<feedxmlns="http://www.w3.org/2005/Atom"><title>LEdoian's Blog</title><linkhref="https://blog.ledoian.cz/"rel="alternate"></link><linkhref="https://blog.ledoian.cz/feeds/all.atom.xml"rel="self"></link><id>https://blog.ledoian.cz/</id><updated>2024-01-24T03:20:00+01:00</updated><entry><title>Do not forget about IPv6 DNS</title><linkhref="https://blog.ledoian.cz/forgetting-dns6.html"rel="alternate"></link><published>2024-01-24T03:20:00+01:00</published><updated>2024-01-24T03:20:00+01:00</updated><author><name>LEdoian</name></author><id>tag:blog.ledoian.cz,2024-01-24:/forgetting-dns6.html</id><summarytype="html"><p>Do you think IPv6-only internet works OK? I am going to tell you that it does
not, but it is not immediately visible. TL;DR: The internet can be broken also
by forgetting to add AAAA records of the <em>nameservers</em>. This creates IPv4
requirement for the resolving even when the …</p></summary><contenttype="html"><p>Do you think IPv6-only internet works OK? I am going to tell you that it does
not, but it is not immediately visible. TL;DR: The internet can be broken also
by forgetting to add AAAA records of the <em>nameservers</em>. This creates IPv4
requirement for the resolving even when the target is reachable using IPv6.</p>
<div class="section" id="quick-recap">
<h2>Quick recap</h2>
<p>Connecting to a website is easy, right? You type in the name, you get the front page.</p>
<h3>Reaching IPv4 land from IPv6-only</h3>
<p>There are few^H^H^Hmany sites that still only support IPv4. To reach them, we
need someone who can reach both the IPv4- and IPv6-land to go there on our
behalf – a proxy. This proxy can be ad-hoc (I often use <tt class="docutils literal">ssh <span class="pre">-D</span></tt>) or there
are well-known protocols like NAT64 with DNS64 to do that in a standard and
<p class="caption">And now we can reach the whole internet.</p>
</div>
<p>You might already know that you need some workaround like this to reach GitHub.
What I think you might not know, you need similar workaround to reach the Wikipedia.</p>
<p>Disclaimer: I like Wikipedia and this is not meant to shame them, just use as
an example. I am aware of several other sites suffering from the same problem,
including at least one IPv6 test. <a class="footnote-reference" href="#test-aaaa" id="footnote-reference-2">[2]</a> (It would be nice if they added
the missing piece in the puzzle, though.)</p>
</div>
</div>
<div class="section" id="enter-dns">
<h2>Enter DNS</h2>
<p>Our picture has one unexplored magic box: the DNS. As per the definition (which
I just made up and was not bothered to even fully formulate):</p>
<blockquote>
yada yada distributed database of records attached to the strings – domain
names. The records hold various information about the domain depending on the type.</blockquote>
<p>There are three interesting types of records: A records give IPv4 addresses,
AAAA give IPv6 addresses and NS give names of servers who know about the
particular subtree of the database. And to actually resolve the final AAAA
record the (recursive) resolver starts at the <em>root zone</em> and tries to find
the answer. <a class="footnote-reference" href="#dns-simplification" id="footnote-reference-3">[3]</a> The resolution algorithm can be visualised like this:</p>
<p>So, what is the deal. We <em>just</em> need to have a dual-stack DNS resolver
somewhere, and that's it, no? Well, yes but actually yes.</p>
<p>There are two problems with this: First, this means that any new ISP needs to
have <em>at least some</em> IPv4 address, even if they intend to just use IPv6
services. IPv4 addresses are scarce, <a class="reference external" href="https://blog.apnic.net/2021/12/16/opinion-ipv4-address-markets/">expensive</a> and small
new ISP's and from overal routing's point of view. It also hinders IPv6
deployment and postpones IPv4 abandonment, needlessly.</p>
<p>The second issue is that this is not very visible. We are building IPv6 world,
but deep inside it still relies on IPv4, which might lead to great surprise
when we start cutting off IPv4 internet. And it might lead to false sense of
having IPv6 deployed, which is not true to the whole extent.</p>
<p>Insert &quot;It was DNS&quot; meme here.</p>
</div>
<div class="section" id="solution">
<h2>Solution</h2>
<p>The solution of this state is simple: get IPv6 connectivity to your
authoritative DNS server (or use another) and do not forget to add an AAAA
record for it in DNS. If the DNS server already has IPv6 it is probably just
a matter of adding a single line to the zone file (and a second one for the DNSSEC
signature), which should not be a big deal.</p>
<p>Unfortunately, this needs to be done for the whole DNS chain.
