Apr 5, 2022 - RV Media Setup

Just some random notes about my RV network setup.

Parts in RV

  • UniFi airCube AC mini WiFi AP / Router
  • Netgear LTE 4G hotspot, with ethernet
  • Raspberry Pi 4, running Raspberry Pi OS
  • Apple TV
  • Antennas:
    • Netgear 6000450 MIMO Antenna
    • 11dBi High Gain 3G 4G/LTE Waterproof Fixed-Mount Panel Dual Polarized MIMO Antenna

At home

  • Synology NAS, running Channels
  • UniFi Security Gateway (USG)

The airCube and Netgear LTE hotspot are relatively straightforward to set up. I use an AT&T prepaid plan, which gets me 100Gb/month. It’s unfortunately not a ton of bandwidth, but we generally don’t run out, since we’re only up at the seasonal site on weekends and maybe an odd week or two during the summer.

I have two antenna options for my Netgear hotspot. There’s an external 11dBi antenna I mount on a pole, running the cables through the slide. This is really only used when we’re going to remote New Hampshire; otherwise the hotspot on its own or the mini window MIMO antenna Netgear sells works fine.

If you’d rather link up to the campground WiFi, you can buy something like the UniFi Nanostation Loco M5 and link your RV network to the campground’s WiFi.

At some point, I’ll have to think about moving to something that supports 5G, but the LTE speeds are fine for what we do.

Raspberry Pi Setup

My Raspberry Pi runs Raspberry Pi OS, headless. It mostly just acts as a VPN gateway for my Apple TV, which doesn’t support any VPN. I may have it do something else eventually, like hosting a local media server.

The VPN lets me access my Channels instance at home and stream live TV (HDHomeRun with CableCARD) or our media library. This generally works well enough that I haven’t found the need to, say, run something local.

Some software I installed

$ history | grep install
    5  apt install cockpit
   11  apt install podman
   14  apt install cockpit-podman cockpit-networkmanager
   16  apt install network-manager-l2tp
   58  apt install iptables-persistent

VPN Connection

To connect to my UniFi L2TP network at home, I set up the connection using nmcli:

$ nmcli c add con-name Home \
  type vpn \
  vpn-type l2tp \
  vpn.data 'gateway=<GATEWAY IP>, ipsec-enabled=yes, ipsec-psk=<PSK>, password-flags=0, user=<MY USER>' \
  vpn.secrets 'password=<MY SECRET PASSWORD>'

I then set up my Wired connection to always use the VPN (the UUIDs come from nmcli c):

$ nmcli c modify uuid 4d2d61c5-0da0-3fa4-a5bd-11f887e8610c +connection.secondaries 6020210e-4605-4c5a-afbd-a6bef4c24aae

iptables

Then configure iptables to forward traffic through the VPN:

# Generated by iptables-save v1.8.7 on Wed Apr  6 01:08:04 2022
*filter
:INPUT DROP [183:49914]
:FORWARD DROP [1886:122937]
:OUTPUT ACCEPT [316:38255]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p icmp -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o ppp0 -j ACCEPT
-A FORWARD -i ppp0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Wed Apr  6 01:08:04 2022
# Generated by iptables-save v1.8.7 on Wed Apr  6 01:08:04 2022
*nat
:PREROUTING ACCEPT [2056:170538]
:INPUT ACCEPT [2:148]
:OUTPUT ACCEPT [64:4711]
:POSTROUTING ACCEPT [64:4711]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Wed Apr  6 01:08:04 2022

Make sure IPv4 forwarding is on in /etc/sysctl.conf, and configure whatever devices you want to use your Pi as their gateway. I don’t make the Pi the default gateway for the whole network; instead I just set static networking on the Apple TV.
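Added example, not code from the original post: a small Python audit of an iptables-save dump that confirms the property the ruleset above relies on, namely that LAN traffic can only be forwarded out through ppp0, so nothing leaks around the tunnel while the VPN is down. The embedded ruleset is an abbreviated copy of the one above; the interface names eth0 and ppp0 are the post’s.

```python
import re
# Abbreviated copy of the post's ruleset, embedded here as sample input.
RV_RULES = """\
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth0 -o ppp0 -j ACCEPT
-A FORWARD -i ppp0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
"""

def parse_tables(dump):
    """Split an iptables-save dump into {table: {"policies": {...}, "rules": [...]}}."""
    tables, current = {}, None
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            current = tables.setdefault(line[1:], {"policies": {}, "rules": []})
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            current["policies"][chain] = policy
        elif line.startswith("-A"):
            current["rules"].append(line)
    return tables

def check_vpn_forwarding(dump, vpn_if="ppp0"):
    """Return findings; an empty list means forwarded traffic can only leave via vpn_if."""
    tables = parse_tables(dump)
    findings = []
    filt = tables.get("filter", {"policies": {}, "rules": []})
    if filt["policies"].get("FORWARD") != "DROP":
        findings.append("filter FORWARD policy is not DROP")
    for rule in filt["rules"]:
        if not rule.startswith("-A FORWARD ") or "-j ACCEPT" not in rule:
            continue
        out_if = re.search(r"(?:^|\s)-o (\S+)", rule)
        is_return = "--state RELATED,ESTABLISHED" in rule
        # New connections may leave only through the VPN interface.
        if not is_return and (out_if is None or out_if.group(1) != vpn_if):
            findings.append("FORWARD accepts new traffic outside the VPN: " + rule)
    for rule in tables.get("nat", {"rules": []})["rules"]:
        if "MASQUERADE" in rule and f"-o {vpn_if}" not in rule:
            findings.append("MASQUERADE on a non-VPN interface: " + rule)
    return findings
```

Run it against the output of iptables-save on the Pi after any rule change; a non-empty list means a path exists for Apple TV traffic to be forwarded (or NATed) onto something other than the tunnel.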

Sep 25, 2020 - Slack is Toxic

Do other people have conversations with their managers about how to have healthier relationships with tools like Slack, or is it just me? It can’t just be me. I’ve been thinking for a while about what frustrates me most about Slack and similar systems, and after more than a year of full-time use, I have some thoughts.

First, you are locked in to their client. Why can’t I use Pidgin or irssi without jumping through hoops? And even then, half the features don’t work.

There’s the oft-complained-about @here and @channel, for which you can only turn off notifications per channel. Usually people forget, and in large public channels you see a flurry of departures after someone uses one of those wide-distribution aliases for the first time.

Naked pings, or just saying hello, are disruptive as well. Then there’s behavior like looping others into threads that are hundreds of messages long with a simple “cc” or “FYI”. I’m calling those “naked FYIs.”

But those are just individual annoyances. There’s something more sinister about the premise of the entire product, intentional or not, that is harmful to individuals. One of Slack’s design decisions is that your user is always just there: waiting to get a message, or magicked into a new channel with a simple ping. You can never just not be there.

Did you ever use AOL Instant Messenger? Offline messages were not possible for many years. You’d long to hear the sound of a favorite person signing on, which meant they were available for messages. Not with Slack.

Have a co-worker in a different time zone? You can send a message at 3:00 a.m. She can set her status to away or do not disturb, but her digital presence is still there. Slack helpfully sends her an e-mail with just a snippet of the conversation, just enough to get her attention. Maybe she sees it on her phone while eating breakfast, and Slack helpfully urges her to install the app.

Yes, the mobile access is convenient. I can take off to a doctor’s appointment and still talk to a coworker about an ongoing issue. That’s not the only time I use it, though. I open it before bed. I have a look at dinner. In this day and age we are used to instant gratification; we like to get it ourselves, so we want to give it back, too.

Not to mention the fear of missing out. You’re on holiday? What important discussions are you missing on Slack while you’re sitting on the beach? Well, thankfully you can just pop in for a second to check, since you have the mobile app! If you don’t check the app on vacation, the notification bubble will be there when you get back, along with all the Slack e-mails urgently telling you everything you missed.

People have a responsibility to use tools appropriately and manage their work-life balance, but at a certain point the evidence that the system is designed to be used irresponsibly is so overwhelming that you just need to reconsider its use.

People complain about IRC, its clunky CLI clients and its ephemeral nature, but the latter is part of why it’s such a right-sized tool. Its temporary nature drives longer-form discussions to other places. Fear of missing out is diminished when there’s no expectation to read back through history. The lack of threads encourages summaries when reaching out to include someone else in a discussion.

The problem, of course, is that Slack is here to stay. What do you all do to have a healthier relationship with it?

Mar 5, 2020 - Tarbombs considered harmful

So, one day you hear about this great new open source project. You visit the company’s web site, download the latest version of their software, tofu-wonder.tar.gz, and extract it in your home directory:

$ tar xvf tofu-wonder.tar.gz
.config/
.config/server.xml
.config/database.xml
README.txt
LICENSE.txt
tofu-wonder
001.dat
002.dat
003.dat
004.dat
005.dat
[...]
943.dat

You just got tarbombed. In older versions of tar, tarballs could even contain absolute paths and potentially overwrite existing files on your file system. These days, most versions of tar prevent this unless explicitly allowed, so the worst that happens is that a particular archive litters its files across whatever unfortunate directory you were in when you extracted it. Have fun cleaning that up.

OK, so how do you avoid it? I now include this line in my .zshrc:

export TAR_OPTIONS="--one-top-level"

This option extracts everything into a directory named after the archive’s basename. In the example above, it’d now look like this:

$ tar xvf tofu-wonder.tar.gz
tofu-wonder/.config/
tofu-wonder/.config/server.xml
tofu-wonder/.config/database.xml
tofu-wonder/README.txt
tofu-wonder/LICENSE.txt
tofu-wonder/tofu-wonder
tofu-wonder/001.dat
tofu-wonder/002.dat
tofu-wonder/003.dat
tofu-wonder/004.dat
tofu-wonder/005.dat
[...]
tofu-wonder/943.dat

Perfect! But it’s better not to make users do this. The first way to prevent it is to include the top-level directory when you create the tarball:

tar czvf tofu-wonder.tar.gz tofu-wonder/

Another option is to use --transform to replace the leading . with something else:

tar czvf tofu-wonder.tar.gz --transform "s?^\.?tofu-wonder-0.1.1?"  .
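Added example, not code from the original post: a Python pre-flight check that lists an archive’s top-level entries and flags absolute or ../ paths before anything is extracted, covering both the tarbomb and the path-escape cases described above. The sample archives are constructed in memory to mirror the post’s tofu-wonder listings.

```python
import io
import posixpath
import tarfile

def build_sample_tarball(names):
    """Constructed sample: in-memory .tar.gz of empty files (names ending in '/' are dirs)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in names:
            info = tarfile.TarInfo(name)
            if name.endswith("/"):
                info.type = tarfile.DIRTYPE
            tar.addfile(info)
    return buf.getvalue()

def inspect_tarball(data):
    """List top-level entries and path problems without extracting anything."""
    top_levels, problems = set(), []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            name = posixpath.normpath(member.name)
            if name == ".":
                continue  # the archive root itself, e.g. from 'tar -c .'
            # Absolute or parent-relative paths would land outside the cwd.
            if name.startswith("/") or name == ".." or name.startswith("../"):
                problems.append(f"escapes extraction directory: {member.name}")
                continue
            top_levels.add(name.split("/")[0])
    if len(top_levels) > 1:
        problems.append(f"tarbomb: {len(top_levels)} top-level entries, expected 1")
    return sorted(top_levels), problems

# Constructed archives mirroring the post: a tarbomb and a properly rooted one.
TARBOMB = build_sample_tarball([".config/", ".config/server.xml", "README.txt",
                                "LICENSE.txt", "tofu-wonder", "001.dat"])
ROOTED = build_sample_tarball(["tofu-wonder/", "tofu-wonder/.config/",
                               "tofu-wonder/.config/server.xml", "tofu-wonder/README.txt"])

if __name__ == "__main__":
    for label, data in (("tarbomb", TARBOMB), ("rooted", ROOTED)):
        print(label, inspect_tarball(data))
```

On Python 3.12 and later (and the security backports to older 3.x releases), tarfile.extractall(filter="data") refuses the absolute and ../ entries on its own, but the single-top-level check is still up to the caller.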