will want to use checkrestart after running pkg_add -u.  After a package update, most often related to daemons, you will have to restart the related services.

On my server, in my daily script updating packages and running syspatch, I use it to automatically restart some services.

checkrestart | grep php && rcctl restart php-fpm
checkrestart | grep postgres && rcctl restart postgresql
checkrestart | grep nginx && rcctl restart nginx

  <pubDate>Tue, 02 Mar 2021 00:00:00 GMT</pubDate>
  <title>Port of the week: shapez.io - a libre factory gaming</title>
Title : Port of the week: shapez.io - a libre factory gaming
Author: Solène
Date  : 26 February 2021
Tags  : openbsd openbsd69 gaming portoftheweek

# Introduction

I would like to introduce you to a very nice game I discovered a few months ago, its name is Shapez.io and is a "factory" game, a genre popularized by the famous game Factorio.  In this game you will have to extract shapes and colors and rework the shapez, mix colors and mix the whole thing together to produce wanted pieces.

# The game

The gameplay is very cool, the early game is an introduction to the game mechanics, you can extract shapes, cut them rotate pieces, merge conveys belts into one, paint shapes etc... and logic circuits!

In those games, you will have to learn how to make efficient factories and mostly "tile-able" installations.  A tile-able setup means that if you copy a setup and paste it next to it, it will be bigger and functional, meaning you can extend it to infinity (except that the input conveyors will starve at some point).

It can be quite addictive to improve your setups over and over.  This game is non violent and doesn't require any reflex but you need to think.  You can't loose, it's between a puzzle and a management game.

=> static/shapezio_tileable.png Compact tile-able painting setup (may spoil if you want to learn yourself)

# Where to get it

On OpenBSD since version 6.9 (not released yet when I publish this) you can install the package shapezio and find a launcher in your desktop environment Game menu.

I also compiled a web version that you can play in your web browser (I discourage using Firefox due to performance..) without installing it, it's legal because the game is open source :)

=> https://perso.pw/shapez.io/ Play shapez.io in the web browser

The game is also sold on Steam, pre-compiled and ready to run, if you prefer it, it's also a nice way to support the developer.

=> https://store.steampowered.com/app/1318690/shapezio/ shapez.io on Steam

# More content

=> https://shapez.io/ Official website
=> https://www.youtube.com/watch?v=B50vxkcpFck Youtube video of "Real civil engineer" explaining the game

  <pubDate>Fri, 26 Feb 2021 00:00:00 GMT</pubDate>
  <title>Nginx as a TCP/UDP relay</title>
Title : Nginx as a TCP/UDP relay
Author: Solène
Date  : 24 February 2021
Tags  : openbsd nginx network

# Introduction

In this tutorial I will explain how to use Nginx as a TCP or UDP relay as an alternative to Haproxy or Relayd.  This mean nginx will be able to accept requests on a port (TCP/UDP) and relay it to another backend without knowing about the content.  It also permits to negociates a TLS session with the client and relay to a non-TLS backend.  In this example I will explain how to configure Nginx to accept TLS requests to transmit it to my Gemini server Vger, Gemini protocol has TLS as a requirement.

I will explain how to install and configure Nginx and how to parse logs to obtain useful information.  I will use an OpenBSD system for the examples.

It is important to understand that in this context Nginx is not doing anything related to HTTP.

# Installation

On OpenBSD we need the package nginx-stream, if you are unsure about which package is required on your system, search which package provide the file ngx_stream_module.so .  To enable Nginx at boot, you can use rcctl enable nginx.

=> http://nginx.org/en/docs/stream/ngx_stream_core_module.html Nginx stream module core documentation
=> http://nginx.org/en/docs/stream/ngx_stream_log_module.html Nginx stream module log documentation

# Configuration

The default configuration file for nginx is /etc/nginx/nginx.conf , we will want it to listen on port 1965 and relay to

```Nginx configuration file
worker_processes  1;

load_module modules/ngx_stream_module.so;

events {
   worker_connections 5;

stream {
    log_format basic '$remote_addr $upstream_addr [$time_local] '
                     '$protocol $status $bytes_sent $bytes_received '

    access_log logs/nginx-access.log basic;

    upstream backend {
        hash $remote_addr consistent;
    server {
        listen 1965 ssl;
        ssl_certificate /etc/ssl/perso.pw:1965.crt;
        ssl_certificate_key /etc/ssl/private/perso.pw:1965.key;
        proxy_pass backend;

In the previous configuration file, the backend defines the destination, multiples servers could be defined, with weights and timeouts, there is only one in this example.

The server block will tell on which port Nginx should listen and if it has to handle TLS (which is named ssl because of history), usual TLS configuration can be used here, then for a request, we have to tell to which backend Nginx have to relay the connections.

The configuration file defines a custom log format that is useful for TLS connections, it includes remote host, backend destination, connection status, bytes transffered and duration.

# Log parsing

## Using awk to calculate time performance

I wrote a quite long shell command parsing the log defined earlier that display the number of requests, and median/min/max session time.

```awk command to parse nginx custom log defined earlier
$ awk '{ print $NF }' /var/www/logs/nginx-access.log | sort -n |  awk '{ data[NR] = $1 } END { print "Total: "NR" Median:"data[int(NR/2)]" Min:"data[2]" Max:"data[NR] }'
Total: 566 Median:0.212 Min:0.000 Max:600.487

## Find bad clients using awk

Sometimes in the logs there are clients that obtains a status 500, meaning the TLS connection haven't been established correctly.  It may be some scanner that doesn't try a TLS connection, if you want to get statistics about those and see if it would be worth to block them if they do too many attempt, it is easy to use awk to get the list.

```awk command reporting clients with a status 500
awk '$(NF-3) == 500 { print $1 }' /var/www/logs/nginx-access.log

## Using goaccess for real time log visualization

It is also possible to use the program Goaccess to view logs in real time with many information, it is really an awesome program.

```goaccess command line with lot of parameters
goaccess --date-format="%d/%b/%Y" \
         --time-format="%H:%M:%S" \
         --log-format="%h %r [%d:%t %^] TCP %s %^ %b %L" /var/www/logs/nginx-access.log

=> https://goaccess.io/ Goaccess official website

# Conclusion

I was using relayd before trying Nginx with stream module, while relayd worked fine it doesn't provide any of the logs Nginx offer.  I am really happy with this use of Nginx because it is a very versatile program that shown to be more than a http server over time.  For a minimal setup I would still recommend lighter daemon such as relayd.

  <pubDate>Wed, 24 Feb 2021 00:00:00 GMT</pubDate>
  <title>Port of the week: catgirl irc client</title>
Title : Port of the week: catgirl irc client
Author: Solène
Date  : 22 February 2021
Tags  : openbsd69 openbsd irc catgirl portoftheweek

## Introduction

In this Port of the Week I will introduce you to the IRC client catgirl.  While there are already many IRC clients available (and good ones), there was a niche that wasn't filled yet, between minimalism (ii, irCII) and full featured clients (irssi, weechat) in the terminal world.  Here comes catgirl, a simple IRC client coming with enough features to be comfortable to use for heavy IRC users.

Catgirl has the following features: tab completion, split scrolling, URL detection, nick coloring, ignores filter.  On the other hand, it doesn't support non-TLS networks, CCTP, multi networks or dynamic configuration.  If you want to use catgirl with multiples networks, you have to run it once per network.

Catgirl will be available as a package in OpenBSD starting with version 6.9.

OpenBSD security bonus: catgirl features a very good use of unveil to reduce file system access to the minimum required (configuration+logs+certs), reducing the severity of an exploit.  It also has a restricted mode when using the -R parameter that reduce features like notifications or url handling and tight the pledge list (allowing systems calls).

=> https://git.causal.agency/catgirl/about/ Catgirl official website

=> static/catgirl.png Catgirl screenshot

## Configuration

A simple configuration file to connect to the irc.tilde.chat server would look like the following file that must be stored under ~/.config/catgirl/tilde

```Catgirl configuration file sample
nick = solene_nickname
real = Solene
host = irc.tilde.chat
join = #foobar-channel

You can then run catgirl and use the configuration file but passing the config file name as parameter.

```shell command to start catgirl
$ catgirl tilde

## Usage and tips

I recommend reading catgirl man page, everything is well explained there.  I will cover most basics needs here.

=> https://git.causal.agency/catgirl/about/catgirl.1 Catgirl man page

Catgirl only display one window at a time, it is not possible to split the display, but if you scroll up you will see the last displayed lines and the text stream while keeping the upper part displaying the history, it is a neat way to browse the history without cutting yourself from what's going on in the channel.

Channels can be browsed from keyboard using Ctrl+N or Ctrl+P like in Irssi or by typing /window NUMBER, with number being the buffer number. Alt+NUMBER could also be used to switch directly to buffer NUMBER.

Searches in buffer could be used by typing a word in your input and using Ctrl+R to search backward or Ctrl+S for searching forward (given you are in the history of course).

Finally, my most favorite feature which is missing in minimal clients is Alt+A, jumping to next buffers I have to read (also yes, catgirl keep a line with information about how many messages in channels since last time you didn't read them).  Even better, when you press alt+A while there is nothing to read, you jump back to the channel you manually selected last, this allow to quickly read what you missed and return to the channel you spend all your time on.

## Conclusion

I really love this IRC client, it replaced Irssi that I used for years really easily because most of the key bindings are the same, but I am also very happy to use a client that is a lot safer (on OpenBSD).  It can be used with tmux for persistence but also connect to multiple servers and make it manageable.

  <pubDate>Mon, 22 Feb 2021 00:00:00 GMT</pubDate>
  <title>Full list of services offered by a default OpenBSD installation</title>
Title : Full list of services offered by a default OpenBSD installation
Author: Solène
Date  : 16 February 2021
Tags  : openbsd69 openbsd unix

# Introduction

This article is about giving a short description of EVERY service available as part of an OpenBSD default installation (= no package installed).

From all this list, the following list is started by default: cron, pflogd, sndiod, openssh, ntpd, syslogd and smtpd.  Network related daemons smtpd (localhost only), openssh and ntpd (as a client) are running.

