
May 10 2014


Running irssi as an interactive service

I revamped my server-side IRC setup a bit. I run irssi there, mainly for logging, so I want it to always run, but only really use it interactively from time to time.

I used to have it running in a separate tmux session under my own user, started at boot-time through a crontab entry like

@reboot tmux -u new-session -d -s irssi /usr/local/bin/irssi

Now I wanted it to

  • run under the irc user
  • be controlled by runit
  • have all relevant files in /srv

This is on a new server running Debian Wheezy but should apply roughly on all UNIXoid systems.

Setting up a service with runit is quite simple, but a bit different to traditional (self-backgrounding) services: There is a run script that performs all necessary setup, and then execs the actual program. This is necessary to keep the same PID so the stop/restart functions work properly. Additionally, the service itself must not fork; it should just keep running. Optionally, stdout is piped into a dependent log service. Should either ever crash or exit, they will be restarted automatically.

The multi-user support in tmux is a bit weak, and it lacks any way to synchronously wait for the session to end without attaching to it. I settled on using screen instead. Since the two (by default) use different shortcuts, it is quite convenient to attach to a screen session within my normal tmux.

The default Debian irc user has a home directory /var/run/ircd which does not exist unless ircd is installed (which I don't need), so just symlink this:

ln -s /srv/irc /var/run/ircd

Install the packages:

apt-get install runit irssi screen

And create the scaffolding for the service:

mkdir -p /etc/sv/irssi /etc/sv/irssi/log/main /etc/sv/irssi/supervise /etc/sv/irssi/log/supervise
cat >/etc/sv/irssi/log/run <<EOF
#!/bin/sh
exec svlogd -tt ./main
EOF
chmod +x /etc/sv/irssi/log/run

Finally, create the run script for irssi itself:


#!/bin/sh
exec 2>&1

export HOME=/srv/irc
export LANG=en_US.UTF-8

echo "Starting irssi..."
exec chpst -uirc screen -S irssi -m -D irssi

Explanation of the steps:

  • exec 2>&1: fold stderr into stdout so it is captured in the logs (just in case; I do this in all run-scripts)
  • exports: the run script, and subsequently the service, have an almost empty environment. Set $HOME so screen can find .screenrc, and $LANG to work correctly with UTF-8 characters
  • echo: a marker to track restarts, as screen won't produce any output
  • chpst: a tool that comes with runit to run the service in the context of another user. Easier to use than su and does not interfere with runit
  • screen -S irssi -m -D: set the session name to irssi so there is a fixed name to attach to, start detached but wait until the session finishes

Make it executable (chmod +x /etc/sv/irssi/run), and add /srv/irc/.screenrc to enable multiuser operation:

multiuser on
acladd <your username>

Then enable the service; it will start automatically:

ln -s ../sv/irssi /etc/service/irssi

and attach to it:

screen -r irc/irssi

To detach without exiting, press ^A d.
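
The run-script rules described above (executable, exec as the final step, no backgrounding, optional log service) can be checked mechanically. The following is an added example, not part of the original post; the function name check_runit_service is made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): lint a runit service directory
# against the rules described above. Prints one line per problem and returns
# non-zero if any were found.
check_runit_service() {
    dir=$1
    rc=0
    set -- "$dir/run"
    # the log service is optional, so check it only when it exists
    if [ -e "$dir/log/run" ]; then set -- "$@" "$dir/log/run"; fi
    for script in "$@"; do
        if [ ! -f "$script" ]; then
            echo "$script: missing"; rc=1; continue
        fi
        # runsv executes the file directly: it needs the x bit and a shebang
        [ -x "$script" ] || { echo "$script: not executable"; rc=1; }
        head -n 1 "$script" | grep -q '^#!' || { echo "$script: no shebang line"; rc=1; }
        # the last command must replace the shell, so the supervised PID is the service
        last=$(grep -v -e '^[[:space:]]*$' -e '^[[:space:]]*#' "$script" |
               tail -n 1 | sed 's/^[[:space:]]*//')
        case $last in
            exec\ *) ;;
            *) echo "$script: last command is not started with exec"; rc=1 ;;
        esac
        # a trailing & would background the service and leave runsv nothing to supervise
        case $last in
            *\&) echo "$script: service is backgrounded"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed demo: the irssi run script from this post, written to a scratch directory
demo=$(mktemp -d)
printf '%s\n' '#!/bin/sh' 'exec 2>&1' 'export HOME=/srv/irc' \
    'exec chpst -uirc screen -S irssi -m -D irssi' > "$demo/run"
chmod +x "$demo/run"
if check_runit_service "$demo"; then echo "service directory passes"; fi
rm -rf "$demo"
```

On the real system it would be called as check_runit_service /etc/sv/irssi.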

January 25 2014




Correcting Internet DisInformation: The American Space Pen / The Russian Pencil

thank you for this.

It's OK to make stuff up [when writing a documentation ...]
If you have the wrong stuff on a page they will tell you, and they will tell you fast, and they will tell you in great detail, and it's the best way of getting information out of developers.
— Lana Brindley, There and Back Again: An Unexpected Journey in Agile Documentation

Sculptures of animated machines

The artist Bob Potts creates kinetic sculptures that represent boats or flying machines.


They are regarded as rioters, troublemakers, hooligans. Yet they make possible for us a life in which right-wing extremists play the role they deserve: none. A defense of a much-maligned subculture.
Thank you, dear Antifa!

December 31 2013


OpenVPN with IPv6 and OpenBSD on a cheap VPS

One day after the Kongress I finally finished my VPN setup. The problem with most "standard" VPN setups (including mine when I went to Hamburg) is that they are IPv4 only, leaving your IPv6 traffic unencrypted unless you block it completely. OpenVPN finally supports IPv6 over TUN devices as of 2.3.0.

I have a cheap VPS from Netcup. Since they moved to KVM, installing any OS is relatively easy; for this machine I chose OpenBSD. The setup should be similar on FreeBSD and DragonFly since they also have PF, although their PF version may be older and the syntax therefore slightly different.

Netcup provide one IPv6 /64, but setting up IPv6 for OpenVPN requires a separate network block for the upstream internet connection and the VPN. One option is buying another /64, but this is relatively expensive (given the whole VPS is less than 10EUR/month) and requires a fax. Instead I used a SixXS tunnel where IPv6 addresses are free. IPv6 traffic for the VPS itself uses the native IPv6.


  • a Netcup VPS with OpenBSD (5.4 or higher, otherwise OpenVPN is too old) and working networking
  • a client (tested with Debian Wheezy)

SixXS setup

If you do not already have a SixXS account, sign up and request a tunnel and an extra subnet. Let the subnet be routed to the tunnel. Note that if you are signing up as a new user, your tunnel may need to be up for a while before you have sufficient ISK to request a subnet.

Set the tunnel to 6in4-static and enter the IPv4 address of your server. Set the MTU to 1480, since 6in4 has less overhead than the other methods. On the server, add /etc/hostname.gif0:

tunnel <server IPv4> <PoP IP>
inet6 <Your IPv6> 128
dest <PoP IPv6>
mtu 1480
group egress

Bring it up with

# sh /etc/netstart gif0

You should now be able to ping6 <PoP IPv6>. Note that we did not add a default route to this interface, so normal IPv6 traffic will still use your VPS' native connection (try ping6 sixxs.net).

VPN setup

DNS recursor

To send all DNS requests through the VPN, set up a DNS recursor. To install it, run

# pkg_add unbound

and make sure the VPN can access the DNS recursor. To do this, look for the access-control: lines in /var/unbound/unbound.conf and add

access-control: <IPv4 VPN range> allow
access-control: <your SixXS subnet> allow

To have it started, add the following lines to /etc/rc.conf.local:

syslogd_flags="${syslogd_flags} -a /var/unbound/dev/log"
pkg_scripts="${pkg_scripts} unbound"

Then restart syslogd and start unbound

# /etc/rc.d/syslogd restart
# /etc/rc.d/unbound start


Install OpenVPN:

# pkg_add openvpn

Generate keys following the HOWTO. Create /etc/openvpn/tun0.conf:

port 1194
proto tcp # or udp, then change client config accordingly
dev tun0
# generate following the PKI howto
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh4096.pem # I use 4096-bit stuff
server <IPv4 VPN network> <netmask> # the IPv4 VPN range
server-ipv6 <your SixXS subnet>
push "route-ipv6 2000::/3" # route internet traffic through the VPN
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS <VPN server IPv4 address>"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
user _openvpn
group _openvpn
status /var/log/openvpn-status.log
log-append  /var/log/openvpn.log
verb 3

Create /etc/hostname.tun0:

!cd /etc/openvpn; /usr/local/sbin/openvpn --config tun0.conf --daemon openvpn/tun0
group vpn

Enable IPv4 and IPv6 forwarding in /etc/sysctl.conf:

net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1

and for the running system run

# sysctl net.inet.ip.forwarding=1
# sysctl net.inet6.ip6.forwarding=1

Set the following in /etc/pf.conf

set block-policy return
set skip on lo

# NAT for IPv4 VPN
match out on egress from <IPv4 VPN range> to any nat-to egress:0

# default rules
block in
pass out

# normal traffic rules
block in on egress
# allow SSH
pass in on egress proto tcp from any to (egress) port 22
pass in proto icmp
pass in proto icmp6
pass in on vpn

# OpenVPN
pass in on egress proto { tcp udp } from any to (egress) port 1194
pass in on egress proto tcp from any to (egress) port 443 rdr-to localhost port 1194

# IPv6 routing for VPN
pass in on vpn from <your SixXS IPv6 block> to ! (egress) route-to (gif0 <PoP IPv6>)

Adjust the last line to your SixXS blocks. It makes sure that IPv6 traffic from the VPN is routed out through SixXS. Incoming traffic is not allowed; if you want this, add a line like

pass in on gif0 from any to <your IPv6 block> <further limits> route-to (tun0 <Your IPv6>)


Load the firewall configuration with

# pfctl -f /etc/pf.conf

and bring the VPN up with

# sh /etc/netstart tun0

You should now be able to connect to it. The client configuration is nothing special:

dev tun
proto tcp
remote <your server> 1194
resolv-retry infinite
ca ca.crt
cert client.crt
key client.key
ns-cert-type server # deprecated in newer OpenVPN releases in favour of remote-cert-tls server
tls-auth ta.key 1
verb 3

# Debian/Ubuntu: set name server
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

If your client has OpenVPN 2.3 or higher, IPv6 will be set up correctly now. Try

# ping6 sixxs.net

on the client.
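
A successful ping6 shows that IPv6 works, but not which path it takes. The following added example (not part of the original post) reads the output of `ip -6 route show` on a Linux client and reports whether global IPv6 traffic is covered by the pushed 2000::/3 route; the function name and the sample routing tables are constructed, and it assumes the VPN interface name starts with tun.

```shell
#!/bin/sh
# Added example (not from the original post): decide from a Linux client's IPv6
# routing table whether global IPv6 traffic is covered by the VPN.
# Input on stdin: the output of `ip -6 route show`.
# Assumption: the VPN interface name starts with "tun" (the client config uses "dev tun").
ipv6_route_verdict() {
    awk '
        # remember the outgoing interface named on this route line
        { dev = ""; for (i = 1; i < NF; i++) if ($i == "dev") dev = $(i + 1) }
        # the route pushed by the server: route-ipv6 2000::/3
        $1 == "2000::/3" && dev ~ /^tun/ { vpn = 1 }
        # a default route decides where everything else goes
        $1 == "default" || $1 == "::/0" { if (dev ~ /^tun/) vpn_default = 1; else clear_default = 1 }
        END {
            if (vpn)                print "tunnelled"   # /3 beats any default (longest prefix)
            else if (clear_default) print "leak"        # global traffic leaves outside the VPN
            else if (vpn_default)   print "tunnelled"
            else                    print "no-route"    # no global IPv6 connectivity at all
        }'
}

# Constructed sample: native IPv6 on eth0, VPN down
vpn_down() {
    printf '%s\n' \
        '2001:db8:1::/64 dev eth0  proto kernel  metric 256' \
        'fe80::/64 dev eth0  proto kernel  metric 256' \
        'default via fe80::1 dev eth0  proto ra  metric 1024'
}
# Constructed sample: same host after OpenVPN 2.3 installed the pushed routes
vpn_up() {
    vpn_down
    printf '%s\n' \
        '2001:db8:2::/64 dev tun0  proto kernel  metric 256' \
        '2000::/3 dev tun0  metric 1024'
}

echo "VPN down: $(vpn_down | ipv6_route_verdict)"
echo "VPN up:   $(vpn_up | ipv6_route_verdict)"
```

On a live client the check is ip -6 route show | ipv6_route_verdict; a result of leak while the VPN is connected means the client did not install the pushed IPv6 route.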

November 06 2013


November 03 2013

I have gotten one question repeatedly from young men. These are guys who liked the book, but they are honestly confused. They ask me why Melinda was so upset about being raped.
The first dozen times I heard this, I was horrified. But I heard it over and over again. I realized that many young men are not being taught the impact that sexual assault has on a woman. They are inundated by sexual imagery in the media, and often come to the (incorrect) conclusion that having sex is not a big deal. This, no doubt, is why the number of sexual assaults is so high.

Laurie Halse Anderson, author of Speak, on the question “Have any readers ever asked questions that shocked you?”

Read that again. Read it again, and again, and again. Over and over guys have asked her why Melinda was so upset about being raped. This is a girl who went to a party with friends. She was thirteen. She had a drink, because everyone else was. And a senior held her down and raped her while she was too drunk to get away.

And guys don’t understand why she was upset.

Read that again and then come back and tell me again why I should just shut up and take a joke when a comedian blows off rape as a big deal, or women’s bodies are casually treated as commodities in media. Remind me why I shouldn’t care about the very real harm that society’s treatment of women and sexual assault does.

(via witchlingfumbles)

The floor is lava!
When the hell that happened?
Fix you