Hyteck

Commitments

2025-12-18T20:30:00+02:00

In the past I have worked with various non-profit association, helping them with their IT. I have amd mixed experiences how productive and rewarding that was. After two particularly bad experiences I have decided I need a change, specifically I need more commitment.

The problem

The main problem boils down to indecision and missing capacity/priority. As an example: A group wrote an extensive google doc, detailing about 15 pages on a website that is to be created. After implementing this in a few weeks (mainly due to necessary changes of already outdated information) a section of the website was ready for final approval, another one was in a Proof-of-Concept phase. This was finished in September. Since then, I repeatedly asked for review so the site could go live. One person reviewed parts, but wanted another person to give feedback as well. Now, end of December, the finished section is still not live. I refuse to put more work in until the existing work is reviewed.

The solution

Tackle such projects, like I’d tackle a project in my day-job: Define stakeholders, a timeline and force decisions when necessary. Demand commitments.

Scenario 1: Basic Website

I believe the most common first step for organizations is to set up a website and be reachable via e-mail. For a first website there need to be the following things:

Homepage with short description and one Call-to-Action
Imprint
Data privacy statement

A typical process to set up such a website should be

Kick-Off call: Discuss basic content and style elements, clarify technology, cost and timeline
Basic implementation: The developer will set up a website with the basic style elements and sections for the content (not filled with real text yet)
Content generation The organization provides text for the website
Implementation: Content is added to the website by the developer
Testing: The organization checks the result, the dev will make minor adjustments
Go-Live: After confirming a successful test, the website will go-live

In order to keep risk low, the time between Kick-Off and Go-Live should be planned to last not longer than 6 weeks. Otherwise, there is a risk that one side puts in a lot of work that is then not rewarded with a Go-Live.

Here are some other commitments, one could think of:

Organization	Developer
Provide text within two weeks after basic implementation	Provide basic implementation within two weeks
Take not more than one week for testing	Make minor tweaks within a week
Provide actionable items when test result hinders Go-Live	Document infrastructure
Define central person for functional questions	Only implement what others could also maintain

Scenario 2: Joining an existing IT team

Another common scenario is joining an existing IT team. I’ve been on both sides of that process and here is how I think it should work

Welcome call: Who is everyone, who is responsible for what, how is the team organized? Define a first task that the new person can reasonably do. The smaller, the better.
Technical onboarding: Create admin users, invite to password manager, put SSH keys on server
Getting started: Newbie starts the task, knows who to ask when they need help - someone needs to be available to answer questions, otherwise frustration and mental overload will settle in soon
Integration in regular work Newbie is assigned responsibilities and part of the group

Ideally documentation already exists for the new person to learn. If not, this is a great opportunity to add it! If the Newbie has a question: Answer the question in detail and past the answer in your documentation. It will benefit you in the future, I promise!

So this seems reasonable right? But there are many ways to fuck it up.

Reasons for failure

Missing access: This is something I have experienced time and time again. From data protection concerns to trust issues, the problem was always power: Existing admins did trust the newbies with the power they have. And that is the core problem: if someone has access, they can mess up things. Even the most experienced admins. That’s why you should have backups and written agreements on data protection. If you don’t then your existing admin is more of a threat than the newbie.
Unclear processes: So often it’s unclear how decisions are made, whome to communicate a downtime, and so on. Newbies are overwhelmed because they don’t know what to do, existing teams are annoyed by newbies because they “don’t fit in”
Missing capacity: When you onboard people, this will take extra effort. There must be time made for that, you need new people to succeed. If you don’t do onboarding right, the new person will never become part of the team, will eventually leave and your team will shrink more and more until it fails.

Conclusion

New contributors are valuable. Don’t waste their time, don’t let them feel helpless. Then you will succeed.

Adding another post type to Hugo

2025-12-14T07:30:00+02:00

Notes are short posts that focus on a small bit of information. Other than my blogposts they do not try to give a complete picture or a full explanation. They are more of a brain-dump of mine with a low bar of typing them out.