# Service list 

I extracted the list of base install services by looking at /etc/rc.conf.

```shell command starting with a dollar sign meaning it should be run by a regular user
$ grep _flags /etc/rc.conf | cut -d '_' -f 1

## amd

This daemon is used to automatically mount a remote NFS server when someone wants to access it, it can provide a replacement in case the file system is not reachable.  More information using "info amd".

=> https://man.openbsd.org/amd amd man page

## apmd

This is the daemon responsible for frequency scaling. It is important to run it on workstation and especially on laptop, it can also trigger automatic suspend or hibernate in case of low battery.

=> https://man.openbsd.org/apmd apmd man page
=> https://man.openbsd.org/apm apm man page

## bgpd

This is a BGP daemon that is used by network routers to exchanges about routes with others routers.  This is mainly what makes the Internet work, every hosting company announces their IP ranges and how to reach them, in returns they also receive the paths to connect to all others addresses.

=> http://www.openbgpd.org OpenBGPD website

## bootparamd

This daemon is used for diskless setups on a network, it provides information about the client such as which NFS mount point to use for swap or root devices.

=> https://man.openbsd.org/diskless Information about a diskless setup

## cron

This is a daemon that will read from each user cron tabs and the system crontabs to run scheduled commands.  User cron tabs are modified using crontab command.

=> https://man.openbsd.org/cron Cron man page
=> https://man.openbsd.org/crontab.1 Crontab command
=> https://man.openbsd.org/crontab.5 Crontab format

## dhcpd

This is a DHCP server used to automatically provide IPv4 addresses on an network for systems using a DHCP client.

## dhcrelay

This is a DHCP requests relay, used to on a network interface to relay the requests to another interface.

## dvmrpd

This daemon is a multicast routing daemon, in case you need multicast spanning to deploy it outside of your local LAN.  This is mostly replaced by PIM nowadays.

## eigrpd

This daemon is an Internal gateway link-state routing protocol, it is like OSPF but compatible with CISCO.

## ftpd

This is a FTP server providing many features.  While FTP is getting abandoned and obsolete (certainly because it doesn't really play well with NAT) it could be used to provide read/write anonymous access on a directory (and many other things).

=> https://man.openbsd.org/ftpd ftpd man page

## ftpproxy

This is a FTP proxy daemon that one is supposed to run on a NAT system, this will automatically add PF rules to connect an incoming request to the server behind the NAT.  This is part of the FTP madness. 

## ftpproxy6

Same as above but for IPv6.  Using IPv6 behind a NAT make no sense.

## hostapd

This is the daemon that turns OpenBSD into a WiFi access point.

=> https://man.openbsd.org/hostapd hostapd man page
=> https://man.openbsd.org/hostapd.conf hostapd configuration file man page

## hotplugd

hotplugd is an amazing daemon that will trigger actions when devices are connected or disconnected.  This could be scripted to automatically run a backup if some conditions are met like an usb disk inserted matching a known name or mounting a drive.

=> https://man.openbsd.org/hotplugd hotplugd man page

## httpd

httpd is a HTTP(s) daemon which supports a few features like fastcgi support, rewrite and SNI.  While it doesn't have all the features a web server like nginx has, it is able to host some PHP programs such as nextcloud, roundcube mail or mediawiki.

=> https://man.openbsd.org/httpd.conf httpd man page
=> https://man.openbsd.org/httpd.conf httpd configuration file man page

## identd

Identd is a daemon for the Identification Protocol which returns the login name of an user who initiatied a connection, this can be used on IRC to authenticate which user started an IRC connection.

## ifstated

This is a daemon monitoring the state of network interfaces and which can take actions upon changes.  This can be used to trigger changes in case of an interface losing connectivity.  I used it to trigger a route change to a 4G device in case a ping over uplink interface was failing.

=> https://man.openbsd.org/ifstated ifstated man page
=> https://man.openbsd.org/ifstated.conf ifstated configuration file man page

## iked

This daemon is used to provide IKEv2 authentication for IPSec tunnel establishment.

=> https://www.openbsd.org/faq/faq17.html OpenBSD FAQ about VPN

## inetd

This daemon is often forgotten but is very useful.  Inetd can listen on TCP or UDP port and will run a command upon connection on the related port, incoming data will be passed as standard input of the program and program standard output will be returned to the client.  This is an easy way to turn a program into a network program, it is not widely used because it doesn't scale well as the whole process of running a new program upon every connection can push a system to its limit.

=> https://man.openbsd.org/inetd inetd man page

## isakmpd

This daemon is used to provide IKEv1 authentication for IPSec tunnel establishment.

## iscsid

This daemon is an iSCSI initator which will connect to an iSCSI target (let's call it a network block device) and expose it locally as a /dev/vcsi device.  OpenBSD doesn't provide a target iSCSI daemon in its base system but there is one in ports.

## ldapd

This is a light LDAP server, offering version 3 of the protocol.

=> https://man.openbsd.org/ldap ldap client man page
=> https://man.openbsd.org/ldapd ldapd daemon man page
=> https://man.openbsd.org/ldapd.conf ldapd daemon configuration file man page

## ldattach

This daemon allows to configure programs that are exposed as a serial port, such as gps devices.

## ldomd

This daemon is specific to the sparc64 platform and provide services for dom feature.

## lockd

This daemon is used as part of a NFS environment to support file locking.

## ldpd

This daemon is used by MPLS routers to get labels.

## lpd

This daemon is used to manage print access to a line printer.

## mountd

This daemon is used by remote NFS client to give them information about what the system is currently offering.  The command showmount can be used to see what mountd is currently exposing.

=> https://man.openbsd.org/mountd mountd man page
=> https://man.openbsd.org/showmount.8 showmount man page

## mopd

This daemon is used to distribute MOP images, which seem related to alpha and VAX architectures.

## mrouted

Similar to dvmrpd.

## nfsd

This server is used to service the NFS requests from NFS client.  Statistics about NFS (client or server) can be obtained from the nfsstat command.

=> https://man.openbsd.org/nfsd nfsd man page
=> https://man.openbsd.org/nfsstat.1 nfsstat man page

## npppd

This daemon is used to establish connection using PPP but also to create tunnels with L2TP, PPTP and PPPoE.  PPP is used by some modems to connect to the Internet.

## nsd

This daemon is an authoritative DNS nameserver, which mean it is holding all information about a domain name and about the subdomains.  It receive queries from recursive servers such as unbound / unwind etc...  If you own a domain name and you want to manage it from your system, this is what you want.

=> https://man.openbsd.org/nsd nsd man page
=> https://man.openbsd.org/nsd.conf nsd configuration file man page

## ntpd

This daemon is a NTP service that keep the system clock at the correct time, it can use ntp servers or sensors (like GPS) as time source but also support using remote servers to challenge the time sources.  It can acts a daemon to provide time to other NTP client.

=> https://man.openbsd.org/ntpd ntpd man page

## ospfd

It is a daemon for the OSPF routing protocol (Open Shortest Path First).

## ospf6d

Same as above for IPv6.

## pflogd

This daemon is receiving packets from PF matching rules with a "log" keyword and will store the data into a logfile that can be reused with tcpdump later.  Every packet in the logfile contains information about which rule triggered it so it is very practical for analysis.

=> https://man.openbsd.org/pflogd pflogd man page
=> https://man.openbsd.org/tcpdump.8 tcpdump

## portmap

This daemon is used as part of a NFS environment.

## rad

This daemon is used on IPv6 routers to advertise routes so client can automatically pick up routes.

## radiusd

This daemon is used to offer RADIUS protocol authentication.

## rarpd

This daemon is used for diskless setups in which it will help associating an ARP address to an IP and hostname.

=> https://man.openbsd.org/diskless Information about a diskless setup

## rbootd

Per the man page, it says « rbootd services boot requests from Hewlett-Packard workstation over LAN ».

## relayd

This daemon is used to accept incoming connections and distribute them to backend.  It supports many protocols and can act transparently, its purpose is to have a front end that will dispatch connections to a list of backend but also verify backend status.  It has many uses and can also be used in addition to httpd to add HTTP headers to a request, or apply conditions on HTTP request headers to choose a backend.

=> https://man.openbsd.org/relayd relayd man page
=> https://man.openbsd.org/relayctl relayd control tool man page
=> https://man.openbsd.org/relayd.conf relayd configuration file man page

## ripd

This is a routing daemon using an old protocol but widely supported.

## route6d

Same as above but for IPv6.

## sasyncd

This daemon is used to keep IPSec gateways synchronized in case of a fallback required.  This can be used with carp devices.

## sensorsd

This daemon gathers monitoring information from the hardware like temperature or disk status.  If a check exceeds a threshold, a command can be run.

=> https://man.openbsd.org/sensorsd sensorsd man page
=> https://man.openbsd.org/sensorsd.conf sensorsd configuration file man page

## slaacd

This service is a daemon that will automatically pick up auto IPv6 configuration on the network.

## slowcgi

This daemon is used to expose a CGI program as a fastcgi service, allowing httpd HTTP server to run CGI.  This is an equivalent of inetd but for fastcgi.

=> https://man.openbsd.org/slowcgi slowcgi man page

## smtpd

This daemon is the SMTP server that will be used to deliver mails locally or to remote email server.

=> https://man.openbsd.org/smtpd smtpd man page
=> https://man.openbsd.org/smtpd.conf smtpd configuration file man page
=> https://man.openbsd.org/smtpctl smtpd control command man page

## sndiod

This is the daemon handling sound from various sources.  It also support sending local sound to a remote sndiod server.

=> https://man.openbsd.org/sndiod sndiod man page
=> https://man.openbsd.org/sndioctl.1 sndiod control command man page
=> https://man.openbsd.org/mixerctl mixerctl man page to control an audio device
=> https://www.openbsd.org/faq/faq13.html OpenBSD FAQ about multimedia devices

## snmpd

This daemon is a SNMP server exposing some system metrics to SNMP client.

=> https://man.openbsd.org/snmpd snmpd man page
=> https://man.openbsd.org/snmpd.conf snmpd configuration file man page

## spamd

This daemon acts as a fake server that will delay or block or pass emails depending on some rules.  This can be used to add IP to a block list if they try to send an email to a specific address (like a honeypot), pass emails from servers within an accept list or delay connections for unknown servers (grey list) to make them and reconnect a few times before passing the email to the SMTP server.  This is a quite effective way to prevent spam but it becomes less relevant as sender use whole ranges of IP to send emails, meaning that if you want to receive an email from a big email server, you will block server X.Y.Z.1 but then X.Y.Z.2 will retry and so on, so none will pass the grey list.

## spamlogd

This daemon is dedicated to the update of spamd whitelist.

## sshd

This is the well known ssh server.  Allow secure connections to a shell from remote client.  It has many features that would gain from being more well known, such as restrict commands per public key in the ~/.ssh/authorized_keys files or SFTP only chrooted accesses.

=> https://man.openbsd.org/sshd sshd man page
=> https://man.openbsd.org/sshd_config.5 sshd configuration file man page

## statd

This daemon is used in NFS environment using lockd in order to check if remote hosts are still alive.

## switchd

This daemon is used to control a switch pseudo device.

=> https://man.openbsd.org/switch.4 switch pseudo device man page

## syslogd

This is the logging server that receives messages from local programs and store them in the according logfile.  It can be configured to pipe some messages to command, program like sshlockout uses this method to learn about IP that must be blocked, but can also listen on the network to aggregates logs from other machines.  The program newsyslog is used to rotate files (move a file, compress it and allow a new file to be created and remove too old archives).  Script can use the command logger to send text to syslog.

=> https://man.openbsd.org/syslogd syslogd man page
=> https://man.openbsd.org/syslog.conf.5 syslogd configuration file man page
=> https://man.openbsd.org/newsyslog.8 newsyslog man page
=> https://man.openbsd.org/logger.1 logger man page

## tftpd

This daemon is a TFTP server, used to provide kernels over the network for diskless machines or push files to appliances.

=> https://man.openbsd.org/diskless Information about a diskless setup

## tftpproxy

This daemon is used to manipulate the firewall PF to relay TFTP requests to a TFTP server.

## unbound

This daemon is a recursive DNS server, this is the kind of server listed in /etc/resolv.conf whose responsibility is to translate a fully qualified domain name into the IP address behind, asking one server at a time,  for example, to ask www.dataswamp.org server, it is required to ask the .org authoritative server where is the authoritative server for dataswamp (within .org top domain), then dataswamp.org DNS server will be asked what is the address of www.dataswamp.org.  It can also keep queries in cache and validates the queries and replies, it is a good idea to have such a server on a LAN with many client to share the queries cache.

=> https://man.openbsd.org/unbound unbound man page
=> https://man.openbsd.org/unbound.conf unbound configuration file man page

