• 1 Post
  • 107 Comments
Joined 1 year ago
cake
Cake day: July 21st, 2023

help-circle







  • Maybe not. But that was before he was president for four years - fuck, it’s still crazy to think that happened - and really forced people to acknowledge that yeah, he is a pathological liar who doesn’t give a shit about the country.

    A lot of people still suck on the tit. But a lot of others recognise that the hot pain comes from getting burned.

    You had all the tea party nutters for years - but none of them became president.





  • No! Bad dev! No biscuit!

    Never merge master into a feature branch. It’s called a “wrong-way” merge and it makes the history fucking awful.

    You shit in the face of project maintainers when you do this.

    You may not care, in fact many don’t. Also people buy timeshares, read celebrity gossip magazines, and vote for scumbags. They are fucking idiots who don’t know what they are doing. So are people who leave wrong-way merges in shared history.

    In fact, wrong-way mergers are worse, because you can’t just ignore them - git blame rubs your face in their shit, so they shit in your face forever.

    Just don’t fucking do it, OK? Or I will hit you in the throat with a cricket bat soaked in wasps. As a first warning.


  • If I were a democrat pol, I’d want to keep Gaetz, and Trump, and all the nut jobs.

    They are loved by their base and horrible to work with in the houses, but they are electorally toxic.

    Prediction for your next presidential election: Trump will still be on trial on federal charges, he will be the nominee anyway, and he will lose badly. DeSantis will bite chunks out of him. Bullish on popcorn.

    Or Trump bites chunks out of whoever they do nominate. The party either gets moderate votes, or Trump votes, or DeSantis votes, but not all three.




  • Implementation of VPN’d torrent client

    This is how I torrent over Mullvad. I have no hesitation to recommend Mullvad - but I am not a crypto or security expert.

    The main image fails closed - if the VPN goes down, transmission disconnects.

    This setup also includes a SOCKS server that proxies your traffic over the same VPN. I use a separate browser (librewolf) and set the SOCKS proxy to :2020 including sending DNS over SOCKS. That’s because my country blocks piracy-related sites at the DNS level. If you don’t need this, you can delete the socks section of the docker-compose file.

    On my ubuntu laptop, I install transmission-remote-gtk in order to click on a magnet link and have it added. Otherwise you have to browse to the container’s web interface, which gets tiresome.

    I have this installed as a systemd service so it runs on boot. I use the systemd state and credential features as a safeguard against my own mistakes with permissions, but my long-term goal is to encrypt these files on disk. Linux can be pwned - I have read that around 35% of botnet nodes are linux (although these are presumably mostly weak IoT devices). The secondary benefit of the LoadCredential/CREDENTIALS_DIRECTORY mechanism is that it doesn’t expose secrets as environment variables.

    The p2p.service file needs to be in that path, but you can put the other files wherever you want.

    Known issues / todo list

    • The socks proxy sometimes falls over, I haven’t looked into why
    • The downloaded files will be owned by root, since that’s what the container runs as

    File contents

    /root/.secrets/mullvad:

    123456789
    ""
    

    For mullvad, there is no password, only an account number. I believe that the empty quotes are necessary. This file should be owned by root and chmod 600; containing dir should be 700. Replace the account number with your own account, obvs!

    /etc/systemd/system/p2p.service:

    [Unit]
    Description=p2p
    Requires=docker.service multi-user.target
    After=docker.service network-online.target dhcpd.service
    
    [Service]
    Restart=always
    RemainAfterExit=yes
    WorkingDirectory=/usr/local/bin/p2p
    ExecStart=docker compose up --remove-orphans
    ExecStop=docker compose down
    LoadCredential=mullvad:/root/.secrets/mullvad
    DynamicUser=yes
    SupplementaryGroups=docker
    StateDirectory=p2p
    StateDirectoryMode=700
    
    [Install]
    WantedBy=multi-user.target
    

    /usr/local/bin/p2p/docker-compose.yml:

    ---
    version: "3.7"
    
    services:
      p2p:
        restart: always
        container_name: p2p
        image: haugene/transmission-openvpn   # see also: https://www.nickkjolsing.com/posts/dockermullvadvpn/
        cap_add:
          - NET_ADMIN
        sysctls:
          - "net.ipv6.conf.all.disable_ipv6=0"  # ipv6 must be enabled for Mullvad to work
        volumes:
          - ${STATE_DIRECTORY:-./config/}:/config   # dir managed by systemd - but defaults to ./config if running interactively
          - ${CREDENTIALS_DIRECTORY:-.}/mullvad:/config/openvpn-credentials.txt:ro  # var populated by LoadCredential - but defaults to ./mullvad if running interactively
          - transmission:/data
          - transmission_incomplete:/data/incomplete
          - /my/directory/Downloads:/data/completed
        environment:
          - OPENVPN_PROVIDER=MULLVAD
          - OPENVPN_CONFIG=se_all  # sweden
          - LOCAL_NETWORK=192.168.1.0/24    # put your own LAN network here - in most cases it should end in .0/24
          - TRANSMISSION_WEB_UI=flood-for-transmission  # optional
        ports:
          - 9091:9091
          - 80:9091
          - 2020:2020
    
      socks:
        restart: always
        container_name: socks
        image: lthn/dante
        network_mode: "service:p2p"
        volumes:
          - ./sockd.conf:/etc/sockd.conf
        depends_on:
          - p2p
    
    volumes:
      transmission:
        external: false
      transmission_completed:
        external: false
      transmission_incomplete:
        external: false
    

    /usr/local/bin/p2p/sockd.conf:

    logoutput: stderr
    # debug: 2
    internal: 0.0.0.0 port = 2020
    external: tun0
    external.rotation: route
    
    clientmethod: none
    socksmethod: username none
    
    user.privileged: root
    user.notprivileged: nobody
    user.unprivileged: sockd
    
    # Allow everyone to connect to this server.
    client pass {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        log: connect error  # disconnect
    }
    
    # Allow all operations for connected clients on this server.
    socks pass {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        command: bind connect udpassociate
        log: error  # connect disconnect iooperation
        #socksmethod: username
    }
    # Allow all inbound packets.
    socks pass {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        command: bindreply udpreply
        log: error  # connect disconnect iooperation
    }
    

    Steps

    1. Install docker and docker-compose, e.g. with sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
    2. Create the files with contents as above
    3. sudo systemctl enable p2p
    4. sudo systemctl start p2p
    5. Check what it’s doing: systemctl status p2p
    6. On first start, it will take a few minutes to pull the images
    7. To debug interactively while also passing the creds, use sudo systemd-run -P --wait -p LoadCredential=mullvad:/root/.secrets/mullvad docker compose up --remove-orphans
    8. Every so often, cd into /usr/local/bin/p2p and run docker compose pull to update the images.