So how did I add them?

Create a notes folder: The folder in content/notes will hold the notes
Add rendering template: Hugo needs to know what to do here, so add a rendering template in layouts/notes/list.html. A sample is provided below.
Add content/notes/_index.md with a short explanation of the

Styling template

{{ define "main" }}
<h1">Notes</h1>

<div>
 {{ .Content }}
</div>


<ul>
 {{ range .Pages.ByDate.Reverse }}
 <li
 ">
 <h2>
 <a href="{{ .Permalink }} "> {{ .Title }} </a>
 </h2>
 <small">{{ .Date.Format "2006-01-02" }}</small>
 {{ if .Params.subtitle }}
 <p>{{ .Params.subtitle }}</p>
 {{ end }}
 </li>
 {{ end }}
</ul>
{{ end }}

As you can see, I added an optional subtitel. They make it much easier to find a note that is interesting, but should not be necessary to lower the bar for the author. Subtitles can be specified like this

---
title: "Adding another post type to Hugo"
date: 2025-12-14T7:30:00+02:00
draft: false
subtitle: "How I added notes as content type to hugo in addition to the standard posts and pages."
---


Notes are short posts

How to manually check hundreds of animal shelters - every 14 days

2025-11-08T12:05:10+02:00

I run a website called Notfellchen that list animals that are waiting for adoption. It’s currently restricted to fancy rats in Germany and that for good reason: Running this website involves checking every shelter every two weeks manually. You need to visit the website, check if there are new animals, contact the shelter and add them to notfellchen if they allow it. This takes time. A lot.

This blog post will outline some of the things I did in order to streamline this and make it possible to check every german shelter in 2.5 hours.

General process

When you establish a process. want others to help you or if you want to find inefficiencies, it’s a good idea to formalize it. So here is a rough BPMN diagram of the whole process.

Rescue save process

List of animal shelters

Focusing on the first step: We want to check the website of an animal shelter - but where do we get a list of animal shelters from? Luckily there is an easy answer: OpenStreetMap and I wrote a whole other blog post on how I imported and improved this data.

Species-specific link

Importing this data provides us (most of the time) with a link to the shelter’s website. However, rats are usually not listed on the home page but on a subsite. In order to save time, I introduced the concept of a species-specific link per organization and species.

So for the Tierheim Entenhausen this might look like this

Species	Species specific link
Cat	https://tierheim-entenhausen.de/adoption/cats
Rats	https://tierheim-entenhausen.de/adoption/small-mammals

As animal shelter pages look very different from each other, clicking this link provides an enormous time benefit compared to clicking through a homepage manually.

Org check page

I set up a special page to make it most efficient to check shelters. It’s structured in four parts:

Stats: The stats show how many animal shelters are checked in the last two weeks and how many to go.
Not checked for the longest period: Shows the animal shelters to check next, it’s therefore sorted by the date they were last checked
In active communication: A overview of the organizations where there is communication (or an attempt thereof). This can take multiple das or even weeks so the internal comment field is very useful to keep track.
Last checked It sometimes happens that I accidentally set a organization to “Checked” by accident. I added this section to make it easier to revert that.

Shortcuts

To make it even faster to work through the organizations I added some shortcuts for the most common functionality and documented the browser own shortcut to close a tab.

O: Open website of the first organization
CTRL+W: Close tab (Firefox, Chrome)
C: Mark first organization as checked

Results

After implementing all this, how long does it take now to check all organizations? Here are the numbers

Measurement
Time to check one organization (avg.)	12.1s
Organization checked per minute	4.96 org/min
Time to check all (eligible) german animal shelters (429)	1 h 16 min

This excludes the time, it takes to add animals or contact rescue organizations. One of these actions must be taken whenever an eligible animal is found on a website. Here you can see how this interrupts the process:

And here is the breakdown of time per activity. A big caveat here is, that I did not follow up on previous conversations here, therefore the contacting number is likely an underestimation.