## unwind

This daemon is a local recursive DNS server that will make its best to give valid replies, it is designed for nomad users that may encounter hostile environments like captive portals or dhcp offered DNS server preventing DNSSEC to work etc..  Unwind polls a few DNS sources (recursive from root servers, provided by dns, stub or DNS over TLS server from configuration file) regularly and choose the fastest.  It will also act as a local cache and can't listen on the network to be used by other clients.  It also supports a list of blocked domains as input.

=> https://man.openbsd.org/unwind unwind man page
=> https://man.openbsd.org/unwind.conf unwind configuration file man page
=> https://man.openbsd.org/unwindctl unwind control command man page

## vmd

This is the daemon that allow to run virtual machines using vmm.  As of OpenBSD 6.9 it is capable of running OpenBSD and Linux guests without graphical interface and only one core.

=> https://man.openbsd.org/vmd vmd man page
=> https://man.openbsd.org/vm.conf vmd configuration file man page
=> https://man.openbsd.org/vmctl vmd control command man page
=> https://man.openbsd.org/vmm vmm driver man page
=> https://www.openbsd.org/faq/faq16.html OpenBSD FAQ about virtualization

## watchdogd

This daemon is used to trigger watchdog timer devices if any.

## wsmoused

This daemon is used to provide a mouse support to the console.

## xenodm

This daemon is used to start the X server and allow users to authenticate themselves and log in their session.

=> https://man.openbsd.org/xenodm xenodm man page

## ypbind

This daemon is used with a Yellow Page (YP) server to keep and maintain a binding information file.

## ypldap

This daemon offers a YP service using a LDAP backend.

## ypserv

This daemon is a YP server.

  <pubDate>Tue, 16 Feb 2021 00:00:00 GMT</pubDate>
  <title>What security does a default OpenBSD installation offer?</title>
Title : What security does a default OpenBSD installation offer?
Author: Solène
Date  : 14 February 2021
Tags  : openbsd69 openbsd security

# Introduction

In this text I will explain what makes OpenBSD secure by default when you install it.  Do not take this for a security analysis, but more like a guide to help you understand what is done by OpenBSD to have a secure environment.  The purpose of this text is not to compare OpenBSD to other OSes but to say what you can honestly expect from OpenBSD.

There are no security without a threat model, I always consider the following cases: computer stolen at home by a thief, remote attacks trying to exploit running services, exploit of user network clients.

# Security matters

Here is a list of features that I consider important for an operating system security.  While not every item from the following list are strictly security features, they help having a strict system that prevent software to misbehave and lead to unknown lands.

In my opinion security is not only about preventing remote attackers to penetrate the system, but also to prevent programs or users to make the system unusable.

## Pledge / unveil on userland

Pledge and unveil are often referred together although they can be used independently.  Pledge is a system call to restrict the permissions of a program at some point in its source code, permissions can't be get back once pledge has been called.  Unveil is a system call that will hide all the file system to the process except the paths that are unveiled, it is possible to choose what permissions is allowed for the paths.

Both a very effective and powerful surgical security tools but they require some modification within the source code of a software, but adding them requires a deep understanding on what the software is doing.  It is not always possible to forbid some system calls to a software that requires to do almost anything, software designed with privilege separation are better candidate for a proper pledge addition because each part has its own job.

Some software in packages have received pledge or/and unveil support, like Chromium or Firefox for the most well known.

=> https://www.openbsd.org/papers/bsdcan2019-unveil/index.html OpenBSD presentation about Unveil (BSDCan2019)
=> https://www.openbsd.org/papers/BeckPledgeUnveilBSDCan2018.pdf OpenBSD presentation of Pledge and Unveil (BSDCan2018)

## Privilege separation

Most of the base system services used within OpenBSD runs using a privilege separation pattern.  Each part of a daemon is restricted to the minimum required.  A monolithic daemon would have to read/write files, accept network connections, send messages to the log, in case of security breach this allows a huge attack surface.  By separating a daemon in multiple parts, this allow a more fine grained control of each workers, and using pledge and unveil system calls, it's possible to set limits and highly reduce damage in case a worker is hacked.

## Clock synchronization

The daemon server is started by default to keep the clock synchronized with time servers.  A reference TLS server is used to challenge the time servers.  Keeping a computer with its clock synchronized is very important.  This is not really a security feature but you can't be serious if you use a computer on a network without its time synchronized.

## X display not as root

If you use the X, it drops privileges to _x11 user, it runs as unpriviliged user instead of root, so in case of security issue this prevent an attacker of accessing through a X11 bug more than what it should.

## Resources limits

Default resources limits prevent a program to use too much memory, too many open files or too many processes.  While this can prevent some huge programs to run with the default settings, this also helps finding file descriptor leaks, prevent a fork bomb or a simple daemon to steal all the memory leading to a crash.

## Genuine full disk encryption

When you install OpenBSD using a full disk encryption setup, everything will be locked down by the passphrase at the bootloader step, you can't access the kernel or anything of the system without the passphrase.

## W^X

Most programs on OpenBSD aren't allowed to map memory with Write AND Execution bit at the same time (W^X means Write XOR Exec), this can prevents an interpreter to have its memory modified and executed.  Some packages aren't compliant to this and must be linked with a specific library to bypass this restriction AND must be run from a partition with the "wxallowed" option.

=> https://www.openbsd.org/papers/hackfest2015-w-xor-x.pdf OpenBSD presentation « Kernel W^X Improvements In OpenBSD »

## Only one reliable randomness source

When your system requires a random number (and it does very often), OpenBSD only provides one API to get a random number and they are really random and can't be exhausted.  A good random number generator (RNG) is important for many cryptography requirements.

=> https://www.openbsd.org/papers/hackfest2014-arc4random/index.html OpenBSD presentation about arc4random

## Accurate documentation

OpenBSD comes with a full documentation in its man pages.  One should be able to fully configure their system using only the man pages.  Man pages comes with CAVEATS or BUGS sections sometimes, it's important to take care about those sections.  It is better to read the documentation and understand what has to be done in order to configure a system instead of following an outdated and anonymous text available on the Internet.

=> https://man.openbsd.org/ OpenBSD man pages online
=> https://www.openbsd.org/papers/eurobsdcon2018-mandoc.pdf EuroBSDcon 2018 about « Better documentation »

## IPSec and Wireguard out of the box

If you need to setup a VPN, you can use IPSec or Wireguard protocols only using the base system, no package required.

## Memory safeties

OpenBSD has many safeties in regards to memory allocation and will prevent use after free or unsafe memory usage very aggressively, this is often a source of crash for some software from packages because OpenBSD is very strict when you want to use the memory.  This helps finding memory misuses and will kill software misbehaving.

## Dedicated root account

When you install the system, a root account is created and its password is asked, then you create an user that will be member of "wheel" group, allowing it to switch user to root with root's password.  doas (OpenBSD base system equivalent of sudo) isn't configured by default.  With the default installation, the root password is required to do any root action.  I think a dedicated root account that can be logged in without use of doas/sudo is better than a misconfigured doas/sudo allowing every thing only if you know the user password.

## Small network attack surface

The only services that could be enabled at installation time listening on the network are OpenSSH (asked at install time with default = yes), dhclient (if you choose dhcp) and slaacd (if you use ipv6 in automatic configuration).

## Encrypted swap

By default the OpenBSD swap is encrypted, meaning if programs memory are sent to the swap nobody can recover it later.

## SMT disabled

Due to a heavy number of security breaches due to SMT (like hyperthreading), the default installation disables the logical cores to prevent any data leak.

=> https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability) Meltdown: one of the first security issue related to speculative execution in the CPU

## Micro and Webcam disabled

With the default installation, both microphone and webcam won't actually record anything except blank video/sound until you set a sysctl for this.

### Maintainability, release often, update often

The OpenBSD team publish a new release a new version every six months and only last two releases receives security updates.  This allows to upgrade often but without pain, the upgrade process are small steps twice a year that help keep the whole system up to date.  This avoids the fear of a huge upgrade and never doing it and I consider it a huge security bonus.  Most OpenBSD around are running latest versions.

### Signify chain of trust

Installer, archives and packages are signed using signify public/private keys.  OpenBSD installations comes with the release and release n+1 keys to check the packages authenticity.  A key is used only six months and new keys are received in each new release allowing to build a chain of trust.  Signify keys are very small and are published on many medias to double check when you need to bootstrap this chain of trust.

=> https://www.openbsd.org/papers/bsdcan-signify.html Signify at BSDCan 2015

## Packages

While most of the previous items were about the base system or the kernel, the packages also have a few tricks to offer.

### Chroot by default when available

Most daemons that are available offering a chroot feature will have it enabled by default.  In some circumstances like for Nginx web server, the software is patched by the OpenBSD team to enable chroot which is not an official feature.

### Dedicated users for services

Most packages that provide a server also create a new dedicated user for this exact service, allowing more privilege separation in case of security issue in one service.

### Installing a service doesn't enable it

When you install a service, it doesn't get enabled by default.  You will have to configure the system to enable it at boot.  There is a single /etc/rc.conf.local file that can be used to see what is enabled at boot, this can be manipulated using rcctl command.  Forcing the user to enable services makes the system administrator fully aware of what is running on the system, which is good point for security.

=> https://man.openbsd.org/rcctl rcctl man page

# Conclusion

Most of the previous "security features" should be considered good practices and not features.  Many good practices such as the following could be easily implemented into most systems: Limiting users resources, reducing daemon privileges, memory usage strictness, providing a good documentation, start the least required services and provide the user a clean default installation.

There are also many other features that have been added and which I don't fully understand, and that I prefer letting the reader take notice. 

=> https://www.openbsd.org/papers/bsdtw.pdf « Mitigations and other real security features » by Theo De Raadt
=> https://www.openbsd.org/innovations.html OpenBSD innovations
=> https://www.openbsd.org/events.html OpenBSD events, often including slides or videos

  <pubDate>Sun, 14 Feb 2021 00:00:00 GMT</pubDate>
  <title>Firejail on Linux to sandbox all the things</title>
Title : Firejail on Linux to sandbox all the things
Author: Solène
Date  : 14 February 2021
Tags  : linux security sandbox

## Introduction

Firejail is a program that can prepare sandboxes to run other programs.  This is an efficient way to keep a software isolated from the rest of the system without need of changing its source code, it works for network, graphical or daemons programs.
You may want to sandbox programs you run in order to protect your system for any issue that could happen within the program (security breach, code mistake, unknown errors), like Steam once had a "rm -fr /" issue, using a sandbox that would have partially saved a part of the user directory.  Web browsers are major tools nowadays and yet they have access to the whole system and have many security issues discovered and exploited in the wild, running it in a sandbox can reduce the data a hacker could exfiltrate from the computer.  Of course, sandboxing comes with an usability tradeoff because if you only allow access to the ~/Downloads/ directory, you need to put files in this directory if you want to upload them, and you can only download files into this directory and then move them later where you really want to keep your files.

## Installation

On most Linux systems you will find a Firejail package that you can install.  If your distribution doesn't provide a Firejail package, it seems the installing from sources process is quite easy, and as the project is written in C with limited dependencies it may be easy to get the build process done.
There are no service to enable and no kernel parameters to add.  Apparmor or SELinux features in kernel can be used to integrates into Firejail profiles if you want to.

## Usage

### Start a program

The simplest usage is to run a command by adding Firejail before the command name.

