Triaxx Web Log

Some notes on anything… Most of the stuff noted here is probably (i) not really clear, (ii) not really true and (iii) not really useful.

ACL

Access Control List

Set read + execute permissions to /etc/fooctl for jdoe user:

setfacl --modify user:jdoe:rX /etc/fooctl
ls -adl /etc/fooctl
drwxr-x---+ 2 root root 4096 Apr  8 11:59 /etc/fooctl

Set read permission to /etc/fooctl/fooctl.conf for jdoe user:

setfacl --modify user:jdoe:r /etc/fooctl/fooctl.conf
ls -adl /etc/fooctl/fooctl.conf
-rw-rw-r--+ 1 root root 1943 Apr  8 11:59 /etc/fooctl/fooctl.conf
getfacl /etc/fooctl/fooctl.conf
getfacl: Removing leading '/' from absolute path names
# file: etc/fooctl/fooctl.conf
# owner: root
# group: root
user::rw-
user:jdoe:r--
group::rw-
mask::rw-
other::r--
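
How the `mask::` line in the output above caps what `user:jdoe` really gets, as an added example that is not part of the original notes. `effective_acl` is a hypothetical helper that reads getfacl-style text on stdin, and the sample ACL is constructed.

```shell
#!/bin/sh
# Added example: compute effective rights from getfacl-style output.
# In a POSIX ACL the mask caps named-user, owning-group and named-group
# entries; user:: (owner) and other:: are never masked.

# effective_acl (hypothetical helper): reads getfacl text on stdin and
# prints "<tag>:<qualifier> <granted> <effective>" for each access entry.
effective_acl() {
    awk -F: '
        /^#/ || /^default:/ || NF < 3 { next }   # skip comments and default ACLs
        { sub(/[ \t]*#.*/, "", $3)               # drop "#effective:..." hints
          tag[++n] = $1; who[n] = $2; perm[n] = $3
          if ($1 == "mask") mask = $3 }
        END {
            for (i = 1; i <= n; i++) {
                eff = perm[i]
                masked = (tag[i] == "group" || (tag[i] == "user" && who[i] != ""))
                if (masked && mask != "") {
                    eff = ""
                    for (k = 1; k <= 3; k++) {
                        p = substr(perm[i], k, 1)
                        eff = eff (substr(mask, k, 1) == "-" ? "-" : p)
                    }
                }
                print tag[i] ":" who[i], perm[i], eff
            }
        }'
}

# Constructed sample: same shape as the fooctl.conf ACL, after a
# "chmod g-rw" style change shrank the mask to ---.
sample_acl() {
    cat <<'EOF'
# file: etc/fooctl/fooctl.conf
# owner: root
# group: root
user::rw-
user:jdoe:r--
group::rw-
mask::---
other::r--
EOF
}

sample_acl | effective_acl
```

On a live system, pipe `getfacl <file>` into `effective_acl` after any `chmod`, since changing the group bits of a file that has an ACL rewrites the mask.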

Remove read permission from /etc/fooctl/fooctl.conf for jdoe user:

Netstat

Show listening TCP connections:

netstat --listening --tcp

Show the programs associated with listening TCP and UDP sockets (root privileges needed):

netstat --listening --tcp --udp --program

Xen

Dom0 here is Debian GNU/Linux Trixie. Install the hypervisor:

apt install xen-hypervisor
systemctl reboot

OpenBSD as DomU

Add file /etc/xen/auto/obsd.cfg

type       = "hvm"
name       = "obsd"
memory     = 4096
vcpus      = 2
disk       = [ '/opt/xen/install78.iso,,xvdc,cdrom', '/dev/vg0/lv-obsd,,xvda' ]
vif        = [ 'mac=00:16:3e:a1:ff:01,bridge=xenbr0' ]
serial     = "pty"
vnc        = 1
vnclisten  = "127.0.0.1"
vncdisplay = 42

Create bridge interface:

cat > /etc/network/interfaces.d/xenbr0 << EOF
auto xenbr0
iface xenbr0 inet static
  address 192.168.100.1
  netmask 255.255.255.0
  bridge_ports none
EOF

Redirect output to serial console:

xl create -c /etc/xen/auto/obsd.cfg

From the VNC viewer:

boot> set tty com0

LVM

Initialize partition sda5 for use by LVM:

pvcreate /dev/sda5

Create Volume Group vg0 on partition sda5:

vgcreate vg0 /dev/sda5

Create Logical Volume lv-data in Volume Group vg0:

lvcreate --size 64g vg0 --name lv-data

Reduce the size of Logical Volume lv-data in Volume Group vg0 when lv-data does not contain a filesystem:

lvreduce --size 16g vg0/lv-data

Disk encryption

LUKS

Erase partition-table and filesystem signatures and overwrite the device with random data:

wipefs --all /dev/sde
dd if=/dev/urandom of=/dev/sde bs=4M status=progress

Initialize a LUKS partition and open it:

cryptsetup luksFormat /dev/sde

WARNING!
========
This will overwrite data on /dev/sde irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/sde: 
Verify passphrase:
cryptsetup open /dev/sde foo
Enter passphrase for /dev/sde:

Make filesystem and mount it:

mkfs.ext4 /dev/mapper/foo
mke2fs 1.47.4 (6-Mar-2025)
Creating filesystem with 111616 1k blocks and 27888 inodes
Filesystem UUID: e4805c08-4d97-48c8-921f-91b203279131
Superblock backups stored on blocks: 
        8193, 24577, 40961, 57345, 73729

Allocating group tables: done                            
Writing inode tables: done                            
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: done 

mount /dev/mapper/foo /mnt

GPG

Configuration

See short key id when listing keys:

echo "keyid-format short" >> ~/.gnupg/gpg.conf

Generation

Generate a main key to sign and certify, and a subkey to encrypt:

gpg --full-generate-key
gpg (GnuPG) 2.5.18; Copyright (C) 2025 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (9) ECC (sign and encrypt) *default*
  (10) ECC (sign only)
  (14) Existing key from card
  (16) ECC and Kyber
Your selection?
Please select which elliptic curve you want:
   (1) Curve 25519 *default*
   (4) NIST P-384
   (6) Brainpool P-256
Your selection?
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: John Doe
Email address: john@doe.net
Comment: 
You selected this USER-ID:
    "John Doe <john@doe.net>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: revocation certificate stored as '/home/jdoe/.gnupg/openpgp-revocs.d/4960E99609DA1753CC6798800DB4D7504AFFB5E4.rev'
public and secret key created and signed.

pub   ed25519/4AFFB5E4 2026-03-25 [SC]
      4960E99609DA1753CC6798800DB4D7504AFFB5E4
uid                    John Doe <john@doe.net>
sub   cv25519/D76499B8 2026-03-25 [E]
      58C2231CAEAF923DB403051E3CFD617FD76499B8

Edit key to add a signing subkey:

Restic

Use restic to back up a set of files/directories to several repositories.

Repo initialization

mkdir -p ~/.config/restic

echo "sftp:bak.triaxx.io:/srv/restic-repo" > ~/.config/restic/repo-bak

restic --repository-file ~/.config/restic/repo-bak init

Backup

find /etc /home -print > ~/.config/restic/files

restic --repository-file ~/.config/restic/repo-bak \
       backup \
       --files-from-verbatim ~/.config/restic/files \
       --skip-if-unchanged

Linux Automation

Create a systemd template service to execute restic backup for each repository:

mkdir -p ~/.config/systemd/user

cat > ~/.config/systemd/user/restic-backup@.service << EOF
[Unit]
Description=Restic backup service for %i repository
After=network.target

[Service]
Type=oneshot
ExecStart=/usr/bin/restic backup --files-from-verbatim %E/restic/files --skip-if-unchanged
ExecStartPost=/usr/bin/restic forget --keep-last 5 --prune
Environment="RESTIC_PASSWORD_COMMAND=%E/restic/passcmd"
Environment="RESTIC_REPOSITORY_FILE=%E/restic/repo-%i"

[Install]
WantedBy=default.target
EOF

Create a target to back up to several repositories:

EFI

Efibootmgr

List UEFI entries:

efibootmgr

Delete entry 0013:

efibootmgr -B -b 0013

Create new entry:

efibootmgr --create --label "HD001" --loader "\EFI\BOOT\BOOTX64.EFI"

Disk check

Bad blocks

badblocks is used to search for bad blocks on a device. It can be installed on NetBSD with:

pkgin install e2fsprogs

or on macOS with:

brew install e2fsprogs

A test can be launched by executing the following command:

# Device must first be unmounted on macOS
sudo diskutil unmountDisk /dev/<device>
badblocks -n -s -v /dev/<device>

where <device> can be identified by executing:

dmesg | tail

right after plugging in the USB flash storage on GNU/Linux or NetBSD and

Arch Linux

Installation

Boot image

curl --output archlinux-x86_64.iso https://mirror.srv.fail/archlinux/iso/2026.03.01/archlinux-x86_64.iso
# on macOS
sudo dd if=archlinux-x86_64.iso of=/dev/disk4 bs=1m status=progress
# on NetBSD
dd if=/home/triaxx/archlinux-x86_64.iso of=/dev/sd2d bs=1m progress=100

System configuration

After booting from USB disk:

localectl list-keymaps | grep fi
loadkeys fi
timedatectl set-timezone Europe/Helsinki

Partitioning

Erase partition-table and filesystem signatures:

wipefs --all /dev/sda

Create empty partition table:

echo 'label: gpt' | sfdisk /dev/sda

List available types for GPT:

sfdisk --label gpt --list-types

Create partitions:

echo "size=512MiB, name=efi, type=efi-system" | sfdisk /dev/sda
echo "size=512MiB, name=boot, type=linux-extended-boot" | sfdisk /dev/sda --append
echo "size=36GiB, name=linux-swap, type=linux-swap" | sfdisk /dev/sda --append
echo "size=128GiB, name=linux-root, type=linux-root-x86-64" | sfdisk /dev/sda --append
echo "size=36GiB, name=freebsd-swap, type=freebsd-swap" | sfdisk /dev/sda --append
echo "size=128GiB, name=freebsd-root, type=freebsd-ufs" | sfdisk /dev/sda --append
echo "size=+, name=data, type=freebsd-zfs" | sfdisk /dev/sda --append

Make filesystems:

Figlet

File header

figlet Makefile | sed -e "s|^|# |" > Makefile

Mercurial

Initialization

hg init
cat >> .hg/hgrc << EOF
[ui]
username = triaxx <triaxx@triaxx.io>
EOF

Usage

hg status
hg add <file>
hg forget <file>
hg commit
hg log --graph

Change the message of the last commit:

hg commit --amend

Revert to the last commit version:

hg revert
hg revert --no-backup

Extensions

Enable histedit:

cat >> .hg/hgrc << EOF
[extensions]
histedit =
EOF

Hugo

Abstract

Hugo is an open-source static website generator. It is written in Go and takes Markdown files as input to produce a static HTML website.

Initialization

Site

hugo new project <path>
cd <path>
cat > hugo.toml << EOF
baseURL = 'https://triaxx.io/'
languageCode = 'fr-FR'
title = 'Triaxx Web Log'
EOF

Theme

A theme is mandatory to build sites.

hugo new theme <name>
echo "theme = '<name>'" >> hugo.toml

An example menu can be copied from themes/<name>/hugo.toml: