![\"tobyx.com](\"https://tobyx.com/img/2020/darkmode-01.jpg\")
A year is Earth’s annual marathon around the Sun, clocking 940 million kilometers at 30 kilometers per second. Gravity keeps us tethered, inertia keeps us moving, and Earth spends the journey tilting and spinning like it’s auditioning for a dance competition. This relentless motion doesn’t just define time—it fuels life. Seasons shift, cycles renew, and we’re reminded that even the most “stable” systems are really just organized chaos in constant motion.
It’s a balancing act on a cosmic scale: axial tilts, elliptical orbits, and gravitational nudges syncing Earth’s rhythm with the Sun’s celestial calendar. Sure, the planet wobbles and the equinoxes drift, but somehow, it all works out. Meanwhile, humans—sitting on this spinning rock—like to think we’ve got it all figured out. Spoiler: we don’t.
For all our hubris, we imagine our actions rippling out to the cosmic scale. The truth is less flattering. Our grandest achievements amount to self-sabotage: destabilizing ecosystems, driving countless species to extinction, and reshaping our planet’s surface for worse. The Earth? She doesn’t care. Burn it, freeze it, flood it—she’ll keep spinning, unbothered, for millions of years. We’ll just be the fleeting footnote labeled “Experiment Gone Wrong.”
But here’s the kicker: knowing this doesn’t depress me—it motivates me. It’s oddly comforting to know the universe doesn’t revolve around us—literally or figuratively. It frees us up to focus on what actually matters: making life less terrible for each other. That’s all we can do. Nothing more, nothing less. So for 2025, how about we try something radical? Let’s be decent. Kindness isn’t just text on a postcard you send—it’s gravity for humans. It pulls us together, grounds us, and keeps us moving forward.
And let’s not stop there. Kindness alone isn’t enough. Racism, transphobia, inequality—they’re not cosmic inevitabilities; they’re human-made disasters, like pineapple on pizza but significantly worse. These problems persist because we let them. No, we don’t just let them, we pretend like they don’t exist. The more privileges you have, the easier it is to just sit in your happy bubble and ignore the injustices those less privileged than you suffer. Speak up. Amplify marginalized voices. Call out bigotry, even when it’s uncomfortable. Especially when it’s uncomfortable. Justice isn’t some lofty ideal—it’s the bare minimum we owe each other. Silence is complicity.
I want 2025 to be a year of growth. Not the “New Year, New Me” kind of growth, but the messy, uncomfortable, do-the-work kind. It will be fucking hard for me, and that’s good. Last year, I was dumbfounded to realize just how bigoted I was myself and how much of it remains in me. It’s hard work to make things better. Growth that happens when we build better communities, challenge our biases, and stop pretending that “neutrality” is a valid stance when people’s lives are on the line.
Kindness gets us started. Justice keeps us going. Let’s make 2025 the year we all step up, do more, and suck a whole lot less.
", "url": "https://tobyx.com/2025/in-the-year-2025", "date_published": "2025-01-06T11:30:00+00:00", "date_modified": "2025-01-06T11:30:00+00:00", "author": { "name": "" } }, { "id": "https://tobyx.com/2024/analytics", "title": "Privacy Preserving Analytics with Plausible", "content_html": "Google Analytics is free because you’re giving your visitors’ data over to Google. The GDPR has outlawed using it without getting prior explicit consent. How do you get that consent? It’s complicated.
I’m not going to have cookie banners. They are ugly, intrusive, and just leave a lingering feeling of “Why do they need my data? I just want to read this stupid blog post.”
I feel very uncomfortable giving away personally identifiable information to Google, who could use this data to track users across the web. Google says they are not doing this, but their incentives are just too high for me to be ok with it. I don’t want to feel filthy.
Companies already had to pay up for the use of Google Analytics and the subsequent transfer of user data across EU borders and rightfully so. This was with the use of cookie banners if I understand correctly. It appears even consent doesn’t make this behavior ok.
So I had to find a way to do analytics right. With my limited use of social media (for reasons I should elaborate on at some point) and the avoidance of far-right platforms like X, writing things on here is like writing into the void. I like to know if an article is performing well, but do so without gaining any knowledge on the person visiting this site.
Before this, I had a simple measurement of page views extracted from nginx access logs. My script would run once a month and just write a number into a text file. I’m not a developer so the script was hacked together, but it worked and at least gave me some data. Data I needed because I licensed fonts which need me to calculate monthly page views. This number was very inaccurate though because so many hits to this site are bots and intrusion attempts (it’s insane how many folks out there are probing for WordPress installations).
I could have self-hosted a tool like Matomo but this would add overhead to my hosting setup that I simply don’t accept. This site is static for a reason, and hosting a PHP application with potential security issues increases my attack surface substantially.
I could have analyzed server log files with a tool like GoAccess but this turned out to be clumsy. My nginx installation is writing log files with IP addresses anonymized so I don’t store personally identifiable information in the file system at any point in time. This makes the analytics very inaccurate, but most of all, GoAccess doesn’t filter out intrusion attempts and bots effectively. It was a nice idea, but yielded unusable results for me personally.