```shell command
$ Firejail firefox

### Use a symlink

Firejail has a neat feature to allow starting software by their name without calling Firejail explicitly, if you create a symbolic link in your $PATH using a program name but targeting Firejail, when you call that name Firejail will automatically now what you want to start.  The following example will run firefox when you call the symbolic link.

```shell command
export PATH=~/bin/:$PATH
$ ln -s /usr/bin/firejail ~/bin/firefox
$ firefox

### Listing sandboxes

There is a Firejail --list command that will tell you about all sandboxes running and what are their parameters.  As a first column the identifier is available for more Firejail features.

```shell command
$ firejail --list
6108:solene::/usr/bin/firejail /usr/bin/firefox 

### Limit bandwidth per program

Firejail also has a neat feature that allows to limit the bandwidth available only for one sandbox environment.  Reusing previous list output, I will reduce firefox bandwidth, the number are in kB/s.

```shell command
$ firejail --bandwidth=6108 set wlan0 1000 40

You can find more information about this feature in the "TRAFFIC SHAPING" section of the Firejail man page.

### Restrict network access

If for some reason you want to start a program with absolutely no network access, you can run a program and deny it any network.

```shell command
$ firejail --net=none libreoffice

## Conclusion

Firejail is a neat way to start software into sandboxes without requiring any particular setup.  It may be more limited and maybe less reliable than OpenBSD programs who received unveil() features but it's a nice trade off between safety and required work within source code (literally none).  It is a very interesting project that proves to work easily on any Linux system, with a simple C source code with little dependencies.  I am not really familiar with Linux kernel and its features but Firejail seems to use seccomp-bpf and namespace, I guess they are complicated to use but powerful and Firejail comes here as a wrapper to automate all of this.

Firejail has been proven to be USABLE and RELIABLE for me while my attempts at sandboxing Firefox with AppArmor were tedious and not optimal.  I really recommend it.

## More resources

=> https://firejail.wordpress.com/ Official project website with releases and security information
=> https://github.com/netblue30/firejail Firejail sources and documentation

=> https://github.com/chiraag-nataraj/firejail-profiles Community profiles 1
=> https://github.com/nyancat18/fe Community profiles 2

  <pubDate>Sun, 14 Feb 2021 00:00:00 GMT</pubDate>
  <title>Bandwidth limiting on OpenBSD 6.8</title>
Title : Bandwidth limiting on OpenBSD 6.8
Author: Solène
Date  : 07 February 2021
Tags  : openbsd68 openbsd unix network

This is a February 2021 update of a text originally published in April 2017.

## Introduction

I will explain how to limit bandwidth on OpenBSD using its firewall PF (Packet Filter) queuing capability.  It is a very powerful feature but it may be hard to understand at first.  What is very important to understand is that it's technically not possible to limit the bandwidth of the whole system, because once data is getting on your network interface, it's already there and got by your router, what is possible is to limit the upload rate to cap the download rate.

=> https://man.openbsd.org/pf.conf#QUEUEING OpenBSD pf.conf man page about queuing

## Prerequisites

My home internet access allows me to download at 1600 kB/s and upload at 95 kB/s.  An easy way to limit bandwidth is to calculate a percent of your upload, that should apply that ratio to your download speed as well (this may not be very precise and may require tweaks).

PF syntax requires bandwidth to be defined as kilo-bits (kb) and not kilo-bytes (kB), multiplying by 8 allow to switch from kB to kb.

## Configuration

Edit the file /etc/pf.conf as root and add the following before any pass/match/drop rules, in the example my main interface is em0.

```OpenBSD packet filter configuration file sample
# we define a main queue (requirement)
queue main on em0 bandwidth 1G

# set a queue for everything
queue normal parent main bandwidth 200K max 200K default

And reload with `pfctl -f /etc/pf.conf` as root.  You can monitor the queue working with `systat queue`

```Output of the command systat queue
main on em0  1000M fifo        0        0        0        0    0
 normal      1000M fifo   535424 36032467        0        0   60

## More control (per user / protocol)

This is only a global queuing rule that will apply to everything on the system.  This can be greatly extended for specific need.  For example, I use the program "oasis" which is a daemon for a peer to peer social network, sometimes it has upload burst because someone is syncing against my computer, I use the following rule to limit the upload bandwidth of this user.

```OpenBSD packet filter configuration file sample
# within the queue rules
queue oasis parent main bandwidth 150K max 150K

# in your match rules
match on egress proto tcp from any to any user oasis set queue oasis

Instead of an user, the rule could match a "to" address, I used to have such rules when I wanted to limit my upload bandwidth for uploading videos through peertube web interface.

  <pubDate>Sun, 07 Feb 2021 00:00:00 GMT</pubDate>
  <title>How to set a system wide bandwidth limit on Linux systems</title>
Title : How to set a system wide bandwidth limit on Linux systems
Author: Solène
Date  : 06 February 2021
Tags  : linux bandwidth

In these times of remote work / home office, you may have a limited bandwidth shared with other people/device.  All software doesn't provide a way to limit bandwidth usage (package manager, Youtube videos player etc...).

Fortunately, Linux has a very nice program very easy to use to limit your bandwidth in one command.  This program is « Wondershaper » and is using the Linux QoS framework that is usually manipulated with "tc", but it makes it VERY easy to set limits.

=> https://www.linux.com/training-tutorials/qos-linux-tc-and-filters/ What are QoS, TC and Filters on Linux

On most distributions, wondershaper will be available as a package with its own name.  I found a few distributions that didn't provide it (NixOS at least), and some are providing various wondershaper versions.

To know if you have the newer version, a "wondershaper --help" may provide information about "-d" and "-u" flags, the older version doesn't have this.

Wondershaper requires the download and upload bandwidths to be set in kb/s (kilo bits per second, not kilo bytes).  I personally only know my bandwidth in kB/s which is a 1/8 of its kb/s equivalent.  My home connection is 1600 kB/s max in download and 95 kB/s max in upload, I can use wondershaper to limit to 1000 / 50 so it won't affect much my other devices on my network.

