diff options
| author | Paul Buetow <paul@buetow.org> | 2022-07-30 11:36:24 +0100 |
|---|---|---|
| committer | Paul Buetow <paul@buetow.org> | 2022-07-30 11:36:24 +0100 |
| commit | 5cb6e5d903eb2001d14e7493aadd7b9635f09021 (patch) | |
| tree | fde2999c3e2311d727689696c3f8b397c6a54120 /gemfeed | |
| parent | 9dfc03317d44e2c071ae659af87a4ed2384ccc09 (diff) | |
add lets encrypt article
Diffstat (limited to 'gemfeed')
| -rw-r--r-- | gemfeed/2022-07-30-lets-encrypt-with-openbsd-and-rex.gmi | 662 | ||||
| -rw-r--r-- | gemfeed/atom.xml | 769 | ||||
| -rw-r--r-- | gemfeed/index.gmi | 1 |
3 files changed, 1351 insertions, 81 deletions
diff --git a/gemfeed/2022-07-30-lets-encrypt-with-openbsd-and-rex.gmi b/gemfeed/2022-07-30-lets-encrypt-with-openbsd-and-rex.gmi new file mode 100644 index 00000000..2e421ee7 --- /dev/null +++ b/gemfeed/2022-07-30-lets-encrypt-with-openbsd-and-rex.gmi @@ -0,0 +1,662 @@ +# Let's Encrypt with OpenBSD and Rex + +``` + / _ \ + The Hebern Machine \ ." ". / + ___ / \ + .."" "".. | O | + / \ | | + / \ | | + --------------------------------- + _/ o (O) o _ | + _/ ." ". | + I/ _________________/ \ | + _/I ." | | + ===== / I / / | + ===== | | | \ | _________________." | +===== | | | | | / \ / _|_|__|_|_ __ | + | | | | | | | \ "._." / o o \ ." ". | + | --| --| -| / \ _/ / \ | + \____\____\__| \ ______ | / | | | + -------- --- / | | | + ( ) (O) / \ / | + ----------------------- ".__." | + _|__________________________________________|_ + / \ + /________________________________________________\ + ASCII Art by John Savard +``` + +> Published by Paul at 2022-07-30 + +I was amazed how easy it is to automatically generate and update Let's Encrypt certificates with OpenBSD. + +## What's Let's Encrypt? + +> Let's Encrypt is a non-profit certificate authority run by Internet Security Research Group that provides X.509 certificates for Transport Layer Security (TLS) encryption at no charge. It is the world's largest certificate authority, used by more than 265 million websites, with the goal of all websites being secure and using HTTPS. + +=> https://en.wikipedia.org/wiki/Let's_Encrypt Source: Wikipedia + +In short, it gives away TLS certificates for your website - for free! The catch is, that the certificates are only valid for three months. So it is better to automate certificate generation and renevals. + +## Meet `acme-client` + +`acme-client` is the default Automatic Certifcate Management Environment (ACME) client on OpenBSD and part of the OpenBSD base system. + +When invoked, the client first checks whether certificates actually require to be generated. + +* It first checks whether a certificate already exists, if not, it will attempt to generate a new one. +* If the certificate already exists but expires within the next 30 days, it will renew it. +* Otherwise, `acme-client` won't do anything. + +Oversimplified, the following steps are undertaken by `acme-client` for generating a new certificate: + +* Reading its config file `/etc/acme-client.conf` for a list of hosts (and their alternative names) to generate certificates for. So it means you can also have certificates for abritary subdomains! +* Automatic generation of the private certificate part (the certificate key) and the certificate signing request (CSR) to `/etc/ssl/...`. +* Requesting Let's Encrypt to sign the certificate. This also includes providing a set of temporary files which will be requested by Let's Encrypt in the next step for verification. +* Let's Encrypt then will contact the hostname for the certificate through a special URL (e.g. `http://foo.zone/.well-known/acme-challenge/...`) to verify that the requester is the valid owner of the host. +* Let's Encrypt generates a certificate, which then is downloaded to `/etc/ssl/...`. + +## Configuration + +There is some (but easy) configuration required to make that all work on OpenBSD. + +### acme-client.conf + +This is how my `/etc/acme-client.conf` looks like (I copied a template from `/etc/examples/acme-client.conf` to `/etc/acme-client.conf` and added my domains to the bottom: + +``` +# +# $OpenBSD: acme-client.conf,v 1.4 2020/09/17 09:13:06 florian Exp $ +# +authority letsencrypt { + api url "https://acme-v02.api.letsencrypt.org/directory" + account key "/etc/acme/letsencrypt-privkey.pem" +} + +authority letsencrypt-staging { + api url "https://acme-staging-v02.api.letsencrypt.org/directory" + account key "/etc/acme/letsencrypt-staging-privkey.pem" +} + +authority buypass { + api url "https://api.buypass.com/acme/directory" + account key "/etc/acme/buypass-privkey.pem" + contact "mailto:me@example.com" +} + +authority buypass-test { + api url "https://api.test4.buypass.no/acme/directory" + account key "/etc/acme/buypass-test-privkey.pem" + contact "mailto:me@example.com" +} + +domain buetow.org { + alternative names { www.buetow.org paul.buetow.org } + domain key "/etc/ssl/private/buetow.org.key" + domain full chain certificate "/etc/ssl/buetow.org.fullchain.pem" + sign with letsencrypt +} + +domain dtail.dev { + alternative names { www.dtail.dev } + domain key "/etc/ssl/private/dtail.dev.key" + domain full chain certificate "/etc/ssl/dtail.dev.fullchain.pem" + sign with letsencrypt +} + +domain foo.zone { + alternative names { www.foo.zone } + domain key "/etc/ssl/private/foo.zone.key" + domain full chain certificate "/etc/ssl/foo.zone.fullchain.pem" + sign with letsencrypt +} + +domain irregular.ninja { + alternative names { www.irregular.ninja } + domain key "/etc/ssl/private/irregular.ninja.key" + domain full chain certificate "/etc/ssl/irregular.ninja.fullchain.pem" + sign with letsencrypt +} + +domain snonux.land { + alternative names { www.snonux.land } + domain key "/etc/ssl/private/snonux.land.key" + domain full chain certificate "/etc/ssl/snonux.land.fullchain.pem" + sign with letsencrypt +} +``` + +### httpd.conf + +For ACME to work you will also need to configure the HTTP daemon so that the "special" ACME requests made from Let's Encrypt are served correctly. I am using the standard OpenBSD `httpd` here. These are the snippets I use for the `foo.zone` host in `/etc/httpd.conf` (of course, you need similar setup for all other hosts as well): + +``` +server "foo.zone" { + listen on * port 80 + location "/.well-known/acme-challenge/*" { + root "/acme" + request strip 2 + } + location * { + block return 302 "https://$HTTP_HOST$REQUEST_URI" + } +} + +server "foo.zone" { + listen on * tls port 443 + tls { + certificate "/etc/ssl/foo.zone.fullchain.pem" + key "/etc/ssl/private/foo.zone.key" + } + location * { + root "/htdocs/gemtexter/foo.zone" + directory auto index + } +} +``` + +As you see, plain HTTP only serves the ACME challenge path. Otherwise, it is redirecting the requests to TLS. The TLS section then attempts to use the Let's Encrypt certificates. + +It is worth noticing that `httpd` will start without the certificates actually being present. This will cause a certificate error when you try to reach the HTTPS endpoint but it helps to bootstrap Let's Encrypt. As you saw in the config snippet above, Let's Encrypt only requests the plain HTTP endpoint for the verification process so that HTTPS doesn't need to be operational yet at this stage. But once the certificates are generated you will have to reload or restart `httpd` in order to use any new certificate. + +### CRON job + +You could now run `doas acme-client foo.zone` to generate the certificate or to renew it. Or you could automate it with CRON. + +I have created a script `/usr/local/bin/acme.sh` for that for all of my domains: + +``` +#!/bin/sh + +function handle_cert { + host=$1 + # Create symlink, so that relayd also can read it. + crt_path=/etc/ssl/$host + if [ -e $crt_path.crt ]; then + rm $crt_path.crt + fi + ln -s $crt_path.fullchain.pem $crt_path.crt + # Requesting and renewing certificate. + /usr/sbin/acme-client -v $host +} + +has_update=no +handle_cert www.buetow.org +if [ $? -eq 0 ]; then + has_update=yes +fi +handle_cert www.paul.buetow.org +if [ $? -eq 0 ]; then + has_update=yes +fi +handle_cert www.tmp.buetow.org +if [ $? -eq 0 ]; then + has_update=yes +fi +handle_cert www.dtail.dev +if [ $? -eq 0 ]; then + has_update=yes +fi +handle_cert www.foo.zone +if [ $? -eq 0 ]; then + has_update=yes +fi +handle_cert www.irregular.ninja +if [ $? -eq 0 ]; then + has_update=yes +fi +handle_cert www.snonux.land +if [ $? -eq 0 ]; then + has_update=yes +fi + +# Pick up the new certs. +if [ $has_update = yes ]; then + /usr/sbin/rcctl reload httpd + /usr/sbin/rcctl reload relayd + /usr/sbin/rcctl restart smtpd +fi +``` + +And added the following line to `/etc/daily.local` to run the script once daily so that certificates will be renewed fully automatically: + +``` +/usr/local/bin/acme.sh +``` + +I am receiving a daily output via E-Mail like this now: + +``` +Running daily.local: +acme-client: /etc/ssl/buetow.org.fullchain.pem: certificate valid: 80 days left +acme-client: /etc/ssl/paul.buetow.org.fullchain.pem: certificate valid: 80 days left +acme-client: /etc/ssl/tmp.buetow.org.fullchain.pem: certificate valid: 80 days left +acme-client: /etc/ssl/dtail.dev.fullchain.pem: certificate valid: 80 days left +acme-client: /etc/ssl/foo.zone.fullchain.pem: certificate valid: 80 days left +acme-client: /etc/ssl/irregular.ninja.fullchain.pem: certificate valid: 80 days left +acme-client: /etc/ssl/snonux.land.fullchain.pem: certificate valid: 79 days left +``` + +## relayd.conf and smtpd.conf + +Besides of `httpd`, `relayd` (mainly for Gemini) and `smtpd` (for mail, of course) also use TLS certificates. And as you can see in `acme.sh`, the services are also reloaded or restarted (`smtpd` doesn't support reload) whenever a certificate was generated or updated. + +## Rexification + +I didn't write all these configuration files by hand. As a matter of fact, everything is automated