Thefoggiest.dev

“Why yes, I do have the foggiest”


Homebrew blogging engine

April 16, 2024

"When you want to bake an apple pie from scratch, you have to invent the universe first" (Carl Sagan)

Perhaps you've noticed, but this blog won't greet you with a cookie warning anymore, because it doesn't use cookies anymore. There is also no need for you to spin up your browser's JavaScript engine, because this site is 100% pure html plus css. Everything here is cooked server side and served to you perfectly statically.

under construction banner

The reason is simple. I've ditched WordPress and built my own platform instead, which was surprisingly easy. The result is that I have much more control and it uses less electricity, both at my end and at yours. To compare, for me, this page takes 217 ms to load on this site, while its counterpart on my old WP site took 849 ms, and that one didn't even have the picture. That is a good difference and one I'm very happy with.

Git and JSON

Of course, my own code allows me to use all my own favourite tools. I'm using git for version control on the content. That's good, because I noticed that I tend to write posts ahead, so I can read them again a week or so later and make a few corrections that I didn't see I needed earlier.

It also means this site will be perpetually under construction, as it should be. Right now, there's no search, you can't click on category or tag names, and webmention and pingbacks don't work yet. It won't need spam protection, because all it does is show static content. Also, you might need to re-subscribe to the RSS feed. Sorry for that.

I have a git hook set up on my server that will push the file to the right folder. Posts are in fact HTML files with a JSON header, like this:

{
	"title": "Homebrew blogging engine",
	"date": "2024-04-16",
	"categories": ["blog"],
	"tags": ["python", "css", "code"],
	"summary": "Introducing my new blogging engine!"
}
<article>
<p>content</p>
</article>

The metadata allows me to create the archives and categories on the left and sort them by date. It also allows me to push files to the server before their publication date.
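
A sketch of how such a file can be split and scheduled, added here as an example and not the engine's actual code. The function names and sample posts are constructed; the header key is accepted as either "date" or "published", the two spellings shown on this page.

```python
import json
from datetime import date

def parse_post(text):
    """Split one post file into (metadata dict, HTML body)."""
    text = text.lstrip()
    # raw_decode parses exactly one JSON value and returns the offset
    # where it ended, so the HTML that follows never reaches the parser.
    meta, end = json.JSONDecoder().raw_decode(text)
    if not isinstance(meta, dict):
        raise ValueError("post header must be a JSON object")
    raw = meta.get("date") or meta.get("published")
    if not isinstance(raw, str):
        raise ValueError("header needs a 'date' or 'published' string")
    meta["date"] = date.fromisoformat(raw)  # rejects malformed dates
    return meta, text[end:].lstrip()

def visible_posts(files, today):
    """Parse all files, hide future-dated posts, return newest first."""
    posts = [parse_post(f) for f in files]
    live = [p for p in posts if p[0]["date"] <= today]
    return sorted(live, key=lambda p: p[0]["date"], reverse=True)

def category_index(posts):
    """Map each category name to the titles filed under it."""
    index = {}
    for meta, _body in posts:
        for cat in meta.get("categories", []):
            index.setdefault(cat, []).append(meta["title"])
    return index

# Constructed sample files (categories and the scheduled post are made up).
LIVE = """
{"title": "Homebrew blogging engine", "date": "2024-04-16",
 "categories": ["blog"]}
<article>
<p>content</p>
</article>
"""
OLDER = """{"title": "2FA without a phone", "published": "2024-04-11",
 "categories": ["security"]}
<article><p>content</p></article>"""
SCHEDULED = """{"title": "Not yet", "date": "2024-05-01", "categories": ["blog"]}
<article><p>draft</p></article>"""

if __name__ == "__main__":
    for meta, _ in visible_posts([OLDER, SCHEDULED, LIVE], date(2024, 4, 16)):
        print(meta["date"], meta["title"])
```
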

Zen

I've been using WordPress since I started blogging in 2006. This is because it seemed a good option back then and after my blogging hiatus of the last few years, it was easiest to restart by re-downloading WP, let it adjust the old database and then merrily go on blogging. But since that hiatus, cookie warnings became mandatory, on-site discussions stopped happening and comment spam therefore became 100% of my comments.

I've been looking at a dozen other solutions, among them Hugo, Poet and WriteFreely, and they fell, more or less, into two categories. On the one hand I found platforms focusing on SEO as much as WP and often just as bloated. And then there were those that were very minimalist and felt like a lot of work or didn't allow for pictures. In neither category did I find exactly what I wanted, mostly because nothing ever made me feel like I was in control. Minimalist is good and feels zen, but then I'd rather use my own code instead of having to pull in mesmerising amounts of node modules and go through some steep learning curve made up by someone else.

So I've created my own, from scratch. Well, not entirely from scratch, there was already a universe, python template libraries and everything in between. I made it look like my old WP theme for now, but I will probably change that.


Security for a more civilised age

April 15, 2024

The Universal Declaration of Human Rights is one of the international treaties declaring the right to freedom of movement. Since a passport is needed to move across borders, it can be seen as essential to exercise that right. My country, like many, if not all, of its neighbours, goes one step further and makes owning a passport effectively mandatory. I say effectively because what’s mandatory is that, when outside your home, you are mandated to have legal identifying documentation with you, which is either a driving licence or a passport. Since driving licences are only given to people who have gone through an expensive and time-consuming training, passports can be considered mandatory.

Passports are also expensive, which, combined with the previous observation, seems problematic. A passport for someone under eighteen years old costs €62,- in my town and will be valid for five years only. You also need to provide a passport photo yourself, which makes it even more expensive.

This is not what this post is about.

The fact that for any citizen in my country, passports are mandatory, means that all infants are criminalised. To be allowed to buy the right that is your passport, your newborn needs their picture taken by a professional photographer. To accomplish this, they need to go outside, at which point they are officially committing a crime. Should they be stopped by a police officer on their way to the photographer, they must be taken to the police station for further questioning.

This is also not what this post is about.

A few days ago, we noticed that our son’s passport was no longer valid, so we ordered a replacement passport for him. The procedure included downloading and printing a form so that we could sign it and mail it to the town hall, together with a new passport photo. Payment was also made online, and we were going to receive a notice when it would be available.

So far, so good.

Except we received a letter stating they couldn’t confirm my signature was, in fact, mine, so I needed to come over to town hall and make another attempt at signing. I needed to bring my son, and if I succeeded they would hand out the passport. So at the start of the day, I had to tell my team at work I was going to miss about an hour, depending on the line, that afternoon.

I call this an “attempt” because I suck at my own signature. This is partly because I mostly type and I don’t write on paper very often (this is a problem in itself, but also not what this post is about) so I do not get a lot of practice writing in a normal way. The only time I do get to use my signature, is when a package deliverer shoves his phone under my nose while handing me a stylus. And not an actual stylus, like my Palm TX had, but one of those thick clumsy pen-shaped things with some soft black dome at the tip.

A clumsy and random modern stylus

This, for me at least, counts as dispracticing my signature. What I draw there never remotely looks like what’s in my own passport. At first, I used to try at least, but I’ve given up on that. It’s impossible. And anyway, it’ll always be accepted.

An elegant stylus for a more civilized age

So while we were waiting in line at our town hall, and while I was explaining to my son why signatures are a ludicrously old-fashioned and highly insecure system anyway, I was nervously looking at the signature in my own passport trying to remember each curl and each angle, hoping to be able to get it right when we were called to the desk.

I failed. Miserably. The second time was marginally better, but my son wasn’t above pointing out my mistakes. Surprisingly, though, the friendly lady behind the desk decided to hand us the passport.

You see? I told my son, while we were walking toward the exit. I was right. Signatures are not a good system and should be replaced with something better.


Homebrew blogging engine

April 13, 2024

"When you want to bake an apple pie from scratch, you have to invent the universe first" (Carl Sagan)

Perhaps you've noticed, but this blog won't greet you with a cookie warning anymore, because it doesn't use cookies anymore. There is also no need for you to spin up your browser's JavaScript engine, because this site is 100% pure html plus css. Everything here is cooked server side and served to you perfectly statically.

The reason is simple. I've ditched WordPress and built my own platform instead, which was surprisingly easy. The result is that I have much more control and it uses less electricity, both at my end and at yours. To compare, for me, this page takes 48 ms to load on this site, while its counterpart on my old WP site took 849 ms, and that one didn't even have the picture. That is a significant difference and one I'm very happy with.

Git and JSON

Of course, my own code allows me to use all my own favourite tools. I'm using git for version control on the content. That's good, because I noticed that I tend to write lots of posts ahead, so I can read them again a week or so later and make a few corrections that I didn't see earlier. It also means this site will be perpetually under construction, as it should be. I have a git hook set up on my server that will push the file to the right folder. Posts are in fact html files with a json header, like this:

{
  "title": "Homebrew",
  "published": "2024-03-31",
  "categories": ["blog"],
  "tags": ["python", "css", "code"],
  "summary": "Introducing my new blogging engine!"
}
<article>
<p>content</p>
</article>

The metadata allows me to create the archives and categories on the left and sort them by date. It also allows me to push files to the server before their publication date.

Zen

I've been using WordPress since I started blogging in 2006. This is because it seemed a good option back then and after my blogging hiatus of the last few years, it was easiest to restart by re-downloading WP, let it adjust the old database and just merrily go on blogging. But since that hiatus, cookie warnings became mandatory, on-site discussions stopped happening and comment spam therefore became 100% of my comments.

I've been looking at a dozen other solutions, among them Hugo, Poet and WriteFreely, and they more or less fell into two categories. On the one hand I found platforms focusing on SEO as much as WP and often just as bloated. And then there were those that were very minimalist and felt like a lot of work or didn't allow for pictures. In neither category did I find exactly what I wanted, mostly because nothing ever made me feel like I was in control. Minimalist is good and feels zen, but then I'd rather use my own code instead of having to pull in a mesmerising amount of node modules and go through some steep learning curve made up by someone else.

So I've created my own, from scratch. Well, not entirely from scratch, there was already a universe, python libraries that respond to HTTP requests and everything in between. It won't have spam protection, because all it does is show content. I made it look like my old WP theme for now, but I might change that.

I'd love to hear your feedback.


2FA without a phone

April 11, 2024

I make it a point not to have my phone with me all the time, so it’s usually on a table somewhere else in the room or even in another room. The reason is, of course, that I don’t want to be disturbed by incoming notifications when I’m spending time with my family or reading a book. This also means that even when I’m on my laptop or a proper computer, I don’t always have my phone with me.

One problem, though, is when I need a time-based token for two-factor authentication (2FA) on some website. I find it annoying to have to get up from where I’m sitting and having to fetch my phone, unlock it and then get blasted with all the messages I was trying to avoid in the first place, distracting me from what I was about to do.

So I was looking for a 2FA app to use on my computer, and after dodging the usual suspects (seriously, why are you explaining to me what 2FA is when I specifically asked for a 2FA tool?), I found that my password manager of choice, gnu-pass, actually has a plugin that does that, called pass-otp.

On Arch:

$ sudo pacman -S pass-otp

Or on Alpine:

$ sudo apk add pass-otp

If you don’t use gnu-pass, there are also oathtool (cli) and Authenticator (gui).

But wait, doesn’t this defeat the whole purpose of 2FA? One idea behind 2FA is that you need a second device to authenticate. In essence, you know something (your password) and you have something (your phone). But if you think that, you’d also never use 2FA authentication on your phone itself, since you’d get both your password and your token from apps on your phone. Reasoned like that, using a tool like pass-otp on a computer increases your security because now you have a second device to get your token from when using your phone to authenticate with that website.

Anyway.

On my phone, I use Aegis. Aegis is an open source 2FA app for Android that is available in F-Droid, so you can even avoid the usual Google rootkit that you’d get when installing it via the Play Store. From Aegis, you can export all your keys. To be able to import them easily into pass-otp, I exported them as a plain unencrypted text file that I shared via Signal’s Note to Self. On my computer, I downloaded the file from the Signal client and opened it in a text editor.

$ pass otp insert -e path/to/web-service-otp
# paste the otpauth:// URI from the export file at the prompt

The above command will import a single token into the pass database, which is encrypted. Since I exported the data as a plain text file, I could just generate all the tokens by using each line from the export file. I gave the otp entries the same path and name as their corresponding password entries, with an added “-otp”. Afterward, I deleted the file both from Signal and my computer, and tried it out:

$ pass otp path/to/web-service-otp

Sure enough, it gave the same token as Aegis. The only downside is that fish tab completion doesn’t seem to work with pass-otp, but that can be worked around easily, since usually, I’d look for the password of that service first, and then I can just press up and add the otp argument to the pass command and the “-otp” suffix at the end. Only one thing left to do, really:

$ pass git push

CC-BY-SA 2006-2024 thefoggiest.dev