I ended up with Plausible.io. Plausible is an EU company with just the right stance on privacy. In order to differentiate unique visitors, a daily rotating salt is used together with the domain name, IP address, and user agent in order to create a hash and only this hash is stored. After a day, each returning visitor would count as unique again, so there’s no way to identify returning users past 24 hours.
Look. When you use the Internet, you leak personally identifiable information left and right, starting with your IP address. This differs by access method, country, and device to some extent, and it can be mitigated by using tools like iCloud Private Relay. But even that doesn’t protect you fully. Are you logged into a Meta or Google account? Nice. Every site using social or login integrations with Facebook, Instagram, and Google now allows those companies to merge together your browsing habits, despite you using iCloud Private Relay or a VPN1.
That’s how the Internet was built. The GDPR doesn’t protect you from the reality of technology, nor does it demand that the technology changes. You have to protect yourself. GDPR isn’t going to do it. It’s a legal framework that over decades will fine big companies some pocket change here and there, but your privacy is still on you. Sorry.
Every single website and service out there can do their part in making sure privacy rights are protected. You have the choice of who you do business with. Start small. Look for those who do right. We need more of the Small Web and less of the Big Web.
I’m just trying to do my part, and with intent. The next step for me is moving off of a bigger cloud provider like Linode (I am hosting in Frankfurt, Germany) to a smaller hosting company that wasn’t slurped up by Akamai. Small steps. I’ll probably write about it when that is done.
Oh, no one paid me to write this by the way.
A VPN doesn’t protect you at all. As long as you’re logged into a service by big tech, they still know who you are. All that changes is your IP address. Sure, your Internet Service Provider now knows less about you, but those are not your prime enemy. Google and Meta are. A VPN does not protect you from them. ↩︎
Update: Apple Passwords just screwed up badly, so I went back to 1Password 😅 There will be a blog post on this soon.
Now that my blog is alive again, I decided to follow all those other bloggers with a list of defaults (and not so defaults) on App Defaults, inspired by the 97th episode of the Hemispheric Views podcast.
I’m a Mac user. I won’t be linking out to the Apple apps listed below that come preinstalled. Some entries have footnotes. 😄
📨 Mail Client: Apple Mail1
📮 Mail Server: Fastmail
📝 Notes: Apple Notes
✅ To-Do: Things
📷 iPhone Photo Shooting: Halide
🟦 Photo Management: Apple Photos
📸 Photo Editing: Apple Photos2
📆 Calendar: Apple Calendar
📁 Cloud File Storage: iCloud Drive (with Advanced Data Protection)
📖 RSS: Reeder
📇 Contacts: Apple Contacts3
🌐 Browser: Apple Safari
💬 Chat: Apple iMessage and Signal
🔖 Bookmarks: Safari Bookmarks
📑 Read It Later: Reeder and Safari Reading List
📜 Word Processing: iA Writer and Apple Pages4
📈 Spreadsheets: Apple Numbers
📊 Presentations: Apple Keynote5
✍🏻 Writing Books: Ulysses
🛒 Shopping Lists: Things
🍴 Meal Planning: Mela
💰 Budgeting and Personal Finance: bunq
📰 News: -
🎵 Music: Apple Music
🎤 Podcasts: Overcast
📚 Books: Apple Books6
🔐 Password Management: 1Password7
🔍 Search Engine: Google8
🍿 Movie Tracking: Callsheet
📝 Blogging Platform: Jekyll
🚚 FTP: Transmit
🧑🏻💻 Code: Nova
🎬 Visual Effects and Finishing: Autodesk Flame9
Sometimes I use the Fastmail web app which I’ve installed as a Safari Web App. ↩︎
I have Adobe Photoshop licensed due to my profession and if Apple Photos is not up to the task, I will default to Photoshop. ↩︎
iCloud + Fastmail on the server side with Linked Contacts) active. This quite fascinatingly works and keeps all changes to contacts up to date across servers. ↩︎
On the publishing side, I need to revert to Microsoft Word unfortunately, because it’s the industry standard and people expect Track Changes to work. ↩︎
This would be iA Presenter if I held presentations more often. What a nice app. ↩︎
I simply can’t stand Kindle anymore. The UI on their devices, the reading experience, and the horrendous companion apps on iOS and Android distract me from reading the actual books. At least the text looks nice in Apple Books, where I’m using the Paper Theme and Iowan as my font. ↩︎
Starting with macOS Sequoia and iOS 18, I was able to fully move from 1Password to Apple Passwords. Went back to 1Password within 2 weeks, because Apple Passwords screwed up. Blog post coming! ↩︎
I’m sorry, everything else is just very bad in 🇩🇪. ↩︎
Don’t look at the price. ↩︎
iCloud is the only major storage provider with the option for zero knowledge.