with the Rex configuration management system. + +=> https://www.rexify.org + +At the top of the `Rexfile` I define all my hosts: + +``` +our @acme_hosts = qw/buetow.org paul.buetow.org tmp.buetow.org dtail.dev foo.zone irregular.ninja snonux.land/; +``` + +### General ACME client configuration + +ACME will be installed into the frontend group of hosts. Here, blowfish is the primary, and twofish the secondary OpenBSD box. + +``` +group frontends => 'blowfish.buetow.org', 'twofish.buetow.org'; +``` + +This is my Rex task for the general ACME configuration: + +``` +desc 'Configure ACME client'; +task 'acme', group => 'frontends', + sub { + file '/etc/acme-client.conf', + content => template('./etc/acme-client.conf.tpl', + acme_hosts => \@acme_hosts, + is_primary => $is_primary), + owner => 'root', + group => 'wheel', + mode => '644'; + + file '/usr/local/bin/acme.sh', + content => template('./scripts/acme.sh.tpl', + acme_hosts => \@acme_hosts, + is_primary => $is_primary), + owner => 'root', + group => 'wheel', + mode => '744'; + + file '/etc/daily.local', + ensure => 'present', + owner => 'root', + group => 'wheel', + mode => '644'; + + append_if_no_such_line '/etc/daily.local', '/usr/local/bin/acme.sh'; + }; +``` + +And there is also a Rex task just to run the ACME script remotely: + +``` +desc 'Invoke ACME client'; +task 'acme_invoke', group => 'frontends', + sub { + say run '/usr/local/bin/acme.sh'; + }; + +``` + +Furthermore, this snippet (also at the top of the Rexfile) helps to determine whether the current server is the primary server (all hosts will be without the `www.` prefix) or the secondary server (all hosts will be with the `www.` prefix): + +``` +# Bootstrapping the FQDN based on the server IP as the hostname and domain +# facts aren't set yet due to the myname file in the first place. +our $fqdns = sub { + my $ipv4 = shift; + return 'blowfish.buetow.org' if $ipv4 eq '23.88.35.144'; + return 'twofish.buetow.org' if $ipv4 eq '108.160.134.135'; + Rex::Logger::info("Unable to determine hostname for $ipv4", 'error'); + return 'HOSTNAME-UNKNOWN.buetow.org'; +}; + +# To determine whether the server is the primary or the secondary. +our $is_primary = sub { + my $ipv4 = shift; + $fqdns->($ipv4) eq 'blowfish.buetow.org'; +}; +``` + +The following is the `acme-client.conf.tpl` Rex template file used for the automation. You see here that the `www.` prefix isn't sent for the primary server. E.g. `foo.zone` will be served by the primary server (in my case a server located in Germany) and `www.foo.zone` by the secondary server (in my case a server located in Japan): + +``` +# +# $OpenBSD: acme-client.conf,v 1.4 2020/09/17 09:13:06 florian Exp $ +# +authority letsencrypt { + api url "https://acme-v02.api.letsencrypt.org/directory" + account key "/etc/acme/letsencrypt-privkey.pem" +} + +authority letsencrypt-staging { + api url "https://acme-staging-v02.api.letsencrypt.org/directory" + account key "/etc/acme/letsencrypt-staging-privkey.pem" +} + +authority buypass { + api url "https://api.buypass.com/acme/directory" + account key "/etc/acme/buypass-privkey.pem" + contact "mailto:me@example.com" +} + +authority buypass-test { + api url "https://api.test4.buypass.no/acme/directory" + account key "/etc/acme/buypass-test-privkey.pem" + contact "mailto:me@example.com" +} + +<% + our $primary = $is_primary->($vio0_ip); + our $prefix = $primary ? '' : 'www.'; +%> + +<% for my $host (@$acme_hosts) { %> +domain <%= $prefix.$host %> { + domain key "/etc/ssl/private/<%= $prefix.$host %>.key" + domain full chain certificate "/etc/ssl/<%= $prefix.$host %>.fullchain.pem" + sign with letsencrypt +} +<% } %> + +``` + +And this is the `acme.sh.tpl`: + +``` +#!/bin/sh + +<% + our $primary = $is_primary->($vio0_ip); + our $prefix = $primary ? '' : 'www.'; +-%> + +function handle_cert { + host=$1 + # Create symlink, so that relayd also can read it. + crt_path=/etc/ssl/$host + if [ -e $crt_path.crt ]; then + rm $crt_path.crt + fi + ln -s $crt_path.fullchain.pem $crt_path.crt + # Requesting and renewing certificate. + /usr/sbin/acme-client -v $host +} + +has_update=no +<% for my $host (@$acme_hosts) { -%> +handle_cert <%= $prefix.$host %> +if [ $? -eq 0 ]; then + has_update=yes +fi +<% } -%> + +# Pick up the new certs. +if [ $has_update = yes ]; then + /usr/sbin/rcctl reload httpd + /usr/sbin/rcctl reload relayd + /usr/sbin/rcctl restart smtpd +fi +``` + +### Service rexification + +These are the Rex tasks setting up `httpd`, `relayd` and `smtpd` services: + +``` +desc 'Setup httpd'; +task 'httpd', group => 'frontends', + sub { + append_if_no_such_line '/etc/rc.conf.local', 'httpd_flags='; + + file '/etc/httpd.conf', + content => template('./etc/httpd.conf.tpl', + acme_hosts => \@acme_hosts, + is_primary => $is_primary), + owner => 'root', + group => 'wheel', + mode => '644', + on_change => sub { service 'httpd' => 'restart' }; + + service 'httpd', ensure => 'started'; + }; + +desc 'Setup relayd'; +task 'relayd', group => 'frontends', + sub { + append_if_no_such_line '/etc/rc.conf.local', 'relayd_flags='; + + file '/etc/relayd.conf', + content => template('./etc/relayd.conf.tpl', + ipv6address => $ipv6address, + is_primary => $is_primary), + owner => 'root', + group => 'wheel', + mode => '600', + on_change => sub { service 'relayd' => 'restart' }; + + service 'relayd', ensure => 'started'; + }; + +desc 'Setup OpenSMTPD'; +task 'smtpd', group => 'frontends', + sub { + Rex::Logger::info('Dealing with mail aliases'); + file '/etc/mail/aliases', + source => './etc/mail/aliases', + owner => 'root', + group => 'wheel', + mode => '644', + on_change => sub { say run 'newaliases' }; + + Rex::Logger::info('Dealing with mail virtual domains'); + file '/etc/mail/virtualdomains', + source => './etc/mail/virtualdomains', + owner => 'root', + group => 'wheel', + mode => '644', + on_change => sub { service 'smtpd' => 'restart' }; + + Rex::Logger::info('Dealing with mail virtual users'); + file '/etc/mail/virtualusers', + source => './etc/mail/virtualusers', + owner => 'root', + group => 'wheel', + mode => '644', + on_change => sub { service 'smtpd' => 'restart' }; + + Rex::Logger::info('Dealing with smtpd.conf'); + file '/etc/mail/smtpd.conf', + content => template('./etc/mail/smtpd.conf.tpl', + is_primary => $is_primary), + owner => 'root', + group => 'wheel', + mode => '644', + on_change => sub { service 'smtpd' => 'restart' }; + + service 'smtpd', ensure => 'started'; + }; + +``` + +This is `httpd.conf.tpl`: + +``` +<% + our $primary = $is_primary->($vio0_ip); + our $prefix = $primary ? '' : 'www.'; +%> + +# Plain HTTP for ACME and HTTPS redirect +<% for my $host (@$acme_hosts) { %> +server "<%= $prefix.$host %>" { + listen on * port 80 + location "/.well-known/acme-challenge/*" { + root "/acme" + request strip 2 + } + location * { + block return 302 "https://$HTTP_HOST$REQUEST_URI" + } +} +<% } %> + +# Gemtexter hosts +<% for my $host (qw/foo.zone snonux.land/) { %> +server "<%= $prefix.$host %>" { + listen on * tls port 443 + tls { + certificate "/etc/ssl/<%= $prefix.$host %>.fullchain.pem" + key "/etc/ssl/private/<%= $prefix.$host %>.key" + } + location * { + root "/htdocs/gemtexter/<%= $host %>" + directory auto index + } +} +<% } %> + +# DTail special host +server "<%= $prefix %>dtail.dev" { + listen on * tls port 443 + tls { + certificate "/etc/ssl/<%= $prefix %>dtail.dev.fullchain.pem" + key "/etc/ssl/private/<%= $prefix %>dtail.dev.key" + } + location * { + block return 302 "https://github.dtail.dev$REQUEST_URI" + } +} + +# Irregular Ninja special host +server "<%= $prefix %>irregular.ninja" { + listen on * tls port 443 + tls { + certificate "/etc/ssl/<%= $prefix %>irregular.ninja.fullchain.pem" + key "/etc/ssl/private/<%= $prefix %>irregular.ninja.key" + } + location * { + root "/htdocs/irregular.ninja" + directory auto index + } +} + +# buetow.org special host. +server "<%= $prefix %>buetow.org" { + listen on * tls port 443 + tls { + certificate "/etc/ssl/<%= $prefix %>buetow.org.fullchain.pem" + key "/etc/ssl/private/<%= $prefix %>buetow.org.key" + } + block return 302 "https://paul.buetow.org" +} + +server "<%= $prefix %>paul.buetow.org" { + listen on * tls port 443 + tls { + certificate "/etc/ssl/<%= $prefix %>paul.buetow.org.fullchain.pem" + key "/etc/ssl/private/<%= $prefix %>paul.buetow.org.key" + } + block return 302 "https://foo.zone/contact-information.html" +} + +server "<%= $prefix %>tmp.buetow.org" { + listen on * tls port 443 + tls { + certificate "/etc/ssl/<%= $prefix %>tmp.buetow.org.fullchain.pem" + key "/etc/ssl/private/<%= $prefix %>tmp.buetow.org.key" + } + root "/htdocs/buetow.org/tmp" + directory auto index +} +``` + +and this the `relayd.conf.tpl`: + + +``` +<% + our $primary = $is_primary->($vio0_ip); + our $prefix = $primary ? '' : 'www.'; +%> + +log connection + +tcp protocol "gemini" { + tls keypair <%= $prefix %>foo.zone + tls keypair <%= $prefix %>buetow.org +} + +relay "gemini4" { + listen on <%= $vio0_ip %> port 1965 tls + protocol "gemini" + forward to 127.0.0.1 port 11965 +} + +relay "gemini6" { + listen on <%= $ipv6address->($hostname) %> port 1965 tls + protocol "gemini" + forward to 127.0.0.1 port 11965 +} +``` + +And last but not least, this is the `smtpd.conf.tpl`: + +``` +<% + our $primary = $is_primary->($vio0_ip); + our $prefix = $primary ? '' : 'www.'; +%> + +pki "buetow_org_tls" cert "/etc/ssl/<%= $prefix %>buetow.org.fullchain.pem" +pki "buetow_org_tls" key "/etc/ssl/private/<%= $prefix %>buetow.org.key" + +table aliases file:/etc/mail/aliases +table virtualdomains file:/etc/mail/virtualdomains +table virtualusers file:/etc/mail/virtualusers + +listen on socket +listen on all tls pki "buetow_org_tls" hostname "<%= $prefix %>buetow.org" +#listen on all + +action localmail mbox alias <aliases> +action receive mbox virtual <virtualusers> +action outbound