```shell commands to run wondershaper, include comments
# my network device is enp3s0
# new wondershaper
sudo wondershaper -a enp3s0 -d $(( 1000 * 8 )) -u $(( 50 * 8 ))

# old wondershaper
sudo wondershaper enp3s0 $(( 1000 * 8 )) $(( 50 * 8 ))

I use a multiplication to convert from kB/s to kb/s and still keep the command understandable to me.  Once a limit is set, wondershaper can be used to clear the limit to get full bandwidth available again.

```shell command to clear bandwidth limit, include comments
# new wondershaper
sudo wondershaper -c -a enp3s0

# old wondershaper
sudo wondershaper clear enp3s0

There are so many programs that doesn't allow to limit download/upload speeds, wondershaper effectiveness and ease of use are a blessing.

  <pubDate>Sat, 06 Feb 2021 00:00:00 GMT</pubDate>
  <title>Filtering TCP connections by operating system on OpenBSD</title>
Title : Filtering TCP connections by operating system on OpenBSD
Author: Solène
Date  : 06 February 2021
Tags  : openbsd security

### Introduction

In this text I will explain how to filter TCP connections by operating system using OpenBSD Packet filter.

=> https://man.openbsd.org/pf.conf#OPERATING_SYSTEM_FINGERPRINTING OpenBSD pf.conf man page about OS Fingerprinting

### Explanations

Every operating system has its own way to construct some SYN packets, this is called Fingerprinting because it permits to identify which OS sent which packet.  This must be clear it's not a perfect filter and may be easily get bypassed if you want to.
Because if some packets required to identify the operating system, only TCP connections can be filtered by OS.  The OS list and SYN values can be found in the file /etc/pf.os.

### How to setup

The keyword "os $value" must be used within the "from $address" keyword.  I use it to restrict the ssh connection to my server only to OpenBSD systems (in addition to key authentication).

```OpenBSD packet filter configuration file including comments
# only allow OpenBSD hosts to connect
pass in on egress inet proto tcp from any os OpenBSD to (egress) port 22

# allow connections from $home IP whatever the OS is
pass in on egress inet proto tcp from $home to (egress) port 22

This can be a very good way to stop unwanted traffic spamming logs but should be used with cautiousness because you may incidentally block legitimate traffic.

  <pubDate>Sat, 06 Feb 2021 00:00:00 GMT</pubDate>
  <title>Using pkgsrc on OpenBSD</title>
Title : Using pkgsrc on OpenBSD
Author: Solène
Date  : 06 February 2021
Tags  : openbsd pkgsrc

This quick article will explain how to install pkgsrc packages on an OpenBSD installation. This is something regulary asked on #openbsd freenode irc channel. I am not convinced by the relevant use of pkgsrc under OpenBSD but why not :)

I will cover an unprivileged installation that doesn't require root. I will use packages from 2020Q4 release, I may not update regularly this text so you will have to adapt to your current year.

```shell commands to install pkgsrc, dollar sign mean it's a regular user
$ cd ~/
$ ftp https://cdn.NetBSD.org/pub/pkgsrc/pkgsrc-2020Q4/pkgsrc.tar.gz
$ tar -xzf pkgsrc.tar.gz
$ cd pkgsrc/bootstrap
$ ./bootstrap --unprivileged

From now you must add the path ~/pkg/bin to your $PATH environment variable. The pkgsrc tree is in ~/pkgsrc/ and all the relevant files for it to work are in ~/pkg/.

You can install programs by searching directories of software you want in ~/pkgsrc/ and run "bmake install", for example in ~/pkgsrc/chat/irssi/ to install irssi irc client.

I'm not sure X11 software compiles well, I got issues compiling dbus as a dependency of x11/xterm and I got compilation errors, maybe clashing with Xenocara from base system... I don't really want to investigate more about this though.

  <pubDate>Sat, 06 Feb 2021 00:00:00 GMT</pubDate>
  <title>Enable multi-factor authentication on OpenBSD</title>
Title : Enable multi-factor authentication on OpenBSD
Author: Solène
Date  : 06 February 2021
Tags  : openbsd security

# Introduction

In this article I will explain how to add a bit more security to your OpenBSD system by adding a requirement for user logging into the system, locally or by ssh.  I will explain how to setup 2 factor authentication (2FA) using TOTP on OpenBSD

=> https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm What is TOTP (Time-based One time Password)

When do you want or need this? It adds a burden in term of usability, in addition to your password you will require a device that will be pre-configured to generate the one time passwords, if you don't have it you won't be able to login (that's the whole point). Let's say you activated 2FA for ssh connection on an important server, if you get your private ssh key stolen (and without password, bouh!), the hacker will not be able to connect to the SSH server without having access to your TOTP generator.

# TOTP software

Here is a quick list of TOTP software

- command line: oathtool from package oath-toolkit
- GUI and multiplatform: KeepassXC
- Android: FreeOTP+, andOTP, OneTimePass etc.. (watched on F-droid)

# Setup

A package is required in order to provide the various programs required.  The package comes with a README file available at /usr/local/share/doc/pkg-readmes/login_oath with many explanations about how to use it.  I will take lot of information from there for the local login setup.

```shell command with a # sign indicating it should be run as root
# pkg_add login_oath

You will have to add a new login class, depending on what of the kind of authentication you want.  You can either provide password OR TOTP, or set password AND TOTP (in the form of TOTP_CODE/password as the password to type).  From the README file, add what you want to use:

```file /etc/login.conf sample including comments starting with #
# totp OR password

# totp AND password

If you have a /etc/login.conf.db file, you have to run cap_mkdb on /etc/login.conf to update the file, most people don't need this, it only helps a bit in regards to performance when you have many many rules in /etc/login.conf.

# Local login

Local login means logging on a TTY or in your X session or anything requiring your system password.  You can then modify the users you want to use TOTP by adding them to the according login class with this command.

```shell command with a # sign indicating it should be run as root
# usermod -L totp some_user

In the user directory, you have to generate a key and give it the correct permissions.

```shell command with a $ sign indicating it should be run as a regular user
$ openssl rand -hex 20 > ~/.totp-key
$ chmod 400 .totp-key

The .totp-key contains the secret that will be used by the TOTP generator, but most generator will only accept it in encoded as base32.  You can use the following python3 command to convert the secret into base32.

```shell command
python3 -c "import base64; print(base64.b32encode(bytes.fromhex('YOUR SECRET HERE')).decode('utf-8'))"

# SSH login

It is possible to require your users to use TOTP or a public key + TOTP.  When your refer to "password" in ssh, this will be the same password as for login, so it can be the plain password for regular user, the TOTP code for users in totp class, and TOTP/password for users in totppw.

This allow fine grained tuning for login options.  The password requirement in SSH can be enabled per user or globally by modifying the file  /etc/ssh/sshd_config.

=> https://man.openbsd.org/sshd_config#AuthenticationMethods sshd_config man page about AuthenticationMethods

```Sample configuration including comments for /etc/ssh/sshd_config
# enable for everyone
AuthenticationMethods publickey,password

# for one user
Match User solene
	AuthenticationMethods publickey,password

Let's say you enabled totppw class for your user and you use "publickey,password" in the AuthenticationMethods in ssh.  You will require your ssh private key AND your password AND your TOTP generator.
Without doing any TOTP, by using this setting in SSH, you can require users to use their key and their system password in order to login, TOTP will only add more strength to the requirements to connect, but also more complexity for people who may not be comfortable with such security levels.

# Conclusion

In this text we have seen how to enable 2FA for your local login and for login over ssh.  Be careful to not lock you out of your system by losing the 2FA generator.

  <pubDate>Sat, 06 Feb 2021 00:00:00 GMT</pubDate>
  <title>NixOS review: pros and cons</title>
Title : NixOS review: pros and cons
Author: Solène
Date  : 22 January 2021
Tags  : nixos linux

Hello, in this article I would like to share my thoughts about the NixOS Linux distribution.  I've been using it daily for more than six months as my main workstation at work and on some computer at home too.  I also made modest contributions to the git repository. 

=> https://nixos.org/ NixOS official website

## Introduction

NixOS is a Linux distribution built around Nix tool.  I'll try to explain quickly what Nix is but if you want more accurate explanations I recommend visiting the project website.  Nix is the package manager of the system, Nix could be used on any Linux distribution on top of the distribution package manager.  NixOS is built from top to bottom from Nix.

This makes NixOS a system entirely different than what one can expect from a regular Linux/Unix system (with the exception of Guix sharing the same idea with a different implementation).  NixOS system configuration is stateless, most of the system is in read-only and most of paths you know doesn't exist.  The directory /bin/sh only contains "sh" which is a symlink.

The whole system configuration: fstab, packages, users, services, crontab, firewall... is configured from a global configuration file that defines the state of the system.

An example of my configuration file to enable graphical interface with Mate as a desktop and a french keyboard layout.

```Code sample for nixos configuration file
services.xserver.enable = true;
services.xserver.layout = "fr";
services.xserver.libinput.enable = true;
services.xserver.displayManager.lightdm.enable = true;
services.xserver.desktopManager.mate.enable = true;