All data is encrypted in transit and on the server; the difference is who has access to it all. With Advanced Data Protection (ADP), Apple takes itself out of the equation for most services. With standard data protection, several services remain recoverable (and accessible) by Apple.
So why doesn’t Apple use Advanced Data Protection by default? It would be a customer service nightmare. Only activate it if you know what you’re doing. If you lose access to your account, you need to use the recovery contact or recovery key together with a trusted device passcode or iCloud account password to get your data back. If none of those are available, Apple will be able to restore access to your account, but most of the data will be lost. Irrevocably.
But I still implore you to use Advanced Data Protection if you know what you’re doing. It is a huge boost to privacy, especially if you store a lot of data in iCloud.
Here’s a list of iCloud services and how Apple treats their encryption as of November 2024:
| iCloud Service | Standard data protection | Advanced Data Protection |
|---|---|---|
| iCloud Mail | Apple has keys | Apple has keys |
| Contacts | Apple has keys | Apple has keys |
| Calendars | Apple has keys | Apple has keys |
| iCloud Backup (incl. Messages) | Apple has keys | Only you have keys (E2E) |
| iCloud Drive | Apple has keys | Only you have keys (E2E) |
| Photos | Apple has keys | Only you have keys (E2E) |
| Notes | Apple has keys | Only you have keys (E2E) |
| Reminders | Apple has keys | Only you have keys (E2E) |
| Safari Bookmarks | Apple has keys | Only you have keys (E2E) |
| Siri Shortcuts | Apple has keys | Only you have keys (E2E) |
| Voice Memos | Apple has keys | Only you have keys (E2E) |
| Wallet passes | Apple has keys | Only you have keys (E2E) |
| Freeform | Apple has keys | Only you have keys (E2E) |
| Passwords and Keychain | Only you have keys (E2E) | Only you have keys (E2E) |
| Health data | Only you have keys (E2E) | Only you have keys (E2E) |
| Journal data | Only you have keys (E2E) | Only you have keys (E2E) |
| Home data | Only you have keys (E2E) | Only you have keys (E2E) |
| Messages in iCloud | Only you have keys (E2E) | Only you have keys (E2E) |
| Payment information | Only you have keys (E2E) | Only you have keys (E2E) |
| Apple Card transactions | Only you have keys (E2E) | Only you have keys (E2E) |
| Maps | Only you have keys (E2E) | Only you have keys (E2E) |
| Keyboard vocabulary | Only you have keys (E2E) | Only you have keys (E2E) |
| Safari | Only you have keys (E2E) | Only you have keys (E2E) |
| Screen Time | Only you have keys (E2E) | Only you have keys (E2E) |
| Siri information | Only you have keys (E2E) | Only you have keys (E2E) |
| Wi-Fi passwords | Only you have keys (E2E) | Only you have keys (E2E) |
| W1 and H1 Bluetooth keys | Only you have keys (E2E) | Only you have keys (E2E) |
| Memoji | Only you have keys (E2E) | Only you have keys (E2E) |
The more control users have, the more responsibility they must bear.
Every time you attempt to access one of the E2E-encrypted services above in a web browser on icloud.com, Apple will send a request to your trusted devices, where you’ll have the option to approve the request. The device will then generate temporary keys for the browser session to decrypt and show your data.
An alternate recovery option is required in order to activate Advanced Data Protection. That’s either a recovery contact or a recovery key.
With a recovery contact, a trusted friend or family member gets the ability to receive a recovery code for you if you need one. Apple will not save any information on who your recovery contacts are, so remember who you picked. Your contact does not get access to your data, they will only get the code they can hand over to you if you request one.
With a recovery key, you’ll get a 28-character code to store in a safe place. This code can be used to regain access to your account and E2E encrypted data. If you turn on the recovery key option, the regular account recovery process from Apple will no longer be available. Store the key in a safe place!
If you’re interested in reading more details about iCloud security, head on over to iCloud data security overview (Apple Support).
And here’s Apple’s overview on How to turn on Advanced Data Protection for iCloud (Apple Support).
", "url": "https://tobyx.com/2024/icloud-advanced-data-protection", "date_published": "2024-11-09T20:30:00+00:00", "date_modified": "2024-11-09T20:30:00+00:00", "author": { "name": "" } }, { "id": "https://tobyx.com/2020/dark-mode", "title": "Dark Mode for All the Things", "content_html": " Before the introduction of Dark Mode support in macOS Mojave in 2018, many websites had offered manual Dark Mode support with a JavaScript toggle. In principle, this method implemented a “Dark Mode Switch” somewhere in the UI. On click, the site would load a Dark Mode CSS alternative to switch colors using JavaScript. Persistence was offered through setting a cookie to remember the setting.
This method used to be the most elegant way to offer users a dark theme since you couldn’t store your preference anywhere globally. The preference needed to be saved on a per-site basis, and while setting a cookie for this has no real privacy implications, EU law disagrees with that1 and makes the solution in the very least cumbersome to deal with.
macOS added support for prefers-color-scheme, because now there was a reason to. You could set your preference for a dark theme across the operating system and when switching, all apps with support as well as Safari and all currently loaded websites would switch accordingly.