Activity	Time spent	Percentage
Checking	54 min 44s	72.3%
Adding	11 min 15s	14.9%
Contacting	9min 41s	12.8%

To me, this looks like a pretty good result. I can’t say which optimizations brought how much improvement, but I’d argue they all play a role in reaching the 12s per rescue organizations that is checked.

In order to check all german animal shelters, one needs to put in about 2 and a half hours every two weeks. That seems reasonable to me. Further improvements of the likely do not lie in the organization check page but the contact process and adoption notice form.

For now, I’m happy with the results.

Addendum: Common annoyances

When doing this over the last few months I encountered some recurring issues that not only were annoying but also take up a majority of the time. Here are some that stood out

Broken SSL encryption So many animal shelters do not have a functioning SSL certificate. It takes time to work around the warnings.
No results not indicated More often than not, animal shelters do not have rats. However, when you visit a page like this it’s hard to know if there is a technical issue or if there are no animals for your search.
No static links Sites where you have to click through a menu to get to the right page, but you can not link directly to it.
No website Seriously, there are some animal shelters that only use Instagram or Facebook to tell people about the animals they have. This is not only a privacy nightmare, it’s also incredibly hard to find out which information is up-to-date. Furthermore, there exists no data structure, so posts about animals often miss crucial information like the sex.

While I obviously have some grievances here, I know the organizations never have enough resources, and they’d usually love to have a nicer website. Just keep that in mind too.

Postmortem - how to completely screw up an update

2025-10-19T12:05:10+02:00

The fediverse instance gay-pirate-assassins.de was down for a couple of days. This postmortem will outline what went wrong and what I did to prevent things from going that wrong in the future.

Timeline

2025-10-05 17:26: Update announcement
2025-10-05 ~17:45: Update started
2025-10-05 ~18:00: Services restart
2025-10-05 ~18:00: GoToSocial doesn’t come up
2025-10-12 ~10:00: Issue is found
2025-10-12 10:30: Issue is fixed
2025-10-12 10:31: GoToSocial is started, migrations start
2025-10-12 15:38: Migrations finished successfully
2025-10-12 15:38: Service available again
2025-10-12 18:36:Announcement sent

All times are given in CEST.

The beginning: An update goes wrong

I run a small fediverse server with a few users called. gay-pirate-assassins which is powered by GoToSocial. The (amazing) GoToSocial devs released v0.20.0-rc1 and v0.20.0-rc2. As the new features seemed pretty cool, I’m inpatient and the second release candidate seemed stable, I decided to update to v0.20.0-rc2. So I stared a backup (via borgmatic), waited for it to finish and confirmed it ran successfully. Then I changed the version number in the mash-ansible playbook I use. Then I pulled the newest version of the playbook and it’s roles because I wanted to update all services that run on the server. I checked the Changelog, didn’t see anything and then started the update. It went through and GoToSocial started up just fine.

But the instance start page showed me 0 users, 0 posts and 0 federated instances. Something has gone horribly wrong!

Migrations

It was pretty clear to me, that the migrations went wrong. The GoToSocial Migration notes specifically mentioned long-running migrations that could take several hours. I assumed that somehow, during the running database migration, the service must have restarted and left the DB in a broken state. This issue happened to me before.

Well, that’s what backups are for, so let’s pull it.

Backups

Backups for this server are done two ways:

via postgres-backup: Backups of the database are written to disk
via borgmatic: Backups via borg are written to backup nodes, one of them at my home

They run every night automatically, monitored by Healthchecks. I triggered a manual run before the update so that is the one I mounted using Vorta.