Especially domain names at universities are infamous for very nested domains.
A domain name may look like
<tt class="docutils literal"><span class="pre">machine.department.location.faculty.university.some-common.suffix</span></tt>. That
tree is deep and so is the resolution of this problem.</p>
<tr><td class="label"><a class="fn-backref" href="#footnote-reference-1">[1]</a></td><td>This is very much the same as when you try to reach the
IPv4-public-land from IPv4-private-land, that is, from a private range of IP
addresses. This is called either just NAT, or NAT44 to denote IPv4-to-IPv4 NAT.</td></tr>
<tr><td class="label"><a class="fn-backref" href="#footnote-reference-2">[2]</a></td><td>There are several more tests that do not even have the AAAA
<tr><td class="label"><a class="fn-backref" href="#footnote-reference-3">[3]</a></td><td>In my example, there is a single recursive DNS
resolver external to my machine in order not to complicate it too much.
The real deployment is often trickier.</td></tr>
<tr><td class="label"><a class="fn-backref" href="#footnote-reference-4">[4]</a></td><td>I have not yet tried to run a recursive DNS in a network
with DNS64 and NAT64. Could be fun :-D My wild guess is that I would need
CLAT (i.e. the full 464XLAT deployment) to make that work, since the
resolver is connecting directly to IPv4 addresses and would need to learn to
use NAT64 to resolve them. (The CLAT could be built right into the resolver,
though).</td></tr>
</tbody>
</table>
</div>
</content><categoryterm="networking"></category><categoryterm="ipv6-only"></category><categoryterm="dns"></category></entry><entry><title>About this blog</title><linkhref="https://blog.ledoian.cz/about-blog.html"rel="alternate"></link><published>2024-01-10T16:47:00+01:00</published><updated>2024-01-10T16:47:00+01:00</updated><author><name>LEdoian</name></author><id>tag:blog.ledoian.cz,2024-01-10:/about-blog.html</id><summarytype="html"><p>This is my blog and this article describes its setup and other details about my
intentions. The actual <a class="reference internal" href="#the-setup">setup</a> is probably the most
interesting tech-wise.</p>
<div class="section" id="what-is-this">
<h2>What is this?</h2>
<p>My own space on the internet where I can post whatever and link others to it.
It might end up containing rants …</p></div></summary><contenttype="html"><p>This is my blog and this article describes its setup and other details about my
intentions. The actual <a class="reference internal" href="#the-setup">setup</a> is probably the most
interesting tech-wise.</p>
<div class="section" id="what-is-this">
<h2>What is this?</h2>
<p>My own space on the internet where I can post whatever and link others to it.