relay + +match from any for domain <virtualdomains> action receive +match from local for local action localmail +match from local for any action outbound +``` + +## All pieces together + +For the full `Rexfile` example and all the templates, please look at the Git repository: + +=> https://codeberg.org/snonux/rexfiles + +Besides of ACME, also other things, such as DNS server, are rexified too. The following command will run all the Rex tasks and configure everything on my frontend machines automatically: + +``` +rex commons +``` + +The `commons` is a group of task I specified which combines a set of common tasks I always want to execute on all frontend machines. This also includes the ACME tasks mentioned in this article! + +## Conclusion + +ACME and Let's Encrypt greatly help reducing recurring manual maintenance work (creating and renewing certificates). Furthermore, all the certificates are free of costs! I love to use OpenBSD and Rex to automate all of this. + +OpenBSD suits perfectly here as all the tools are already part of the base installation. Rex is not as powerful and popular as other configuration management systems (e.g. Puppet, Chef, SALT or even Ansible). It is more of an underdog and the community is small. But I like underdogs. + +I love the fact that a `Rexfile` is just a Perl DSL. Why re-inventing the wheel? Also, OpenBSD comes with Perl in the base system. So no new programming language had to be added to my mix for the configuration management system. Also, the `acme.sh` shell script is not a Bash but a standard Bourne shell script so that I didn't have to install yet another shell. + +E-Mail me your comments to paul at buetow dot org! + +=> ../ Go back to the main site diff --git a/gemfeed/atom.xml b/gemfeed/atom.xml index ca42dddf..70dea87e 100644 --- a/gemfeed/atom.xml +++ b/gemfeed/atom.xml @@ -1,18 +1,625 @@ <?xml version="1.0" encoding="utf-8"?> <feed xmlns="http://www.w3.org/2005/Atom"> - <updated>2022-07-07T22:06:15+03:00</updated> + <updated>2022-07-30T11:35:29+01:00</updated> <title>foo.zone feed</title> <subtitle>To be in the .zone!</subtitle> <link href="gemini://foo.zone/gemfeed/atom.xml" rel="self" /> <link href="gemini://foo.zone/" /> <id>gemini://foo.zone/</id> <entry> + <title>Let's Encrypt with OpenBSD and REX</title> + <link href="gemini://foo.zone/gemfeed/2022-07-30-lets-encrypt-with-openbsd-and-rex.gmi" /> + <id>gemini://foo.zone/gemfeed/2022-07-30-lets-encrypt-with-openbsd-and-rex.gmi</id> + <updated>2022-07-30T10:33:58+01:00</updated> + <author> + <name>Paul C. Buetow</name> + <email>comments@mx.buetow.org</email> + </author> + <summary>I was amazed how easy it is to automatically generate and update Let's Encrypt certificates with OpenBSD.. .....to read on please visit my site.</summary> + <content type="xhtml"> + <div xmlns="http://www.w3.org/1999/xhtml"> + <h1>Let's Encrypt with OpenBSD and Rex</h1> +<pre> + / _ \ + The Hebern Machine \ ." ". / + ___ / \ + .."" "".. | O | + / \ | | + / \ | | + --------------------------------- + _/ o (O) o _ | + _/ ." ". | + I/ _________________/ \ | + _/I ." | | + ===== / I / / | + ===== | | | \ | _________________." | +===== | | | | | / \ / _|_|__|_|_ __ | + | | | | | | | \ "._." / o o \ ." ". | + | --| --| -| / \ _/ / \ | + \____\____\__| \ ______ | / | | | + -------- --- / | | | + ( ) (O) / \ / | + ----------------------- ".__." | + _|__________________________________________|_ + / \ + /________________________________________________\ + ASCII Art by John Savard +</pre><br /> +<p class="quote"><i>Published by Paul at 2022-07-30</i></p> +<p>I was amazed how easy it is to automatically generate and update Let's Encrypt certificates with OpenBSD.</p> +<h2>What's Let's Encrypt?</h2> +<p class="quote"><i>Let's Encrypt is a non-profit certificate authority run by Internet Security Research Group that provides X.509 certificates for Transport Layer Security (TLS) encryption at no charge. It is the world's largest certificate authority, used by more than 265 million websites, with the goal of all websites being secure and using HTTPS.</i></p> +<a class="textlink" href="https://en.wikipedia.org/wiki/Let's_Encrypt">Source: Wikipedia</a><br /> +<p>In short, it gives away TLS certificates for your website - for free! The catch is, that the certificates are only valid for three months. So it is better to automate certificate generation and renevals.</p> +<h2>Meet <span class="inlinecode">acme-client</span></h2> +<p><span class="inlinecode">acme-client</span> is the default Automatic Certifcate Management Environment (ACME) client on OpenBSD and part of the OpenBSD base system. </p> +<p>When invoked, the client first checks whether certificates actually require to be generated.</p> +<ul> +<li>It first checks whether a certificate already exists, if not, it will attempt to generate a new one.</li> +<li>If the certificate already exists but expires within the next 30 days, it will renew it.</li> +<li>Otherwise, `acme-client` won't do anything.</li> +</ul> +<p>Oversimplified, the following steps are undertaken by <span class="inlinecode">acme-client</span> for generating a new certificate:</p> +<ul> +<li>Reading its config file <span class="inlinecode">/etc/acme-client.conf</span> for a list of hosts (and their alternative names) to generate certificates for. So it means you can also have certificates for abritary subdomains!</li> +<li>Automatic generation of the private certificate part (the certificate key) and the certificate signing request (CSR) to `/etc/ssl/...`.</li> +<li>Requesting Let's Encrypt to sign the certificate. This also includes providing a set of temporary files which will be requested by Let's Encrypt in the next step for verification.</li> +<li>Let's Encrypt then will contact the hostname for the certificate through a special URL (e.g. `http://foo.zone/.well-known/acme-challenge/...`) to verify that the requester is the valid owner of the host.</li> +<li>Let's Encrypt generates a certificate, which then is downloaded to `/etc/ssl/...`.</li> +</ul> +<h2>Configuration</h2> +<p>There is some (but easy) configuration required to make that all work on OpenBSD.</p> +<h3>acme-client.conf</h3> +<p>This is how my <span class="inlinecode">/etc/acme-client.conf</span> looks like (I copied a template from <span class="inlinecode">/etc/examples/acme-client.conf</span> to <span class="inlinecode">/etc/acme-client.conf</span> and added my domains to the bottom:</p> +<pre> +# +# $OpenBSD: acme-client.conf,v 1.4 2020/09/17 09:13:06 florian Exp $ +# +authority letsencrypt { + api url "https://acme-v02.api.letsencrypt.org/directory" + account key "/etc/acme/letsencrypt-privkey.pem" +} + +authority letsencrypt-staging { + api url "https://acme-staging-v02.api.letsencrypt.org/directory" + account key "/etc/acme/letsencrypt-staging-privkey.pem" +} + +authority buypass { + api url "https://api.buypass.com/acme/directory" + account key "/etc/acme/buypass-privkey.pem" + contact "mailto:me@example.com" +} + +authority buypass-test { + api url "https://api.test4.buypass.no/acme/directory" + account key "/etc/acme/buypass-test-privkey.pem" + contact "mailto:me@example.com" +} + +domain buetow.org { + alternative names { www.buetow.org paul.buetow.org } + domain key "/etc/ssl/private/buetow.org.key" + domain full chain certificate "/etc/ssl/buetow.org.fullchain.pem" + sign with letsencrypt +} + +domain dtail.dev { + alternative names { www.dtail.dev } + domain key "/etc/ssl/private/dtail.dev.key" + domain full chain certificate "/etc/ssl/dtail.dev.fullchain.pem" + sign with letsencrypt +} + +domain foo.zone { + alternative names { www.foo.zone } + domain key "/etc/ssl/private/foo.zone.key" + domain full chain certificate "/etc/ssl/foo.zone.fullchain.pem" + sign with letsencrypt +} + +domain irregular.ninja { + alternative names { www.irregular.ninja } + domain key "/etc/ssl/private/irregular.ninja.key" + domain full chain certificate "/etc/ssl/irregular.ninja.fullchain.pem" + sign with letsencrypt +} + +domain snonux.land { + alternative names { www.snonux.land } + domain key "/etc/ssl/private/snonux.land.key" + domain full chain certificate "/etc/ssl/snonux.land.fullchain.pem" + sign with letsencrypt +} +</pre><br /> +<h3>httpd.conf</h3> +<p>For ACME to work you will also need to configure the HTTP daemon so that the "special" ACME requests made from Let's Encrypt are served correctly. I am using the standard OpenBSD <span class="inlinecode">httpd</span> here. These are the snippets I use for the <span class="inlinecode">foo.zone</span> host in <span class="inlinecode">/etc/httpd.conf</span> (of course, you need similar setup for all other hosts as well):</p> +<pre> +server "foo.zone" { + listen on * port 80 + location "/.well-known/acme-challenge/*" { + root "/acme" + request strip 2 + } + location * { + block return 302 "https://$HTTP_HOST$REQUEST_URI" + } +} + +server "foo.zone" { + listen on * tls port 443 + tls { + certificate "/etc/ssl/foo.zone.fullchain.pem" + key "/etc/ssl/private/foo.zone.key" + } + location * { + root "/htdocs/gemtexter/foo.zone" + directory auto index + } +} +</pre><br /> +<p>As you see, plain HTTP only serves the ACME challenge path. Otherwise, it is redirecting the requests to TLS. The TLS section then attempts to use the Let's Encrypt certificates.</p> +<p>It is worth noticing that <span class="inlinecode">httpd</span> will start without the certificates actually being present. This will cause a certificate error when you try to reach the HTTPS endpoint but it helps to bootstrap Let's Encrypt. As you saw in the config snippet above, Let's Encrypt only requests the plain HTTP endpoint for the verification process so that HTTPS doesn't need to be operational yet at this stage. But once the certificates are generated you will have to reload or restart <span class="inlinecode">httpd</span> in order to use any new certificate.