I could add the following lines into the configuration to add auto login into my graphical session.

```Code sample for nixos configuration file
services.xserver.displayManager.autoLogin.enable = true;
services.xserver.displayManager.autoLogin.user = "solene";

## Pros

There are a lot of pros.  The system is really easy to setup, installing a system (for a reinstall or replicate an installation) is very easy, you only need to get the configuration.nix file from the other/previous system.  Everything is very fast to setup, it's often only a few lines to add to the configuration.

Every time the system is rebuilt from the configuration file, a new grub entry is made so at boot you can choose on which environment you want to boot.  This make upgrades or tries very easy to rollback and safe.

Documentation! The NixOS documentation is very nice and is part of the code.  There is a special man page "configuration.nix" in the system that contains all variables you can define, what values to expect, what is the default and what it's doing.  You can literally search for "steam", "mediawiki" or "luks" to get information to configure your system.

=> https://nixos.org/learn.html All the documentation

Builds are reproducible, I don't consider it a huge advantage but it's nice to have it.  This allow to challenge a package mirror by building packages locally and verifying they provide the exact same package on the mirror.

It has a lot of packages.  I think the NixOS team is pretty happy to share their statistics because, if I got it right, Nixpkgs is the biggest and up to date repository alive.

=> https://search.nixos.org/packages Search for a package

## Cons

When you download a pre compiled Linux program that isn't statically built, it's a huge pain to make it work on NixOS.  The binary will expect some paths to exist at usual places but they won't exist on NixOS.  There are some tricks to get them work but it's not always easy.  If the program you want isn't in the packages, it may not be easy to use it.  Flatpak can help to get some programs if they are not in the packages though.

=> https://nixos.wiki/wiki/Packaging/Binaries Running binaries

It takes disk space, some libraries can exist at the same time with small compilation differences.  A program can exist with different version at the same time because of previous builds still available for boot in grub, if you forget to clean them it takes a lot of memory.

The whole system (especially for graphical environments) may not feel as polished as more mainstream distributions putting a lot of efforts into branding and customization.  NixOS will only install everything and you will have a quite raw environment that you will have to configure.  It's not a real cons but in comparison to other desktop oriented distributions, NixOS may not look as good out of the box.

## Conclusion

NixOS is an awesome piece of software.  It works very well and I never had any reliability issue with it.  Some services like xrdp are usually quite complex to setup but it worked out of the box here for me.

I see it as a huge Lego© box with which you can automate the building of the super system you want, given you have the schematics of its parts.  Once you need a block you don't have in your recipes list, you will have a hard time.

I really classify it into its own category, in comparison to Linux/BSD distributions and Windows, there is the NixOS / Guix category with those stateless systems for which the configuration is their code.

  <pubDate>Fri, 22 Jan 2021 00:00:00 GMT</pubDate>
  <title>Vger security analysis</title>
Title : Vger security analysis
Author: Solène
Date  : 14 January 2021
Tags  : vger gemini security

I would like to share about Vger internals in regards to how the security was thought to protect vger users and host systems.

=> https://tildegit.org/solene/vger Vger code repository

## Thinking about security first

I claim about security in Vger as its main feature, I even wrote Vger to have a secure gemini server  that I can trust. Why so? It's written in C and I'm a beginner developer in this language, this looks like a scam.
I chose to follow the best practice I'm aware of from the very first line. My goal is to be sure Vger can't be used to exfiltrate data from the host on which it runs or to allow it to run arbirary command. While I may have missed corner case in which it could crash, I think a crash is the worse that can happen with Vger.

### Smallest code possible

Vger doesn't have to manage connections or TLS, this was a lot of code already removed by this design choice. There are better tools which are exactly made for this purpose, so it's time to reuse other people good work.

### Inetd and user

Vger is run by inetd daemon, allowing to choose the user running vger. Using a dedicated user is always a good idea to prevent any harm in case of issue, but it's really not sufficient to protect vger to behave badly.
Another kind of security benefit is that vger runtime isn't looping like a daemon awaiting new connections. Vger accept a request, read a file if exist and gives its result and terminates. This is less error prone because no variable can be reused or tricked after a loop that could leave the code in an inconsistent or vulnerable state.

### Chroot

A critical vger feature is the ability to chroot into a directory, meaning the directory is now seen as the root of the file system (/var/gemini would be seen as /) and prevent vger to escape it. In addition to the chroot feature, the feature allow vger to drop to an unprivileged user.

```C code showing the chroot feature
      * use chroot() if an user is specified requires root user to be 
      * running the program to run chroot() and then drop privileges 
     if (strlen(user) > 0) {

             /* is root? */
             if (getuid() != 0) {
                     syslog(LOG_DAEMON, "chroot requires program to be run as root");
                     errx(1, "chroot requires root user");
             /* search user uid from name */
             if ((pw = getpwnam(user)) == NULL) {
                     syslog(LOG_DAEMON, "the user %s can't be found on the system", user);
                     err(1, "finding user");
             /* chroot worked? */
             if (chroot(path) != 0) {
                     syslog(LOG_DAEMON, "the chroot_dir %s can't be used for chroot", path);
                     err(1, "chroot");
             chrooted = 1;
             if (chdir("/") == -1) {
                     syslog(LOG_DAEMON, "failed to chdir(\"/\")");
                     err(1, "chdir");
             /* drop privileges */
             if (setgroups(1, &pw->pw_gid) ||
                 setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) ||
                 setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid)) {
                     syslog(LOG_DAEMON, "dropping privileges to user %s (uid=%i) failed",
                            user, pw->pw_uid);
                     err(1, "Can't drop privileges");

### No use of third party libs

Vger only requires standard C includes, this avoid leaving trust to dozens of developers using fragile or barely tested code.

### OpenBSD specific code

In addition to all the previous security practices, OpenBSD is offering a few functions to help restricting a lot what Vger can do.

The first function is pledge, allowing to restrict the system calls that can happen within the code itself. The current syscalls allowed in vger are related to the categories "rpath" and "stdio", basically standard input/output and reading files/directories only. This mean after pledge() is called, if any syscall not in those two categories is used, vger will be killed and a pledge error will be reported in the logs.

The second function is unveil, which will basically restrict access to the filesystem to anything but what you list, with the permission. Currently, vger only allows file access in read-only mode in the base directory used to serve files.

Here is an extract of the code relative to the OpenBSD specific code. With unveil available everywhere chroot wouldn't be required.

```C code with OpenBSD specific code
 #ifdef __OpenBSD__
          * prevent access to files other than the one in path 
         if (chrooted) {
                 eunveil("/", "r");
         } else {
                 eunveil(path, "r");
          * prevent system calls other parsing queryfor fread file and 
          * write to stdio 
         if (pledge("stdio rpath", NULL) == -1) {
                 syslog(LOG_DAEMON, "pledge call failed");
                 err(1, "pledge");

## The least code before dropping privileges

I made my best to use the least code possible before reducing Vger capabilities. Only the code managing the parameters is done before activating chroot and/or unveil/pledge.

```C code showing the parameters parsing
main(int argc, char **argv)
     char            request  [GEMINI_REQUEST_MAX] = {'\0'};
     char            hostname [GEMINI_REQUEST_MAX] = {'\0'};
     char            uri      [PATH_MAX]           = {'\0'};
     char            user     [_SC_LOGIN_NAME_MAX] = "";
     int             virtualhost = 0;
     int             option = 0;
     char           *pos = NULL;

     while ((option = getopt(argc, argv, ":d:l:m:u:vi")) != -1) {
             switch (option) {
             case 'd':
                     estrlcpy(chroot_dir, optarg, sizeof(chroot_dir));
             case 'l':
                     estrlcpy(lang, "lang=", sizeof(lang));
                     estrlcat(lang, optarg, sizeof(lang));
             case 'm':
                     estrlcpy(default_mime, optarg, sizeof(default_mime));
             case 'u':
                     estrlcpy(user, optarg, sizeof(user));
             case 'v':
                     virtualhost = 1;
             case 'i':
                     doautoidx = 1;

      * do chroot if an user is supplied run pledge/unveil if OpenBSD 
     drop_privileges(user, chroot_dir); 

## The Unix way

Unix is made of small component that can work together as small bricks to build something more complex. Vger is based on this idea by delegating the listening daemon handling incoming requests to another software (let's say relayd or haproxy). And then, what's left from the gemini specs once you delegate TLS is to take account of a request and return some content, which is well suited for a program accepting a request on its standard input and giving the result on standard ouput. Inetd is a key here to make such a program compatible with a daemon like relayd or haproxy. When a connection is made into the TLS listening daemon, a local port will trigger inetd that will run the command, passing the network content to the binary into its stdin.

## Fine grained CGI

CGI support was added in order to allow Vger to make dynamic content instead of serving only static files. It has a fine grained control, you can allow only one file to be executable as a CGI or a whole directory of files.  When serving a CGI, vger forks, a pipe is opened between the two processes and a process is using execlp to run the cgi and transmit its output to vger.

## Using tests

From the beginning, I wrote a set of tests to be sure that once a kind of request or a use case work I can easily check I won't break it. This isn't about security but about reliability. When I push a new version on the git repository, I am absolutely confident it will work for the users. It was also an invaluable help for writing Vger.
As vger is a simple binary that accept data in stdin and output data on stdout, it is simple to write tests like this. The following example will run vger with a request, as the content is local and within the git repository, the output is predictable and known.

```Shell command to run vger for testing purpose using a pipe
printf "gemini://host.name/autoidx/\r\n" | vger -d var/gemini/

From here, it's possible to build an automatic test by checking the checksum of the output to the checksum of the known correct output. Of course, when you make a new use case, this requires manually generating the checksum to use it as a comparison later.

```Shell command comparing vger output to a checksum
OUT=$(printf "gemini://host.name/autoidx/\r\n" | ../vger -d var/gemini/ -i | md5)
if ! [ $OUT = "770a987b8f5cf7169e6bc3c6563e1570" ]
	echo "error"
	exit 1

At this time, vger as 19 use case in its test suite.

