fox.cpp @[email protected]

So in case GitHub does a flop again, one could grab the source code of maddy, for example, from git.hexanet.dev/foxcpp/maddy. I should link it somewhere...

https://neustadt.fr/essays/against-a-user-hostile-web/

Case study: github.com/foxcpp/maddy deployment consists of /var/lib/maddy directory, /etc/maddy/maddy.conf file, /usr/bin/maddy executable with only libc dependency and init system config. What do you need docker for here?

Create software that does not require Docker to have maintainable deployments, prefer software that does not require Docker to have maintainable deployments, keep software with a shitshow of dependencies in containers created using mechanisms that are much more simple than Docker (lxd, nspawn, just chroot jail afer all).

https://shouldiusethreads.com/

git+ssh+some scripting seems to be the best configuration deployment system.

Take a look:
Firewall configs for hexanet.dev servers are in Git repo. Update takes one 'git push' and two commands on each affected server. Later can be easily improved to be fully automatic using Git hooks. What I am doing wrong?

Protocol Labs have little to no incentive to have IPFS working well. It is a project full of not-bad ideas but lacks polish nearly everywhere. Also Protocol Labs missed FileCoin mainnet launch deadline several times already. This tells a lot about company behind IPFS and FileCoin. Do not waste your time on either of these.

Kudos to Dovecot team for designing a reasonable external authentication protocol and providing a useful specification for it.

If AppArmor seems a bit too much, at least protect startup files. Make .bashrc, .bash_profile, .xinitrc, WM and shell configs immutable.

The sudo password is a security theater. If untrusted code is isolated, it will be unable to run sudo (or other privilege escalation tool) at all. If untrusted code is not isolated, it has millions of ways to sniff the sudo password. This applies to both server and desktop Linux installations.

Keep your stuff sandboxed. The Evil Systemd, despite being Evil, has a set of useful options for this. Check systemd.service(5).

Here we go.
If somebody wants to try it - clone master branch and do 'git cherry-pick d0e7df023cadb3d7068e5b09509bc562ad63f10b', then run build.sh script as usual.

maddy is getting milter client support once I figure out how to use go-fuzz!

https://github.com/emersion/go-milter/pull/6

So far testing IPNS performance:

/ipns/QmbrC2DvpGp2jmFH9udVFuzAvzwB967DRT1CcRu1Pru5FC

IPNS lookup + fetch using gateway.ipfs.io
1. 17.12 seconds
2. 23 seconds

IPNS lookup + fetch using ipfs.hex.dn42
1. 7.23 seconds
2. 0.147 seconds (cache hit)
3. 0.876 seconds (after node restart, wtf)

IPNS lookup + fetch using cloudflare-ipfs.com:
1. Timeout
2. Timeout

IPNS lookup + fetch using ipfs.eternum.io
1. 64.49 secs

IPNS lookup + fetch using ipfs.best-practice.se
1. 502 Bad Gateway

go-ipfs 0.5 is released. Promises IPNS performance improvement. Now `ipfs name publish` fails with timeout instead of failing silently after a terribly big amount of time. That is an improvement, I think?

#ipfs

So in case GitHub does a flop again, one could grab the source code of maddy, for example, from git.hexanet.dev/foxcpp/maddy. I should link it somewhere...

<jrb0001> ansible is slow
<jrb0001> foxcpp: ansible is 7+ minutes for me, and that's just copying files over + restarting stuff if needed. generating all files is a custom tool and takes much less than a second.
(from #dn42 at hackint)

Literally: https://git.hexanet.dev/foxcpp/chicken-coop
Can even be fully automated via little systemd timer/cron job.

Screw #ansible.

As for deployment, there are lxd and other similar software. If you are into The Evil Systemd things, you can even try mkosi+nspawn. I found it rather convenient for throwaway experiments with software.

Often heard argument for Docker: security via isolation. As a complete security freak, I think AppArmor combined with simple application https://github.com/foxcpp/scmp-confine for seccomp offers more security with less management overhead. If you want more - you have bubblewrap.