The code for this is deceptively simple:
@media (prefers-color-scheme: dark) { /* add your dark theme changes here */}It’s important to check your light and dark themes thoroughly. I personally use a light theme when I’m in well-lit rooms during the day and a dark theme later in the day when my surroundings are darker.
If you find images on your site to be too bright in dark mode, you can swap them out in your dark theme. If your background color is neutral (all RGB channels with the same value), you can also try reducing the opacity of the respective img elements a bit. With a neutral background color, you’ll avoid changing the overall chroma of the images.
In the end, all issues with the JavaScript and cookie-preference method aside, you could still offer a manual switch for users. You may consider only showing the UI element for this on browsers not supporting prefers-color-scheme.
macOS, iOS, and iPadOS all support Dark Mode system-wide and Safari supports CSS @media query prefers-color-scheme.
macOS added Dark Mode support with macOS Mojave (10.14) in 2018. iOS added Dark Mode support with iOS 13.0 in 2019. iPadOS supports it just the same since the name change with iPadOS 13.1.
Microsoft Edge supports Dark Mode. If you set your Windows to Dark Mode, Microsoft Edge will by default use that preference to also interpet prefers-color-scheme appropriately.
In addition to that, users can enable Dark Mode only for Edge directly in the browser.
Android supports a system-wide Dark Theme since Android 10 in 2019 and Google’s mobile Chrome browser will adhere to that preference.
Google Chrome on desktop platforms will adhere to system-wide settings of macOS and Windows to also offer Dark Mode @media query support according to user preference.
The GDPR mandates that cookies may only be stored on a user’s computer after specific consent is given, except for strictly mandatory cookies. While most law experts agree on e.g. cookies for load balancer operation or shopping carts being required, thus requiring no prior consent, the discussion is a bit more difficult on topics like setting a theme preference. Since any data stored to differentiate a user’s preference could potentially be labelled “personally identifiable information”, we’re in for a wild ride. The biggest drawback of these privacy laws is big corporations continuing with what they’re doing, gaining a competetive advantage over those who can’t simply weather lawsuits coming their way. ↩︎
![\"Image](\"https://tobyx.com/img/2016/jekyll-rsync-01.jpg\")
When you locally build your site with Jekyll, you end up with a finished generated site in the _site folder that you can simply upload to your web host.
But instead of using SFTP to do this, we’ll be making it a little fancier. Let’s assume you have your host ready and can SSH into it.
The following script will use rsync to mirror your local folder to your remote server. rsync is quite intelligent in doing so, only transferring the changed portions of your site on subsequent commits.
Make sure to edit the variables above. Note: rsync will in fact wipe the destination folder clean and only leave the mirrored content there so double-check the path.
I have had issues with wrong permissions on files and folders on the destination host, so you might want to adjust permissions at the target location. This requires a newer version of rsync that’s not available on a default installation of macOS.
Simply install a more current version of rsync with:
brew install rsyncThe user-installed version should automatically get priority.
The script will attempt to change permissions on files and folders accordingly.
If your sshuser is unprivileged—he definitely shouldn’t be root—, make sure that the content in your web root is owned by him, the group can stay at www-data or whichever group your web server belongs to. The script will also leave hidden files and directories alone and not change or delete them, ensuring compatibility with the web root functionality of letsencrypt.
#!/bin/sh# -----------------------------------------------------------# commit-vps.sh# -----------------------------------------------------------# Variableslocaljekyll=\"/Users/tobyx/websites/tobyx.com/current\"remotewebroot=\"/var/www/tobyx.com/public_html\"instancehost=\"yourinstance.example.com\"sshuser=\"admin\"sshport=\"22\"sshidentity=\"~/.ssh/your-private-key.key\"# Executioncd $localjekyll# bundle installbundle exec jekyll build --config=_config.yml,_config_production.ymlecho \"rsync to SSH host $instancehost ...\"rsync -vrh -e \"ssh -p $sshport -i $sshidentity\" --exclude \".*\" --delete-after \\ --chmod=Du=rwx,Dg=rx,Do=rx,Fu=rw,Fg=r,Fo=r \\ $localjekyll/_site/ $sshuser@$instancehost:$remotewebrootecho \"SSH connection closed. Done. Committed.\"Check out other methods of Jekyll deployment.
", "url": "https://tobyx.com/2016/jekyll-rsync", "date_published": "2016-12-11T00:00:00+00:00", "date_modified": "2020-02-02T12:00:00+00:00", "author": { "name": "" } }, { "id": "https://tobyx.com/2016/aws-ssh-ports", "title": "On-demand Opening of SSH Ports on AWS", "content_html": "![\"Image](\"https://tobyx.com/img/2016/aws-ssh-ports-01.jpg\")
Update 19-03-01: The script has been amended to support IPv6 as well and will allow access coming from your public IPv4 and IPv6 address simultaneously. I will also use CIDR notation for letting both addresses in, which is optional for IPv4 but mandatory for IPv6.