By using the program `entr` and a Makefile to manage the build process, it was very easy to trigger the testing process while working on the source code, allowing me to check the test suite only by saving my current changes. Anytime a .c file is modified, entr will trigger a make test command that will be displayed in a dedicated terminal.

```shell command using the command "entr" to auto rebuild the project
ls *.c | entr make test

Realtime integration tests? :)

# Conclusion

By using best practices, reducing the amount of code and using only system libraries, I am quite confident about Vger good security. The only real issue could be to have too many connections leading to a quite high load due to inetd spawning new processes and doing a denial of services. This could be avoided by throttling simultaneous connection in the TLS daemon.

If you want to contribute, please do, and if you find a security issue please contact me, I'll be glad to examine the issue.

  <pubDate>Thu, 14 Jan 2021 00:00:00 GMT</pubDate>
  <title>Free time partitionning</title>
Title : Free time partitionning
Author: Solène
Date  : 06 January 2021
Tags  : life

Lately I wanted to change the way I use my free time. I define my free time as: not working, not sleeping, not eating. So, I estimate it to six hours a day in work day and fourteen hours in non worked day.
With the year 2020 being quite unusual, I was staying at home most of the time without seeing the time passing. At the end of the year, I started to mix the duration of weeks and months which disturbed me a lot.

For a a few weeks now, I started to change the way I spend my free time. I thought it was be nice to have a few separate activies in the same day to help me realizing how time is passing by.

# Activity list

Here is the way I chose to distribute my free time. It's not a strict approach, I measure nothing. But I try to keep a simple ratio of 3/6, 2/6 and 1/6.

## Recreation: 3/6

I spend a lot of time in recreation time. A few activies I've put into recreation:

* video games
* movies
* reading novels
* sports

## Creativity: 2/6

Those activies requires creativy, work and knowledge:

* writing code
* reading technical books
* playing music
* creating content (texts, video, audio etc..)

## Chores: 1/6

Yes, obviously this has to be done on free time... And it's always better to do it a bit everyday than accumulating it until you are forced to proceed.

# Conclusion

I only started for a few weeks now but I really enjoy doing it. As I said previously, it's not something I stricly apply, but more a general way to spend my time and not stick for six hours writing code in a row from after work to going to sleep. I really feel my life is better balanced now and I feel some accomplishments for the few activies done every day.

# Questions / Answers

> Some asked asked me if I was planning in advance how I spend my time.

The answer is no. I don't plan anything but when I tend to lose focus on what I'm doing (and this happen often), I think about this time repartition method and then I think it may be time to jump on another activity and I pick something in another category. Now I think about it, that was very often that I was doing something because I was bored and lacking idea of activities to occupy myself, with this current list I no longer have this issue.

  <pubDate>Wed, 06 Jan 2021 00:00:00 GMT</pubDate>
  <title>Toward a simpler lifestyle</title>
Title : Toward a simpler lifestyle
Author: Solène
Date  : 04 January 2021
Tags  : life

I don't often give my own opinion on this blog but I really feel it is important here.

The matter is about ecology, fair money distribution and civilization. I feel I need to share a bit about my lifestyle, in hope it will have a positive impact on some of my readers. I really think one person can make a change. I changed myself, only by spending a few moments with a member of my family a few years ago. That person never tried to convince me of anything, they only lived by their own standard without never offending me, it was simple things, nothing that would make that person a paria in our society. But I got curious about the reasons and I figurated it myself way later, now I understand why.

My philisophy is simple. In a life in modern civilization where everything is going fast, everyone cares about opinions other have about them and ultra communication, step back.

Here are the various statement I am following, this is something I self defined, it's not absolute rules.

* Be yourself and be prepare to assume who you are. If you don't have the latest gadget you are not "has been", if you don't live in a giant house, you didn't fail your career, if you don't have a top notch shiny car nobody should ever care.
* Reuse what you have. It's not because a cloth has a little scratch that you can't reuse it. It's not because an electronic device is old that you should replace it.
* Opensource is a great way to revive old computers
* Reduce your food waste to 0 and eat less meat because to feed animals we eat this requires a huge food production, more than what we finally eat in the meat
* Travel less, there are a lot to see around where I live than at the other side of the planet. Certainly not go on vacation far away from home only to enjoy a beach under the sun. This also mean no car if it can be avoided, and if I use a car, why not carpooling?
* Avoid gadgets (electronic devices that bring nothing useful) at all cost. Buy good gears (kitchen tools, workshop tools, furnitures etc...) that can be repaired. If possible buy second hand. For non-essential gears, second hand is mandatory.
* In winter, heat at 19°C maximum with warm clothes while at home.
* In summer, no A/C but use of extern isolation and vines along the home to help cooling down. And fans + water while wearing lights clothes to keep cool.

While some people are looking for more and more, I do seek for less. There are not enough for everyone on the planet, so it's important to make sacrifices.
Of course, it is how I am and I don't expect anyone to apply this, that would be insane :)

Be safe and enjoy this new year! <3

=> https://www.lowtechmagazine.com/ Lowtech Magazine, articles about doing things using simple technology

  <pubDate>Mon, 04 Jan 2021 00:00:00 GMT</pubDate>
  <title>[FR] Pourquoi j'utilise OpenBSD</title>
Title : [FR] Pourquoi j'utilise OpenBSD
Author: Solène
Date  : 04 January 2021
Tags  : openbsd francais

Dans ce billet je vais vous livrer mon ressenti sur ce que j'aime dans OpenBSD.

### Respect de la vie privée

Il n'y a aucune télémétrie dans OpenBSD, je n'ai pas à m'inquiéter pour le respect de ma vie privée. Pour rappel, la télémétrie est un mécanisme qui consiste à remonter des informations de l'utilisateur afin d'analyser l'utilisation du produit.
De plus, le défaut du système a été de désactiver entièrement le micro, à moins d'une intervention avec le compte root, le microphone enregistre du silence (ce qui permet de ne pas le bloquer quant à des droits d'utilisation). A venir dans 6.9, la caméra suit le même chemin et sera désactivée par défaut. Il s'agit pour moi d'un signal fort quant à la nécessité de protéger l'utilisateur.

### Navigateurs web sécurisés

Avec l'ajout des fonctionnalités de sécurité (pledge et surtout unveil) dans les sources de Firefox et Chromium, je suis plus sereine quant à leur utilisation au quotidien. À l'heure actuelle, l'utilisation d'un navigateur web est quasiment incontournable, mais ils sont à la fois devenus extrêmement complexes et mal maîtrisés. L'exécution de code côté client via Javascript qui a de plus en plus de possibilité, de performances et de nécessités, ajouter un peu de sécurité dans l'équation était nécessaire. Bien que ces ajouts soient parfois un peu dérangeants à l'utilisation, je suis vraiment heureuse de pouvoir en bénéficier.
Avec ces sécurités ajoutés (par défaut), les navigateurs cités précédemment ne peuvent pas parcourir les répertoires en dehors de ce qui leur est nécessaire à leur bon fonctionnement plus les dossiers ~/Téléchargements/ et /tmp/. Ainsi, des emplacements comme ~/Documents ou ~/.gnupg sont totalement inaccessibles ce qui limite grandement les risques d'exfiltration de données par le navigateur.
On pourrait refaire grossièrement la même fonctionnalité sous Linux en utilisant AppArmor mais l'intégration est extrêmement compliquée (là où c'est par défaut sur OpenBSD) et un peu moins efficace, il est plus facile d'agir au bon moment depuis le code plutôt qu'en encapsulant le programme entier d'un groupe de règles.

### Pare-feu PF

Avec PF, il est très simple de vérifier le fichier de configuration pour comprendre les règles en place sur le serveur ou un ordinateur de bureau. La centralisation des règles dans un fichier et le système de macros permet d'écrire des règles simples et lisibles.

J'utilise énormément la fonctionnalité de gestion de bande passante pour limiter le débit de certaines applications qui n'offrent pas ce réglage. C'est très important pour moi n'étant pas la seule utilisatrice du réseau et ayant une connexion assez lente.
Sous Linux, il est possible d'utiliser les programmes trickle ou wondershaper pour mettre en place des limitations de bande passante, par contre, iptables est un cauchemar à utiliser en tant que firewall!

### C'est stable

A part à l'utilisation sur du matériel peu répandu, OpenBSD est très stable et fiable. Je peux facilement atteindre deux semaines d'uptime sur mon pc de bureau avec plusieurs mises en veille par jour. Mes serveurs OpenBSD tournent 24/24 sans problème depuis des années.
Je dépasse rarement deux semaines puisque je dois mettre à jour le système de temps en temps pour continuer les développements sur OpenBSD :)

### Peu de maintenance

Garder à jour un système OpenBSD est très simple. Je lance les commandes syspatch et pkg_add -u tous les jours pour garder mes serveurs à jour. Une mise à jour tous les six mois est nécessaire pour monter en version mais à part quelques instructions spécifiques qui peuvent parfois arriver, une mise à jour ressemble à ça :

```liste de commandes shells qui commencent par un # pour préciser que l'utilisateur est root
# sysupgrade
[..attendre un peu..]
# pkg_add -u
# reboot

### Documentation de qualité

Installer OpenBSD avec un chiffrement complet du disque est très facile (il faudra que j'écrive un billet sur l'importance de chiffrer ses disques et téléphones).
La documentation officielle expliquant l'installation d'un routeur avec NAT est parfaitement expliquée pas à pas, c'est une référence dès qu'il s'agit d'installer un routeur.
Tous les binaires du système de base (ça ne compte pas les packages) ont une documentation, ainsi que leurs fichiers de configuration.
Le site internet, la FAQ officielle et les pages de man sont les seules ressources nécessaires pour s'en sortir. Elles représentent un gros morceau, il n'est pas toujours facile de s'y retrouve mais tout y est.
Si je devais me débrouiller pendant un moment sans internet, je préférerais largement être sur un système OpenBSD. La documentation des pages de man suffit en général à s'en sortir.
Imaginez mettre en place un routeur qui fait du trafic shaping sous OpenBSD ou Linux sans l'aide de documents extérieurs au système. Personnellement je choisis OpenBSD à 100% pour ça :)

### Facilité de contribution

J'adore vraiment la façon dont OpenBSD gère les contributions. Je récupère les sources sur mon système et je procède aux modifications, je génère un fichier de diff (différence entre avant/après) et je l'envoie sur la liste de diffusion. Tout ça peut être fait en console avec des outils que je connais déjà (git/cvs) et des emails.
Parfois, les nouveaux contributeurs peuvent penser que les personnes qui répondent ne sont vraiment pas sympa. **Ce n'est pas vrai**. Si vous envoyez un diff et que vous recevez une critique, cela signifie déjà qu'on vous accorde du temps pour vous expliquer ce qui peut être amélioré. Je peux comprendre que cela puisse paraître rude pour certaines personnes, mais ce n'est pas ça du tout.

Cette année, j'ai fait quelques modestes contributions aux projets OpenIndiana et NixOS, c'était l'occasion de découvrir comment ces projets gèrent les contributions. Les deux utilisent github et la manière de faire est très intéressante, mais la comprendre demande beaucoup de travail car c'est relativement compliqué.
=> https://www.openindiana.org Site officiel d'OpenIndiana
=> https://nixos.org Site officiel de NixOS

La méthode de contribution nécessite un compte sur Github, de faire un fork du projet, cloner le fork en local, créer une branche, faire les modifications en local, envoyer le fork sur son compte github et utiliser l'interface web de github pour faire un "pull request". Ça c'est la version courte. Sur NixOS, ma première tentative de faire un pull request s'est terminée par une demande contenant six mois de commits en plus de mon petit changement. Avec une bonne documentation et de l'entrainement c'est tout à fait surmontable. Cette méthode de travail présente certains avantages comme le suivi des contributeurs, l'intégration continue ou la facilité de critique de code, mais c'est rebutoire au possible pour les nouveaux.