It might end up containing rants, guides, ideas, or maybe nothing at all in the
end. Only the future will tell.</p>
<p>The blog might even serve as my personal web page/introduction. Maybe. Maybe not…</p>
<p>The main motivation is to have low-effort way to post random stuff. Which leads
to my requirements for this thing.</p>
</div>
<div class="section" id="requirements">
<h2>Requirements</h2>
<p>(The requirements are a bit too idealistic, so not all of them were satisfied…)</p>
<ul class="simple">
<li>low-effort, me-friendly, low-maintenance – I don't want to have to learn too
many new technologies to use this. This includes the required technologies:
<li>Technical and math content ~~friendly~~ compatible – I expect that to appear
here.</li>
<li>Static site – for security, coolness factor and control. Also static on the
front-end, because I don't like JavaScript and/or running untrusted code on
my machine (even when in a sandbox). The SSG should likely be aimed at
creating blogs, not documentation. Also, self-contained, as in not depending
on third-party sites.</li>
<li>No moving parts in the infrastructure (or as few as possible) – if it works
on my machine, it should just get mirrored to the public site with as few
modifications as possible.</li>
<li>Transparent – I should be able to understand it, maybe others could also use
it as a resource or take inspiration. (At one point, this deployment itself
started being interesting, so if I can share the background as well as the
final webpage, it would be cool.)</li>
<li>Followable – I know you internet guys like to ~~stalk~~ follow people :-)</li>
<li>Aligned with my values: minimalist, simple, extensible/hackable, FLOSS</li>
<li>If the platform could distinguish translations and do strikethroughs, it would
be nice, but that is not a hard requirement.</li>
</ul>
<p>There are several features of conventional blogs that I consider to be a
non-goals or even anti-goals. Mostly it is about interactivity – I don't aim
for having any kind of comments here, or really anything that would require
JavaScript or complex HTML/CSS. And appearance goes past me as well, I instead
try to let the browser decide how to display this page – more on that <a class="reference internal" href="#design-considerations">below</a>.</p>
<p>The workflow I wanted to achieve is something like: Write the content, git it,
build it (locally, no CI/CD), push it, done. Single write, single push, very
simple.</p>
<p>And I managed to achieve something like that, via learning (too much?) about
git.</p>
<!-- TODO: fix the worktree bug already! -->
</div>
<div class="section" id="the-setup">
<h2>The setup</h2>
<p>Naturally for a sysadmin/netadmin, the setup consists of 7 ~~ISO/OSI~~ layers:</p>
<ol class="arabic simple">
<li><strong>Physical layer</strong>: cheap Hetzner VPS. Not physical, but whatever.</li>
<li><strong>Persistence layer</strong>: <a class="reference external" href="https://gitea.ledoian.cz/LEdoian/blog">this git repo</a>. I will elaborate below why can
you see this both rendered here and in the source form in Forgejo.</li>
<li><strong>Content layer</strong>: Markdown or reStructuredText files.</li>
<li><strong>Business logic layer</strong>: <a class="reference external" href="https://getpelican.com">Pelican</a>. It's rather
popular and written in Python, I didn't look further.</li>
<li><strong>Presentation layer</strong>: I hacked my own theme, because I didn't like any in
the <a class="reference external" href="https://github.com/getpelican/pelican-themes">pelican-themes repo</a>.
I was a bit inspired by the layout of <a class="reference external" href="https://eev.ee/blog">eevee's blog</a>, but I wanted a dark theme. And as you can see, I
can't do quality frontend, so it ended up horrible… :-D</li>
<li><strong>Stalking layer</strong>: Pelican's built-in RSS and Atom feed generators. Not
linked from anywhere at the moment, but <a class="reference external" href="https://gitea.ledoian.cz/LEdoian/blog/src/branch/blog/output/feeds">the repo will tell you</a> what
hides under the <tt class="docutils literal">/feeds/</tt> path. Or you can utilize the repo (for personal
use – the content's license is not decided at the moment)…</li>
</ol>
<p>Most of this is straightforward, the fancy part is my repo. The repo contains
both source and rendered content, so that I can point Nginx right at a checkout
and have Git solve both persistence and deployment without additional moving
parts.</p>
<p>There are two tricks in the configuration of Git repositories: pushing to a
checked out repo is enabled by configuring <tt class="docutils literal">receive.denyCurrentBranch =
updateInstead</tt> in the target repository (which is just a normal repo, not a
