Recent changes to this wiki:

Update name of Viscosity option and explicitly disable compression
diff --git a/posts/using-openvpn-on-ios-and-osx.mdwn b/posts/using-openvpn-on-ios-and-osx.mdwn
index 990f70b..5c9c99f 100644
--- a/posts/using-openvpn-on-ios-and-osx.mdwn
+++ b/posts/using-openvpn-on-ios-and-osx.mdwn
@@ -83,7 +83,8 @@ connection:
    - Tls-Auth: `ta.key`
    - direction: 1
 - **Options**
-   - peer certificate: require server nsCertType
+   - peer certificate: Require certificate was signed for server use
+   - Compression: Off
 - **Networking**
    - send all traffic on VPN
 - **Advanced**
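Review bot: the new `Compression: Off` line has no explanation, and the renamed peer-certificate option is not tied back to the text-mode config in the same file. Say that compression must be disabled consistently on the server and every client (the other OpenVPN client guides on this page drop `comp-lzo` in the same series), and that "Require certificate was signed for server use" is Viscosity's equivalent of the `remote-cert-tls server` directive shown in the iOS config further down this post.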

Improve congestion control
diff --git a/posts/usual-server-setup.mdwn b/posts/usual-server-setup.mdwn
index da30bd7..991c537 100644
--- a/posts/usual-server-setup.mdwn
+++ b/posts/usual-server-setup.mdwn
@@ -383,4 +383,10 @@ queueing discipline (jessie or later) by putting the following in `/etc/sysctl.d
 
     net.core.default_qdisc=fq_codel
 
+and the following to improve congestion control and
+[HTTP/2 prioritization](https://blog.cloudflare.com/http-2-prioritization-with-nginx/):
+
+    net.ipv4.tcp_congestion_control = bbr
+    net.ipv4.tcp_notsent_lowat = 16384
+
 [[!tag sysadmin]] [[!tag debian]] [[!tag nzoss]]
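Review bot: the hunk header still reads "(jessie or later)", but BBR only exists in Linux 4.9 and later, so the new `tcp_congestion_control = bbr` line needs Debian stretch or newer; on an older kernel `sysctl --system` reports an error for that key and silently leaves the default. State the kernel requirement. Minor style point: the new lines use `key = value` spacing while the existing `net.core.default_qdisc=fq_codel` does not; pick one. A verification step such as `sysctl net.ipv4.tcp_congestion_control` after reloading would let readers confirm the module was actually picked up.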

Add a section on forwarding to 1.1.1.1 for DNS-over-TLS
https://www.ctrl.blog/entry/unbound-tls-forwarding
diff --git a/posts/setting-up-your-own-dnssec-aware.mdwn b/posts/setting-up-your-own-dnssec-aware.mdwn
index 500e326..0035ba2 100644
--- a/posts/setting-up-your-own-dnssec-aware.mdwn
+++ b/posts/setting-up-your-own-dnssec-aware.mdwn
@@ -7,7 +7,7 @@ Now that the root DNS servers are [signed,](http://www.root-dnssec.org/2010/07/1
 
 Being already packaged in [Debian](http://packages.debian.org/source/unstable/unbound) and [Ubuntu](https://launchpad.net/ubuntu/+source/unbound), unbound is only an `apt-get` away:
 
-    apt install unbound
+    apt install unbound ca-certificates
 
 ## Optional settings
 
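Review bot: `ca-certificates` is added to the install line without explanation in this hunk; a few words noting that it supplies the `/etc/ssl/certs/ca-certificates.crt` bundle referenced by `tls-cert-bundle` in the new DNS-over-TLS section would make the dependency clear to readers who only follow the installation step.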
@@ -103,6 +103,33 @@ $ dig +dnssec A www.dnssec.cz | grep ad
   
 Are there any other ways of making sure that DNSSEC is fully functional?
 
+## Using DNS-over-TLS using Cloudflare's `1.1.1.1`
+
+In order to make use of [DNS over
+TLS](https://en.wikipedia.org/wiki/DNS_over_TLS) and effectively hide DNS
+queries from anybody looking at your network traffic, one option is to
+forward your queries to [Cloudflare's
+`1.1.1.1`](https://cloudflare-dns.com):
+
+    server:
+        tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
+    
+    forward-zone:
+        name: "."
+        forward-tls-upstream: yes
+        # Cloudflare DNS
+        forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
+        forward-addr: 1.1.1.1@853#cloudflare-dns.com
+        forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
+        forward-addr: 1.0.0.1@853#cloudflare-dns.com
+
+While Unbound appears to support DNS over TLS natively, it's not clear to me
+that it will connect to DNS servers over TLS while doing a recursive name
+resolution. Additionally, it will leak queries to non-encrypted servers to
+your ISP and other potential on-path attackers. Therefore, forwarding
+traffic to a non-logging trusted recursive resolver appears to be the best
+solution at the moment.
+
 ## Integration with OpenVPN
 
 If you are [running your own OpenVPN server](https://feeding.cloud.geek.nz/posts/creating-a-linode-based-vpn-setup-using_openvpn_on_debian_or_ubuntu/),
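Review bot: the heading doubles the word "using" ("Using DNS-over-TLS using Cloudflare's"); "Using DNS-over-TLS with Cloudflare's `1.1.1.1`" reads better. The sentence "effectively hide DNS queries from anybody looking at your network traffic" overstates what forwarding does: it moves visibility of every query from the ISP to Cloudflare, and the destination IP addresses of the subsequent connections remain visible on the wire. The closing paragraph already frames this correctly as trusting a non-logging resolver, so the intro should say the same. It is also worth stating that the `#cloudflare-dns.com` suffix on each `forward-addr` is the name Unbound checks the upstream certificate against, which is why `tls-cert-bundle` must be set; without it the connection is encrypted but the server is not authenticated.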

Remove comments which have been merged into the article
diff --git a/posts/setting-up-your-own-dnssec-aware/comment_3_cc2943361afc1181a8920ffbfd028465._comment b/posts/setting-up-your-own-dnssec-aware/comment_3_cc2943361afc1181a8920ffbfd028465._comment
deleted file mode 100644
index b47155d..0000000
--- a/posts/setting-up-your-own-dnssec-aware/comment_3_cc2943361afc1181a8920ffbfd028465._comment
+++ /dev/null
@@ -1,11 +0,0 @@
-[[!comment format=mdwn
- ip="162.243.251.96"
- subject="OpenVPN settings"
- date="2017-08-16T06:28:48Z"
- content="""
-Dear François,
-
-Thank you so much for this! What changes need to be made to /etc/openvpn/server.conf in order to use Unbound from within the VPN tunnel when connected to the server from an external client?
-
-Thanks for your help, François!
-"""]]
diff --git a/posts/setting-up-your-own-dnssec-aware/comment_4_76f7656b5ca945dc2cf6a11ee9402d12._comment b/posts/setting-up-your-own-dnssec-aware/comment_4_76f7656b5ca945dc2cf6a11ee9402d12._comment
deleted file mode 100644
index 39b5f93..0000000
--- a/posts/setting-up-your-own-dnssec-aware/comment_4_76f7656b5ca945dc2cf6a11ee9402d12._comment
+++ /dev/null
@@ -1,11 +0,0 @@
-[[!comment format=mdwn
- username="francois@665656f0ba400877c9b12e8fbb086e45aa01f7c0"
- nickname="francois"
- avatar="http://fmarier.org/avatar/0110e86fdb31486c22dd381326d99de9"
- subject="Re: OpenVPN settings"
- date="2017-08-16T16:20:31Z"
- content="""
-> What changes need to be made to /etc/openvpn/server.conf in order to use Unbound from within the VPN tunnel when connected to the server from an external client?
-
-I haven't yet figured out how to do that, but it's something I'd really like to add to my [OpenVPN setup](https://feeding.cloud.geek.nz/posts/creating-a-linode-based-vpn-setup-using_openvpn_on_debian_or_ubuntu/).
-"""]]
diff --git a/posts/setting-up-your-own-dnssec-aware/comment_5_650c2de462eaf647cf57a7989e8f67fd._comment b/posts/setting-up-your-own-dnssec-aware/comment_5_650c2de462eaf647cf57a7989e8f67fd._comment
deleted file mode 100644
index 4cc2a1a..0000000
--- a/posts/setting-up-your-own-dnssec-aware/comment_5_650c2de462eaf647cf57a7989e8f67fd._comment
+++ /dev/null
@@ -1,47 +0,0 @@
-[[!comment format=mdwn
- ip="162.243.251.96"
- claimedauthor="Eldin Hadzic"
- subject="Solution"
- date="2017-08-26T23:33:27Z"
- content="""
-I figured it out.
-
-In order for OpenVPN to use the locally installed Unbound DNS resolver, do this:
-
-First check for the IP we should use with: `sudo ifconfig`
-
-The IP we need is the one listed at 
-
-    tun0: inet 10.8.0.1
-
-## UNBOUND
-
-Add this to `/etc/unbound/unbound.conf`:
-
-    server:
-        interface: 127.0.0.1
-        interface: 10.8.0.1
-        access-control: 127.0.0.1 allow
-        access-control: 10.8.0.1/24 allow
-
-Then restart Unbound with: `sudo service unbound restart`
-
-Test with: `dig @10.8.0.1 google.com`
-
-(SERVER should read: `SERVER: 10.8.0.1#53(10.8.0.1)`)
-
-## OPENVPN
-
-Add this to (or modify) `/etc/openvpn/server.conf`:
-
-    push \"redirect-gateway def1 bypass-dhcp\"
-    push \"dhcp-option DNS 10.8.0.1\"
-    push \"register-dns\"
-
-Then restart OpenVPN with: `sudo service openvpn restart`
-
-OpenVPN clients should now be using Unbound. Test at <http://dnsleak.com/>.
-
-Eldin Hadzic
-eldinhadzic@protonmail.com
-"""]]
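Review bot: if this comment's content was merged into the article as the commit message says, two things in it must not be carried over verbatim: the backslash-escaped quotes in `push \"redirect-gateway def1 bypass-dhcp\"` are comment-markup escaping, not OpenVPN syntax, and `access-control: 10.8.0.1/24 allow` denotes the network `10.8.0.0/24`, which is the clearer way to write it. `register-dns` is also documented as a Windows-only OpenVPN client option, so the article should say it is there for Windows clients.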

Fix config file blurbs and remove unnecessary lines
diff --git a/posts/setting-up-your-own-dnssec-aware.mdwn b/posts/setting-up-your-own-dnssec-aware.mdwn
index 86d07ba..500e326 100644
--- a/posts/setting-up-your-own-dnssec-aware.mdwn
+++ b/posts/setting-up-your-own-dnssec-aware.mdwn
@@ -2,39 +2,38 @@
 [[!meta date="2010-09-12T18:00:00.000+12:00"]]
 [[!meta license="[Creative Commons Attribution-ShareAlike 4.0 International License](http://creativecommons.org/licenses/by-sa/4.0/)"]]
 Now that the root DNS servers are [signed,](http://www.root-dnssec.org/2010/07/16/status-update-2010-07-16/) I thought it was time I started using [DNSSEC](https://secure.wikimedia.org/wikipedia/en/wiki/Dnssec) on my own PC. However, not wanting to wait for my ISP to enable it, I decided to setup a private recursive DNS resolver for myself using [Unbound](http://unbound.net/).  
-  
 
 ## Installing Unbound
 
 Being already packaged in [Debian](http://packages.debian.org/source/unstable/unbound) and [Ubuntu](https://launchpad.net/ubuntu/+source/unbound), unbound is only an `apt-get` away:
 
-
     apt install unbound
 
 ## Optional settings
 
 In `/etc/unbound/unbound.conf.d/francois.conf`, I enabled the following security options:
 
-    harden-below-nxdomain: yes
-    harden-referral-path: yes
-    harden-algo-downgrade: no # false positives with improperly configured zones
-    use-caps-for-id: no # makes lots of queries fail
-    hide-identity: yes
-    hide-version: yes
+    server:
+        harden-below-nxdomain: yes
+        harden-referral-path: yes
+        harden-algo-downgrade: no # false positives with improperly configured zones
+        use-caps-for-id: no # makes lots of queries fail
+        hide-identity: yes
+        hide-version: yes
 
 and turned on prefetching to hopefully keep in cache the sites I visit regularly:
 
-
-    prefetch: yes
-    prefetch-key: yes
-    msg-cache-size: 128k
-    msg-cache-slabs: 2
-    rrset-cache-size: 8m
-    rrset-cache-slabs: 2
-    key-cache-size: 32m
-    key-cache-slabs: 2
-    cache-min-ttl: 3600
-    num-threads: 2
+    server:
+        prefetch: yes
+        prefetch-key: yes
+        msg-cache-size: 128k
+        msg-cache-slabs: 2
+        rrset-cache-size: 8m
+        rrset-cache-slabs: 2
+        key-cache-size: 32m
+        key-cache-slabs: 2
+        cache-min-ttl: 3600
+        num-threads: 2
 
 Finally, I also enabled the control interface:
 
@@ -44,37 +43,31 @@ Finally, I also enabled the control interface:
 
 and increased the amount of debugging information:
 
-    val-log-level: 2
-    use-syslog: yes
-    verbosity: 1
+    server:
+        val-log-level: 2
+        use-syslog: yes
+        verbosity: 1
 
 before running `sudo unbound-control-setup` to generate the necessary keys.
   
 Once unbound is restarted (`sudo service unbound restart`) stats can be queried to make sure that the DNS resolver is working:
 
-
     unbound-control stats
   
-
 ## Overriding DHCP settings
 
 In order to use my own unbound server for DNS lookups and not the one received via [DHCP](https://secure.wikimedia.org/wikipedia/en/wiki/Dhcp), I added this line to `/etc/dhcp/dhclient.conf`:
 
-
     supersede domain-name-servers 127.0.0.1;
 
-
 and restarted dhclient:
 
-
     sudo killall dhclient
     sudo killall dhclient
     sudo /etc/init.d/network-manager restart
 
-
 If you're not using DHCP, then you simply need to put this in your `/etc/resolv.conf`:
 
-
     nameserver 127.0.0.1
 
 or on more recent distros, the following in `/etc/systemd/resolved.conf`:
@@ -135,6 +128,4 @@ Then restart both services and everything should work:
     systemctl restart unbound.service
     systemctl restart openvpn.service
 
-You can test it on <http://dnsleak.com>.
-
 [[!tag catalyst]] [[!tag debian]] [[!tag sysadmin]] [[!tag security]] [[!tag ubuntu]] [[!tag nzoss]] [[!tag dns]] [[!tag dnssec]] [[!tag openvpn]]
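Review bot: removing the dnsleak.com pointer leaves the OpenVPN section with no verification step at all; rather than dropping it, replace it with a local check, for example running the `dig +dnssec A www.dnssec.cz | grep ad` command already used earlier in this post from a connected client, and confirming the `SERVER:` line in the answer names the resolver pushed over the VPN.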

Disable LZO compression on OpenVPN
diff --git a/posts/creating-a-linode-based-vpn-setup-using_openvpn_on_debian_or_ubuntu.mdwn b/posts/creating-a-linode-based-vpn-setup-using_openvpn_on_debian_or_ubuntu.mdwn
index 2ec0414..fa0c8ec 100644
--- a/posts/creating-a-linode-based-vpn-setup-using_openvpn_on_debian_or_ubuntu.mdwn
+++ b/posts/creating-a-linode-based-vpn-setup-using_openvpn_on_debian_or_ubuntu.mdwn
@@ -159,8 +159,6 @@ connection of type "OpenVPN":
 
 then click the "Avanced" button and set the following:
 
-* General
-   * Use LZO data compression: `YES`
 * Security
    * Cipher: `AES-256-GCM`
 * TLS Authentication
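Review bot: the commit message says "Disable LZO compression on OpenVPN", but none of the hunks touch the server's `/etc/openvpn/server.conf`; only client-side settings are removed. If the server still has `comp-lzo` (or pushes it) then clients without it cannot exchange traffic, so the server post should show the matching server-side removal, or state that the server was already configured without compression.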
diff --git a/posts/using-openvpn-on-android-lollipop.mdwn b/posts/using-openvpn-on-android-lollipop.mdwn
index 4a08a0f..631c4c8 100644
--- a/posts/using-openvpn-on-android-lollipop.mdwn
+++ b/posts/using-openvpn-on-android-lollipop.mdwn
@@ -36,7 +36,6 @@ you'll need to use on your phone:
 
 Basic:
 
-- LZO Compression: `YES`
 - Type: `Certificates`
 - CA Certificate: `ca.crt`
 - Client Certificate: `nexus6.crt`
diff --git a/posts/using-openvpn-on-ios-and-osx.mdwn b/posts/using-openvpn-on-ios-and-osx.mdwn
index 41eb522..990f70b 100644
--- a/posts/using-openvpn-on-ios-and-osx.mdwn
+++ b/posts/using-openvpn-on-ios-and-osx.mdwn
@@ -59,7 +59,6 @@ Here is the config I successfully used to connect to my server:
     cert iphone.crt
     key iphone.key
     cipher AES-256-GCM
-    comp-lzo yes
     proto udp
     tls-remote server
     remote-cert-tls server
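Review bot: the unchanged context shows both `tls-remote server` and `remote-cert-tls server`. `tls-remote` was deprecated in OpenVPN 2.3 and removed in 2.4, where its presence makes the config fail to parse, so while editing this block it is worth dropping it; `remote-cert-tls server` already enforces the server-usage check and `verify-x509-name` is the supported replacement for matching the name.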
@@ -85,7 +84,6 @@ connection:
    - direction: 1
 - **Options**
    - peer certificate: require server nsCertType
-   - compression: turn LZO on
 - **Networking**
    - send all traffic on VPN
 - **Advanced**

Add CRL to OpenVPN config
diff --git a/posts/creating-a-linode-based-vpn-setup-using_openvpn_on_debian_or_ubuntu.mdwn b/posts/creating-a-linode-based-vpn-setup-using_openvpn_on_debian_or_ubuntu.mdwn
index 853ef79..2ec0414 100644
--- a/posts/creating-a-linode-based-vpn-setup-using_openvpn_on_debian_or_ubuntu.mdwn
+++ b/posts/creating-a-linode-based-vpn-setup-using_openvpn_on_debian_or_ubuntu.mdwn
@@ -78,6 +78,7 @@ On my server, called `hafnarfjordur.fmarier.org`, I installed the
 and then copied the following files from my high-entropy machine:
 
     cp ca.crt dh2048.pem server.key server.crt ta.key /etc/openvpn/
+    touch /etc/openvpn/crl.pem
     chown root:root /etc/openvpn/*
     chmod 600 /etc/openvpn/ta.key /etc/openvpn/server.key
 
@@ -99,6 +100,7 @@ and set the following in `/etc/openvpn/server.conf` (which includes recommendati
     ncp-disable
     user nobody
     group nogroup
+    crl-verify crl.pem
 
 (These DNS servers are the ones I found in `/etc/resolv.conf` on my Linode VPS.)
 
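Review bot: `touch /etc/openvpn/crl.pem` creates an empty file, which is not a parseable PEM CRL; OpenVPN will report that it cannot read a CRL from it and the new `crl-verify crl.pem` directive then revokes nothing. Generate a real (initially empty) CRL from the CA instead, for example with easy-rsa's `gen-crl` or `openssl ca -gencrl`, and add a sentence on how the file is regenerated and copied to the server when a client certificate is revoked, since a CRL that is never refreshed provides no protection. Note also that `crl.pem` is correctly left out of the `chmod 600` line: OpenVPN re-reads it for later connections after dropping to `user nobody`, so it must stay readable by that user.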

Comment moderation
diff --git a/posts/installing-vidyo-on-ubuntu-1804/comment_2_93c96cdc7713032646438fe0a172a56c._comment b/posts/installing-vidyo-on-ubuntu-1804/comment_2_93c96cdc7713032646438fe0a172a56c._comment
new file mode 100644
index 0000000..c735c96
--- /dev/null
+++ b/posts/installing-vidyo-on-ubuntu-1804/comment_2_93c96cdc7713032646438fe0a172a56c._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ username="francois@665656f0ba400877c9b12e8fbb086e45aa01f7c0"
+ nickname="francois"
+ subject="Re: comment 1"
+ date="2018-11-08T06:32:12Z"
+ content="""
+I'm not sure why you're saying that it's sloppy for a system-wide binary to be owned by root. That's both [the policy in Debian](https://www.debian.org/doc/debian-policy/ch-files.html#permissions-and-owners) and also it prevents an ordinary user from tampering a binary that could be used by other users.
+"""]]

Comment moderation
diff --git a/posts/installing-vidyo-on-ubuntu-1804/comment_1_03e04002d4cb78385f28970bc70bb8ee._comment b/posts/installing-vidyo-on-ubuntu-1804/comment_1_03e04002d4cb78385f28970bc70bb8ee._comment
new file mode 100644
index 0000000..ec7728d
--- /dev/null
+++ b/posts/installing-vidyo-on-ubuntu-1804/comment_1_03e04002d4cb78385f28970bc70bb8ee._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ ip="2620:101:80f8:224:b92d:19e8:b46d:ea95"
+ subject="comment 1"
+ date="2018-11-07T19:02:03Z"
+ content="""
+    sudo chown root:root /usr/bin/VidyoDesktop  
+Why, specifically, does it need to be root?  Simple chown-to-root is operationally sloppy/Windows-think.  Do you have a setcap(8) procedure that could yield a viable result?
+"""]]
diff --git a/posts/running-your-own-xmpp-server-debian-ubuntu/comment_6_f1867c6f2b06324f6bb268a4ba839219._comment b/posts/running-your-own-xmpp-server-debian-ubuntu/comment_6_f1867c6f2b06324f6bb268a4ba839219._comment
new file mode 100644
index 0000000..3a8c2f0
--- /dev/null
+++ b/posts/running-your-own-xmpp-server-debian-ubuntu/comment_6_f1867c6f2b06324f6bb268a4ba839219._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ ip="86.42.105.221"
+ claimedauthor="lsjmhar "
+ subject="ejabberd"
+ date="2018-10-31T00:28:40Z"
+ content="""
+You can install freedombox on debian now and it provides apps to bypass all thia - ejabberd, matrix, lets encrypt and more.
+"""]]

Add post about lean data at Mozilla
diff --git a/posts/lean-data-in-practice.mdwn b/posts/lean-data-in-practice.mdwn
new file mode 100644
index 0000000..feaf715
--- /dev/null
+++ b/posts/lean-data-in-practice.mdwn
@@ -0,0 +1,83 @@
+[[!meta title="Lean data in practice"]]
+[[!meta date="2018-11-01T08:05:00.000-07:00"]]
+[[!meta license="[Creative Commons Attribution-ShareAlike 4.0 International License](http://creativecommons.org/licenses/by-sa/4.0/)"]]
+
+Mozilla has been promoting the idea of [lean
+data](https://www.mozilla.org/about/policy/lean-data/) for a while. It's
+about recognizing both that data is valuable and that it is a dangerous
+thing to hold on to. Following these lean data principles forces you to
+clarify the questions you want to answer and think hard about the minimal
+set of information you need to answer these questions.
+
+Out of these general principles came the [Firefox data collection
+guidelines](https://wiki.mozilla.org/Firefox/Data_Collection). These are the
+guidelines that every team must follow when they want to collect [data about
+our users](https://data.firefox.com/) and that are enforced through the data
+stewardship program.
+
+As one of the data steward for Firefox, I have reviewed hundreds of data
+collection requests and can attest to the fact that Mozilla does follow the
+lean data principles it promotes. Mozillians are already aware of the
+problems with collecting large amounts of data, but the Firefox data review
+process provides an additional opportunity for an outsider to question the
+necessity of each piece of data. In my experience, this system is quite
+effective at reducing the data footprint of Firefox.
+
+What does lean data look like in practice? Here are a few examples of
+changes that were made to restrict the data collected by Firefox to what is
+truly needed:
+
+- Collecting a user's country is not particularly identifying in the case of
+  large countries likes the USA, but it can be when it comes to very small
+  island nations. How many Firefox users are there in
+  [Niue](https://en.wikipedia.org/wiki/Niue)? Hard to know, but it's
+  definitely less than the number of Firefox users in Germany. After I
+  raised that issue, the team decided to [put all of the small countries
+  into a single "other"
+  bucket](https://github.com/mozilla/activity-stream/pull/3877/commits/9a48cbec1cc1686758fec5cdfae5995f10918904).
+
+- Similarly, cities generally have enough users to be non-identifying.
+  However, some municipalities are quite small and can lead to the same
+  problems. There are lots of Firefox users in [Portland,
+  Oregon](https://en.wikipedia.org/wiki/Portland,_Oregon) for example, but
+  probably not that many in [Portland,
+  Arkansas](https://en.wikipedia.org/wiki/Portland,_Arkansas) or [Portland,
+  Pennsylvania](https://en.wikipedia.org/wiki/Portland,_Pennsylvania). If
+  you want to tell the [Oregonian
+  Portlanders](https://www.youtube.com/watch?v=cnVjkE87FDY) apart, it might
+  be sufficient to bucket Portland users into "Oregon" and "not Oregon",
+  instead of recording both the city and the state.
+
+- When collecting window sizes and other pixel-based measurements, it's
+  easier to collect the exact value. However, that exact value could be
+  stable for a while and create a temporary
+  [fingerprint](https://en.wikipedia.org/wiki/Device_fingerprint) for a
+  user. In most cases, teams wanting to collect this kind of data have
+  agreed to round the value in order to increase the number of users in each
+  "bucket" without affecting their ability to answer their underlying
+  questions.
+
+- Firefox occasionally runs studies which involve collecting specific URLs
+  that users have consented to share with us (e.g. "this site crashes my
+  Firefox"). In most cases though, the full URL is not needed and so I have
+  often been able to get teams to restrict the collection to the hostname,
+  or to at least remove the query string, which could include username and
+  passwords on badly-designed websites.
+
+- When [making use of Google
+  Analytics](https://hacks.mozilla.org/2016/01/google-analytics-privacy-and-event-tracking/),
+  it may not be necessary to collect everything it supports by default. For
+  example, my [suggestion to trim the
+  referrers](https://github.com/mozilla-services/screenshots/issues/2579)
+  was implemented by one of the teams using Google Analytics since while it
+  would have been an interesting data point, it wasn't necessary to answer
+  the questions they had in mind.
+
+Some of these might sound like small wins, but to me they are a sign that
+the process is working. In most cases, requests are
+very easy to approve because developers have already done the hard work of
+data minimization. In a few cases, by asking questions and getting familiar
+with the problem, the data steward can point out opportunities for further
+reductions in data collection that the team may have missed.
+
+[[!tag mozilla]] [[!tag privacy]]
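Review bot: a few typos in the new post: "As one of the data steward for Firefox" should be "data stewards", "large countries likes the USA" should be "like", and "username and passwords" should be "usernames and passwords".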

Fix time of Vidyo post
diff --git a/posts/installing-vidyo-on-ubuntu-1804.mdwn b/posts/installing-vidyo-on-ubuntu-1804.mdwn
index 19291df..3121a0f 100644
--- a/posts/installing-vidyo-on-ubuntu-1804.mdwn
+++ b/posts/installing-vidyo-on-ubuntu-1804.mdwn
@@ -1,5 +1,5 @@
 [[!meta title="Installing Vidyo on Ubuntu 18.04"]]
-[[!meta date="2018-10-29T15:45:00:00.000-07:00"]]
+[[!meta date="2018-10-29T15:45:00.000-07:00"]]
 [[!meta license="[Creative Commons Attribution-ShareAlike 4.0 International License](http://creativecommons.org/licenses/by-sa/4.0/)"]]
 
 Following [these

creating tag page tags/vidyo
diff --git a/tags/vidyo.mdwn b/tags/vidyo.mdwn
new file mode 100644
index 0000000..54dd80c
--- /dev/null
+++ b/tags/vidyo.mdwn
@@ -0,0 +1,4 @@
+[[!meta title="pages tagged vidyo"]]
+
+[[!inline pages="tagged(vidyo)" actions="no" archive="yes"
+feedshow=10]]

Add a post about Vidyo on Ubuntu 18.04
diff --git a/posts/installing-vidyo-on-ubuntu-1804.mdwn b/posts/installing-vidyo-on-ubuntu-1804.mdwn
new file mode 100644
index 0000000..19291df
--- /dev/null
+++ b/posts/installing-vidyo-on-ubuntu-1804.mdwn
@@ -0,0 +1,60 @@
+[[!meta title="Installing Vidyo on Ubuntu 18.04"]]
+[[!meta date="2018-10-29T15:45:00:00.000-07:00"]]
+[[!meta license="[Creative Commons Attribution-ShareAlike 4.0 International License](http://creativecommons.org/licenses/by-sa/4.0/)"]]
+
+Following [these
+instructions](http://information-technology.web.cern.ch/services/fe/howto/users-use-vidyo-linux)
+as well as the comments in there, I was able to get
+[Vidyo](https://www.vidyo.com/), the proprietary videoconferencing system
+that Mozilla uses internally, to work on [Ubuntu](https://www.ubuntu.com/)
+18.04 (Bionic Beaver). The same instructions should work on recent versions
+of [Debian](https://www.debian.org/) too.
+
+# Installing dependencies
+
+First of all, install all of the package dependencies:
+
+    sudo apt install libqt4-designer libqt4-opengl libqt4-svg libqtgui4 libqtwebkit4 sni-qt overlay-scrollbar-gtk2 libcanberra-gtk-module
+
+Then, ensure you have a [system tray application
+running](https://bugzilla.mozilla.org/show_bug.cgi?id=989811#c3). This
+should be the case for most desktop environments.
+
+# Building a custom Vidyo package
+
+Download [version 3.6.3](https://vidyoportal.cern.ch/upload/VidyoDesktopInstaller-ubuntu64-TAG_VD_3_6_3_017.deb)
+from the [CERN Vidyo
+Portal](https://vidyoportal.cern.ch/download.html?lang=en) but don't expect
+to be able to install it right away.
+
+You need to first hack the package in order to [remove obsolete
+dependencies](https://support.vidyocloud.com/hc/en-us/articles/226103528-VidyoDesktop-3-6-3-for-Linux-and-Ubuntu-15-04-and-higher).
+
+Once that's done, install the resulting package:
+
+    sudo dpkg -i vidyodesktop-custom.deb
+
+# Packaging fixes and configuration
+
+There are a few more things to fix before it's ready to be used.
+
+First, fix the ownership on the main executable:
+
+    sudo chown root:root /usr/bin/VidyoDesktop
+
+Then disable autostart since you don't probably don't want to keep the
+client running all of the time (and listening on the network) given it
+hasn't received any updates in a long time and has apparently been abandoned
+by Vidyo:
+
+    sudo rm /etc/xdg/autostart/VidyoDesktop.desktop
+
+Remove any old configs in your home directory that could interfere with this
+version:
+
+    rm -rf ~/.vidyo ~/.config/Vidyo
+
+Finally, launch `VidyoDesktop` and go into the settings to check "Always use
+VidyoProxy".
+
+[[!tag mozilla]] [[!tag vidyo]]
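Review bot: the `[[!meta date="2018-10-29T15:45:00:00.000-07:00"]]` line has an extra `:00` in the time (a later commit on this page fixes it), and "you don't probably don't want" doubles "don't". The `sudo chown root:root /usr/bin/VidyoDesktop` step gives no reason; a clause saying that a system-wide executable must not be writable by an ordinary user who could then alter what other users run would pre-empt the question the first comment on this post goes on to ask. Finally, the reader is told to download a `.deb`, hand-edit it and install it with `dpkg -i`, but the post offers nothing to verify the download against; if the CERN portal publishes a checksum for the file, link it.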

Create the tmp directory if it doesn't exist already
diff --git a/posts/crashplan-and-non-executable-tmp-directories.mdwn b/posts/crashplan-and-non-executable-tmp-directories.mdwn
index c63036c..e03925b 100644
--- a/posts/crashplan-and-non-executable-tmp-directories.mdwn
+++ b/posts/crashplan-and-non-executable-tmp-directories.mdwn
@@ -65,6 +65,12 @@ machine), by adding something like this to the `SRV_JAVA_OPTS` variable of
 
     -Djava.io.tmpdir=/var/tmp/crashplan
 
+To ensure that the directory exists, you can put the following in `/etc/rc.local`:
+
+    #!/bin/sh -e
+    mkdir -p /var/tmp/crashplan
+    exit 0
+
 Finally, it seems like you **need to restart the machine** before this
 starts working. I'm not sure why restarting crashplan isn't enough.
 
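Review bot: on systemd-based Debian and Ubuntu `/etc/rc.local` only runs when the file is executable (`rc-local.service` carries `ConditionFileIsExecutable=/etc/rc.local`), so the post should add `chmod +x /etc/rc.local`; because the snippet is creating the file from scratch (hence the shebang line) that step is easy to miss. A tmpfiles entry such as `d /var/tmp/crashplan 0755 root root -` in `/etc/tmpfiles.d/crashplan.conf` is the more idiomatic way to guarantee the directory at boot and avoids rc.local entirely; tighten the mode to the service's own user if it does not run as root.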

Ensure that mon isn't listening on all network interfaces
diff --git a/posts/usual-server-setup.mdwn b/posts/usual-server-setup.mdwn
index 3807f51..da30bd7 100644
--- a/posts/usual-server-setup.mdwn
+++ b/posts/usual-server-setup.mdwn
@@ -359,6 +359,10 @@ To monitor that mail never stops flowing, add this machine to a free
 In order to ensure that the root partition never has less than 1G of free
 space, I put the following in `/etc/mon/mon.cf`:
 
+    serverbind = 127.0.0.1
+    trapbind = 127.0.0.1
+    clientallow = 127.0.0.1
+    
     watch localhost
         service freespace
             interval 10m
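Review bot: the three bind/allow lines are inserted directly above `watch localhost` with a whitespace-only line between them; they are global `mon.cf` settings, so place them at the top of the file with a one-line comment saying they keep mon off the public interfaces, and mention restarting `mon.service` and confirming with `ss -ltnp` that it now listens on 127.0.0.1 only.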

Add diskspace monitoring with mon
diff --git a/posts/usual-server-setup.mdwn b/posts/usual-server-setup.mdwn
index 19582f0..3807f51 100644
--- a/posts/usual-server-setup.mdwn
+++ b/posts/usual-server-setup.mdwn
@@ -352,6 +352,25 @@ To monitor that mail never stops flowing, add this machine to a free
 
     0 1 * * * root echo "ping" | mail xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx@hchk.io
 
+# Monitoring
+
+    apt install --no-install-recommends mon libfilesys-diskspace-perl
+
+In order to ensure that the root partition never has less than 1G of free
+space, I put the following in `/etc/mon/mon.cf`:
+
+    watch localhost
+        service freespace
+            interval 10m
+            monitor freespace.monitor /:1048576 ;;
+            period
+                numalerts 10
+                alert mail.alert root
+                upalert mail.alert root
+                alertevery 60m
+
+and then `systemctl restart mon.service`.
+
 # Network tuning
 
 To [reduce the server's contribution to
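Review bot: `freespace.monitor /:1048576` takes its threshold in kilobytes, so 1048576 is the 1G the prose promises, but the unit is not stated anywhere; add it next to the value. Also, the `apt install` line sits directly under `# Monitoring` with no introducing sentence, unlike the other sections of this post.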

Comment moderation
diff --git a/posts/tls_authentication_freenode_and_oftc/comment_3_ff61fc9636d7df82c721a08c8be0b9a7._comment b/posts/tls_authentication_freenode_and_oftc/comment_3_ff61fc9636d7df82c721a08c8be0b9a7._comment
new file mode 100644
index 0000000..77af10a
--- /dev/null
+++ b/posts/tls_authentication_freenode_and_oftc/comment_3_ff61fc9636d7df82c721a08c8be0b9a7._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ ip="185.220.102.6"
+ claimedauthor="austere"
+ subject="tls authentication freenode and oftc"
+ date="2018-10-08T00:55:14Z"
+ content="""
+Has the irssi certificate leakage been fixed yet?
+"""]]

Improving formatting of filenames and package name.
diff --git a/posts/encrypted-swap-partition-on.mdwn b/posts/encrypted-swap-partition-on.mdwn
index a61e38b..9204e2a 100644
--- a/posts/encrypted-swap-partition-on.mdwn
+++ b/posts/encrypted-swap-partition-on.mdwn
@@ -5,15 +5,15 @@ The swap partition can hold a lot of unencrypted confidential information and th
   
 Encrypting a swap partition however is slightly tricky if one wants to also support suspend-to-disk (also called hibernation). Here's a procedure that worked for me on both Debian Stretch and Ubuntu 18.04 (Bionic Beaver):
   
-1. Install the cryptsetup package:  
+1. Install the [cryptsetup package](https://packages.debian.org/stable/cryptsetup):
 
        apt install cryptsetup
 
-2. Add this line to /etc/crypttab:  
+2. Add this line to `/etc/crypttab`:
 
        sda2_crypt /dev/sda2 /dev/urandom cipher=aes-xts-plain64,size=256,swap,discard
 
-3. Set the swap partition to be this in /etc/fstab:  
+3. Set the swap partition to be this in `/etc/fstab`:
 
        /dev/mapper/sda2_crypt none swap sw 0 0
 

Update for newer Ubuntu and Debian, switch to a random key.
diff --git a/posts/encrypted-swap-partition-on.mdwn b/posts/encrypted-swap-partition-on.mdwn
index a21c399..a61e38b 100644
--- a/posts/encrypted-swap-partition-on.mdwn
+++ b/posts/encrypted-swap-partition-on.mdwn
@@ -3,33 +3,22 @@
 [[!meta license="[Creative Commons Attribution-ShareAlike 4.0 International License](http://creativecommons.org/licenses/by-sa/4.0/)"]]
 The swap partition can hold a lot of unencrypted confidential information and the fact that it persists after shutting down the computer can be a problem.  
   
-Encrypting a swap partition however is slightly tricky if one wants to also support suspend-to-disk (also called hibernation). Here's a procedure that worked for me on both Debian Lenny and Ubuntu 7.10 (Gutsy Gibbon):  
+Encrypting a swap partition however is slightly tricky if one wants to also support suspend-to-disk (also called hibernation). Here's a procedure that worked for me on both Debian Stretch and Ubuntu 18.04 (Bionic Beaver):
   
 1. Install the cryptsetup package:  
 
-       apt-get install cryptsetup
-
-1. Setup the encrypted partition as root:  
-
-       swapoff -a
-       cryptsetup -h sha256 -c aes-cbc-essiv:sha256 -s 256 luksFormat /dev/hda2
-       cryptsetup luksOpen /dev/hda2 cswap
-       mkswap /dev/mapper/cswap
+       apt install cryptsetup
 
 2. Add this line to /etc/crypttab:  
 
-       cswap /dev/hda2 none swap,luks,timeout=30
+       sda2_crypt /dev/sda2 /dev/urandom cipher=aes-xts-plain64,size=256,swap,discard
 
 3. Set the swap partition to be this in /etc/fstab:  
 
-       /dev/mapper/cswap none swap sw 0 0
+       /dev/mapper/sda2_crypt none swap sw 0 0
 
-4. Configure uswsusp to use **/dev/mapper/cswap** and **write unencrypted data**  
+You will of course want to replace `/dev/sda2` with the partition that currently holds your unencrypted swap.  
 
-       dpkg-reconfigure -plow uswsusp
-
-You will of course want to replace `/dev/hda2` with the partition that currently holds your unencrypted swap.  
-  
-(This is loosely based on a similar [procedure for Ubuntu 6.10](http://www.c3l.de/linux/howto-completly-encrypted-harddisk-including-suspend-to-encrypted-disk-with-ubuntu-6.10-edgy-eft.html).)
+This is loosely based on a similar [procedure for Ubuntu 6.10](http://www.c3l.de/linux/howto-completly-encrypted-harddisk-including-suspend-to-encrypted-disk-with-ubuntu-6.10-edgy-eft.html), but I don't use suspend-to-disk and so I simplified the setup and use a random encryption key instead of a passphrase.
 
 [[!tag debian]] [[!tag security]] [[!tag ubuntu]] [[!tag luks]]
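Review bot: two caveats belong next to the new `/etc/crypttab` line. First, `discard` on an encrypted swap lets the drive see which blocks are unused, which leaks the swap's usage pattern; cryptsetup documents this trade-off, so the post should present it as a deliberate performance choice. Second, because the key is random the partition is re-created with `mkswap` on every boot, so if `/dev/sda2` ever refers to a different partition (a disk reorder or a newly added drive) that partition is wiped; reference the device by a stable `/dev/disk/by-id/...` or `/dev/disk/by-partuuid/...` path instead (a filesystem UUID cannot be used since it changes each boot). The closing sentence correctly notes that suspend-to-disk cannot work with a random key.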

Fix formatting
diff --git a/posts/encrypted-swap-partition-on.mdwn b/posts/encrypted-swap-partition-on.mdwn
index a3b2712..a21c399 100644
--- a/posts/encrypted-swap-partition-on.mdwn
+++ b/posts/encrypted-swap-partition-on.mdwn
@@ -7,30 +7,29 @@ Encrypting a swap partition however is slightly tricky if one wants to also supp
   
 1. Install the cryptsetup package:  
 
-        apt-get install cryptsetup
+       apt-get install cryptsetup
 
 1. Setup the encrypted partition as root:  
 
-        swapoff -a
-        cryptsetup -h sha256 -c aes-cbc-essiv:sha256 -s 256 luksFormat /dev/hda2
-        cryptsetup luksOpen /dev/hda2 cswap
-        mkswap /dev/mapper/cswap
+       swapoff -a
+       cryptsetup -h sha256 -c aes-cbc-essiv:sha256 -s 256 luksFormat /dev/hda2
+       cryptsetup luksOpen /dev/hda2 cswap
+       mkswap /dev/mapper/cswap
 
 2. Add this line to /etc/crypttab:  
 
-        cswap /dev/hda2 none swap,luks,timeout=30
+       cswap /dev/hda2 none swap,luks,timeout=30
 
 3. Set the swap partition to be this in /etc/fstab:  
 
-        /dev/mapper/cswap none swap sw 0 0
+       /dev/mapper/cswap none swap sw 0 0
 
 4. Configure uswsusp to use **/dev/mapper/cswap** and **write unencrypted data**  
 
-        dpkg-reconfigure -plow uswsusp
+       dpkg-reconfigure -plow uswsusp
 
 You will of course want to replace `/dev/hda2` with the partition that currently holds your unencrypted swap.  
   
 (This is loosely based on a similar [procedure for Ubuntu 6.10](http://www.c3l.de/linux/howto-completly-encrypted-harddisk-including-suspend-to-encrypted-disk-with-ubuntu-6.10-edgy-eft.html).)
 
-
 [[!tag debian]] [[!tag security]] [[!tag ubuntu]] [[!tag luks]]
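Review bot: Beyond the indentation change, the step list in this hunk is numbered `1.`, `1.`, `2.`, `3.`, `4.` in the source, so the second "1." item is really step 2; worth renumbering while these lines are being touched. Separately, the kept `cryptsetup -h sha256 -c aes-cbc-essiv:sha256 -s 256 luksFormat` line uses an older mode than the `aes-xts-plain64 -s 512` the home-directory post specifies, so the two posts now disagree on the recommended LUKS parameters.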

Fix formatting
diff --git a/posts/encrypting-your-home-directory-using.mdwn b/posts/encrypting-your-home-directory-using.mdwn
index 96873ba..9f2e21e 100644
--- a/posts/encrypting-your-home-directory-using.mdwn
+++ b/posts/encrypting-your-home-directory-using.mdwn
@@ -5,41 +5,32 @@ Laptops are easily lost or stolen and in order to protect your emails, web passw
 
 If you happen to have `/home` on a separate partition already (`/dev/sda5` in this example), then it's a really easy process:
 
-  1. Copy your home directory to a temporary directory on a different partition:
+1. Copy your home directory to a temporary directory on a different partition:
 
+       mkdir /homebackup
+       cp -a /home/* /homebackup
 
-        mkdir /homebackup
-        cp -a /home/* /homebackup
+2. Encrypt your home partition:
 
+       umount /home
+       cryptsetup -h sha256 -c aes-xts-plain64 -s 512 luksFormat /dev/sda5
+       cryptsetup luksOpen /dev/sda5 chome
+       mkfs.ext4 -m 0 /dev/mapper/chome
 
-  2. Encrypt your home partition:
+3. Add this line to `/etc/crypttab`:
 
-        umount /home
-        cryptsetup -h sha256 -c aes-xts-plain64 -s 512 luksFormat /dev/sda5
-        cryptsetup luksOpen /dev/sda5 chome
-        mkfs.ext4 -m 0 /dev/mapper/chome
+       chome    /dev/sda5    none    luks,timeout=30
 
-  3. Add this line to `/etc/crypttab`:
+4. Set the home partition to this in `/etc/fstab`:
 
+       /dev/mapper/chome /home ext4 nodev,nosuid,noatime 0 2
 
-        chome    /dev/sda5    none    luks,timeout=30
-
-
-  4. Set the home partition to this in `/etc/fstab`:
-
-
-        /dev/mapper/chome /home ext4 nodev,nosuid,noatime 0 2
-
-
-  5. Copy your home data back into the encrypted partition:
-
-
-        mount /home
-        cp -a /homebackup/* /home
-        rm -rf /homebackup
+5. Copy your home data back into the encrypted partition:
 
+       mount /home
+       cp -a /homebackup/* /home
+       rm -rf /homebackup
 
 That's it. Now to fully secure your laptop against theft, you should think about an [encrypted backup strategy](http://packages.debian.org/sid/duplicity) for your data...
 
-
 [[!tag debian]] [[!tag sysadmin]] [[!tag ubuntu]] [[!tag luks]]
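Review bot: Steps 1 and 5 of this hunk stage the whole home directory as plaintext in `/homebackup` on an unencrypted partition and then remove it with `rm -rf`, which unlinks the files but leaves their contents recoverable from that partition's free space, so the stated goal (protecting the data if the laptop is stolen) is only partly met until that space is overwritten. Suggest a sentence saying so and recommending that the temporary copy be wiped, or placed on an already-encrypted volume. Minor: `cp -a /home/* /homebackup` skips dot-prefixed entries directly under `/home`; `cp -a /home/. /homebackup` copies everything.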

Install apt-file as a handy utility
diff --git a/posts/usual-server-setup.mdwn b/posts/usual-server-setup.mdwn
index c83d5e0..19582f0 100644
--- a/posts/usual-server-setup.mdwn
+++ b/posts/usual-server-setup.mdwn
@@ -269,7 +269,7 @@ you need to restart a daemon using an obsolete library.
 
 # Handy utilities
 
-    apt install renameutils atool iotop sysstat lsof mtr-tiny mc netcat-openbsd command-not-found nocache
+    apt install renameutils atool iotop sysstat lsof mtr-tiny mc netcat-openbsd command-not-found nocache apt-file
 
 Most of these tools are configuration-free, except for sysstat, which requires
 enabling data collection in `/etc/default/sysstat` to be useful.

Turn off commit signing in etckeeper
diff --git a/posts/usual-server-setup.mdwn b/posts/usual-server-setup.mdwn
index 0024fdf..c83d5e0 100644
--- a/posts/usual-server-setup.mdwn
+++ b/posts/usual-server-setup.mdwn
@@ -43,6 +43,11 @@ and then put these config files in `/etc/.gitignore`:
     /subgid-
     /subuid-
 
+and this in `/etc/.git/config`:
+
+    [commit]
+        gpgsign = false
+
 To get more control over the various packages I install, I change the
 default debconf level to medium:
 
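Review bot: Documentation point for the new `[commit] gpgsign = false` stanza: `/etc/.git/config` is repository metadata rather than part of the tracked tree, so etckeeper will not carry the setting along if the repository is re-initialised or cloned, and it only has an effect when root's global git configuration turns signing on. A short sentence explaining why it is needed (a `commit.gpgsign = true` in root's `~/.gitconfig` would otherwise make etckeeper's unattended commits stop and ask for a key) would help readers decide whether they need it.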

Include a copy of my /etc/.gitignore for etckeeper
diff --git a/posts/usual-server-setup.mdwn b/posts/usual-server-setup.mdwn
index 0b0bf0a..0024fdf 100644
--- a/posts/usual-server-setup.mdwn
+++ b/posts/usual-server-setup.mdwn
@@ -33,6 +33,16 @@ the default `/etc/etckeeper/etckeeper.conf`:
 - turn off daily auto-commits
 - turn off auto-commits before package installs
 
+and then put these config files in `/etc/.gitignore`:
+
+    /aliases.db
+    /group-
+    /gshadow-
+    /passwd-
+    /shadow-
+    /subgid-
+    /subuid-
+
 To get more control over the various packages I install, I change the
 default debconf level to medium:
 
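Review bot: The ignore list added here keeps the `-` backup copies of `shadow`, `gshadow`, `passwd`, `group`, `subuid`, `subgid` and `aliases.db` out of the repository, but `/etc/shadow` and `/etc/gshadow` themselves remain tracked, so the password hashes still end up in `/etc/.git`. Worth a sentence reminding readers that the repository directory must stay root-only (etckeeper sets this up on init) and that any push to a remote carries those hashes with it.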

Comment moderation
diff --git a/posts/creating-freedos-bootable-usb-stick-to/comment_4_22e10c8246f646a56e100d6e23cc84cf._comment b/posts/creating-freedos-bootable-usb-stick-to/comment_4_22e10c8246f646a56e100d6e23cc84cf._comment
new file mode 100644
index 0000000..5625269
--- /dev/null
+++ b/posts/creating-freedos-bootable-usb-stick-to/comment_4_22e10c8246f646a56e100d6e23cc84cf._comment
@@ -0,0 +1,9 @@
+[[!comment format=mdwn
+ ip="2a02:1810:3f24:700:fdf1:b732:6e67:2697"
+ claimedauthor="Hamid"
+ subject="Awesome tutorial"
+ date="2018-09-25T07:10:16Z"
+ content="""
+I was looking into this so bad. My Bios update images are big enough to not fit into the default floppy or usb installer of freedos specially that I want to boot it over pxe. This definitely helped me.
+Thank you.
+"""]]
diff --git a/posts/recovering-from-unbootable-ubuntu-encrypted-lvm-root-partition/comment_3_cbd36f2900e966992f874221a5182e8e._comment b/posts/recovering-from-unbootable-ubuntu-encrypted-lvm-root-partition/comment_3_cbd36f2900e966992f874221a5182e8e._comment
new file mode 100644
index 0000000..ebafd4c
--- /dev/null
+++ b/posts/recovering-from-unbootable-ubuntu-encrypted-lvm-root-partition/comment_3_cbd36f2900e966992f874221a5182e8e._comment
@@ -0,0 +1,14 @@
+[[!comment format=mdwn
+ ip="2607:fea8:a51f:f592::2"
+ claimedauthor="JC"
+ subject="Got mine back with a Btrfs root"
+ date="2018-09-27T20:41:52Z"
+ content="""
+I got the same problem after upgrading to 18.04, I don't use LVM but Btrfs, all I had to change was
+
+```apt install btrfs-progs```
+
+Everything else was exactly the same.
+
+Thank you.
+"""]]

Update my network hardening settings to what I currently use
Also hide martian packets since they are too common and annoying.
diff --git a/posts/usual-server-setup.mdwn b/posts/usual-server-setup.mdwn
index e54879e..0b0bf0a 100644
--- a/posts/usual-server-setup.mdwn
+++ b/posts/usual-server-setup.mdwn
@@ -206,11 +206,14 @@ from unprivileged processes:
 
 and the following to harden the TCP stack:
 
-    net.ipv4.conf.all.send_redirects = 0
+    net.ipv4.conf.all.accept_redirects = 0
     net.ipv4.conf.all.accept_source_route = 0
-    net.ipv6.conf.all.accept_source_route = 0
-    net.ipv4.conf.all.log_martians = 1
+    net.ipv4.conf.all.rp_filter=1
+    net.ipv4.conf.all.send_redirects = 0
+    net.ipv4.conf.default.rp_filter=1
     net.ipv4.tcp_syncookies=1
+    net.ipv6.conf.all.accept_redirects = 0
+    net.ipv6.conf.all.accept_source_route = 0
 
 before reloading these settings using `sysctl -p`.
 
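Review bot: The sysctl list in this hunk sets `accept_redirects`, `send_redirects` and `accept_source_route` only under `conf.all`, but for `accept_redirects` and `send_redirects` the kernel combines `conf/all` with the per-interface value (on a non-forwarding host, ICMP redirects are accepted if either `conf/all` or `conf/<iface>` allows them, and sent if either allows it), so `conf.all = 0` alone does not switch them off. Add `net.ipv4.conf.default.accept_redirects = 0`, `net.ipv4.conf.default.send_redirects = 0` and `net.ipv6.conf.default.accept_redirects = 0` as was already done for `rp_filter`, and note that interfaces that already exist when the file is loaded need their per-interface keys set too (or a reboot). Style: the block mixes `key=value` and `key = value`; pick one. Also worth noting that `rp_filter=1` (strict) can drop legitimate traffic on multi-homed servers with asymmetric routing, where `2` (loose) is the safer choice.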

Use shorter `apt purge` everywhere
diff --git a/posts/usual-server-setup.mdwn b/posts/usual-server-setup.mdwn
index a301231..e54879e 100644
--- a/posts/usual-server-setup.mdwn
+++ b/posts/usual-server-setup.mdwn
@@ -117,7 +117,7 @@ and add a timeout for root sessions by putting this in `/root/.bash_profile`:
 # Security checks
 
     apt install logcheck logcheck-database fcheck tiger debsums systemd-coredump rkhunter
-    apt remove --purge john john-data rpcbind tripwire unhide unhide.rb
+    apt purge john john-data rpcbind tripwire unhide unhide.rb
 
 Logcheck is the main tool I use to keep an eye on log files, which is why I
 add a few additional log files to the default list in

Remove obsolete mcelog package
https://tracker.debian.org/news/932631/removed-153dfsg-1-from-unstable/
diff --git a/posts/usual-server-setup.mdwn b/posts/usual-server-setup.mdwn
index a382b3c..a301231 100644
--- a/posts/usual-server-setup.mdwn
+++ b/posts/usual-server-setup.mdwn
@@ -116,7 +116,7 @@ and add a timeout for root sessions by putting this in `/root/.bash_profile`:
 
 # Security checks
 
-    apt install logcheck logcheck-database fcheck tiger debsums systemd-coredump mcelog rkhunter
+    apt install logcheck logcheck-database fcheck tiger debsums systemd-coredump rkhunter
     apt remove --purge john john-data rpcbind tripwire unhide unhide.rb
 
 Logcheck is the main tool I use to keep an eye on log files, which is why I

Replace ntp with chrony and corekeeper with systemd-coredump
Chrony (https://chrony.tuxfamily.org/) is supported financially by
the Linux Foundation.
diff --git a/posts/usual-server-setup.mdwn b/posts/usual-server-setup.mdwn
index 45f17cf..a382b3c 100644
--- a/posts/usual-server-setup.mdwn
+++ b/posts/usual-server-setup.mdwn
@@ -116,7 +116,7 @@ and add a timeout for root sessions by putting this in `/root/.bash_profile`:
 
 # Security checks
 
-    apt install logcheck logcheck-database fcheck tiger debsums corekeeper mcelog rkhunter
+    apt install logcheck logcheck-database fcheck tiger debsums systemd-coredump mcelog rkhunter
     apt remove --purge john john-data rpcbind tripwire unhide unhide.rb
 
 Logcheck is the main tool I use to keep an eye on log files, which is why I
@@ -216,7 +216,7 @@ before reloading these settings using `sysctl -p`.
 
 # Entropy and timekeeping
 
-    apt install rng-tools ntp
+    apt install rng-tools chrony
 
 To keep the system clock accurate and increase the amount of entropy
 available to the server, I install the above packages and add the `tpm_rng`

Add an XMPP anti-spam section
https://blog.process-one.net/wp-content/uploads/2016/07/Fighting-XMPP-messaging-spam-thanks-to-ejabberd-API.pdf
diff --git a/posts/running-your-own-xmpp-server-debian-ubuntu.mdwn b/posts/running-your-own-xmpp-server-debian-ubuntu.mdwn
index 3ac5436..75177d6 100644
--- a/posts/running-your-own-xmpp-server-debian-ubuntu.mdwn
+++ b/posts/running-your-own-xmpp-server-debian-ubuntu.mdwn
@@ -182,4 +182,24 @@ Finally, to ensure that your TLS settings are reasonable, use this
 [automated tool](https://xmpp.net/) to test both the client-to-server (c2s)
 and the server-to-server (s2s) flows.
 
+# Spam protection
+
+If you start having problems with spammers sending messages or subscription
+requests to your users, you can whitelist the servers that are allowed to
+federate with yours by putting the following in
+`/etc/ejabberd/ejabberd.yml`:
+
+    acl:
+      trusted_servers:
+        server:
+          - "cheogram.com"
+          - "conference.soprani.ca"
+          - "conversations.im"
+
+    access:
+      s2s:
+        trusted_servers: allow
+        all: deny
+    s2s_access: s2s
+
 [[!tag debian]] [[!tag ubuntu]] [[!tag nzoss]] [[!tag sysadmin]] [[!tag xmpp]] [[!tag letsencrypt]] [[!tag ejabberd]]
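Review bot: The new section should state the trade-off of `s2s: trusted_servers: allow` / `all: deny`: `s2s_access` governs federation as a whole, so users of this server also lose the ability to message, or be messaged by, anyone on a domain missing from `trusted_servers`, not only spammers. Suggest saying so explicitly, telling readers to list every remote domain their users actually talk to (the three domains shown are this server's own whitelist, not a general recommendation), and mentioning that ejabberd needs `ejabberdctl reload_config` for the ACL change to take effect.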

Comment moderation
diff --git a/posts/recovering-from-unbootable-ubuntu-encrypted-lvm-root-partition/comment_2_344f04840164a73701084d11ef52358c._comment b/posts/recovering-from-unbootable-ubuntu-encrypted-lvm-root-partition/comment_2_344f04840164a73701084d11ef52358c._comment
new file mode 100644
index 0000000..8ce3c8b
--- /dev/null
+++ b/posts/recovering-from-unbootable-ubuntu-encrypted-lvm-root-partition/comment_2_344f04840164a73701084d11ef52358c._comment
@@ -0,0 +1,12 @@
+[[!comment format=mdwn
+ ip="107.167.211.178"
+ claimedauthor="dragon788"
+ subject="Thanks for this, with some tweaks I was able to script a recovery process for my machine"
+ date="2018-09-05T18:57:56Z"
+ content="""
+I wanted to make sure the next time it happens I could recover quickly with just the LiveCD available.
+
+I wrote it to detect the correct name from the /mnt/etc/crypttab to ensure the `update-initramfs` command can properly update. 
+
+https://gist.github.com/dragon788/e777ba64d373210e4f6306ad40ee0e80
+"""]]

Comment moderation
diff --git a/posts/tweaking-referrer-for-privacy-in-firefox/comment_2_c0dc184322c98f5b9a8238e3126c12f5._comment b/posts/tweaking-referrer-for-privacy-in-firefox/comment_2_c0dc184322c98f5b9a8238e3126c12f5._comment
new file mode 100644
index 0000000..abdb511
--- /dev/null
+++ b/posts/tweaking-referrer-for-privacy-in-firefox/comment_2_c0dc184322c98f5b9a8238e3126c12f5._comment
@@ -0,0 +1,15 @@
+[[!comment format=mdwn
+ ip="73.221.3.163"
+ claimedauthor="Andrew Schwartzmeyer"
+ url="https://andschwa.com"
+ subject="Trimming breaks Google Play Music web app"
+ date="2018-09-04T18:41:31Z"
+ content="""
+Ah, I found some breakage with just:
+
+```
+network.http.referer.XOriginTrimmingPolicy = 2
+```
+
+With this set, the Google Play Music web app errors with \"couldn't fetch recommendations, please try again\" (found the idea that it might by my referer policy [here](https://productforums.google.com/forum/#!topic/play/AvyGY6MHo7Q)).
+"""]]

Improve the pulseaudio config
https://wiki.archlinux.org/index.php/Music_Player_Daemon/Tips_and_tricks#Local_.28with_separate_mpd_user.29
diff --git a/posts/home-music-server-with-mpd.mdwn b/posts/home-music-server-with-mpd.mdwn
index e0d4baa..6f443bb 100644
--- a/posts/home-music-server-with-mpd.mdwn
+++ b/posts/home-music-server-with-mpd.mdwn
@@ -33,8 +33,15 @@ with a pulseaudio one:
     audio_output {
        type    "pulse"
        name    "Pulseaudio Output"
+       server  "127.0.0.1"
     }
 
+and exposing pulseaudio to localhost via `/etc/pulse/default.pa`:
+
+    ### Network access (may be configured with paprefs, so leave this commented
+    ### here if you plan to use paprefs)
+    load-module module-native-protocol-tcp auth-ip-acl=127.0.0.1
+
 In order for the automatic detection (zeroconf) of your music server
 to work, you need to [prevent systemd from creating the network
 socket](https://www.mail-archive.com/mpd-devel@musicpd.org/msg00239.html):
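Review bot: The `load-module module-native-protocol-tcp auth-ip-acl=127.0.0.1` line added here lets any process on the host connect to this PulseAudio instance without cookie authentication, because the ACL is evaluated on the source address rather than the user; that is the intended effect for a separate mpd user, but the post should say so and point out that on a multi-user machine every other local account gains the same access. The two `###` comment lines about paprefs are copied from the stock `default.pa` and are confusing in a post that never uses paprefs; suggest dropping them or replacing them with a comment about the mpd case.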

Fix broken config file blurb
diff --git a/posts/redirecting-entire-site-except-certbot-webroot.mdwn b/posts/redirecting-entire-site-except-certbot-webroot.mdwn
index 91ea91f..33b6e8e 100644
--- a/posts/redirecting-entire-site-except-certbot-webroot.mdwn
+++ b/posts/redirecting-entire-site-except-certbot-webroot.mdwn
@@ -40,7 +40,7 @@ Here are the relevant portions of `/etc/letsencrypt/renewal/www.libravatar.org.c
     authenticator = webroot
     account = 
     
-    [[webroot_map]]
+    \[[webroot_map]]
     libravatar.org = /var/www/acme
     www.libravatar.org = /var/www/acme
 

Link to my certbot cronjob post
diff --git a/posts/running-your-own-xmpp-server-debian-ubuntu.mdwn b/posts/running-your-own-xmpp-server-debian-ubuntu.mdwn
index 359938b..3ac5436 100644
--- a/posts/running-your-own-xmpp-server-debian-ubuntu.mdwn
+++ b/posts/running-your-own-xmpp-server-debian-ubuntu.mdwn
@@ -46,6 +46,8 @@ and then restart the service:
 
     systemctl restart ejabberd.service
 
+I wrote a [cronjob to renew this certificate automatically using certbot](https://feeding.cloud.geek.nz/posts/automatically-renewing-letsencrypt-certs-on-debian-using-certbot/).
+
 ## StartSSL
 
 I have also used [StartSSL](https://startssl.com) successfully. This is how I generated the CSR

Comment moderation
diff --git a/posts/running-your-own-xmpp-server-debian-ubuntu/comment_5_00979aadf4dda21e91be3bab44548a99._comment b/posts/running-your-own-xmpp-server-debian-ubuntu/comment_5_00979aadf4dda21e91be3bab44548a99._comment
new file mode 100644
index 0000000..e55da61
--- /dev/null
+++ b/posts/running-your-own-xmpp-server-debian-ubuntu/comment_5_00979aadf4dda21e91be3bab44548a99._comment
@@ -0,0 +1,10 @@
+[[!comment format=mdwn
+ username="francois@665656f0ba400877c9b12e8fbb086e45aa01f7c0"
+ nickname="francois"
+ subject="Re: LetsEncrypt"
+ date="2018-08-24T21:24:56Z"
+ content="""
+> I suppose I could come up with a root cronjob to do it
+
+Indeed, that's exactly how I have my letsencrypt certs set to [renew automatically using certbot](https://feeding.cloud.geek.nz/posts/automatically-renewing-letsencrypt-certs-on-debian-using-certbot/).
+"""]]

Comment moderation
diff --git a/posts/running-your-own-xmpp-server-debian-ubuntu/comment_4_ec674c4e1f08650cef559f3c403d6e9d._comment b/posts/running-your-own-xmpp-server-debian-ubuntu/comment_4_ec674c4e1f08650cef559f3c403d6e9d._comment
new file mode 100644
index 0000000..b5bfc01
--- /dev/null
+++ b/posts/running-your-own-xmpp-server-debian-ubuntu/comment_4_ec674c4e1f08650cef559f3c403d6e9d._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ ip="172.221.247.189"
+ claimedauthor="B. Shea"
+ subject="LetsEncrypt"
+ date="2018-08-24T17:20:44Z"
+ content="""
+Looking for good install guide. The only drawback I see in reading your directions (I haven't done this yet) is the fact that you are concatenating key/bundle/csr to static file - and LE certs expire quickly. You will have to repeat this every 90 days. I suppose I could come up with a root cronjob to do it as a certbot cron.d 'post-renew' job, but I am guessing there is a better way.. if I find I will post again.
+"""]]

Mention how to set the wallpaper using feh
https://faq.i3wm.org/question/6/how-can-i-set-a-desktop-background-image-in-i3.1.html
https://wiki.archlinux.org/index.php/Feh#Set_the_wallpaper
diff --git a/posts/creating-a-modern-tiling-desktop-environment-using-i3.mdwn b/posts/creating-a-modern-tiling-desktop-environment-using-i3.mdwn
index 472bb90..8e12cd5 100644
--- a/posts/creating-a-modern-tiling-desktop-environment-using-i3.mdwn
+++ b/posts/creating-a-modern-tiling-desktop-environment-using-i3.mdwn
@@ -37,6 +37,18 @@ I can also trigger it manually using the following shortcut defined in my `~/.i3
 
     bindsym Ctrl+Mod1+l exec xautolock -locknow
 
+# Wallpaper
+
+To set the wallpaper, I use [feh](https://packages.debian.org/stretch/feh). The first step is to run it once:
+
+    feh --bg-scale /usr/share/images/desktop-base/desktop-grub.png
+
+so that it generates a script for itself at `~/.fehbg`.
+
+Then you can add that to your startup script or to `~/.i3/config`:
+
+    exec --no-startup-id ~/.fehbg
+
 # Keyboard shortcuts
 
 While keyboard shortcuts can be configured in GNOME, they don't work within i3, so I added a few more bindings to my `~/.i3/config`:

Mention the new HandleLidSwitchExternalPower option in systemd
diff --git a/posts/creating-a-modern-tiling-desktop-environment-using-i3.mdwn b/posts/creating-a-modern-tiling-desktop-environment-using-i3.mdwn
index 5be5dbd..472bb90 100644
--- a/posts/creating-a-modern-tiling-desktop-environment-using-i3.mdwn
+++ b/posts/creating-a-modern-tiling-desktop-environment-using-i3.mdwn
@@ -75,6 +75,10 @@ Since I run lots of things in the background, I have set my laptop to avoid susp
 
     HandleLidSwitch=lock
 
+though you might want to have the laptop suspend if it's running on battery, using the following setting instead:
+
+    HandleLidSwitchExternalPower=lock
+
 Instead, when I want to suspend to ram, I use the following keyboard shortcut:
 
     bindsym Ctrl+Mod1+s exec /home/francois/bin/s2ram
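Review bot: The sentence introducing `HandleLidSwitchExternalPower=lock` says "instead", which is right only because `HandleLidSwitch` is then left at its default of `suspend` (lid close suspends on battery and merely locks on external power); worth stating that default explicitly, and that the key needs a recent logind, since older versions log it as an unknown key, ignore it, and therefore suspend in both cases.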

creating tag page tags/pagekite
diff --git a/tags/pagekite.mdwn b/tags/pagekite.mdwn
new file mode 100644
index 0000000..02109da
--- /dev/null
+++ b/tags/pagekite.mdwn
@@ -0,0 +1,4 @@
+[[!meta title="pages tagged pagekite"]]
+
+[[!inline pages="tagged(pagekite)" actions="no" archive="yes"
+feedshow=10]]

Add a pagekite tag
diff --git a/posts/letting-someone-ssh-into-your-laptop-using-pagekite.mdwn b/posts/letting-someone-ssh-into-your-laptop-using-pagekite.mdwn
index 39ab3f9..90562b2 100644
--- a/posts/letting-someone-ssh-into-your-laptop-using-pagekite.mdwn
+++ b/posts/letting-someone-ssh-into-your-laptop-using-pagekite.mdwn
@@ -88,4 +88,4 @@ before restarting the pagekite daemon using:
 
     systemctl restart pagekite
 
-[[!tag mozilla]] [[!tag debian]] [[!tag sysadmin]] [[!tag ssh]] [[!tag nzoss]]
+[[!tag mozilla]] [[!tag debian]] [[!tag sysadmin]] [[!tag ssh]] [[!tag nzoss]] [[!tag pagekite]]

Use systemd for restarting services
diff --git a/posts/letting-someone-ssh-into-your-laptop-using-pagekite.mdwn b/posts/letting-someone-ssh-into-your-laptop-using-pagekite.mdwn
index 193242e..39ab3f9 100644
--- a/posts/letting-someone-ssh-into-your-laptop-using-pagekite.mdwn
+++ b/posts/letting-someone-ssh-into-your-laptop-using-pagekite.mdwn
@@ -86,6 +86,6 @@ as well as removing the following lines from `/etc/pagekite.d/10_account.rc`:
 
 before restarting the pagekite daemon using:
 
-    service pagekite restart
+    systemctl restart pagekite
 
 [[!tag mozilla]] [[!tag debian]] [[!tag sysadmin]] [[!tag ssh]] [[!tag nzoss]]

Prevent my pagekite post from returning to Planet Mozilla again
diff --git a/tags/mozilla.mdwn b/tags/mozilla.mdwn
index 458c107..7883bf0 100644
--- a/tags/mozilla.mdwn
+++ b/tags/mozilla.mdwn
@@ -1,4 +1,4 @@
 [[!meta title="pages tagged mozilla"]]
 
 [[!inline pages="tagged(mozilla)" actions="no" archive="yes"
-feedshow=10 feedpages=created_after(posts/prefetching-resources-to-prime-browser)]]
+feedshow=9 feedpages=created_after(posts/letting-someone-ssh-into-your-laptop-using-pagekite)]]

Add instructions for systemd-resolved
diff --git a/posts/setting-up-your-own-dnssec-aware.mdwn b/posts/setting-up-your-own-dnssec-aware.mdwn
index 807277c..86d07ba 100644
--- a/posts/setting-up-your-own-dnssec-aware.mdwn
+++ b/posts/setting-up-your-own-dnssec-aware.mdwn
@@ -77,6 +77,23 @@ If you're not using DHCP, then you simply need to put this in your `/etc/resolv.
 
     nameserver 127.0.0.1
 
+or on more recent distros, the following in `/etc/systemd/resolved.conf`:
+
+    [Resolve]
+    DNS=127.0.0.1
+    DNSSEC=no
+
+Yes, you need `DNSSEC=no` because otherwise it will break insecure
+delegations and you'll see messages like this one in your logs:
+
+    systemd-resolved[1161]: DNSSEC validation failed for question dyn.fmarier.org IN SOA: no-signature
+
+You can test that
+[systemd-resolved](https://www.freedesktop.org/wiki/Software/systemd/resolved/)
+is configured properly using:
+
+    systemd-resolve --status
+
 ## Testing DNSSEC resolution
 
 Once everything is configured properly, the best way I found to test that this setup was actually working is to use a web browser to visit these sites:
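Review bot: The `DNSSEC=no` explanation in this hunk could leave readers thinking validation is lost: with `DNS=127.0.0.1` the local unbound resolver still validates every answer, so `DNSSEC=no` only stops systemd-resolved from re-validating (and failing on insecure delegations, as the quoted `no-signature` log line shows); one sentence saying that the local resolver remains the validator would help. Also `systemd-resolve --status` has been superseded by `resolvectl status` on newer systemd releases (the old name is kept as a compatibility alias), which is worth mentioning beside the command.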

Remove obsolete and unnecessary options
diff --git a/posts/hardening-ssh-servers.mdwn b/posts/hardening-ssh-servers.mdwn
index 75b715a..1d5de08 100644
--- a/posts/hardening-ssh-servers.mdwn
+++ b/posts/hardening-ssh-servers.mdwn
@@ -14,11 +14,9 @@ you forget):
 
 This is what `/etc/ssh/sshd_config` should contain:
 
-    Protocol 2
     HostKey /etc/ssh/ssh_host_ed25519_key
     HostKey /etc/ssh/ssh_host_rsa_key
     HostKey /etc/ssh/ssh_host_ecdsa_key
-    UsePrivilegeSeparation sandbox
     AuthenticationMethods publickey
     PasswordAuthentication no
     PermitRootLogin no
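Review bot: Dropping `Protocol 2` and `UsePrivilegeSeparation sandbox` is correct for current OpenSSH, where both keywords are deprecated and only produce warnings, but the post should say which OpenSSH version the file now targets: older releases still honour them, and there the removed values match the built-in defaults, so nothing is lost either way, yet readers on those releases may wonder why a hardening guide dropped them.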

Put the fully-qualified hostname in the ServerName field
This is needed because we won't be able to get a TLS cert for the short name
and so using the full name will avoid warnings that the server name can't be
found in any of the TLS certs names.
diff --git a/posts/usual-server-setup.mdwn b/posts/usual-server-setup.mdwn
index 0b1e3c4..45f17cf 100644
--- a/posts/usual-server-setup.mdwn
+++ b/posts/usual-server-setup.mdwn
@@ -280,7 +280,7 @@ I enable these in `/etc/apache2/conf-enabled/security.conf`:
 
 I also create a new `/etc/apache2/conf-available/servername.conf` which contains:
 
-    ServerName machine_hostname
+    ServerName machine_hostname.example.com
 
 and then run:
 

Use stronger OpenVPN 2.4+ crypto
diff --git a/posts/creating-a-linode-based-vpn-setup-using_openvpn_on_debian_or_ubuntu.mdwn b/posts/creating-a-linode-based-vpn-setup-using_openvpn_on_debian_or_ubuntu.mdwn
index 2913757..853ef79 100644
--- a/posts/creating-a-linode-based-vpn-setup-using_openvpn_on_debian_or_ubuntu.mdwn
+++ b/posts/creating-a-linode-based-vpn-setup-using_openvpn_on_debian_or_ubuntu.mdwn
@@ -93,9 +93,10 @@ and set the following in `/etc/openvpn/server.conf` (which includes recommendati
     push "dhcp-option DNS 74.207.241.5"
     push "dhcp-option DNS 74.207.242.5"
     tls-auth ta.key 0
-    tls-cipher DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RS
-    cipher AES-256-CBC
-    auth SHA384
+    tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
+    tls-version-min 1.2
+    cipher AES-256-GCM
+    ncp-disable
     user nobody
     group nogroup
 
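Review bot: The new `tls-cipher` line lists `TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384` twice; the duplicate is harmless but looks like a copy-paste slip, and presumably one of the two was meant to be a different suite. Also, removing `auth SHA384` alongside the switch to `AES-256-GCM` is only partly a no-op: `auth` no longer affects the AEAD data channel, but it still selects the HMAC used by the `tls-auth ta.key 0` control channel, so that falls back to the default digest and every client must make the same change (as the client hunks in this commit do) or its packets will be rejected with HMAC failures. Worth a sentence in the post, as is a note that `ncp-disable` means clients must configure `cipher AES-256-GCM` explicitly rather than negotiate it.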
@@ -159,8 +160,7 @@ then click the "Avanced" button and set the following:
 * General
    * Use LZO data compression: `YES`
 * Security
-   * Cipher: `AES-256-CBC`
-   * HMAC Authentication: `SHA-384`
+   * Cipher: `AES-256-GCM`
 * TLS Authentication
    * Server Certificate Check: `Verify name exactly`
    * Subject Match: `server`
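Review bot: `Use LZO data compression: YES` is kept in this hunk while the crypto is being strengthened; current OpenVPN documentation advises against enabling compression for security reasons (compressing attacker-influenced plaintext next to secrets leaks information about those secrets), so the post should either turn it off here and drop `comp-lzo` on the server, or explain why it is kept.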
diff --git a/posts/using-openvpn-on-android-lollipop.mdwn b/posts/using-openvpn-on-android-lollipop.mdwn
index 74d3e6e..4a08a0f 100644
--- a/posts/using-openvpn-on-android-lollipop.mdwn
+++ b/posts/using-openvpn-on-android-lollipop.mdwn
@@ -57,8 +57,7 @@ Authentication/Encryption:
 - Use TLS Authentication: `YES`
 - TLS Auth File: `ta.key`
 - TLS Direction: `1`
-- Encryption cipher: `AES-256-CBC`
-- Packet authentication: `SHA384` (**not** `SHA-384`)
+- Encryption cipher: `AES-256-GCM`
 
 Advanced:
 
diff --git a/posts/using-openvpn-on-ios-and-osx.mdwn b/posts/using-openvpn-on-ios-and-osx.mdwn
index d104815..41eb522 100644
--- a/posts/using-openvpn-on-ios-and-osx.mdwn
+++ b/posts/using-openvpn-on-ios-and-osx.mdwn
@@ -58,8 +58,7 @@ Here is the config I successfully used to connect to my server:
     ca ca.crt
     cert iphone.crt
     key iphone.key
-    cipher AES-256-CBC
-    auth SHA384
+    cipher AES-256-GCM
     comp-lzo yes
     proto udp
     tls-remote server
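Review bot: The iOS config in this hunk still carries `tls-remote server`, which OpenVPN 2.4 removed in favour of `verify-x509-name server name`; since this commit targets 2.4+ crypto, the post should check whether the iOS client still accepts `tls-remote` and otherwise update that line. `comp-lzo yes` also remains here, which current OpenVPN documentation advises against for security reasons.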
@@ -92,7 +91,6 @@ connection:
 - **Advanced**
    - add the following extra OpenVPN configuration commands:
 
-         cipher AES-256-CBC
-         auth SHA384
+         cipher AES-256-GCM
 
 [[!tag openvpn]] [[!tag ios]] [[!tag osx]]

Add a new option in latest network-manager-openvpn version
diff --git a/posts/creating-a-linode-based-vpn-setup-using_openvpn_on_debian_or_ubuntu.mdwn b/posts/creating-a-linode-based-vpn-setup-using_openvpn_on_debian_or_ubuntu.mdwn
index 6fa82a3..2913757 100644
--- a/posts/creating-a-linode-based-vpn-setup-using_openvpn_on_debian_or_ubuntu.mdwn
+++ b/posts/creating-a-linode-based-vpn-setup-using_openvpn_on_debian_or_ubuntu.mdwn
@@ -168,7 +168,8 @@ then click the "Avanced" button and set the following:
      * Remote peer certificate TLS type: `Server`
    * Verify peer (server) certificate nsCertType designation: `YES`
      * Remove peer certificate nsCert designation: `Server`
-   * Use additional TLS authentication: `YES`
+   * Additional TLS authentication or encryption:
+     * Mode: `TLS-Auth`
      * Key File: `/etc/openvpn/ta.key`
      * Key Direction: `1`
 
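Review bot: Two typos sit in this hunk's context lines and are worth fixing while the option list is being edited: the hunk header context reads `"Avanced" button` (Advanced), and the sub-item `Remove peer certificate nsCert designation` should read `Remote peer certificate nsCert designation` (Remote, not Remove), matching the `Remote peer certificate TLS type` wording two lines above it.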

Format option correctly
diff --git a/posts/creating-a-linode-based-vpn-setup-using_openvpn_on_debian_or_ubuntu.mdwn b/posts/creating-a-linode-based-vpn-setup-using_openvpn_on_debian_or_ubuntu.mdwn
index c9aacdc..6fa82a3 100644
--- a/posts/creating-a-linode-based-vpn-setup-using_openvpn_on_debian_or_ubuntu.mdwn
+++ b/posts/creating-a-linode-based-vpn-setup-using_openvpn_on_debian_or_ubuntu.mdwn
@@ -162,7 +162,7 @@ then click the "Avanced" button and set the following:
    * Cipher: `AES-256-CBC`
    * HMAC Authentication: `SHA-384`
 * TLS Authentication
-   * Server Certificate Check: Verify name exactly
+   * Server Certificate Check: `Verify name exactly`
    * Subject Match: `server`
    * Verify peer (server) certificate usage signature: `YES`
      * Remote peer certificate TLS type: `Server`

Link to a tweet without a missing word.
diff --git a/posts/server-migration-plan.mdwn b/posts/server-migration-plan.mdwn
index 56962d7..8d67302 100644
--- a/posts/server-migration-plan.mdwn
+++ b/posts/server-migration-plan.mdwn
@@ -92,7 +92,7 @@ go through a similar process.
 
 # Migrating servers
 
-* [Tweet](https://twitter.com/libravatar/status/364659172983308288) and [dent](https://identi.ca/libravatar/note/UFBI9ne8SsOftkYlSKPHQQ) about the upcoming migration.
+* [Tweet](https://twitter.com/libravatar/status/1028767128227205120) and [dent](https://identi.ca/libravatar/note/UFBI9ne8SsOftkYlSKPHQQ) about the upcoming migration.
 
 * Enable the static file config on the old server (disabling the Django app):
 

Note that the authorized_keys file should be moved, not just deleted
diff --git a/posts/server-migration-plan.mdwn b/posts/server-migration-plan.mdwn
index a695a55..56962d7 100644
--- a/posts/server-migration-plan.mdwn
+++ b/posts/server-migration-plan.mdwn
@@ -135,8 +135,8 @@ go through a similar process.
 
 # Disable mirror sync
 
-* Log into each mirror and comment out the sync cron jobs in `/etc/cron.d/libravatar-slave`.
-* Make sure mirrors are no longer able to connect to the old server by deleting `/var/lib/libravatar/master/.ssh/authorized_keys` on the old server.
+* Log into each mirror and comment out the update cron jobs in `/etc/cron.d/libravatar-slave`.
+* Make sure mirrors are no longer able to connect to the old server by moving `/var/lib/libravatar/master/.ssh/authorized_keys` to the new server and removing it from the old server.
 
 # Testing the main site
 
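Review bot: The reworded second bullet covers the authorisation side, but the mirrors' ssh clients will also have the old server's host key pinned in `known_hosts` under the same name, so once DNS moves they will refuse to connect to the new server until its host key has been published to them; suggest adding that step here or in the re-enable section, and saying how `authorized_keys` is transferred (it holds only public keys, so any authenticated channel such as scp is fine).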

Fix file ownership after the rsync
diff --git a/posts/server-migration-plan.mdwn b/posts/server-migration-plan.mdwn
index 9ee4ccb..a695a55 100644
--- a/posts/server-migration-plan.mdwn
+++ b/posts/server-migration-plan.mdwn
@@ -131,6 +131,7 @@ go through a similar process.
 
         chmod go-w /var/lib/libravatar/avatar
         chmod go-w /var/lib/libravatar/user
+        chown -R root:root /var/lib/libravatar/avatar/* /var/lib/libravatar/user/*
 
 # Disable mirror sync
 
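Review bot: The added `chown -R root:root /var/lib/libravatar/avatar/* /var/lib/libravatar/user/*` expands two shell globs, which skips dot-prefixed entries and can exceed the argument-length limit on a directory holding many avatar files; `chown -R root:root /var/lib/libravatar/avatar /var/lib/libravatar/user` (recursing from the directories themselves) avoids both, with the caveat that it also changes the owner of the two top-level directories, so state what owner those should end up with.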

Fix path and use fake server names to avoid copy/paste errors
diff --git a/posts/server-migration-plan.mdwn b/posts/server-migration-plan.mdwn
index 5eb525d..9ee4ccb 100644
--- a/posts/server-migration-plan.mdwn
+++ b/posts/server-migration-plan.mdwn
@@ -122,10 +122,10 @@ go through a similar process.
 
   * From laptop:
 
-        rsync -a -H -v husavik.libravatar.org:/var/lib/libravatar/avatar .
-        rsync -a -H -v husavik.libravatar.org:/var/lib/libravatar/user .
-        rsync -a -H -v avatar/* selfoss.libravatar.org:/var/lib/libravatar/avatar/
-        rsync -a -H -v user/* selfoss.libravatar.org:/var/lib/libravatar/avatar/
+        rsync -a -H -v old.libravatar.org:/var/lib/libravatar/avatar .
+        rsync -a -H -v old.libravatar.org:/var/lib/libravatar/user .
+        rsync -a -H -v avatar/* new.libravatar.org:/var/lib/libravatar/avatar/
+        rsync -a -H -v user/* new.libravatar.org:/var/lib/libravatar/user/
 
   * On the new server:
 
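Review bot: The corrected rsync steps route all avatar and user data through the laptop, so a full copy of the site's user records ends up on a third machine; the plan should include wiping that local copy once the new server is verified, or do the transfer server-to-server (the new server pulling from the old over ssh) to avoid the intermediate copy altogether. Minor: `rsync ... avatar/* new.libravatar.org:/var/lib/libravatar/avatar/` expands a glob and so skips dot-prefixed entries; `rsync -a -H -v avatar/ new.libravatar.org:/var/lib/libravatar/avatar/` copies the directory contents exactly.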

Delete any leftovers from a previous test run
diff --git a/posts/server-migration-plan.mdwn b/posts/server-migration-plan.mdwn
index 0b1bc01..5eb525d 100644
--- a/posts/server-migration-plan.mdwn
+++ b/posts/server-migration-plan.mdwn
@@ -116,7 +116,9 @@ go through a similar process.
   * On the new server:
 
         chmod a+w /var/lib/libravatar/avatar
+        rm -rf /var/lib/libravatar/avatar/*
         chmod a+w /var/lib/libravatar/user
+        rm -rf /var/lib/libravatar/user/*
 
   * From laptop:
 

Expand the instructions to include actual commands
diff --git a/posts/server-migration-plan.mdwn b/posts/server-migration-plan.mdwn
index 9918bba..0b1bc01 100644
--- a/posts/server-migration-plan.mdwn
+++ b/posts/server-migration-plan.mdwn
@@ -94,9 +94,24 @@ go through a similar process.
 
 * [Tweet](https://twitter.com/libravatar/status/364659172983308288) and [dent](https://identi.ca/libravatar/note/UFBI9ne8SsOftkYlSKPHQQ) about the upcoming migration.
 
-* Enable the static file config on the old server (disabling the Django app).
-* Disable pgbouncer to ensure that Django cannot access postgres anymore.
-* Copy the database from the old server and restore it on the new server **making sure it's in the UTF8 encoding**.
+* Enable the static file config on the old server (disabling the Django app):
+
+      cd /etc/apache2/
+      mv sites-enabled sites-enabled.django
+      mv sites-enabled.static sites-enabled
+      apache2ctl configtest
+      systemctl restart apache2.service
+
+* Disable pgbouncer to ensure that Django cannot access postgres anymore:
+
+      systemctl stop pgbouncer.service
+
+* Copy the database from the old server and restore it on the new server **making sure it's in the UTF8 encoding**:
+
+      dropdb libravatar
+      createdb -O djangouser -E utf8 libravatar
+      pg_restore -d libravatar libravatar20180812.pg
+
 * Copy `/var/lib/libravatar` from the old server to the new one.
   * On the new server:
 
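Review bot: `createdb -O djangouser -E utf8 libravatar` fails with "new encoding (UTF8) is incompatible with the encoding of the template database" on any cluster whose `template1` is not UTF8, which is exactly the case the bold warning is guarding against; adding `-T template0` makes the encoding choice independent of the cluster default. Two smaller points: `dropdb libravatar` has no guard, so running it on the wrong host destroys the live database, and the hunk says where the dump is restored but not where `libravatar20180812.pg` is taken; the dump must happen after pgbouncer is stopped on the old server, otherwise writes can land between the dump and the cutover.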
@@ -131,6 +146,13 @@ go through a similar process.
 * If testing is successful, update DNS A and AAAA records to point to the new server with a short TTL (in case we need to revert).
 
 * Enable the proxy config on the old server.
+
+      cd /etc/apache2/
+      mv sites-enabled sites-enabled.static
+      mv sites-enabled.proxy/ sites-enabled
+      apache2ctl configtest
+      systemctl restart apache2.service
+
 * Hack my local `/etc/hosts` file to point to the old server's IP address.
 * Test basic functionality going through the proxy.
 * Remove local `/etc/hosts` hacks.
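Review bot: the restart runs regardless of what `apache2ctl configtest` reports, so a broken proxy vhost takes the old server down instead of leaving the static config in place; `apache2ctl configtest && systemctl restart apache2.service` (or `systemctl reload`) keeps the previous configuration serving on failure. The same applies to the static-config block added earlier in this commit. The directory names are also inconsistent between the two blocks (`sites-enabled.proxy/` with a trailing slash here, `sites-enabled.static` above); harmless for `mv`, but worth aligning.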

Fix typo
diff --git a/posts/server-migration-plan.mdwn b/posts/server-migration-plan.mdwn
index 4be060c..9918bba 100644
--- a/posts/server-migration-plan.mdwn
+++ b/posts/server-migration-plan.mdwn
@@ -133,7 +133,7 @@ go through a similar process.
 * Enable the proxy config on the old server.
 * Hack my local `/etc/hosts` file to point to the old server's IP address.
 * Test basic functionality going through the proxy.
-* Remove local `/etc/hosts/` hacks.
+* Remove local `/etc/hosts` hacks.
 
 # Re-enable mirror sync
 

Add a note about setting the server time to UTC
diff --git a/posts/usual-server-setup.mdwn b/posts/usual-server-setup.mdwn
index f70beca..0b1e3c4 100644
--- a/posts/usual-server-setup.mdwn
+++ b/posts/usual-server-setup.mdwn
@@ -222,6 +222,8 @@ To keep the system clock accurate and increase the amount of entropy
 available to the server, I install the above packages and add the `tpm_rng`
 module to `/etc/modules`.
 
+I also set the server timezone to **UTC** using `dpkg-reconfigure tzdata`.
+
 # Preventing mistakes
 
     apt install molly-guard safe-rm sl
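Review bot: worth stating the reason in the text: with every server on UTC, timestamps in syslog, the journal and application logs line up across machines without DST arithmetic, which is what matters when correlating events during an incident. On systemd hosts `timedatectl set-timezone Etc/UTC` does the same as `dpkg-reconfigure tzdata` without the dialog, and the `AcceptEnv ... TZ` line in the sshd section means an ssh client that forwards `TZ` still sees local time in its own session.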

Mention the need to test both IPv4 and IPv6
diff --git a/posts/server-migration-plan.mdwn b/posts/server-migration-plan.mdwn
index f184c73..4be060c 100644
--- a/posts/server-migration-plan.mdwn
+++ b/posts/server-migration-plan.mdwn
@@ -122,12 +122,13 @@ go through a similar process.
 
 # Testing the main site
 
-* Hack my local `/etc/hosts` file to point to the new server's IP address:
+* Hack my local `/etc/hosts` file to point to the new server's IPv4 address:
 
-      xxx.xxx.xxx.xxx www.libravatar.org stats.libravatar.org cdn.libravatar.org
+      xxx.xxx.xxx.xxx www.libravatar.org stats.libravatar.org cdn.libravatar.org seccdn.libravatar.org
 
 * Test all functionality on the new site.
-* If testing is successful, update DNS to point to the new server with a short TTL (in case we need to revert).
+* Do a basic version of the previous test using IPv6.
+* If testing is successful, update DNS A and AAAA records to point to the new server with a short TTL (in case we need to revert).
 
 * Enable the proxy config on the old server.
 * Hack my local `/etc/hosts` file to point to the old server's IP address.
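Review bot: the new IPv6 step says what to test but not how; the `/etc/hosts` line shown only carries an IPv4 address, so the IPv6 pass needs its own entry with the new server's AAAA address (`xxxx:xxxx::xxxx www.libravatar.org stats.libravatar.org cdn.libravatar.org seccdn.libravatar.org`) and the IPv4 line commented out for the duration, since a browser with both entries available can use the v4 one with no visible sign and the test would pass silently. `curl -6` and `curl -4` against the same URL are a quick way to confirm which address family was actually used.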

Clarify the DNS entries to modify
diff --git a/posts/server-migration-plan.mdwn b/posts/server-migration-plan.mdwn
index cb2358e..f184c73 100644
--- a/posts/server-migration-plan.mdwn
+++ b/posts/server-migration-plan.mdwn
@@ -12,7 +12,7 @@ go through a similar process.
 
 # Prepare DNS
 
-* Change the TTL on the DNS entry for `libravatar.org` to 3600 seconds.
+* Change the TTL on the DNS entry for `libravatar.org` (i.e. bare `A` and `AAAA` records) to **3600** seconds.
 * Remove the mirrors I don't control from the DNS load balancer (`cdn` **and** `seccdn`).
 * Remove the main server from `cdn` and `seccdn` in DNS.
 
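Review bot: lowering the TTL only helps if it is done at least one previous-TTL period before the cutover, because resolvers that cached the record under the old TTL keep it for that long; the hunk gives the new value (3600) but neither the old one nor the lead time, so a line such as "do this N days before the migration" would make the plan self-contained. It would also help to say whether 3600 is dropped further (for example to 300) for the actual switch described later, since an hour is a long window if the migration has to be reverted.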

Reduce verbosity of sshd
The INFO level now provides the pubkey fingerprints of logged in users.
diff --git a/posts/usual-server-setup.mdwn b/posts/usual-server-setup.mdwn
index e461a3e..f70beca 100644
--- a/posts/usual-server-setup.mdwn
+++ b/posts/usual-server-setup.mdwn
@@ -86,7 +86,6 @@ and end up with the following settings in `/etc/ssh/sshd_config` (jessie):
     PermitRootLogin no
 
     AcceptEnv LANG LC_* TZ
-    LogLevel VERBOSE
     AllowGroups sshuser
 
 On those servers where I need [duplicity/paramiko to
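Review bot: dropping `LogLevel VERBOSE` loses more than the fingerprints of keys that succeeded. At INFO, sshd logs `Accepted publickey ... SHA256:...` but not the `Failed publickey for ... SHA256:...` lines for keys that were offered and rejected; those are only emitted at VERBOSE until a client is halfway to `MaxAuthTries`. On a host where the point of the logging is to notice someone trying stolen or enumerated keys, keeping VERBOSE and adding logcheck ignore rules for the noisy lines is the safer trade, and the commit message should say which INFO lines now carry the information that motivated VERBOSE in the first place.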

Create missing log files to make logcheck happy
diff --git a/posts/usual-server-setup.mdwn b/posts/usual-server-setup.mdwn
index 62b01f0..e461a3e 100644
--- a/posts/usual-server-setup.mdwn
+++ b/posts/usual-server-setup.mdwn
@@ -140,6 +140,11 @@ and fixing the log rotation configuration by adding the following to
 
     create 644 root adm
 
+I usually create these empty files to silence logcheck errors:
+
+    touch /var/log/mail.{err,warn}
+    chown root:adm /var/log/mail.{err,warn}
+
 I also modify the main logcheck configuration file
 (`/etc/logcheck/logcheck.conf`):
 
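Review bot: `touch` creates the files with whatever mode root's umask yields, so adding `chmod 644 /var/log/mail.{err,warn}` makes this match the `create 644 root adm` logrotate stanza just above regardless of environment. And since logcheck complaining about a missing file usually means nothing is writing to it, it is worth confirming that the `mail.warn` and `mail.err` rules are still present in the rsyslog configuration rather than only silencing the warning.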

Comment moderation
diff --git a/posts/mercurial-commit-series-phabricator-using-arcanist/comment_1_d14f851bb83a648edec489e7a777af2b._comment b/posts/mercurial-commit-series-phabricator-using-arcanist/comment_1_d14f851bb83a648edec489e7a777af2b._comment
new file mode 100644
index 0000000..848e6a0
--- /dev/null
+++ b/posts/mercurial-commit-series-phabricator-using-arcanist/comment_1_d14f851bb83a648edec489e7a777af2b._comment
@@ -0,0 +1,18 @@
+[[!comment format=mdwn
+ ip="195.166.157.111"
+ claimedauthor="Standard8"
+ subject="Missing a useful part"
+ date="2018-08-02T13:31:35Z"
+ content="""
+I think you're missing one useful part to commit series updates.
+
+It is unclear if you let it prompt you for the commit messages & data when you upload, but if you do, then you can follow this slightly easier process.
+
+* upload first patch with `arc diff`, set the reviewer and bug number.
+* Note the \"Dnnnn\" number.
+* upload the second patch, again with `arc diff`. Also set the reviewer and bug number, but this time add to the summary \"Depends on Dnnnn\" (where Dnnnn is the id of the previous patch).
+
+Then you can avoid linking the commits in the phabricator UI.
+
+Also when you then need to update a diff, you can simply do `arc diff` to generate the new version as it already knows what it depends on.
+"""]]

Link to Libravatar revival blogpost
diff --git a/posts/looking-back-on-starting-libravatar.mdwn b/posts/looking-back-on-starting-libravatar.mdwn
index 8b5bcab..cb10af1 100644
--- a/posts/looking-back-on-starting-libravatar.mdwn
+++ b/posts/looking-back-on-starting-libravatar.mdwn
@@ -2,6 +2,8 @@
 [[!meta date="2018-04-02T18:00:00.000-07:00"]]
 [[!meta license="[Creative Commons Attribution-ShareAlike 4.0 International License](http://creativecommons.org/licenses/by-sa/4.0/)"]]
 
+**Update (2018-07-31): [Libravatar is not going away](https://blog.libravatar.org/posts/Libravatar.org_is_not_going_away/)**
+
 As noted on the [official Libravatar
 blog](https://blog.libravatar.org/posts/Libravatar.org_is_shutting_down_on_2018-09-01/),
 I will be shutting the service down on 2018-09-01.

Add a section on amending commits after the fact
diff --git a/posts/mercurial-commit-series-phabricator-using-arcanist.mdwn b/posts/mercurial-commit-series-phabricator-using-arcanist.mdwn
index c485eb3..746fe80 100644
--- a/posts/mercurial-commit-series-phabricator-using-arcanist.mdwn
+++ b/posts/mercurial-commit-series-phabricator-using-arcanist.mdwn
@@ -95,7 +95,7 @@ earliest to latest):
 
 # Link all revisions together
 
-In order to ensure that these commits depend on one another, lick on that
+In order to ensure that these commits depend on one another, click on that
 last [`phabricator.services.mozilla.com`
 link](https://phabricator.services.mozilla.com/D2486), then click "Related
 Revisions" then "Edit Parent Revisions" in the right-hand side bar and then
@@ -107,4 +107,57 @@ revision](https://phabricator.services.mozilla.com/D2485) and repeat the
 same steps to set [D2484](https://phabricator.services.mozilla.com/D2484) as
 its parent.
 
+# Amend one of the commits
+
+As it turns out my first patch wasn't perfect and I needed to amend the
+middle commit to fix some test failures that came up after [pushing to
+Try](https://treeherder.mozilla.org/#/jobs?repo=try&revision=5ec6dd24172c11d5fc498dfcc9e5a0287ade312e).
+I ended up with the following commits (as viewed in `hg histedit`):
+
+    pick ee4d9e9fcbad 477986 Bug 1461515 - Split tracking annotations from tracki...
+    pick c24f4d9e75b9 477992 Bug 1461515 - Fix and expand tracking annotation tes...
+    pick 1840f68978a7 477993 Bug 1461515 - Make TP test fail if it uses the wrong...
+
+which highlights that the last two commits changed and that I would have two
+revisions ([D2485](https://phabricator.services.mozilla.com/D2485) and
+[D2486](https://phabricator.services.mozilla.com/D2486)) to update in
+Phabricator.
+
+However, since the only reason why the third patch has a different commit
+hash is because its parent changed, theres's no need to upload it again to
+Phabricator. [Lando](https://lando.services.mozilla.com/) doesn't care about
+the parent **hash** and relies instead on the parent **revision ID**. It
+essentially applies diffs one at a time.
+
+The trick was to pass the `--update DXXXX` argument to `arc diff`:
+
+    ~/devel/mozilla-unified (annotation-list-1461515)$ hg up c24f4d9e75b9
+    2 files updated, 0 files merged, 0 files removed, 0 files unresolved
+    (leaving bookmark annotation-list-1461515)
+
+    ~/devel/mozilla-unified (c24f4d9)$ arc diff --no-amend --update D2485
+    Linting...
+    No lint engine configured for this project.
+    Running unit tests...
+    No unit test engine is configured for this project.
+     SKIP STAGING  Phabricator does not support staging areas for this repository.
+    Updated an existing Differential revision:
+            Revision URI: https://phabricator.services.mozilla.com/D2485
+
+    Included changes:
+      M       browser/base/content/test/general/trackingPage.html
+      M       netwerk/test/unit/test_trackingProtection_annotateChannels.js
+      M       toolkit/components/antitracking/test/browser/browser_imageCache.js
+      M       toolkit/components/antitracking/test/browser/browser_subResources.js
+      M       toolkit/components/antitracking/test/browser/head.js
+      M       toolkit/components/antitracking/test/browser/popup.html
+      M       toolkit/components/antitracking/test/browser/tracker.js
+      M       toolkit/components/url-classifier/tests/UrlClassifierTestUtils.jsm
+      M       toolkit/components/url-classifier/tests/mochitest/test_trackingprotection_bug1312515.html
+      M       toolkit/components/url-classifier/tests/mochitest/trackingRequest.html
+
+Note that changing the commit message will not automatically update the
+revision details in Phabricator. This has to be done manually in the Web UI
+if required.
+
 [[!tag mozilla]] [[!tag mercurial]]
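Review bot: typo in the added paragraph: "theres's no need" should read "there's no need". On the substance, it would help to say why `--update` is needed at all: with `--no-amend`, arc never writes a `Differential Revision:` line into the commit message, so it has nothing to match the working copy against and would otherwise create a new revision; `--update DXXXX` supplies that association by hand. The observation that Lando relies on the parent revision ID rather than the parent hash is the key point of the section and is best stated before the `hg histedit` listing, so a reader does not start re-uploading D2486.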

Add Phabricator commit series blogpost
diff --git a/posts/mercurial-commit-series-phabricator-using-arcanist.mdwn b/posts/mercurial-commit-series-phabricator-using-arcanist.mdwn
new file mode 100644
index 0000000..c485eb3
--- /dev/null
+++ b/posts/mercurial-commit-series-phabricator-using-arcanist.mdwn
@@ -0,0 +1,110 @@
+[[!meta title="Mercurial commit series in Phabricator using Arcanist"]]
+[[!meta date="2018-08-01T09:00:00:00.000-07:00"]]
+[[!meta license="[Creative Commons Attribution-ShareAlike 4.0 International License](http://creativecommons.org/licenses/by-sa/4.0/)"]]
+
+[Phabricator](https://www.phacility.com/phabricator/) supports multi-commit
+patch series, but it's not yet obvious how to do it using Mercurial. So this
+the "hg" equivalent of [this blog post for git
+users](https://smacleod.ca/posts/commit-series-with-phabricator/ ).
+
+Note that other people have written [tools and
+plugins](https://groups.google.com/d/topic/mozilla.dev.platform/o9f2S0vO47k/discussion)
+to do the same thing and that [an official client is coming
+soon](https://groups.google.com/d/msg/mozilla.dev.platform/LhUq1EUvcfg/yLuTpAhvCAAJ).
+
+# Initial setup
+
+I'm going to assume that you've setup arcanist and gotten an account on the
+[Mozilla Phabricator instance](https://phabricator.services.mozilla.com/).
+If you haven't, follow this [video
+introduction](https://www.youtube.com/watch?reload=9&v=3e-eaeeIDXk) or the
+[excellent
+documentation](https://moz-conduit.readthedocs.io/en/latest/phabricator-user.html)
+for it (Bryce also wrote additionnal [instructions for Windows
+users](https://www.brycevandyk.com/setting-up-arcanist-for-mozilla-development-on-windows/)).
+
+# Make a list of commits to submit
+
+First of all, use `hg histedit` to make a list of the commits that are needed:
+
+    pick ee4d9e9fcbad 477986 Bug 1461515 - Split tracking annotations from tracki...
+    pick 5509b5db01a4 477987 Bug 1461515 - Fix and expand tracking annotation tes...
+    pick e40312debf76 477988 Bug 1461515 - Make TP test fail if it uses the wrong...
+
+# Create Phabricator revisions
+
+Now, create a Phabricator *revision* for each commit (in order, from
+earliest to latest):
+
+    ~/devel/mozilla-unified (annotation-list-1461515)$ hg up ee4d9e9fcbad
+    5 files updated, 0 files merged, 0 files removed, 0 files unresolved
+    (leaving bookmark annotation-list-1461515)
+
+    ~/devel/mozilla-unified (ee4d9e9)$ arc diff --no-amend
+    Linting...
+    No lint engine configured for this project.
+    Running unit tests...
+    No unit test engine is configured for this project.
+     SKIP STAGING  Phabricator does not support staging areas for this repository.
+    Created a new Differential revision:
+            Revision URI: https://phabricator.services.mozilla.com/D2484
+
+    Included changes:
+      M       modules/libpref/init/all.js
+      M       netwerk/base/nsChannelClassifier.cpp
+      M       netwerk/base/nsChannelClassifier.h
+      M       toolkit/components/url-classifier/Classifier.cpp
+      M       toolkit/components/url-classifier/SafeBrowsing.jsm
+      M       toolkit/components/url-classifier/nsUrlClassifierDBService.cpp
+      M       toolkit/components/url-classifier/tests/UrlClassifierTestUtils.jsm
+      M       toolkit/components/url-classifier/tests/mochitest/test_trackingprotection_bug1312515.html
+      M       xpcom/base/ErrorList.py
+
+    ~/devel/mozilla-unified (ee4d9e9)$ hg up 5509b5db01a4
+    3 files updated, 0 files merged, 0 files removed, 0 files unresolved
+
+    ~/devel/mozilla-unified (5509b5d)$ arc diff --no-amend
+    Linting...
+    No lint engine configured for this project.
+    Running unit tests...
+    No unit test engine is configured for this project.
+     SKIP STAGING  Phabricator does not support staging areas for this repository.
+    Created a new Differential revision:
+            Revision URI: https://phabricator.services.mozilla.com/D2485
+
+    Included changes:
+      M       toolkit/components/url-classifier/tests/UrlClassifierTestUtils.jsm
+      M       toolkit/components/url-classifier/tests/mochitest/test_trackingprotection_bug1312515.html
+      M       toolkit/components/url-classifier/tests/mochitest/trackingRequest.html
+
+    ~/devel/mozilla-unified (5509b5d)$ hg up e40312debf76
+    2 files updated, 0 files merged, 0 files removed, 0 files unresolved
+
+    ~/devel/mozilla-unified (e40312d)$ arc diff --no-amend
+    Linting...
+    No lint engine configured for this project.
+    Running unit tests...
+    No unit test engine is configured for this project.
+     SKIP STAGING  Phabricator does not support staging areas for this repository.
+    Created a new Differential revision:
+            Revision URI: https://phabricator.services.mozilla.com/D2486
+
+    Included changes:
+      M       toolkit/components/url-classifier/tests/mochitest/classifiedAnnotatedPBFrame.html
+      M       toolkit/components/url-classifier/tests/mochitest/test_privatebrowsing_trackingprotection.html
+
+# Link all revisions together
+
+In order to ensure that these commits depend on one another, lick on that
+last [`phabricator.services.mozilla.com`
+link](https://phabricator.services.mozilla.com/D2486), then click "Related
+Revisions" then "Edit Parent Revisions" in the right-hand side bar and then
+add the previous commit
+([D2485](https://phabricator.services.mozilla.com/D2485) in this example).
+
+Then go to [that parent
+revision](https://phabricator.services.mozilla.com/D2485) and repeat the
+same steps to set [D2484](https://phabricator.services.mozilla.com/D2484) as
+its parent.
+
+[[!tag mozilla]] [[!tag mercurial]]
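Review bot: the `date` meta value `2018-08-01T09:00:00:00.000-07:00` has one `:00` too many for ISO 8601 (the time part should be `09:00:00.000`), which ikiwiki's date parser may reject or misorder in the feed. Wording fixes in the same hunk: "So this the "hg" equivalent" is missing "is", "setup arcanist" should be "set up arcanist", "additionnal" should be "additional", "lick on that" should be "click on that", and the git-users link has a stray space before its closing parenthesis. The manual "Edit Parent Revisions" step can also be avoided by putting "Depends on Dnnnn" in the summary when uploading, as the first comment on this post points out; mentioning that alternative here would save readers a round trip through the web UI.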

Comment moderation
diff --git a/posts/recovering-from-botched-mercurial-bookmark-histedit/comment_2_95f87a12f7409c2774c54b9cf818cf2a._comment b/posts/recovering-from-botched-mercurial-bookmark-histedit/comment_2_95f87a12f7409c2774c54b9cf818cf2a._comment
new file mode 100644
index 0000000..108e753
--- /dev/null
+++ b/posts/recovering-from-botched-mercurial-bookmark-histedit/comment_2_95f87a12f7409c2774c54b9cf818cf2a._comment
@@ -0,0 +1,15 @@
+[[!comment format=mdwn
+ username="sphink@fbb18a7777e2e0ef4afb7f7c664405c496334047"
+ nickname="sphink"
+ avatar="http://cdn.libravatar.org/avatar/d269c0228684029dedb75d73b81a64c3"
+ subject="alternative"
+ date="2018-07-28T00:09:31Z"
+ content="""
+I would expect that you would do the unbundle, then move your bookmark back to 'tip' (which should be last unbundled changeset). I would think:
+
+    hg unbundle ~/devel/mozilla-unified/.hg/strip-backup/47906774d58d-ae1953e1-backup.hg
+    hg bookmark -r tip hashstore-crash-1434206-recovered
+
+though I would probably do `hg log -G` to verify it's the one you want. Or `hg log --template list -G`.
+
+"""]]

Comment moderation
diff --git a/posts/recovering-from-botched-mercurial-bookmark-histedit/comment_1_79745417458229f91cdb2f08049182d1._comment b/posts/recovering-from-botched-mercurial-bookmark-histedit/comment_1_79745417458229f91cdb2f08049182d1._comment
new file mode 100644
index 0000000..811601d
--- /dev/null
+++ b/posts/recovering-from-botched-mercurial-bookmark-histedit/comment_1_79745417458229f91cdb2f08049182d1._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ ip="50.100.182.11"
+ claimedauthor="Connor"
+ subject="comment 1"
+ date="2018-07-27T14:04:56Z"
+ content="""
+You should check out the evolve extension. `pip install hg-evolve`
+"""]]

Add post on `hg histedit`
diff --git a/posts/recovering-from-botched-mercurial-bookmark-histedit.mdwn b/posts/recovering-from-botched-mercurial-bookmark-histedit.mdwn
new file mode 100644
index 0000000..a80567d
--- /dev/null
+++ b/posts/recovering-from-botched-mercurial-bookmark-histedit.mdwn
@@ -0,0 +1,92 @@
+[[!meta title="Recovering from a botched hg histedit on a mercurial bookmark"]]
+[[!meta date="2018-07-26T22:42:00:00.000-07:00"]]
+[[!meta license="[Creative Commons Attribution-ShareAlike 4.0 International License](http://creativecommons.org/licenses/by-sa/4.0/)"]]
+
+If you are in the middle of a failed
+[Mercurial](https://www.mercurial-scm.org/) `hg histedit`, you can normally
+do `hg histedit --abort` to cancel it, though sometimes you also have to
+reach out for `hg update -C`. This is the equivalent of
+[git](https://git-scm.com/)'s `git rebase --abort` and it does what you'd
+expect.
+
+However, if you go ahead and finish the history rewriting and only notice
+problems later, it's not as straighforward. With git, I'd look into the
+[reflog](https://www.atlassian.com/git/tutorials/rewriting-history/git-reflog)
+(`git reflog`) for the previous value of the branch pointer and simply `git
+reset --hard` to that value. Done.
+
+Based on a [Stack Overflow
+answer](https://stackoverflow.com/questions/43742808/how-do-i-recover-from-a-botched-histedit-in-mercurial),
+I thought I could undo my botched histedit using:
+
+    hg unbundle ~/devel/mozilla-unified/.hg/strip-backup/47906774d58d-ae1953e1-backup.hg
+
+but it didn't seem to work. Maybe it doesn't work when using
+[bookmarks](https://www.mercurial-scm.org/wiki/Bookmarks).
+
+Here's what I ended up doing to fully revert my botched Mercurial
+[histedit](https://www.mercurial-scm.org/wiki/HisteditExtension). If you
+know of a simpler way to do this, feel free to leave a comment.
+
+# Collecting the commits to restore
+
+The first step was to collect all of the commits hashes I needed to restore.
+Luckily, I had sumitted my patch to
+[Try](https://wiki.mozilla.org/ReleaseEngineering/TryServer) before changing
+it and so I was able to look at the
+[pushlog](https://hg.mozilla.org/users/fmarier_mozilla.com/mozilla-unified/rev/hashstore-crash-1434206)
+to get all of the commits at once.
+
+If I didn't have that, I could also go to the [last bookmark I
+pushed](https://hg.mozilla.org/users/fmarier_mozilla.com/mozilla-unified/rev/hashstore-crash-1434206)
+and click on parent commits until I hit the [first one that's not
+mine](https://hg.mozilla.org/users/fmarier_mozilla.com/mozilla-unified/rev/ff8505d177b9).
+Then I could collect all of the commits using the browser's back button:
+
+- <https://hg.mozilla.org/users/fmarier_mozilla.com/mozilla-unified/rev/3c31c543e736>
+- <https://hg.mozilla.org/users/fmarier_mozilla.com/mozilla-unified/rev/7ddfe5ae2fa6>
+- <https://hg.mozilla.org/users/fmarier_mozilla.com/mozilla-unified/rev/c04b620136c7>
+- <https://hg.mozilla.org/users/fmarier_mozilla.com/mozilla-unified/rev/2d1bf04fd155>
+- <https://hg.mozilla.org/users/fmarier_mozilla.com/mozilla-unified/rev/e194843f5b7a>
+- <https://hg.mozilla.org/users/fmarier_mozilla.com/mozilla-unified/rev/47906774d58d>
+- <https://hg.mozilla.org/users/fmarier_mozilla.com/mozilla-unified/rev/f6a657bca64f>
+- <https://hg.mozilla.org/users/fmarier_mozilla.com/mozilla-unified/rev/0d7a4e1c0079>
+- <https://hg.mozilla.org/users/fmarier_mozilla.com/mozilla-unified/rev/976e25b49758>
+- <https://hg.mozilla.org/users/fmarier_mozilla.com/mozilla-unified/rev/a1a382f2e773>
+- <https://hg.mozilla.org/users/fmarier_mozilla.com/mozilla-unified/rev/b1565f3aacdb>
+- <https://hg.mozilla.org/users/fmarier_mozilla.com/mozilla-unified/rev/3fdd157bb698>
+- <https://hg.mozilla.org/users/fmarier_mozilla.com/mozilla-unified/rev/b1b041990577>
+- <https://hg.mozilla.org/users/fmarier_mozilla.com/mozilla-unified/rev/220bf5cd9e2a>
+- <https://hg.mozilla.org/users/fmarier_mozilla.com/mozilla-unified/rev/c927a5205abe>
+- <https://hg.mozilla.org/users/fmarier_mozilla.com/mozilla-unified/rev/4140cd9c67b0>
+
+For that last one, I had to click on the changeset commit hash link in order to
+get the commit hash instead of the name of the bookmark (`/rev/hashstore-crash-1434206`).
+
+# Recreating the branch from scratch
+
+This is what did to export patches for each commit and then re-import them
+one after the other:
+
+    for c in 3c31c543e736 7ddfe5ae2fa6 c04b620136c7 2d1bf04fd155 e194843f5b7a 47906774d58d f6a657bca64f 0d7a4e1c0079 976e25b49758 a1a382f2e773 b1565f3aacdb 3fdd157bb698 b1b041990577 220bf5cd9e2a c927a5205abe ; do hg export $c > ~/$c.patch ; done
+    hg up ff8505d177b9
+    hg bookmarks hashstore-crash-1434206-new
+    for c in 3c31c543e736 7ddfe5ae2fa6 c04b620136c7 2d1bf04fd155 e194843f5b7a 47906774d58d f6a657bca64f 0d7a4e1c0079 976e25b49758 a1a382f2e773 b1565f3aacdb 3fdd157bb698 b1b041990577 220bf5cd9e2a c927a5205abe 4140cd9c67b0 ; do hg import ~/$c.patch ; done
+
+# Copying a bookmark
+
+As an aside, if you want to make a copy of a bookmark before you do an `hg
+histedit`, it's not as simple as:
+
+    hg up hashstore-crash-1434206
+    hg bookmarks hashstore-crash-1434206-copy
+    hg up hashstore-crash-1434206
+
+While that seemed to work at the time, the `histedit` ended up messing with
+both of them.
+
+An alternative that works is to push the bookmark to another machine. That
+way if worse comes to worse, you can `hg clone` from there and `hg export`
+the commits you want to re-import using `hg import`.
+
+[[!tag mozilla]] [[!tag mercurial]]
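Review bot: the export loop and the import loop disagree: the first lists fifteen hashes and stops at `c927a5205abe`, while the second also imports `4140cd9c67b0`, so as written `hg import ~/4140cd9c67b0.patch` fails with a missing file unless that last commit was exported separately (the text says it had to be looked up differently, not that it was exported). The date meta has the same extra `:00` as the Phabricator post (`22:42:00:00.000`). Smaller fixes: "straighforward", "sumitted", "This is what did" (missing "I") and "worse comes to worse" (worst comes to worst). It would also be worth recording that `hg export` followed by `hg import` produces new hashes while keeping author and date, and testing the `hg bookmark -r tip` step suggested in the first comment after `hg unbundle`, since that may be why the unbundle appeared not to work with a bookmark.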

Rephrase a sentence to hopefully force a regeneration of this page
diff --git a/posts.mdwn b/posts.mdwn
index 2bd0f1d..663a69d 100644
--- a/posts.mdwn
+++ b/posts.mdwn
@@ -1,3 +1,3 @@
-Here is a full list of posts to the [[blog|index]].
+Here's a full list of the posts on this [[blog|index]]:
 
 [[!inline pages="page(./posts/*) and !*/Discussion" archive=yes feedshow=10 quick=yes trail=yes]]

Fix post title again, hopefully for the last time
diff --git a/posts/asterisk-everyone-busy-congested-at-this-time.mdwn b/posts/asterisk-everyone-busy-congested-at-this-time.mdwn
index a1a9b58..4fad7a3 100644
--- a/posts/asterisk-everyone-busy-congested-at-this-time.mdwn
+++ b/posts/asterisk-everyone-busy-congested-at-this-time.mdwn
@@ -1,5 +1,5 @@
-[[!meta title='Mysterious "everybody is busy/congested at this time" error in Asterisk']]
-[[!meta date="2018-06-10T18:55:00.000-07:00"]]
+[[!meta title="Mysterious 'everybody is busy/congested at this time' error in Asterisk"]]
+[[!meta date="2018-06-10T19:00:00.000-07:00"]]
 [[!meta license="[Creative Commons Attribution-ShareAlike 4.0 International License](http://creativecommons.org/licenses/by-sa/4.0/)"]]
 
 I was trying to figure out why I was getting a BUSY signal from

Fix broken markup in post title
diff --git a/posts/asterisk-everyone-busy-congested-at-this-time.mdwn b/posts/asterisk-everyone-busy-congested-at-this-time.mdwn
index b436139..a1a9b58 100644
--- a/posts/asterisk-everyone-busy-congested-at-this-time.mdwn
+++ b/posts/asterisk-everyone-busy-congested-at-this-time.mdwn
@@ -1,4 +1,4 @@
-[[!meta title="Mysterious \"everybody is busy/congested at this time\" error in Asterisk"]]
+[[!meta title='Mysterious "everybody is busy/congested at this time" error in Asterisk']]
 [[!meta date="2018-06-10T18:55:00.000-07:00"]]
 [[!meta license="[Creative Commons Attribution-ShareAlike 4.0 International License](http://creativecommons.org/licenses/by-sa/4.0/)"]]
 

Fix post title
diff --git a/posts/asterisk-everyone-busy-congested-at-this-time.mdwn b/posts/asterisk-everyone-busy-congested-at-this-time.mdwn
index 6181290..b436139 100644
--- a/posts/asterisk-everyone-busy-congested-at-this-time.mdwn
+++ b/posts/asterisk-everyone-busy-congested-at-this-time.mdwn
@@ -1,4 +1,4 @@
-[[!meta title="Running mythtv-setup over ssh"]]
+[[!meta title="Mysterious \"everybody is busy/congested at this time\" error in Asterisk"]]
 [[!meta date="2018-06-10T18:55:00.000-07:00"]]
 [[!meta license="[Creative Commons Attribution-ShareAlike 4.0 International License](http://creativecommons.org/licenses/by-sa/4.0/)"]]
 

creating tag page tags/asterisk
diff --git a/tags/asterisk.mdwn b/tags/asterisk.mdwn
new file mode 100644
index 0000000..7389596
--- /dev/null
+++ b/tags/asterisk.mdwn
@@ -0,0 +1,4 @@
+[[!meta title="pages tagged asterisk"]]
+
+[[!inline pages="tagged(asterisk)" actions="no" archive="yes"
+feedshow=10]]

Add asterisk "busy/congested" post
diff --git a/posts/asterisk-everyone-busy-congested-at-this-time.mdwn b/posts/asterisk-everyone-busy-congested-at-this-time.mdwn
new file mode 100644
index 0000000..6181290
--- /dev/null
+++ b/posts/asterisk-everyone-busy-congested-at-this-time.mdwn
@@ -0,0 +1,101 @@
+[[!meta title="Running mythtv-setup over ssh"]]
+[[!meta date="2018-06-10T18:55:00.000-07:00"]]
+[[!meta license="[Creative Commons Attribution-ShareAlike 4.0 International License](http://creativecommons.org/licenses/by-sa/4.0/)"]]
+
+I was trying to figure out why I was getting a BUSY signal from
+[Asterisk](https://www.asterisk.org/) while trying to ring a SIP phone even
+though that phone was not in use.
+
+My asterisk setup looks like this:
+
+    phone 1 <--SIP--> asterisk 1 <==IAX2==> asterisk 2 <--SIP--> phone 2
+
+While I couldn't call SIP phone #2 from SIP phone #1, the reverse was
+working fine (ringing #1 from #2). So it's not a network/firewall problem.
+The two SIP phones can talk to one another through their respective Asterisk
+servers.
+
+This is the error message I could see on the second asterisk server:
+
+    $ asterisk -r
+    ...
+      == Using SIP RTP TOS bits 184
+      == Using SIP RTP CoS mark 5
+        -- Called SIP/12345
+        -- SIP/12345-00000002 redirecting info has changed, passing it to IAX2/iaxuser-6347
+        -- SIP/12345-00000002 is busy
+      == Everyone is busy/congested at this time (1:1/0/0)
+        -- Executing [12345@local:2] Goto("IAX2/iaxuser-6347", "in12345-BUSY,1") in new stack
+        -- Goto (local,in12345-BUSY,1)
+        -- Executing [in12345-BUSY@local:1] Hangup("IAX2/iaxuser-6347", "17") in new stack
+      == Spawn extension (local, in12345-BUSY, 1) exited non-zero on 'IAX2/iaxuser-6347'
+        -- Hungup 'IAX2/iaxuser-6347'
+
+where:
+
+- `12345` is the extension of SIP phone #2 on Asterisk server #2
+- `iaxuser` is the user account on server #2 that server #1 uses
+- `local` is the *context* that for incoming IAX calls on server #1
+
+This `Everyone is busy/congested at this time (1:1/0/0)` was surprising
+since looking at each SIP channel on that server showed nobody as busy:
+
+    asterisk2*CLI> sip show inuse
+    * Peer name               In use          Limit           
+    12345                     0/0/0           2               
+
+So I enabled the raw SIP debug output and got the following (edited for
+clarity):
+
+    asterisk2*CLI> sip set debug on
+    SIP Debugging enabled
+    
+      == Using SIP RTP TOS bits 184
+      == Using SIP RTP CoS mark 5
+    
+    INVITE sip:12345@192.168.0.4:2048;line=m2vlbuoc SIP/2.0
+    Via: SIP/2.0/UDP 192.168.0.2:5060
+    From: "Francois Marier" <sip:67890@192.168.0.2>
+    To: <sip:12345@192.168.0.4:2048;line=m2vlbuoc>
+    CSeq: 102 INVITE
+    User-Agent: Asterisk PBX
+    Contact: <sip:67890@192.168.0.2:5060>
+    Content-Length: 274
+    
+        -- Called SIP/12345
+    
+    <--- SIP read from UDP:192.168.0.4:2048 --->
+    SIP/2.0 100 Trying
+    Via: SIP/2.0/UDP 192.168.0.2:5060
+    From: "Francois Marier" <sip:67890@192.168.0.2>
+    To: <sip:12345@192.168.0.4:2048;line=m2vlbuoc>
+    CSeq: 102 INVITE
+    User-Agent: snom300
+    Contact: <sip:12345@192.168.0.4:2048;line=m2vlbuoc>
+    Content-Length: 0
+    
+    <------------->
+    --- (9 headers 0 lines) ---
+    
+    <--- SIP read from UDP:192.168.0.4:2048 --->
+    SIP/2.0 480 Do Not Disturb
+    Via: SIP/2.0/UDP 192.168.0.2:5060
+    From: "Francois Marier" <sip:67890@192.168.0.2>
+    To: <sip:12345@192.168.0.4:2048;line=m2vlbuoc>
+    CSeq: 102 INVITE
+    User-Agent: snom300
+    Contact: <sip:12345@192.168.0.4:2048;line=m2vlbuoc>
+    Content-Length: 0
+
+where:
+
+- `12345` is the extension of SIP phone #2 on Asterisk server #2
+- `67890` is the extension of SIP phone #1 on Asterisk server #2
+- `192.168.0.4` is the IP address of SIP phone #2
+- `192.168.0.1` is the IP address of Asterisk server #2
+
+From there, I can see that SIP phone #2 is returning a status of `408 Do Not
+Disturb`. That's what the problem was: **the phone itself was in DnD mode
+and set to reject all incoming calls**.
+
+[[!tag asterisk]] [[!tag nzoss]]
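Review bot: the conclusion says the phone returned `408 Do Not Disturb`, but the trace shows `SIP/2.0 480 Do Not Disturb`; per RFC 3261, 480 is Temporarily Unavailable (with a free-form reason phrase chosen by the phone) and 408 is Request Timeout, so the number in the last paragraph should be 480. The second "where" list says `192.168.0.1` is Asterisk server #2, but every `Via`, `From` and `Contact` header in the trace uses `192.168.0.2`. The `[[!meta title]]` still reads "Running mythtv-setup over ssh" (corrected in a later commit on this page), and "the *context* that for incoming IAX calls" has a stray "that". Since the debug output includes the caller's display name and internal addresses, "edited for clarity" is a good place to say what was removed.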

Comment moderation
diff --git a/posts/time-synchronization-with-ntp-and-systemd/comment_5_eef2612fa5fd51ce24329641c0d25c86._comment b/posts/time-synchronization-with-ntp-and-systemd/comment_5_eef2612fa5fd51ce24329641c0d25c86._comment
new file mode 100644
index 0000000..f3fda45
--- /dev/null
+++ b/posts/time-synchronization-with-ntp-and-systemd/comment_5_eef2612fa5fd51ce24329641c0d25c86._comment
@@ -0,0 +1,12 @@
+[[!comment format=mdwn
+ ip="128.171.1.2"
+ claimedauthor="Robin"
+ subject="&quot;NTP synchronized&quot; => &quot;systemd-timesyncd.service active&quot;"
+ date="2018-05-25T03:01:43Z"
+ content="""
+NOTE: This commit changed the output:
+
+https://github.com/systemd/systemd/commit/3ec530a1890925efe347f739917dd4078c1b1942
+
+\"NTP synchronized\" => \"systemd-timesyncd.service active\"
+"""]]

Remove all affiliate links
I never got anything out of them and don't want to have to read about the
rules for how to do those correctly (e.g. FTC guidelines in the US).
diff --git a/posts/creating-a-linode-based-vpn-setup-using_openvpn_on_debian_or_ubuntu.mdwn b/posts/creating-a-linode-based-vpn-setup-using_openvpn_on_debian_or_ubuntu.mdwn
index e18ea5e..c9aacdc 100644
--- a/posts/creating-a-linode-based-vpn-setup-using_openvpn_on_debian_or_ubuntu.mdwn
+++ b/posts/creating-a-linode-based-vpn-setup-using_openvpn_on_debian_or_ubuntu.mdwn
@@ -16,7 +16,7 @@ VPN is a faster way to connect to sites that already know you.
 
 Here are my instructions for setting up [OpenVPN](http://openvpn.net/) on
 Debian / Ubuntu machines where the VPN server is located on a cheap
-[Linode](https://www.linode.com/?r=4f882417aa3809652b227d6d9c25b2a0472c6cff)
+[Linode](https://www.linode.com/)
 virtual private server. They are largely based on the
 [instructions found on the Debian wiki](https://wiki.debian.org/openvpn%20for%20server%20and%20client).
 
@@ -70,9 +70,7 @@ and generate the keys:
 
 # Configuring the server
 
-On my server, a
-[Linode VPS](https://www.linode.com/?r=4f882417aa3809652b227d6d9c25b2a0472c6cff)
-called `hafnarfjordur.fmarier.org`, I installed the
+On my server, called `hafnarfjordur.fmarier.org`, I installed the
 [openvpn package](http://packages.debian.org/stable/openvpn):
 
     apt-get install openvpn
diff --git a/posts/ipv6-and-openvpn-on-linode.mdwn b/posts/ipv6-and-openvpn-on-linode.mdwn
index f118113..3560624 100644
--- a/posts/ipv6-and-openvpn-on-linode.mdwn
+++ b/posts/ipv6-and-openvpn-on-linode.mdwn
@@ -16,9 +16,7 @@ The first thing you need to do is get a new IPv6 address block (or "pool" as
 Linode calls it) from which you can allocate a single address to each VPN
 client that connects to the server.
 
-If you are using a
-[Linode VPS](https://www.linode.com/?r=4f882417aa3809652b227d6d9c25b2a0472c6cff),
-there are
+If you are using a [Linode VPS](https://www.linode.com/), there are
 [instructions on how to request a new IPv6 pool](https://www.linode.com/docs/networking/native-ipv6-networking#additional-ipv6-addresses).
 Note that you need to get an address block **between `/64` and `/112`**. A
 `/116` like Linode offers won't work in [OpenVPN](https://openvpn.net/). Thankfully, Linode
diff --git a/posts/letting-someone-ssh-into-your-laptop-using-pagekite.mdwn b/posts/letting-someone-ssh-into-your-laptop-using-pagekite.mdwn
index e16ca62..193242e 100644
--- a/posts/letting-someone-ssh-into-your-laptop-using-pagekite.mdwn
+++ b/posts/letting-someone-ssh-into-your-laptop-using-pagekite.mdwn
@@ -4,13 +4,13 @@
 
 In order to [investigate a bug I was running into](https://github.com/mozilla/rr/issues/1537), I recently had to give
 [my colleague](http://robert.ocallahan.org/) ssh access to my laptop behind a firewall. The easiest way
-I found to do this was to create an account for him on my laptop and setup a
-[pagekite](https://pagekite.net/wiki/OpenSource/) frontend on my
-[Linode server](https://www.linode.com/?r=4f882417aa3809652b227d6d9c25b2a0472c6cff) and a pagekite backend on my laptop.
+I found to do this was to create an account for him on my laptop, and setup a
+[pagekite](https://pagekite.net/wiki/OpenSource/) frontend on my personal server
+and a pagekite backend on my laptop.
 
 # Frontend setup
 
-Setting up my Linode server in order to make the ssh service accessible and
+Setting up my server in order to make the ssh service accessible and
 proxy the traffic to my laptop was fairly straightforward.
 
 First, I had to install the
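Review bot: style on the rewritten line, "create an account for him on my laptop, and setup a pagekite frontend": `setup` is the noun, `set up` is the verb, so this should read "and set up a pagekite frontend"; the comma before "and" is also unnecessary.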
diff --git a/posts/running-your-own-xmpp-server-debian-ubuntu.mdwn b/posts/running-your-own-xmpp-server-debian-ubuntu.mdwn
index 3213970..359938b 100644
--- a/posts/running-your-own-xmpp-server-debian-ubuntu.mdwn
+++ b/posts/running-your-own-xmpp-server-debian-ubuntu.mdwn
@@ -3,8 +3,7 @@
 [[!meta license="[Creative Commons Attribution-ShareAlike 4.0 International License](http://creativecommons.org/licenses/by-sa/4.0/)"]]
 
 In order to get closer to my goal of reducing my dependence on centralized
-services, I decided to setup my own XMPP / Jabber server on a
-[Linode VPS](https://www.linode.com/?r=4f882417aa3809652b227d6d9c25b2a0472c6cff)
+services, I decided to setup my own XMPP / Jabber server on a server
 running [Debian wheezy](http://www.debian.org/releases/wheezy/). I chose
 [ejabberd](http://www.ejabberd.im/) since it was recommended by the
 [RTC Quick Start](http://www.rtcquickstart.org/) website and here's how I
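Review bot: same verb form issue on the rewritten line, "I decided to setup my own XMPP / Jabber server on a server": `set up` is the verb, and "server on a server" reads awkwardly now that the Linode link is gone; "on a machine running Debian wheezy" would avoid the repetition.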
diff --git a/posts/using-openvpn-on-android-lollipop.mdwn b/posts/using-openvpn-on-android-lollipop.mdwn
index ecc7bb6..74d3e6e 100644
--- a/posts/using-openvpn-on-android-lollipop.mdwn
+++ b/posts/using-openvpn-on-android-lollipop.mdwn
@@ -2,9 +2,7 @@
 [[!meta date="2015-04-03T16:45:00.000+13:00"]]
 [[!meta license="[Creative Commons Attribution-ShareAlike 4.0 International License](http://creativecommons.org/licenses/by-sa/4.0/)"]]
 
-I use my
-[Linode VPS](https://www.linode.com/?r=4f882417aa3809652b227d6d9c25b2a0472c6cff)
-as a VPN endpoint for my laptop when I'm using untrusted networks and I
+I use my personal server as a VPN endpoint for my laptop when I'm using untrusted networks and I
 wanted to do the same on my Android 5 (Lollipop) phone.
 
 It turns out that it's quite easy to do (doesn't require rooting your phone)

Fix disappearing instruction in user comment
diff --git a/posts/reinstalling-grub-on-unbootable-debian/comment_1_a230444cac2eb55bee01b0ec698fda2a._comment b/posts/reinstalling-grub-on-unbootable-debian/comment_1_a230444cac2eb55bee01b0ec698fda2a._comment
index 0e51508..44ae82e 100644
--- a/posts/reinstalling-grub-on-unbootable-debian/comment_1_a230444cac2eb55bee01b0ec698fda2a._comment
+++ b/posts/reinstalling-grub-on-unbootable-debian/comment_1_a230444cac2eb55bee01b0ec698fda2a._comment
@@ -15,7 +15,7 @@ Or, if you'd rather just boot into the system and fix it from there, I use somet
   
     configfile (hd0,0)/boot/grub/menu.lst
 
-<press escape>
+(press escape)
 
 
 """]]

Improve formatting of user comments
diff --git a/posts/reinstalling-grub-on-unbootable-debian/comment_1_a230444cac2eb55bee01b0ec698fda2a._comment b/posts/reinstalling-grub-on-unbootable-debian/comment_1_a230444cac2eb55bee01b0ec698fda2a._comment
index de32904..0e51508 100644
--- a/posts/reinstalling-grub-on-unbootable-debian/comment_1_a230444cac2eb55bee01b0ec698fda2a._comment
+++ b/posts/reinstalling-grub-on-unbootable-debian/comment_1_a230444cac2eb55bee01b0ec698fda2a._comment
@@ -3,17 +3,18 @@
  subject=""
  date="2009-06-09T06:11:56.908+12:00"
  content="""
-The method I use is to boot another copy of Grub from somewhere (bootable CD, USB stick, or network boot -- it's easy to boot grub from any of these). Then, from the prompt, something like  
+The method I use is to boot another copy of Grub from somewhere (bootable CD, USB stick, or network boot -- it's easy to boot grub from any of these). Then, from the prompt, something like:
   
-root (hd0,0)  
-setup (hd0)  
-reboot  
+    root (hd0,0)
+    setup (hd0)
+    reboot
   
-is all you need to install grub onto the disk.  
+is all you need to install grub onto the disk.
   
-Or, if you'd rather just boot into the system and fix it from there, I use something like  
+Or, if you'd rather just boot into the system and fix it from there, I use something like:
   
-configfile (hd0,0)/boot/grub/menu.lst  
+    configfile (hd0,0)/boot/grub/menu.lst
+
 <press escape>
 
 
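Review bot: the `<press escape>` context line at the end of this hunk is still a bare angle-bracketed string, so markdown will treat it as an HTML tag and the instruction disappears from the rendered comment; the later "Fix disappearing instruction in user comment" commit addresses it, but it would have fit naturally in this formatting pass alongside the indented code blocks.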
diff --git a/posts/reinstalling-grub-on-unbootable-debian/comment_2_262c218d575a3f8b0fe9c07f72434230._comment b/posts/reinstalling-grub-on-unbootable-debian/comment_2_262c218d575a3f8b0fe9c07f72434230._comment
index 703e75f..65ead62 100644
--- a/posts/reinstalling-grub-on-unbootable-debian/comment_2_262c218d575a3f8b0fe9c07f72434230._comment
+++ b/posts/reinstalling-grub-on-unbootable-debian/comment_2_262c218d575a3f8b0fe9c07f72434230._comment
@@ -4,5 +4,5 @@
  subject="Need one extra step on Debian Jessie"
  date="2018-05-13T20:26:19Z"
  content="""
-I followed your instruction but it did not work.  It turns out that I need to run one additional command, \"grub-mkconfig\" (because I have changed the boot partition).  After that, the computer was able to boot successfully.
+I followed your instruction but it did not work.  It turns out that I need to run one additional command, `grub-mkconfig` (because I have changed the boot partition).  After that, the computer was able to boot successfully.
 """]]

Comment moderation
diff --git a/posts/reinstalling-grub-on-unbootable-debian/comment_2_262c218d575a3f8b0fe9c07f72434230._comment b/posts/reinstalling-grub-on-unbootable-debian/comment_2_262c218d575a3f8b0fe9c07f72434230._comment
new file mode 100644
index 0000000..703e75f
--- /dev/null
+++ b/posts/reinstalling-grub-on-unbootable-debian/comment_2_262c218d575a3f8b0fe9c07f72434230._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ ip="108.200.55.112"
+ claimedauthor="Toan Tran"
+ subject="Need one extra step on Debian Jessie"
+ date="2018-05-13T20:26:19Z"
+ content="""
+I followed your instruction but it did not work.  It turns out that I need to run one additional command, \"grub-mkconfig\" (because I have changed the boot partition).  After that, the computer was able to boot successfully.
+"""]]

Add mythtv-setup over ssh post
diff --git a/posts/mythtv-setup-over-ssh.mdwn b/posts/mythtv-setup-over-ssh.mdwn
new file mode 100644
index 0000000..e77957f
--- /dev/null
+++ b/posts/mythtv-setup-over-ssh.mdwn
@@ -0,0 +1,30 @@
+[[!meta title="Running mythtv-setup over ssh"]]
+[[!meta date="2018-05-13T13:55:00.000-07:00"]]
+[[!meta license="[Creative Commons Attribution-ShareAlike 4.0 International License](http://creativecommons.org/licenses/by-sa/4.0/)"]]
+
+In order to configure a remote [MythTV](https://www.mythtv.org/) server, I
+had to run `mythtv-setup` remotely over an ssh connection with X forwarding:
+
+    ssh -X mythtv@machine
+
+For most config options, I can either use the configuration menus inside of
+of `mythfrontend` (over a [vnc
+connection](https://feeding.cloud.geek.nz/posts/high-latency-vnc-tech-support/))
+or the *Settings* section of
+[MythWeb](https://www.mythtv.org/detail/mythweb), but some of the backend
+and tuner settings are only available through the main setup program.
+
+Unfortunately, `mythtv-setup` won't work over an ssh connection by default
+and prints the following error in the terminal:
+
+    $ mythtv-setup
+    ...
+    W  OpenGL: Could not determine whether Sync to VBlank is enabled.
+    Handling Segmentation fault
+    Segmentation fault (core dumped)
+
+The fix for this was to specify a different theme engine:
+
+    mythtv-setup -O ThemePainter=qt
+
+[[!tag mythtv]]
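Review bot: typo at the start of the second paragraph, "inside of / of `mythfrontend`" repeats "of" across the line break. Worth a caveat next to `ssh -X` as well: X11 forwarding lets X clients run as the remote `mythtv` account talk to the local display, and on Debian the default `ForwardX11Trusted yes` in `/etc/ssh/ssh_config` makes `-X` behave like `-Y`, so this is only appropriate towards a backend you already trust. The `-O ThemePainter=qt` workaround itself reads fine.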

Comment moderation
diff --git a/posts/recovering-from-unbootable-ubuntu-encrypted-lvm-root-partition/comment_1_dbf4ae9f9fe087f9b03cfb0961a4fe57._comment b/posts/recovering-from-unbootable-ubuntu-encrypted-lvm-root-partition/comment_1_dbf4ae9f9fe087f9b03cfb0961a4fe57._comment
new file mode 100644
index 0000000..76a00f1
--- /dev/null
+++ b/posts/recovering-from-unbootable-ubuntu-encrypted-lvm-root-partition/comment_1_dbf4ae9f9fe087f9b03cfb0961a4fe57._comment
@@ -0,0 +1,11 @@
+[[!comment format=mdwn
+ ip="107.181.176.98"
+ claimedauthor="William"
+ url="willinspire.us"
+ subject="Without using a live instance"
+ date="2018-05-06T20:54:15Z"
+ content="""
+I successfully used your recommended approach without booting via USB. This can be accomplished by selecting to boot into a previous kernel via the Grub boot menu during startup, and then (without the need to mount local partitions) simply ensure the latest version of lvm2 is installed and regenerating the initramfs for all of the installed kernels (as recommended). I also have a fully encrypted drive configuration and found no issues when performing these steps. 
+
+Thank you for putting this article together. While I normally find the forums to be of great assistance, this issue was not one that is easy to find real working solutions for. Keep up the great work.
+"""]]

Comment moderation
diff --git a/posts/setting-up-a-network-scanner-using-sane/comment_8_ea06287e4ee5254087011d534e543316._comment b/posts/setting-up-a-network-scanner-using-sane/comment_8_ea06287e4ee5254087011d534e543316._comment
new file mode 100644
index 0000000..68e4645
--- /dev/null
+++ b/posts/setting-up-a-network-scanner-using-sane/comment_8_ea06287e4ee5254087011d534e543316._comment
@@ -0,0 +1,11 @@
+[[!comment format=mdwn
+ ip="216.162.65.24"
+ claimedauthor="ajeh"
+ url="linuxlies.mee.nu"
+ subject="This still works well under Fedora 26 and Windows 7"
+ date="2018-04-29T15:10:44Z"
+ content="""
+The instructions in this blog are spot on: everything worked right away (well, except the FW rule, but this is a very minor issue) and I ended up doing some googling for the Windows SANE client and found SANEWinDS on source forge. Works standalone and from Open Office and I am happy camper.
+
+Thanks a lot for putting together this concise instruction, it saves my users from moving files around from the scanner sharing machine!
+"""]]

creating tag page tags/ham
diff --git a/tags/ham.mdwn b/tags/ham.mdwn
new file mode 100644
index 0000000..4ef4784
--- /dev/null
+++ b/tags/ham.mdwn
@@ -0,0 +1,4 @@
+[[!meta title="pages tagged ham"]]
+
+[[!inline pages="tagged(ham)" actions="no" archive="yes"
+feedshow=10]]

Add my Pat and D72 post
diff --git a/posts/using-kenwood-th-d72a-with-pat-linux-ax25.mdwn b/posts/using-kenwood-th-d72a-with-pat-linux-ax25.mdwn
new file mode 100644
index 0000000..4ddba68
--- /dev/null
+++ b/posts/using-kenwood-th-d72a-with-pat-linux-ax25.mdwn
@@ -0,0 +1,101 @@
+[[!meta title="Using a Kenwood TH-D72A with Pat on Linux and ax25"]]
+[[!meta date="2018-04-19T22:45:00.000-07:00"]]
+[[!meta license="[Creative Commons Attribution-ShareAlike 4.0 International License](http://creativecommons.org/licenses/by-sa/4.0/)"]]
+
+Here is how I managed to get my [Kenwood
+TH-D72A](http://www.kenwood.com/usa/com/amateur/th-d72a/) radio working with
+[Pat](http://getpat.io) on Linux using the built-in
+[TNC](https://en.wikipedia.org/wiki/Terminal_node_controller) and the
+[AX.25](http://linuxdocs.org/HOWTOs/AX25-HOWTO.html) mode
+
+# Installing Pat
+
+First of all, download and install the [latest Pat
+package](https://github.com/la5nta/pat/releases) from the GitHub project
+page.
+
+    dpkg -i pat_x.y.z_amd64.deb
+
+Then, follow the [installation
+instructions](https://github.com/la5nta/pat/wiki/AX25-Linux) for the AX.25
+mode and install the necessary packages:
+
+    apt install ax25-tools ax25-apps
+
+along with the systemd script that comes with Pat:
+
+    /usr/share/pat/ax25/install-systemd-ax25-unit.bash
+
+# Configuration
+
+Once the packages are installed, it's time to configure everything
+correctly:
+
+1. Power cycle the radio.
+2. Enable TNC in `packet12` mode (**band A***).
+3. Tune band A to [VECTOR
+   channel](https://vectorradio.ca/ops/frequency-list/) 420
+   (or [421](https://www.repeaterbook.com/repeaters/details.php?state_id=CA02&ID=3586)
+   if you can't reach `VA7EOC` on simplex).
+4. Put the following in `/etc/ax25/axports` (replacing `CALLSIGN` with your
+   own callsign):
+
+        wl2k    CALLSIGN    9600    128    4    Winlink
+
+5. Set `HBAUD` to **`1200`** in `/etc/default/ax25`.
+6. Download and compile the [`tmd710_tncsetup`
+   script](http://www.trinityos.com/HAM/CentosDigitalModes/usr/src/misc/D710/tmd710_tncsetup.c)
+   mentioned in a comment in `/etc/default/ax25`:
+
+        gcc -o tmd710_tncsetup tmd710_tncsetup.c
+
+7. Add the `tmd710_tncsetup` script in `/etc/default/ax25` and use these command
+   line parameters (`-B 0` specifies band A, use `-B 1` for band B):
+
+        tmd710_tncsetup -B 0 -S $DEV -b $HBAUD -s
+
+8. Start ax25 driver:
+
+        systemctl start ax25.service
+
+# Connecting to a winlink gateway
+
+To monitor what is being received and transmitted:
+
+    axlisten -cart
+
+Then create aliases like these in `~/.wl2k/config.json`:
+
+    {
+      "connect_aliases": {
+        "ax25-VA7EOC": "ax25://wl2k/VA7EOC-10",
+        "ax25-VE7LAN": "ax25://wl2k/VE7LAN-10"
+      },
+    }
+
+and use them to connect to your preferred Winlink gateways.
+
+# Troubleshooting
+
+If it doesn't look like ax25 can talk to the radio (i.e. the TX light
+doesn't turn ON), then it's possible that the `tmd710_tncsetup` script isn't
+being run at all, in which case the TNC isn't initialized correctly.
+
+On the other hand, if you can see the radio transmitting but are not seeing
+any **incoming packets** in `axlisten` then double check that the speed is
+set correctly:
+
+- `HBAUD` in `/etc/default/ax25` should be set to **1200**
+- line speed in `/etc/ax25/axports` should be set to **9600**
+- `SERIAL_SPEED` in `tmd710_tncsetup` should be set to **9600**
+- radio displays `packet12` in the top-left corner, not `packet96`
+
+If you can establish a connection, but it's very **unreliable**, make sure that
+you have enabled software flow control (the `-s` option in
+`tmd710_tncsetup`).
+
+If you can't connect to `VA7EOC-10` on UHF, you could also try the VHF BCFM
+repeater on Mt Seymour, [VE7LAN](http://www.bcfmca.bc.ca/lanvhf.php) (VECTOR
+channel 65).
+
+[[!tag ham]]
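Review bot: the `~/.wl2k/config.json` snippet has a trailing comma after the `connect_aliases` object (`},` immediately followed by `}`), which strict JSON parsers reject, so the file may fail to load as written; drop that comma. Two formatting slips as well: step 2 reads `(**band A***)` with a stray third asterisk, and the introductory sentence ending in "mode" has no full stop before the `# Installing Pat` heading.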

Emphasize the executable bit on the pre-up script
Also mention the log file as a way to confirm that everything
works.
diff --git a/posts/using-iptables-with-network-manager.mdwn b/posts/using-iptables-with-network-manager.mdwn
index 92a21d8..030c598 100644
--- a/posts/using-iptables-with-network-manager.mdwn
+++ b/posts/using-iptables-with-network-manager.mdwn
@@ -50,7 +50,7 @@ work on my Debian and Ubuntu machines. Instead, I had to create a new
     
     exit 0
 
-and then make that script executable:
+and then **make that script executable** (otherwise it won't run):
 
     chmod a+x /etc/NetworkManager/dispatcher.d/pre-up.d/iptables
 
@@ -59,4 +59,8 @@ With this in place, I can put my iptables rules in the usual place
 use the handy `iptables-apply` and `ip6tables-apply` commands to test
 any changes to my firewall rules.
 
+Looking at `/var/log/iptables.log`, you'll be able to confirm that
+it is being called correctly for each network interface as they
+are started.
+
 [[!tag nzoss]] [[!tag debian]] [[!tag iptables]]
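Review bot: in the added paragraph, "confirm that it is being called correctly" has no clear antecedent for "it" within the new text; "confirm that the dispatcher script is being called" would make the sentence self-contained.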

Add SSDP multicast address to the iptables rules
diff --git a/posts/lxc-setup-on-debian-stretch.mdwn b/posts/lxc-setup-on-debian-stretch.mdwn
index 5fe6cc4..24422d0 100644
--- a/posts/lxc-setup-on-debian-stretch.mdwn
+++ b/posts/lxc-setup-on-debian-stretch.mdwn
@@ -50,6 +50,7 @@ world through the "host":
        -A FORWARD -d 10.0.3.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
        -A FORWARD -s 10.0.3.0/24 -j ACCEPT
        -A INPUT -d 224.0.0.251 -s 10.0.3.1 -j ACCEPT
+       -A INPUT -d 239.255.255.250 -s 10.0.3.1 -j ACCEPT
        -A INPUT -d 10.0.3.255 -s 10.0.3.1 -j ACCEPT
        -A INPUT -d 10.0.3.1 -s 10.0.3.0/24 -j ACCEPT
 
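Review bot: the new rule accepts every protocol from `10.0.3.1` to `239.255.255.250`, while the commit message only intends SSDP; adding `-p udp --dport 1900` would limit the rule to what SSDP actually uses, and the mDNS rule for `224.0.0.251` just above it could be narrowed the same way (`-p udp --dport 5353`).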

Add Libravatar shutdown post
diff --git a/posts/looking-back-on-starting-libravatar.mdwn b/posts/looking-back-on-starting-libravatar.mdwn
new file mode 100644
index 0000000..8b5bcab
--- /dev/null
+++ b/posts/looking-back-on-starting-libravatar.mdwn
@@ -0,0 +1,175 @@
+[[!meta title="Looking back on starting Libravatar"]]
+[[!meta date="2018-04-02T18:00:00.000-07:00"]]
+[[!meta license="[Creative Commons Attribution-ShareAlike 4.0 International License](http://creativecommons.org/licenses/by-sa/4.0/)"]]
+
+As noted on the [official Libravatar
+blog](https://blog.libravatar.org/posts/Libravatar.org_is_shutting_down_on_2018-09-01/),
+I will be shutting the service down on 2018-09-01.
+
+It has been an [incredible
+journey](https://ourincrediblejourney.tumblr.com/) but Libravatar has been
+more-or-less in maintenance mode for 5 years, so it's somewhat outdated in
+its technological stack and I no longer have much interest in doing the work
+that's required every two years when migrating to a new version of
+Debian/Django. The free software community prides itself on transparency and
+so while it is a [difficult decision to
+make](https://blog.liw.fi/posts/2017/08/13/retiring_obnam/), it's time to
+be upfront with the users who depend on the project and admit that the
+project is not sustainable in its current form.
+
+# Many things worked well
+
+The most motivating aspect of running Libravatar has been the steady organic
+growth within the FOSS community. Both in terms of traffic (in March 2018,
+we served a total of 5 GB of images and 12 GB of `302` redirects to
+Gravatar), integration with other sites and projects (Fedora, Debian,
+Mozilla, Linux kernel, Gitlab, Liberapay and many others), but also in terms
+of users:
+
+![](/posts/looking-back-on-starting-libravatar/cumulative_user_accounts.png)
+
+In addition, I wanted to validate that it is possible to run a FOSS service
+without having to pay for anything out-of-pocket, so that it would be
+financially sustainable. Hosting and domain registrations have been entirely
+funded by the community, thanks to the generosity of sponsors and donors.
+Most of the donations came through [Gittip/Gratipay](https://gratipay.com/)
+and [Liberapay](https://liberapay.com/). While Gratipay has now [shut
+down](https://gratipay.news/the-end-cbfba8f50981), I encourage you to
+[support Liberapay](https://liberapay.com/Liberapay/donate).
+
+Finally, I made an effort to host Libravatar on FOSS infrastructure. That
+meant shying away from popular proprietary services in order to make a point
+that these convenient and well-known services aren't actually needed to run
+a successful project.
+
+# A few things didn't pan out
+
+On the other hand, there were also a few disappointments.
+
+A lot of the [libraries and plugins](https://wiki.libravatar.org/libraries/)
+never implemented [DNS federation](https://wiki.libravatar.org/api/). That
+was the key part of the protocol that made Libravatar a decentralized
+service but unfortunately the rest of the protocol was must easier to
+implement and therefore many clients stopped there.
+
+In addition, it turns out that while the DNS system is essentially a
+federated caching system for IP addresses, many DNS resolvers aren't doing a
+good job caching records and that created unnecessary latency for clients
+that chose to support DNS federation.
+
+The main disappointment was that very few people stepped up to run mirrors.
+I designed the service so that it could scale easily in the same way that
+Linux distributions have coped with increasing user bases: "ftp" mirrors. By
+making the actual serving of images only require Apache and `mod_rewrite`, I
+had hoped that anybody running Apache would be able to add an extra vhost to
+their setup and start serving our static files. A few people did sign up for
+this over the years, but it mostly didn't work. Right now, there are no
+third-party mirrors online.
+
+The other aspect that was a little disappointing was the lack of code
+contributions. There were a handful from friends in the first couple of
+months, but it's otherwise been a one-man project. I suppose that when a
+service works well for what people use it for, there are less opportunities
+for contributions (or less desire for it). The fact [dev environment
+setup](https://wiki.libravatar.org/development_environment/) was not the
+easiest could definitely be a contributing factor, but I've only ever had a
+single person ask about it so it's not clear that this was the limiting
+factor. Also, while our source code repository was hosted on Github and open
+for pull requests, we never even received a single drive-by contribution,
+hinting at the fact that Github is not the magic bullet for community
+contributions that many people think it is.
+
+Finally, it turns out that it is harder to delegate sysadmin work (you need
+root, for one thing) which consumes the majority of the time in a mature
+project. The general administration and maintenance of Libravatar has never
+moved on beyond its core team of one. I don't have a lot of ideas here, but
+I do want to join
+[others](http://scanlime.org/2011/05/cia-vc-service-is-down-indefinitely/)
+who have flagged this as an area for "future work" in terms of project
+sustainability.
+
+# Personal goals
+
+While I was originally inspired by [Evan Prodromou's
+vision](http://static.fsf.org/nosvn/Evan_Prodromou_-_identi.ca_-_LibrePlanet_2009.spx)
+of a suite of FOSS services to replace the proprietary stack that everybody
+relies on, starting a free software project is an inherently personal
+endeavour: the shape of the project will be influenced by the personal goals
+of the founder.
+
+When I started the project in 2011, I had a few goals:
+
+- I wanted to get experience with Python, Django, and Bazaar.
+
+- I wanted to speak at a [Kiwi PyCon](https://python.nz/) which [I
+  did](https://web.archive.org/web/20110808005944/http://nz.pycon.org/2010/talks/talk/72/),
+  [twice](https://www.youtube.com/watch?v=wfDhGAMPS1g), but my Libravatar
+  experience also led to speak at
+  [DebConf](http://penta.debconf.org/dc10_schedule///////events/682.en.html)
+  [twice](https://summit.debconf.org/debconf14/meeting/16/outsourcing-your-webapp-maintenance-to-debian/),
+  [linux.conf.au](https://www.youtube.com/watch?v=ufkYjt9HV64) and
+  [OSCON](https://conferences.oreilly.com/oscon/oscon2011/public/schedule/detail/18773).
+
+- Career-wise, I wanted to move beyond PHP development, which I successfully
+  achieved by working for a [new client](https://logger.paua.org.nz/) while
+  I was at [Catalyst](https://catalyst.net.nz) and then getting hired by
+  [Mozilla](https://mozilla.org) to work on
+  [Persona](https://en.wikipedia.org/wiki/Mozilla_Persona) until it was
+  de-staffed following a [Mozilla reorg](http://arewereorganizedyet.com/).
+
+This project personally taught me a lot of different technologies and
+allowed me to try out various web development techniques I wanted to explore
+at the time. That was intentional: I chose my technologies so that even if
+the project was a complete failure, I would still have gotten something out
+of it.
+
+# A few things I've learned
+
+I learned many things along the way, but here are a few that might be useful
+to other people starting a new free software project:
+
+- Speak about your new project at every user group you can. It's important
+  to validate that you can get other people excited about your project. User
+  groups are a great (and cheap) way to kickstart your word of mouth
+  marketing.
+
+- When speaking about your project, ask simple things of the attendees (e.g.
+  create an account today, join the IRC channel). Often people want to
+  support you but they can't commit to big tasks. Make sure to take
+  advantage of all of the support you can get, especially early on.
+
+- Having your friends join (or lurk on!) an IRC channel means it's vibrant,
+  instead of empty, and there are people around to field simple questions or
+  tell people to wait until you're around. Nobody wants to be alone in a
+  channel with a stranger.
+
+# Thank you
+
+I do want to sincerely thank all of the people who contributed to the
+project over the years:
+
+- Jonathan Harker and Brett Wilkins for productive hack sessions in the
+  Catalyst office.
+- Lars Wirzenius, Andy Chilton and Jesse Noller for graciously hosting the
+  service.
+- Christian Weiske, Melissa Draper, Thomas Goirand and Kai Hendry for
+  running mirrors on their servers.
+- Chris Forbes, fr33domlover, Kang-min Liu and strk for writing and
+  maintaining client libraries.
+- The Wellington Perl Mongers for their invaluable feedback on an early prototype.
+- The `#equifoss` group for their ongoing suppport and numerous ideas.
+- Nigel Babu and Melissa Draper for producing the first (and only) project
+  stikers, as well as Chris Cormack for spreading so effectively.
+- Adolfo Jayme, Alfredo Hernández, Anthony Harrington, Asier Iturralde
+  Sarasola, Besnik, Beto1917, Daniel Neis, Eduardo Battaglia, Fernando P
+  Silveira, Gabriele Castagneti, Heimen Stoffels, Iñaki Arenaza, Jakob
+  Kramer, Jorge Luis Gomez, Kristina Hoeppner, Laura Arjona Reina, Léo
+  POUGHON, Marc Coll Carrillo, Mehmet Keçeci, Milan Horák, Mitsuhiro
+  Yoshida, Oleg Koptev, Rodrigo Díaz, Simone G, Stanislas Michalak, Volkan
+  Gezer, VPablo, Xuacu Saturio, Yuri Chornoivan, yurchor and zapman for
+  making Libravatar speak so many languages.
+
+I'm sure I have forgotten people who have helped over the years. If your
+name belongs in here and it's not, please email me or leave a comment.
+
+[[!tag debian]] [[!tag nzoss]] [[!tag libravatar]] [[!tag indieweb]]
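Review bot: several typos in the new post: "the rest of the protocol was must easier to implement" should read "much easier"; "there are less opportunities for contributions" should be "fewer opportunities"; "The fact dev environment setup was not the easiest" is missing "that" after "fact"; "my Libravatar experience also led to speak at" is missing "me" after "led"; "ongoing suppport" should be "support"; and "project stikers" should be "stickers".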
diff --git a/posts/looking-back-on-starting-libravatar/cumulative_user_accounts.png b/posts/looking-back-on-starting-libravatar/cumulative_user_accounts.png
new file mode 100644
index 0000000..9358577
Binary files /dev/null and b/posts/looking-back-on-starting-libravatar/cumulative_user_accounts.png differ

Add missing step in lxc-net setup
https://wiki.debian.org/LXC#Networked_quickstart_for_Debian_Stretch_.28testing_as_of_Q3_2016.29
diff --git a/posts/lxc-setup-on-debian-stretch.mdwn b/posts/lxc-setup-on-debian-stretch.mdwn
index 6daa81b..5fe6cc4 100644
--- a/posts/lxc-setup-on-debian-stretch.mdwn
+++ b/posts/lxc-setup-on-debian-stretch.mdwn
@@ -20,6 +20,10 @@ change needed here):
     lxc.network.flags = up
     lxc.network.hwaddr = 00:FF:AA:xx:xx:xx
 
+and enable networking by putting the following in a new `/etc/default/lxc-net` file:
+
+    USE_LXC_BRIDGE="true"
+
 That configuration requires that the `veth` kernel module be loaded. If
 you have any kinds of module-loading restrictions enabled, you probably
 need to add the following to `/etc/modules` and **reboot**:

Remove spurious characters
This is probably mistyped emacs C-n.
diff --git a/posts/using-all-5ghz-wifi-frequencies-in-gargoyle-router.mdwn b/posts/using-all-5ghz-wifi-frequencies-in-gargoyle-router.mdwn
index 3107dea..d22ff84 100644
--- a/posts/using-all-5ghz-wifi-frequencies-in-gargoyle-router.mdwn
+++ b/posts/using-all-5ghz-wifi-frequencies-in-gargoyle-router.mdwn
@@ -54,7 +54,7 @@ for the "world" regulatory authority.
 
 Because [Gargoyle](https://www.gargoyle-router.com/) is based on
 [OpenWRT](https://openwrt.org/), there are a lot more
-nn[wireless configuration options](https://wiki.openwrt.org/doc/uci/wireless)
+[wireless configuration options](https://wiki.openwrt.org/doc/uci/wireless)
 available than what's exposed in the Web UI.
 
 In this case, the solution was to explicitly [set my country in the wireless options](https://feeding.cloud.geek.nz/posts/setting-wifi-regulatory-domain-linux-openwrt/) (where `CA` is the

Link to my regulatory authority post instead of hacking the config file
diff --git a/posts/using-all-5ghz-wifi-frequencies-in-gargoyle-router.mdwn b/posts/using-all-5ghz-wifi-frequencies-in-gargoyle-router.mdwn
index 438951f..3107dea 100644
--- a/posts/using-all-5ghz-wifi-frequencies-in-gargoyle-router.mdwn
+++ b/posts/using-all-5ghz-wifi-frequencies-in-gargoyle-router.mdwn
@@ -57,15 +57,9 @@ Because [Gargoyle](https://www.gargoyle-router.com/) is based on
 nn[wireless configuration options](https://wiki.openwrt.org/doc/uci/wireless)
 available than what's exposed in the Web UI.
 
-In this case, the solution was to explicitly set my country in the wireless
-options by putting:
-
-    country 'CA'
-
-(where `CA` is the
-[country code](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2) where the
-router is physically located) in the 5 GHz radio section of
-`/etc/config/wireless` on the router.
+In this case, the solution was to explicitly [set my country in the wireless options](https://feeding.cloud.geek.nz/posts/setting-wifi-regulatory-domain-linux-openwrt/) (where `CA` is the
+[country code](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2) for Canada, where my
+router is physically located).
 
 Then I rebooted and I was able to set the channel successfully via the Web UI.
 

Comment moderation
diff --git a/posts/dynamic-dns-on-own-domain/comment_2_86d0b5b701b44721af5d38a180e60df4._comment b/posts/dynamic-dns-on-own-domain/comment_2_86d0b5b701b44721af5d38a180e60df4._comment
new file mode 100644
index 0000000..c604845
--- /dev/null
+++ b/posts/dynamic-dns-on-own-domain/comment_2_86d0b5b701b44721af5d38a180e60df4._comment
@@ -0,0 +1,12 @@
+[[!comment format=mdwn
+ username="francois@665656f0ba400877c9b12e8fbb086e45aa01f7c0"
+ nickname="francois"
+ subject="Re: IPv6"
+ date="2018-03-20T23:44:16Z"
+ content="""
+> Do you use IPv6? How do you update the IPv6 ?
+
+Unfortunately, No-IP still [doesn't support IPv6 in their Dynamic DNS service](https://www.noip.com/blog/2009/06/19/ipv6-records-now-available/#comment-421947). My setup is IPv4-only.
+
+I'd be happy to consider other services that support IPv6 if they also support **custom domains** and are supported by a **client that's included in Debian**. If you know of one, please leave a comment.
+"""]]

Comment moderation
diff --git a/posts/dynamic-dns-on-own-domain/comment_1_193af8570ba24987f776b567180167e7._comment b/posts/dynamic-dns-on-own-domain/comment_1_193af8570ba24987f776b567180167e7._comment
new file mode 100644
index 0000000..dd367b2
--- /dev/null
+++ b/posts/dynamic-dns-on-own-domain/comment_1_193af8570ba24987f776b567180167e7._comment
@@ -0,0 +1,11 @@
+[[!comment format=mdwn
+ ip="2804:14d:5ce0:9e33:540a:d1c7:6490:c04a"
+ claimedauthor="S.V."
+ subject="IPv6"
+ date="2018-03-20T22:27:53Z"
+ content="""
+Hi,
+Do you use IPv6? How do you update the IPv6 ?
+Best,
+S.V.
+"""]]

Add missing tags to dynamic DNS post
diff --git a/posts/dynamic-dns-on-own-domain.mdwn b/posts/dynamic-dns-on-own-domain.mdwn
index a6a43e7..6fed580 100644
--- a/posts/dynamic-dns-on-own-domain.mdwn
+++ b/posts/dynamic-dns-on-own-domain.mdwn
@@ -88,3 +88,5 @@ The IP for that machine should now be visible on the [No-IP control
 panel](https://www.noip.com/members/dns/) and in DNS lookups:
 
     dig +short machinename.dyn.fmarier.org
+
+[[!tag debian]] [[!tag nzoss]] [[!tag dns]]

Add post on dynamic DNS using noip.com
diff --git a/posts/dynamic-dns-on-own-domain.mdwn b/posts/dynamic-dns-on-own-domain.mdwn
new file mode 100644
index 0000000..a6a43e7
--- /dev/null
+++ b/posts/dynamic-dns-on-own-domain.mdwn
@@ -0,0 +1,90 @@
+[[!meta title="Dynamic DNS on your own domain"]]
+[[!meta date="2018-03-18T13:45:00.000-07:00"]]
+[[!meta license="[Creative Commons Attribution-ShareAlike 4.0 International License](http://creativecommons.org/licenses/by-sa/4.0/)"]]
+
+I recently moved my dynamic DNS hostnames from
+[dyndns.org](https://dyn.com/dns/) (now owned by Oracle) to
+[No-IP](https://www.noip.com/remote-access). In the process, I moved all of
+my hostnames under a sub-domain that I control in case I ever want to
+self-host the authoritative DNS server for it.
+
+# Creating an account
+
+In order to use my own existing domain, I registered for the [Plus Managed
+DNS](https://www.noip.com/remote-access) service and provided my top-level
+domain (`fmarier.org`).
+
+Then I created a [support ticket](https://www.noip.com/ticket/) to ask for
+the **sub-domain feature**. Without that, No-IP expects you to delegate your
+entire domain to them, whereas I only wanted to delegate `*.dyn.fmarier.org`.
+
+Once that got enabled, I was able to create hostnames like `machine.dyn` in
+the No-IP control panel. Without the sub-domain feature, you can't have dots
+in hostnames.
+
+I used a bogus IP address (e.g. `1.2.3.4`) for all of the hostnames I
+created in order to easily confirm that the client software is working.
+
+# DNS setup
+
+On my registrar's side, here are the DNS records I had to add to delegate
+anything under `dyn.fmarier.org` to No-IP:
+
+    dyn NS ns1.no-ip.com.
+    dyn NS ns2.no-ip.com.
+    dyn NS ns3.no-ip.com.
+    dyn NS ns4.no-ip.com.
+    dyn NS ns5.no-ip.com.
+
+# Client setup
+
+In order to update its IP address whenever it changes, I installed
+[ddclient](https://sourceforge.net/p/ddclient/wiki/Home/) on each of my
+machines:
+
+    apt install ddclient
+
+While the [ddclient package](https://packages.debian.org/stretch/ddclient)
+[won't help you
+configure](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=625715) your
+No-IP service during installation or [enable the web IP lookup
+method](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=285007), this can
+all be done by editing the configuration after the fact.
+
+I put the following in `/etc/ddclient.conf`:
+
+    ssl=yes
+    protocol=noip
+    use=web, web=checkip.dyndns.com, web-skip='IP Address'
+    server=dynupdate.no-ip.com
+    login=myusername
+    password='Password1!'
+    machinename.dyn.fmarier.org
+
+and the following in `/etc/default/ddclient`:
+
+    run_dhclient="false"
+    run_ipup="false"
+    run_daemon="true"
+    daemon_interval="3600"
+
+Then restart the service:
+
+    systemctl restart ddclient.service
+
+Note that you do need to change the default update interval or the
+`checkip.dyndns.com` server [will ban your IP
+address](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=489997).
+
+# Testing
+
+To test that the client software is working, wait 6 minutes (there is an
+internal check which cancels any client invocations within 5 minutes of
+another), then run it manually:
+
+    ddclient --verbose --debug
+
+The IP for that machine should now be visible on the [No-IP control
+panel](https://www.noip.com/members/dns/) and in DNS lookups:
+
+    dig +short machinename.dyn.fmarier.org
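Review bot: the `/etc/ddclient.conf` block stores the No-IP credential in cleartext (`password='Password1!'`), so the post should tell readers to keep that file root-owned with mode 0600 and make clear that `Password1!` is a placeholder. On the same block, `ssl=yes` protects the update request to `dynupdate.no-ip.com`, but the address that ends up published for `machinename.dyn.fmarier.org` comes from the separate `use=web, web=checkip.dyndns.com` lookup; the post should say whether that lookup is also made over TLS, since a spoofed answer there is what would land in DNS. Finally, the warning that `checkip.dyndns.com` bans clients that poll too often appears only after the `systemctl restart` step; moving it next to the `daemon_interval="3600"` line in the `/etc/default/ddclient` block would stop readers lowering the interval before they reach it.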

Comment moderation
diff --git a/posts/upgrading-lenovo-thinkpad-bios-under-linux/comment_6_5b9ac5c6cdbe9ec824c914134327fdf7._comment b/posts/upgrading-lenovo-thinkpad-bios-under-linux/comment_6_5b9ac5c6cdbe9ec824c914134327fdf7._comment
new file mode 100644
index 0000000..41694b7
--- /dev/null
+++ b/posts/upgrading-lenovo-thinkpad-bios-under-linux/comment_6_5b9ac5c6cdbe9ec824c914134327fdf7._comment
@@ -0,0 +1,10 @@
+[[!comment format=mdwn
+ ip="176.147.239.109"
+ claimedauthor="BigFan"
+ subject="faster dd"
+ date="2018-03-17T11:52:27Z"
+ content="""
+Use option 'bs=4M' for faster write to the usb key (otherwise it will take several minutes):  
+    $ dd bs=4M if=bios.img of=/dev/sdX
+
+"""]]

Use mpc-fade to stop music in the evening
diff --git a/posts/home-music-server-with-mpd.mdwn b/posts/home-music-server-with-mpd.mdwn
index 7974cec..e0d4baa 100644
--- a/posts/home-music-server-with-mpd.mdwn
+++ b/posts/home-music-server-with-mpd.mdwn
@@ -76,8 +76,12 @@ daily and stop the music automatically in the evening:
     # Refresh DB once an hour
     5 * * * *  mpd  test -r /run/mpd/socket && MPD_HOST=Password1@/run/mpd/socket /usr/bin/mpc --quiet update
     # Think of the neighbours
-    0 22 * * 0-4  mpd  test -r /run/mpd/socket && MPD_HOST=Password1@/run/mpd/socket /usr/bin/mpc --quiet stop
-    0 23 * * 5-6  mpd  test -r /run/mpd/socket && MPD_HOST=Password1@/run/mpd/socket /usr/bin/mpc --quiet stop
+    0 22 * * 0-4  mpd  test -r /run/mpd/socket && MPD_HOST=Password1@/run/mpd/socket /usr/local/bin/mpc-fade
+    0 23 * * 5-6  mpd  test -r /run/mpd/socket && MPD_HOST=Password1@/run/mpd/socket /usr/local/bin/mpc-fade
+
+My [`mpc-fade` script](https://github.com/fmarier/user-scripts/blob/master/mpc-fade),
+heavily inspired by [Guillaume's](http://guillaumeplayground.net/mpd-mpc-fade-in-out-script/),
+gradually brings the volume down instead of stopping the music abrutly.
 
 ## Album covers
 
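Review bot: `abrutly` in the added paragraph should read `abruptly`. The crontab lines this hunk edits also pass the MPD password inline (`MPD_HOST=Password1@/run/mpd/socket`); cron hands each line to `sh -c`, so the whole string, password included, is briefly visible in the process list to other local users. The post should at least flag `Password1` as a placeholder, and note that the new `/usr/local/bin/mpc-fade` script inherits the same `MPD_HOST` value from its environment, so it needs no extra credential handling of its own.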

Comment moderation
diff --git a/posts/redirecting-entire-site-except-certbot-webroot/comment_1_66c587e8b38d4ae2d0f24422f959f166._comment b/posts/redirecting-entire-site-except-certbot-webroot/comment_1_66c587e8b38d4ae2d0f24422f959f166._comment
new file mode 100644
index 0000000..0f20b27
--- /dev/null
+++ b/posts/redirecting-entire-site-except-certbot-webroot/comment_1_66c587e8b38d4ae2d0f24422f959f166._comment
@@ -0,0 +1,13 @@
+[[!comment format=mdwn
+ ip="2a02:8071:b581:3afc:25b1:3686:15d9:fce3"
+ claimedauthor="Uwe Kleine-König"
+ subject="conditions for letsencrypt certs"
+ date="2018-03-02T08:42:11Z"
+ content="""
+Hello,
+
+according to my experience having a redirect for `/.well-known/acme-challenge` works fine. So an unconditional redirect from `http://libravatar.org/(.*)` to `http://www.libravatar.org/$1` should do the trick a bit easier.
+
+Best regards
+Uwe
+"""]]
diff --git a/posts/redirecting-entire-site-except-certbot-webroot/comment_2_fa5e9bec263f4d7787b74b22f82e13ea._comment b/posts/redirecting-entire-site-except-certbot-webroot/comment_2_fa5e9bec263f4d7787b74b22f82e13ea._comment
new file mode 100644
index 0000000..f9e6b38
--- /dev/null
+++ b/posts/redirecting-entire-site-except-certbot-webroot/comment_2_fa5e9bec263f4d7787b74b22f82e13ea._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ ip="2a02:810d:4740:cc10:6e29:95ff:fe7c:2bad"
+ claimedauthor="Philipp Kern"
+ subject="HTTP redirects should be fine?"
+ date="2018-03-02T08:37:07Z"
+ content="""
+I was under the impression that 301 redirects will be followed by the CA. Is that not the case?
+"""]]

Add another letsencrypt/certbot config post
diff --git a/posts/redirecting-entire-site-except-certbot-webroot.mdwn b/posts/redirecting-entire-site-except-certbot-webroot.mdwn
new file mode 100644
index 0000000..91ea91f
--- /dev/null
+++ b/posts/redirecting-entire-site-except-certbot-webroot.mdwn
@@ -0,0 +1,47 @@
+[[!meta title="Redirecting an entire site except for the certbot webroot"]]
+[[!meta date="2018-03-01T21:40:00.000-08:00"]]
+[[!meta license="[Creative Commons Attribution-ShareAlike 4.0 International License](http://creativecommons.org/licenses/by-sa/4.0/)"]]
+
+In order to be able to use the [webroot
+plugin](https://certbot.eff.org/docs/using.html#webroot) for
+[certbot](https://certbot.eff.org/) and automatically renew the [Let's
+Encrypt](https://letsencrypt.org/) certificate for `libravatar.org`, I
+had to put together an Apache config that would do the following on port 80:
+
+- Let `/.well-known/acme-challenge/*` through on the bare domain
+  (`http://libravatar.org/`).
+- Redirect anything else to `https://www.libravatar.org/`.
+
+The reason for this is that the main
+[Libravatar](https://www.libravatar.org) service listens on
+`www.libravatar.org` and not `libravatar.org`, but that cerbot needs to
+ascertain control of the bare domain.
+
+This is the configuration I ended up with:
+
+    <VirtualHost *:80>
+        DocumentRoot /var/www/acme
+        <Directory /var/www/acme>
+            Options -Indexes
+        </Directory>
+    
+        RewriteEngine on
+        RewriteCond "/var/www/acme%{REQUEST_URI}" !-f
+        RewriteRule ^(.*)$ https://www.libravatar.org/ [last,redirect=301]
+    </VirtualHost>
+
+The trick I used here is to make the redirection `RewriteRule` conditional
+on the requested file (`%{REQUEST_URI}`) not existing in the `/var/www/acme`
+directory, the one where I tell certbot to drop its temporary files.
+
+Here are the relevant portions of `/etc/letsencrypt/renewal/www.libravatar.org.conf`:
+
+    [renewalparams]
+    authenticator = webroot
+    account = 
+    
+    [[webroot_map]]
+    libravatar.org = /var/www/acme
+    www.libravatar.org = /var/www/acme
+
+[[!tag debian]] [[!tag letsencrypt]] [[!tag nzoss]] [[!tag apache]] [[!tag ssl]]
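Review bot: the `RewriteRule ^(.*)$ https://www.libravatar.org/ [last,redirect=301]` discards the requested path, so `http://libravatar.org/foo` lands on the `www` home page rather than on `https://www.libravatar.org/foo`; if that is intended, say so, otherwise use `https://www.libravatar.org$1` (in `VirtualHost` context `$1` already carries the leading `/`). As both comments on this post (listed above) point out, Let's Encrypt's HTTP-01 validation follows redirects, so an unconditional path-preserving redirect to `www.libravatar.org` would also pass validation provided `www.libravatar.org` serves the challenge files, which the `webroot_map` mapping both names to `/var/www/acme` already arranges; the `RewriteCond ... !-f` approach still works and avoids relying on that behaviour, which is worth stating as the reason for it. Minor points: `cerbot` in "that cerbot needs to" should read `certbot`, and the blank `account =` line in the renewal config looks redacted rather than genuinely empty, which the post should say.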

Fix typo
Can be verified using `uci show system`.
Thanks to CapnNarkolepso for reporting this.
diff --git a/posts/debugging-openwrt-routers-by-shipping.mdwn b/posts/debugging-openwrt-routers-by-shipping.mdwn
index 59f84df..335ec00 100644
--- a/posts/debugging-openwrt-routers-by-shipping.mdwn
+++ b/posts/debugging-openwrt-routers-by-shipping.mdwn
@@ -34,7 +34,7 @@ After logging into the router via ssh, I ran the following commands:
 
 
     uci set system.@system[0].log_ip=192.168.1.2  
-    uci set system.@system[0].conloglevel=7  
+    uci set system.@system[0].cronloglevel=7
     uci commit
 
 

Add cover URL config for MPDRemote on iOS
diff --git a/posts/home-music-server-with-mpd.mdwn b/posts/home-music-server-with-mpd.mdwn
index e45f73a..7974cec 100644
--- a/posts/home-music-server-with-mpd.mdwn
+++ b/posts/home-music-server-with-mpd.mdwn
@@ -164,4 +164,9 @@ since [MPoD](http://www.katoemba.net/makesnosenseatall/mpod/) and
 [MPaD](http://www.katoemba.net/makesnosenseatall/mpad/) don't appear to be
 available on the AppStore anymore.
 
+Of these, MPDRemote appears to be the better one. It also supports album art
+if you configure the profile with the following cover URL:
+
+    http://192.168.1.2/
+
 [[!tag debian]] [[!tag ubuntu]] [[!tag nzoss]] [[!tag mpd]] [[!tag ios]] [[!tag android]] [[!tag tor]] [[!tag systemd]]
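Review bot: the cover URL `http://192.168.1.2/` needs a sentence on what serves it (which web server on the MPD host, exposing which directory, presumably the music library so that MPDRemote can fetch the album art files relative to it), since the hunk does not say. It is also plain HTTP, which is fine on the LAN the address implies but worth stating so readers do not expose that listener beyond it.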