
Replace resource shortcode with markup transform

This commit is contained in:
Jake Howard 2020-07-23 19:16:50 +01:00
parent f87466090e
commit f804d2313d
Signed by: jake
GPG key ID: 57AFB45680EDD477
13 changed files with 33 additions and 82 deletions

View file

@ -7,15 +7,11 @@ tags: [security]
Yesterday, an email was sent to `django-announce`, informing of an upcoming security update, labelled "high" severity. Previous notifications like this have been one week before the actual disclosure; This email, just 12 hours. The updates were scheduled to be released 12:00 UTC the next day (today). Already, not the best thing to be reading just one week before Christmas, and one day before the company production freeze.
{{< resource src="initial-announcement-email.png" >}}
Email announcing the upcoming security release.
{{< /resource >}}
![Email announcing the upcoming security release.](initial-announcement-email.png)
This morning, at 09:23 UTC, said updates were [released](https://www.djangoproject.com/weblog/2019/dec/18/security-releases/), and an email hit my inbox, almost three hours early. I can only imagine what seeing that notification did to my heart rate.
{{< resource src="release-email.png" >}}
Email announcing the release
{{< /resource >}}
![Email announcing the release](release-email.png)
These updates, versions 3.0.1, 2.2.9, and 1.11.27, contain a fix for CVE-2019-19844, a vulnerability around the password reset mechanism, potentially enabling accounts to be hijacked, simply by knowing the user's email address. It was possible to receive the password reset email for an account you didn't control, reset their password, and hence gain access to the account. GitHub was hit by a very similar issue [only last month](https://eng.getwisdom.io/hacking-github-with-unicode-dotless-i/). Because of the high-profile nature of the vulnerability, and its high impact, the Django security team decided to release updates as quickly as possible, hence the small notification period.

View file

@ -7,9 +7,7 @@ hide_header_image: true
Bluetooth audio is great! I've had a pair of Bluetooth headphones, [Sony MDR-XB950 BT](https://www.sony.com/electronics/headband-headphones/mdr-xb950bt), for around a year now, and the ability to listen to music without cables is amazing. But, I can only use the Bluetooth parts of this with my phone, because on Linux, it just sounds terrible. I've even gone so far as to buy and wire in a cable on my desk at work to enable me to fairly easily connect to my desk, without having to plug into the desktop every day.
{{< resource src="device-broken.png" >}}
`A2DP` marked as _unavailable_.
{{< /resource >}}
![`A2DP` marked as _unavailable_.](device-broken.png)
## The Problem
The issue is caused by a lack of `A2DP`, a Bluetooth profile for transmitting stereo audio at high quality. According to the manual for my headphones, it supports `A2DP` just fine, however, my computer was reporting it didn't, and so was saying it was _unavailable_.
@ -25,9 +23,7 @@ If there's one thing I know, it's that there's an [AUR](https://aur.archlinux.or
That's it!
{{< resource src="device-fixed.png" >}}
`A2DP` is now enabled! _(Ignore the fact the device name changed)_
{{< /resource >}}
![`A2DP` is now enabled! _(Ignore the fact the device name changed)_](device-fixed.png)
## The Cause
According to the [related wiki](https://wiki.archlinux.org/index.php/Talk:Bluetooth_headset#GDMs_pulseaudio_instance_captures_bluetooth_headset), it's caused by `GDM` capturing the Bluetooth device, and unloading certain modules if they exist. I'm not exactly sure why it does this, but it's a fairly well documented issue.

View file

@ -25,9 +25,7 @@ These new features require some changes to the system, your database file, and b
To migrate to KDBX4, you must change the _Encryption Algorithm_ to _"ChaCha20"_, and the _Key Derivation Function_ to _"Argon2"_. These can both be done in the _Encryption_ settings for your database (Database > Database Settings).
{{< resource src="db-settings.png" >}}
The settings I'm using for my database
{{< /resource >}}
![The settings I'm using for my database](db-settings.png)
### Mobile
If you're planning to use your database on less-powerful hardware, such as a phone, you'll want to set the transformation rounds low. Argon2 is far more computationally intensive compared to PBKDF2. Using the 1-second benchmark button suggests using just 23 rounds. Where before I used 20,000 rounds of PBKDF2, I now use just five rounds of Argon2, to ensure it opens in reasonable time on my phone.
@ -74,16 +72,12 @@ With the SSH now enabled, a new _"SSH Agent"_ tab appears in the entry edit view
To pair the key with this entry, you should attach it from the _"Advanced"_ pane. You only need to attach the private key, as this often contains the related public key as part of the file. Then, from the _"SSH Agent"_ pane, select the attachment as the primary key. This should populate the _"Public key"_ section with the respective public key.
{{< resource src="ssh-agent-settings.png" >}}
The _"SSH Agent"_ pane showing an attached key
{{< /resource >}}
![The _"SSH Agent"_ pane showing an attached key](ssh-agent-settings.png)
I've also set the key to be automatically added and removed from the agent, rather than manually. It'd be nice if this could be changed / defaulted globally.
Now, the keys are accessibly to use for authentication.
{{< resource src="ssh-agent-terminal.png" >}}
You can validate they're accessible using `ssh-add -l`, which should show the fingerprint of the key.
{{< /resource >}}
![You can validate they're accessible using `ssh-add -l`, which should show the fingerprint of the key.](ssh-agent-terminal.png)
These new features of KeePassXC are completely optional. However, KeePassHTTP and legacy key files are considered deprecated, and may be removed in upcoming releases. So, might as well update now!

View file

@ -7,9 +7,7 @@ hide_header_image: true
As anyone who's used an application written with the QT UI framework will know, they don't always look the best, and certainly don't fit in with the rest of your desktops theme in the way GTK does. Certain themes support styling both GTK and QT applications, however most don't.
{{< resource src="qt-gtk-before.png" >}}
KeePassXC, before it looked pretty
{{< /resource >}}
![KeePassXC, before it looked pretty](qt-gtk-before.png)
Fortunately, there's a solution, and it comes in the form of a _Theme engine_. Theme engines act as a small compatibility layer, allowing certain frameworks to render as if they were others. With this, we can tell QT applications to render as if they were GTK.
@ -24,6 +22,4 @@ Installing the environment variable can't be done in your `.bashrc`, as variable
After install, simply reboot, and your apps should fit in far, _far_ better with the rest of your desktop.
{{< resource src="qt-gtk-after.png" >}}
KeePassXC, with GTK looks much nicer!
{{< /resource >}}
![KeePassXC, with GTK looks much nicer!](qt-gtk-after.png)

View file

@ -13,9 +13,7 @@ My current distro of choice is [Arch](https://www.archlinux.org/), specifically
## Desktop
My current desktop of choice is [i3](https://i3wm.org/). After spending a lot of time using [Gnome](https://www.gnome.org/), and always having windows either full screen or split, I tried out i3 in an attempt to use fewer resources, and it's amazing. Admittedly i3 doesn't look quite as nice, but it's far cleaner, and structured, and that's enough for me!
{{< resource src="editing-my-stack.png" >}}
Editing my stack, in caret
{{< /resource >}}
![Editing my stack, in caret](editing-my-stack.png)
# Editors
## Code
@ -30,9 +28,7 @@ If I'm just editing a file quickly, whether it be config from the terminal, or a
# Shell
Whilst I use [ZSH](https://www.zsh.org/), I'm not a fan of the [super fancy themes](https://github.com/robbyrussell/oh-my-zsh/wiki/External-themes) for it, which display your current git branch, node version, time, all that jazz. My terminal is a take on the default colourized Debian terminal, with a lambda symbol who's colour changes depending on the return code of the previous command.
{{< resource src="shell-prompt.png" >}}
My shell prompt
{{< /resource >}}
![My shell prompt](shell-prompt.png)
I do have a fair number of plugins and aliases, thanks to both [oh my ZSH](http://ohmyz.sh/) and [my custom config](https://github.com/RealOrangeOne/dotfiles/tree/master/modules/shell/files).

View file

@ -31,9 +31,7 @@ Last year, I was a fan of [Caret](https://caret.io/), and was eagerly awaiting v
## Quick files edits
Nothing beats [Vim](http://www.vim.org/) for anything like this. I've switched my default editor for git commit messages, and have it installed on all my servers. I'm still unfamiliar with many of the advanced keyboard shortcuts, but I can navigate around a file just well enough for me.
{{< resource src="editing-my-stack.png" >}}
Editing my stack, in VSCode
{{< /resource >}}
![Editing my stack, in VSCode](editing-my-stack.png)
# Shell
My shell prompt is almost identical to last year. If it ain't broke, don't fix it! I've got plenty of aliases set up to make complex tasks easier, and the prompt looking just how I like it!
@ -41,9 +39,7 @@ My shell prompt is almost identical to last year. If it ain't broke, don't fix i
# Terminal Emulator
My terminal environment has probably been one of the largest changes in the last 12 months. Previously, I was using [Terminator](https://gnometerminator.blogspot.co.uk/p/introduction.html). In the last year, I've moved from Terminator, to [Tilix](https://gnunn1.github.io/tilix-web/), and finally settled on [Alacritty](https://github.com/jwilm/alacritty), with [Tmux](https://github.com/tmux/tmux). Alacritty is fast, lightweight, and GPU-accelerated. Thanks to Tmux, I can keep the tiled experience in my terminal too. After a colleague started experimenting with Tmux, I gave it a shot, and it's great. My config is modified, like changing the prefix to `C-t`, and to make sure things still work as I'm used to.
{{< resource src="terminal.png" >}}
My shell prompt
{{< /resource >}}
![My shell prompt](terminal.png)
# Browser
[Firefox](https://www.mozilla.org/en-GB/firefox/new/), end of.

View file

@ -43,10 +43,7 @@ When it comes to creating the database for WordPress, it's really very simple. J
In simple terms, Wordfence is a firewall for WordPress. It monitors the requests to your application, and blocks suspicious activity, and attempts to block brute-force attempts. The nicest feature I found was the check for commonly exposed configuration files, and prompting to remove them.
{{< resource src="wordfence.png" >}}
Categories Wordfence protects
{{< /resource >}}
![Categories Wordfence protects](wordfence.png)
## Validate your work

View file

@ -5,9 +5,7 @@ date: 2020-04-11
A few days ago, I was sharing a [blog post]({{< relref "wireguard-haproxy-gateway" >}}) to someone on the [self-hosted podcast](https://selfhosted.show/) discord, and they asked if I was self hosting my website. Unfortunately, and rather ironically, I had to answer no. I've been intending to move it over to my own server for a while, so this felt like as good of a push as any!
{{< resource src="chat-log.png" >}}
Chat log of me admitting shame
{{< /resource >}}
![chat-log.png](Chat log of me admitting shame)
At the time, my website was hosted on [Netlify](https://www.netlify.com/). If you're looking to host a static site, and don't want to run your own servers, netlify is the right answer! The performance is great, the free plan is wonderful, and the fact content is distributed over their CDN is pretty nice!
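Review bot: the alt text and destination are swapped in the new image line `![chat-log.png](Chat log of me admitting shame)`; to match the other hunks it should read `![Chat log of me admitting shame](chat-log.png)`. As written, the render hook receives `Chat log of me admitting shame` as `.Destination`, which does not start with `http`, so `.Page.Resources.GetMatch` returns nil and the following `.Resize` call will abort the site build rather than render the image.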

View file

@ -66,13 +66,9 @@ When getting started, and even long after that, the traefik dashboard is an incr
If you're trying to configure a service, and not sure how Traefik is seeing, if it sees it at all. The web interfaces shows you everything.
{{< resource src="traefik-router.png" >}}
Traefik router configuration for this website
{{< /resource >}}
![Traefik router configuration for this website](traefik-router.png)
{{< resource src="traefik-service.png" >}}
Traefik service configuration for this website
{{< /resource >}}
![Traefik service configuration for this website](traefik-service.png)
## TLS

View file

@ -78,9 +78,7 @@ OpenVPN Access Server is free for two concurrent users. For this, we only need,
Once the script has finished, you'll need to set the password for the builtin user. Run `sudo passwd openvpn` to do this. Open the _"Admin UI"_ URL displayed after the init script. It's probably `https://<ip>:943/admin`. Here, you can log in as the `openvpn` user.
{{< resource src="landing-screen.png" >}}
Landing page for OpenVPN admin panel
{{< /resource >}}
![Landing page for OpenVPN admin panel](landing-screen.png)
### Create the client account
@ -90,10 +88,7 @@ Once logged in, click _"User Permissions"_ in the sidebar, and create a new user
The new VPN user needs to be told to allow traffic to flow to other devices on its network. To do this, we need to enable a feature called _"VPN Gateway"_. Under the user settings, switch the related radio button to _Yes_, and enter the subnets you want to be accessible. These should be one per line, and in the format `192.168.1.0/24`. You will also need to enable access from _"all server side private subnets"_ and _"all other VPN clients"_.
{{< resource src="user-settings.png" >}}
Make sure your user settings look roughly like this.
{{< /resource >}}
![Make sure your user settings look roughly like this.](user-settings.png)
### Set up the client device

View file

@ -44,9 +44,7 @@ The Wireguard codebase is nice and small. Compared to OpenVPN it's practically m
Wireguard is incredibly fast. Take these benchmarks from the Wireguard website, captured over a gigabit network.
{{< resource src="charts.png" >}}
Wireguard benchmarks. [src](https://www.Wireguard.com/performance/#results)
{{< /resource >}}
![Wireguard benchmarks. [src](https://www.Wireguard.com/performance/#results)](charts.png)
Not only is Wireguard significantly faster than OpenVPN, and slightly faster still than IPSec, there's an important extra bit of detail. The Wireguard version was the only one not maxing out the CPU, meaning whatever's limiting Wireguard's score, it's not Wireguard itself, it's likely something far more fundamental like networking overhead, seeing as 1011mb is pretty close to one gigabit.
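Review bot: the new line nests a Markdown link inside the image description: `![Wireguard benchmarks. [src](https://www.Wireguard.com/performance/#results)](charts.png)`. CommonMark allows a link inside an image description, and the hook's `{{ .Text | plainify }}` reduces it to `Wireguard benchmarks. src` for the `alt` attribute while `markdownify` keeps the link in the figcaption, so it does render; but the attribution is lost to screen readers and to anything else that reads only `alt`. Consider moving the `[src](...)` link out of the image description and into the surrounding paragraph.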

View file

@ -0,0 +1,13 @@
{{ $destination := .Destination }}
{{ if not (hasPrefix .Destination "http") }}
{{ $resource := .Page.Resources.GetMatch $destination }}
{{ $destination = ($resource.Resize "1000x").RelPermalink }}
{{ end }}
<figure class="text-center">
<img src="{{ $destination | safeURL }}" alt="{{ .Text | plainify }}" style="max-width: 90%;"/>
<figcaption class="text-center">
<small>{{ .Text | markdownify }}</small>
</figcaption>
</figure>
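Review bot: the `.Page.Resources.GetMatch $destination` lookup on the third line is not checked for nil before `$resource.Resize "1000x"` is called, so any non-`http` destination that is not a page-bundle resource (a typo in the filename, a root-relative `/images/...` path, or a protocol-relative `//` URL, none of which `hasPrefix .Destination "http"` catches) fails the build with a nil-pointer error instead of a message naming the offending page. Wrap the lookup so the failure is explicit: `{{ with .Page.Resources.GetMatch $destination }}{{ $destination = (.Resize "1000x").RelPermalink }}{{ else }}{{ errorf "image %q not found in %s" $destination $.Page.File.Path }}{{ end }}`. Two smaller points: `hasPrefix "http"` passes plain `http://` image URLs through unchanged, which a site served over HTTPS will render as mixed content, and the hard-coded `style="max-width: 90%;"` is an inline style that a `Content-Security-Policy` without `style-src 'unsafe-inline'` will block; a class defined in the stylesheet avoids that.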

View file

@ -1,20 +0,0 @@
{{ $original := .Page.Resources.GetMatch (.Get "src") }}
{{ $options := default "1000x" (.Get "options") }}
{{ .Scratch.Set "image" ($original.Resize $options) }}
{{ define "img" }}
{{ $image := .Scratch.Get "image" }}
<img src='{{ $image.RelPermalink }}' class='{{ .Get "class" }}' alt="{{ .Inner | plainify }}" style="max-width: 90%;" />
{{ end }}
{{ if .Inner }}
<figure class="text-center">
{{ template "img" . }}
<figcaption class="text-center">
<small>{{ .Inner | markdownify }}</small>
</figcaption>
</figure>
{{ else }}
{{ template "img" . }}
{{ end }}
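Review bot: deleting the shortcode drops two behaviours the replacement hook does not carry over, the `options` parameter (custom resize geometry, defaulting to `1000x`) and the `class` attribute on the `<img>`, and the shortcode only wrapped the image in `<figure>`/`<figcaption>` when `.Inner` was non-empty, whereas the hook emits the figure unconditionally, so an image with no description now renders an empty `<figcaption>`. None of the call sites in this diff pass `options` or `class` and all carry a caption, so nothing here breaks, but either the commit message should record the dropped parameters or the hook should fall back to a bare `<img>` when `.Text` is empty (`{{ if .Text }}...figure...{{ else }}...img...{{ end }}`).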