And then the realization.


mash-postgres:5432 $ ls -lh
total 2.1M
-r-------- 1 moanos root 418K Oct 05 04:03 gitea
-r-------- 1 moanos root 123K Oct 05 04:03 healthchecks
-r-------- 1 moanos root 217K Oct 05 04:03 ilmo
-r-------- 1 moanos root 370K Oct 05 04:03 notfellchen
-r-------- 1 moanos root 67K Oct 05 04:03 oxitraffic
-r-------- 1 moanos root 931 Oct 05 04:03 prometheus_postgres_exporter
-r-------- 1 moanos root 142K Oct 05 04:03 semaphore
-r-------- 1 moanos root 110K Oct 05 04:03 vaultwarden
-r-------- 1 moanos root 669K Oct 05 04:03 woodpecker_ci_server

Fuck. The database gay-pirate-assassins is not there. Why?

To explain that I have to tell you how it should work: Services deployed by the mash-playbook are automatically wired to the database and reverse proxy by a complex set of Ansible variables. This is great, because adding a service can therefore be as easy as adding

healthchecks_enabled: true
healthchecks_hostname: health.hyteck.de

to the vars.yml file.

This will then configure the postgres database automatically, based on the group_vars. They look like this

mash_playbook_postgres_managed_databases_auto_itemized:
- |-
{{
({
'name': healthchecks_database_name,
'username': healthchecks_database_username,
'password': healthchecks_database_password,
} if healthchecks_enabled and healthchecks_database_hostname == postgres_connection_hostname and healthchecks_database_type == 'postgres' else omit)
}}

Note that a healthchecks database is only added to the managed databases if healthchecks_enabled is True.

This is really useful for backups because the borgmatic configuration also pulls the list mash_playbook_postgres_managed_databases_auto_itemized. Therefore, you do not need to specify which databases to back up, it just backs up all managed databases.

However, the database for gay-pirate assassins was not managed. In the playbook it’s only possible to configure a service once. You can not manage multiple GoToSocial instances in the same vars.yml. In the past, I had two instances of GoToSocial running on the server. I therefore followed the how-to of “Running multiple instances of the same service on the same host”.

Basically this means that an additional vars.yml must be created that is treated as a completely different server. Databases must be created manually as they are not managed.

With that knowledge you can understand that when I say that the database for gay-pirate-assassins was not managed, this means it was not included in the list of databases to be backed up. The backup service thought it ran successfully, because it backed up everything it knew of.

So this left me with a three-month-old backup. Unacceptable.

Investigating

So the existing database needed to be rescued. I SSHed into the server and checked the database. It looked completely normal. I asked the devs if they could me provide me with the migrations as they already did in the past. However, they pointed out that the migrations are too difficult for that approach. They suggested to delete the oldest migration to force a re-run of the migrations.

Here is where I was confused, because this was the bun_migrations table:

gay-pirate-assassins=# SELECT * FROM bun_migrations ORDER BY id DESC LIMIT 5;
id | name | group_id | migrated_at
-----+----------------+----------+-------------------------------
193 | 20250324173534 | 20 | 2025-04-23 20:00:33.955776+00
192 | 20250321131230 | 20 | 2025-04-23 19:58:06.873134+00
191 | 20250318093828 | 20 | 2025-04-23 19:57:50.540568+00
190 | 20250314120945 | 20 | 2025-04-23 19:57:30.677481+00

The last migration ran in April, when I updated to v0.19.1. Strange.

At this point I went on vacation and paused investigations, not only because the vacation was great, but also because I bamboozeld by this state.

After my vacation I came back, and did some backups of the database.

$ docker run -e PGPASSWORD="XXXX" -it --rm --network mash-postgres postgres pg_dump -U gay-pirate-assassins -h mash-postgres gay-pirate-assassins > manual-backup/gay-pirate-assassins-2025-10-13.sql

Then I deleted the last migration, as I was advised

DELETE FROM bun_migration WHERE id=193;

and restarted the server. While watching the server come up it hit me in the face:

Oct 12 08:31:29 s3 mash-gpa-gotosocial[2251925]: timestamp="12/10/2025 08:31:29.905" func=bundb.sqliteConn level=INFO msg="connected to SQLITE database with address file:/opt/gotosocial/sqlite.db?_pragma=busy_timeout%281800000%29&_pragma=journal_mode%>
Oct 12 13:38:46 s3 mash-gpa-gotosocial[2304549]: timestamp="12/10/2025 13:38:46.588" func=router.(*Router).Start.func1 level=INFO msg="listening on 0.0.0.0:8080"

The server is starting from a completely different database! That explains why

the last migration was never done
the server showed me 0 users, 0 posts and 0 federated instances even though the postgres database had plenty of those

All of a sudden a SQlite database was configured. This happened because of this commit which introduced SQlite support and set it as default. This was not mentioned in the Changelog.

