Use updated RSS feed by default

Expand on ACL issues
Replace link with sources, and actually show them
2024-02-21 11:48:17 +00:00 · 2024-02-21 11:46:18 +00:00 · 2024-02-21 11:40:55 +00:00 · 2024-02-21 11:11:56 +00:00 · 2024-02-21 11:05:56 +00:00
17 changed files with 91 additions and 65 deletions
--- a/docs/README.md
+++ b/docs/README.md
@ -12,4 +12,4 @@ Things I've learned, and need to remember - so future me has a chance of using t
 !!! warning
    These notes are mine, collected over time. Just because I've said it here, doesn't mean it's the absolute best practice. It worked for me, it might work for you.

-If you're interested, there's an [RSS feed](/feed_rss_created.xml).
+If you're interested, there are RSS feeds for [updated](/feed_rss_updated.xml) and [created](/feed_rss_created.xml) notes.
--- a/docs/notes/database/long-running-queries.md
+++ b/docs/notes/database/long-running-queries.md
@ -2,7 +2,8 @@
 title: Find and kill long running queries
 tags:
  - PostgreSQL
-link: https://medium.com/little-programming-joys/finding-and-killing-long-running-queries-on-postgres-7c4f0449e86d
+sources:
+  - https://medium.com/little-programming-joys/finding-and-killing-long-running-queries-on-postgres-7c4f0449e86d
 ---

 # Running queries
--- a/docs/notes/database/redis-monitor.md
+++ b/docs/notes/database/redis-monitor.md
@ -2,11 +2,9 @@
 title: Monitor redis commands
 tags:
  - Redis
-emoji: 👀
-link: https://redis.io/commands/monitor/
 ---

 It's often useful to view what Redis is working on.

 1. Connect to redis
-2. `MONITOR`
+2. [`MONITOR`](https://redis.io/commands/monitor/)
--- a/docs/notes/database/running-queries.md
+++ b/docs/notes/database/running-queries.md
@ -2,7 +2,8 @@
 title: Monitor running queries
 tags:
  - PostgreSQL
-link: https://techmango.org/2017/11/04/monitor-running-queries-postgresql/
+sources:
+  - https://techmango.org/2017/11/04/monitor-running-queries-postgresql/
 ---

 View a list of running queries:
--- a/docs/notes/database/truncate-database.md
+++ b/docs/notes/database/truncate-database.md
@ -2,7 +2,6 @@
 title: Truncate a database from the inside
 tags:
  - PostgreSQL
-emoji: 🐘
 ---

 How to delete database from the inside, with only access to that database.
--- a/docs/notes/example-note.md
+++ b/docs/notes/example-note.md
@ -1,6 +1,5 @@
 ---
 title: Example note
-emoji: 👋
 modified: 2022-09-09
 ---

--- a/docs/notes/infrastructure/assume-role-credentials.md
+++ b/docs/notes/infrastructure/assume-role-credentials.md
@ -2,8 +2,8 @@
 title: Get credentials for an assumed role
 tags:
  - AWS
-link: https://aws.amazon.com/premiumsupport/knowledge-center/iam-assume-role-cli/
-emoji: 🔑
+sources:
+  - https://aws.amazon.com/premiumsupport/knowledge-center/iam-assume-role-cli/
 ---

 It's often useful to get regular access keys as if you were assumed into another role. This is possible:
--- a/docs/notes/infrastructure/cross-account-transfer.md
+++ b/docs/notes/infrastructure/cross-account-transfer.md
@ -1,47 +0,0 @@
---
-title: Cross-account data transfer
-tags:
-  - AWS
-link: https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-s3/
-emoji: 🪣
---
-
-To copy bucket contents from bucket in account A to bucket in account B:
-
-1. Create new S3 bucket in account B
-2. Create IAM role / user in account B, with access to destination bucket
-3. Add IAM inline policy to user:
-
-```json
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Action": "s3:*",
-      "Resource": [
-        "arn:aws:s3:::<source_bucket>/*",
-        "arn:aws:s3:::<source_bucket>"
-      ]
-    }
-  ]
-}
-```
-
-4. Add policy to source bucket
-
-```json
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Principal": {
-        "AWS": "arn:aws:iam::<account_id>:user/<user>"
-      },
-      "Action": "s3:*",
-      "Resource": ["arn:aws:s3:::<source_bucket>/*", "arn:aws:s3:::<source_bucket>"]
-    }
-  ]
-}
-```
--- a/docs/notes/infrastructure/s3-cross-account-transfer.md
+++ b/docs/notes/infrastructure/s3-cross-account-transfer.md
@ -0,0 +1,62 @@
+---
+title: Cross-account data transfer in S3
+tags:
+  - AWS
+sources:
+  - https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-s3/
+  - https://stackoverflow.com/a/63804619
+---
+
+To copy bucket contents from a bucket in account A to a bucket in account B:
+
+1. Create new S3 bucket in account B
+2. Create IAM role / user in account B, with access to destination bucket
+3. Add IAM inline policy to the newly-created user:
+
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": "s3:*",
+      "Resource": [
+        "arn:aws:s3:::<source_bucket>/*",
+        "arn:aws:s3:::<source_bucket>"
+      ]
+    }
+  ]
+}
+```
+
+4. Add policy to source bucket
+
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "arn:aws:iam::<account_id>:user/<user>"
+      },
+      "Action": "s3:*",
+      "Resource": ["arn:aws:s3:::<source_bucket>/*", "arn:aws:s3:::<source_bucket>"]
+    }
+  ]
+}
+```
+
+Now, you can run `aws s3 sync` as the account in account B, and access both buckets.
+
+## ACLs
+
+Whilst it might seem counter-intuitive, a **pull**-based transfer is significantly simpler than a **push**-based transfer. Notably, it avoids [issues](https://stackoverflow.com/a/63804619) with ownership issues and ACLs. Bucket policies don't seem to apply if the object is owned by a different account, which is the case when ACLs are enabled and the object is written by a user not in the organisation (hence pull-based being best).
+
+These can be solved by overwriting the file's ACLs to enforce the bucket owner owns the file:
+
+```
+aws s3 cp --recursive 's3://<destination_bucket>` 's3://<destination_bucket>` --acl bucket-owner-full-control --metadata-directive REPLACE
+```
+
+It's then good practice to make sure the ACLs are as you expect (eg [`./manage.py fix_document_acls`](https://github.com/torchbox/wagtail-storages?tab=readme-ov-file#django-admin-fix_document_acls)).
--- a/docs/notes/mitm-port-forward.md
+++ b/docs/notes/mitm-port-forward.md
@ -2,9 +2,10 @@
 title: Simple reverse proxy
 tags:
  - Networking
-link: https://docs.mitmproxy.org/stable
 ---

