A small firewall of China

There have been quite a few spam{bots,turks} lately passing through Drupal Captcha, reCAPTCHA, the Honeypot module… After a bit of research, I decided to block China from accessing my site. It turned out to be easy:

# install geoip filter into iptables
apt-get install xtables-addons-common
# download the existing geoip database
/usr/lib/xtables-addons/xt_geoip_dl
# set up csv parser in perl
apt-get install libtext-csv-xs-perl
# create a directory for geoip filter's database
mkdir /usr/share/xt_geoip
# build the database
/usr/lib/xtables-addons/xt_geoip_build  -D /usr/share/xt_geoip  *.csv
# load the geoip filter module
modprobe xt_geoip
# block China
iptables -A INPUT -m geoip --src-cc CN -j DROP

PROFIT!!!

P.S. Next in sight is the US. The US and China account for 97% of Drupal spam.
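One pitfall in the recipe above: iptables -A appends, so if the INPUT chain already holds an ACCEPT for port 80 or 443, the geoip DROP behind it never sees that traffic. The following added checker (my example, not the post's own code) parses iptables-save output for the INPUT chain and reports the web ports whose ACCEPT precedes the geoip DROP for a given country code; the sample rules are constructed, and the matcher accepts both the `--src-cc` spelling used above and the longer `--source-country` form.

```python
import sys

# Constructed sample of iptables-save output: port 80 was opened *before*
# the geoip rule, so CN traffic to port 80 is still accepted.
SAMPLE_RULES = """\
*filter
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m geoip --source-country CN -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""

def input_rules(save_text):
    """Return the INPUT chain's rules, in order, as token lists."""
    return [ln.split() for ln in save_text.splitlines() if ln.startswith("-A INPUT ")]

def is_geoip_drop(tokens, cc):
    """True if this rule is an (un-negated) geoip DROP covering country cc."""
    if "geoip" not in tokens or tokens[-2:] != ["-j", "DROP"]:
        return False
    for flag in ("--src-cc", "--source-country"):
        if flag in tokens:
            i = tokens.index(flag)
            if i > 0 and tokens[i - 1] == "!":  # "! --source-country" inverts the match
                return False
            return cc in tokens[i + 1].split(",")
    return False

def accepted_port(tokens):
    """Return the --dport an ACCEPT rule opens, or None for any other rule."""
    if tokens[-2:] != ["-j", "ACCEPT"] or "--dport" not in tokens:
        return None
    return tokens[tokens.index("--dport") + 1]

def shadowed_ports(save_text, cc, ports=("80", "443")):
    """Web ports whose ACCEPT comes before the geoip DROP for cc (or where no DROP exists)."""
    seen_drop, shadowed = False, []
    for tokens in input_rules(save_text):
        if is_geoip_drop(tokens, cc):
            seen_drop = True
        port = accepted_port(tokens)
        if port in ports and not seen_drop:
            shadowed.append(port)
    return shadowed

if __name__ == "__main__":  # pipe `iptables-save` in to audit a live box, else use the sample
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RULES
    print("ACCEPT rules shadowing the CN DROP on ports:", shadowed_ports(text, "CN"))
```

If the list is non-empty, insert the geoip rule with `iptables -I INPUT 1` (or before the offending ACCEPT) instead of appending it.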

Hosting Drupal on bare metal vs. cloud (Acquia)

We hosted Drupal websites at Hetzner for a few years. While it's unbeatable on price, it requires a skilled Linux sysadmin, which weighs on personnel costs. Our guesstimate was that we'd pay a third more for Drupal hosting, but our sysadmin costs would go down by ⅔. Add in non-material considerations, such as lower personnel turnover risk and better DDoS protection, and alternatives to Hetzner start to look almost attractive.

So, we decided to check Drupal cloud hosting solutions and asked for quotes from Pantheon and Acquia. Pantheon was less expensive and had more features. It also edged out Acquia on technology by using Linux containers instead of Amazon Web Services as underlying infrastructure. Unfortunately, Pantheon servers were located near Chicago, while most of our readers are from Europe, so we had no choice but to go for Acquia.

Notes on setting up Debian with ChromeOS kernel on a SD card plugged into Samsung ARM Chromebook

Two main sources of my inspiration were this post by Daniel P. Berrangé and this very detailed HOWTO on Debian User Forums.

There's also a great, albeit a bit stripped down rootfs from Vassilis Laganakos for those who don't want to bother using debootstrap.

Here's my script to run in root shell on ChromeOS to put the signed kernel onto the SD card:

# kernel command line: root on the SD card's third partition; lsm.module_locking=0 allows loading modules
echo "console=tty1 debug verbose root=/dev/mmcblk1p3 rootwait rw lsm.module_locking=0" > /tmp/config
# take the currently installed, signed ChromeOS kernel as the template blob
dd if=/dev/mmcblk0p2 of=/tmp/oldblob
# re-sign the kernel with the developer keys and the new command line
vbutil_kernel --repack /tmp/newkern --keyblock /usr/share/vboot/devkeys/kernel.keyblock --version 1 \
  --signprivate /usr/share/vboot/devkeys/kernel_data_key.vbprivk --config=/tmp/config --oldblob /tmp/oldblob
# write it to both kernel partitions of the SD card
dd if=/tmp/newkern of=/dev/mmcblk1p1
dd if=/tmp/newkern of=/dev/mmcblk1p2
# mark both as successful (-S), with boot tries (-T) and priority (-P); KERN-A is preferred
cgpt add -i 1 -S 1 -T 5 -P 10 -l KERN-A /dev/mmcblk1
cgpt add -i 2 -S 1 -T 5 -P 5 -l KERN-B /dev/mmcblk1

Note the use of the --oldblob option: newer ChromeOS does not mount /boot anymore, but HOWTOs out there still suggest pointing to the kernel with --vmlinuz. Also, lsm.module_locking=0 is important. Without it, you won't be able to load kernel modules in Debian.

How to backup to an external disk once it is plugged in

How it should work:

  • insert a disk with a partition labelled as backup
  • wait until the beep
  • remove the disk

To label an ext3/ext4 disk, use

e2label device [newlabel]

Then, create a udev rule that runs your script when you insert a disk with a partition labelled backup:

echo 'ACTION=="add", KERNEL=="sd*", ENV{ID_FS_LABEL}=="backup", RUN+="/usr/local/bin/backup.sh"' \
  >> /etc/udev/rules.d/99-backup.rules

Your backup script can be as simple as this:

#!/bin/sh
# Runs from udev, so there is no $PATH: every command is given by absolute path.
# udev kills RUN programs that outlive the event, so keep the tree small or hand
# a large copy off to a detached process.
/bin/mount /dev/disk/by-label/backup /media/backup && \
  /usr/bin/rsync -r /home/* /media/backup && \
  /bin/umount /media/backup && \
  /usr/bin/beep

Watch out: $PATH is not set, so you should use absolute paths everywhere.

To make it all work, reload udev rules with

udevadm control --reload-rules

Convert a git repository from submodules to subtrees

Git submodules and git subtrees are well explained in the git-scm book.

Here's a small script that automatically converts the former to the latter:

#!/bin/bash
# Converts every submodule listed in .gitmodules into a subtree merge of the
# commit the superproject currently pins, then drops .gitmodules.
set -e
git config -f .gitmodules --name-only --get-regexp '^submodule\..*\.path$' |
while read -r key; do
  name=${key#submodule.}; name=${name%.path}
  mpath=$(git config -f .gitmodules "submodule.$name.path")
  murl=$(git config -f .gitmodules "submodule.$name.url")
  mcommit=$(git rev-parse "HEAD:$mpath")   # commit recorded in the superproject
  mname=$(basename "$mpath")               # used as remote and temporary branch name
  echo -e "$mname\t$mpath\t$murl\t$mcommit"
  git submodule deinit "$mpath"
  git rm -r --cached "$mpath"
  rm -rf "$mpath"
  git remote add "$mname" "$murl"
  git fetch "$mname"
  git branch "_$mname" "$mcommit"
  git read-tree --prefix="$mpath/" -u "_$mname"
done
git rm .gitmodules

OK… Here's another way to add random signatures to Gmail. Now using Google Apps Script.

It almost works. It updates the signatures that you store in a Google Sheet at regular intervals. The only problem is… you have to be a Google Apps for Business administrator to run this thing, because the only way to update a Gmail signature programmatically is via the Google Apps for Business Admin SDK. Ha-ha. Another problem is that the signature only gets updated when you refresh the page. But that's a minor thing ;-)

Check it out and make a copy to have access to the script. And here's the code:

On the usefulness of Akoma Ntoso

There have been very few laws that I followed closely, but all of them had a direct impact on my life, so I took this seriously. I didn't actually follow the laws themselves, but rather the legislative processes, because I either wanted a change or was averse to it. In both cases, the object of interest was not the law itself, but its evolution.

You should already know that most laws are hand-crafted patches applied to previous laws. There are virtually no laws written from scratch; one notable exception is the constitution. Other laws refer to past laws.

For example, today's law that extends the powers of the Belgian intelligence service is a patch applied to the law that created the service in 1996, and it says literally this:

  • Go to article 3 of the past law and append this extra paragraph
  • commit your changes in the legislative branch
  • push to the executive branch

If you go and search for the original law, you won't find it that easily, because laws were digitized back to 1998, while the original law dates from 1996. If you are lucky, you'll have free online access to the so-called 'consolidated' version of the law. That is, a version with all the patches applied. However:
