squirrelitude | Entries tagged with query

Does anyone know of a source in Camberville for organic corn tortillas (the soft kind) that don't have a bunch of extraneous weird-ass ingredients?

We've been in the habit of buying "Food For Life" brand sprouted corn tortillas, but I've only found them at Harvest Co-op, and Harvest will either be going out of business or changing into a different grocery store soon, so I'll likely need a new source. (Also, they aren't always in stock.)

I know there's also some local vendor that makes corn tortillas, which I've only seen at farmers markets and one time at Cambridge Naturals. I'm guessing Whole Foods is my best bet, but I'm trying to avoid shopping there now that it's a pseudopod of Amazon, and I couldn't find any there the last time I went, anyhow.

Acceptable ingredients: Corn, water, salt, mineral lime. Products that I find in the store introduce thickeners and preservatives like guar gum and propionic acid and go downhill from there to things I've never heard of and don't feel like researching, sometimes to the tune of 20 ingredients. For tortillas!

(We used to have a tortilla press, and would make our own from masa harina (flour from corn that was soaked in limestone water), salt, and hot water. It's pretty time-consuming, though!)

[public post]

I have a server I use to host Jabber instant messenger for brainonfire.net. I currently use an SSL cert from StartSSL, but they're known to be sketchy and I don't know how long various IM clients will continue to trust them. I'd like to set up the server to use certs from Let's Encrypt, but it's not clear to me what the least worst way of doing this is, given that the website for that domain is hosted elsewhere.

I host www.brainonfire.net on nearlyfreespeech.net, which has a nice little utility to automatically get and install certs from Let's Encrypt. The cert files end up in a place I can SSH to. The home server I host Jabber on (named kibble) just has Jabber-related ports open, and in particular ports 80 and 443 on that IP go to a different server, named toster. Here are the options I can picture:

Manually copy the certs over every 30 days. (I could start with this.)
Have kibble automatically SSH into my web host and grab the certs periodically, then install them into Prosody. (I would be *really* leery of doing this -- that SSH environment in my web host has a ton of access, and this would require passwordless SSH keys.)
Point the A record for brainonfire.net to toster, which would use haproxy or nginx to forward brainonfire.net requests to kibble, which would just intercept ACME challenges and otherwise send redirects to www.brainonfire.net just like nearlyfreespeech.net would normally do. (This is awful in several ways.)
ETA: Have a cron job on the web host copy the keys directly to kibble, into a limited user directory, and then have a cron job on kibble pick up the keys and install them. (This... might work?)

I don't think I can manipulate brainonfire.net's DNS from any of my servers (this is a good thing) and I don't think my web site can see the cert files in order to serve them up to kibble via an authenticated request (this is probably *also* a good thing). I don't want to host my website on kibble, and I can't host Jabber at nearlyfreespeech.net. Are there any other options I've missed?

Edit 2: A coworker suggested what sounds like the right way: Generate the key on kibble, sign a CSR with it, transfer the CSR to the web host. Then periodically use the CSR for cert generation, copying the results back to kibble, as in the last idea above. Much safer!

Edit 3: Success! Here's what I did:

Generate a private key and a CSR on the Jabber server:

mkdir -p /opt/keys/prosody/brainonfire.net/
(umask 077; openssl genrsa -out /opt/keys/prosody/brainonfire.net/privkey.pem 4096)
openssl req -out /opt/keys/prosody/brainonfire.net/csr.pem -key /opt/keys/prosody/brainonfire.net/privkey.pem -new -sha256 -subj "/CN=brainonfire.net"
cp /opt/keys/prosody/brainonfire.net/privkey.pem /etc/prosody/certs/brainonfire_net.NFSN-LE.key

Copy the CSR to the web host.
Set up the dehydrated ACME client config with an appropriate BASEDIR -- certs will go in here, as will registration.
Register with Let's Encrypt: /usr/local/bin/dehydrated --register --accept-terms --config path/to/dehydrated.config

Create a script (create cron job to run once a month) that will ship the certs off to the Jabber server:

CO=/home/private/sync/cert-oracle

. "$CO/dehydrated.config"
mkdir -p -- "$BASEDIR"

/usr/local/bin/dehydrated --signcsr "$CO/brainonfire.net-csr.pem" \
                          --config "$CO/dehydrated.config" \
                          --domain brainonfire.net \
                          --full-chain \
                          > "$BASEDIR/latest-chain.pem"

/usr/bin/scp -i /home/private/sync/cert-oracle/ID_certs-to-kibble \
  -P 8443  \
  "$BASEDIR/latest-chain.pem" \
  cert-recv-bof@k.timmc.org:/home/cert-recv-bof/recv/brainonfire.net/

On Jabber server, create a script (set to run daily) that will install the cert and restart Prosody if it has changed:

#!/bin/bash

src_dir=/home/cert-recv-bof/recv/brainonfire.net
dest_dir=/etc/prosody/certs

function install {
  hash_src=`sha256sum < "$1"`
  hash_dest=`sha256sum < "$2"`
  if [[ "$hash_src" = "$hash_dest" ]]; then
    echo "Not installing file, hasn't changed: $1 -> $2"
    return 2
  fi
  echo "Installing file: $1 -> $2"

  touch -- "$2"
  chown prosody:prosody -- "$2"
  chmod o= -- "$2"
  cat < "$1" > "$2"

  return 0
}

if install "$src_dir/latest-chain.pem" "$dest_dir/brainonfire_net.NFSN-LE.chain.pem"; then
  echo "Restarting prosody"
  service prosody stop
  service prosody start
else
  echo "Nothing to do"
fi

For a few months now I've been running a Sandstorm server, which effectively produces a website with an app store. Invited users can install apps and create instances of them ("grains") in a couple clicks, including dropboxes, chatrooms, concurrently-editable documents (Etherpad), and photo galleries. There are some pretty cool sharing features, with granular permissions.

I'd like to offer this as a service to my community -- friends, housemates, neighbors, maybe a couple degrees out. I still have some work to do in making the service "safe to use" (automated backups, own TLS cert, etc. -- there's a checklist.) Beyond backups, I don't think I'll be able to promise any particular level of Availability, running it on a residential internet connection, but I do want to put some work into the other two main infosec categories: Confidentiality and Integrity.

But there's also one big step remaining: Picking a domain name! Right now I'm using the free sandcats.io service because it offers wildcard DNS and TLS certs (Let's Encrypt won't work, here). I don't want to change the domain *after* offering the service around, because Sandstorm doesn't have a way to automatically redirect if called with the wrong domain name, and I don't want to set up the necessary nginx or haproxy redirect, with the concomitant cert wrangling. Gotta do it now.

I'm thinking something like https://apps.timmc.org. Sandstorm is an unusual product, so I want to communicate "this is a lot like phone apps". (Actually, a lot more secure than phone apps, since all the apps are sandboxed away from each other.) Or maybe https://community.timmc.org since it's a community offering. AT suggested https://sandstorm.timmc.org -- make it really specific. Anything else I should be thinking of?

I'm thinking of hosting an afternoon or evening event where people bring crafts they've been meaning to work on or items they've been meaning to repair. For instance, I have some pants to patch, a wooden tortilla press to build, and a chair whose seat needs re-caning. By holding an event, I'd like to arrange for three things:

If I bring together people who like building/repairing things, they will be able to pool knowledge and tools to mutually support each other's projects.
There would be social pressure to actually get shit done instead of getting distracted by YouTube and the like. (There's no TV in our living room, and I would ask people not to use their pocket TVs either.)
An excuse to have relaxed social time with friends.

So, this post is to gauge interest and work out scheduling. Here are some prompts; answer as many or as few as make sense to you.

Would this be of interest to you? (What about some variation that you think would be better?)
What are your scheduling preferences? (Weeknight, weekend morning/afternoon/evening.)
What sorts of projects would you like to bring? What sorts would you like to help with?
Are there any tools you would need that you don't have? Are there any tools you could bring that someone else might need?

This would be in the 2nd floor living room at our house in lower Allston. We also have a basement work area, complete with bandsaw of unknown usefulness and a random assortment of hand tools.

I'm also sending this out as an email, but I actually don't know either the LJ/DW names or the email addresses of many of my friends and acquaintances! So I've almost certainly left out some folks by accident -- if you know a friend who didn't get this and really should, feel free to pass it along!

S	M	T	W	T	F	S
				1	2	3
4	5	6	7	8	9	10
11	12	13	14	15	16	17
18	19	20	21	22	23	24
25	26	27	28	29	30	31

Scamperings

Entries tagged with query

Local tortilla question

Setting up a Jabber/XMPP IM server with Let's Encrypt SSL? [public]

What should I name my sandstorm server?

Gauging interest: Repair & Crafts Night?

Profile

August 2024

Syndicate

Most Popular Tags

Page Summary

Active Entries

Style Credit

Expand Cut Tags