</p> +<h3>CRON job</h3> +<p>You could now run <span class="inlinecode">doas acme-client foo.zone</span> to generate the certificate or to renew it. Or you could automate it with CRON.</p> +<p>I have created a script <span class="inlinecode">/usr/local/bin/acme.sh</span> for that for all of my domains:</p> +<pre> +#!/bin/sh + +function handle_cert { + host=$1 + # Create symlink, so that relayd also can read it. + crt_path=/etc/ssl/$host + if [ -e $crt_path.crt ]; then + rm $crt_path.crt + fi + ln -s $crt_path.fullchain.pem $crt_path.crt + # Requesting and renewing certificate. + /usr/sbin/acme-client -v $host +} + +has_update=no +handle_cert www.buetow.org +if [ $? -eq 0 ]; then + has_update=yes +fi +handle_cert www.paul.buetow.org +if [ $? -eq 0 ]; then + has_update=yes +fi +handle_cert www.tmp.buetow.org +if [ $? -eq 0 ]; then + has_update=yes +fi +handle_cert www.dtail.dev +if [ $? -eq 0 ]; then + has_update=yes +fi +handle_cert www.foo.zone +if [ $? -eq 0 ]; then + has_update=yes +fi +handle_cert www.irregular.ninja +if [ $? -eq 0 ]; then + has_update=yes +fi +handle_cert www.snonux.land +if [ $? -eq 0 ]; then + has_update=yes +fi + +# Pick up the new certs. +if [ $has_update = yes ]; then + /usr/sbin/rcctl reload httpd + /usr/sbin/rcctl reload relayd + /usr/sbin/rcctl restart smtpd +fi +</pre><br /> +<p>And added the following line to <span class="inlinecode">/etc/daily.local</span> to run the script once daily so that certificates will be renewed fully automatically:</p> +<pre> +/usr/local/bin/acme.sh +</pre><br /> +<p>I am receiving a daily output via E-Mail like this now:</p> +<pre> +Running daily.local: +acme-client: /etc/ssl/buetow.org.fullchain.pem: certificate valid: 80 days left +acme-client: /etc/ssl/paul.buetow.org.fullchain.pem: certificate valid: 80 days left +acme-client: /etc/ssl/tmp.buetow.org.fullchain.pem: certificate valid: 80 days left +acme-client: /etc/ssl/dtail.dev.fullchain.pem: certificate valid: 80 days left +acme-client: /etc/ssl/foo.zone.fullchain.pem: certificate valid: 80 days left +acme-client: /etc/ssl/irregular.ninja.fullchain.pem: certificate valid: 80 days left +acme-client: /etc/ssl/snonux.land.fullchain.pem: certificate valid: 79 days left +</pre><br /> +<h2>relayd.conf and smtpd.conf</h2> +<p>Besides of <span class="inlinecode">httpd</span>, <span class="inlinecode">relayd</span> (mainly for Gemini) and <span class="inlinecode">smtpd</span> (for mail, of course) also use TLS certificates. And as you can see in <span class="inlinecode">acme.sh</span>, the services are also reloaded or restarted (<span class="inlinecode">smtpd</span> doesn't support reload) whenever a certificate was generated or updated.</p> +<h2>Rexification</h2> +<p>I didn't write all these configuration files by hand. As a matter of fact, everything is automated with the Rex configuration management system.</p> +<a class="textlink" href="https://www.rexify.org">https://www.rexify.org</a><br /> +<p>At the top of the <span class="inlinecode">Rexfile</span> I define all my hosts:</p> +<pre> +our @acme_hosts = qw/buetow.org paul.buetow.org tmp.buetow.org dtail.dev foo.zone irregular.ninja snonux.land/; +</pre><br /> +<h3>General ACME client configuration</h3> +<p>ACME will be installed into the frontend group of hosts. Here, blowfish is the primary, and twofish the secondary OpenBSD box.</p> +<pre> +group frontends => 'blowfish.buetow.org', 'twofish.buetow.org'; +</pre><br /> +<p>This is my Rex task for the general ACME configuration:</p> +<pre> +desc 'Configure ACME client'; +task 'acme', group => 'frontends', + sub { + file '/etc/acme-client.conf', + content => template('./etc/acme-client.conf.tpl', + acme_hosts => \@acme_hosts, + is_primary => $is_primary), + owner => 'root', + group => 'wheel', + mode => '644'; + + file '/usr/local/bin/acme.sh', + content => template('./scripts/acme.sh.tpl', + acme_hosts => \@acme_hosts, + is_primary => $is_primary), + owner => 'root', + group => 'wheel', + mode => '744'; + + file '/etc/daily.local', + ensure => 'present', + owner => 'root', + group => 'wheel', + mode => '644'; + + append_if_no_such_line '/etc/daily.local', '/usr/local/bin/acme.sh'; + }; +</pre><br /> +<p>And there is also a Rex task just to run the ACME script remotely:</p> +<pre> +desc 'Invoke ACME client'; +task 'acme_invoke', group => 'frontends', + sub { + say run '/usr/local/bin/acme.sh'; + }; + +</pre><br /> +<p>Furthermore, this snippet (also at the top of the Rexfile) helps to determine whether the current server is the primary server (all hosts will be without the <span class="inlinecode">www.</span> prefix) or the secondary server (all hosts will be with the <span class="inlinecode">www.</span> prefix):</p> +<pre> +# Bootstrapping the FQDN based on the server IP as the hostname and domain +# facts aren't set yet due to the myname file in the first place. +our $fqdns = sub { + my $ipv4 = shift; + return 'blowfish.buetow.org' if $ipv4 eq '23.88.35.144'; + return 'twofish.buetow.org' if $ipv4 eq '108.160.134.135'; + Rex::Logger::info("Unable to determine hostname for $ipv4", 'error'); + return 'HOSTNAME-UNKNOWN.buetow.org'; +}; + +# To determine whether the server is the primary or the secondary. +our $is_primary = sub { + my $ipv4 = shift; + $fqdns->($ipv4) eq 'blowfish.buetow.org'; +}; +</pre><br /> +<p>The following is the <span class="inlinecode">acme-client.conf.tpl</span> Rex template file used for the automation. You see here that the <span class="inlinecode">www.</span> prefix isn't sent for the primary server. E.g. <span class="inlinecode">foo.zone</span> will be served by the primary server (in my case a server located in Germany) and <span class="inlinecode">www.foo.zone</span> by the secondary server (in my case a server located in Japan):</p> +<pre> +# +# $OpenBSD: acme-client.conf,v 1.4 2020/09/17 09:13:06 florian Exp $ +# +authority letsencrypt { + api url "https://acme-v02.api.letsencrypt.org/directory" + account key "/etc/acme/letsencrypt-privkey.pem" +} + +authority letsencrypt-staging { + api url "https://acme-staging-v02.api.letsencrypt.org/directory" + account key "/etc/acme/letsencrypt-staging-privkey.pem" +} + +authority buypass { + api url "https://api.buypass.com/acme/directory" + account key "/etc/acme/buypass-privkey.pem" + contact "mailto:me@example.com" +} + +authority buypass-test { + api url "https://api.test4.buypass.no/acme/directory" + account key "/etc/acme/buypass-test-privkey.pem" + contact "mailto:me@example.com" +} + +<% + our $primary = $is_primary->($vio0_ip); + our $prefix = $primary ? '' : 'www.'; +%> + +<% for my $host (@$acme_hosts) { %> +domain <%= $prefix.$host %> { + domain key "/etc/ssl/private/<%= $prefix.$host %>.key" + domain full chain certificate "/etc/ssl/<%= $prefix.$host %>.fullchain.pem" + sign with letsencrypt +} +<% } %> + +</pre><br /> +<p>And this is the <span class="inlinecode">acme.sh.tpl</span>:</p> +<pre> +#!/bin/sh + +<% + our $primary = $is_primary->($vio0_ip); + our $prefix = $primary ? '' : 'www.'; +-%> + +function handle_cert { + host=$1 + # Create symlink, so that relayd also can read it. + crt_path=/etc/ssl/$host + if [ -e $crt_path.crt ]; then + rm $crt_path.crt + fi + ln -s $crt_path.fullchain.pem $crt_path.crt + # Requesting and renewing certificate. + /usr/sbin/acme-client -v $host +} + +has_update=no +<% for my $host (@$acme_hosts) { -%> +handle_cert <%= $prefix.$host %> +if [ $? -eq 0 ]; then + has_update=yes +fi +<% } -%> + +# Pick up the new certs. +if [ $has_update = yes ]; then + /usr/sbin/rcctl reload httpd + /usr/sbin/rcctl reload relayd + /usr/sbin/rcctl restart smtpd +fi +</pre><br /> +<h3>Service rexification </h3> +<p>These are the Rex tasks setting up <span class="inlinecode">httpd</span>, <span class="inlinecode">relayd</span> and <span class="inlinecode">smtpd</span> services:</p> +<pre> +desc 'Setup httpd'; +task 'httpd', group => 'frontends', + sub { + append_if_no_such_line '/etc/rc.conf.local', 'httpd_flags='; + + file '/etc/httpd.conf', + content => template('./etc/httpd.conf.tpl', + acme_hosts => \@acme_hosts, + is_primary => $is_primary), + owner => 'root', + group => 'wheel', + mode => '644', + on_change => sub { service 'httpd' => 'restart' }; + + service 'httpd', ensure => 'started'; + }; + +desc 'Setup relayd'; +task 'relayd', group => 'frontends', + sub { + append_if_no_such_line '/etc/rc.conf.local', 'relayd_flags='; + + file '/etc/relayd.conf', + content => template('./etc/relayd.conf.tpl', + ipv6address => $ipv6address, + is_primary => $is_primary), + owner => 'root', + group => 'wheel', + mode => '600', + on_change => sub { service 'relayd' => 'restart' }; + + service 'relayd', ensure => 'started'; + }; + +desc 'Setup OpenSMTPD'; +task 'smtpd', group => 'frontends', + sub { + Rex::Logger::info('Dealing with mail aliases'); + file '/etc/mail/aliases', + source => './etc/mail/aliases', + owner => 'root', + group => 'wheel', + mode => '644', + on_change => sub { say run 'newaliases' }; + + Rex::Logger::info('Dealing with mail virtual domains'); + file '/etc/mail/virtualdomains', + source => './etc/mail/virtualdomains', + owner => 'root', + group => 'wheel', + mode => '644', + on_change => sub { service 'smtpd' => 'restart' }; + + Rex::Logger::info('Dealing with mail virtual users'); + file '/etc/mail/virtualusers', + source => './etc/mail/virtualusers', + owner => 'root', + group => 'wheel', + mode => '644', + on_change => sub { service 'smtpd' => 'restart' }; + + Rex::Logger::info('Dealing with smtpd.conf'); + file '/etc/mail/smtpd.conf', + content => template('./etc/mail/smtpd.conf.tpl', + is_primary => $is_primary), + owner => 'root', + group => 'wheel', + mode => '644', + on_change => sub { service 'smtpd' => 'restart' }; + + service 'smtpd', ensure => 'started'; + }; + +</pre><br /> +<p>This is <span class="inlinecode">httpd.conf.tpl</span>:</p> +<pre> +<% + our $primary = $is_primary->($vio0_ip); + our $prefix = $primary ? '' : 'www.'; +%> + +# Plain HTTP for ACME and HTTPS redirect +<% for my $host (@$acme_hosts) { %> +server "<%= $prefix.