Recent changes to this wiki:

creating tag page tags/ham
diff --git a/tags/ham.mdwn b/tags/ham.mdwn
new file mode 100644
index 0000000..4ef4784
--- /dev/null
+++ b/tags/ham.mdwn
@@ -0,0 +1,4 @@
+[[!meta title="pages tagged ham"]]
+
+[[!inline pages="tagged(ham)" actions="no" archive="yes"
+feedshow=10]]

Add my Pat and D72 post
diff --git a/posts/using-kenwood-th-d72a-with-pat-linux-ax25.mdwn b/posts/using-kenwood-th-d72a-with-pat-linux-ax25.mdwn
new file mode 100644
index 0000000..4ddba68
--- /dev/null
+++ b/posts/using-kenwood-th-d72a-with-pat-linux-ax25.mdwn
@@ -0,0 +1,101 @@
+[[!meta title="Using a Kenwood TH-D72A with Pat on Linux and ax25"]]
+[[!meta date="2018-04-19T22:45:00.000-07:00"]]
+[[!meta license="[Creative Commons Attribution-ShareAlike 4.0 International License](http://creativecommons.org/licenses/by-sa/4.0/)"]]
+
+Here is how I managed to get my [Kenwood
+TH-D72A](http://www.kenwood.com/usa/com/amateur/th-d72a/) radio working with
+[Pat](http://getpat.io) on Linux using the built-in
+[TNC](https://en.wikipedia.org/wiki/Terminal_node_controller) and the
+[AX.25](http://linuxdocs.org/HOWTOs/AX25-HOWTO.html) mode
+
+# Installing Pat
+
+First of all, download and install the [latest Pat
+package](https://github.com/la5nta/pat/releases) from the GitHub project
+page.
+
+    dpkg -i pat_x.y.z_amd64.deb
+
+Then, follow the [installation
+instructions](https://github.com/la5nta/pat/wiki/AX25-Linux) for the AX.25
+mode and install the necessary packages:
+
+    apt install ax25-tools ax25-apps
+
+along with the systemd script that comes with Pat:
+
+    /usr/share/pat/ax25/install-systemd-ax25-unit.bash
+
+# Configuration
+
+Once the packages are installed, it's time to configure everything
+correctly:
+
+1. Power cycle the radio.
+2. Enable TNC in `packet12` mode (**band A***).
+3. Tune band A to [VECTOR
+   channel](https://vectorradio.ca/ops/frequency-list/) 420
+   (or [421](https://www.repeaterbook.com/repeaters/details.php?state_id=CA02&ID=3586)
+   if you can't reach `VA7EOC` on simplex).
+4. Put the following in `/etc/ax25/axports` (replacing `CALLSIGN` with your
+   own callsign):
+
+        wl2k    CALLSIGN    9600    128    4    Winlink
+
+5. Set `HBAUD` to **`1200`** in `/etc/default/ax25`.
+6. Download and compile the [`tmd710_tncsetup`
+   script](http://www.trinityos.com/HAM/CentosDigitalModes/usr/src/misc/D710/tmd710_tncsetup.c)
+   mentioned in a comment in `/etc/default/ax25`:
+
+        gcc -o tmd710_tncsetup tmd710_tncsetup.c
+
+7. Add the `tmd710_tncsetup` script in `/etc/default/ax25` and use these command
+   line parameters (`-B 0` specifies band A, use `-B 1` for band B):
+
+        tmd710_tncsetup -B 0 -S $DEV -b $HBAUD -s
+
+8. Start ax25 driver:
+
+        systemctl start ax25.service
+
+# Connecting to a winlink gateway
+
+To monitor what is being received and transmitted:
+
+    axlisten -cart
+
+Then create aliases like these in `~/.wl2k/config.json`:
+
+    {
+      "connect_aliases": {
+        "ax25-VA7EOC": "ax25://wl2k/VA7EOC-10",
+        "ax25-VE7LAN": "ax25://wl2k/VE7LAN-10"
+      },
+    }
+
+and use them to connect to your preferred Winlink gateways.
+
+# Troubleshooting
+
+If it doesn't look like ax25 can talk to the radio (i.e. the TX light
+doesn't turn ON), then it's possible that the `tmd710_tncsetup` script isn't
+being run at all, in which case the TNC isn't initialized correctly.
+
+On the other hand, if you can see the radio transmitting but are not seeing
+any **incoming packets** in `axlisten` then double check that the speed is
+set correctly:
+
+- `HBAUD` in `/etc/default/ax25` should be set to **1200**
+- line speed in `/etc/ax25/axports` should be set to **9600**
+- `SERIAL_SPEED` in `tmd710_tncsetup` should be set to **9600**
+- radio displays `packet12` in the top-left corner, not `packet96`
+
+If you can establish a connection, but it's very **unreliable**, make sure that
+you have enabled software flow control (the `-s` option in
+`tmd710_tncsetup`).
+
+If you can't connect to `VA7EOC-10` on UHF, you could also try the VHF BCFM
+repeater on Mt Seymour, [VE7LAN](http://www.bcfmca.bc.ca/lanvhf.php) (VECTOR
+channel 65).
+
+[[!tag ham]]
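Review bot: the `~/.wl2k/config.json` snippet in "Connecting to a winlink gateway" has a trailing comma after the closing `}` of `connect_aliases`, which is not valid JSON and a strict parser will reject; drop that comma so the object ends with `}` on its own line followed by the outer `}`. Also, `(**band A***)` in step 2 of "Configuration" has a stray asterisk that renders as a literal `*`; it should read `(**band A**)`.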

Emphasize the executable bit on the pre-up script
Also mention the log file as a way to confirm that everything
works.
diff --git a/posts/using-iptables-with-network-manager.mdwn b/posts/using-iptables-with-network-manager.mdwn
index 92a21d8..030c598 100644
--- a/posts/using-iptables-with-network-manager.mdwn
+++ b/posts/using-iptables-with-network-manager.mdwn
@@ -50,7 +50,7 @@ work on my Debian and Ubuntu machines. Instead, I had to create a new
     
     exit 0
 
-and then make that script executable:
+and then **make that script executable** (otherwise it won't run):
 
     chmod a+x /etc/NetworkManager/dispatcher.d/pre-up.d/iptables
 
@@ -59,4 +59,8 @@ With this in place, I can put my iptables rules in the usual place
 use the handy `iptables-apply` and `ip6tables-apply` commands to test
 any changes to my firewall rules.
 
+Looking at `/var/log/iptables.log`, you'll be able to confirm that
+it is being called correctly for each network interface as they
+are started.
+
 [[!tag nzoss]] [[!tag debian]] [[!tag iptables]]
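Review bot: the new paragraph points readers at `/var/log/iptables.log` without saying what writes it; a clause tying the file to the logging line in the `pre-up.d/iptables` script above would make the check self-explanatory, and showing the command readers actually run to verify (for instance `tail /var/log/iptables.log` after bringing an interface up) would turn the sentence into a concrete step.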

Add SSDP multicast address to the iptables rules
diff --git a/posts/lxc-setup-on-debian-stretch.mdwn b/posts/lxc-setup-on-debian-stretch.mdwn
index 5fe6cc4..24422d0 100644
--- a/posts/lxc-setup-on-debian-stretch.mdwn
+++ b/posts/lxc-setup-on-debian-stretch.mdwn
@@ -50,6 +50,7 @@ world through the "host":
        -A FORWARD -d 10.0.3.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
        -A FORWARD -s 10.0.3.0/24 -j ACCEPT
        -A INPUT -d 224.0.0.251 -s 10.0.3.1 -j ACCEPT
+       -A INPUT -d 239.255.255.250 -s 10.0.3.1 -j ACCEPT
        -A INPUT -d 10.0.3.255 -s 10.0.3.1 -j ACCEPT
        -A INPUT -d 10.0.3.1 -s 10.0.3.0/24 -j ACCEPT
 
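Review bot: the new `-A INPUT -d 239.255.255.250 -s 10.0.3.1 -j ACCEPT` line accepts every protocol to the SSDP multicast group, as the mDNS line above it does for `224.0.0.251`; SSDP is UDP port 1900 and mDNS is UDP port 5353, so adding `-p udp --dport 1900` (and `-p udp --dport 5353` on the line above) would narrow the rules to what the containers need. A short comment on why the host's own bridge address `10.0.3.1` appears as the source would also help, since the surrounding rules otherwise describe traffic from the `10.0.3.0/24` container range.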

Add Libravatar shutdown post
diff --git a/posts/looking-back-on-starting-libravatar.mdwn b/posts/looking-back-on-starting-libravatar.mdwn
new file mode 100644
index 0000000..8b5bcab
--- /dev/null
+++ b/posts/looking-back-on-starting-libravatar.mdwn
@@ -0,0 +1,175 @@
+[[!meta title="Looking back on starting Libravatar"]]
+[[!meta date="2018-04-02T18:00:00.000-07:00"]]
+[[!meta license="[Creative Commons Attribution-ShareAlike 4.0 International License](http://creativecommons.org/licenses/by-sa/4.0/)"]]
+
+As noted on the [official Libravatar
+blog](https://blog.libravatar.org/posts/Libravatar.org_is_shutting_down_on_2018-09-01/),
+I will be shutting the service down on 2018-09-01.
+
+It has been an [incredible
+journey](https://ourincrediblejourney.tumblr.com/) but Libravatar has been
+more-or-less in maintenance mode for 5 years, so it's somewhat outdated in
+its technological stack and I no longer have much interest in doing the work
+that's required every two years when migrating to a new version of
+Debian/Django. The free software community prides itself on transparency and
+so while it is a [difficult decision to
+make](https://blog.liw.fi/posts/2017/08/13/retiring_obnam/), it's time to
+be upfront with the users who depend on the project and admit that the
+project is not sustainable in its current form.
+
+# Many things worked well
+
+The most motivating aspect of running Libravatar has been the steady organic
+growth within the FOSS community. Both in terms of traffic (in March 2018,
+we served a total of 5 GB of images and 12 GB of `302` redirects to
+Gravatar), integration with other sites and projects (Fedora, Debian,
+Mozilla, Linux kernel, Gitlab, Liberapay and many others), but also in terms
+of users:
+
+![](/posts/looking-back-on-starting-libravatar/cumulative_user_accounts.png)
+
+In addition, I wanted to validate that it is possible to run a FOSS service
+without having to pay for anything out-of-pocket, so that it would be
+financially sustainable. Hosting and domain registrations have been entirely
+funded by the community, thanks to the generosity of sponsors and donors.
+Most of the donations came through [Gittip/Gratipay](https://gratipay.com/)
+and [Liberapay](https://liberapay.com/). While Gratipay has now [shut
+down](https://gratipay.news/the-end-cbfba8f50981), I encourage you to
+[support Liberapay](https://liberapay.com/Liberapay/donate).
+
+Finally, I made an effort to host Libravatar on FOSS infrastructure. That
+meant shying away from popular proprietary services in order to make a point
+that these convenient and well-known services aren't actually needed to run
+a successful project.
+
+# A few things didn't pan out
+
+On the other hand, there were also a few disappointments.
+
+A lot of the [libraries and plugins](https://wiki.libravatar.org/libraries/)
+never implemented [DNS federation](https://wiki.libravatar.org/api/). That
+was the key part of the protocol that made Libravatar a decentralized
+service but unfortunately the rest of the protocol was must easier to
+implement and therefore many clients stopped there.
+
+In addition, it turns out that while the DNS system is essentially a
+federated caching system for IP addresses, many DNS resolvers aren't doing a
+good job caching records and that created unnecessary latency for clients
+that chose to support DNS federation.
+
+The main disappointment was that very few people stepped up to run mirrors.
+I designed the service so that it could scale easily in the same way that
+Linux distributions have coped with increasing user bases: "ftp" mirrors. By
+making the actual serving of images only require Apache and `mod_rewrite`, I
+had hoped that anybody running Apache would be able to add an extra vhost to
+their setup and start serving our static files. A few people did sign up for
+this over the years, but it mostly didn't work. Right now, there are no
+third-party mirrors online.
+
+The other aspect that was a little disappointing was the lack of code
+contributions. There were a handful from friends in the first couple of
+months, but it's otherwise been a one-man project. I suppose that when a
+service works well for what people use it for, there are less opportunities
+for contributions (or less desire for it). The fact [dev environment
+setup](https://wiki.libravatar.org/development_environment/) was not the
+easiest could definitely be a contributing factor, but I've only ever had a
+single person ask about it so it's not clear that this was the limiting
+factor. Also, while our source code repository was hosted on Github and open
+for pull requests, we never even received a single drive-by contribution,
+hinting at the fact that Github is not the magic bullet for community
+contributions that many people think it is.
+
+Finally, it turns out that it is harder to delegate sysadmin work (you need
+root, for one thing) which consumes the majority of the time in a mature
+project. The general administration and maintenance of Libravatar has never
+moved on beyond its core team of one. I don't have a lot of ideas here, but
+I do want to join
+[others](http://scanlime.org/2011/05/cia-vc-service-is-down-indefinitely/)
+who have flagged this as an area for "future work" in terms of project
+sustainability.
+
+# Personal goals
+
+While I was originally inspired by [Evan Prodromou's
+vision](http://static.fsf.org/nosvn/Evan_Prodromou_-_identi.ca_-_LibrePlanet_2009.spx)
+of a suite of FOSS services to replace the proprietary stack that everybody
+relies on, starting a free software project is an inherently personal
+endeavour: the shape of the project will be influenced by the personal goals
+of the founder.
+
+When I started the project in 2011, I had a few goals:
+
+- I wanted to get experience with Python, Django, and Bazaar.
+
+- I wanted to speak at a [Kiwi PyCon](https://python.nz/) which [I
+  did](https://web.archive.org/web/20110808005944/http://nz.pycon.org/2010/talks/talk/72/),
+  [twice](https://www.youtube.com/watch?v=wfDhGAMPS1g), but my Libravatar
+  experience also led to speak at
+  [DebConf](http://penta.debconf.org/dc10_schedule///////events/682.en.html)
+  [twice](https://summit.debconf.org/debconf14/meeting/16/outsourcing-your-webapp-maintenance-to-debian/),
+  [linux.conf.au](https://www.youtube.com/watch?v=ufkYjt9HV64) and
+  [OSCON](https://conferences.oreilly.com/oscon/oscon2011/public/schedule/detail/18773).
+
+- Career-wise, I wanted to move beyond PHP development, which I successfully
+  achieved by working for a [new client](https://logger.paua.org.nz/) while
+  I was at [Catalyst](https://catalyst.net.nz) and then getting hired by
+  [Mozilla](https://mozilla.org) to work on
+  [Persona](https://en.wikipedia.org/wiki/Mozilla_Persona) until it was
+  de-staffed following a [Mozilla reorg](http://arewereorganizedyet.com/).
+
+This project personally taught me a lot of different technologies and
+allowed me to try out various web development techniques I wanted to explore
+at the time. That was intentional: I chose my technologies so that even if
+the project was a complete failure, I would still have gotten something out
+of it.
+
+# A few things I've learned
+
+I learned many things along the way, but here are a few that might be useful
+to other people starting a new free software project:
+
+- Speak about your new project at every user group you can. It's important
+  to validate that you can get other people excited about your project. User
+  groups are a great (and cheap) way to kickstart your word of mouth
+  marketing.
+
+- When speaking about your project, ask simple things of the attendees (e.g.
+  create an account today, join the IRC channel). Often people want to
+  support you but they can't commit to big tasks. Make sure to take
+  advantage of all of the support you can get, especially early on.
+
+- Having your friends join (or lurk on!) an IRC channel means it's vibrant,
+  instead of empty, and there are people around to field simple questions or
+  tell people to wait until you're around. Nobody wants to be alone in a
+  channel with a stranger.
+
+# Thank you
+
+I do want to sincerely thank all of the people who contributed to the
+project over the years:
+
+- Jonathan Harker and Brett Wilkins for productive hack sessions in the
+  Catalyst office.
+- Lars Wirzenius, Andy Chilton and Jesse Noller for graciously hosting the
+  service.
+- Christian Weiske, Melissa Draper, Thomas Goirand and Kai Hendry for
+  running mirrors on their servers.
+- Chris Forbes, fr33domlover, Kang-min Liu and strk for writing and
+  maintaining client libraries.
+- The Wellington Perl Mongers for their invaluable feedback on an early prototype.
+- The `#equifoss` group for their ongoing suppport and numerous ideas.
+- Nigel Babu and Melissa Draper for producing the first (and only) project
+  stikers, as well as Chris Cormack for spreading so effectively.
+- Adolfo Jayme, Alfredo Hernández, Anthony Harrington, Asier Iturralde
+  Sarasola, Besnik, Beto1917, Daniel Neis, Eduardo Battaglia, Fernando P
+  Silveira, Gabriele Castagneti, Heimen Stoffels, Iñaki Arenaza, Jakob
+  Kramer, Jorge Luis Gomez, Kristina Hoeppner, Laura Arjona Reina, Léo
+  POUGHON, Marc Coll Carrillo, Mehmet Keçeci, Milan Horák, Mitsuhiro
+  Yoshida, Oleg Koptev, Rodrigo Díaz, Simone G, Stanislas Michalak, Volkan
+  Gezer, VPablo, Xuacu Saturio, Yuri Chornoivan, yurchor and zapman for
+  making Libravatar speak so many languages.
+
+I'm sure I have forgotten people who have helped over the years. If your
+name belongs in here and it's not, please email me or leave a comment.
+
+[[!tag debian]] [[!tag nzoss]] [[!tag libravatar]] [[!tag indieweb]]
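Review bot: a few typos in the new post: `was must easier to implement` should be `was much easier`, `The fact dev environment setup was not the easiest` is missing `that` after `fact`, `led to speak at` should be `led me to speak at`, `suppport` should be `support`, and `stikers` should be `stickers`.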
diff --git a/posts/looking-back-on-starting-libravatar/cumulative_user_accounts.png b/posts/looking-back-on-starting-libravatar/cumulative_user_accounts.png
new file mode 100644
index 0000000..9358577
Binary files /dev/null and b/posts/looking-back-on-starting-libravatar/cumulative_user_accounts.png differ

Add missing step in lxc-net setup
https://wiki.debian.org/LXC#Networked_quickstart_for_Debian_Stretch_.28testing_as_of_Q3_2016.29
diff --git a/posts/lxc-setup-on-debian-stretch.mdwn b/posts/lxc-setup-on-debian-stretch.mdwn
index 6daa81b..5fe6cc4 100644
--- a/posts/lxc-setup-on-debian-stretch.mdwn
+++ b/posts/lxc-setup-on-debian-stretch.mdwn
@@ -20,6 +20,10 @@ change needed here):
     lxc.network.flags = up
     lxc.network.hwaddr = 00:FF:AA:xx:xx:xx
 
+and enable networking by putting the following in a new `/etc/default/lxc-net` file:
+
+    USE_LXC_BRIDGE="true"
+
 That configuration requires that the `veth` kernel module be loaded. If
 you have any kinds of module-loading restrictions enabled, you probably
 need to add the following to `/etc/modules` and **reboot**:

Remove spurious characters
This is probably mistyped emacs C-n.
diff --git a/posts/using-all-5ghz-wifi-frequencies-in-gargoyle-router.mdwn b/posts/using-all-5ghz-wifi-frequencies-in-gargoyle-router.mdwn
index 3107dea..d22ff84 100644
--- a/posts/using-all-5ghz-wifi-frequencies-in-gargoyle-router.mdwn
+++ b/posts/using-all-5ghz-wifi-frequencies-in-gargoyle-router.mdwn
@@ -54,7 +54,7 @@ for the "world" regulatory authority.
 
 Because [Gargoyle](https://www.gargoyle-router.com/) is based on
 [OpenWRT](https://openwrt.org/), there are a lot more
-nn[wireless configuration options](https://wiki.openwrt.org/doc/uci/wireless)
+[wireless configuration options](https://wiki.openwrt.org/doc/uci/wireless)
 available than what's exposed in the Web UI.
 
 In this case, the solution was to explicitly [set my country in the wireless options](https://feeding.cloud.geek.nz/posts/setting-wifi-regulatory-domain-linux-openwrt/) (where `CA` is the

Link to my regulatory authority post instead of hacking the config file
diff --git a/posts/using-all-5ghz-wifi-frequencies-in-gargoyle-router.mdwn b/posts/using-all-5ghz-wifi-frequencies-in-gargoyle-router.mdwn
index 438951f..3107dea 100644
--- a/posts/using-all-5ghz-wifi-frequencies-in-gargoyle-router.mdwn
+++ b/posts/using-all-5ghz-wifi-frequencies-in-gargoyle-router.mdwn
@@ -57,15 +57,9 @@ Because [Gargoyle](https://www.gargoyle-router.com/) is based on
 nn[wireless configuration options](https://wiki.openwrt.org/doc/uci/wireless)
 available than what's exposed in the Web UI.
 
-In this case, the solution was to explicitly set my country in the wireless
-options by putting:
-
-    country 'CA'
-
-(where `CA` is the
-[country code](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2) where the
-router is physically located) in the 5 GHz radio section of
-`/etc/config/wireless` on the router.
+In this case, the solution was to explicitly [set my country in the wireless options](https://feeding.cloud.geek.nz/posts/setting-wifi-regulatory-domain-linux-openwrt/) (where `CA` is the
+[country code](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2) for Canada, where my
+router is physically located).
 
 Then I rebooted and I was able to set the channel successfully via the Web UI.
 
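Review bot: the unchanged context line `nn[wireless configuration options](https://wiki.openwrt.org/doc/uci/wireless)` still carries the stray `nn` characters in front of the link; since this change already edits the paragraph directly below it, fixing them here would avoid a separate commit for the same spot.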

Comment moderation
diff --git a/posts/dynamic-dns-on-own-domain/comment_2_86d0b5b701b44721af5d38a180e60df4._comment b/posts/dynamic-dns-on-own-domain/comment_2_86d0b5b701b44721af5d38a180e60df4._comment
new file mode 100644
index 0000000..c604845
--- /dev/null
+++ b/posts/dynamic-dns-on-own-domain/comment_2_86d0b5b701b44721af5d38a180e60df4._comment
@@ -0,0 +1,12 @@
+[[!comment format=mdwn
+ username="francois@665656f0ba400877c9b12e8fbb086e45aa01f7c0"
+ nickname="francois"
+ subject="Re: IPv6"
+ date="2018-03-20T23:44:16Z"
+ content="""
+> Do you use IPv6? How do you update the IPv6 ?
+
+Unfortunately, No-IP still [doesn't support IPv6 in their Dynamic DNS service](https://www.noip.com/blog/2009/06/19/ipv6-records-now-available/#comment-421947). My setup is IPv4-only.
+
+I'd be happy to consider other services that support IPv6 if they also support **custom domains** and are supported by a **client that's included in Debian**. If you know of one, please leave a comment.
+"""]]

Comment moderation
diff --git a/posts/dynamic-dns-on-own-domain/comment_1_193af8570ba24987f776b567180167e7._comment b/posts/dynamic-dns-on-own-domain/comment_1_193af8570ba24987f776b567180167e7._comment
new file mode 100644
index 0000000..dd367b2
--- /dev/null
+++ b/posts/dynamic-dns-on-own-domain/comment_1_193af8570ba24987f776b567180167e7._comment
@@ -0,0 +1,11 @@
+[[!comment format=mdwn
+ ip="2804:14d:5ce0:9e33:540a:d1c7:6490:c04a"
+ claimedauthor="S.V."
+ subject="IPv6"
+ date="2018-03-20T22:27:53Z"
+ content="""
+Hi,
+Do you use IPv6? How do you update the IPv6 ?
+Best,
+S.V.
+"""]]

Add missing tags to dynamic DNS post
diff --git a/posts/dynamic-dns-on-own-domain.mdwn b/posts/dynamic-dns-on-own-domain.mdwn
index a6a43e7..6fed580 100644
--- a/posts/dynamic-dns-on-own-domain.mdwn
+++ b/posts/dynamic-dns-on-own-domain.mdwn
@@ -88,3 +88,5 @@ The IP for that machine should now be visible on the [No-IP control
 panel](https://www.noip.com/members/dns/) and in DNS lookups:
 
     dig +short machinename.dyn.fmarier.org
+
+[[!tag debian]] [[!tag nzoss]] [[!tag dns]]

Add post on dynamic DNS using noip.com
diff --git a/posts/dynamic-dns-on-own-domain.mdwn b/posts/dynamic-dns-on-own-domain.mdwn
new file mode 100644
index 0000000..a6a43e7
--- /dev/null
+++ b/posts/dynamic-dns-on-own-domain.mdwn
@@ -0,0 +1,90 @@
+[[!meta title="Dynamic DNS on your own domain"]]
+[[!meta date="2018-03-18T13:45:00.000-07:00"]]
+[[!meta license="[Creative Commons Attribution-ShareAlike 4.0 International License](http://creativecommons.org/licenses/by-sa/4.0/)"]]
+
+I recently moved my dynamic DNS hostnames from
+[dyndns.org](https://dyn.com/dns/) (now owned by Oracle) to
+[No-IP](https://www.noip.com/remote-access). In the process, I moved all of
+my hostnames under a sub-domain that I control in case I ever want to
+self-host the authoritative DNS server for it.
+
+# Creating an account
+
+In order to use my own existing domain, I registered for the [Plus Managed
+DNS](https://www.noip.com/remote-access) service and provided my top-level
+domain (`fmarier.org`).
+
+Then I created a [support ticket](https://www.noip.com/ticket/) to ask for
+the **sub-domain feature**. Without that, No-IP expects you to delegate your
+entire domain to them, whereas I only wanted to delegate `*.dyn.fmarier.org`.
+
+Once that got enabled, I was able to create hostnames like `machine.dyn` in
+the No-IP control panel. Without the sub-domain feature, you can't have dots
+in hostnames.
+
+I used a bogus IP address (e.g. `1.2.3.4`) for all of the hostnames I
+created in order to easily confirm that the client software is working.
+
+# DNS setup
+
+On my registrar's side, here are the DNS records I had to add to delegate
+anything under `dyn.fmarier.org` to No-IP:
+
+    dyn NS ns1.no-ip.com.
+    dyn NS ns2.no-ip.com.
+    dyn NS ns3.no-ip.com.
+    dyn NS ns4.no-ip.com.
+    dyn NS ns5.no-ip.com.
+
+# Client setup
+
+In order to update its IP address whenever it changes, I installed
+[ddclient](https://sourceforge.net/p/ddclient/wiki/Home/) on each of my
+machines:
+
+    apt install ddclient
+
+While the [ddclient package](https://packages.debian.org/stretch/ddclient)
+[won't help you
+configure](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=625715) your
+No-IP service during installation or [enable the web IP lookup
+method](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=285007), this can
+all be done by editing the configuration after the fact.
+
+I put the following in `/etc/ddclient.conf`:
+
+    ssl=yes
+    protocol=noip
+    use=web, web=checkip.dyndns.com, web-skip='IP Address'
+    server=dynupdate.no-ip.com
+    login=myusername
+    password='Password1!'
+    machinename.dyn.fmarier.org
+
+and the following in `/etc/default/ddclient`:
+
+    run_dhclient="false"
+    run_ipup="false"
+    run_daemon="true"
+    daemon_interval="3600"
+
+Then restart the service:
+
+    systemctl restart ddclient.service
+
+Note that you do need to change the default update interval or the
+`checkip.dyndns.com` server [will ban your IP
+address](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=489997).
+
+# Testing
+
+To test that the client software is working, wait 6 minutes (there is an
+internal check which cancels any client invocations within 5 minutes of
+another), then run it manually:
+
+    ddclient --verbose --debug
+
+The IP for that machine should now be visible on the [No-IP control
+panel](https://www.noip.com/members/dns/) and in DNS lookups:
+
+    dig +short machinename.dyn.fmarier.org
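Review bot: `/etc/ddclient.conf` in "Client setup" holds the No-IP credential in the clear (`password='Password1!'`), so the post should say the file must stay readable by root only (confirm that the Debian package installs it mode 0600, or add `chmod 600 /etc/ddclient.conf`) before readers copy a real password into it. Also worth checking whether `ssl=yes` applies to the `use=web, web=checkip.dyndns.com` lookup or only to the update sent to `dynupdate.no-ip.com`; if the lookup goes over plain HTTP, a sentence noting that the detected address is not authenticated would be accurate.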

Comment moderation
diff --git a/posts/upgrading-lenovo-thinkpad-bios-under-linux/comment_6_5b9ac5c6cdbe9ec824c914134327fdf7._comment b/posts/upgrading-lenovo-thinkpad-bios-under-linux/comment_6_5b9ac5c6cdbe9ec824c914134327fdf7._comment
new file mode 100644
index 0000000..41694b7
--- /dev/null
+++ b/posts/upgrading-lenovo-thinkpad-bios-under-linux/comment_6_5b9ac5c6cdbe9ec824c914134327fdf7._comment
@@ -0,0 +1,10 @@
+[[!comment format=mdwn
+ ip="176.147.239.109"
+ claimedauthor="BigFan"
+ subject="faster dd"
+ date="2018-03-17T11:52:27Z"
+ content="""
+Use option 'bs=4M' for faster write to the usb key (otherwise it will take several minutes):  
+    $ dd bs=4M if=bios.img of=/dev/sdX
+
+"""]]

Use mpc-fade to stop music in the evening
diff --git a/posts/home-music-server-with-mpd.mdwn b/posts/home-music-server-with-mpd.mdwn
index 7974cec..e0d4baa 100644
--- a/posts/home-music-server-with-mpd.mdwn
+++ b/posts/home-music-server-with-mpd.mdwn
@@ -76,8 +76,12 @@ daily and stop the music automatically in the evening:
     # Refresh DB once an hour
     5 * * * *  mpd  test -r /run/mpd/socket && MPD_HOST=Password1@/run/mpd/socket /usr/bin/mpc --quiet update
     # Think of the neighbours
-    0 22 * * 0-4  mpd  test -r /run/mpd/socket && MPD_HOST=Password1@/run/mpd/socket /usr/bin/mpc --quiet stop
-    0 23 * * 5-6  mpd  test -r /run/mpd/socket && MPD_HOST=Password1@/run/mpd/socket /usr/bin/mpc --quiet stop
+    0 22 * * 0-4  mpd  test -r /run/mpd/socket && MPD_HOST=Password1@/run/mpd/socket /usr/local/bin/mpc-fade
+    0 23 * * 5-6  mpd  test -r /run/mpd/socket && MPD_HOST=Password1@/run/mpd/socket /usr/local/bin/mpc-fade
+
+My [`mpc-fade` script](https://github.com/fmarier/user-scripts/blob/master/mpc-fade),
+heavily inspired by [Guillaume's](http://guillaumeplayground.net/mpd-mpc-fade-in-out-script/),
+gradually brings the volume down instead of stopping the music abrutly.
 
 ## Album covers
 
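Review bot: typo in the new paragraph: `abrutly` should be `abruptly`. The crontab lines now call `/usr/local/bin/mpc-fade`, but the hunk does not say to copy the script there and make it executable; one sentence on installing it would save readers a silently failing cron job, and the line still embeds `Password1` in `MPD_HOST`, so a reminder that the crontab should not be world-readable fits here as well.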

Comment moderation
diff --git a/posts/redirecting-entire-site-except-certbot-webroot/comment_1_66c587e8b38d4ae2d0f24422f959f166._comment b/posts/redirecting-entire-site-except-certbot-webroot/comment_1_66c587e8b38d4ae2d0f24422f959f166._comment
new file mode 100644
index 0000000..0f20b27
--- /dev/null
+++ b/posts/redirecting-entire-site-except-certbot-webroot/comment_1_66c587e8b38d4ae2d0f24422f959f166._comment
@@ -0,0 +1,13 @@
+[[!comment format=mdwn
+ ip="2a02:8071:b581:3afc:25b1:3686:15d9:fce3"
+ claimedauthor="Uwe Kleine-König"
+ subject="conditions for letsencrypt certs"
+ date="2018-03-02T08:42:11Z"
+ content="""
+Hello,
+
+according to my experience having a redirect for `/.well-known/acme-challenge` works fine. So an unconditional redirect from `http://libravatar.org/(.*)` to `http://www.libravatar.org/$1` should do the trick a bit easier.
+
+Best regards
+Uwe
+"""]]
diff --git a/posts/redirecting-entire-site-except-certbot-webroot/comment_2_fa5e9bec263f4d7787b74b22f82e13ea._comment b/posts/redirecting-entire-site-except-certbot-webroot/comment_2_fa5e9bec263f4d7787b74b22f82e13ea._comment
new file mode 100644
index 0000000..f9e6b38
--- /dev/null
+++ b/posts/redirecting-entire-site-except-certbot-webroot/comment_2_fa5e9bec263f4d7787b74b22f82e13ea._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ ip="2a02:810d:4740:cc10:6e29:95ff:fe7c:2bad"
+ claimedauthor="Philipp Kern"
+ subject="HTTP redirects should be fine?"
+ date="2018-03-02T08:37:07Z"
+ content="""
+I was under the impression that 301 redirects will be followed by the CA. Is that not the case?
+"""]]

Add another letsencrypt/certbot config post
diff --git a/posts/redirecting-entire-site-except-certbot-webroot.mdwn b/posts/redirecting-entire-site-except-certbot-webroot.mdwn
new file mode 100644
index 0000000..91ea91f
--- /dev/null
+++ b/posts/redirecting-entire-site-except-certbot-webroot.mdwn
@@ -0,0 +1,47 @@
+[[!meta title="Redirecting an entire site except for the certbot webroot"]]
+[[!meta date="2018-03-01T21:40:00.000-08:00"]]
+[[!meta license="[Creative Commons Attribution-ShareAlike 4.0 International License](http://creativecommons.org/licenses/by-sa/4.0/)"]]
+
+In order to be able to use the [webroot
+plugin](https://certbot.eff.org/docs/using.html#webroot) for
+[certbot](https://certbot.eff.org/) and automatically renew the [Let's
+Encrypt](https://letsencrypt.org/) certificate for `libravatar.org`, I
+had to put together an Apache config that would do the following on port 80:
+
+- Let `/.well-known/acme-challenge/*` through on the bare domain
+  (`http://libravatar.org/`).
+- Redirect anything else to `https://www.libravatar.org/`.
+
+The reason for this is that the main
+[Libravatar](https://www.libravatar.org) service listens on
+`www.libravatar.org` and not `libravatar.org`, but that cerbot needs to
+ascertain control of the bare domain.
+
+This is the configuration I ended up with:
+
+    <VirtualHost *:80>
+        DocumentRoot /var/www/acme
+        <Directory /var/www/acme>
+            Options -Indexes
+        </Directory>
+    
+        RewriteEngine on
+        RewriteCond "/var/www/acme%{REQUEST_URI}" !-f
+        RewriteRule ^(.*)$ https://www.libravatar.org/ [last,redirect=301]
+    </VirtualHost>
+
+The trick I used here is to make the redirection `RewriteRule` conditional
+on the requested file (`%{REQUEST_URI}`) not existing in the `/var/www/acme`
+directory, the one where I tell certbot to drop its temporary files.
+
+Here are the relevant portions of `/etc/letsencrypt/renewal/www.libravatar.org.conf`:
+
+    [renewalparams]
+    authenticator = webroot
+    account = 
+    
+    [[webroot_map]]
+    libravatar.org = /var/www/acme
+    www.libravatar.org = /var/www/acme
+
+[[!tag debian]] [[!tag letsencrypt]] [[!tag nzoss]] [[!tag apache]] [[!tag ssl]]
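Review bot: `RewriteRule ^(.*)$ https://www.libravatar.org/ [last,redirect=301]` captures the request path but never uses it, so every non-challenge URL on the bare domain lands on the front page of `www.libravatar.org`; if that is intended, a bare `^` pattern makes it clearer, and if paths should survive the redirect, the target needs the capture (`https://www.libravatar.org$1`). Typo in the prose: `cerbot needs to ascertain control` should be `certbot`.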

Fix typo
Can be verified using `uci show system`.
Thanks to CapnNarkolepso for reporting this.
diff --git a/posts/debugging-openwrt-routers-by-shipping.mdwn b/posts/debugging-openwrt-routers-by-shipping.mdwn
index 59f84df..335ec00 100644
--- a/posts/debugging-openwrt-routers-by-shipping.mdwn
+++ b/posts/debugging-openwrt-routers-by-shipping.mdwn
@@ -34,7 +34,7 @@ After logging into the router via ssh, I ran the following commands:
 
 
     uci set system.@system[0].log_ip=192.168.1.2  
-    uci set system.@system[0].conloglevel=7  
+    uci set system.@system[0].cronloglevel=7
     uci commit
 
 
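Review bot: `conloglevel` and `cronloglevel` are both documented options in OpenWrt's `/etc/config/system` (the console log level for kernel messages and the cron log level respectively), so this swaps one real setting for another rather than fixing a spelling; the commit message should say which of the two the remote-logging setup actually needs, and quoting the `uci show system` output used to verify it would settle the question for readers. The trailing double space was also dropped from the changed line but kept on the `log_ip` line above it; inside the indented code block it has no effect, but the two lines should be consistent.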

Add cover URL config for MPDRemote on iOS
diff --git a/posts/home-music-server-with-mpd.mdwn b/posts/home-music-server-with-mpd.mdwn
index e45f73a..7974cec 100644
--- a/posts/home-music-server-with-mpd.mdwn
+++ b/posts/home-music-server-with-mpd.mdwn
@@ -164,4 +164,9 @@ since [MPoD](http://www.katoemba.net/makesnosenseatall/mpod/) and
 [MPaD](http://www.katoemba.net/makesnosenseatall/mpad/) don't appear to be
 available on the AppStore anymore.
 
+Of these, MPDRemote appears to be the better one. It also supports album art
+if you configure the profile with the following cover URL:
+
+    http://192.168.1.2/
+
 [[!tag debian]] [[!tag ubuntu]] [[!tag nzoss]] [[!tag mpd]] [[!tag ios]] [[!tag android]] [[!tag tor]] [[!tag systemd]]

Add album cover support via Apache web server
diff --git a/posts/home-music-server-with-mpd.mdwn b/posts/home-music-server-with-mpd.mdwn
index 8bbe5d6..e45f73a 100644
--- a/posts/home-music-server-with-mpd.mdwn
+++ b/posts/home-music-server-with-mpd.mdwn
@@ -79,12 +79,39 @@ daily and stop the music automatically in the evening:
     0 22 * * 0-4  mpd  test -r /run/mpd/socket && MPD_HOST=Password1@/run/mpd/socket /usr/bin/mpc --quiet stop
     0 23 * * 5-6  mpd  test -r /run/mpd/socket && MPD_HOST=Password1@/run/mpd/socket /usr/bin/mpc --quiet stop
 
+## Album covers
+
+In order to supply album cover art to clients which support grabbing covers
+from a local web server I have installed
+[Apache](https://httpd.apache.org/):
+
+    apt install apache2
+
+and configured it to serve the covers by putting the following in
+`/etc/apache2/conf-available/mpd.conf`:
+
+    <Directory /path/to/music>
+        AllowOverride None
+        Require all granted
+    </Directory>
+
+and then the following line in the default vhost section of
+`/etc/apache2/sites-available/000-default.conf`:
+
+    Alias /music /path/to/music
+
+Finally, I enabled the new configuration and restarted Apache:
+
+    a2enconf mpd.conf
+    systemctl restart apache2.service
+
 # Clients
 
-To let anybody on the local network connect, I opened **port 6600** on the
-firewall (`/etc/network/iptables.up.rules` since I'm using Debian's
+To let anybody on the local network connect, I opened **ports 80 and 6600**
+on the firewall (`/etc/network/iptables.up.rules` since I'm using Debian's
 `iptables-apply`):
 
+    -A INPUT -s 192.168.1.0/24 -p tcp --dport 80 -j ACCEPT
     -A INPUT -s 192.168.1.0/24 -p tcp --dport 6600 -j ACCEPT
 
 Then I looked at [the long list of clients](http://mpd.wikia.com/wiki/Clients) on the mpd wiki.
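Review bot: the `<Directory /path/to/music>` block uses `Require all granted`, so the entire music tree (not just the cover files) is served unauthenticated to anything that can reach port 80; the new iptables rule in the same hunk limits that to 192.168.1.0/24, but adding `Require ip 192.168.1.0/24` inside the `<Directory>` block (plus an explicit `Options -Indexes` so directory listings are ruled out regardless of the global config) keeps the restriction even if the firewall rules are later reset or the box is moved. Minor: `a2enconf mpd` is the usual form of the enable command, and `systemctl reload apache2.service` is sufficient for a configuration change.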
@@ -119,7 +146,12 @@ On Android, I got these two to work:
 - [M.A.L.P.](https://f-droid.org/repository/browse/?fdfilter=malp&fdid=org.gateshipone.malp) (requires Android 5 or later)
 - [MPDroid](https://f-droid.org/repository/browse/?fdfilter=mpdroid&fdid=com.namelessdev.mpdroid)
 
-I picked M.A.L.P. since it includes a nice widget for the homescreen.
+I picked M.A.L.P. since it includes a nice widget for the homescreen. In the
+profile settings, I enabled *Prefer [HTTP cover
+files](https://github.com/gateship-one/malp/wiki/FAQ#application-usage)* and
+used this URL:
+
+    http://192.168.1.2/%d
 
 ## iOS
 

Add MPDRemote AppStore link
This free software client is now available on the Apple AppStore.
diff --git a/posts/home-music-server-with-mpd.mdwn b/posts/home-music-server-with-mpd.mdwn
index 0f0e02a..8bbe5d6 100644
--- a/posts/home-music-server-with-mpd.mdwn
+++ b/posts/home-music-server-with-mpd.mdwn
@@ -125,7 +125,7 @@ I picked M.A.L.P. since it includes a nice widget for the homescreen.
 
 On iOS, these are the most promising clients I found:
 
-- [MPDRemote](https://github.com/Nyx0uf/MPDRemote) (free software, not on the AppStore)
+- [MPDRemote](https://github.com/Nyx0uf/MPDRemote) (free software, sold on the [AppStore](https://itunes.apple.com/us/app/mpdremote/id1202933180?ls=1&mt=8))
 - [MPDluxe](http://kineticfactory.com/MPDluxe/) (proprietary, sold on the [AppStore](https://itunes.apple.com/app/mpdluxe/id991758069?mt=8))
 
 since [MPoD](http://www.katoemba.net/makesnosenseatall/mpod/) and

Update DNSCrypt links
diff --git a/posts/using-dnssec-and-dnscrypt-in-debian.mdwn b/posts/using-dnssec-and-dnscrypt-in-debian.mdwn
index 3722667..a57c7ee 100644
--- a/posts/using-dnssec-and-dnscrypt-in-debian.mdwn
+++ b/posts/using-dnssec-and-dnscrypt-in-debian.mdwn
@@ -8,7 +8,7 @@ While there is real progress being made towards
 Internet service that still usually relies on unauthenticated cleartext.
 There are however a few efforts to try and fix this problem. Here is the
 setup I use on my Debian laptop to make use of both
-[DNSSEC](http://www.dnssec.net/) and [DNSCrypt](https://dnscrypt.org/).
+[DNSSEC](http://www.dnssec.net/) and [DNSCrypt](https://dnscrypt.info/).
 
 # DNSCrypt
 
@@ -29,7 +29,7 @@ if you are using a static network configuration or in
 if you rely on dynamic network configuration via [DHCP](https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol).
 
 There are two things you might want to keep in mind when choosing your
-[DNSCrypt resolver](https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv):
+[DNSCrypt resolver](https://github.com/DNSCrypt/dnscrypt-resolvers/tree/master/v1):
 
 - whether or not they keep any logs of the DNS traffic
 - whether or not they support DNSSEC
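Review bot: the new resolver-list link on the changed line points at the `v1` directory of the DNSCrypt/dnscrypt-resolvers repository, which is the list for the dnscrypt-proxy 1.x series; if the post's configuration is for 1.x that is the right target, but readers on dnscrypt-proxy 2.x use a different list and config format and should be told so. Verifying the signature of the downloaded list before trusting it also belongs next to the two selection criteria listed below.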

Linkify flashrom.org link in comment
diff --git a/posts/creating-freedos-bootable-usb-stick-to/comment_3_44ccac1abc9c63695fcec1942a2648a9._comment b/posts/creating-freedos-bootable-usb-stick-to/comment_3_44ccac1abc9c63695fcec1942a2648a9._comment
index 582f50f..aa9cd4b 100644
--- a/posts/creating-freedos-bootable-usb-stick-to/comment_3_44ccac1abc9c63695fcec1942a2648a9._comment
+++ b/posts/creating-freedos-bootable-usb-stick-to/comment_3_44ccac1abc9c63695fcec1942a2648a9._comment
@@ -3,7 +3,7 @@
  subject=""
  date="2012-03-13T20:14:08.798+13:00"
  content="""
-What about http://www.flashrom.org?
+What about <https://www.flashrom.org>?
 
 
 """]]

Remove comment with a suggestion that won't work
diff --git a/posts/creating-freedos-bootable-usb-stick-to/comment_2_0f744a1b053542b4118d9737433838c7._comment b/posts/creating-freedos-bootable-usb-stick-to/comment_2_0f744a1b053542b4118d9737433838c7._comment
deleted file mode 100644
index b546ab3..0000000
--- a/posts/creating-freedos-bootable-usb-stick-to/comment_2_0f744a1b053542b4118d9737433838c7._comment
+++ /dev/null
@@ -1,12 +0,0 @@
-[[!comment format=mdwn
- username="http://www.blogger.com/profile/02726867824497339744"
- nickname="gebi"
- subject=""
- date="2012-03-13T12:47:01.504+13:00"
- content="""
-An alternative method to get a freebsd bootable usb-stick:  
-  
-https://plus.google.com/101377063020971314139/posts/d5KMP7yBPRh
-
-
-"""]]
diff --git a/posts/creating-freedos-bootable-usb-stick-to/comment_5_29c0397ad176cf563ad33ee2eb69504a._comment b/posts/creating-freedos-bootable-usb-stick-to/comment_5_29c0397ad176cf563ad33ee2eb69504a._comment
deleted file mode 100644
index 46c4ada..0000000
--- a/posts/creating-freedos-bootable-usb-stick-to/comment_5_29c0397ad176cf563ad33ee2eb69504a._comment
+++ /dev/null
@@ -1,7 +0,0 @@
-[[!comment format=mdwn
- ip="142.177.126.65"
- subject="untried suggestions"
- date="2014-10-28T21:41:29Z"
- content="""
-Please if you are going to make a suggestion, make sure it does what is asked in the question. The OP wanted to add files to a FreeDOS USB stick, so he could update a BIOS. Presumably he would need the particular BIOS update executable plus a new BIOS image and possibly the ability to save a copy of the current BIOS in case something goes awry. The poster who suggested using balder10.img obviously hadn't tested it and didn't know that it boots as a 1.44 Mb floppy image.
-"""]]

Fix broken links and use HTTPS in all wget calls
diff --git a/posts/creating-freedos-bootable-usb-stick-to.mdwn b/posts/creating-freedos-bootable-usb-stick-to.mdwn
index bd8c6f9..b92aa99 100644
--- a/posts/creating-freedos-bootable-usb-stick-to.mdwn
+++ b/posts/creating-freedos-bootable-usb-stick-to.mdwn
@@ -1,67 +1,59 @@
 [[!meta title="Creating a FreeDOS bootable USB stick to upgrade BIOS"]]
 [[!meta date="2012-03-13T08:00:00.000+13:00"]]
 [[!meta license="[Creative Commons Attribution-ShareAlike 4.0 International License](http://creativecommons.org/licenses/by-sa/4.0/)"]]
-I have an old motherboard that requires creating a DOS boot floppy in order to upgrade its BIOS. Fortunately, it's not too hard to do this with [FreeDOS](http://www.freedos.org/) and a USB stick.  
-  
-_The instructions below are based on an [FDos wiki article](http://wiki.fdos.info/Installation/BootDiskCreateUSB)._  
-  
+I have an old motherboard that requires creating a DOS boot floppy in order to upgrade its BIOS. Fortunately, it's not too hard to do this with [FreeDOS](http://www.freedos.org/) and a USB stick.
+
+_The instructions below are based on an [old FDos wiki article](https://web.archive.org/web/20090301055636/http://wiki.fdos.org/Installation/BootDiskCreateUSB).
+You maye have more luck with the [latest instructions from the official wiki](http://wiki.freedos.org/wiki/index.php/USB)_
+
 
 ### Downloading the dependencies
 
-The first step is to download the required files from your motherboard manufacturer:  
+The first step is to download the required files from your motherboard manufacturer:
 
   * the latest BIOS image
   * the BIOS flashing program
 
-and then install the tools you'll need:  
-
+and then install the tools you'll need:
 
     apt-get install makebootfat syslinux
 
-
-  
-
 ### Preparing the "floppy" image
 
-Start by collecting all of the files you need to install FreeDOS on the USB stick:  
-
-
-    cd /tmp  
-      
-    wget http://www.ibiblio.org/pub/micro/pc-stuff/freedos/files/distributions/1.0/pkgs/commandx.zip  
-    wget http://www.ibiblio.org/pub/micro/pc-stuff/freedos/files/distributions/1.0/pkgs/kernels.zip  
-    wget http://www.ibiblio.org/pub/micro/pc-stuff/freedos/files/distributions/1.0/pkgs/substx.zip  
-    wget http://www.ibiblio.org/pub/micro/pc-stuff/freedos/files/distributions/1.0/pkgs/unstablx.zip  
-      
-    for ZIP in *.zip; do unzip $ZIP; done  
-      
-    cp ./source/ukernel/boot/fat16.bin  .  
-    cp ./source/ukernel/boot/fat12.bin .  
-    cp ./source/ukernel/boot/fat32lba.bin .  
-      
-    cp /usr/lib/syslinux/mbr.bin .
+Start by collecting all of the files you need to install FreeDOS on the USB stick:
 
+    cd /tmp
+    
+    wget https://www.ibiblio.org/pub/micro/pc-stuff/freedos/files/distributions/1.0/pkgs/commandx.zip
+    wget https://www.ibiblio.org/pub/micro/pc-stuff/freedos/files/distributions/1.0/pkgs/kernels.zip
+    wget https://www.ibiblio.org/pub/micro/pc-stuff/freedos/files/distributions/1.0/pkgs/substx.zip
+    wget https://www.ibiblio.org/pub/micro/pc-stuff/freedos/files/distributions/1.0/pkgs/unstablx.zip
+    
+    for ZIP in *.zip; do unzip $ZIP; done
+    
+    cp ./source/ukernel/boot/fat16.bin  .
+    cp ./source/ukernel/boot/fat12.bin .
+    cp ./source/ukernel/boot/fat32lba.bin .
+    
+    cp /usr/lib/syslinux/mbr.bin .
 
 and then create a directory for the files that will end up in the root directory of the "floppy":
 
-    mkdir /tmp/fs-root  
-    cp ./bin/command.com /tmp/fs-root/  
-    cp ./bin/kernel.sys  /tmp/fs-root/  
-    
-
+    mkdir /tmp/fs-root
+    cp ./bin/command.com /tmp/fs-root/
+    cp ./bin/kernel.sys  /tmp/fs-root/
 
-and copy the BIOS image and update program into that same directory (`/tmp/fs-root/`).  
-  
+and copy the BIOS image and update program into that same directory (`/tmp/fs-root/`).
 
 ### Creating a bootable USB stick
 
-Plug in a [FAT](https://en.wikipedia.org/wiki/File_Allocation_Table)-formatted USB stick and look for the device it uses (`/dev/sdb` in the example below).  
-  
-Finally, run `makebootfat`:  
+Plug in a [FAT](https://en.wikipedia.org/wiki/File_Allocation_Table)-formatted USB stick and look for the device it uses (`/dev/sdb` in the example below).
+
+Finally, run `makebootfat`:
 
 <pre>
 /usr/bin/makebootfat -o <i>/dev/sdb</i> -E 255 -1 fat12.bin -2 fat16.bin -3 fat32lba.bin -m mbr.bin /tmp/fs-root
 </pre>
 
 
-[[!tag catalyst]] [[!tag debian]] [[!tag ubuntu]] [[!tag nzoss]] 
+[[!tag catalyst]] [[!tag debian]] [[!tag ubuntu]] [[!tag nzoss]]
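Review bot: the download block now fetches the four FreeDOS zips over HTTPS and then unpacks and boots what it gets, but nothing checks their integrity beyond TLS to the mirror; if ibiblio publishes checksums for the 1.0 packages, comparing them is a one-line addition, and otherwise the post could at least say the files are unsigned. On the added italic line, `maye` should be `may`. Also, `cp /usr/lib/syslinux/mbr.bin .` is kept as-is although current Debian `syslinux-common` installs that file as `/usr/lib/syslinux/mbr/mbr.bin`, so the path deserves the same refresh as the links.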

Simplify the mount option
Thanks to madduck for pointing it out!
diff --git a/posts/lxc-setup-on-debian-stretch.mdwn b/posts/lxc-setup-on-debian-stretch.mdwn
index 994bc77..6daa81b 100644
--- a/posts/lxc-setup-on-debian-stretch.mdwn
+++ b/posts/lxc-setup-on-debian-stretch.mdwn
@@ -96,7 +96,7 @@ In order to have my home directory available within the container, I
 created a user account for myself inside the container and then added
 the following to the container config file (`/var/lib/lxc/sid64/config`):
 
-    lxc.mount.entry=/home/francois /var/lib/lxc/sid64/rootfs/home/francois none bind 0 0
+    lxc.mount.entry=/home/francois home/francois none bind 0 0
 
 before restarting the container:
 
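Review bot: the simplified entry on the `+` line is still a read-write bind mount of the host home directory into a container that is created and started as root (see the `sudo lxc-create` and `lxc-start` lines in the post further down this page), so a root process inside the container can alter anything the host user owns; if read-only access is enough, `none bind,ro 0 0` limits that, and if not, a sentence saying the mount makes the container no safer than a plain chroot for that directory would help readers who run untrusted code in it.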

Comment moderation
diff --git a/posts/lxc-setup-on-debian-stretch/comment_1_ea87a21cd2ed4968ed792df4d533bd43._comment b/posts/lxc-setup-on-debian-stretch/comment_1_ea87a21cd2ed4968ed792df4d533bd43._comment
new file mode 100644
index 0000000..fc829ea
--- /dev/null
+++ b/posts/lxc-setup-on-debian-stretch/comment_1_ea87a21cd2ed4968ed792df4d533bd43._comment
@@ -0,0 +1,20 @@
+[[!comment format=mdwn
+ ip="193.203.232.31"
+ claimedauthor="risca"
+ url="http://wiki.risca.eu"
+ subject="lxc-net configuration"
+ date="2018-01-24T10:10:54Z"
+ content="""
+Hi,
+
+about network configuration on LXC in debian stretch, it is possible to easy the setup through the lxc-net script (it's shipped with-in the lxc package itself). This way you only need:
+
+- to fill parameters in /etc/default/lxc-net
+- add bridge configuration for lxcbr0 in /etc/network/interfaces
+
+All of other steps pointed out in your \"Network setup\" are done by lxc-net itself.
+
+The only downside of the script is that it would be nice to use, instead of a script, an horde of systemd units (if using systemd). I tried to fill a request for it [1] but it's still a work in progress.
+
+[1] https://github.com/lxc/lxc/issues/2083
+"""]]
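Review bot: the comment metadata on the added lines commits the submitter's IP address (`ip="193.203.232.31"`) into a public repository together with the claimed author and URL; the IP is only useful for moderation, so consider stripping it before publishing the commit or not recording it in the comment template at all. The same applies to every other `_comment` file added on this page.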
diff --git a/posts/time-synchronization-with-ntp-and-systemd/comment_4_6d6235632443890b9f5645bc745cdb41._comment b/posts/time-synchronization-with-ntp-and-systemd/comment_4_6d6235632443890b9f5645bc745cdb41._comment
new file mode 100644
index 0000000..64e11d4
--- /dev/null
+++ b/posts/time-synchronization-with-ntp-and-systemd/comment_4_6d6235632443890b9f5645bc745cdb41._comment
@@ -0,0 +1,13 @@
+[[!comment format=mdwn
+ ip="81.242.162.111"
+ claimedauthor="Patrick"
+ subject="NTP synchro"
+ date="2018-01-21T21:54:39Z"
+ content="""
+Hello,
+
+I'm interested cause my  NTP synchronized is always :no
+I done exactly the same commands on the blog and no change appears.
+
+Thank you for advice.
+"""]]

Replace xbacklight with new set-backlight script
diff --git a/posts/creating-a-modern-tiling-desktop-environment-using-i3.mdwn b/posts/creating-a-modern-tiling-desktop-environment-using-i3.mdwn
index 6c51008..5be5dbd 100644
--- a/posts/creating-a-modern-tiling-desktop-environment-using-i3.mdwn
+++ b/posts/creating-a-modern-tiling-desktop-environment-using-i3.mdwn
@@ -47,18 +47,18 @@ While keyboard shortcuts can be configured in GNOME, they don't work within i3,
     bindsym XF86AudioMute exec /usr/bin/pactl set-sink-mute @DEFAULT_SINK@ toggle
 
     # brightness control
-    bindsym XF86MonBrightnessDown exec xbacklight -steps 1 -time 0 -dec 5
-    bindsym XF86MonBrightnessUp exec xbacklight -steps 1 -time 0 -inc 10
+    bindsym XF86MonBrightnessDown exec /home/francois/bin/set-brightness -
+    bindsym XF86MonBrightnessUp exec /home/francois/bin/set-brightness +
 
     # show battery stats
     bindsym XF86Battery exec gnome-power-statistics
 
 to make volume control, screen brightness and battery status buttons work as expected on my laptop.
 
-These bindings require the following packages:
+These bindings require the following packages or scripts:
 
 * [pulseaudio-utils](https://packages.debian.org/stable/pulseaudio-utils)
-* [xbacklight](https://packages.debian.org/stable/xbacklight)
+* [set-brightness](https://github.com/fmarier/user-scripts/blob/master/set-brightness)
 * [gnome-power-manager](https://packages.debian.org/stable/gnome-power-manager)
 
 # Keyboard layout switcher

Fix post title and remove unnecessary -d flags
diff --git a/posts/lxc-setup-on-debian-stretch.mdwn b/posts/lxc-setup-on-debian-stretch.mdwn
index a3516df..994bc77 100644
--- a/posts/lxc-setup-on-debian-stretch.mdwn
+++ b/posts/lxc-setup-on-debian-stretch.mdwn
@@ -1,4 +1,4 @@
-[[!meta title="LXC setup on Debian jessie"]]
+[[!meta title="LXC setup on Debian stretch"]]
 [[!meta date="2018-01-23T21:30:00.000-08:00"]]
 [[!meta license="[Creative Commons Attribution-ShareAlike 4.0 International License](http://creativecommons.org/licenses/by-sa/4.0/)"]]
 
@@ -101,7 +101,7 @@ the following to the container config file (`/var/lib/lxc/sid64/config`):
 before restarting the container:
 
     lxc-stop -n sid64
-    lxc-start -n sid64 -d
+    lxc-start -n sid64
 
 # Fixing locale errors
 
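Review bot: dropping `-d` from `lxc-start` on the changed lines is correct for the LXC in stretch, where `lxc-start` daemonizes by default and `-F` is the foreground switch (the post already uses `-F` for console login), but readers on jessie's 1.x series still need `-d`; one sentence stating that the commands assume LXC 2.x would prevent the confusion.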
@@ -139,13 +139,13 @@ work-around I found is to temporarily shutdown AppArmor on the host:
 
     lxc-stop -n sid64
     systemctl stop apparmor
-    lxc-start -n sid64 -d
+    lxc-start -n sid64
 
 and then start up it later once the locales have been updated:
 
     lxc-stop -n sid64
     systemctl start apparmor
-    lxc-start -n sid64 -d
+    lxc-start -n sid64
 
 # AppArmor support
 

Add LXC setup on stretch post
diff --git a/posts/lxc-setup-on-debian-stretch.mdwn b/posts/lxc-setup-on-debian-stretch.mdwn
new file mode 100644
index 0000000..a3516df
--- /dev/null
+++ b/posts/lxc-setup-on-debian-stretch.mdwn
@@ -0,0 +1,157 @@
+[[!meta title="LXC setup on Debian jessie"]]
+[[!meta date="2018-01-23T21:30:00.000-08:00"]]
+[[!meta license="[Creative Commons Attribution-ShareAlike 4.0 International License](http://creativecommons.org/licenses/by-sa/4.0/)"]]
+
+Here's how to setup LXC-based "chroots" on Debian stretch. While I [wrote about this on Debian jessie](https://feeding.cloud.geek.nz/posts/lxc-setup-on-debian-jessie/), I
+had to make some [networking changes for stretch](https://wiki.debian.org/LXC#Networked_quickstart_for_Debian_Stretch_.28testing_as_of_Q3_2016.29)
+and so here are the full steps that should work on stretch.
+
+Start by installing (as root) the necessary packages:
+
+    apt install lxc libvirt-clients debootstrap
+
+# Network setup
+
+I decided to use the default `/etc/lxc/default.conf` configuration (no
+change needed here):
+
+    lxc.network.type = veth
+    lxc.network.link = lxcbr0
+    lxc.network.flags = up
+    lxc.network.hwaddr = 00:FF:AA:xx:xx:xx
+
+That configuration requires that the `veth` kernel module be loaded. If
+you have any kinds of module-loading restrictions enabled, you probably
+need to add the following to `/etc/modules` and **reboot**:
+
+    veth
+
+Next, I had to make sure that the "guests" could connect to the outside
+world through the "host":
+
+1. Enable IPv4 forwarding by putting this in `/etc/sysctl.conf`:
+
+       net.ipv4.ip_forward=1
+
+2. and then applying it using:
+
+       sysctl -p
+
+3. Restart the network bridge:
+
+       systemctl restart lxc-net.service
+
+4. and ensure that it's not blocked by the host firewall, by putting this in `/etc/network/iptables.up.rules`:
+
+       -A FORWARD -d 10.0.3.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+       -A FORWARD -s 10.0.3.0/24 -j ACCEPT
+       -A INPUT -d 224.0.0.251 -s 10.0.3.1 -j ACCEPT
+       -A INPUT -d 10.0.3.255 -s 10.0.3.1 -j ACCEPT
+       -A INPUT -d 10.0.3.1 -s 10.0.3.0/24 -j ACCEPT
+
+5. and applying the rules using:
+
+       iptables-apply
+
+# Creating a container
+
+Creating a new container (in `/var/lib/lxc/`) is simple:
+
+    sudo MIRROR=http://httpredir.debian.org/debian lxc-create -n sid64 -t debian -- -r sid -a amd64
+
+You can start or stop it like this:
+
+    sudo lxc-start -n sid64
+    sudo lxc-stop -n sid64
+
+# Connecting to a guest using ssh
+
+The ssh server is configured to require pubkey-based authentication for root
+logins, so you'll need to log into the console:
+
+    sudo lxc-stop -n sid64
+    sudo lxc-start -n sid64 -F
+
+Since the root password is randomly generated, you'll need to reset it before
+you can login as root:
+
+    sudo lxc-attach -n sid64 passwd
+
+Then login as root and install a text editor inside the container because the
+root image doesn't have one by default:
+
+    apt install vim
+
+then paste your public key in `/root/.ssh/authorized_keys`.
+
+Then you can exit the console (using `Ctrl+a q`) and ssh into the
+container. You can find out what IP address the container received from DHCP
+by typing this command:
+
+    sudo lxc-ls --fancy
+
+# Mounting your home directory inside a container
+
+In order to have my home directory available within the container, I
+created a user account for myself inside the container and then added
+the following to the container config file (`/var/lib/lxc/sid64/config`):
+
+    lxc.mount.entry=/home/francois /var/lib/lxc/sid64/rootfs/home/francois none bind 0 0
+
+before restarting the container:
+
+    lxc-stop -n sid64
+    lxc-start -n sid64 -d
+
+# Fixing locale errors
+
+If you see a bunch of errors like these when you start your container:
+
+    perl: warning: Setting locale failed.
+    perl: warning: Please check that your locale settings:
+	LANGUAGE = (unset),
+	LC_ALL = (unset),
+	LANG = "fr_CA.utf8"
+        are supported and installed on your system.
+    perl: warning: Falling back to the standard locale ("C").
+
+then log into the container as root and use:
+
+    dpkg-reconfigure locales
+
+to enable the same locales as the ones you have configured in the host.
+
+If you see these errors while reconfiguring the `locales` package:
+
+    Generating locales (this might take a while)...
+      en_US.UTF-8...cannot change mode of new locale archive: No such file or directory
+     done
+      fr_CA.UTF-8...cannot change mode of new locale archive: No such file or directory
+     done
+    Generation complete.
+
+and see the following `dmesg` output on the host:
+
+    [235350.947808] audit: type=1400 audit(1441664940.224:225): apparmor="DENIED" operation="chmod" info="Failed name lookup - deleted entry" error=-2 profile="/usr/bin/lxc-start" name="/usr/lib/locale/locale-archive.WVNevc" pid=21651 comm="localedef" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
+
+then AppArmor is interfering with the `locale-gen` binary and the
+work-around I found is to temporarily shutdown AppArmor on the host:
+
+    lxc-stop -n sid64
+    systemctl stop apparmor
+    lxc-start -n sid64 -d
+
+and then start up it later once the locales have been updated:
+
+    lxc-stop -n sid64
+    systemctl start apparmor
+    lxc-start -n sid64 -d
+
+# AppArmor support
+
+If you are running AppArmor, your container probably won't start until you
+add the following to the container config (`/var/lib/lxc/sid64/config`):
+
+    lxc.aa_allow_incomplete = 1
+
+[[!tag debian]] [[!tag lxc]] [[!tag nzoss]]
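Review bot: the new post creates and starts containers as root (`sudo lxc-create`, `sudo lxc-start`), then sets `lxc.aa_allow_incomplete = 1` and, as a locale workaround, stops AppArmor on the host; each of these lowers the isolation of what the intro calls a "chroot", so the AppArmor section should say plainly that root inside `sid64` is root on the host and that `aa_allow_incomplete` lets the container start under a profile the kernel cannot fully enforce (the setting exists precisely to bypass that check). Smaller points on the added lines: the `[[!meta title]]` still says "Debian jessie" (fixed by the "Fix post title" commit above); `MIRROR=http://httpredir.debian.org/debian` has been superseded by `deb.debian.org`, which also serves HTTPS; and the `lxc-start -n sid64 -d` lines near the end contradict the `sudo lxc-start -n sid64` form used earlier in the same post.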

Comment moderation
diff --git a/posts/encrypting-your-home-directory-using/comment_12_abdd8124a6af058ad8500bafa47dcc9e._comment b/posts/encrypting-your-home-directory-using/comment_12_abdd8124a6af058ad8500bafa47dcc9e._comment
new file mode 100644
index 0000000..de20f2b
--- /dev/null
+++ b/posts/encrypting-your-home-directory-using/comment_12_abdd8124a6af058ad8500bafa47dcc9e._comment
@@ -0,0 +1,13 @@
+[[!comment format=mdwn
+ ip="181.169.244.161"
+ claimedauthor="julio"
+ subject="LUKS key"
+ date="2017-12-04T23:46:28Z"
+ content="""
+Good post and good comments.
+I was wondering about the passphrase LUKS requires to decrypt.
+
+Where should I setup it up to decrypt files upon user login?
+
+Thanks!
+"""]]
diff --git a/posts/time-synchronization-with-ntp-and-systemd/comment_2_50d64a2eefb88b42770b9a45ed09a0b6._comment b/posts/time-synchronization-with-ntp-and-systemd/comment_2_50d64a2eefb88b42770b9a45ed09a0b6._comment
new file mode 100644
index 0000000..726d1a0
--- /dev/null
+++ b/posts/time-synchronization-with-ntp-and-systemd/comment_2_50d64a2eefb88b42770b9a45ed09a0b6._comment
@@ -0,0 +1,12 @@
+[[!comment format=mdwn
+ ip="173.174.116.184"
+ claimedauthor="Graham"
+ subject="tumesyncd logging"
+ date="2017-12-06T14:05:52Z"
+ content="""
+In Jessie, systemd-timesyncd put out some logging information to syslog, everytime that it pinged the time server that gave you a time stamp, time correction and frequency correction information.  With Stretch, these log reports have been suppressed. Does anyone know how to get them back? I can't find anything in the documentation. 
+Thanks,
+--- Graham
+
+==
+"""]]
diff --git a/posts/time-synchronization-with-ntp-and-systemd/comment_3_51a20c86cc857bb7102b5c1648c624d5._comment b/posts/time-synchronization-with-ntp-and-systemd/comment_3_51a20c86cc857bb7102b5c1648c624d5._comment
new file mode 100644
index 0000000..52ae9d5
--- /dev/null
+++ b/posts/time-synchronization-with-ntp-and-systemd/comment_3_51a20c86cc857bb7102b5c1648c624d5._comment
@@ -0,0 +1,13 @@
+[[!comment format=mdwn
+ ip="91.123.239.210"
+ claimedauthor="Andrew McMillan"
+ url="https://plus.google.com/+andrewmcmillan"
+ subject="How long after enabling NTP should it show sync?"
+ date="2018-01-05T16:30:00Z"
+ content="""
+systemd-timesyncd seems to have some nice features - it touches `/var/lib/systemd/clock` (or perhaps `/var/lib/systemd/timesync/clock` on Debian) after each successful sync, so it will at least move forward after reboot even before the network is up.
+
+On the other hand there are situations where I would like a whole set of services to have a hard dependency on a successful time synchronisation before they will even try and start up, and this does not seem to be well-supported by systemd (see https://github.com/systemd/systemd/issues/5097 for more detail).
+
+You say you had to `timedatectl set-ntp true` after you got timesyncd running, but that's not working for me and I'm curious about how long I should spend watching it before I see a \"Yes\" in the NTP sync status, and I wonder what I might be missing if I'm not seeing this even though timesyncd appears to be running without errors.
+"""]]

calendar update
diff --git a/archives/2018.mdwn b/archives/2018.mdwn
new file mode 100644
index 0000000..e62c64e
--- /dev/null
+++ b/archives/2018.mdwn
@@ -0,0 +1 @@
+[[!calendar type=year year=2018 pages="page(posts/*) and !*/Discussion"]]
diff --git a/archives/2018/01.mdwn b/archives/2018/01.mdwn
new file mode 100644
index 0000000..21c038d
--- /dev/null
+++ b/archives/2018/01.mdwn
@@ -0,0 +1,5 @@
+[[!sidebar content="""
+[[!calendar type=month month=01 year=2018 pages="page(posts/*) and !*/Discussion"]]
+"""]]
+
+[[!inline pages="creation_month(01) and creation_year(2018) and page(posts/*) and !*/Discussion" show=0 feeds=no reverse=yes]]
diff --git a/archives/2018/02.mdwn b/archives/2018/02.mdwn
new file mode 100644
index 0000000..e6db08f
--- /dev/null
+++ b/archives/2018/02.mdwn
@@ -0,0 +1,5 @@
+[[!sidebar content="""
+[[!calendar type=month month=02 year=2018 pages="page(posts/*) and !*/Discussion"]]
+"""]]
+
+[[!inline pages="creation_month(02) and creation_year(2018) and page(posts/*) and !*/Discussion" show=0 feeds=no reverse=yes]]
diff --git a/archives/2018/03.mdwn b/archives/2018/03.mdwn
new file mode 100644
index 0000000..3c67a9f
--- /dev/null
+++ b/archives/2018/03.mdwn
@@ -0,0 +1,5 @@
+[[!sidebar content="""
+[[!calendar type=month month=03 year=2018 pages="page(posts/*) and !*/Discussion"]]
+"""]]
+
+[[!inline pages="creation_month(03) and creation_year(2018) and page(posts/*) and !*/Discussion" show=0 feeds=no reverse=yes]]
diff --git a/archives/2018/04.mdwn b/archives/2018/04.mdwn
new file mode 100644
index 0000000..89e91b0
--- /dev/null
+++ b/archives/2018/04.mdwn
@@ -0,0 +1,5 @@
+[[!sidebar content="""
+[[!calendar type=month month=04 year=2018 pages="page(posts/*) and !*/Discussion"]]
+"""]]
+
+[[!inline pages="creation_month(04) and creation_year(2018) and page(posts/*) and !*/Discussion" show=0 feeds=no reverse=yes]]
diff --git a/archives/2018/05.mdwn b/archives/2018/05.mdwn
new file mode 100644
index 0000000..76556e2
--- /dev/null
+++ b/archives/2018/05.mdwn
@@ -0,0 +1,5 @@
+[[!sidebar content="""
+[[!calendar type=month month=05 year=2018 pages="page(posts/*) and !*/Discussion"]]
+"""]]
+
+[[!inline pages="creation_month(05) and creation_year(2018) and page(posts/*) and !*/Discussion" show=0 feeds=no reverse=yes]]
diff --git a/archives/2018/06.mdwn b/archives/2018/06.mdwn
new file mode 100644
index 0000000..7244cd0
--- /dev/null
+++ b/archives/2018/06.mdwn
@@ -0,0 +1,5 @@
+[[!sidebar content="""
+[[!calendar type=month month=06 year=2018 pages="page(posts/*) and !*/Discussion"]]
+"""]]
+
+[[!inline pages="creation_month(06) and creation_year(2018) and page(posts/*) and !*/Discussion" show=0 feeds=no reverse=yes]]
diff --git a/archives/2018/07.mdwn b/archives/2018/07.mdwn
new file mode 100644
index 0000000..b7659d6
--- /dev/null
+++ b/archives/2018/07.mdwn
@@ -0,0 +1,5 @@
+[[!sidebar content="""
+[[!calendar type=month month=07 year=2018 pages="page(posts/*) and !*/Discussion"]]
+"""]]
+
+[[!inline pages="creation_month(07) and creation_year(2018) and page(posts/*) and !*/Discussion" show=0 feeds=no reverse=yes]]
diff --git a/archives/2018/08.mdwn b/archives/2018/08.mdwn
new file mode 100644
index 0000000..2044f98
--- /dev/null
+++ b/archives/2018/08.mdwn
@@ -0,0 +1,5 @@
+[[!sidebar content="""
+[[!calendar type=month month=08 year=2018 pages="page(posts/*) and !*/Discussion"]]
+"""]]
+
+[[!inline pages="creation_month(08) and creation_year(2018) and page(posts/*) and !*/Discussion" show=0 feeds=no reverse=yes]]
diff --git a/archives/2018/09.mdwn b/archives/2018/09.mdwn
new file mode 100644
index 0000000..ed51cd6
--- /dev/null
+++ b/archives/2018/09.mdwn
@@ -0,0 +1,5 @@
+[[!sidebar content="""
+[[!calendar type=month month=09 year=2018 pages="page(posts/*) and !*/Discussion"]]
+"""]]
+
+[[!inline pages="creation_month(09) and creation_year(2018) and page(posts/*) and !*/Discussion" show=0 feeds=no reverse=yes]]
diff --git a/archives/2018/10.mdwn b/archives/2018/10.mdwn
new file mode 100644
index 0000000..f916789
--- /dev/null
+++ b/archives/2018/10.mdwn
@@ -0,0 +1,5 @@
+[[!sidebar content="""
+[[!calendar type=month month=10 year=2018 pages="page(posts/*) and !*/Discussion"]]
+"""]]
+
+[[!inline pages="creation_month(10) and creation_year(2018) and page(posts/*) and !*/Discussion" show=0 feeds=no reverse=yes]]
diff --git a/archives/2018/11.mdwn b/archives/2018/11.mdwn
new file mode 100644
index 0000000..253e46a
--- /dev/null
+++ b/archives/2018/11.mdwn
@@ -0,0 +1,5 @@
+[[!sidebar content="""
+[[!calendar type=month month=11 year=2018 pages="page(posts/*) and !*/Discussion"]]
+"""]]
+
+[[!inline pages="creation_month(11) and creation_year(2018) and page(posts/*) and !*/Discussion" show=0 feeds=no reverse=yes]]
diff --git a/archives/2018/12.mdwn b/archives/2018/12.mdwn
new file mode 100644
index 0000000..bc7c9c6
--- /dev/null
+++ b/archives/2018/12.mdwn
@@ -0,0 +1,5 @@
+[[!sidebar content="""
+[[!calendar type=month month=12 year=2018 pages="page(posts/*) and !*/Discussion"]]
+"""]]
+
+[[!inline pages="creation_month(12) and creation_year(2018) and page(posts/*) and !*/Discussion" show=0 feeds=no reverse=yes]]

Need to stop existing RAID0 array before re-creating it
diff --git a/posts/replacing-a-failed-raid-drive.mdwn b/posts/replacing-a-failed-raid-drive.mdwn
index 33622d6..43cf150 100644
--- a/posts/replacing-a-failed-raid-drive.mdwn
+++ b/posts/replacing-a-failed-raid-drive.mdwn
@@ -64,6 +64,7 @@ I used the following trick:
 
 Then, I recreated my RAID0 swap partition like this:
 
+    mdadm --stop /dev/md1
     mdadm /dev/md1 --create --level=0 --raid-devices=2 /dev/sda3 /dev/sdb3
     mkswap /dev/md1
 
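Review bot: `mdadm --stop /dev/md1` on the added line fails with a busy-device error if the array is still in use as swap, which the `mkswap /dev/md1` two lines below suggests it was; a `swapoff /dev/md1` before the stop (and `swapon` afterwards) makes the sequence reliable.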

Add post about 5GHz wifi channels
diff --git a/posts/using-all-5ghz-wifi-frequencies-in-gargoyle-router.mdwn b/posts/using-all-5ghz-wifi-frequencies-in-gargoyle-router.mdwn
new file mode 100644
index 0000000..438951f
--- /dev/null
+++ b/posts/using-all-5ghz-wifi-frequencies-in-gargoyle-router.mdwn
@@ -0,0 +1,76 @@
+[[!meta title="Using all of the 5 GHz WiFi frequencies in a Gargoyle Router"]]
+[[!meta date="2017-12-10T18:00:00:00.000-08:00"]]
+[[!meta license="[Creative Commons Attribution-ShareAlike 4.0 International License](http://creativecommons.org/licenses/by-sa/4.0/)"]]
+
+WiFi in the 2.4 GHz range is usually fairly congested in urban environments.
+The 5 GHz band used to be better, but an increasing number of routers now
+support it and so it has become fairly busy as well. It turns out that there
+are a
+[number of channels on that band](https://en.wikipedia.org/wiki/List_of_WLAN_channels#5_GHz_.28802.11a.2Fh.2Fj.2Fn.2Fac.29)
+that nobody appears to be using despite being legal in my region.
+
+## Why are the middle channels unused?
+
+I'm not entirely sure why these channels are completely empty in my area,
+but I would speculate that access point manufacturers don't want to deal
+with the extra complexity of the middle channels. Indeed these channels are
+not entirely unlicensed. They are also used by weather radars, for example.
+If you look at the regulatory rules that ship with your OS:
+
+    $ iw reg get
+    global
+    country CA: DFS-FCC
+    	(2402 - 2472 @ 40), (N/A, 30), (N/A)
+    	(5170 - 5250 @ 80), (N/A, 17), (N/A), AUTO-BW
+    	(5250 - 5330 @ 80), (N/A, 24), (0 ms), DFS, AUTO-BW
+    	(5490 - 5600 @ 80), (N/A, 24), (0 ms), DFS
+    	(5650 - 5730 @ 80), (N/A, 24), (0 ms), DFS
+    	(5735 - 5835 @ 80), (N/A, 30), (N/A)
+
+you will see that these channels are flagged with "DFS". That stands for
+[Dynamic Frequency Selection](http://wifi-insider.com/wlan/dfs.htm) and it
+means that WiFi equipment needs to be able to detect when the frequency is
+used by radars (by detecting their pulses) and automaticaly switch to a
+different channel for a few minutes.
+
+So an access point needs extra hardware and extra code to avoid interfering
+with priority users. Additionally, different channels have
+[different bandwidth limits](http://www.radio-electronics.com/info/wireless/wi-fi/80211-channels-number-frequencies-bandwidth.php)
+so that's something else to consider if you want to use 40/80 MHz at once.
+
+## Using all legal channels in Gargoyle
+
+The first time I tried setting my access point channel to one of the middle
+5 GHz channels, the SSID wouldn't show up in scans and the channel was still
+empty in [WiFi Analyzer](https://f-droid.org/packages/com.vrem.wifianalyzer/).
+
+I tried changing the channel again, but this time, I ssh'd into my router
+and looked at the errors messages using this command:
+
+    logread -f
+
+I found a number of errors claiming that these channels were not authorized
+for the "world" regulatory authority.
+
+Because [Gargoyle](https://www.gargoyle-router.com/) is based on
+[OpenWRT](https://openwrt.org/), there are a lot more
+nn[wireless configuration options](https://wiki.openwrt.org/doc/uci/wireless)
+available than what's exposed in the Web UI.
+
+In this case, the solution was to explicitly set my country in the wireless
+options by putting:
+
+    country 'CA'
+
+(where `CA` is the
+[country code](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2) where the
+router is physically located) in the 5 GHz radio section of
+`/etc/config/wireless` on the router.
+
+Then I rebooted and I was able to set the channel successfully via the Web UI.
+
+If you are interested, there is a lot more information about how all of this
+works in the
+[kernel documentation for the wireless stack](https://wireless.wiki.kernel.org/en/developers/regulatory/processing_rules#country_definition).
+
+[[!tag debian]] [[!tag nzoss]] [[!tag openwrt]] [[!tag gargoyle]]
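Review bot: the `[[!meta date]]` value `2017-12-10T18:00:00:00.000-08:00` has four colon-separated time fields; ISO 8601 only allows `HH:MM:SS` before the fraction, so it should read `2017-12-10T18:00:00.000-08:00`. Two typos in the body: `automaticaly`, and the stray `nn` prefix on `nn[wireless configuration options]`. A check worth adding after the reboot: run `iw reg get` on the router itself and confirm it now reports `country CA` instead of the world domain that the `logread -f` errors complained about. Also note that on a DFS channel the access point must listen for radar before it is allowed to transmit, so the SSID can take a minute or more to appear in scans even when the configuration is correct.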

Replace dead link with link to the Internet Archive copy
diff --git a/posts/raid1-alternative-for-ssd-drives.mdwn b/posts/raid1-alternative-for-ssd-drives.mdwn
index e7f2eb5..2176781 100644
--- a/posts/raid1-alternative-for-ssd-drives.mdwn
+++ b/posts/raid1-alternative-for-ssd-drives.mdwn
@@ -16,7 +16,7 @@ This setup has the benefit of using a very small SSD to speed up the main partit
 
 The first thing I did, given that I purchased a second-hand drive, was to **completely erase the drive** and mark all sectors as empty using an [ATA secure erase](http://en.wikipedia.org/wiki/Write_amplification#Secure_erase). Because SSDs have a tendency to get slower as data is added to them, it is necessary to clear the drive in a way that will let the controller know that every byte is now free to be used again.  
   
-There is a lot of advice on the web on how to do this and many tutorials refer to an old piece of software called [Secure Erase](http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml). There is a much better solution on Linux: [issuing the commands directly using **hdparm**](https://ata.wiki.kernel.org/index.php/ATA_Secure_Erase).  
+There is a lot of advice on the web on how to do this and many tutorials refer to an old piece of software called [Secure Erase](https://web.archive.org/web/20130511064320/http://cmrr.ucsd.edu:80/people/Hughes/SecureErase.shtml). There is a much better solution on Linux: [issuing the commands directly using **hdparm**](https://ata.wiki.kernel.org/index.php/ATA_Secure_Erase).  
   
 
 ## Partitioning the SSD

Comment moderation
diff --git a/posts/manipulating-debconf-settings-on/comment_4_3e0e8e7fe1639af6f0d2afdc4a69c3ec._comment b/posts/manipulating-debconf-settings-on/comment_4_3e0e8e7fe1639af6f0d2afdc4a69c3ec._comment
new file mode 100644
index 0000000..329a1b1
--- /dev/null
+++ b/posts/manipulating-debconf-settings-on/comment_4_3e0e8e7fe1639af6f0d2afdc4a69c3ec._comment
@@ -0,0 +1,17 @@
+[[!comment format=mdwn
+ ip="131.247.54.65"
+ claimedauthor="draeath"
+ subject="workaround"
+ date="2017-12-04T22:05:56Z"
+ content="""
+You can edit /var/cache/debconf/config.dat manually instead, but be aware that you can really break things by editing this.
+
+The file it uses for configuration is defined in /etc/debconf.conf, should it not be where you expect on your system
+
+    # World-readable, and accepts everything but passwords.
+    Name: config
+    Driver: File
+    Mode: 644
+    Reject-Type: password
+    Filename: /var/cache/debconf/config.dat
+"""]]

Add my letsencrypt ACME proxy
diff --git a/posts/proxy-acme-challenges-to-single-machine.mdwn b/posts/proxy-acme-challenges-to-single-machine.mdwn
new file mode 100644
index 0000000..aa2ebb5
--- /dev/null
+++ b/posts/proxy-acme-challenges-to-single-machine.mdwn
@@ -0,0 +1,93 @@
+[[!meta title="Proxy ACME challenges to a single machine"]]
+[[!meta date="2017-11-28T22:10:00:00.000-08:00"]]
+[[!meta license="[Creative Commons Attribution-ShareAlike 4.0 International License](http://creativecommons.org/licenses/by-sa/4.0/)"]]
+
+The [Libravatar mirrors](https://wiki.libravatar.org/run_a_mirror/) are
+setup using [DNS round-robin](https://en.wikipedia.org/wiki/Round-robin_DNS)
+which makes it a little challenging to automatically provision [Let's
+Encrypt](https://letsencrypt.org/) certificates.
+
+In order to be able to use [Certbot](https://certbot.eff.org/)'s
+[webroot](https://certbot.eff.org/docs/using.html#webroot) plugin, I need to
+be able to simultaneously host a randomly-named file into the webroot of
+each mirror. The reason is that the verifier will connect to
+`seccdn.libravatar.org`, but there's no way to know which of the DNS entries
+it will hit. I could copy the file over to all of the mirrors, but that
+would be annoying since some of the mirrors are run by volunteers and I
+don't have direct access to them.
+
+Thankfully, [Scott Helme](https://scotthelme.co.uk) has shared his elegant
+solution:
+[proxy the `.well-known/acme-challenge/` directory from all of the mirrors to a single validation host](https://scotthelme.ghost.io/lets-encrypt-with-dns-round-robin/).
+Here's the exact configuration I ended up with.
+
+# DNS Configuration
+
+In order to serve the certbot validation files separately from the main
+service, I created a new hostname, `acme.libravatar.org`, pointing to the
+main Libravatar server:
+
+    CNAME acme libravatar.org.
+
+# Mirror Configuration
+
+On each mirror, I created a new Apache vhost on port 80 to proxy the acme challenge
+files by putting the following in the existing port 443 vhost config
+(`/etc/apache2/sites-available/libravatar-seccdn.conf`):
+
+    <VirtualHost *:80>
+        ServerName __SECCDNSERVERNAME__
+        ServerAdmin __WEBMASTEREMAIL__
+    
+        ProxyPass /.well-known/acme-challenge/ http://acme.libravatar.org/.well-known/acme-challenge/
+        ProxyPassReverse /.well-known/acme-challenge/ http://acme.libravatar.org/.well-known/acme-challenge/
+    </VirtualHost>
+
+Then I enabled the right modules and restarted Apache:
+
+    a2enmod proxy
+    a2enmod proxy_http
+    systemctl restart apache2.service
+
+Finally, I added a cronjob in `/etc/cron.daily/commit-new-seccdn-cert` to
+commit the new cert to
+[etckeeper](https://packages.debian.org/sid/etckeeper) automatically:
+
+    #!/bin/sh
+    cd /etc/libravatar
+    /usr/bin/git commit --quiet -m "New seccdn cert" seccdn.crt seccdn.pem seccdn-chain.pem > /dev/null || true
+
+# Main Configuration
+
+On the main server, I created a new webroot:
+
+    mkdir -p /var/www/acme/.well-known
+
+and a new vhost in `/etc/apache2/sites-available/acme.conf`:
+
+    <VirtualHost *:80>
+        ServerName acme.libravatar.org
+        ServerAdmin webmaster@libravatar.org
+        DocumentRoot /var/www/acme
+        <Directory /var/www/acme>
+            Options -Indexes
+        </Directory>
+    </VirtualHost>
+
+before enabling it and restarting Apache:
+
+    a2ensite acme
+    systemctl restart apache2.service
+
+# Registering a new TLS certificate
+
+With all of this in place, I was able to register the cert easily using the
+webroot plugin on the main server:
+
+    certbot certonly --webroot -w /var/www/acme -d seccdn.libravatar.org
+
+The resulting certificate will then be
+[automatically renewed before it expires](https://feeding.cloud.geek.nz/posts/automatically-renewing-letsencrypt-certs-on-debian-using-certbot/).
+
+[[!tag debian]] [[!tag nzoss]] [[!tag letsencrypt]] [[!tag sysadmin]]
+[[!tag apache]] [[!tag ssl]]
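Review bot: the cron job's `git commit ... seccdn.crt seccdn.pem seccdn-chain.pem` line commits `seccdn.pem` into the etckeeper repository; if that file holds the private key, every key ever used stays recoverable from the git history, so either leave it out of the commit or make sure that repository is never pushed or cloned off the host. The `--quiet ... > /dev/null || true` wrapping also swallows any failure of the commit, so a broken repository will go unnoticed; consider at least logging a non-zero exit. Minor: the `[[!meta date]]` value `2017-11-28T22:10:00:00.000-08:00` carries an extra `:00` field and is not valid ISO 8601 (`HH:MM:SS` only).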

Comment moderation
diff --git a/posts/setting-up-a-network-scanner-using-sane/comment_7_9bf228090795c3ee8f0867c6a41ac5ab._comment b/posts/setting-up-a-network-scanner-using-sane/comment_7_9bf228090795c3ee8f0867c6a41ac5ab._comment
new file mode 100644
index 0000000..e920f2f
--- /dev/null
+++ b/posts/setting-up-a-network-scanner-using-sane/comment_7_9bf228090795c3ee8f0867c6a41ac5ab._comment
@@ -0,0 +1,16 @@
+[[!comment format=mdwn
+ ip="80.177.21.246"
+ claimedauthor="copernicus"
+ subject="systemd and the scanner group"
+ date="2017-11-18T18:55:52Z"
+ content="""
+> In order for users to be able to see the scanner, they will need to be in the scanner group:
+
+On Debian jessie and stretch there is no need for a user to be in the scanner group.
+
+<https://wiki.debian.org/Scanner>
+
+Cheers,
+
+Brian
+"""]]

Comment moderation
diff --git a/posts/setting-up-a-network-scanner-using-sane/comment_6_d521247e1fd08189e6cc833effcc2916._comment b/posts/setting-up-a-network-scanner-using-sane/comment_6_d521247e1fd08189e6cc833effcc2916._comment
new file mode 100644
index 0000000..153a3f4
--- /dev/null
+++ b/posts/setting-up-a-network-scanner-using-sane/comment_6_d521247e1fd08189e6cc833effcc2916._comment
@@ -0,0 +1,20 @@
+[[!comment format=mdwn
+ ip="2607:f2c0:f00f:8f00:ed49:1678:801c:8c76"
+ claimedauthor="anarcat"
+ url="https://anarc.at/"
+ subject="what about auto-discovery?"
+ date="2017-11-15T23:44:58Z"
+ content="""
+i also wonder if we could get this simplified somehow. i don't mind configuring the server so much, but it's kind of painful to have to edit config files by hand on each client that needs to be configured...
+
+can't Avahi take care of this for us, just like it does for CUPS and printing? i looked around for this feature but so far all I've found are bug reports saying that it doesn't work ([ubuntu LP#508866](https://bugs.launchpad.net/ubuntu/+source/sane-backends/+bug/508866), [debian #743420](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743420)). and indeed, with `SANE_DEBUG_NET=128 scanimage -L` says:
+
+    [net] sane_get_devices: local_only = 0
+    [net] sane_get_devices: finished (0 devices)
+    [net] net_avahi_browse_callback: CACHE_EXHAUSTED
+    [net] net_avahi_browse_callback: ALL_FOR_NOW
+    
+    No scanners were identified.
+
+So I'm not sure what's going on, but clearly this is not working...
+"""]]

Comment moderation
diff --git a/posts/setting-up-a-network-scanner-using-sane/comment_5_95f1c41889868ad977a645af03b75261._comment b/posts/setting-up-a-network-scanner-using-sane/comment_5_95f1c41889868ad977a645af03b75261._comment
new file mode 100644
index 0000000..5b37168
--- /dev/null
+++ b/posts/setting-up-a-network-scanner-using-sane/comment_5_95f1c41889868ad977a645af03b75261._comment
@@ -0,0 +1,13 @@
+[[!comment format=mdwn
+ ip="2607:f2c0:f00f:8f00:ed49:1678:801c:8c76"
+ claimedauthor="anarcat"
+ url="https://anarc.at/"
+ subject="why network and central docs"
+ date="2017-11-15T22:47:34Z"
+ content="""
+i setup a network scanner here because it is also a printer and already connected, by USB, to a print server so that many people can print on it without having to worry about cabling.
+
+yes, they need to move their feet to get actual paper in and out of there. crazy physics. but it beats fiddling with wires. :)
+
+also i figured i would mention there is a similar [guide in the Debian wiki](https://wiki.debian.org/SaneOverNetwork) - which seems to have slightly better SEO, so it comes up first. Therefore, I have reworked it to include the excellent suggestions here that were missing there. See if you can improve it further! :)
+"""]]
diff --git a/posts/setting-up-centralied-git-repository/comment_2_f78d1e13da378f9e71450f27fbcf1f80._comment b/posts/setting-up-centralied-git-repository/comment_2_f78d1e13da378f9e71450f27fbcf1f80._comment
new file mode 100644
index 0000000..df1dbc4
--- /dev/null
+++ b/posts/setting-up-centralied-git-repository/comment_2_f78d1e13da378f9e71450f27fbcf1f80._comment
@@ -0,0 +1,15 @@
+[[!comment format=mdwn
+ ip="107.77.202.230"
+ subject="Question"
+ date="2017-09-27T17:41:15Z"
+ content="""
+This command:
+git push /tmp/myrepo.git master
+
+Seems to be pushing an empty repo.  What am I missing?
+
+You touched a file in myrepo1, correct?
+
+Second:
+Don’t you need to specify the origin of myrepo1? Before pushing it?
+"""]]

Fix typo and add link to mutt homepage
diff --git a/posts/test-mail-server-ubuntu-debian.mdwn b/posts/test-mail-server-ubuntu-debian.mdwn
index 2ece0ec..6028b53 100644
--- a/posts/test-mail-server-ubuntu-debian.mdwn
+++ b/posts/test-mail-server-ubuntu-debian.mdwn
@@ -2,9 +2,9 @@
 [[!meta date="2017-11-13T17:30:00:00.000+08:00"]]
 [[!meta license="[Creative Commons Attribution-ShareAlike 4.0 International License](http://creativecommons.org/licenses/by-sa/4.0/)"]]
 
-I wanted to setup a mailserver on a staging server that would send all
+I wanted to setup a mail service on a staging server that would send all
 outgoing emails to a local mailbox. This avoids sending emails out to real
-users when running the stating server using production data.
+users when running the staging server using production data.
 
 First, install the [postfix](http://www.postfix.org/) mail server:
 
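Review bot: the `[[!meta date]]` context line above, `2017-11-13T17:30:00:00.000+08:00`, has an extra `:00` time field and is not valid ISO 8601 (`HH:MM:SS` only); since this commit is already correcting typos in this file, it is a good place to change it to `2017-11-13T17:30:00.000+08:00`.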
@@ -26,7 +26,7 @@ and restart postfix:
 
 Once that's done, you can find all of the emails in `/var/mail/root`.
 
-So you can install mutt:
+So you can install [mutt](http://mutt.org):
 
     apt install mutt
 

Add a requirement on the "dunst" package
diff --git a/posts/creating-a-modern-tiling-desktop-environment-using-i3.mdwn b/posts/creating-a-modern-tiling-desktop-environment-using-i3.mdwn
index 53539aa..6c51008 100644
--- a/posts/creating-a-modern-tiling-desktop-environment-using-i3.mdwn
+++ b/posts/creating-a-modern-tiling-desktop-environment-using-i3.mdwn
@@ -20,6 +20,11 @@ Because of [a bug in gnome-settings-daemon](https://ask.fedoraproject.org/en/que
 
     dconf write /org/gnome/settings-daemon/plugins/cursor/active false
 
+While my startup script doesn't run this tool directly, installing the
+[dunst package](https://packages.debian.org/stable/dunst) is required to receive desktop notifications:
+
+    apt install dunst
+
 # Screensaver
 
 In addition, gnome-screensaver didn't automatically lock my screen, so I installed [xautolock](https://packages.debian.org/stable/xautolock) and added it to my startup script:

Revert "Add a section on my keyboard backlight script"
This reverts commit 9826c76ed6cdf99b58efc9168577a7a36cf8b02e.
Remove this unnecessary configuration since the feature is built-in:
Fn+space
diff --git a/posts/creating-a-modern-tiling-desktop-environment-using-i3.mdwn b/posts/creating-a-modern-tiling-desktop-environment-using-i3.mdwn
index 31fe6b4..53539aa 100644
--- a/posts/creating-a-modern-tiling-desktop-environment-using-i3.mdwn
+++ b/posts/creating-a-modern-tiling-desktop-environment-using-i3.mdwn
@@ -64,23 +64,6 @@ To make it work, I wrote [a simple shell script](https://github.com/fmarier/user
 
     bindsym $mod+u exec /home/francois/bin/toggle-xkbmap
 
-# Keyboard backlight
-
-To control the keyboard backlight on my ThinkPad, I added the following
-shortcut:
-
-    bindsym Ctrl+Mod1+k exec /home/francois/bin/toggle-kbdlight
-
-That
-[script](https://github.com/fmarier/user-scripts/blob/master/toggle-kbdlight)
-simply cycles through these states: off, half brightness and full
-brightness.
-
-Because normal users can't control this setting though, I had to add the
-following to `/etc/sudoers`:
-
-    francois ALL=(ALL) NOPASSWD: /usr/bin/tee /proc/acpi/ibm/kbdlight
-
 # Suspend script
 
 Since I run lots of things in the background, I have set my laptop to avoid suspending when the lid is closed by putting the following in `/etc/systemd/login.conf`:
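Review bot: dropping this section also drops the only place that told readers to add `francois ALL=(ALL) NOPASSWD: /usr/bin/tee /proc/acpi/ibm/kbdlight` to `/etc/sudoers`; anyone who followed the earlier version of the post is left with a passwordless sudo rule that the page no longer mentions. A one-line note saying the rule is no longer needed and can be removed would help them clean up.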
@@ -139,4 +122,4 @@ Finally, because X sometimes fail to detect my external monitor when docking/und
 
     bindsym XF86Display exec /home/francois/bin/external-monitor
 
-[[!tag debian]] [[!tag i3]] [[!tag gnome]] [[!tag nzoss]] [[!tag systemd]] [[!tag thinkpad]]
+[[!tag debian]] [[!tag i3]] [[!tag gnome]] [[!tag nzoss]] [[!tag systemd]]

Update monitor device names for stretch
diff --git a/posts/creating-a-modern-tiling-desktop-environment-using-i3.mdwn b/posts/creating-a-modern-tiling-desktop-environment-using-i3.mdwn
index 91e52de..31fe6b4 100644
--- a/posts/creating-a-modern-tiling-desktop-environment-using-i3.mdwn
+++ b/posts/creating-a-modern-tiling-desktop-environment-using-i3.mdwn
@@ -121,15 +121,15 @@ I run [Gajim](https://gajim.org/) on my first workspace and I have the following
 
 ## Automatically moving workspaces when docking
 
-Here's a neat configuration blurb which automatically moves my workspaces (and their contents) from the laptop screen (`eDP1`) to the external monitor (`DP2`) when I dock my laptop:
+Here's a neat configuration blurb which automatically moves my workspaces (and their contents) from the laptop screen (`eDP-1`) to the external monitor (`DP-3-1`) when I dock my laptop:
 
     # bind workspaces to the right monitors
-    workspace 1 output DP2
-    workspace 2 output DP2
-    workspace 3 output DP2
-    workspace 4 output DP2
-    workspace 5 output DP2
-    workspace 6 output eDP1
+    workspace 1 output DP-3-1
+    workspace 2 output DP-3-1
+    workspace 3 output DP-3-1
+    workspace 4 output DP-3-1
+    workspace 5 output DP-3-1
+    workspace 6 output eDP-1
 
 You can get these output names by running:
 

Add a section on my keyboard backlight script
diff --git a/posts/creating-a-modern-tiling-desktop-environment-using-i3.mdwn b/posts/creating-a-modern-tiling-desktop-environment-using-i3.mdwn
index 2b7a8db..91e52de 100644
--- a/posts/creating-a-modern-tiling-desktop-environment-using-i3.mdwn
+++ b/posts/creating-a-modern-tiling-desktop-environment-using-i3.mdwn
@@ -64,6 +64,23 @@ To make it work, I wrote [a simple shell script](https://github.com/fmarier/user
 
     bindsym $mod+u exec /home/francois/bin/toggle-xkbmap
 
+# Keyboard backlight
+
+To control the keyboard backlight on my ThinkPad, I added the following
+shortcut:
+
+    bindsym Ctrl+Mod1+k exec /home/francois/bin/toggle-kbdlight
+
+That
+[script](https://github.com/fmarier/user-scripts/blob/master/toggle-kbdlight)
+simply cycles through these states: off, half brightness and full
+brightness.
+
+Because normal users can't control this setting though, I had to add the
+following to `/etc/sudoers`:
+
+    francois ALL=(ALL) NOPASSWD: /usr/bin/tee /proc/acpi/ibm/kbdlight
+
 # Suspend script
 
 Since I run lots of things in the background, I have set my laptop to avoid suspending when the lid is closed by putting the following in `/etc/systemd/login.conf`:
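Review bot: the `/etc/sudoers` line should be added with `visudo` (or placed in a file under `/etc/sudoers.d/`) rather than by editing the file directly, since a syntax error in `/etc/sudoers` locks every sudo user out of the machine; the text should say so. The rule itself is reasonably tight: sudoers matches the argument list exactly, so this entry only lets `tee` write to `/proc/acpi/ibm/kbdlight` and nothing else.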
@@ -122,4 +139,4 @@ Finally, because X sometimes fail to detect my external monitor when docking/und
 
     bindsym XF86Display exec /home/francois/bin/external-monitor
 
-[[!tag debian]] [[!tag i3]] [[!tag gnome]] [[!tag nzoss]] [[!tag systemd]]
+[[!tag debian]] [[!tag i3]] [[!tag gnome]] [[!tag nzoss]] [[!tag systemd]] [[!tag thinkpad]]

Update i3 config with Syncthing and Gajim
diff --git a/posts/creating-a-modern-tiling-desktop-environment-using-i3.mdwn b/posts/creating-a-modern-tiling-desktop-environment-using-i3.mdwn
index d0f9432..2b7a8db 100644
--- a/posts/creating-a-modern-tiling-desktop-environment-using-i3.mdwn
+++ b/posts/creating-a-modern-tiling-desktop-environment-using-i3.mdwn
@@ -14,7 +14,7 @@ As soon as I log into my desktop, my [startup script](https://github.com/fmarier
 * [gnome-keyring-daemon](https://packages.debian.org/stable/gnome-keyring): remembers ssh public keys for the duration of my session
 * [gnome-screensaver](https://packages.debian.org/stable/gnome-screensaver): locks the screen when I'm not around
 * [nm-applet](https://packages.debian.org/stable/network-manager-gnome): handles wifi and VPN connections
-* [git-annex](http://git-annex.branchable.com/): keeps my folders synchronized between machines
+* [syncthing](https://www.syncthing.net/): keeps my folders synchronized between machines
 
 Because of [a bug in gnome-settings-daemon](https://ask.fedoraproject.org/en/question/31186/my-mouse-cursor-dissapears-when-using-gnome3/) which makes the mouse cursor disappear as soon as gnome-settings-daemon is started, I had to run the following to disable the offending gnome-settings-daemon plugin:
 
@@ -98,9 +98,9 @@ before clicking on the window.
 
 ## Keeping IM windows on the first workspace
 
-I run [Pidgin](http://pidgin.im) on my first workspace and I have the following rule to keep any new window that pops up (e.g. in response to a new incoming message) on the same workspace:
+I run [Gajim](https://gajim.org/) on my first workspace and I have the following rule to keep any new window that pops up (e.g. in response to a new incoming message) on the same workspace:
 
-    assign [class="Pidgin"] 1
+    assign [class="Gajim"] 1
 
 ## Automatically moving workspaces when docking
 

Add posts on setting up a test mail server
diff --git a/posts/test-mail-server-ubuntu-debian.mdwn b/posts/test-mail-server-ubuntu-debian.mdwn
new file mode 100644
index 0000000..2ece0ec
--- /dev/null
+++ b/posts/test-mail-server-ubuntu-debian.mdwn
@@ -0,0 +1,37 @@
+[[!meta title="Test mail server on Ubuntu and Debian"]]
+[[!meta date="2017-11-13T17:30:00:00.000+08:00"]]
+[[!meta license="[Creative Commons Attribution-ShareAlike 4.0 International License](http://creativecommons.org/licenses/by-sa/4.0/)"]]
+
+I wanted to setup a mailserver on a staging server that would send all
+outgoing emails to a local mailbox. This avoids sending emails out to real
+users when running the stating server using production data.
+
+First, install the [postfix](http://www.postfix.org/) mail server:
+
+    apt install postfix
+
+and choose the "Local only" mail server configuration type.
+
+Then change the following in `/etc/postfix/main.cf`:
+
+    default_transport = error
+
+to:
+
+    default_transport = local:root
+
+and restart postfix:
+
+    systemctl restart postfix.service
+
+Once that's done, you can find all of the emails in `/var/mail/root`.
+
+So you can install mutt:
+
+    apt install mutt
+
+and then view the mailbox like this:
+
+    mutt -f /var/mail/root
+
+[[!tag debian]] [[!tag nzoss]] [[!tag postfix]]
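Review bot: `default_transport` only applies to destinations Postfix does not treat as local, so with `default_transport = local:root` mail addressed to a local user on the staging host is still delivered to that user's mailbox rather than to `/var/mail/root`; the sentence "you can find all of the emails in `/var/mail/root`" should say it covers mail that would otherwise have left the machine. Also, the `[[!meta date]]` value `2017-11-13T17:30:00:00.000+08:00` has an extra `:00` field (ISO 8601 time is `HH:MM:SS`), and the intro has two typos, `mailserver` and `stating server` for `staging server`.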

Add postfix tag to monitoring post
diff --git a/posts/simple-remote-mail-queue-monitoring.mdwn b/posts/simple-remote-mail-queue-monitoring.mdwn
index 8296325..91c0a2a 100644
--- a/posts/simple-remote-mail-queue-monitoring.mdwn
+++ b/posts/simple-remote-mail-queue-monitoring.mdwn
@@ -60,4 +60,4 @@ server will want to send an email at 2am. However, all that does is send a
 spurious warning email in that case and so it's a pretty small price to pay
 for a dirt simple setup that's unlikely to break.
 
-[[!tag sysadmin]] [[!tag debian]] [[!tag nzoss]]
+[[!tag sysadmin]] [[!tag debian]] [[!tag nzoss]] [[!tag postfix]]

Comment moderation
diff --git a/posts/checking-your-passwords-against-hibp/comment_1_557b3f6294c8fdca37f5d69c9b0a91fd._comment b/posts/checking-your-passwords-against-hibp/comment_1_557b3f6294c8fdca37f5d69c9b0a91fd._comment
new file mode 100644
index 0000000..359a3b7
--- /dev/null
+++ b/posts/checking-your-passwords-against-hibp/comment_1_557b3f6294c8fdca37f5d69c9b0a91fd._comment
@@ -0,0 +1,21 @@
+[[!comment format=mdwn
+ ip="202.61.72.50"
+ claimedauthor="Russell Stuart"
+ subject="Taking a sledgehammer to an egg?"
+ date="2017-10-19T03:47:28Z"
+ content="""
+That pwned list of a password is a fantastic resource.  Thanks for posting a pointer to it.
+
+But Egad! - using postgres to index and search it??  You must have the patience of a saint.
+
+Given a false positive isn't a death sentence, a bloom filter is a better choice.  Setting the parameters to give a false positive range of 1e-9 (roughly 50/50 chance of getting 1 false positive if I checked a password with it every second for my entire life), the resulting filter occupies 2.6G - about 1/2 the size of the compressed original.  Creating the filter takes about 3 hours on my laptop (please forgive the butt ugly inline python):
+
+    sudo apt-get install python, python-pybloomfilter
+    wget http://.../pwned-*.txt.7z; for f in *.7z; do 7z x $f; done
+    python -c \"import pybloomfilter, sys; b = pybloomfilter.BloomFilter(500000000, 0.000000001, 'pwned.bf'); [b.update(open(f)) for f in sys.argv[1:]]\" pwned-passwords-*.txt
+
+Querying it:
+
+    python -c 'import hashlib,sys,pybloomfilter; b = pybloomfilter.BloomFilter.open(\"pwned.bf\"); sys.stdout.write(\"\".join(\"%s is pwned: %r\n\" % (p, hashlib.sha1(p).hexdigest().upper() + \"\r\n\" in b) for p in sys.argv[1:]))' password1 password2 ...
+
+"""]]
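Review bot: the query one-liner reads the candidate passwords from `sys.argv`, so they land in shell history and are visible to every other user on the machine via `ps` while the command runs; reading them from stdin or a `getpass` prompt would keep them off the command line, which matters for a tool whose whole point is checking active passwords. Also, the install line `apt-get install python, python-pybloomfilter` has a stray comma that apt will treat as part of the first package name.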
diff --git a/posts/checking-your-passwords-against-hibp/comment_2_5619343f4064a0aed19b23f8e91f223a._comment b/posts/checking-your-passwords-against-hibp/comment_2_5619343f4064a0aed19b23f8e91f223a._comment
new file mode 100644
index 0000000..f389ab3
--- /dev/null
+++ b/posts/checking-your-passwords-against-hibp/comment_2_5619343f4064a0aed19b23f8e91f223a._comment
@@ -0,0 +1,9 @@
+[[!comment format=mdwn
+ ip="2a00:23c5:69ce:df00:b7:aa91:48db:f9da"
+ claimedauthor="Jonathan"
+ url="jmtd.net"
+ subject="magnet URL for data"
+ date="2017-10-17T09:22:11Z"
+ content="""
+If it helps, I can vouch that this torrent magnet URL corresponds to the initial release of the password list. I found it the most convenient way to obtain the data. magnet:?xt=urn:btih:88145066d8d89cf426a22cfbeb1983dacb2a45d7&dn=pwned-passwords-1.0.txt.7z&tr=udp%3A%2F%2Ftracker.leechers-paradise.org%3A6969&tr=udp%3A%2F%2Fzer0day.ch%3A1337&tr=udp%3A%2F%2Fopen.demonii.com%3A1337&tr=udp%3A%2F%2Ftracker.coppersurfer.tk%3A6969&tr=udp%3A%2F%2Fexodus.desync.com%3A6969
+"""]]
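Review bot: before using a torrent offered by a third party, check the downloaded `pwned-passwords-1.0.txt.7z` against the hash Troy Hunt publishes next to the official download on the HIBP Passwords page the post links to; the infohash in the magnet link only proves the swarm agrees on the bytes, not that they match the original release.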

Post about my HIBP lookup tool
diff --git a/posts/checking-your-passwords-against-hibp.mdwn b/posts/checking-your-passwords-against-hibp.mdwn
new file mode 100644
index 0000000..adfa2bb
--- /dev/null
+++ b/posts/checking-your-passwords-against-hibp.mdwn
@@ -0,0 +1,31 @@
+[[!meta title="Checking Your Passwords Against the Have I Been Pwned List"]]
+[[!meta date="2017-10-16T22:10:00:00.000-07:00"]]
+[[!meta license="[Creative Commons Attribution-ShareAlike 4.0 International License](http://creativecommons.org/licenses/by-sa/4.0/)"]]
+
+Two months ago, Troy Hunt, the security professional behind
+[Have I been pwned?](https://haveibeenpwned.com/),
+[released](https://www.troyhunt.com/introducing-306-million-freely-downloadable-pwned-passwords/)
+an incredibly comprehensive
+[password list](https://haveibeenpwned.com/Passwords) in the hope that it
+would allow web developers to steer their users away from passwords that
+have been compromised in past breaches.
+
+While the list released by HIBP is hashed, the plaintext passwords are out
+there and one should assume that password crackers have access to them.
+So if you use a password on that list, you can be fairly confident
+that it's very easy to guess or crack your password.
+
+I wanted to check my **active** passwords against that list to check whether
+or not any of them are compromised and should be changed immediately. This
+meant that I needed to download the list and do these lookups locally since
+it's not a good idea to send your current passwords to this third-party
+service.
+
+I put my tool up on [Launchpad](https://launchpad.net/hibp-pwlookup) /
+[PyPI](https://pypi.python.org/pypi/hibp-pwlookup) and you are more than
+welcome to give it a go. Install [Postgres](https://www.postgresql.org/) and
+[Psycopg2](http://initd.org/psycopg/) and then follow the
+[README instructions](https://git.launchpad.net/hibp-pwlookup/tree/README.txt)
+to setup your database.
+
+[[!tag debian]] [[!tag nzoss]] [[!tag mozilla]] [[!tag security]]
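Review bot: the `[[!meta date]]` value `2017-10-16T22:10:00:00.000-07:00` has four colon-separated time fields; ISO 8601 allows only `HH:MM:SS` before the fraction, so it should read `2017-10-16T22:10:00.000-07:00`.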

Add license notice to the frontpage
diff --git a/index.mdwn b/index.mdwn
index d08446d..b37741c 100644
--- a/index.mdwn
+++ b/index.mdwn
@@ -1,3 +1,4 @@
+[[!meta license="[Creative Commons Attribution-ShareAlike 4.0 International License](http://creativecommons.org/licenses/by-sa/4.0/)"]]
 [[!if test="enabled(sidebar)" then="""
 [[!sidebar]]
 """ else="""

libvirt-bin is now called libvirt-clients
Even in jessie, libvirt-bin is a transitional package:
https://packages.debian.org/jessie/libvirt-bin
diff --git a/posts/lxc-setup-on-debian-jessie.mdwn b/posts/lxc-setup-on-debian-jessie.mdwn
index 417d043..5d764bf 100644
--- a/posts/lxc-setup-on-debian-jessie.mdwn
+++ b/posts/lxc-setup-on-debian-jessie.mdwn
@@ -8,7 +8,7 @@ a few things to get the networking to work on my machine.
 
 Start by installing (as root) the necessary packages:
 
-    apt install lxc libvirt-bin debootstrap
+    apt install lxc libvirt-clients debootstrap
 
 # Network setup
 

Comment moderation
diff --git a/posts/tls_authentication_freenode_and_oftc/comment_2_dac77c215afa19d55048c700d8fdd922._comment b/posts/tls_authentication_freenode_and_oftc/comment_2_dac77c215afa19d55048c700d8fdd922._comment
new file mode 100644
index 0000000..34cf11c
--- /dev/null
+++ b/posts/tls_authentication_freenode_and_oftc/comment_2_dac77c215afa19d55048c700d8fdd922._comment
@@ -0,0 +1,18 @@
+[[!comment format=mdwn
+ ip="38.109.115.130"
+ claimedauthor="Daniel Kahn Gillmor"
+ subject="Followup: "
+ date="2017-09-13T21:57:33Z"
+ content="""
+Thanks to this discussion, i just opened a [bug report on irssi](https://github.com/irssi/irssi/issues/756) to try to resolve the second issue above by sending client certificates in a renegotiated handshake.
+
+I've tested irssi, and it definitely does leak the user's public certificate to a passive network monitor.
+
+I haven't tested ZNC yet -- If someone wanted to open a similar report for ZNC, i'd appreciate it.
+
+If you want to test to see whether it's dumping traffic, you can do this with tshark:
+
+    tshark -O ssl  -Y 'ssl.handshake.certificates_length > 1 && ssl.record.content_type == 22'  -o http.ssl.port:6697 port 6697
+
+I don't have a patch to propose for either irssi or ZNC yet, and don't have much time to work on it myself.  I'd be happy to see that happen, because it would remove one of the major downsides to using certificates for IRC.
+"""]]

Comment moderation
diff --git a/posts/tls_authentication_freenode_and_oftc/comment_1_c11c1c8d07ec6290bdc3fe0a5c305de2._comment b/posts/tls_authentication_freenode_and_oftc/comment_1_c11c1c8d07ec6290bdc3fe0a5c305de2._comment
new file mode 100644
index 0000000..329d433
--- /dev/null
+++ b/posts/tls_authentication_freenode_and_oftc/comment_1_c11c1c8d07ec6290bdc3fe0a5c305de2._comment
@@ -0,0 +1,30 @@
+[[!comment format=mdwn
+ ip="38.109.115.130"
+ claimedauthor="Daniel Kahn Gillmor"
+ subject="problems with certificate-based TLS authentication for IRC"
+ date="2017-09-11T15:13:56Z"
+ content="""
+I used to use this approach myself, but i stopped using it a few years
+ago, for two reasons:
+
+ * certificate expiration -- when my registered certificate expires, i
+   still need to update the server with my new certificate.  to do that,
+   i need my password.  so my password still works, and i still have to
+   retain it and send it to (what i hope is the correct) nickserv
+   service at each cert renewal time.  so this doesn't actually remove
+   either my needing to remember/retain/record a password, and it
+   doesn't make my remembered/recorded password less powerful.
+
+ * client certificate leakage -- in TLS versions 1.2 and earlier (all
+   deployed versions of TLS), the client certificate is exchanged in the
+   clear, during the handshake.  (TLS 1.3 will fix this, but it is not yet fully standardized or in deployed production).  This means that client cert
+   authentication actually leaks your identity to any passive network
+   observer, whereas password-based authentication to nickserv does not.
+
+This pains me, because i generally *strongly* prefer pubkey-based
+authentication over password-based authentication.  But in this case, i
+think it's not enough of a win overall to make the transition.
+
+What do you think about these tradeoffs?  Are there mitigating factors that i should know about that makes them less troubling?
+
+"""]]

creating tag page tags/znc
diff --git a/tags/znc.mdwn b/tags/znc.mdwn
new file mode 100644
index 0000000..d2b3d6c
--- /dev/null
+++ b/tags/znc.mdwn
@@ -0,0 +1,4 @@
+[[!meta title="pages tagged znc"]]
+
+[[!inline pages="tagged(znc)" actions="no" archive="yes"
+feedshow=10]]

Add a post on TLS authentication for IRC
diff --git a/posts/hiding-network-disconnections-using-irc-bouncer.mdwn b/posts/hiding-network-disconnections-using-irc-bouncer.mdwn
index b4b35ee..7a705e3 100644
--- a/posts/hiding-network-disconnections-using-irc-bouncer.mdwn
+++ b/posts/hiding-network-disconnections-using-irc-bouncer.mdwn
@@ -107,4 +107,5 @@ kernel update, I keep the bouncer running. At the end of the day, I say yes
 to killing the bouncer. That way, I don't have a backlog to go through when
 I wake up the next day.
 
-[[!tag mozilla]] [[!tag debian]] [[!tag irc]] [[!tag irssi]] [[!tag nzoss]] [[!tag letsencrypt]]
+[[!tag mozilla]] [[!tag debian]] [[!tag irc]] [[!tag irssi]] [[!tag nzoss]]
+[[!tag letsencrypt]] [[!tag znc]]
diff --git a/posts/tls_authentication_freenode_and_oftc.mdwn b/posts/tls_authentication_freenode_and_oftc.mdwn
new file mode 100644
index 0000000..31f7f1a
--- /dev/null
+++ b/posts/tls_authentication_freenode_and_oftc.mdwn
@@ -0,0 +1,82 @@
+[[!meta title="TLS Authentication on Freenode and OFTC"]]
+[[!meta date="2017-09-08T21:50:00:00.000-07:00"]]
+[[!meta license="[Creative Commons Attribution-ShareAlike 4.0 International License](http://creativecommons.org/licenses/by-sa/4.0/)"]]
+
+In order to easily authenticate with IRC networks such as
+[OFTC](https://www.oftc.net/NickServ/CertFP/) and
+[Freenode](https://freenode.net/kb/answer/certfp), it is possible to use
+*client TLS certificates* (also known as *SSL certificates*). In fact, it
+turns out that it's very easy to setup both on [irssi](https://irssi.org/)
+and on [znc](https://wiki.znc.in/).
+
+# Generate your TLS certificate
+
+On a machine with [good entropy](http://altusmetrum.org/ChaosKey/), run the
+following command to create a keypair that will last for 10 years:
+
+    openssl req -nodes -newkey rsa:2048 -keyout user.pem -x509 -days 3650 -out user.pem -subj "/CN=<your nick>"
+
+Then extract your key fingerprint using this command:
+
+    openssl x509 -sha1 -noout -fingerprint -in user.pem | sed -e 's/^.*=//;s/://g'
+
+# Share your fingerprints with NickServ
+
+On each IRC network, do this:
+
+    /msg NickServ IDENTIFY Password1!
+    /msg NickServ CERT ADD <your fingerprint>
+
+in order to add your fingerprint to the access control list.
+
+# Configure ZNC
+
+To configure znc, start by putting the key in the right place:
+
+    cp user.pem ~/.znc/users/<your nick>/networks/oftc/moddata/cert/
+
+and then enable the built-in [cert plugin](https://wiki.znc.in/Cert) for
+each network in `~/.znc/configs/znc.conf`:
+
+    <Network oftc>
+        ...
+                LoadModule = cert
+        ...
+	</Network>
+        <Network freenode>
+        ...
+                LoadModule = cert
+        ...
+	</Network>
+
+# Configure irssi
+
+For irssi, do the same thing but put the cert in `~/.irssi/user.pem` and
+then change the OFTC entry in `~/.irssi/config` to look like this:
+
+    {
+      address = "irc.oftc.net";
+      chatnet = "OFTC";
+      port = "6697";
+      use_tls = "yes";
+      tls_cert = "~/.irssi/user.pem";
+      tls_verify = "yes";
+      autoconnect = "yes";
+    }
+
+and the Freenode one to look like this:
+
+    {
+      address = "chat.freenode.net";
+      chatnet = "Freenode";
+      port = "7000";
+      use_tls = "yes";
+      tls_cert = "~/.irssi/user.pem";
+      tls_verify = "yes";
+      autoconnect = "yes";
+    }
+
+That's it. That's all you need to replace password authentication with a
+much stronger alternative.
+
+[[!tag debian]] [[!tag nzoss]] [[!tag irc]] [[!tag irssi]] [[!tag znc]]
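
Review bot: the `[[!meta date=...]]` value `2017-09-08T21:50:00:00.000-07:00` has an extra `:00` in the time part and is not a valid timestamp (hours, minutes and one seconds field); it should read `2017-09-08T21:50:00.000-07:00`. Two smaller points: `user.pem` holds an unencrypted private key (`-nodes`), so the copies placed in `~/.znc/users/<your nick>/networks/oftc/moddata/cert/` and `~/.irssi/` deserve a `chmod 600`, and the two `</Network>` lines in the znc.conf snippet are indented with a tab while the surrounding lines use spaces.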

Mention the requirement for the veth kernel module
https://github.com/lxc/lxc/issues/1604
diff --git a/posts/lxc-setup-on-debian-jessie.mdwn b/posts/lxc-setup-on-debian-jessie.mdwn
index b46eab6..417d043 100644
--- a/posts/lxc-setup-on-debian-jessie.mdwn
+++ b/posts/lxc-setup-on-debian-jessie.mdwn
@@ -21,8 +21,14 @@ change needed here):
     lxc.network.hwaddr = 00:FF:AA:xx:xx:xx
     lxc.network.ipv4 = 0.0.0.0/24
 
-but I had to make sure that the "guests" could connect to the outside world
-through the "host":
+That configuration requires that the `veth` kernel module be loaded. If
+you have any kinds of module-loading restrictions enabled, you probably
+need to add the following to `/etc/modules` and **reboot**:
+
+    veth
+
+Next, I had to make sure that the "guests" could connect to the outside
+world through the "host":
 
 1. Enable IPv4 forwarding by putting this in `/etc/sysctl.conf`:
 

Add a section on fixing permissions for the scanner
diff --git a/posts/setting-up-a-network-scanner-using-sane.mdwn b/posts/setting-up-a-network-scanner-using-sane.mdwn
index 8dcaa26..e1c7147 100644
--- a/posts/setting-up-a-network-scanner-using-sane.mdwn
+++ b/posts/setting-up-a-network-scanner-using-sane.mdwn
@@ -29,8 +29,8 @@ detects your scanner:
 
     scanimage -L
 
-Note that you'll need to be in the `scanner` group for this to work
-(`adduser username scanner`).
+Note that you may need to be **root** for this to work. We'll fix that in
+the next section.
 
 This should give you output similar to this:
 
@@ -53,6 +53,33 @@ To do a test scan, simply run:
 
 and then take a look at the (greyscale) image it produced (`test.ppm`).
 
+# Letting normal users access the scanner
+
+In order for users to be able to see the scanner, they will need to be in
+the `scanner` group:
+
+    adduser francois scanner
+    adduser saned scanner
+
+with the second one being for remote users.
+
+Next, you'll need to put this in `/etc/udev/rules.d/55-libsane.rules`:
+
+    SUBSYSTEM=="usb", ATTRS{idVendor}=="04a9", MODE="0660", GROUP="scanner", ENV{libsane_matched}="yes"
+
+and then restart udev:
+
+    systemctl restart udev.service
+
+That `04a9` ID is the first part of what you saw in `lsusb`, but you can
+also see it in the output of `sane-find-scanner`.
+
+Finally, test the scanner as your normal user:
+
+    scanimage > test.ppm
+
+to confirm that everything is working.
+
 # Configure the server
 
 With the scanner working locally, it's time to expose it to network clients
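
Review bot: the udev rule on the `SUBSYSTEM=="usb"` line keys only on `ATTRS{idVendor}=="04a9"`, so it hands `scanner`-group access to every USB device from that vendor, not just this scanner; adding `ATTRS{idProduct}=="<second half of the lsusb ID>"` narrows it to the one device. Also, `systemctl restart udev.service` reloads the rules but does not re-apply them to a device that is already plugged in, so the text should mention unplugging and reconnecting the scanner (or running `udevadm trigger`) before the `scanimage > test.ppm` check.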

Add missing firewall ports for SANE
diff --git a/posts/setting-up-a-network-scanner-using-sane.mdwn b/posts/setting-up-a-network-scanner-using-sane.mdwn
index bd8dfe8..8dcaa26 100644
--- a/posts/setting-up-a-network-scanner-using-sane.mdwn
+++ b/posts/setting-up-a-network-scanner-using-sane.mdwn
@@ -61,10 +61,11 @@ by adding the client IP addresses to `/etc/sane.d/saned.conf`:
     ## Access list
     192.168.1.3
 
-and then opening the appropriate port on your firewall
+and then opening the appropriate ports on your firewall
 (typically `/etc/network/iptables` in Debian):
 
     -A INPUT -s 192.168.1.3 -p tcp --dport 6566 -j ACCEPT
+    -A INPUT -s 192.168.1.3 -p udp -j ACCEPT
 
 Then you need to ensure that the SANE server is running by setting the
 following in `/etc/default/saned`:
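
Review bot: the added `-A INPUT -s 192.168.1.3 -p udp -j ACCEPT` has no `--dport`, so it accepts every UDP port from the client rather than "the appropriate ports" the sentence above promises; the rule should name the port(s) SANE actually needs and the text should say which service they belong to, as the TCP rule already does for 6566.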
@@ -98,7 +99,7 @@ where `myserver` is the hostname or IP address of the server running saned.
 If you have a firewall runnning on the client, make sure you allow
 SANE traffic from the server:
 
-    -A INPUT -s 192.168.1.2 -p tcp --sport 6566  -j ACCEPT
+    -A INPUT -s 192.168.1.2 -p tcp --sport 6566 -j ACCEPT
 
 # Test the scanner remotely
 

Restore lost comment
diff --git a/posts/setting-up-your-own-dnssec-aware/comment_5_650c2de462eaf647cf57a7989e8f67fd._comment b/posts/setting-up-your-own-dnssec-aware/comment_5_650c2de462eaf647cf57a7989e8f67fd._comment
new file mode 100644
index 0000000..4cc2a1a
--- /dev/null
+++ b/posts/setting-up-your-own-dnssec-aware/comment_5_650c2de462eaf647cf57a7989e8f67fd._comment
@@ -0,0 +1,47 @@
+[[!comment format=mdwn
+ ip="162.243.251.96"
+ claimedauthor="Eldin Hadzic"
+ subject="Solution"
+ date="2017-08-26T23:33:27Z"
+ content="""
+I figured it out.
+
+In order for OpenVPN to use the locally installed Unbound DNS resolver, do this:
+
+First check for the IP we should use with: `sudo ifconfig`
+
+The IP we need is the one listed at 
+
+    tun0: inet 10.8.0.1
+
+## UNBOUND
+
+Add this to `/etc/unbound/unbound.conf`:
+
+    server:
+        interface: 127.0.0.1
+        interface: 10.8.0.1
+        access-control: 127.0.0.1 allow
+        access-control: 10.8.0.1/24 allow
+
+Then restart Unbound with: `sudo service unbound restart`
+
+Test with: `dig @10.8.0.1 google.com`
+
+(SERVER should read: `SERVER: 10.8.0.1#53(10.8.0.1)`)
+
+## OPENVPN
+
+Add this to (or modify) `/etc/openvpn/server.conf`:
+
+    push \"redirect-gateway def1 bypass-dhcp\"
+    push \"dhcp-option DNS 10.8.0.1\"
+    push \"register-dns\"
+
+Then restart OpenVPN with: `sudo service openvpn restart`
+
+OpenVPN clients should now be using Unbound. Test at <http://dnsleak.com/>.
+
+Eldin Hadzic
+eldinhadzic@protonmail.com
+"""]]

removed
diff --git a/posts/setting-up-your-own-dnssec-aware/comment_5_650c2de462eaf647cf57a7989e8f67fd._comment b/posts/setting-up-your-own-dnssec-aware/comment_5_650c2de462eaf647cf57a7989e8f67fd._comment
deleted file mode 100644
index 42db2f0..0000000
--- a/posts/setting-up-your-own-dnssec-aware/comment_5_650c2de462eaf647cf57a7989e8f67fd._comment
+++ /dev/null
@@ -1,43 +0,0 @@
-[[!comment format=mdwn
- ip="162.243.251.96"
- subject="Re: OpenVPN settings"
- date="2017-08-26T22:19:01Z"
- content="""
-We figured it out:
-
-In order for OpenVPN to use the locally installed Unbound DNS resolver, do this:
-
-First check for the IP we should use with: `sudo ifconfig`
-
-The IP we need is the one listed at 
-
-    tun0: inet 10.8.0.1
-
-## UNBOUND
-
-Add this to `/etc/unbound/unbound.conf`:
-
-    server:
-        interface: 127.0.0.1
-        interface: 10.8.0.1
-        access-control: 127.0.0.1 allow
-        access-control: 10.8.0.1/24 allow
-
-Then restart Unbound with: `sudo service unbound restart`
-
-Test with: `dig @10.8.0.1 google.com`
-
-(SERVER should read: `SERVER: 10.8.0.1#53(10.8.0.1)`)
-
-## OPENVPN
-
-Add this to (or modify) `/etc/openvpn/server.conf`:
-
-    push \"redirect-gateway def1 bypass-dhcp\"
-    push \"dhcp-option DNS 10.8.0.1\"
-    push \"register-dns\"
-
-Then restart OpenVPN with: `sudo service openvpn restart`
-
-OpenVPN clients should now be using Unbound. Test at <http://dnsleak.com/>.
-"""]]

Add a blurb about integrating with OpenVPN
diff --git a/posts/setting-up-your-own-dnssec-aware.mdwn b/posts/setting-up-your-own-dnssec-aware.mdwn
index 247ca72..807277c 100644
--- a/posts/setting-up-your-own-dnssec-aware.mdwn
+++ b/posts/setting-up-your-own-dnssec-aware.mdwn
@@ -9,7 +9,7 @@ Now that the root DNS servers are [signed,](http://www.root-dnssec.org/2010/07/1
 Being already packaged in [Debian](http://packages.debian.org/source/unstable/unbound) and [Ubuntu](https://launchpad.net/ubuntu/+source/unbound), unbound is only an `apt-get` away:
 
 
-    apt-get install unbound
+    apt install unbound
 
 ## Optional settings
 
@@ -76,7 +76,6 @@ If you're not using DHCP, then you simply need to put this in your `/etc/resolv.
 
 
     nameserver 127.0.0.1
-  
 
 ## Testing DNSSEC resolution
 
@@ -94,4 +93,31 @@ $ dig +dnssec A www.dnssec.cz | grep ad
   
 Are there any other ways of making sure that DNSSEC is fully functional?
 
-[[!tag catalyst]] [[!tag debian]] [[!tag sysadmin]] [[!tag security]] [[!tag ubuntu]] [[!tag nzoss]] [[!tag dns]] [[!tag dnssec]]
+## Integration with OpenVPN
+
+If you are [running your own OpenVPN server](https://feeding.cloud.geek.nz/posts/creating-a-linode-based-vpn-setup-using_openvpn_on_debian_or_ubuntu/),
+you can tell clients to connect to the local unbound DNS client by putting the following in `/etc/unbound/unbound.conf.d/openvpn.conf`:
+
+    server:
+        interface: 127.0.0.1
+        interface: 10.8.0.1
+        access-control: 127.0.0.1 allow
+        access-control: 10.8.0.1/24 allow
+
+the following in `/etc/openvpn/server.conf`:
+
+    push "dhcp-option DNS 10.8.0.1"
+    push "register-dns"
+
+and opening the following port on your firewall (typically `/etc/network/iptables.up.rules` on Debian):
+
+    -A INPUT -p udp --dport 53 -s 10.8.0.0/24 -j ACCEPT
+
+Then restart both services and everything should work:
+
+    systemctl restart unbound.service
+    systemctl restart openvpn.service
+
+You can test it on <http://dnsleak.com>.
+
+[[!tag catalyst]] [[!tag debian]] [[!tag sysadmin]] [[!tag security]] [[!tag ubuntu]] [[!tag nzoss]] [[!tag dns]] [[!tag dnssec]] [[!tag openvpn]]
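
Review bot: the firewall rule `-A INPUT -p udp --dport 53 -s 10.8.0.0/24 -j ACCEPT` only opens UDP, but resolvers retry over TCP when a response comes back truncated, which can happen with DNSSEC-signed answers carrying RRSIG records; a matching `-A INPUT -p tcp --dport 53 -s 10.8.0.0/24 -j ACCEPT` is needed for those queries to succeed. Also, `access-control: 10.8.0.1/24 allow` has host bits set in the prefix; writing it as `10.8.0.0/24` matches the iptables rule and avoids confusion, and "the local unbound DNS client" in the lead sentence should read "resolver", since unbound is the server here.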

Update unbound config for stretch
diff --git a/posts/setting-up-your-own-dnssec-aware.mdwn b/posts/setting-up-your-own-dnssec-aware.mdwn
index a5b458b..247ca72 100644
--- a/posts/setting-up-your-own-dnssec-aware.mdwn
+++ b/posts/setting-up-your-own-dnssec-aware.mdwn
@@ -38,8 +38,9 @@ and turned on prefetching to hopefully keep in cache the sites I visit regularly
 
 Finally, I also enabled the control interface:
 
-    control-enable: yes
-    control-interface: 127.0.0.1
+    remote-control:
+        control-enable: yes
+        control-interface: 127.0.0.1
 
 and increased the amount of debugging information:
 

Reformat comment using markdown
diff --git a/posts/setting-up-your-own-dnssec-aware/comment_5_650c2de462eaf647cf57a7989e8f67fd._comment b/posts/setting-up-your-own-dnssec-aware/comment_5_650c2de462eaf647cf57a7989e8f67fd._comment
index f5a93b7..42db2f0 100644
--- a/posts/setting-up-your-own-dnssec-aware/comment_5_650c2de462eaf647cf57a7989e8f67fd._comment
+++ b/posts/setting-up-your-own-dnssec-aware/comment_5_650c2de462eaf647cf57a7989e8f67fd._comment
@@ -7,36 +7,37 @@ We figured it out:
 
 In order for OpenVPN to use the locally installed Unbound DNS resolver, do this:
 
-First check for the IP we should use with: sudo ifconfig
+First check for the IP we should use with: `sudo ifconfig`
 
 The IP we need is the one listed at 
 
-tun0: inet 10.8.0.1 
+    tun0: inet 10.8.0.1
 
-UNBOUND
+## UNBOUND
 
-Add this to /etc/unbound/unbound.conf
+Add this to `/etc/unbound/unbound.conf`:
 
-server:
-    interface: 127.0.0.1
-    interface: 10.8.0.1
-    access-control: 127.0.0.1 allow
-    access-control: 10.8.0.1/24 allow
+    server:
+        interface: 127.0.0.1
+        interface: 10.8.0.1
+        access-control: 127.0.0.1 allow
+        access-control: 10.8.0.1/24 allow
 
-Then restart Unbound with: sudo service unbound restart
+Then restart Unbound with: `sudo service unbound restart`
 
-Test with: dig @10.8.0.1 google.com
-(SERVER should read: SERVER: 10.8.0.1#53(10.8.0.1))
+Test with: `dig @10.8.0.1 google.com`
 
-OPENVPN
+(SERVER should read: `SERVER: 10.8.0.1#53(10.8.0.1)`)
 
-Add this to (or modify) /etc/openvpn/server.conf
+## OPENVPN
 
-push \"redirect-gateway def1 bypass-dhcp\"
-push \"dhcp-option DNS 10.8.0.1\"
-push \"register-dns\"
+Add this to (or modify) `/etc/openvpn/server.conf`:
 
-Then restart OpenVPN with: sudo service openvpn restart
+    push \"redirect-gateway def1 bypass-dhcp\"
+    push \"dhcp-option DNS 10.8.0.1\"
+    push \"register-dns\"
 
-OpenVPN clients should now be using Unbound. Test at http://dnsleak.com/
+Then restart OpenVPN with: `sudo service openvpn restart`
+
+OpenVPN clients should now be using Unbound. Test at <http://dnsleak.com/>.
 """]]

Comment moderation
diff --git a/posts/setting-up-your-own-dnssec-aware/comment_5_650c2de462eaf647cf57a7989e8f67fd._comment b/posts/setting-up-your-own-dnssec-aware/comment_5_650c2de462eaf647cf57a7989e8f67fd._comment
new file mode 100644
index 0000000..f5a93b7
--- /dev/null
+++ b/posts/setting-up-your-own-dnssec-aware/comment_5_650c2de462eaf647cf57a7989e8f67fd._comment
@@ -0,0 +1,42 @@
+[[!comment format=mdwn
+ ip="162.243.251.96"
+ subject="Re: OpenVPN settings"
+ date="2017-08-26T22:19:01Z"
+ content="""
+We figured it out:
+
+In order for OpenVPN to use the locally installed Unbound DNS resolver, do this:
+
+First check for the IP we should use with: sudo ifconfig
+
+The IP we need is the one listed at 
+
+tun0: inet 10.8.0.1 
+
+UNBOUND
+
+Add this to /etc/unbound/unbound.conf
+
+server:
+    interface: 127.0.0.1
+    interface: 10.8.0.1
+    access-control: 127.0.0.1 allow
+    access-control: 10.8.0.1/24 allow
+
+Then restart Unbound with: sudo service unbound restart
+
+Test with: dig @10.8.0.1 google.com
+(SERVER should read: SERVER: 10.8.0.1#53(10.8.0.1))
+
+OPENVPN
+
+Add this to (or modify) /etc/openvpn/server.conf
+
+push \"redirect-gateway def1 bypass-dhcp\"
+push \"dhcp-option DNS 10.8.0.1\"
+push \"register-dns\"
+
+Then restart OpenVPN with: sudo service openvpn restart
+
+OpenVPN clients should now be using Unbound. Test at http://dnsleak.com/
+"""]]

Comment moderation
diff --git a/posts/pristine-tar-and-git-buildpackage-work-arounds/comment_1_e0c2bea75571323d9b0089c173e4afef._comment b/posts/pristine-tar-and-git-buildpackage-work-arounds/comment_1_e0c2bea75571323d9b0089c173e4afef._comment
new file mode 100644
index 0000000..76b9453
--- /dev/null
+++ b/posts/pristine-tar-and-git-buildpackage-work-arounds/comment_1_e0c2bea75571323d9b0089c173e4afef._comment
@@ -0,0 +1,40 @@
+[[!comment format=mdwn
+ ip="2a02:120b:7ff:13f0:26be:5ff:fee1:2b31"
+ claimedauthor="Joël Krähemann"
+ url="http://nongnu.org/gsequencer"
+ subject="debian/rules target work-around"
+ date="2017-08-22T15:02:19Z"
+ content="""
+Hi
+
+We worked on a debian/rules target to download upstream tarball and signature. But I don't know if my debian sponsor is happy about it.
+
+
+    # Gets the name of the source package
+    DEB_SOURCE_PACKAGE := $(strip $(shell egrep '^Source: ' debian/control | cut -f 2 -d ':'))
+
+    # Gets the full version of the source package including debian version
+    DEB_VERSION := $(shell dpkg-parsechangelog | egrep '^Version:' | cut -f 2 -d ' ')
+    DEB_NOEPOCH_VERSION := $(shell echo $(DEB_VERSION) | cut -d: -f2-)
+
+    # Gets only the upstream version of the package
+    DEB_UPSTREAM_VERSION := $(shell echo $(DEB_NOEPOCH_VERSION) | sed 's/-[^-]*$$//')
+    DEB_SOURCE_PACKAGE := $(strip $(shell egrep '^Source: ' debian/control | cut -f 2 -d ':'))
+    DEB_UPSTREAM_MINOR_VERSION := $(shell echo $(DEB_UPSTREAM_VERSION) | sed -r 's/([0-9]+).([0-9]+).([0-9]+)/\1.\2.x/')
+
+    # Sets tarball-dir if not provided by command line
+    TARBALL_DIR ?= ../tarballs
+
+    # Sets export-dir if not provided by command line
+    EXPORT_DIR ?= ../build-area
+
+    get-orig-source:
+      mkdir -p $(TARBALL_DIR)
+      mkdir -p $(EXPORT_DIR)
+      wget -O \"$(TARBALL_DIR)/$(DEB_SOURCE_PACKAGE)_$(DEB_UPSTREAM_VERSION).orig.tar.gz\" -c \"http://download.savannah.gnu.org/releases/gsequencer/$(DEB_UPSTREAM_MINOR_VERSION)/$(DEB_SOURCE_PACKAGE)-$(DEB_UPSTREAM_VERSION).tar.gz\"
+      wget -O \"$(TARBALL_DIR)/$(DEB_SOURCE_PACKAGE)_$(DEB_UPSTREAM_VERSION).orig.tar.gz.asc\" -c \"http://download.savannah.gnu.org/releases/gsequencer/$(DEB_UPSTREAM_MINOR_VERSION)/$(DEB_SOURCE_PACKAGE)-$(DEB_UPSTREAM_VERSION).tar.gz.sig\"
+      ln -s \"$(TARBALL_DIR)/$(DEB_SOURCE_PACKAGE)_$(DEB_UPSTREAM_VERSION).orig.tar.gz.asc\" $(EXPORT_DIR)
+
+
+
+"""]]

Comment moderation
diff --git a/posts/setting-up-your-own-dnssec-aware/comment_4_76f7656b5ca945dc2cf6a11ee9402d12._comment b/posts/setting-up-your-own-dnssec-aware/comment_4_76f7656b5ca945dc2cf6a11ee9402d12._comment
new file mode 100644
index 0000000..39b5f93
--- /dev/null
+++ b/posts/setting-up-your-own-dnssec-aware/comment_4_76f7656b5ca945dc2cf6a11ee9402d12._comment
@@ -0,0 +1,11 @@
+[[!comment format=mdwn
+ username="francois@665656f0ba400877c9b12e8fbb086e45aa01f7c0"
+ nickname="francois"
+ avatar="http://fmarier.org/avatar/0110e86fdb31486c22dd381326d99de9"
+ subject="Re: OpenVPN settings"
+ date="2017-08-16T16:20:31Z"
+ content="""
+> What changes need to be made to /etc/openvpn/server.conf in order to use Unbound from within the VPN tunnel when connected to the server from an external client?
+
+I haven't yet figured out how to do that, but it's something I'd really like to add to my [OpenVPN setup](https://feeding.cloud.geek.nz/posts/creating-a-linode-based-vpn-setup-using_openvpn_on_debian_or_ubuntu/).
+"""]]

Comment moderation
diff --git a/posts/setting-up-your-own-dnssec-aware/comment_3_cc2943361afc1181a8920ffbfd028465._comment b/posts/setting-up-your-own-dnssec-aware/comment_3_cc2943361afc1181a8920ffbfd028465._comment
new file mode 100644
index 0000000..b47155d
--- /dev/null
+++ b/posts/setting-up-your-own-dnssec-aware/comment_3_cc2943361afc1181a8920ffbfd028465._comment
@@ -0,0 +1,11 @@
+[[!comment format=mdwn
+ ip="162.243.251.96"
+ subject="OpenVPN settings"
+ date="2017-08-16T06:28:48Z"
+ content="""
+Dear François,
+
+Thank you so much for this! What changes need to be made to /etc/openvpn/server.conf in order to use Unbound from within the VPN tunnel when connected to the server from an external client?
+
+Thanks for your help, François!
+"""]]

Add a step to fixup the 127.0.0.1 entry in /etc/hosts
This will help ensure that the sender address is correctly set to the fully
qualified domain in outgoing emails.
diff --git a/posts/usual-server-setup.mdwn b/posts/usual-server-setup.mdwn
index f29443e..62b01f0 100644
--- a/posts/usual-server-setup.mdwn
+++ b/posts/usual-server-setup.mdwn
@@ -290,6 +290,12 @@ Configuring mail properly is tricky but the following has worked for me.
 In `/etc/hostname`, put the bare hostname (no domain), but in
 `/etc/mailname` put the fully qualified hostname.
 
+In `/etc/hosts`, make sure that the fully qualified hostname is the
+first alias for `127.0.0.1`, followed by the bare hostname and then
+anything else. For example:
+
+    127.0.0.1 hostname.example.com hostname localhost
+
 Change the following in `/etc/postfix/main.cf`:
 
     inet_interfaces = loopback-only
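
Review bot: with `127.0.0.1 hostname.example.com hostname localhost`, a reverse lookup of 127.0.0.1 now returns the FQDN instead of `localhost`, which some daemons and scripts use to recognise local connections; the Debian installer's convention of a separate `127.0.1.1 hostname.example.com hostname` line (leaving `127.0.0.1 localhost` untouched) also makes `hostname -f` return the FQDN and is worth mentioning as the lower-risk alternative.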

Filed a pristine-tar bug at Tomasz Buchert's request
diff --git a/posts/pristine-tar-and-git-buildpackage-work-arounds.mdwn b/posts/pristine-tar-and-git-buildpackage-work-arounds.mdwn
index b8db6c6..1e801cd 100644
--- a/posts/pristine-tar-and-git-buildpackage-work-arounds.mdwn
+++ b/posts/pristine-tar-and-git-buildpackage-work-arounds.mdwn
@@ -38,12 +38,10 @@ This time, I got a different `pristine-tar` error:
     pristine-tar: command failed: pristine-gz --no-verbose --no-debug --no-keep gengz /tmp/user/1000/pristine-tar.mgnaMjnwlk/wrapper /tmp/user/1000/pristine-tar.EV5aXIPWfn/planetfilter_0.7.4.orig.tar.gz.tmp
     pristine-tar: failed to generate tarball
 
-After looking through the
-[list of open bugs](https://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=pristine-tar;dist=unstable#_0_4_4),
-I thought it was probably not worth filing a bug given how many similar ones
-are waiting to be addressed.
+I filed [bug 871938](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871938)
+for this.
 
-So as a work-around, I simply symlinked the upstream tarball I already had
+As a work-around, I simply symlinked the upstream tarball I already had
 and then built the package using the tarball directly instead of the
 `upstream` git branch:
 

Add my packaging blog post
diff --git a/posts/pristine-tar-and-git-buildpackage-work-arounds.mdwn b/posts/pristine-tar-and-git-buildpackage-work-arounds.mdwn
new file mode 100644
index 0000000..b8db6c6
--- /dev/null
+++ b/posts/pristine-tar-and-git-buildpackage-work-arounds.mdwn
@@ -0,0 +1,92 @@
+[[!meta title="pristine-tar and git-buildpackage Work-arounds"]]
+[[!meta date="2017-08-09T22:25:00:00.000-07:00"]]
+[[!meta license="[Creative Commons Attribution-ShareAlike 4.0 International License](http://creativecommons.org/licenses/by-sa/4.0/)"]]
+
+I recently ran into problems trying to package the
+[latest version](https://launchpad.net/planetfilter/trunk/0.7.4) of my
+[planetfilter](https://feeding.cloud.geek.nz/posts/keeping-up-with-noisy-blog-aggregators-using-planetfilter/)
+tool.
+
+This is how I was able to temporarily work-around bugs in my tools and still
+produce a [package](https://tracker.debian.org/news/860953) that can be
+built reproducibly from source and that contains a verifiable upstream
+signature.
+
+# pristine-tar being is unable to reproduce a tarball
+
+After importing the
+[latest upstream tarball](https://pypi.python.org/pypi/planetfilter/0.7.4)
+using `gbp import-orig`, I tried to build the package but ran into this
+[`pristine-tar`](https://packages.debian.org/sid/pristine-tar) error:
+
+    $ gbp buildpackage
+    gbp:error: Pristine-tar couldn't checkout "planetfilter_0.7.4.orig.tar.gz": xdelta3: target window checksum mismatch: XD3_INVALID_INPUT
+    xdelta3: normally this indicates that the source file is incorrect
+    xdelta3: please verify the source file with sha1sum or equivalent
+    xdelta3 decode failed! at /usr/share/perl5/Pristine/Tar/DeltaTools.pm line 56.
+    pristine-tar: command failed: pristine-gz --no-verbose --no-debug --no-keep gengz /tmp/user/1000/pristine-tar.mgnaMjnwlk/wrapper /tmp/user/1000/pristine-tar.EV5aXIPWfn/planetfilter_0.7.4.orig.tar.gz.tmp
+    pristine-tar: failed to generate tarball
+
+So I decided to throw away what I had, re-import the tarball and try again.
+This time, I got a different `pristine-tar` error:
+
+    $ gbp buildpackage
+    gbp:error: Pristine-tar couldn't checkout "planetfilter_0.7.4.orig.tar.gz": xdelta3: target window checksum mismatch: XD3_INVALID_INPUT
+    xdelta3: normally this indicates that the source file is incorrect
+    xdelta3: please verify the source file with sha1sum or equivalent
+    xdelta3 decode failed! at /usr/share/perl5/Pristine/Tar/DeltaTools.pm line 56.
+    pristine-tar: command failed: pristine-gz --no-verbose --no-debug --no-keep gengz /tmp/user/1000/pristine-tar.mgnaMjnwlk/wrapper /tmp/user/1000/pristine-tar.EV5aXIPWfn/planetfilter_0.7.4.orig.tar.gz.tmp
+    pristine-tar: failed to generate tarball
+
+After looking through the
+[list of open bugs](https://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=pristine-tar;dist=unstable#_0_4_4),
+I thought it was probably not worth filing a bug given how many similar ones
+are waiting to be addressed.
+
+So as a work-around, I simply symlinked the upstream tarball I already had
+and then built the package using the tarball directly instead of the
+`upstream` git branch:
+
+    ln -s ~/deve/remote/planetfilter/dist/planetfilter-0.7.4.tar.gz ../planetfilter_0.7.4.orig.tar.gz
+    gbp buildpackage --git-tarball-dir=..
+
+Given that only the `upstream` and `master` branches are signed, the
+[.delta file](https://anonscm.debian.org/cgit/collab-maint/planetfilter.git/tree/planetfilter_0.7.4.orig.tar.gz.delta?h=pristine-tar)
+on the
+[`pristine-tar` branch](https://anonscm.debian.org/cgit/collab-maint/planetfilter.git/tree/?h=pristine-tar)
+could be fixed at any time in the future by committing a new `.delta` file
+once `pristine-tar` gets fixed. This therefore seems like a reasonable
+work-around.
+
+# git-buildpackage doesn't import the upstream tarball signature
+
+The second problem I ran into was a missing upstream signature after
+building the package with
+[`git-buildpackage`](https://packages.debian.org/sid/git-buildpackage):
+
+    $ lintian -i planetfilter_0.7.4-1_amd64.changes
+    E: planetfilter changes: orig-tarball-missing-upstream-signature planetfilter_0.7.4.orig.tar.gz
+    N: 
+    N:    The packaging includes an upstream signing key but the corresponding
+    N:    .asc signature for one or more source tarballs are not included in your
+    N:    .changes file.
+    N:    
+    N:    Severity: important, Certainty: certain
+    N:    
+    N:    Check: changes-file, Type: changes
+    N: 
+
+This problem (and the lintian error I suspect) is fairly new and [hasn't been
+solved yet](https://lists.debian.org/debian-devel/2017/07/msg00451.html).
+
+So until `gbp import-orig` gets proper support for upstream signatures, my
+work-around was to copy the upstream signature in the `export-dir` output
+directory (which I set in `~/.gbp.conf`) so that it can be picked up by the
+final stages of `gbp buildpackage`:
+
+    ln -s ~/deve/remote/planetfilter/dist/planetfilter-0.7.4.tar.gz.asc ../build-area/planetfilter_0.7.4.orig.tar.gz.asc
+
+If there's a better way to do this, please feel free to leave a comment
+(authentication not required)!
+
+[[!tag debian]] [[!tag nzoss]] [[!tag packaging]]
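
Review bot: the two `gbp buildpackage` transcripts are identical (same `XD3_INVALID_INPUT` message, same `/tmp/user/1000/pristine-tar.mgnaMjnwlk` paths), yet the text between them says "This time, I got a different `pristine-tar` error"; either the second paste is wrong or the sentence is, and as written the reader cannot tell what changed. Two smaller points: the `[[!meta date=...]]` value `2017-08-09T22:25:00:00.000-07:00` has an extra `:00` in the time part and is not a valid timestamp (`2017-08-09T22:25:00.000-07:00`), and the heading `# pristine-tar being is unable to reproduce a tarball` has a stray word.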

Mention that the existing cronjob needs to be disabled
diff --git a/posts/automatically-renewing-letsencrypt-certs-on-debian-using-certbot.mdwn b/posts/automatically-renewing-letsencrypt-certs-on-debian-using-certbot.mdwn
index 5fd7dbc..084aeb2 100644
--- a/posts/automatically-renewing-letsencrypt-certs-on-debian-using-certbot.mdwn
+++ b/posts/automatically-renewing-letsencrypt-certs-on-debian-using-certbot.mdwn
@@ -9,7 +9,12 @@ tool. Since I use the "temporary webserver" method of proving domain
 ownership via the [ACME protocol](https://ietf-wg-acme.github.io/acme/), I
 cannot use the cert renewal cronjob built into Certbot.
 
-Instead, this is the script I put in `/etc/cron.daily/certbot-renew`:
+To disable the built-in cronjob, I ran the following:
+
+    systemctl disable certbot.service
+    systemctl disable certbot.timer
+
+Then I put my own renewal script in `/etc/cron.daily/certbot-renew`:
 
     #!/bin/bash
 
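
Review bot: `systemctl disable certbot.timer` only removes the timer from the boot-time wants; a timer that is already active keeps firing until it is stopped, so the snippet should stop it as well, e.g. `systemctl disable --now certbot.timer`, otherwise the built-in renewal and the new `/etc/cron.daily/certbot-renew` script both run until the next reboot. Disabling `certbot.service` is largely redundant, since the timer is what triggers it.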

Rephrase the introduction, as suggested by Marco d'Itri
diff --git a/posts/time-synchronization-with-ntp-and-systemd.mdwn b/posts/time-synchronization-with-ntp-and-systemd.mdwn
index a3bd6c8..84d3841 100644
--- a/posts/time-synchronization-with-ntp-and-systemd.mdwn
+++ b/posts/time-synchronization-with-ntp-and-systemd.mdwn
@@ -9,9 +9,9 @@ some wouldn't suggested a problem with time keeping on my laptop.
 
 This was surprising since I've been running [NTP](http://www.ntp.org/) for a
 many years and have therefore never had to think about time synchronization.
-After looking into this though, I realized that the move to
-[systemd](https://freedesktop.org/wiki/Software/systemd/) had changed how
-this is meant to be done.
+After realizing that `ntpd` had stopped working on my machine for some reason,
+I found that [systemd](https://freedesktop.org/wiki/Software/systemd/)
+provides an easier way to keep time synchronized.
 
 # The new systemd time synchronization daemon
 
@@ -49,8 +49,6 @@ between `ntpd` and `systemd-timesyncd`. The solution of course is to remove
 the former before enabling the latter:
 
     apt purge ntp
-    systemctl enable systemd-timesyncd.service
-    systemctl restart systemd-timesyncd.service
 
 # Enabling time synchronization with NTP
 
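
Review bot: after this hunk the sentence "remove the former before enabling the latter" is followed only by `apt purge ntp`; the `systemctl enable systemd-timesyncd.service` and `restart` lines that showed the enabling step were dropped here, so either the following "Enabling time synchronization with NTP" section must carry them or the sentence should be reworded to match.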

Comment moderation
diff --git a/posts/time-synchronization-with-ntp-and-systemd/comment_1_e99afcbef4e7617574d9bf3041b265d3._comment b/posts/time-synchronization-with-ntp-and-systemd/comment_1_e99afcbef4e7617574d9bf3041b265d3._comment
new file mode 100644
index 0000000..7d3e0bc
--- /dev/null
+++ b/posts/time-synchronization-with-ntp-and-systemd/comment_1_e99afcbef4e7617574d9bf3041b265d3._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ ip="217.193.164.68"
+ claimedauthor="EVD"
+ subject="comment 1"
+ date="2017-08-07T06:13:28Z"
+ content="""
+Not sure why, but on my freshly installed Stretch I have ntpd installed in /usr/sbin/ntpd and systemd-timesyncd seems to be running fine. Actually it looks like both are running in top?
+"""]]

creating tag page tags/systemd
diff --git a/tags/systemd.mdwn b/tags/systemd.mdwn
new file mode 100644
index 0000000..62a1852
--- /dev/null
+++ b/tags/systemd.mdwn
@@ -0,0 +1,4 @@
+[[!meta title="pages tagged systemd"]]
+
+[[!inline pages="tagged(systemd)" actions="no" archive="yes"
+feedshow=10]]

creating tag page tags/ntp
diff --git a/tags/ntp.mdwn b/tags/ntp.mdwn
new file mode 100644
index 0000000..6e70f03
--- /dev/null
+++ b/tags/ntp.mdwn
@@ -0,0 +1,4 @@
+[[!meta title="pages tagged ntp"]]
+
+[[!inline pages="tagged(ntp)" actions="no" archive="yes"
+feedshow=10]]

Create a new systemd tag
diff --git a/posts/creating-a-modern-tiling-desktop-environment-using-i3.mdwn b/posts/creating-a-modern-tiling-desktop-environment-using-i3.mdwn
index 1c3e781..d0f9432 100644
--- a/posts/creating-a-modern-tiling-desktop-environment-using-i3.mdwn
+++ b/posts/creating-a-modern-tiling-desktop-environment-using-i3.mdwn
@@ -122,4 +122,4 @@ Finally, because X sometimes fail to detect my external monitor when docking/und
 
     bindsym XF86Display exec /home/francois/bin/external-monitor
 
-[[!tag debian]] [[!tag i3]] [[!tag gnome]] [[!tag nzoss]]
+[[!tag debian]] [[!tag i3]] [[!tag gnome]] [[!tag nzoss]] [[!tag systemd]]
diff --git a/posts/home-music-server-with-mpd.mdwn b/posts/home-music-server-with-mpd.mdwn
index aeeaa61..0f0e02a 100644
--- a/posts/home-music-server-with-mpd.mdwn
+++ b/posts/home-music-server-with-mpd.mdwn
@@ -132,4 +132,4 @@ since [MPoD](http://www.katoemba.net/makesnosenseatall/mpod/) and
 [MPaD](http://www.katoemba.net/makesnosenseatall/mpad/) don't appear to be
 available on the AppStore anymore.
 
-[[!tag debian]] [[!tag ubuntu]] [[!tag nzoss]] [[!tag mpd]] [[!tag ios]] [[!tag android]] [[!tag tor]]
+[[!tag debian]] [[!tag ubuntu]] [[!tag nzoss]] [[!tag mpd]] [[!tag ios]] [[!tag android]] [[!tag tor]] [[!tag systemd]]
diff --git a/posts/setting-up-a-network-scanner-using-sane.mdwn b/posts/setting-up-a-network-scanner-using-sane.mdwn
index a624359..bd8dfe8 100644
--- a/posts/setting-up-a-network-scanner-using-sane.mdwn
+++ b/posts/setting-up-a-network-scanner-using-sane.mdwn
@@ -140,4 +140,4 @@ before finally restarting the service:
     systemctl daemon-reload
     systemctl restart saned.socket
 
-[[!tag debian]] [[!tag sane]]
+[[!tag debian]] [[!tag sane]] [[!tag systemd]]

Add NTP blog post
diff --git a/posts/time-synchronization-with-ntp-and-systemd.mdwn b/posts/time-synchronization-with-ntp-and-systemd.mdwn
new file mode 100644
index 0000000..a3bd6c8
--- /dev/null
+++ b/posts/time-synchronization-with-ntp-and-systemd.mdwn
@@ -0,0 +1,93 @@
+[[!meta title="Time Synchronization with NTP and systemd"]]
+[[!meta date="2017-08-06T13:10:00:00.000-07:00"]]
+[[!meta license="[Creative Commons Attribution-ShareAlike 4.0 International License](http://creativecommons.org/licenses/by-sa/4.0/)"]]
+
+I recently ran into problems with generating
+[TOTP](https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm)
+2-factor codes on my laptop. The fact that some of the codes would work and
+some wouldn't suggested a problem with time keeping on my laptop.
+
+This was surprising since I've been running [NTP](http://www.ntp.org/) for a
+many years and have therefore never had to think about time synchronization.
+After looking into this though, I realized that the move to
+[systemd](https://freedesktop.org/wiki/Software/systemd/) had changed how
+this is meant to be done.
+
+# The new systemd time synchronization daemon
+
+On a machine running systemd, there is no need to run the full-fledged
+`ntpd` daemon anymore. The built-in `systemd-timesyncd` can do the basic
+time synchronization job just fine.
+
+However, I noticed that the daemon wasn't actually running:
+
+    $ systemctl status systemd-timesyncd.service 
+    ● systemd-timesyncd.service - Network Time Synchronization
+       Loaded: loaded (/lib/systemd/system/systemd-timesyncd.service; enabled; vendor preset: enabled)
+      Drop-In: /lib/systemd/system/systemd-timesyncd.service.d
+               └─disable-with-time-daemon.conf
+       Active: inactive (dead)
+    Condition: start condition failed at Thu 2017-08-03 21:48:13 PDT; 1 day 20h ago
+         Docs: man:systemd-timesyncd.service(8)
+
+referring instead to a mysterious "failed condition". Attempting to restart
+the service did provide more details though:
+
+    $ systemctl restart systemd-timesyncd.service 
+    $ systemctl status systemd-timesyncd.service 
+    ● systemd-timesyncd.service - Network Time Synchronization
+       Loaded: loaded (/lib/systemd/system/systemd-timesyncd.service; enabled; vendor preset: enabled)
+      Drop-In: /lib/systemd/system/systemd-timesyncd.service.d
+               └─disable-with-time-daemon.conf
+       Active: inactive (dead)
+    Condition: start condition failed at Sat 2017-08-05 18:19:12 PDT; 1s ago
+               └─ ConditionFileIsExecutable=!/usr/sbin/ntpd was not met
+         Docs: man:systemd-timesyncd.service(8)
+
+The above check for the presence of `/usr/sbin/ntpd` points to a conflict
+between `ntpd` and `systemd-timesyncd`. The solution of course is to remove
+the former before enabling the latter:
+
+    apt purge ntp
+    systemctl enable systemd-timesyncd.service
+    systemctl restart systemd-timesyncd.service
+
+# Enabling time synchronization with NTP
+
+Once the `ntp` package has been removed, it is time to enable NTP support in
+`timesyncd`.
+
+Start by choosing the [NTP server pool](http://www.pool.ntp.org/en/) nearest
+you and put it in `/etc/systemd/timesyncd.conf`. For example, mine reads
+like this:
+
+    [Time]
+    NTP=ca.pool.ntp.org
+
+before restarting the daemon:
+
+    systemctl restart systemd-timesyncd.service 
+
+That may not be enough on your machine though. To check whether or not the
+time has been synchronized with NTP servers, run the following:
+
+    $ timedatectl status
+    ...
+     Network time on: yes
+    NTP synchronized: no
+     RTC in local TZ: no
+
+If NTP is not enabled, then you can enable it by running this command:
+
+    timedatectl set-ntp true
+
+Once that's done, everything should be in place and time should be kept
+correctly:
+
+    $ timedatectl status
+    ...
+     Network time on: yes
+    NTP synchronized: yes
+     RTC in local TZ: no
+
+[[!tag debian]] [[!tag nzoss]] [[!tag systemd]] [[!tag ntp]]
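Review bot: the `[[!meta date=...]]` value `2017-08-06T13:10:00:00.000-07:00` has one `:00` too many for an ISO 8601 timestamp (hours:minutes:seconds, then the fraction), which ikiwiki may reject or misparse when sorting the post; it should be `2017-08-06T13:10:00.000-07:00`. Two smaller points: the `$ systemctl status systemd-timesyncd.service ` and `systemctl restart systemd-timesyncd.service ` command lines carry trailing spaces, and it is worth saying that `timedatectl set-ntp true` is the documented way to enable and start `systemd-timesyncd` (it does what the earlier `systemctl enable`/`restart` pair does) and that `NTP synchronized: no` immediately after a restart is expected, since the daemon needs at least one exchange with the pool before the flag flips to `yes`.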

Reword heading added in 01104034a971ac6f0bce5fe55b9893ea87b112c0
diff --git a/posts/setting-up-a-network-scanner-using-sane.mdwn b/posts/setting-up-a-network-scanner-using-sane.mdwn
index d29341a..a624359 100644
--- a/posts/setting-up-a-network-scanner-using-sane.mdwn
+++ b/posts/setting-up-a-network-scanner-using-sane.mdwn
@@ -112,7 +112,7 @@ and successfully perform a test scan using this command:
 
     scanimage > test.ppm
 
-# Troubleshooting broken
+# Troubleshooting connection problems
 
 If you see the following error in your logs (`systemctl status saned.socket`):
 

Add troubleshooting information for systemd unit bug in sane-backends
diff --git a/posts/setting-up-a-network-scanner-using-sane.mdwn b/posts/setting-up-a-network-scanner-using-sane.mdwn
index cf3a120..d29341a 100644
--- a/posts/setting-up-a-network-scanner-using-sane.mdwn
+++ b/posts/setting-up-a-network-scanner-using-sane.mdwn
@@ -112,4 +112,32 @@ and successfully perform a test scan using this command:
 
     scanimage > test.ppm
 
+# Troubleshooting broken
+
+If you see the following error in your logs (`systemctl status saned.socket`):
+
+    saned.socket: Too many incoming connections (1), dropping connection.
+
+then you can work around [this bug in the systemd
+unit](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850649) by
+[overriding the systemd unit that comes with the
+package](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sect-Managing_Services_with_systemd-Unit_Files.html#sect-Managing_Services_with_systemd-Unit_File_Modify):
+
+    cp /lib/systemd/system/saned.socket /etc/systemd/system/saned.socket
+
+then replace:
+
+    [Socket]
+    MaxConnections=1
+
+with:
+
+    [Socket]
+    MaxConnections=64
+
+before finally restarting the service:
+
+    systemctl daemon-reload
+    systemctl restart saned.socket
+
 [[!tag debian]] [[!tag sane]]
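Review bot: copying the whole unit into `/etc/systemd/system/saned.socket` replaces it outright, so any later package updates to the socket unit will be silently ignored; since only `MaxConnections` changes, a drop-in is the safer form of the override and is described on the linked Red Hat page: `systemctl edit saned.socket`, then a `[Socket]` section with `MaxConnections=64`, followed by the same `systemctl restart saned.socket`. The new heading "Troubleshooting broken" also reads as unfinished and should say what is broken.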

Mention the scanner group in my SANE post
diff --git a/posts/setting-up-a-network-scanner-using-sane.mdwn b/posts/setting-up-a-network-scanner-using-sane.mdwn
index ca2e320..cf3a120 100644
--- a/posts/setting-up-a-network-scanner-using-sane.mdwn
+++ b/posts/setting-up-a-network-scanner-using-sane.mdwn
@@ -29,6 +29,9 @@ detects your scanner:
 
     scanimage -L
 
+Note that you'll need to be in the `scanner` group for this to work
+(`adduser username scanner`).
+
 This should give you output similar to this:
 
     device `genesys:libusb:001:006' is a Canon LiDE 220 flatbed scanner
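Review bot: the new note should say that group membership only takes effect in new login sessions, so after `adduser username scanner` the user has to log out and back in (or run `newgrp scanner` in the current shell) before `scanimage -L` will list the device; otherwise readers will assume the group change did not work.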
@@ -41,7 +44,7 @@ USB stack:
 
 and that its USB ID shows up in the SANE backend it needs:
 
-    $ grep 190f /etc/sane.d/genesys.conf 
+    $ grep 190f /etc/sane.d/genesys.conf
     usb 0x04a9 0x190f
 
 To do a test scan, simply run:

Explain how to make command-not-found work
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857090
diff --git a/posts/usual-server-setup.mdwn b/posts/usual-server-setup.mdwn
index 2c33033..f29443e 100644
--- a/posts/usual-server-setup.mdwn
+++ b/posts/usual-server-setup.mdwn
@@ -250,6 +250,11 @@ you need to restart a daemon using an obsolete library.
 Most of these tools are configuration-free, except for sysstat, which requires
 enabling data collection in `/etc/default/sysstat` to be useful.
 
+Also, [`command-not-found` won't work until you update the apt cache](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857090):
+
+    apt update
+    update-command-not-found
+
 # Apache configuration
 
     apt install apache2

Mention nocache since it's useful for cronjobs
https://feeding.cloud.geek.nz/posts/three-wrappers-to-run-commands-without-impacting-the-rest-of-the-system/
diff --git a/posts/usual-server-setup.mdwn b/posts/usual-server-setup.mdwn
index d12fbf4..2c33033 100644
--- a/posts/usual-server-setup.mdwn
+++ b/posts/usual-server-setup.mdwn
@@ -245,7 +245,7 @@ you need to restart a daemon using an obsolete library.
 
 # Handy utilities
 
-    apt install renameutils atool iotop sysstat lsof mtr-tiny mc netcat-openbsd command-not-found
+    apt install renameutils atool iotop sysstat lsof mtr-tiny mc netcat-openbsd command-not-found nocache
 
 Most of these tools are configuration-free, except for sysstat, which requires
 enabling data collection in `/etc/default/sysstat` to be useful.

Mention that the tp_smapi module is unusable on newer ThinkPads
diff --git a/posts/hooking-into-docking-undocking-events-to-run-scripts.mdwn b/posts/hooking-into-docking-undocking-events-to-run-scripts.mdwn
index eb22b74..6f85734 100644
--- a/posts/hooking-into-docking-undocking-events-to-run-scripts.mdwn
+++ b/posts/hooking-into-docking-undocking-events-to-run-scripts.mdwn
@@ -8,13 +8,19 @@ hook into the ACPI events and run arbitrary scripts.
 
 This was tested on a T420 with a [ThinkPad Dock Series
 3](http://www.thinkwiki.org/wiki/ThinkPad_Port_Replicator_Series_3) as well
-as a T440p with a [ThinkPad Ultra
+as a T440p and a T460p with a [ThinkPad Ultra
 Dock](http://www.thinkwiki.org/wiki/ThinkPad_Ultra_Dock).
 
-The only requirement is the ThinkPad ACPI kernel module which you can find in
-the [tp-smapi-dkms
-package](https://packages.debian.org/stable/tp-smapi-dkms) in Debian. That's
-what generates the `ibm/hotkey` events we will listen for.
+The only requirement is the ThinkPad kernel module. On most ThinkPads
+it's the [`tp_smapi` module](http://www.thinkwiki.org/wiki/Tp_smapi)
+(which you can find in the [tp-smapi-dkms
+package](https://packages.debian.org/stable/tp-smapi-dkms) in Debian)
+but on newer hardware, [that interface is
+gone](https://github.com/evgeni/tp_smapi/issues/24) and you can simply
+use the [`thinkpad_acpi`
+module](http://www.thinkwiki.org/wiki/Thinkpad-acpi) built into the
+kernel. That's what generates the `ibm/hotkey` events we will listen
+for.
 
 ## Hooking into the events
 

Add two more useful packages from my stretch installs
diff --git a/posts/usual-server-setup.mdwn b/posts/usual-server-setup.mdwn
index 59bedd3..d12fbf4 100644
--- a/posts/usual-server-setup.mdwn
+++ b/posts/usual-server-setup.mdwn
@@ -245,7 +245,7 @@ you need to restart a daemon using an obsolete library.
 
 # Handy utilities
 
-    apt install renameutils atool iotop sysstat lsof mtr-tiny mc
+    apt install renameutils atool iotop sysstat lsof mtr-tiny mc netcat-openbsd command-not-found
 
 Most of these tools are configuration-free, except for sysstat, which requires
 enabling data collection in `/etc/default/sysstat` to be useful.

Update openvpn settings for latest version of Network Manager
diff --git a/posts/creating-a-linode-based-vpn-setup-using_openvpn_on_debian_or_ubuntu.mdwn b/posts/creating-a-linode-based-vpn-setup-using_openvpn_on_debian_or_ubuntu.mdwn
index fd98016..e18ea5e 100644
--- a/posts/creating-a-linode-based-vpn-setup-using_openvpn_on_debian_or_ubuntu.mdwn
+++ b/posts/creating-a-linode-based-vpn-setup-using_openvpn_on_debian_or_ubuntu.mdwn
@@ -164,6 +164,7 @@ then click the "Avanced" button and set the following:
    * Cipher: `AES-256-CBC`
    * HMAC Authentication: `SHA-384`
 * TLS Authentication
+   * Server Certificate Check: Verify name exactly
    * Subject Match: `server`
    * Verify peer (server) certificate usage signature: `YES`
      * Remote peer certificate TLS type: `Server`
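Review bot: the added "Server Certificate Check: Verify name exactly" line should say what it verifies against: together with the existing "Subject Match: `server`" it makes the client require the server certificate's CN to be exactly `server` (OpenVPN's `verify-x509-name server name`), replacing the deprecated substring-style `tls-remote` check that older NetworkManager used, so it only works if the server certificate was issued with CN `server`. Separately, the unchanged hunk header still carries the typo "Avanced".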

Fix typo in ejabberd.yml
diff --git a/posts/running-your-own-xmpp-server-debian-ubuntu.mdwn b/posts/running-your-own-xmpp-server-debian-ubuntu.mdwn
index 88834d9..3213970 100644
--- a/posts/running-your-own-xmpp-server-debian-ubuntu.mdwn
+++ b/posts/running-your-own-xmpp-server-debian-ubuntu.mdwn
@@ -110,7 +110,7 @@ by adding `starttls_required` to this block:
             - "cipher_server_preference"
           ciphers: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
           tls_compression: false
-          dhfile: "/etc/ssl/ejabberd/dh2048.pem"
+          dhfile: "/etc/ejabberd/dh2048.pem"
           max_stanza_size: 65536
           shaper: c2s_shaper
           access: c2s
@@ -121,7 +121,7 @@ by adding `starttls_required` to this block:
         - "no_tlsv1"
         - "no_tlsv1_1"
         - "cipher_server_preference"
-      s2s_dhfile: /etc/ssl/ejabberd/dh2048.pem
+      s2s_dhfile: "/etc/ejabberd/dh2048.pem"
       s2s_ciphers: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
 
 5. Create the required dh2048.pem file:
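Review bot: the two `dhfile` lines are now consistent with each other, but step 5 below ("Create the required dh2048.pem file") must generate the file at the new `/etc/ejabberd/dh2048.pem` path, and the file has to be readable by the `ejabberd` user since the daemon does not run as root; otherwise both the c2s and s2s listeners fail to load their DH parameters at startup. Quoting the `s2s_dhfile` value is good, as it now matches the `dhfile` style.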

creating tag page tags/ejabberd
diff --git a/tags/ejabberd.mdwn b/tags/ejabberd.mdwn
new file mode 100644
index 0000000..29a499a
--- /dev/null
+++ b/tags/ejabberd.mdwn
@@ -0,0 +1,4 @@
+[[!meta title="pages tagged ejabberd"]]
+
+[[!inline pages="tagged(ejabberd)" actions="no" archive="yes"
+feedshow=10]]

Create an ejabberd tag
diff --git a/posts/running-your-own-xmpp-server-debian-ubuntu.mdwn b/posts/running-your-own-xmpp-server-debian-ubuntu.mdwn
index 7f904e9..88834d9 100644
--- a/posts/running-your-own-xmpp-server-debian-ubuntu.mdwn
+++ b/posts/running-your-own-xmpp-server-debian-ubuntu.mdwn
@@ -181,4 +181,4 @@ Finally, to ensure that your TLS settings are reasonable, use this
 [automated tool](https://xmpp.net/) to test both the client-to-server (c2s)
 and the server-to-server (s2s) flows.
 
-[[!tag debian]] [[!tag ubuntu]] [[!tag nzoss]] [[!tag sysadmin]] [[!tag xmpp]] [[!tag letsencrypt]]
+[[!tag debian]] [[!tag ubuntu]] [[!tag nzoss]] [[!tag sysadmin]] [[!tag xmpp]] [[!tag letsencrypt]] [[!tag ejabberd]]

Use a local config file for fail2ban instead of hacking the main one
diff --git a/posts/hardening-ssh-servers.mdwn b/posts/hardening-ssh-servers.mdwn
index 9351138..75b715a 100644
--- a/posts/hardening-ssh-servers.mdwn
+++ b/posts/hardening-ssh-servers.mdwn
@@ -58,7 +58,7 @@ package. It keeps an eye on the ssh log file (`/var/log/auth.log`) and
 temporarily blocks IP addresses after a number of failed login attempts.
 
 To prevent your own IP addresses from being blocked, add them to
-`/etc/fail2ban/jail.conf`:
+`/etc/fail2ban/jail.d/local.conf`:
 
     [DEFAULT]
     ignoreip = 127.0.0.1/8 1.2.3.4
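Review bot: moving the whitelist into `/etc/fail2ban/jail.d/local.conf` is the right call, since `jail.conf` is overwritten on package upgrades, and a `[DEFAULT]` block there does apply to every jail because fail2ban reads `jail.conf`, then `jail.d/*.conf`, then `jail.local` and `jail.d/*.local`, in that order. It is worth stating that `1.2.3.4` is a placeholder for the reader's own addresses, because an over-broad `ignoreip` silently exempts those ranges from every jail, not just the ssh one.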
diff --git a/posts/usual-server-setup.mdwn b/posts/usual-server-setup.mdwn
index ab8abcc..59bedd3 100644
--- a/posts/usual-server-setup.mdwn
+++ b/posts/usual-server-setup.mdwn
@@ -97,7 +97,7 @@ work](https://github.com/paramiko/paramiko/issues/509), I also add the following
 
 Since [fail2ban](http://www.fail2ban.org/) is used to rate-limit attempts to
 brute-force ssh connections, you may want to whitelist your own IP addresses
-by adding them to `/etc/fail2ban/jail.conf`:
+by adding them to `/etc/fail2ban/jail.d/local.conf`:
 
     [DEFAULT]
     ignoreip = 127.0.0.1/8 1.2.3.4

Make sure the debian-security-support package is installed
diff --git a/posts/usual-server-setup.mdwn b/posts/usual-server-setup.mdwn
index 722d134..ab8abcc 100644
--- a/posts/usual-server-setup.mdwn
+++ b/posts/usual-server-setup.mdwn
@@ -227,7 +227,7 @@ The above packages are all about catching mistakes (such as
 
 # Package updates
 
-    apt install apticron unattended-upgrades deborphan debfoster apt-listchanges reboot-notifier popularity-contest needrestart
+    apt install apticron unattended-upgrades deborphan debfoster apt-listchanges reboot-notifier popularity-contest needrestart debian-security-support
 
 These tools help me keep packages up to date and remove unnecessary or
 obsolete packages from servers. On Rackspace servers, a small [configuration
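Review bot: the paragraph after the package list does not say what `debian-security-support` adds; a clause noting that it reports packages whose security support has ended or is limited (`check-support-status`) would tell the reader why it belongs next to `unattended-upgrades` and `apticron`.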

Add Atlassian products in the referrer breakage section
diff --git a/posts/tweaking-referrer-for-privacy-in-firefox.mdwn b/posts/tweaking-referrer-for-privacy-in-firefox.mdwn
index 1d72634..a241807 100644
--- a/posts/tweaking-referrer-for-privacy-in-firefox.mdwn
+++ b/posts/tweaking-referrer-for-privacy-in-firefox.mdwn
@@ -117,16 +117,17 @@ example:
 
 - anything that uses the default [Django authentication](https://code.djangoproject.com/ticket/16870)
 - [Launchpad logins](https://bugs.launchpad.net/launchpad/+bug/560246)
+- Atlassian's [JIRA and Confluence](https://github.com/pyllyukko/user.js/issues/329)
 - [AMD driver downloads](https://bugzilla.mozilla.org/show_bug.cgi?id=970092#c7)
 - some [CDN-hosted images](https://www.capbridge.com/visit/shuttle-service/)
 - [Google Hangouts](https://github.com/pyllyukko/user.js/issues/328)
 
-The first two have been worked-around successfully by setting
+The first three have been worked-around successfully by setting
 `network.http.referer.spoofSource` to `true`, an advanced setting
 which always sends the destination URL as the referrer, thereby not leaking
 anything about the original page.
 
-Unfortunately, the last three are examples of the kind of breakage that can
+Unfortunately, the others are examples of the kind of breakage that can
 only be fixed through a whitelist (an approach supported by the [smart
 referer add-on](https://addons.mozilla.org/firefox/addon/smart-referer/)) or
 by temporarily using a different [browser

Comment moderation
diff --git a/posts/upgrading-lenovo-thinkpad-bios-under-linux/comment_5_9d3d165b503d8358a142b44f612be973._comment b/posts/upgrading-lenovo-thinkpad-bios-under-linux/comment_5_9d3d165b503d8358a142b44f612be973._comment
new file mode 100644
index 0000000..c307326
--- /dev/null
+++ b/posts/upgrading-lenovo-thinkpad-bios-under-linux/comment_5_9d3d165b503d8358a142b44f612be973._comment
@@ -0,0 +1,7 @@
+[[!comment format=mdwn
+ ip="88.214.186.65"
+ subject="enable UEFI"
+ date="2017-07-25T16:28:17Z"
+ content="""
+Also, you need to enable UEFI boot, so the usb or cd can boot... and plug in the AC power
+"""]]

Add a note about Google Hangouts requiring referrers
diff --git a/posts/tweaking-referrer-for-privacy-in-firefox.mdwn b/posts/tweaking-referrer-for-privacy-in-firefox.mdwn
index bd8ca21..1d72634 100644
--- a/posts/tweaking-referrer-for-privacy-in-firefox.mdwn
+++ b/posts/tweaking-referrer-for-privacy-in-firefox.mdwn
@@ -119,13 +119,14 @@ example:
 - [Launchpad logins](https://bugs.launchpad.net/launchpad/+bug/560246)
 - [AMD driver downloads](https://bugzilla.mozilla.org/show_bug.cgi?id=970092#c7)
 - some [CDN-hosted images](https://www.capbridge.com/visit/shuttle-service/)
+- [Google Hangouts](https://github.com/pyllyukko/user.js/issues/328)
 
 The first two have been worked-around successfully by setting
 `network.http.referer.spoofSource` to `true`, an advanced setting
 which always sends the destination URL as the referrer, thereby not leaking
 anything about the original page.
 
-Unfortunately, the last two are examples of the kind of breakage that can
+Unfortunately, the last three are examples of the kind of breakage that can
 only be fixed through a whitelist (an approach supported by the [smart
 referer add-on](https://addons.mozilla.org/firefox/addon/smart-referer/)) or
 by temporarily using a different [browser

Add pulseaudio docking post
diff --git a/posts/toggling-between-pulseaudio-outputs-when-docking-a-laptop.mdwn b/posts/toggling-between-pulseaudio-outputs-when-docking-a-laptop.mdwn
new file mode 100644
index 0000000..696add0
--- /dev/null
+++ b/posts/toggling-between-pulseaudio-outputs-when-docking-a-laptop.mdwn
@@ -0,0 +1,108 @@
+[[!meta title="Toggling Between Pulseaudio Outputs when Docking a Laptop"]]
+[[!meta date="2017-07-11T22:00:00:00.000-07:00"]]
+[[!meta license="[Creative Commons Attribution-ShareAlike 4.0 International License](http://creativecommons.org/licenses/by-sa/4.0/)"]]
+
+In addition to
+[selecting the right monitor after docking my ThinkPad](https://feeding.cloud.geek.nz/posts/hooking-into-docking-undocking-events-to-run-scripts/),
+I wanted to set the correct sound output since I have headphones connected
+to my Ultra Dock. This can be done fairly easily using
+[Pulseaudio](https://www.freedesktop.org/wiki/Software/PulseAudio/).
+
+# Switching to a different pulseaudio output
+
+To find the device name and the output name I need to provide to `pacmd`, I
+ran `pacmd list-sinks`:
+
+    2 sink(s) available.
+    ...
+      * index: 1
+    	name: <alsa_output.pci-0000_00_1b.0.analog-stereo>
+    	driver: <module-alsa-card.c>
+    ...
+    	ports:
+    		analog-output: Analog Output (priority 9900, latency offset 0 usec, available: unknown)
+    			properties:
+    				
+    		analog-output-speaker: Speakers (priority 10000, latency offset 0 usec, available: unknown)
+    			properties:
+    				device.icon_name = "audio-speakers"
+
+From there, I extracted the soundcard name
+(`alsa_output.pci-0000_00_1b.0.analog-stereo`) and the names of the two
+output ports (`analog-output` and `analog-output-speaker`).
+
+To switch between the headphones and the speakers, I can therefore run the
+following commands:
+
+    pacmd set-sink-port alsa_output.pci-0000_00_1b.0.analog-stereo analog-output
+    pacmd set-sink-port alsa_output.pci-0000_00_1b.0.analog-stereo analog-output-speaker
+
+# Listening for headphone events
+
+Then I looked for the ACPI event triggered when my headphones are detected
+by the laptop after docking.
+
+After looking at the output of `acpi_listen`, I found `jack/headphone HEADPHONE plug`.
+
+Combining this with the above pulseaudio names, I put the following in
+`/etc/acpi/events/thinkpad-dock-headphones`:
+
+    event=jack/headphone HEADPHONE plug
+    action=su francois -c "pacmd set-sink-port alsa_output.pci-0000_00_1b.0.analog-stereo analog-output"
+
+to automatically switch to the headphones when I dock my laptop.
+
+# Finding out whether or not the laptop is docked
+
+While it is possible to
+[hook into the docking and undocking ACPI events and run scripts](https://feeding.cloud.geek.nz/posts/hooking-into-docking-undocking-events-to-run-scripts/),
+there doesn't seem to be an easy way from a shell script to tell whether or
+not the laptop is docked.
+
+In the end, I settled on detecting the presence of USB devices.
+
+I ran `lsusb` twice (once docked and once undocked) and then compared the
+output:
+
+    lsusb  > docked 
+    lsusb  > undocked 
+    colordiff -u docked undocked 
+
+This gave me a number of differences since I have a bunch of peripherals
+attached to the dock:
+
+    --- docked	2017-07-07 19:10:51.875405241 -0700
+    +++ undocked	2017-07-07 19:11:00.511336071 -0700
+    @@ -1,15 +1,6 @@
+     Bus 001 Device 002: ID 8087:8000 Intel Corp. 
+     Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
+    -Bus 003 Device 081: ID 0424:5534 Standard Microsystems Corp. Hub
+    -Bus 003 Device 080: ID 17ef:1010 Lenovo 
+     Bus 003 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
+    -Bus 002 Device 041: ID xxxx:xxxx ...
+    -Bus 002 Device 040: ID xxxx:xxxx ...
+    -Bus 002 Device 039: ID xxxx:xxxx ...
+    -Bus 002 Device 038: ID 17ef:100f Lenovo 
+    -Bus 002 Device 037: ID xxxx:xxxx ...
+    -Bus 002 Device 042: ID 0424:2134 Standard Microsystems Corp. Hub
+    -Bus 002 Device 036: ID 17ef:1010 Lenovo 
+     Bus 002 Device 002: ID xxxx:xxxx ...
+     Bus 002 Device 004: ID xxxx:xxxx ...
+     Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
+
+I picked `17ef:1010` as it appeared to be some internal bus on the Ultra
+Dock (none of my USB devices were connected to Bus 003) and then ended up
+with the following
+[port toggling script](https://github.com/fmarier/user-scripts/blob/master/toggle-pulseaudio-port):
+
+    #!/bin/bash
+    
+    if /usr/bin/lsusb | grep 17ef:1010 > /dev/null ; then
+        # docked
+        pacmd set-sink-port alsa_output.pci-0000_00_1b.0.analog-stereo analog-output
+    else
+        # undocked
+        pacmd set-sink-port alsa_output.pci-0000_00_1b.0.analog-stereo analog-output-speaker
+    fi
+
+[[!tag debian]] [[!tag nzoss]] [[!tag thinkpad]]
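Review bot: the `[[!meta date=...]]` value `2017-07-11T22:00:00:00.000-07:00` has an extra `:00` and is not a valid ISO 8601 timestamp; it should be `2017-07-11T22:00:00.000-07:00`. In the toggling script, `grep 17ef:1010 > /dev/null` can simply be `grep -q 17ef:1010`, and since the match is on a vendor:product ID, any other Lenovo device with the same ID would also count as "docked"; the text acknowledges that the ID was picked by elimination, and the `# docked` comment in the script could repeat that assumption. The `lsusb  > docked ` and `lsusb  > undocked ` lines also carry doubled and trailing spaces.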

Comment moderation
diff --git a/posts/setting-up-a-network-scanner-using-sane/comment_4_11c177b11331f1d232176d768b571430._comment b/posts/setting-up-a-network-scanner-using-sane/comment_4_11c177b11331f1d232176d768b571430._comment
new file mode 100644
index 0000000..861621f
--- /dev/null
+++ b/posts/setting-up-a-network-scanner-using-sane/comment_4_11c177b11331f1d232176d768b571430._comment
@@ -0,0 +1,10 @@
+[[!comment format=mdwn
+ ip="184.155.20.14"
+ claimedauthor="Paul K"
+ subject="Re: Point of Network Scanner... Windows"
+ date="2017-07-09T01:26:59Z"
+ content="""
+sane is supported on windows (Xsane for win32, SwingSane), but only as a network client. You can't plug a scanner into a windows machine with USB and use sane, but you can plug a scanner into a linux machine, run saned, and then connect sane on windows to that.
+
+Why would you do this? HP Multifunction printers are notorious for not supporting the latest version of windows. HP will make a \"universal print driver\" and ignore the scanner. So anyone with an older device (something made for XP or Win9x) can't scan from windows normally. saned keeps these devices alive.
+"""]]

Use another docking event which is triggered later
diff --git a/posts/hooking-into-docking-undocking-events-to-run-scripts.mdwn b/posts/hooking-into-docking-undocking-events-to-run-scripts.mdwn
index dc04f8d..eb22b74 100644
--- a/posts/hooking-into-docking-undocking-events-to-run-scripts.mdwn
+++ b/posts/hooking-into-docking-undocking-events-to-run-scripts.mdwn
@@ -24,7 +24,7 @@ as [suggested in this guide](http://phihag.de/2012/thinkpad-docking.html).
 
 Firstly, `/etc/acpi/events/thinkpad-dock`:
 
-    event=ibm/hotkey LEN0068:00 00000080 00004010
+    event=ibm/hotkey LEN0068:00 00000080 00006030
     action=su francois -c "/home/francois/bin/external-monitor dock"
 
 Secondly, `/etc/acpi/events/thinkpad-undock`:
@@ -36,6 +36,9 @@ then restart acpid:
 
     sudo systemctl restart acpid.service
 
+Note that I'm not using the real "docking" event (`ibm/hotkey LEN0068:00 00000080 00004010`)
+because it seems to be triggered too early and the new displays aren't ready.
+
 ## Finding the right events
 
 To make sure the events are the right ones, lift them off of:

Update instructions for systemd
diff --git a/posts/hooking-into-docking-undocking-events-to-run-scripts.mdwn b/posts/hooking-into-docking-undocking-events-to-run-scripts.mdwn
index b7bc5de..dc04f8d 100644
--- a/posts/hooking-into-docking-undocking-events-to-run-scripts.mdwn
+++ b/posts/hooking-into-docking-undocking-events-to-run-scripts.mdwn
@@ -32,9 +32,9 @@ Secondly, `/etc/acpi/events/thinkpad-undock`:
     event=ibm/hotkey LEN0068:00 00000080 00004011
     action=su francois -c "/home/francois/bin/external-monitor undock"
 
-then restart udev:
+then restart acpid:
 
-    sudo service udev restart
+    sudo systemctl restart acpid.service
 
 ## Finding the right events
 
@@ -46,7 +46,7 @@ and ensure that your script is actually running by adding:
 
     logger "ACPI event: $*"
 
-at the begininng of it and then looking in `/var/log/syslog` for this lines
+at the begininng of it and then looking in `/var/log/syslog` for lines
 like:
 
     logger: external-monitor undock
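Review bot: the rewritten line still misspells "beginning" as "begininng"; since this line is already being touched to change "this lines" to "lines", the spelling should be fixed in the same hunk.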

Replace "lenovo" tag with "thinkpad" and add it to docking post
diff --git a/posts/hooking-into-docking-undocking-events-to-run-scripts.mdwn b/posts/hooking-into-docking-undocking-events-to-run-scripts.mdwn
index 45d6e0d..b7bc5de 100644
--- a/posts/hooking-into-docking-undocking-events-to-run-scripts.mdwn
+++ b/posts/hooking-into-docking-undocking-events-to-run-scripts.mdwn
@@ -71,4 +71,4 @@ I used:
     xrandr -d :0.0 --output eDP1 --auto
     xrandr -d :0.0 --output DP2 --left-of eDP1
 
-[[!tag debian]] [[!tag nzoss]]
+[[!tag debian]] [[!tag nzoss]] [[!tag thinkpad]]
diff --git a/posts/upgrading-lenovo-thinkpad-bios-under-linux.mdwn b/posts/upgrading-lenovo-thinkpad-bios-under-linux.mdwn
index 1b2b5f7..364bd47 100644
--- a/posts/upgrading-lenovo-thinkpad-bios-under-linux.mdwn
+++ b/posts/upgrading-lenovo-thinkpad-bios-under-linux.mdwn
@@ -45,4 +45,4 @@ partition name, for the USB stick):
 then restart and boot from the USB stick by pressing Enter, then F12 when
 you see the Lenovo logo.
 
-[[!tag debian]] [[!tag nzoss]] [[!tag lenovo]] [[!tag thinkpad]]
+[[!tag debian]] [[!tag nzoss]] [[!tag thinkpad]]

Comment moderation
diff --git a/posts/using-dnssec-and-dnscrypt-in-debian/comment_7_8d2220b92f520d2b021df5764746d2ec._comment b/posts/using-dnssec-and-dnscrypt-in-debian/comment_7_8d2220b92f520d2b021df5764746d2ec._comment
new file mode 100644
index 0000000..a6cc05f
--- /dev/null
+++ b/posts/using-dnssec-and-dnscrypt-in-debian/comment_7_8d2220b92f520d2b021df5764746d2ec._comment
@@ -0,0 +1,10 @@
+[[!comment format=mdwn
+ ip="109.163.234.2"
+ claimedauthor="Martin"
+ url="blog.mdosch.de"
+ subject="Captive Portal"
+ date="2017-07-07T14:34:50Z"
+ content="""
+I'm doing a lot of business trips so I'm using a lot of Airport and Hotel WiFis. So far I could reach all the captive portals when directly typing http://1.1.1.1 into my browser address bar. I don't know if this a standard but so far it seems all the captive portals are reachable this way.
+If it won't work I would have a look at the IP DHCP gave, e.g. 192.168.10.42, and then would try to acces 192.168.10.1 (but I never needed to try this as 1.1.1.1 always worked for me).
+"""]]

Comment moderation
diff --git a/posts/setting-up-raid-on-existing/comment_15_ea7bf9dd2aaddafefc2ca34aebd387a4._comment b/posts/setting-up-raid-on-existing/comment_15_ea7bf9dd2aaddafefc2ca34aebd387a4._comment
new file mode 100644
index 0000000..14281bc
--- /dev/null
+++ b/posts/setting-up-raid-on-existing/comment_15_ea7bf9dd2aaddafefc2ca34aebd387a4._comment
@@ -0,0 +1,21 @@
+[[!comment format=mdwn
+ ip="83.208.32.87"
+ claimedauthor="TyNyT"
+ subject="Proper Grub approach"
+ date="2017-06-25T18:33:53Z"
+ content="""
+Hi, I found the Grub reconfig too complex and not working well in case the /boot is on a separate partition, failing to rescue mode.
+
+Instead of fiddling with the grub console, one can fix the issue before reboot - just to chroot into the mounted md partitions (be aware, CHOOSE TO INSTALL GRUB TO MD-ENABLED DRIVE _ONLY_, just not to touch the \"source\" drive):
+
+    mount -t proc /proc /mnt/mntroot/proc
+    mount --rbind /sys /mnt/mntroot/sys
+    mount --make-rslave /mnt/mntroot/sys
+    mount --rbind /dev /mnt/mntroot/dev
+    mount --make-rslave /mnt/mntroot/dev
+    chroot /mnt/mntroot /bin/bash
+    source /etc/profile
+    dpkg-reconfigure grub-pc  
+
+I consider this approach to be much cleaner.
+"""]]