So what happened is, that the config changed and then the server was restarted and an empty DB was initialized. The postgres DB never started to migrate.

Fixing

To fix it, I did the following

Configure the playbook to use postgres for GoToSocial:

# vars.yml
gotosocial_database_type: postgres

Run the playbook to configure GoToSocial (but not starting the service)

just run-tags install-gotosocial

Check the configuration is correct
Start the service

The migrations took several hours but after that, everything looked stable again. I don’t think there are any lasting consequences. However, the server was unavailable for several days.

Learnings

I believe the main issue here was not the change in the config that went unnoticed by me. While I’d ideally notice stuff like this, the server is a hobby, and I’ll continue to not check every config option that changed.

The larger issue was the backup. Having a backup would have made this easy to solve. And there are other, less lucky problems where I’d be completely lost without a backup. So to make sure this doesn’t happen again, I did/will do the following:

1. Mainstream the config

As explained, I used a specific non-mainstream setup in the ansible playbook because, in the past, I ran two instances of GoToSocial on the server. After shutting down one of them, I never moved gay-pirate-assassins to be part of the main config. This means important parts of the configuration had to be done manually, which I botched.

So in the past week I cleaned up and gay-pirate-assassins is now part of the main vars.yml and will benefit from all relevant automations.

2. Checking backups

I was confident in my backups because

they run every night very consistently. If they fail e.g. because of a network outage I reliably get a warning.
I verified successfully run of the backup job prior to upgrading

The main problem was me assuming that a successful run of the backup command, meant a successful backup. Everyone will tell you that a backup that is not tested is not to be trusted. And they are right. However, doing frequent test-restores exceeds my time and server capacity. So what I’ll do instead is the following:

mount the backup before an upgrade
tail the backup file as created by postgres-backup and ensure the data is from the same day
check media folders for the last changed image

This is not a 100% guarantee, but I’d argue it’s a pretty good compromise for now. As the frequency of mounting backups increases and therefore becomes faster, I’ll re-evaluate to do a test-restore at least semi-regulary.

Conclusion

I fucked up, but I was lucky that my error was recoverable and no data was lost. Next time this will hopefully be not due to luck, but better planning!

Any questions? Let me know!

Trying Twenty: How does an Open Source CRM work?

2025-08-03T06:10:10+02:00

I spend my day working with Salesforce, a very, very feature-rich CRM that you pay big money to use. Salesforce is the opposite of OpenSource and the many features are expensive. Salesforce business model is based on this and on the lock-in effect. If your company invested in implementing Salesforce, they’ll likely pay a lot to keep it.

So what does an alternative look like? Let’s have a look at Twenty, an OpenSource CRM that recently reached the magic 1.0 version.

Getting started

There are two options of getting started: Register at app.twenty.com and start right away on the devs instance or self-host Twenty on your own server. I did the ladder, so let’s discuss how that. The basic steps I took were

point twenty.hyteck.de to a server
Install traefik on the server (I cheated, traefik was already installed)
Deploy this docker-compose.yml with this env file

Then visit the domain and set up the first user.

Features

Twenty offers an initial datamodel that you should be familiar from other CRMs. the standards objects are

Persons A individual person. You can attach notes, E-Mails, etc..
Companies The same for organizations. Organization websites must be unique
Opportunities The classic opportunity with customizable stages
Notes They can be attached to any of the objects above
Tasks Items to work on
Workflows Automations similar to Salesforce flows. E.g. you can create a task every time an Opportunity is created.