$host %>" { + listen on * port 80 + location "/.well-known/acme-challenge/*" { + root "/acme" + request strip 2 + } + location * { + block return 302 "https://$HTTP_HOST$REQUEST_URI" + } +} +<% } %> + +# Gemtexter hosts +<% for my $host (qw/foo.zone snonux.land/) { %> +server "<%= $prefix.$host %>" { + listen on * tls port 443 + tls { + certificate "/etc/ssl/<%= $prefix.$host %>.fullchain.pem" + key "/etc/ssl/private/<%= $prefix.$host %>.key" + } + location * { + root "/htdocs/gemtexter/<%= $host %>" + directory auto index + } +} +<% } %> + +# DTail special host +server "<%= $prefix %>dtail.dev" { + listen on * tls port 443 + tls { + certificate "/etc/ssl/<%= $prefix %>dtail.dev.fullchain.pem" + key "/etc/ssl/private/<%= $prefix %>dtail.dev.key" + } + location * { + block return 302 "https://github.dtail.dev$REQUEST_URI" + } +} + +# Irregular Ninja special host +server "<%= $prefix %>irregular.ninja" { + listen on * tls port 443 + tls { + certificate "/etc/ssl/<%= $prefix %>irregular.ninja.fullchain.pem" + key "/etc/ssl/private/<%= $prefix %>irregular.ninja.key" + } + location * { + root "/htdocs/irregular.ninja" + directory auto index + } +} + +# buetow.org special host. +server "<%= $prefix %>buetow.org" { + listen on * tls port 443 + tls { + certificate "/etc/ssl/<%= $prefix %>buetow.org.fullchain.pem" + key "/etc/ssl/private/<%= $prefix %>buetow.org.key" + } + block return 302 "https://paul.buetow.org" +} + +server "<%= $prefix %>paul.buetow.org" { + listen on * tls port 443 + tls { + certificate "/etc/ssl/<%= $prefix %>paul.buetow.org.fullchain.pem" + key "/etc/ssl/private/<%= $prefix %>paul.buetow.org.key" + } + block return 302 "https://foo.zone/contact-information.html" +} + +server "<%= $prefix %>tmp.buetow.org" { + listen on * tls port 443 + tls { + certificate "/etc/ssl/<%= $prefix %>tmp.buetow.org.fullchain.pem" + key "/etc/ssl/private/<%= $prefix %>tmp.buetow.org.key" + } + root "/htdocs/buetow.org/tmp" + directory auto index +} +</pre><br /> +<p>and this the <span class="inlinecode">relayd.conf.tpl</span>:</p> +<pre> +<% + our $primary = $is_primary->($vio0_ip); + our $prefix = $primary ? '' : 'www.'; +%> + +log connection + +tcp protocol "gemini" { + tls keypair <%= $prefix %>foo.zone + tls keypair <%= $prefix %>buetow.org +} + +relay "gemini4" { + listen on <%= $vio0_ip %> port 1965 tls + protocol "gemini" + forward to 127.0.0.1 port 11965 +} + +relay "gemini6" { + listen on <%= $ipv6address->($hostname) %> port 1965 tls + protocol "gemini" + forward to 127.0.0.1 port 11965 +} +</pre><br /> +<p>And last but not least, this is the <span class="inlinecode">smtpd.conf.tpl</span>:</p> +<pre> +<% + our $primary = $is_primary->($vio0_ip); + our $prefix = $primary ? '' : 'www.'; +%> + +pki "buetow_org_tls" cert "/etc/ssl/<%= $prefix %>buetow.org.fullchain.pem" +pki "buetow_org_tls" key "/etc/ssl/private/<%= $prefix %>buetow.org.key" + +table aliases file:/etc/mail/aliases +table virtualdomains file:/etc/mail/virtualdomains +table virtualusers file:/etc/mail/virtualusers + +listen on socket +listen on all tls pki "buetow_org_tls" hostname "<%= $prefix %>buetow.org" +#listen on all + +action localmail mbox alias <aliases> +action receive mbox virtual <virtualusers> +action outbound relay + +match from any for domain <virtualdomains> action receive +match from local for local action localmail +match from local for any action outbound +</pre><br /> +<h2>All pieces together</h2> +<p>For the full <span class="inlinecode">Rexfile</span> example and all the templates, please look at the Git repository:</p> +<a class="textlink" href="https://codeberg.org/snonux/rexfiles">https://codeberg.org/snonux/rexfiles</a><br /> +<p>Besides of ACME, also other things, such as DNS server, are rexified too. The following command will run all the Rex tasks and configure everything on my frontend machines automatically:</p> +<pre> +rex commons +</pre><br /> +<p>The <span class="inlinecode">commons</span> is a group of task I specified which combines a set of common tasks I always want to execute on all frontend machines. This also includes the ACME tasks mentioned in this article!</p> +<h2>Conclusion</h2> +<p>ACME and Let's Encrypt greatly help reducing recurring manual maintenance work (creating and renewing certificates). Furthermore, all the certificates are free of costs! I love to use OpenBSD and Rex to automate all of this.</p> +<p>OpenBSD suits perfectly here as all the tools are already part of the base installation. Rex is not as powerful and popular as other configuration management systems (e.g. Puppet, Chef, SALT or even Ansible). It is more of an underdog and the community is small. But I like underdogs.</p> +<p>I love the fact that a <span class="inlinecode">Rexfile</span> is just a Perl DSL. Why re-inventing the wheel? Also, OpenBSD comes with Perl in the base system. So no new programming language had to be added to my mix for the configuration management system. Also, the <span class="inlinecode">acme.sh</span> shell script is not a Bash but a standard Bourne shell script so that I didn't have to install yet another shell.</p> +<p>E-Mail me your comments to paul at buetow dot org!</p> + </div> + </content> + </entry> + <entry> <title>Sweating the small stuff - Tiny projects of mine</title> <link href="gemini://foo.zone/gemfeed/2022-06-15-sweating-the-small-stuff.gmi" /> <id>gemini://foo.zone/gemfeed/2022-06-15-sweating-the-small-stuff.gmi</id> - <updated>2022-06-15T08:47:44+01:00</updated> + <updated>2022-06-15T10:31:11+01:00</updated> <author> - <name>Paul Buetow</name> + <name>Paul C. Buetow</name> <email>comments@mx.buetow.org</email> </author> <summary>This blog post is a bit different from the others. It consists of multiple but smaller projects worth mentioning. I got inspired by Julia Evan's 'Tiny programs' blog post and the side projects of The Sephist, so I thought I would also write a blog posts listing a couple of small projects of mine:. .....to read on please visit my site.</summary> @@ -251,9 +858,9 @@ v = 008 [v = p*c*(s != c ? 2 : 1)] Total logical CPUs <title>Perl is still a great choice</title> <link href="gemini://foo.zone/gemfeed/2022-05-27-perl-is-still-a-great-choice.gmi" /> <id>gemini://foo.zone/gemfeed/2022-05-27-perl-is-still-a-great-choice.gmi</id> - <updated>2022-05-27T07:50:12+01:00</updated> + <updated>2022-05-27T10:31:12+01:00</updated> <author> - <name>Paul Buetow</name> + <name>Paul C. Buetow</name> <email>comments@mx.buetow.org</email> </author> <summary>Perl (the Practical Extraction and Report Language) is a battle-tested, mature, multi-paradigm dynamic programming language. Note that it's not called PERL, neither P.E.R.L. nor Pearl. 'Perl' is the name of the language and 'perl' the name of the interpreter or the interpreter command.. .....to read on please visit my site.</summary> @@ -352,9 +959,9 @@ v = 008 [v = p*c*(s != c ? 2 : 1)] Total logical CPUs <title>Creative universe</title> <link href="gemini://foo.zone/gemfeed/2022-04-10-creative-universe.gmi" /> <id>gemini://foo.zone/gemfeed/2022-04-10-creative-universe.gmi</id> - <updated>2022-04-10T10:09:11+01:00</updated> + <updated>2022-04-10T10:31:12+01:00</updated> <author> - <name>Paul Buetow</name> + <name>Paul C. Buetow</name> <email>comments@mx.buetow.org</email> </author> <summary>I have been participating in an annual work-internal project contest (we call it Pet Project contest) since I moved to London and switched jobs to my current employer. I am very happy to say that I won a 'silver' prize last week here 🎆. Over the last couple of years I have been a finalist in this contest six times and won some kind of prize five times. Some of my projects were also released as open source software. One had a magazine article published, and for another one I wrote an article on my employer's engineering blog. If you have followed all my posts on this blog (the one you are currently reading), then you have probably figured out what these projects were:. .....to read on please visit my site.</summary> @@ -459,9 +1066,9 @@ learn () { <title>The release of DTail 4.0.0</title> <link href="gemini://foo.zone/gemfeed/2022-03-06-the-release-of-dtail-4.0.0.gmi" /> <id>gemini://foo.zone/gemfeed/2022-03-06-the-release-of-dtail-4.0.0.gmi</id> - <updated>2022-03-06T18:11:39+00:00</updated> + <updated>2022-03-06T10:31:12+00:00</updated> <author> - <name>Paul Buetow</name> + <name>Paul C. Buetow</name> <email>comments@mx.buetow.org</email> </author> <summary>I have recently released DTail 4.0.0 and this blog post goes through all the new goodies. You can also read my previous post about DTail in case you wonder what DTail is:. .....to read on please visit my site.</summary> @@ -711,9 +1318,9 @@ exec /usr/local/bin/dtailhealth --server localhost:2222 <title>Computer operating systems I use(d)</title> <link href="gemini://foo.zone/gemfeed/2022-02-04-computer-operating-systems-i-use.gmi" /> <id>gemini://foo.zone/gemfeed/2022-02-04-computer-operating-systems-i-use.gmi</id> - <updated>2022-02-04T09:58:22+00:00</updated> + <updated>2022-02-04T10:31:13+00:00</updated> <author> - <name>Paul Buetow</name> + <name>Paul C. Buetow</name> <email>comments@mx.buetow.org</email> </author> <summary>This is a list of Operating Systems I currently use. This list is in no particular order and also will be updated over time. The very first operating system I used was MS-DOS (mainly for games) and the very first Unix like operating system I used was SuSE Linux 5.3. My first smartphone OS was Symbian on a clunky Sony Ericsson device.. .....to read on please visit my site.