Update 24-11-07: I am no longer running on AWS, and this script will not be updated. It might still work.
While other cloud providers usually force you to leave SSH open, restrict access with your own firewalls, or set up IP ranges from which access is possible, AWS has the major advantage of security groups1. You can stop any traffic dead in its tracks before your server has to deal with it.
You can configure Security Groups in a few ways:
Some people just leave their SSH port open. This is arguably ok with public key authentication in place, but being able to prevent automated login attempts from around the world gives you peace of mind. You can also restrict access to your static IP or IP ranges, but people on ISPs with dynamically changing IP addresses are out of luck.
The AWS-CLI website has information on how to install the CLI, with most Linux distros having packages for it for an easy install. On macOS, you can go the Homebrew route.
If you haven’t already done so, install Homebrew. Homebrew is a package manager for all the developey things your Mac lacks—which is usually not much compared to Windows, but still a lot for a developer to be sad. Use Homebrew and its version of Python.
/usr/bin/ruby -e \"$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)\"Make sure you know what this command does, refer to the Homebrew website.
Now we install Python and the AWS CLI.
brew install pythonpip install --upgrade --user awscliI’m using a script to connect to my AWS instances. The script will open an SSH port in the associated Security Group, connect me via SSH, and when the connection ends or disconnects, remove that rule again, closing access to the instance off.
Here’s the script connect-aws.sh:
#!/bin/bash# -----------------------------------------------------------# connect-aws.sh# -----------------------------------------------------------# Variablesinstancehost=\"yourhost.example.com\"sshuser=\"admin\"sshport=\"22\"sshidentity=\"~/.ssh/yourprivatekey.key\"securitygroup=\"sg-1234a12345b1cd12e\"region=\"eu-central-1\"# Executionip=`curl -s https://api.ipify.org`ip6=`curl -s https://api6.ipify.org`if [ \"$ip\" != \"$ip6\" ]; then ip6avail=1fiecho \"Current IP address: $ip\"if [ $ip6avail ]; then echo \"Current IPv6 address: $ip6\"else echo \"IPv6 is not available.\"fiecho \"Instance Host: $instancehost\"echo \"AWS Security Group ID: $securitygroup\"echo \"Adding IP $ip to AWS Security Group $securitygroup in region \\ $region ...\"aws ec2 authorize-security-group-ingress --group-id $securitygroup \\ --region $region --ip-permissions \\ IpProtocol=tcp,FromPort=22,ToPort=22,IpRanges=[{CidrIp=$ip/32}]if [ $ip6avail ]; then echo \"Adding IP $ip6 to AWS Security Group $securitygroup in region \\ $region ...\" aws ec2 authorize-security-group-ingress --group-id $securitygroup \\ --region $region --ip-permissions \\ IpProtocol=tcp,FromPort=22,ToPort=22,Ipv6Ranges=[{CidrIpv6=$ip6/128}]fiecho \"Connecting via SSH to $instancehost ...\"ssh $instancehost -l $sshuser -p $sshport -i $sshidentityif [ $ip6avail ]; then echo \"SSH connection closed. Removing IP $ip and $ip6 from AWS \\ Security Group $securitygroup ...\" aws ec2 revoke-security-group-ingress --group-id $securitygroup \\ --region $region --ip-permissions \\ IpProtocol=tcp,FromPort=22,ToPort=22,IpRanges=[{CidrIp=$ip/32}] aws ec2 revoke-security-group-ingress --group-id $securitygroup \\ --region $region --ip-permissions \\ IpProtocol=tcp,FromPort=22,ToPort=22,Ipv6Ranges=[{CidrIpv6=$ip6/128}]else echo \"SSH connection closed. Removing IP $ip from AWS Security \\ Group $securitygroup ...\" aws ec2 revoke-security-group-ingress --group-id $securitygroup \\ --region $region --ip-permissions \\ IpProtocol=tcp,FromPort=22,ToPort=22,IpRanges=[{CidrIp=$ip/32}]fiecho \"Done.\"You only need to modify the # Variables:
instancehost: Hostname or IP address of your AWS instance.sshuser: The local user name you’re using to login via SSH.sshport: The SSH port, default is 22.sshidentity: The path to the private key used for connecting to your AWS instance.securitygroup: The Security Group identifier.region: Your AWS region (since you can have instances in multiple regions).
Note: To get the current IP address programmatically, I’m using https://www.ipify.org. By default, they will simply output your current IP address as plain text. There are more options, so please have a look at their site. Their traffic is encrypted.