+This uses [`mitmproxy`](https://docs.mitmproxy.org/stable), which can proxy both HTTP and HTTPS.
+
 ```
 mitmproxy --mode reverse:http://localhost:8000
 ```
--- a/docs/notes/rebase-onto.md
+++ b/docs/notes/rebase-onto.md
@ -2,7 +2,6 @@
 title: Rebase commits done on the wrong branch
 tags:
  - Git
-link: https://git-scm.com/book/en/v2/Git-Branching-Rebasing#_more_interesting_rebases
 ---

 ```sh
@ -10,3 +9,5 @@ git rebase --onto master server client
 ```

 > Take the `client` branch, figure out the patches since it diverged from the `server` branch, and replay these patches in the client branch as if it was based directly off the `master` branch instead.
+
+See also ["more interesting rebases"](https://git-scm.com/book/en/v2/Git-Branching-Rebasing#_more_interesting_rebases)
--- a/docs/notes/shell/ffmpeg-downmixing-audio.md
+++ b/docs/notes/shell/ffmpeg-downmixing-audio.md
@ -2,8 +2,8 @@
 title: Downmixing audio channels
 tags:
  - Media
-emoji: 🎵
-link: https://trac.ffmpeg.org/wiki/AudioChannelManipulation
+sources:
+  - https://trac.ffmpeg.org/wiki/AudioChannelManipulation
 ---

 ```bash
--- a/docs/notes/shell/ffmpeg-remove-stream.md
+++ b/docs/notes/shell/ffmpeg-remove-stream.md
@ -2,8 +2,8 @@
 title: Strip audio / subtitle stream with ffmpeg
 tags:
  - Media
-emoji: 🎵
-link: https://stackoverflow.com/a/38162168
+sources:
+  - https://stackoverflow.com/a/38162168
 ---

 ```bash
--- a/docs/notes/shell/stop-saving-history.md
+++ b/docs/notes/shell/stop-saving-history.md
@ -1,6 +1,5 @@
 ---
 title: Stop saving bash history
-emoji: 🤔
 tags:
  - Shell
 modified: 2022-11-02
--- a/hooks/notes.py
+++ b/hooks/notes.py
@ -1,5 +1,6 @@
 import jinja2
 from mkdocs.structure.nav import Navigation
+from urllib.parse import urlparse

@jinja2.pass_context
 def get_page(context, slug):
@ -25,8 +26,11 @@ def get_notes(context):

    return sorted(notes, key=lambda p: p.meta["git_creation_date_localized_raw_iso_date"], reverse=True)

+def get_domain(url):
+    return urlparse(url).netloc

 def on_env(env, config, files):
    env.tests["startswith"] = str.startswith
    env.globals["get_page"] = get_page
    env.globals["get_notes"] = get_notes
+    env.filters["domain"] = get_domain
--- a/mkdocs.yml
+++ b/mkdocs.yml
@ -15,7 +15,7 @@ extra:
    - icon: fontawesome/brands/github
      link: https://github.com/RealOrangeOne
    - icon: fontawesome/solid/rss
-      link: /feed_rss_created.xml
+      link: /feed_rss_updated.xml
  analytics:
    provider: plausible
    domain: notes.theorangeone.net
--- a/theme/main.html
+++ b/theme/main.html
@ -30,3 +30,11 @@
    <strong>GitHub</strong>
  </a>.
 {% endblock %}
+
+{% block content %}
+  {{ super() }}
+
+  {% if page.meta.sources %}
+  <small>Sources: {% for source in page.meta.sources %}<a href="{{ source }}">{{ source|domain }}</a>{% endfor %}</small>
+  {% endif %}
+{% endblock %}
Author	SHA1	Message	Date
Jake Howard	b07249f7ae	Use updated RSS feed by default	2024-02-21 11:48:17 +00:00
Jake Howard	4227e6da2f	Expand on ACL issues	2024-02-21 11:46:18 +00:00
Jake Howard	65e681742d	Replace link with sources, and actually show them	2024-02-21 11:40:55 +00:00
Jake Howard	24fc330e64	Add note about ACLs and ownership when copying between accounts	2024-02-21 11:11:56 +00:00
Jake Howard	74ef7d9232	Remove legacy emoji from notes	2024-02-21 11:05:56 +00:00