</summary> @@ -877,9 +1484,9 @@ GNU/kFreeBSD rhea.buetow.org 8.0-RELEASE-p5 FreeBSD 8.0-RELEASE-p5 #2: Sat Nov 2 <title>Welcome to the foo.zone</title> <link href="gemini://foo.zone/gemfeed/2022-01-23-welcome-to-the-foo.zone.gmi" /> <id>gemini://foo.zone/gemfeed/2022-01-23-welcome-to-the-foo.zone.gmi</id> - <updated>2022-01-23T16:42:04+00:00</updated> + <updated>2022-01-23T10:31:14+00:00</updated> <author> - <name>Paul Buetow</name> + <name>Paul C. Buetow</name> <email>comments@mx.buetow.org</email> </author> <summary>I don't count this as a real blog post, but more of an announcement (I aim to write one real post once monthly). From now on, 'foo.zone' is the new address of this site. All other addresses will still forward to it and eventually (based on the traffic still going through) will be deactivated.. .....to read on please visit my site.</summary> @@ -924,9 +1531,9 @@ GNU/kFreeBSD rhea.buetow.org 8.0-RELEASE-p5 FreeBSD 8.0-RELEASE-p5 #2: Sat Nov 2 <title>Bash Golf Part 2</title> <link href="gemini://foo.zone/gemfeed/2022-01-01-bash-golf-part-2.gmi" /> <id>gemini://foo.zone/gemfeed/2022-01-01-bash-golf-part-2.gmi</id> - <updated>2022-01-01T23:36:15+00:00</updated> + <updated>2022-01-01T10:31:14+00:00</updated> <author> - <name>Paul Buetow</name> + <name>Paul C. Buetow</name> <email>comments@mx.buetow.org</email> </author> <summary>This is the second blog post about my Bash Golf series. This series is random Bash tips, tricks and weirdnesses I came across. It's a collection of smaller articles I wrote in an older (in German language) blog, which I translated and refreshed with some new content.. .....to read on please visit my site.</summary> @@ -1336,12 +1943,12 @@ PAUL:X:1000:1000:PAUL BUETOW:/HOME/PAUL:/BIN/BASH <title>How to stay sane as a DevOps person </title> <link href="gemini://foo.zone/gemfeed/2021-12-26-how-to-stay-sane-as-a-devops-person.gmi" /> <id>gemini://foo.zone/gemfeed/2021-12-26-how-to-stay-sane-as-a-devops-person.gmi</id> - <updated>2021-12-26T12:02:02+00:00</updated> + <updated>2021-12-26T10:31:15+00:00</updated> <author> - <name>Paul Buetow</name> + <name>Paul C. Buetow</name> <email>comments@mx.buetow.org</email> </author> - <summary>Log4shell (CVE-2021-44228) made it clear, once again, that working in information technology is not an easy job (especially when you are a DevOps/SRE or a security engineer). I thought it would be interesting to summarize a few techniques to help you to relax.. .....to read on please visit my site.</summary> + <summary>Log4shell (CVE-2021-44228) made it clear, once again, that working in information technology is not an easy job (especially when you are a DevOps person). I thought it would be interesting to summarize a few techniques to help you to relax.. .....to read on please visit my site.</summary> <content type="xhtml"> <div xmlns="http://www.w3.org/1999/xhtml"> <h1>How to stay sane as a DevOps person </h1> @@ -1428,12 +2035,12 @@ PAUL:X:1000:1000:PAUL BUETOW:/HOME/PAUL:/BIN/BASH <title>Bash Golf Part 1</title> <link href="gemini://foo.zone/gemfeed/2021-11-29-bash-golf-part-1.gmi" /> <id>gemini://foo.zone/gemfeed/2021-11-29-bash-golf-part-1.gmi</id> - <updated>2021-11-29T14:06:14+00:00</updated> + <updated>2021-11-29T10:31:15+00:00</updated> <author> - <name>Paul Buetow</name> + <name>Paul C. Buetow</name> <email>comments@mx.buetow.org</email> </author> - <summary>This is the first blog post about my Bash Golf series. This series is random Bash tips, tricks and weirdnesses I came across. It's a collection of smaller articles I wrote in an older (in German language) blog, which I translated and refreshed with some new content.. .....to read on please visit my site.</summary> + <summary>This is the first blog post about my Bash Golf series. This series is about random Bash tips, tricks and weirdnesses I came across. It's a collection of smaller articles I wrote in an older (in German language) blog, which I translated and refreshed with some new content.. .....to read on please visit my site.</summary> <content type="xhtml"> <div xmlns="http://www.w3.org/1999/xhtml"> <h1>Bash Golf Part 1</h1> @@ -1811,9 +2418,9 @@ bash: line 1: 1/10.0 : syntax error: invalid arithmetic operator (error token is <title>Defensive DevOps</title> <link href="gemini://foo.zone/gemfeed/2021-10-22-defensive-devops.gmi" /> <id>gemini://foo.zone/gemfeed/2021-10-22-defensive-devops.gmi</id> - <updated>2021-10-22T10:02:46+03:00</updated> + <updated>2021-10-22T10:31:16+01:00</updated> <author> - <name>Paul Buetow</name> + <name>Paul C. Buetow</name> <email>comments@mx.buetow.org</email> </author> <summary>I have seen many different setups and infrastructures during my carreer. My roles always included front-line ad-hoc fire fighting production issues. This often involves identifying and fixing these under time pressure, without the comfort of 2-week-long SCRUM sprints and without an exhaustive QA process. I also wrote a lot of code (Bash, Ruby, Perl, Go, and a little Java), and I followed the typical software development process, but that did not always apply to critical production issues.. .....to read on please visit my site.</summary> @@ -1890,9 +2497,9 @@ bash: line 1: 1/10.0 : syntax error: invalid arithmetic operator (error token is <title>Keep it simple and stupid</title> <link href="gemini://foo.zone/gemfeed/2021-09-12-keep-it-simple-and-stupid.gmi" /> <id>gemini://foo.zone/gemfeed/2021-09-12-keep-it-simple-and-stupid.gmi</id> - <updated>2021-09-12T09:39:20+03:00</updated> + <updated>2021-09-12T10:31:16+01:00</updated> <author> - <name>Paul Buetow</name> + <name>Paul C. Buetow</name> <email>comments@mx.buetow.org</email> </author> <summary>A robust computer system must be kept simple and stupid (KISS). The fancier the system is, the more can break. Unfortunately, most systems tend to become complex and challenging to maintain in today's world. In the early days, so I was told, engineers understood every part of the system, but nowadays, we see more of the 'lasagna' stack. One layer or framework is built on top of another layer, and in the end, nobody has got a clue what's going on.. .....to read on please visit my site.</summary> @@ -1960,9 +2567,9 @@ bash: line 1: 1/10.0 : syntax error: invalid arithmetic operator (error token is <title>On being Pedantic about Open-Source</title> <link href="gemini://foo.zone/gemfeed/2021-08-01-on-being-pedantic-about-open-source.gmi" /> <id>gemini://foo.zone/gemfeed/2021-08-01-on-being-pedantic-about-open-source.gmi</id> - <updated>2021-08-01T10:37:58+03:00</updated> + <updated>2021-08-01T10:31:17+01:00</updated> <author> - <name>Paul Buetow</name> + <name>Paul C. Buetow</name> <email>comments@mx.buetow.org</email> </author> <summary>I believe that it is essential to always have free and open-source alternatives to any kind of closed-source proprietary software available to choose from. But there are a couple of points you need to take into consideration. . .....to read on please visit my site.</summary> @@ -2039,12 +2646,12 @@ bash: line 1: 1/10.0 : syntax error: invalid arithmetic operator (error token is <title>The Well-Grounded Rubyist</title> <link href="gemini://foo.zone/gemfeed/2021-07-04-the-well-grounded-rubyist.gmi" /> <id>gemini://foo.zone/gemfeed/2021-07-04-the-well-grounded-rubyist.gmi</id> - <updated>2021-07-04T10:51:23+01:00</updated> + <updated>2021-07-04T10:31:17+01:00</updated> <author> - <name>Paul Buetow</name> + <name>Paul C. Buetow</name> <email>comments@mx.buetow.org</email> </author> - <summary>When I was a Linux System Administrator, I have been programming in Perl for years. I still maintain some personal Perl programming projects (e.g. Xerl, guprecords, Loadbars). After switching jobs a couple of years ago (becoming a Site Reliability Engineer), I found Ruby (and some Python) widely used there. As I wanted to do something new, I then decided to give Ruby a go for all medium-sized programming and scripting projects.. .....to read on please visit my site.</summary> + <summary>When I was a Linux System Administrator, I have been programming in Perl for years. I still maintain some personal Perl programming projects (e.g. Xerl, guprecords, Loadbars). After switching jobs a couple of years ago (becoming a Site Reliability Engineer), I found Ruby (and some Python) widely used there. As I wanted to do something new, I decided to give Ruby a go.. .....to read on please visit my site.</summary> <content type="xhtml"> <div xmlns="http://www.w3.org/1999/xhtml"> <h1>The Well-Grounded Rubyist</h1> @@ -2120,9 +2727,9 @@ Hello World <title>Gemtexter - One Bash script to rule it all</title> <link href="gemini://foo.zone/gemfeed/2021-06-05-gemtexter-one-bash-script-to-rule-it-all.gmi" /> <id>gemini://foo.zone/gemfeed/2021-06-05-gemtexter-one-bash-script-to-rule-it-all.gmi</id> - <updated>2021-06-05T19:03:32+01:00</updated> + <updated>2021-06-05T10:31:17+01:00</updated> <author> - <name>Paul Buetow</name> + <name>Paul C. Buetow</name> <email>comments@mx.buetow.org</email> </author> <summary>You might have read my previous blog post about entering the Geminispace, where I pointed out the benefits of having and maintaining an internet presence there. This whole site (the blog and all other pages) is composed in the Gemtext markup language. . .....to read on please visit my site.</summary> @@ -2259,12 +2866,12 @@ assert::equals "$(generate::make_link md "$gemtext")" \ <title>Personal Bash coding style guide</title> <link href="gemini://foo.zone/gemfeed/2021-05-16-personal-bash-coding-style-guide.gmi" /> <id>gemini://foo.zone/gemfeed/2021-05-16-personal-bash-coding-style-guide.gmi</id> - <updated>2021-05-16T14:51:57+01:00</updated> + <updated>2021-05-16T10:31:18+01:00</updated> <author> - <name>Paul Buetow</name> + <name>Paul C. Buetow</name> <email>comments@mx.buetow.org</email> </author> - <summary>Lately, I have been polishing and writing a lot of Bash code. Not that I never wrote a lot of Bash, but now as I also looked through the 'Google Shell Style Guide' I thought it is time to also write my own thoughts on that. I agree to that guide in most, but not in all points. . .....to read on please visit my site.