I’ve found myself tinkering with WordPress stuff a lot lately. Here’s another quick change I made for nicer shortlinks with a shorter domain that I have.
This was inspired by trawling through jwz’ archives and hacks. This post in particular.
The first piece of this puzzle is adding this location block to the nginx configs for bhh.sh. There’s probably a better way to do this to handle more types or remove the extra redirect.
The other half is filtering the shortlink on the WordPress end. I’ve added this to the functions.php of my theme. Basic logic here is based on jwz’ base64 shortlinks, just minus the base64 and dumping the post ID right in there.
I run my own authoritative nameservers and have had a slight nagging feeling that I should’ve enabled DNSSEC years ago. It’s been on my perpetual to-do list but I’ve never gotten around to it. I’ve definitely caused some outages trying to get DNSSEC to work.
Came across this article and it confirms that my procrastination was pretty OK in this specific case.
Here’s how I got a self-hosted PDS (personal data server) running without docker.
This can be useful if you want to run the PDS on an existing machine or just don’t like docker. I came up with these steps by emulating what the installer script does.
My setup uses nginx and a wildcard TLS cert for my PDS domain.
Get the code
Clone the PDS repo
$ git clone https://github.com/bluesky-social/pds
Set up nginx
I use certbot to issue wildcard certs for my domains. See my wildcard cert script here. Note that you will need to set up credentials for your nameservers. I’m not aware of a way in nginx to issue certs on-demand like the example caddy config does.
This example is for the main IPv4 of 157.90.92.151 with two subnets of 157.90.196.48/28 and 162.55.142.192/28. The IPv4 gateway is derived from the existing Hetzner configs given on install.
source /etc/network/interfaces.d/*
auto lo
iface lo inet loopback
iface lo inet6 loopback

auto vmbr0
iface vmbr0 inet static
    address 157.90.92.151
    netmask 255.255.255.255
    bridge_ports none
    bridge_stp off
    bridge_fd 0
    pre-up brctl addbr vmbr0
    up ip route add 157.90.196.48/28 dev vmbr0
    up ip route add 162.55.142.192/28 dev vmbr0
    down ip route del 157.90.196.48/28 dev vmbr0
    down ip route del 162.55.142.192/28 dev vmbr0
    post-down brctl delbr vmbr0
The important bits here are sysctl forwarding and routing our guest subnet to vmbr0.
You also need to run systemctl disable --now rpcbind.socket, per Hetzner's rules.
Debian guest config
Subnet: 157.90.196.48/28
auto ens18
iface ens18 inet static
    address 157.90.196.48/32 # or address 157.90.196.X/32
    gateway 157.90.92.151

iface ens18 inet6 static
    # in this case I'm using the same ending as the IPv4 address
    address 2a01:4f8:252:3e22::48/64
    gateway 2a01:4f8:252:3e22::2
/etc/apt/sources.list
deb http://mirror.hetzner.de/debian/packages bookworm main
deb http://mirror.hetzner.de/debian/packages bookworm-updates main
deb http://mirror.hetzner.de/debian/packages bookworm-backports main
deb http://mirror.hetzner.de/debian/security bookworm-security main
deb http://security.debian.org bookworm-security main
/etc/resolv.conf
These are specifically Hetzner’s internal resolvers.
The mastodon-sidekiq@.service units were added to address queues backing up; they are essentially the same as the default unit file but with the -q queue name parameter added.
As an example, here’s some pics of Shaq Attaq that I posted the other day: https://benharr.is/post/3k655thdbzv2p. Note that bsky.app is not in the url.
I added this location block to the nginx config for benharr.is:
Running WordPress with sqlite is quick, easy, and can mean much less system administration load, since it eliminates the need for a separate database process.
Here’s the longer version about the outage on August 24, 2021:
After finishing the package upgrades on my Proxmox hosts for the new release (Proxmox 7.0, corresponding to Debian 11/bullseye), I typed reboot and pressed enter, crossing my fingers that it would come back up as expected.
It didn’t.
Luckily I had done one last round of VM-level backups before starting the upgrade! I started restoring the backups to one of my other servers, but my authoritative DNS is hosted on the same server as tilde.team, so that needed to happen first.
I got the ns1 set up on my Proxmox node at Hetzner, but my ns2 secondary zones had been hosted at ovh. Time to move those to he.net to get it going again (and move away from a provider-dependent solution).
While shuffling VMs around, I ended up starting a restore of the tilde.team VM on my infra-2 server at OVH. It's a large VM with two 300 GB disks, so it would take a while.
I started working to update the DNS records for tilde.team to live on OVH instead of my soyoustart box, but shortly after, I received a mail (in my non-tilde inbox luckily) from the ovh monitoring team that my server had been rebooted into rescue mode after being unpingable for this long.
I was able to log in with the temporary ssh password and update /etc/network/interfaces to use the currently working MAC address that the rescue system was using.
Once I figured out how to disable the netboot rescue mode in the control panel, I hit reboot once more. We're back up and running on the server that it was on at the start of the day!
ejabberd wasn’t happy with mysql for some reason but everything else seems to have come back up now.
If you’re a mastodon user on tilde.zone (the tildeverse mastodon instance), you might’ve noticed some downtime recently.
Here’s a quick recap of what went down during the upgrade process.
We run the current stable version of PostgreSQL from the postgres apt repos. PostgreSQL 13 was released recently and the apt upgrades automatically created a new cluster running 13.
The database for mastodon has gotten quite large (about 16 GB), which complicates this upgrade a bit. This was my initial plan:
drop the 13 cluster created by the apt package upgrades
upgrade the 12-main cluster to 13
drop the 12 cluster
These steps appeared to work fine, but closer inspection afterwards led me to discover that the new cluster had ended up with SQL_ASCII encoding somehow. This is not a situation we want to be in. Time to fix it.
Here’s the new plan:
stop mastodon:
for i in streaming sidekiq web; do systemctl stop mastodon-$i; done
dump current database state:
pg_dump mastodon_production > db.dump
drop and recreate cluster with utf8 encoding:
pg_dropcluster 13 main --stop
pg_createcluster --locale=en_US.UTF8 13 main --start
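Here is the new plan wrapped in a script, as an added example that is not the post's own code. It adds the preflight the first attempt lacked (refuse to continue unless the recreated cluster reports UTF8) and assumes the role name mastodon, that pg_dump/psql run via sudo as postgres, and that the plan continues with createuser, createdb and a psql restore; the listings are constructed sample output in the pipe-separated shape of psql -lAt.

```shell
#!/bin/sh
# Added example, not the post's own script: the new plan as a function plus a
# preflight encoding check. Listings below are constructed sample output in the
# shape of `psql -lAt` (pipe-separated: name|owner|encoding|collate|ctype|acl).
set -eu

# Return 0 when every database in a `psql -lAt` listing ($1) uses UTF8;
# otherwise print the offenders to stderr and return 1.
check_utf8() {
    bad=$(printf '%s\n' "$1" | awk -F'|' '$1 != "" && $3 != "UTF8" { print $1 "=" $3 }')
    if [ -n "$bad" ]; then
        printf 'non-UTF8 databases found: %s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Constructed: what the listing looked like after the first attempt (SQL_ASCII).
LISTING_BROKEN='mastodon_production|mastodon|SQL_ASCII|C|C|
postgres|postgres|SQL_ASCII|C|C|
template0|postgres|SQL_ASCII|C|C|=c/postgres
template1|postgres|SQL_ASCII|C|C|=c/postgres'

# Constructed: what the recreated cluster should show before the dump is loaded.
LISTING_FIXED='postgres|postgres|UTF8|en_US.UTF8|en_US.UTF8|
template0|postgres|UTF8|en_US.UTF8|en_US.UTF8|=c/postgres
template1|postgres|UTF8|en_US.UTF8|en_US.UTF8|=c/postgres'

# The migration itself, run as root on the database host. Everything after the
# check is my assumption of how the plan continues: a plain-format pg_dump does
# not recreate the role or the database, so those come first, then the restore.
migrate() {
    for i in streaming sidekiq web; do systemctl stop "mastodon-$i"; done
    sudo -u postgres pg_dump mastodon_production > db.dump
    pg_dropcluster 13 main --stop
    pg_createcluster --locale=en_US.UTF8 13 main --start
    check_utf8 "$(sudo -u postgres psql -lAt)"   # abort here if still SQL_ASCII
    sudo -u postgres createuser mastodon
    sudo -u postgres createdb -O mastodon -E UTF8 mastodon_production
    sudo -u postgres psql -q mastodon_production < db.dump
    for i in web sidekiq streaming; do systemctl start "mastodon-$i"; done
}
```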
As of git 2.28, there’s a new configuration option and you don’t need to use the templateDir option:
git config --global init.defaultBranch main
Changing git’s default branch name has come up recently as an easy action we can take to update our language and remove harmful ideas from our daily usage.
I’m concerned that this effort to change the language used is ultimately a symbolic gesture to avoid scrutiny into actual change (notably github’s push for this change and continued contracts with ICE).
However, it’s an easy change to make.
Let’s have a look at how to change it for new repos:
Note that you can put this template dir anywhere you like.
You can also set this system-wide (not just for your user) in /usr/share, but note that this might get overridden by package updates.
echo "ref: refs/heads/main" | sudo tee /usr/share/git-core/templates/HEAD
The next time you git init, you’ll be on a branch named main.
To change an existing repo, you can use the -m switch of git-branch:
git checkout master
git branch -m master main
Push with -u to your remote if needed and update the default branch in the repo settings in the hosting platform of choice.
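Both halves of this in a throwaway sandbox, as an added example rather than anything from the post: a fresh repo initialised from a template dir whose HEAD points at refs/heads/main, and an old-style repo renamed with git branch -m. The template and repo paths come from mktemp and the commit identity is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the post. Exercises the template-dir trick and
# the rename of an existing repo in temporary directories, then reports which
# branch HEAD points at so the result can be checked rather than assumed.
set -eu

# Build a template dir; $1 is the branch its HEAD should point at.
# Note the ref is refs/heads/<name>: "refs/head/" would silently do nothing.
make_template() {
    tpl=$(mktemp -d)
    printf 'ref: refs/heads/%s\n' "$1" > "$tpl/HEAD"
    printf '%s\n' "$tpl"
}

# git init a new repo from template dir $1 and print the branch HEAD points at.
init_from_template() {
    repo=$(mktemp -d)
    git init -q --template="$1" "$repo"
    git -C "$repo" symbolic-ref --short HEAD
}

# Make a legacy repo with one commit on master, for rename_default to act on.
# The commit identity is a placeholder, passed with -c so no config is touched.
make_legacy_repo() {
    repo=$(mktemp -d)
    git init -q --template="$(make_template master)" "$repo"
    git -C "$repo" -c user.name=example -c user.email=example@example.invalid \
        commit -q --allow-empty -m "initial"
    printf '%s\n' "$repo"
}

# Rename master to main in existing repo $1 (the post's -m switch) and print
# the resulting branch name. Pushing with -u to a remote is left to the caller.
rename_default() {
    git -C "$1" checkout -q master
    git -C "$1" branch -m master main
    git -C "$1" symbolic-ref --short HEAD
}
```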
It’s a relatively easy change, but don’t kid yourself that it makes any real impact. Go protest, donate and sign petitions, and get out there to fix the actual problems.