### Packages top qualité

Mon opinion est sûrement biaisée ici (bien plus que pour les éléments précédents) mais je pense sincèrement que les packages d'OpenBSD sont de très bonne qualité. La plupart d'entre eux fonctionnent "out of the box" avec des paramètres par défaut corrects.
Les packages qui nécessitent des instructions particulières sont fournis avec un fichier "readme" expliquant ce qui est nécessaire, par exemple créer certains répertoires avec des droits particuliers ou comment mettre à jour depuis une version précédente.

Même si par manque de contributeurs et de temps (en plus de certains programmes utilisant beaucoup de linuxismes pour être faciles à porter), la plupart des programmes libres majeurs sont disponibles et fonctionnent très bien.

Je profite de l'occasion de ce billet pour critiquer une tendance au sein du monde Open Source.

* les programmes distribués avec flatpak / docker / snap fonctionnent très bien sur Linux mais sont hostiles envers les autres systèmes. Ils utilisent souvent des fonctionnalités spécifiques à Linux et les méthodes de compilation sont tournées vers Linux. Cela complique grandement le portage de ces applications vers d'autres systèmes.
* les programmes avec nodeJS: ils nécessitent parfois des centaines voir des milliers des libs et certaines sont mêmes un peu bancales. C'est vraiment compliqué de faire fonctionner ces programmes sur OpenBSD. Certaines libs vont même jusqu'à embarquer du code rust ou à télécharger un binaire statique sur un serveur distant sans solution de compilation si nécessaire ou sans regardant si ce binaire est disponible dans $PATH. On y trouve des aberrations incroyables.
* les programmes nécessitant git pour compiler: le système de compilation dans les ports d'OpenBSD fait de son mieux pour faire au plus propre. L'utilisateur dédié à la création des packages n'a pas du tout accès à internet (bloqué par le pare-feu avec une règle par défaut) et ne pourra pas exécuter de commande git pour récupérer du code. Il n'y a aucune raison pour que la compilation d'un programme nécessite de télécharger du code au milieu de l'étape de compilation!

Évidemment je comprends que ces trois points ci-dessus existent car cela facilite la vie des développeurs, mais si vous écrivez un programme et que vous le publiez, ce serait très sympa de penser aux systèmes non-linux. N'hésite pas à demander sur les réseaux sociaux si quelqu'un veut tester votre code sur un autre système que Linux. On adore les développeurs "BSD friendly" qui acceptent nos patches pour améliorer le support OpenBSD. 

### Ce que j'aimerais voir évoluer

Il y a certaines choses où j'aimerais voir OpenBSD s'améliorer. Cette liste est personnelle et reflète pas l'opinion des membres du projet OpenBSD.

* Meilleur support ARM
* Débit du Wifi
* Meilleures performances (mais ça s'améliore un peu à chaque version)
* Améliorations de FFS (lors de crashs j'ai parfois des fichiers dans lost+found)
* Un pkg_add -u plus rapide
* Support du décodage vidéo matériel
* Meilleur support de FUSE avec une possibilité de monter des systèmes CIFS/samba
* Plus de contributeurs

Je suis consciente de tout le travail nécessaire ici, et ce n'est certainement pas moi qui vais y faire quelque chose. J'aimerais que cela s'améliore sans toutefois me plaindre de la situation actuelle :)
Malheureusement, tout le monde sait qu'OpenBSD évolue par un travail acharné et pas en envoyant une liste de souhaits aux développeurs :)
Quand on pense à ce qu'arrive à faire une petite équipe (environ 150 développeurs impliqués sur les dernières versions) en comparaison d'autres systèmes majeurs, je pense qu'on est assez efficace!

  <pubDate>Mon, 04 Jan 2021 00:00:00 GMT</pubDate>
  <title>[FR] Méthodes de publication de mon blog sur plusieurs médias</title>
Title : [FR] Méthodes de publication de mon blog sur plusieurs médias
Author: Solène
Date  : 03 January 2021
Tags  : life blog francais

On me pose souvent la question sur la façon dont je publie mon blog, comment j'écris mes textes et comment ils sont publiés sur trois médias différents. Cet article est l'occasion pour moi de répondre à ces questions.

Pour mes publications j'utilise le générateur de site statique "cl-yag" que j'ai développé. Son principal travail est de générer les fichiers d'index d'accueil et de chaque tags pour chacun des médias de diffusion, HTML pour http, gophermap pour gopher et gemtext pour gemini. Après la génération des indexs, pour chaque article publié en HTML, un convertisseur va être appelé pour transformer le fichier d'origine en HTML afin de permettre sa consultation avec un navigateur internet. Pour gemini et gopher, l'article source est simplement copié avec quelques méta-données ajoutées en haut du fichier comme le titre, la date, l'auteur et les mots-clés.

Publier sur ces trois format en même temps avec un seul fichier source est un défi qui requiert malheureusement de faire des sacrifices sur le rendu si on ne veut pas écrire trois versions du même texte. Pour gopher, j'ai choisi de distribuer les textes tel quel, en tant que fichier texte, le contenu peut être du markdown, org-mode, mandoc ou autre mais gopher ne permet pas de le déterminer. Pour gémini, les textes sont distribués comme .gmi qui correspondent au type gemtext même si les anciennes publications sont du markdown pour le contenu. Pour le http, c'est simplement du HTML obtenu via une commande en fonction du type de données en entrée.

J'ai récemment décidé d'utiliser le format gemtext par défaut plutôt que le markdown pour écrire mes articles. Il a certes moins de possibilités que le markdown, mais le rendu ne contient aucune ambiguïté, tandis que le rendu d'un markdown peut varier selon l'implémentation et le type de markdown (tableaux, pas tableaux ? Syntaxe pour les images ? etc...)

Lors de l'exécution du générateur de site, tous les indexs sont régénérées, pour les fichiers publiés, la date de modification de celui-ci est comparée au fichier source, si la source est plus récente alors le fichier publié est généré à nouveau car il y a eu un changement. Cela permet de gagner énormément de temps puisque mon site atteint bientôt les 200 articles et copier 200 fichiers pour gopher, 200 pour gemini et lancer 200 programmes de conversion pour le HTML rendrait la génération extrêmement longue.

Après la génération de tous les fichiers, la commande rsync est utilisée pour mettre à jour les dossiers de sortie pour chaque protocole vers le serveur correspondant. J'utilise un serveur pour le http, deux serveurs pour gopher (le principal n'était pas spécialement stable à l'époque), un serveur pour gemini.

J'ai ajouté un système d'annonce sur Mastodon en appelant le programme local "toot" configuré sur un compte dédié. Ces changements n'ont pas été déployé dans cl-yag car il s'agit de changements très spécifiques pour mon utilisation personnelle. Ce genre de modification me fait penser qu'un générateur de site statique peut être un outil très personnel que l'on configure vraiment pour un besoin hyper spécifique et qu'il peut être difficile pour quelqu'un d'autre de s'en servir. J'avais décidé de le publier à l'époque, je ne sais pas si quelqu'un l'utilise activement, mais au moins le code est là pour les plus téméraires qui voudraient y jeter un oeil.

Mon générateur de blog peut supporter le mélange de différents types de fichiers sources pour être convertis en HTML. Cela me permet d'utiliser le type de formatage que je veux sans avoir à tout refaire.

Voici quelques commandes utilisées pour convertir les fichiers d'entrées (les articles bruts tels que je les écrits) en HTML. On constate que la conversion org-mode vers HTML n'est pas la plus simple. Le fichier de configuration de cl-yag est du code LISP chargé lors de l'exécution, je peux y mettre des commentaires mais aussi du code si je le souhaite, cela se révèle pratique parfois.

```Code Common-lisp pour la déclaration des convertisseurs texte vers html
(converter :name :gemini    :extension ".gmi" :command "gmi2html/gmi2html data/%IN | tee %OUT")
(converter :name :markdown  :extension ".md"  :command "peg-markdown -t html -o %OUT data/%IN")
(converter :name :markdown2 :extension ".md"  :command "multimarkdown -t html -o %OUT data/%IN")
(converter :name :mmd       :extension ".mmd" :command "cat data/%IN | awk -f mmd | tee %OUT")
(converter :name :mandoc    :extension ".man"
           :command "cat data/%IN  | mandoc -T markdown | sed -e '1,2d' -e '$d' | multimarkdown -t html -o %OUT")
(converter :name :org-mode  :extension ".org"
	   :command (concatenate 'string
				 "emacs data/%IN --batch --eval '(with-temp-buffer (org-mode) "
				 "(insert-file \"%IN\") (org-html-export-as-html nil nil nil t)"
				 "(princ (buffer-string)))' --kill | tee %OUT"))

Quand je déclare un nouvel article dans le fichier de configuration qui détient les méta-données de toutes les publications, j'ai la possibilité de choisir le convertisseur HTML à utiliser si ce n'est pas celui par défaut.

```Exemple de déclaration d'un nouveau texte à publier avec ses métadonnées
;; utilisation du convertisseur par défaut
(post :title "Minimalistic markdown subset to html converter using awk"
      :id "minimal-markdown" :tag "unix awk" :date "20190826")

;; utilisation du convertisseur mmd, un script awk très simple que j'ai fait pour convertir quelques fonctionnalités de markdown en html
(post :title "Life with an offline laptop"
      :id "offline-laptop" :tag "openbsd life disconnected" :date "20190823" :converter :mmd)

Quelques statistiques concernant la syntaxe de mes différentes publications, via http vous ne voyez que le HTML, mais en gopher ou gemini vous verrez la source telle quelle.

* markdown :: 183
* gemini :: 12
* mandoc :: 4
* mmd :: 2
* org-mode :: 1

  <pubDate>Sun, 03 Jan 2021 00:00:00 GMT</pubDate>