</summary> + <summary>Lately, I have been polishing and writing a lot of Bash code. Not that I never wrote a lot of Bash, but now as I also looked through the Google Shell Style Guide, I thought it is time also to write my thoughts on that. I agree with that guide in most, but not in all points. . .....to read on please visit my site.</summary> <content type="xhtml"> <div xmlns="http://www.w3.org/1999/xhtml"> <h1>Personal Bash coding style guide</h1> @@ -2567,12 +3174,12 @@ fi <title>Welcome to the Geminispace</title> <link href="gemini://foo.zone/gemfeed/2021-04-24-welcome-to-the-geminispace.gmi" /> <id>gemini://foo.zone/gemfeed/2021-04-24-welcome-to-the-geminispace.gmi</id> - <updated>2021-04-24T19:28:41+01:00</updated> + <updated>2021-04-24T10:31:19+01:00</updated> <author> - <name>Paul Buetow</name> + <name>Paul C. Buetow</name> <email>comments@mx.buetow.org</email> </author> - <summary>Have you reached this article already via Gemini? You need a special client for that, web browsers such as Firefox, Chrome, Safari etc. don't support the Gemini protocol. The Gemini address of this site (or the address of this capsule as people say in Geminispace) is: ... to read on visit my site.</summary> + <summary>Have you reached this article already via Gemini? It requires a Gemini client; web browsers such as Firefox, Chrome, Safari, etc., don't support the Gemini protocol. The Gemini address of this site (or the address of this capsule as people say in Geminispace) is:. .....to read on please visit my site.</summary> <content type="xhtml"> <div xmlns="http://www.w3.org/1999/xhtml"> <h1>Welcome to the Geminispace</h1> @@ -2637,12 +3244,12 @@ fi <title>DTail - The distributed log tail program</title> <link href="gemini://foo.zone/gemfeed/2021-04-22-dtail-the-distributed-log-tail-program.gmi" /> <id>gemini://foo.zone/gemfeed/2021-04-22-dtail-the-distributed-log-tail-program.gmi</id> - <updated>2021-04-22T19:28:41+01:00</updated> + <updated>2021-04-22T10:31:19+01:00</updated> <author> - <name>Paul Buetow</name> + <name>Paul C. Buetow</name> <email>comments@mx.buetow.org</email> </author> - <summary>This article first appeared at the Mimecast Engineering Blog but I made it available here in my personal Gemini capsule too. ...to read on visit my site.</summary> + <summary>This article first appeared at the Mimecast Engineering Blog but I made it available here in my personal internet site too.. .....to read on please visit my site.</summary> <content type="xhtml"> <div xmlns="http://www.w3.org/1999/xhtml"> <h1>DTail - The distributed log tail program</h1> @@ -2718,9 +3325,9 @@ dtail –servers serverlist.txt –files ‘/var/log/*.log’ –regex ‘(?i:er <title>Realistic load testing with I/O Riot for Linux</title> <link href="gemini://foo.zone/gemfeed/2018-06-01-realistic-load-testing-with-ioriot-for-linux.gmi" /> <id>gemini://foo.zone/gemfeed/2018-06-01-realistic-load-testing-with-ioriot-for-linux.gmi</id> - <updated>2018-06-01T14:50:29+01:00</updated> + <updated>2018-06-01T10:31:19+01:00</updated> <author> - <name>Paul Buetow</name> + <name>Paul C. Buetow</name> <email>comments@mx.buetow.org</email> </author> <summary>This text first was published in the german IT-Administrator computer Magazine. 3 years have passed since and I decided to publish it on my blog too. . .....to read on please visit my site.</summary> @@ -2857,9 +3464,9 @@ Total time: 1213.00s <title>Object oriented programming with ANSI C</title> <link href="gemini://foo.zone/gemfeed/2016-11-20-object-oriented-programming-with-ansi-c.gmi" /> <id>gemini://foo.zone/gemfeed/2016-11-20-object-oriented-programming-with-ansi-c.gmi</id> - <updated>2016-11-20T22:10:57+00:00</updated> + <updated>2016-11-20T10:31:20+00:00</updated> <author> - <name>Paul Buetow</name> + <name>Paul C. Buetow</name> <email>comments@mx.buetow.org</email> </author> <summary>You can do a little of object-oriented programming in the C Programming Language. However, that is, in my humble opinion, limited. It's easier to use a different programming language than C for OOP. But still it's an interesting exercise to try using C for this.. .....to read on please visit my site.</summary> @@ -2949,12 +3556,12 @@ mult.calculate(mult,a,b)); <title>Spinning up my own authoritative DNS servers</title> <link href="gemini://foo.zone/gemfeed/2016-05-22-spinning-up-my-own-authoritative-dns-servers.gmi" /> <id>gemini://foo.zone/gemfeed/2016-05-22-spinning-up-my-own-authoritative-dns-servers.gmi</id> - <updated>2016-05-22T18:59:01+01:00</updated> + <updated>2016-05-22T10:31:20+01:00</updated> <author> - <name>Paul Buetow</name> + <name>Paul C. Buetow</name> <email>comments@mx.buetow.org</email> </author> - <summary>Finally, I had time to deploy my own authoritative DNS servers (master and slave) for my domains 'buetow.org' and 'buetow.zone'. My domain name provider is Schlund Technologies. They allow their customers to manually edit the DNS records (BIND files). And they also give you the opportunity to set your own authoritative DNS servers for your domains. From now I am making use of that option.. .....to read on please visit my site.</summary> + <summary>Finally, I had time to deploy my authoritative DNS servers (master and slave) for my domains 'buetow.org' and 'buetow.zone'. My domain name provider is Schlund Technologies. They allow their customers to edit the DNS records (BIND files) manually. And they also allow you to set your authoritative DNS servers for your domains. From now, I am making use of that option.. .....to read on please visit my site.</summary> <content type="xhtml"> <div xmlns="http://www.w3.org/1999/xhtml"> <h1>Spinning up my own authoritative DNS servers</h1> @@ -3174,12 +3781,12 @@ apply Service "dig6" { <title>Offsite backup with ZFS (Part 2)</title> <link href="gemini://foo.zone/gemfeed/2016-04-16-offsite-backup-with-zfs-part2.gmi" /> <id>gemini://foo.zone/gemfeed/2016-04-16-offsite-backup-with-zfs-part2.gmi</id> - <updated>2016-04-16T22:43:42+01:00</updated> + <updated>2016-04-16T10:31:20+01:00</updated> <author> - <name>Paul Buetow</name> + <name>Paul C. Buetow</name> <email>comments@mx.buetow.org</email> </author> - <summary>I enhanced the procedure a bit. From now on I am having two external 2TB USB hard drives. Both are setup exactly the same way. To decrease the probability that they will not fail at about the same time both drives are of different brands. One drive is kept at the secret location. The other one is kept at home right next to my HP MicroServer. ...to read on visit my site.</summary> + <summary>I enhanced the procedure a bit. From now on, I have two external 2TB USB hard drives. Both are set up precisely the same way. To decrease the probability that both drives will not fail simultaneously, they are of different brands. One drive is kept at a secret location. The other one is held at home, right next to my HP MicroServer.. .....to read on please visit my site.</summary> <content type="xhtml"> <div xmlns="http://www.w3.org/1999/xhtml"> <h1>Offsite backup with ZFS (Part 2)</h1> @@ -3211,9 +3818,9 @@ apply Service "dig6" { <title>Jails and ZFS with Puppet on FreeBSD</title> <link href="gemini://foo.zone/gemfeed/2016-04-09-jails-and-zfs-on-freebsd-with-puppet.gmi" /> <id>gemini://foo.zone/gemfeed/2016-04-09-jails-and-zfs-on-freebsd-with-puppet.gmi</id> - <updated>2016-04-09T18:29:47+01:00</updated> + <updated>2016-04-09T10:31:20+01:00</updated> <author> - <name>Paul Buetow</name> + <name>Paul C. Buetow</name> <email>comments@mx.buetow.org</email> </author> <summary>Over the last couple of years I wrote quite a few Puppet modules in order to manage my personal server infrastructure. One of them manages FreeBSD Jails and another one ZFS file systems. I thought I would give a brief overview in how it looks and feels.. .....to read on please visit my site.</summary> @@ -3590,12 +4197,12 @@ Notice: Finished catalog run in 206.09 seconds <title>Offsite backup with ZFS</title> <link href="gemini://foo.zone/gemfeed/2016-04-03-offsite-backup-with-zfs.gmi" /> <id>gemini://foo.zone/gemfeed/2016-04-03-offsite-backup-with-zfs.gmi</id> - <updated>2016-04-03T22:43:42+01:00</updated> + <updated>2016-04-03T10:31:21+01:00</updated> <author> - <name>Paul Buetow</name> + <name>Paul C. Buetow</name> <email>comments@mx.buetow.org</email> </author> - <summary>When it comes to data storage and potential data loss I am a paranoid person. It is not just due to my job but also due to a personal experience I encountered over 10 years ago: A single drive failure and loss of all my data (pictures, music, ....). ...to read on visit my site.</summary> + <summary>When it comes to data storage and potential data loss, I am a paranoid person. It is due to my job and a personal experience I encountered over ten years ago: A single drive failure and loss of all my data (pictures, music, etc.).. .....to read on please visit my site.</summary> <content type="xhtml"> <div xmlns="http://www.w3.org/1999/xhtml"> <h1>Offsite backup with ZFS</h1> @@ -3633,12 +4240,12 @@ Notice: Finished catalog run in 206.09 seconds <title>Run Debian on your phone with Debroid</title> <link href="gemini://foo.zone/gemfeed/2015-12-05-run-debian-on-your-phone-with-debroid.gmi" /> <id>gemini://foo.zone/gemfeed/2015-12-05-run-debian-on-your-phone-with-debroid.gmi</id> - <updated>2015-12-05T16:12:57+00:00</updated> + <updated>2015-12-05T10:31:21+00:00</updated> <author> - <name>Paul Buetow</name> + <name>Paul C. Buetow</name> <email>comments@mx.buetow.org</email> </author> - <summary>You can use the following tutorial to install a full blown Debian GNU/Linux Chroot on a LG G3 D855 CyanogenMod 13 (Android 6). First of all you need to have root permissions on your phone and you also need to have the developer mode activated. The following steps have been tested on Linux (Fedora 23). .....to read on please visit my site.