bare one), and then I just told my source repositories <a class="footnote-reference" href="#multiple-src" id="footnote-reference-1">[1]</a> to use
two push targets for the remote (the first line <em>replaces</em> the original push
<p>The blog user is just a user with SSH access via authorized keys, no special
sauce there. Nginx is then pointed to serve <tt class="docutils literal">~blog_user/blog_dir/output/</tt> at
<tt class="docutils literal">blog.ledoian.cz</tt>. (The <tt class="docutils literal"><span class="pre">git-remote(1)</span></tt> manpage requires me to have both
repositories in sync, but as long as I configure all my repositories this way,
I should be safe, and I think I could get away with my blog checkout getting
<h2>My workflow and lots of drafts</h2>
<p>It's Git so it's only natural for me to use various branches and repositories
even for a dumb blog. There are in fact 4 stages an article may go through <a class="footnote-reference" href="#skipping-stages" id="footnote-reference-2">[2]</a>:</p>
<ol class="arabic">
<li><p class="first">A private draft: lives on a branch <tt class="docutils literal">priv/something</tt>, may contain private
infos (like when I would just copy-paste from terminal without redaction)
and this branch will probably never be merged to the main repo. Nothing
about these branches is guaranteed.</p>
</li>
<li><p class="first">A public WIP draft: uses a branch called <tt class="docutils literal">pub/something</tt> which is pushed
to Forgejo (and in fact also to the blog itself, but that is just an
implementation detail). The draft is either does not build or is very
incomplete and I expect to add stuff in a way that could break the build, so
I put it on a separate branch. The branch will be probably merged to the
main branch (called <tt class="docutils literal">blog</tt>) when it is ready.</p>
<p>The <tt class="docutils literal">pub/…</tt> branches can be created either manually or by cherry-picking
from the respective <tt class="docutils literal">priv/…</tt> branch, but that will likely not be
distinguishable. (I am too lazy to keep the references even in the commit
logs.)</p>
</li>
<li><p class="first">When a draft is almost ready (or the content has simple syntax), it gets
placed on the <tt class="docutils literal">blog</tt> branch. The only thing that designates it as a draft
is <tt class="docutils literal">status: draft</tt> in the frontmatter, which means that the article will
get rendered and put somewhere on the public blog, but not reachable from
the title page (&quot;unlisted&quot;).</p>
</li>
<li><p class="first">Of course, eventually (and hopefully) the article gets published for
everyone to see. At that point, it is complete (or at least that is what I
thought when marking it as published). Possibly it might be updated in the
future, but no such update is anticipated at the moment of publishing. <a class="footnote-reference" href="#update-this" id="footnote-reference-3">[3]</a></p>
</li>
</ol>
<p>I use Git to synchronize my private branches among machines, so there are
actually two &quot;server-side&quot; repositories (private and public one) and thus two
<p>As for the actual workflow, for the main branch it usually consists of: writing
content, committing it, building the web, checking it locally, committing the
built blog and pushing it. Sometimes I do the commits together, but I always
separate the rendering/building commits from the content-creating ones, so that
I can handle those differently if needed (i.e. there is no point in
cherry-picking the built content, I can generate it). <a class="footnote-reference" href="#git-purists" id="footnote-reference-5">[5]</a></p>
<p>For other branches I use some applicable subset of the steps above, probably.</p>
<p>The appearance of the blog is maybe not nice. That is for two reasons: I don't
have the right idea about how to make it much better and I want to have a
rather simple CSS for the web. The latter wish is because I tend to tweak
appearance of sites I visit using my own styles, so I would like you to be able
to do the same.</p>
<p>And for the former reason, if you have any ideas / improvements (including user
styles), hit me at <a class="reference external" href="mailto:blog&#64;pokemon.ledoian.cz">blog&#64;pokemon.ledoian.cz</a> :-)</p>
<p>My overall idea is a dark-by-default <a class="footnote-reference" href="#light-theme" id="footnote-reference-6">[6]</a> minimalist page with a single menu on the
right containig all the relevant links. The page should not dictate too much
but rather let the user agent decide the rendering (<a class="reference external" href="https://html.spec.whatwg.org/multipage/rendering.html#rendering">it does anyway…</a>).</p>
<p>I want my blog to render similarly in Gecko-, WebKit- and Blink-based browsers
(e.g. Firefox, Badwolf, Qutebrowser). Others should be usable.