Make the script executable:
$ chmod u+x connect-aws.shNow, simply execute the script to open a SSH shell to your instance:
$ ./connect-aws.shAWS Security Groups are virtual firewalls, not only giving you fine-grained control over external access to your instances, but also isolating your instances from each other if needed. Great great great. ↩︎
![\"Image](\"https://tobyx.com/img/2015/search-01.jpg\")
I’m serving this website statically, no exceptions. I’m doing this for security and performance reasons. But since I did want to have a search feature on here, I had to come up with something inventive.
Google offers custom search for websites to search only that site’s domain, but my disdain for Google’s pratices ruled that out. I’m not serving any external trackers, so I most certainly wasn’t going to start now by giving visitor data freely to Google. It’s an extremely clumsy and ugly implementation as well.
While I might eventually end up building a search feature in my backend, the amount of content on here is still small enough to do the search client-side.
When building a new version of the site, I’m also creating a JSON file with all articles and content listed, as well as a few keywords that people might be searching for. This JSON file is parsed in your browser. The benefits are clear:
However, once the site grows large enough, downloading and handling the JSON file client-side might become too cumbersome. Then again, I post so infrequently that this solution might serve me well for the next few decades.
I wrote the JavaScript search myself and built cool features into it like full keyboard navigation. Just hit s or f to immediately jump to the search bar and set focus on it. You can navigate the results with ⬆ and ⬇. Confirm with ENTER.
Since I am tagging my articles with invisible made-up keywords, you can also search for related words. For example, my Arch Linux with Whole Disk Encryption article also responds to wde or lvm.
Things to consider:
search.json until after someone enters thesearch field deliberately. This might delay the search results by a tinybit, but users won’t have to download the search dataset if they never use the search in the first place.![\"Image](\"https://tobyx.com/img/2015/jekyll-vs-world-03.jpg\")
Heavy with confidence, I would deposit my lumbering frame in the centerof the room. My choice to go all static had been a good one. It wasquite a serene scenery—nothing could touch me.
There were website owners running around wildly, chasing WordPresssecurity vulnerabilities1, while at the same time trying to plugholes, which the dubious free plug-ins they downloaded had ripped intotheir very essence.
I saw a man standing at the window and bashing his head against it in aslow rhythmic pace. This wasn’t a medical condition. He was simplyrepeating the rate at which his PHP-based and database-driven publishingsolution would accept new requests.
From the corner of my eye I could make out a woman who was franticallyflailing her arms about. She was trying to get into the room.Unfortunately, no one would let her in—her website had been infectedwith malware and whenever someone tried to visit it, there was awarning, urging users to run away as fast as they could.
Static publishing, oh blissful serenity. Why do I like you so much?
It’s not, really. But bear with me for a moment.
Imagine you’re publishing a new post on your site. How often does thatcontent change? Is it really necessary to recreate the final HTML outputyou deliver to your users every single time someone accesses your site?Query the database, run it through the templating engine, run it throughplugins, render HTML, deliver. That’s a lot of work.
Most likely, you won’t notice this immediately. But if your sitesuddenly becomes popular, chances are, it won’t scale very well. Itcould go down. Of course there’s options for you if you wish to staydynamic and have that flexibility. You could use caching plugins or evenfull-fledged web accelerators likeVarnish.To me, this is just throwing huge piles of code and applications at theproblem.
The problem is: Your static content should be generated statically,delivered to your visitors as is. That’s dealing with the problem in theright way.
Easy for me to say, right?
There are downsides.
![\"Jekyll](\"https://tobyx.com/img/2015/jekyll-vs-world-01.jpg\")
Look, that’s my Terminal running Jekyll in serve mode. It launches atiny web server and let’s me live preview all the changes in my site inmy browsers of choice. Locally.
This is actually quite amazing. The setup for a database-driven CMSsolution is usually so cumbersome that most people will work with thelive site on a server somewhere else in the world. Bad for you if youdon’t have an Internet connection. And do you really want to write yourcontent in a browser? Really?
This setup is so easy that I can always work on a local master and pushmy changes to my server. I let my server do the build (just like I couldlocally, but why not) and refresh what’s currently in my web root.Automatically.
Whenever an article is done, I just commit my changes via git. It’sactually really simple to set up.
And it is oh so flexible. And safe! There’s hundreds of plugins tochoose from to do fun stuff with your content during the build process.The end result will always be static pages. Nothing to break into.
Find out more at jekyllrb.com.
With Jekyll, you start out with nothing. Nothing at all.
It actually allows you to generate a very simple blog-ready site withjekyll new, but it’s just something to start from and learn thestructure of how a Jekyll site can be built.
You should really be interested in starting from scratch.
If all you want to do is download a theme and start writing, you shouldprobably go elsewhere. TryMedium,it’s a well-designed new service with a great community, made for peoplewho just want to write. Now you can evenpublish directly to Medium from the best editor in the world.
If you think this sounds like loads of fun, go for it. You will notregret it.
So now I’m sitting here withBBEditandUlysses,coding and writing. Which is really all I ever wanted. I do it in theenvironment I desire to be in. It frees me.