</summary> + <summary>You can use the following tutorial to install a full-blown Debian GNU/Linux Chroot on an LG G3 D855 CyanogenMod 13 (Android 6). First of all, you need to have root permissions on your phone, and you also need to have the developer mode activated. The following steps have been tested on Linux (Fedora 23).. .....to read on please visit my site.</summary> <content type="xhtml"> <div xmlns="http://www.w3.org/1999/xhtml"> <h1>Run Debian on your phone with Debroid</h1> @@ -3794,15 +4401,15 @@ exit </content> </entry> <entry> - <title>The fibonacci.pl.c Polyglot</title> + <title>The fibonacci.pl.raku.c Polyglot</title> <link href="gemini://foo.zone/gemfeed/2014-03-24-the-fibonacci.pl.c-polyglot.gmi" /> <id>gemini://foo.zone/gemfeed/2014-03-24-the-fibonacci.pl.c-polyglot.gmi</id> - <updated>2014-03-24T21:32:53+00:00</updated> + <updated>2014-03-24T10:31:22+00:00</updated> <author> - <name>Paul Buetow</name> + <name>Paul C. Buetow</name> <email>comments@mx.buetow.org</email> </author> - <summary>In computing, a polyglot is a computer program or script written in a valid form of multiple programming languages, which performs the same operations or output independent of the programming language used to compile or interpret it. .....to read on please visit my site.</summary> + <summary>In computing, a polyglot is a computer program or script written in a valid form of multiple programming languages, which performs the same operations or output independent of the programming language used to compile or interpret it.. .....to read on please visit my site.</summary> <content type="xhtml"> <div xmlns="http://www.w3.org/1999/xhtml"> <h1>The fibonacci.pl.raku.c Polyglot</h1> @@ -3939,12 +4546,12 @@ fib(10) = 55 <title>Perl Daemon (Service Framework)</title> <link href="gemini://foo.zone/gemfeed/2011-05-07-perl-daemon-service-framework.gmi" /> <id>gemini://foo.zone/gemfeed/2011-05-07-perl-daemon-service-framework.gmi</id> - <updated>2011-05-07T22:26:02+01:00</updated> + <updated>2011-05-07T10:31:22+01:00</updated> <author> - <name>Paul Buetow</name> + <name>Paul C. Buetow</name> <email>comments@mx.buetow.org</email> </author> - <summary>PerlDaemon is a minimal daemon for Linux and other Unix like operating systems programmed in Perl. It is a minimal but pretty functional and fairly generic service framework. This means that it does not do anything useful other than providing a framework for starting, stopping, configuring and logging. In order to do something a module (written in Perl) bust be provided.. .....to read on please visit my site.</summary> + <summary>PerlDaemon is a minimal daemon for Linux and other Unix like operating systems programmed in Perl. It is a minimal but pretty functional and fairly generic service framework. This means that it does not do anything useful other than providing a framework for starting, stopping, configuring and logging. To do something useful, a module (written in Perl) must be provided.. .....to read on please visit my site.</summary> <content type="xhtml"> <div xmlns="http://www.w3.org/1999/xhtml"> <h1>Perl Daemon (Service Framework)</h1> @@ -4085,12 +4692,12 @@ sub do ($) { <title>The Fype Programming Language</title> <link href="gemini://foo.zone/gemfeed/2010-05-09-the-fype-programming-language.gmi" /> <id>gemini://foo.zone/gemfeed/2010-05-09-the-fype-programming-language.gmi</id> - <updated>2010-05-09T12:48:29+01:00</updated> + <updated>2010-05-09T10:31:22+01:00</updated> <author> - <name>Paul Buetow</name> + <name>Paul C. Buetow</name> <email>comments@mx.buetow.org</email> </author> - <summary>Fype is an interpreted programming language created by me for learning and fun. The interpreter is written in C. It has been tested on FreeBSD and NetBSD and may also work on other Unix like operating systems such as Linux based ones. To be honest, besides learning and fun there is really no other use case of why Fype actually exists as many other programming languages are much faster and more powerful.. .....to read on please visit my site.</summary> + <summary>Fype is an interpreted programming language created by me for learning and fun. The interpreter is written in C. It has been tested on FreeBSD and NetBSD and may also work on other Unix like operating systems such as Linux based ones. Besides learning and fun, there is no other use case of why Fype exists as many other programming languages are much faster and more powerful.. .....to read on please visit my site.</summary> <content type="xhtml"> <div xmlns="http://www.w3.org/1999/xhtml"> <h1>The Fype Programming Language</h1> @@ -4500,12 +5107,12 @@ BB <title>Lazy Evaluation with Standard ML</title> <link href="gemini://foo.zone/gemfeed/2010-05-07-lazy-evaluation-with-standarn-ml.gmi" /> <id>gemini://foo.zone/gemfeed/2010-05-07-lazy-evaluation-with-standarn-ml.gmi</id> - <updated>2010-05-07T08:17:59+01:00</updated> + <updated>2010-05-07T10:31:23+01:00</updated> <author> - <name>Paul Buetow</name> + <name>Paul C. Buetow</name> <email>comments@mx.buetow.org</email> </author> - <summary>In contrast to Haskell, Standard SML does not use lazy evaluation by default, but strict evaluation. . .....to read on please visit my site.</summary> + <summary>In contrast to Haskell, Standard SML does not use lazy evaluation by default but an eager evaluation. . .....to read on please visit my site.</summary> <content type="xhtml"> <div xmlns="http://www.w3.org/1999/xhtml"> <h1>Lazy Evaluation with Standard ML</h1> @@ -4600,12 +5207,12 @@ first 10 nat_pairs_not_null <title>Standard ML and Haskell</title> <link href="gemini://foo.zone/gemfeed/2010-04-09-standard-ml-and-haskell.gmi" /> <id>gemini://foo.zone/gemfeed/2010-04-09-standard-ml-and-haskell.gmi</id> - <updated>2010-04-09T22:57:36+01:00</updated> + <updated>2010-04-09T10:31:24+01:00</updated> <author> - <name>Paul Buetow</name> + <name>Paul C. Buetow</name> <email>comments@mx.buetow.org</email> </author> - <summary>I am currently looking into the functional programming language Standard ML (aka SML). The purpose is to refresh my functional programming skills and to learn something new too. Since I already know a little Haskell, could I do not help myself and I implemented the same exercises in Haskell too.. .....to read on please visit my site.</summary> + <summary>I am currently looking into the functional programming language Standard ML (aka SML). The purpose is to refresh my functional programming skills and to learn something new too. Since I already knew a little Haskell, I could not help myself, and I also implemented the same exercises in Haskell.. .....to read on please visit my site.</summary> <content type="xhtml"> <div xmlns="http://www.w3.org/1999/xhtml"> <h1>Standard ML and Haskell</h1> @@ -4754,12 +5361,12 @@ my_filter f l = foldr (make_filter_fn f) [] l <title>Using my Nokia N95 for fixing my MTA</title> <link href="gemini://foo.zone/gemfeed/2008-12-29-using-my-nokia-n95-for-fixing-my-mta.gmi" /> <id>gemini://foo.zone/gemfeed/2008-12-29-using-my-nokia-n95-for-fixing-my-mta.gmi</id> - <updated>2008-12-29T09:10:41+00:00</updated> + <updated>2008-12-29T10:31:24+00:00</updated> <author> - <name>Paul Buetow</name> + <name>Paul C. Buetow</name> <email>comments@mx.buetow.org</email> </author> - <summary>The last week I was in Vidin, Bulgaria with no internet access and I had to fix my MTA (Postfix) at. .....to read on please visit my site.</summary> + <summary>The last week I was in Vidin, Bulgaria with no internet access and I had to fix my MTA (Postfix) at host.0.buetow.org which serves E-Mail for all my customers at P. B. Labs. Good, that I do not guarantee high availability on my web services (I've to do a full time job somewhere else too). . .....to read on please visit my site.</summary> <content type="xhtml"> <div xmlns="http://www.w3.org/1999/xhtml"> <h1>Using my Nokia N95 for fixing my MTA</h1> @@ -4800,12 +5407,12 @@ _jgs_\|//_\\|///_\V/_\|//__ <title>Perl Poetry</title> <link href="gemini://foo.zone/gemfeed/2008-06-26-perl-poetry.gmi" /> <id>gemini://foo.zone/gemfeed/2008-06-26-perl-poetry.gmi</id> - <updated>2008-06-26T21:43:51+01:00</updated> + <updated>2008-06-26T10:31:24+01:00</updated> <author> - <name>Paul Buetow</name> + <name>Paul C. Buetow</name> <email>comments@mx.buetow.org</email> </author> - <summary>Here are some Perl Poems I wrote. They don't do anything useful when you run them but they don't produce a compiler error either. They only exists for fun and demonstrate what you can do with Perl syntax.. .....to read on please visit my site.</summary> + <summary>Here are some Perl Poems I wrote. They don't do anything useful when you run them, but they don't produce a compiler error either. They only exist for fun and demonstrate what you can do with Perl syntax.. .....to read on please visit my site.</summary> <content type="xhtml"> <div xmlns="http://www.w3.org/1999/xhtml"> <h1>Perl Poetry</h1> diff --git a/gemfeed/index.gmi b/gemfeed/index.gmi index d73b35ad..2a7aa6e2 100644 --- a/gemfeed/index.gmi +++ b/gemfeed/index.gmi @@ -2,6 +2,7 @@ ## To be in the .zone! +=> ./2022-07-30-lets-encrypt-with-openbsd-and-rex.gmi 2022-07-30 - Let's Encrypt with OpenBSD and Rex => ./2022-06-15-sweating-the-small-stuff.gmi 2022-06-15 - Sweating the small stuff - Tiny projects of mine => ./2022-05-27-perl-is-still-a-great-choice.gmi 2022-05-27 - Perl is still a great choice => ./2022-04-10-creative-universe.gmi 2022-04-10 - Creative universe |