Browser-/engine-specific styles are not welcome – let's keep it simple. And no
<tr><td class="label"><a class="fn-backref" href="#footnote-reference-1">[1]</a></td><td>I also use multiple machines on which I can write stuff.</td></tr>
<tr><td class="label"><a class="fn-backref" href="#footnote-reference-2">[2]</a></td><td><p class="first">I am lazy and chaotic (good), so the stages are optional
and non-linear, and sometimes involve paper. This article is a prime
example: parts of it were on two different private branches, but at the end
I wrote it from scratch directly on the main branch. And the requirements
were written on a paper originally.</p>
<p class="last">Nevertheless, the general idea still holds and may inspire others, so it
makes sense to keep this part in the article. (Also, this footnote might not
make sense before reading the definition of the stages, but I didn't find a
<tr><td class="label"><a class="fn-backref" href="#footnote-reference-3">[3]</a></td><td>Well, given this article contains some future plans, I
actually anticipate update of this one, but maybe not in the near future. So
the outline is not really correct, but I make the rules :-) (There
were some build breaks on the main branch, too :-D)</td></tr>
<tr><td class="label"><a class="fn-backref" href="#footnote-reference-4">[4]</a></td><td>I would love if my Forgejo could have &quot;private
branches&quot;, but I understand that the overhead for doing this is not nice,
since it would need to be able to decide for any object, whether it is
public or not (you can do <tt class="docutils literal">git fetch &lt;remote&gt; <span class="pre">&lt;object-hash&gt;</span></tt>) and somehow
keep track even with rebases, merges, force-pushes, many branches, … Having
a separate private repository is not a big problem in comparison.</td></tr>
<tr><td class="label"><a class="fn-backref" href="#footnote-reference-5">[5]</a></td><td>Git purists might want to tell me that committing build
artifacts is not good practice. I know and I explicitly don't care in case
of this repo, because here I prioritise my own comfort of being able to
check everything locally and then be reasonably sure the deployed version
will also work, all this with only a single push somewhere. Of course, one
could argue that with that there is no reason to create two commits, but it
does not really bother me to run something like <tt class="docutils literal">git commit <span class="pre">-m&quot;render&quot;</span>
output/</tt> when I am sure it works, and this keeps readable diffs separate
from the non-readable ones (i.e. the changes in generated HTML).</td></tr>
<tr><td class="label"><a class="fn-backref" href="#footnote-reference-6">[6]</a></td><td>Having the page be dark-by-default is my preference, but I
respect that others may prefer light sites. However, I have not yet
determined what colors should be used (probably still cyan / blue / maybe
purple-ish, but I don't know what shade) nor understood how to use
<tt class="docutils literal"><span class="pre">&#64;media(prefers-color-scheme)</span></tt> in a maintainable and simple way (in the
context of my theme). So naturally, this is postponed to the future…</td></tr>
</tbody>
</table>
</div>
</content><categoryterm="technology"></category><categoryterm="meta"></category><categoryterm="infrastructure"></category></entry><entry><title>Smršť 2023 (CZ)</title><linkhref="https://blog.ledoian.cz/smrst2023-cs.html"rel="alternate"></link><published>2023-12-02T18:00:00+01:00</published><updated>2023-12-02T18:00:00+01:00</updated><author><name>LEdoian</name></author><id>tag:blog.ledoian.cz,2023-12-02:/smrst2023-cs.html</id><contenttype="html"><p>Na <a class="reference external" href="https://ksp.mff.cuni.cz/akce/smrst/2023/">Smršti</a> jsem přednášel o distribuci SW a o technicky zajímavých železničních neštěstích.</p>
<li><a class="reference external" href="https://blog.ledoian.cz/static/talks/smrst2023/talk.pdf">Slidy ke přednášce o neštěstích</a></li>
</ul>
<p>(Pozn.: Možná se ještě změní adresa téhle stránky, protože je to celé WIP…)</p>