![\"A](\"https://tobyx.com/img/2015/jekyll-vs-world-02.jpg\")
I’m back to where it all began. I have a text editor and I fill it withwords. When I’m done, I save the file and that’s it. I can preview to myheart’s content. And once happy, I will simply commit.
You know you want it.
Simplify.
You don’t want a site that’s not really you. A site filled with socialbuttons and widgets and gadgets and analytics and tracking cookies andbanner ads and pop-up ads and everything else that makes your visitorsscream at you from afar. Generated anew every time someone visits yoursite. Every. Single. Time.
Be that person in the middle of the room. Perfectly rooted, smilingcontentedly.
They cannot touch you.
WordPress is a wonderful but complex system that’s majorly responsible for the blogging revolution of the past decade. Its security track record isn’t the best and you can like it’s code or not. The fact remains that it is software running on a public-facing server, installed and run by people who shouldn’t touch a server if their life depended on it. WordPress perpetuates this with their “famous 5-minute installation”. ↩︎
I really wanted search to work on tobyx.com, so I wrote it myself. Can’t hurt to freshen up that rusty JavaScript. If you have JavaScript activated, a small JSON file containing the sitemap will be loaded and can be queried from the search bar up above. It’s super fast. Try it. ↩︎
Note: This guide is from 2015 and now most likely broken. Use from it what you will, but consider yourself warned.
For some reason, it brings me great joy to reinstall fresh Linuxes on mynon-Mac systems. While my servers usually run Debian,my personal computers almost exclusively run Arch. Arch Linux isbleeding edge, rolling release and just awesome in general. The Arch Wayrequires you to do it all on your own, with the help of online resourcesto guide you along the way.
Having said that, this guide will lead you through the installation ofArch Linux. You will also encrypt your whole root volume so it’s saferin every day use. This kind of goes against the Arch Way because astep-by-step instruction makes it way too easy for you. Therefore, Isuggest you follow all the links I provide as background information andreally read up on the subject matter.
Needless to say, all of this can be done with the help of the wonderfulArch Linux wiki. It is a marvelousresource of Linux computing splendor. If you have a question, you willmost likely find the answer there. I’m not kidding. It’s incrediblythorough.
General installation hints can be found at the Arch Wiki - Installation Guide and there’s also a wonderful Arch Wiki - Beginners’ guide.
Prepare an EFI USB drive with Arch Linux. If you need help creating such a contraption, go help yourself at Arch Wiki - USB flash installation media.
Boot it! This will be different on every system so it’s kind ofpointless to make a generic guide for that. Make sure that your systemis able to boot from USB. Bring up the boot menu. There should beshortcuts displayed during boot-up, if not, try hitting F12 or F8. Nowlaunch the UEFI boot loader it finds on the installation media youcreated.
If this is successful, you should end up with a command prompt similarto this:
Arch Linux 4.2.2-1-ARCH (tty1)archiso login: root (automatic login)root@archiso ~ #Before we continue, we’re assuming a US keyboard layout for theinstallation. If you however want to setup a different locale for the next 15 minutes, you can do so!
Let’s edit /etc/locale.gen. Go through the file and uncomment the linerepresenting your chosen locale.
nano /etc/locale.genWe shall generate the locale!
locale-genNow that we’re done with that, we just need to set the locale.
localectl set-locale LANG=en_US.UTF-8You can read more on this here: Arch Wiki - Locale.
It is time to partition your drive. Like, the one your old stuff is on.I can’t stress this enough. This guide assumes you only want Arch Linuxon your system and will most likely erase everything else you have. Youwill have to carefully adapt the workflows in here in order to installArch Linux elsewhere and/or alongside other operating systems. If you have old datayou need, back it up!
We want to be modern and use GPT, so we’re using gdisk for partitioning:
gdisk /dev/sdaIf you want more information on what gdisk does, type ? and [ENTER].
We’re going for the most simple setup here. We want an EFI bootpartition and put all the rest in an LVM partition that will beencrypted. I will assume an EFI partition of 512 MiB in size with thesecond partition filling the rest of it. I will also assume you want todo all this on the first internal drive there is, this should be/dev/sda.
Here’s a list of steps:
p and [ENTER] to print all your current partitions. Does itlook familiar, does it make sense? If so, good. We’re going to erasethem all. THIS WILL DESTROY YOUR DATA ON THESE PARTITIONS!d and [ENTER] to delete partitions, and type in a number todelete it. Do this until all are gone.n and [ENTER] to create the EFI system partition now.[ENTER] again to confirm the default next partition, which is 1.We have no other.[ENTER] once more to confirm the default first sector.512M and hit [ENTER] to set the size for our partition.EF00 and hit [ENTER].Same procedure for our LVM partition.
n then [ENTER].[ENTER], confirming the default.[ENTER], confirming the default.[ENTER], confirming the default of maximum size.8E00 and hit [ENTER].w and [ENTER].y.You can check what you just did with gdisk -l /dev/sda. It shouldstill make sense. If it doesn’t make sense anymore, stop now.
Now we’ll create and mount our encrypted container on the partition wecreated. The wiki has more information on Arch Wiki - Disk Encryption.
Read what’s on your screen in the following steps carefully! You will also have to pick a passphrase for your encrypted volume.
cryptsetup -y luksFormat /dev/sda2cryptsetup luksOpen /dev/sda2 lvmLet’s create some filesystems.The EFI boot partition will be a FAT partition.
mkfs.vfat /dev/sda1Now we’ll do some logical volumes inside the encrypted container we justmade. I picked 16GB for the swap partition, you can decidedifferently. Make sure not to mix up upper and lower case here.
pvcreate /dev/mapper/lvmvgcreate vg /dev/mapper/lvmlvcreate --name cryptswap -L 16GB vglvcreate --name cryptroot -l 100%FREE vgLet’s make a swap partition and an ext4 partition for the rest.
mkswap /dev/mapper/vg-cryptswapswapon /dev/mapper/vg-cryptswapmkfs.ext4 /dev/mapper/vg-cryptrootAnd mount it all.
mount /dev/mapper/vg-cryptroot /mntmkdir /mnt/bootmount /dev/sda1 /mnt/bootWe’ll do a default Arch Linux installation on our new system now. If youneed a wireless network connection supported by the current Linuxkernel, you can simply connect to one with:
wifi-menuRemember that if you’re connected via Ethernet, you most likely alreadyhave networking running. Try pinging something on the Internet withping.
If you rely on wireless networking, make sure to include necessarypackages. The wifi-menu that just worked so flawlessly willotherwise not be there when you reboot. There is help for you atArch Wiki - Wireless network configuration.
pacstrap -i /mnt base base-develgenfstab -U -p /mnt >> /mnt/etc/fstabHooray! Let’s chroot into our new system.
arch-chroot /mnt /bin/bashWe’re at that point again where we want to setup our system-widelocale(s). As before, we’re going to edit /etc/locale.gen. Go throughthe file and uncomment the locales you want.
nano /etc/locale.genWe’re generating the locales again:
locale-genWe could use the wonderful new localectl to set our locale but sincewe’re chrooted, we have no DBus and thus it doesn’t work. Bummer.
Let’s do it the old way (put your locale after LANG= accordingly):
echo LANG=en_US.UTF-8 > /etc/locale.confexport LANG=en_US.UTF-8Once again, you can read more on this here on the Arch Wiki - Locale.
I expect systems to be running UTC, because time zones are badinventions of humankind. You can pick a default timezone that suits youbetter of course. There’s lots to choose from in/usr/share/zoneinfo/, just have a look around.
ln -s /usr/share/zoneinfo/UTC /etc/localtimehwclock --systohc --utcSet your root password:
passwdDo I need to say it? Make at least one non-privileged user to work in.More on this at Arch Wiki - Users and Groups and Arch Wiki - Sudo.
And a fun hostname:
echo \"funhostname\" > /etc/hostnamesystemd comes with its own boot manager by default, which is basedon gummiboot. We don’t need to install it ourselves anymore, it’s justthere. For our configuration, it works perfectly.
All you do is:
bootctl installFor more information on systemd-boot, refer to the Arch Wiki - systemd-boot.
We need to find the UUID of /dev/sda2, which is the partition hostingour encrypted container. That is, if you followed the guide. If you mademodifications, partitioned things differently, you need to adapt this toyour specifications.
Just like gummiboot did before, systemd-boot has its boot loaderentries at /boot/loader/entries and that’s where we’re going to putour arch.conf.
First, we’ll use blkid to filter out our UUID and put it in thearch.conf we want:
blkid -s UUID -o value /dev/sda2 > /boot/loader/entries/arch.confWe should edit the boot entry now. Make sure the UUID wanders in placeof putUUIDhere.
title Arch Linuxlinux /vmlinuz-linuxinitrd /initramfs-linux.imgoptions cryptdevice=UUID=putUUIDhere:lvm resume=/dev/mapper/vg-cryptswap root=/dev/mapper/vg-cryptroot quiet rwNow we should update our systemd-boot:
bootctl updateIn order to boot with the necessary kernel modules loaded for decrypting our fancy container, edit the mkinitcpio.conf:
nano /etc/mkinitcpio.confFind the line starting with HOOKS and edit it as follows:
HOOKS=\"base udev autodetect modconf block keymap encrypt lvm2 resume filesystems keyboard fsck\"Have mkinitcpio create its ramdisk environment again:
mkinitcpio -p linuxAnd that’s it!Reboot.
exitumount /mnt/bootumount /mntshutdown -r nowThis should be all. Enjoy your new encrypted system.
Note: Once you’re done, the /boot partition will still not beencrypted. There are ways around this, please consult theArch Wiki - dm-crypt/Specialties Securing the unencrypted boot partition.If you go this far, also consider how you could make your systemtamper-evident—this means once you notice a tamper event, you can consider your computer compromised and happily throw it out the window.