The basic datamodel can be extended in the GUI. Here is how my “Company” model looks like

You can add any of the following fields to an object.

Workflows

Workflows are Twenty’s way of allowing users to build automations. You can start a Workflow when a Record is created, updated or deleted. In addition, they can be started manually, on a schedule and via Webhook (yeah!).

You can then add nodes that trigger actions. Available right now are

Creating, updating or deleting a record
Searching records
Sending E-Mails This is the only option to trigger e-mails so far
Code Serverless Javascript functions
Form The form will pop up on the user’s screen when the workflow is launched from a manual trigger. For other types of triggers, it will be displayed in the Workflow run record page.
HTTP request Although possible via Code, this is a handy shortcut to trigger HTTP requests

What is currently completely missing are Foreach-loops and conditions. I can not say “If Opportunity stage is updated to X do Y else, do Z”. Without this, Workflows are really limited in their power.

What already seems quite mature though is the code option. It allows to put in arbitrary code and output a result.

I did not try a lot, but I assume most basic Javascript works. I successfully built an http request that send data to a server.

If what you’re doing is straightforward enough to not use loops and conditions or if you are okay with doing all of them in the Code node, you can do basically anything.

API

Twenty offers an extensive API that allows you to basically do everything. It’s well documented and easy to use.

Here is an example of me, syncing Rescue Organizations from notfellchen.org to Twenty.

import requests

from fellchensammlung.models import RescueOrganization


def sync_rescue_org_to_twenty(rescue_org: RescueOrganization, base_url, token: str):
 if rescue_org.twenty_id:
 update = True
 else:
 update = False

 payload = {
 "eMails": {
 "primaryEmail": rescue_org.email,
 "additionalEmails": None
 },
 "domainName": {
 "primaryLinkLabel": rescue_org.website,
 "primaryLinkUrl": rescue_org.website,
 "additionalLinks": []
 },
 "name": rescue_org.name,
 }

 if rescue_org.location:
 payload["address"] = {
 "addressStreet1": f"{rescue_org.location.street} {rescue_org.location.housenumber}",
 "addressCity": rescue_org.location.city,
 "addressPostcode": rescue_org.location.postcode,
 "addressCountry": rescue_org.location.countrycode,
 "addressLat": rescue_org.location.latitude,
 "addressLng": rescue_org.location.longitude,
 }
 headers = {
 "Content-Type": "application/json",
 "Authorization": f"Bearer {token}"
 }

 if update:
 url = f"{base_url}/rest/companies/{rescue_org.twenty_id}"
 response = requests.patch(url, json=payload, headers=headers)
 assert response.status_code == 200
 else:
 url = f"{base_url}/rest/companies"
 response = requests.post(url, json=payload, headers=headers)
 assert response.status_code == 201
 rescue_org.twenty_id = response.json()["data"]["createCompany"]["id"]
 rescue_org.save()

The Company, Business Model and Paid Features

The company behind Twenty is called “Twenty.com PBC” and mostly seems to consist of former AirBnB employees in Paris. The company is probably backed by Venture Capital. The current business model is to charge for using the company’s instance of Twenty. It starts at 9$/user/month without enterprise features. SSO and support will cost you 19$/user/month.

Selfhosting is free but SSO is locked behind an enterprise badge with seemingly no way to pay for activating it. I suspect that in the future more features will become “Enterprise only” even when self-hosting. All contributors must agree to a Contributor License Agreement (CLA), therefore I believe they could change the License in the future, including switching away from Open Source.

AI Usage

The repo contains a .cursor directory and CLAUDE.md so I assume the devs make (heavy?) use of LLM generated code. The ethical and legal problems with this are for you to decide. I don’t know what effect this has on code quality, for now I’d say things are sometimes buggy (failed upgrades) and UX could be better tested (looking at the e-mail integration) - if this is due to AI slop I don’t know.

Conclusion

Twenty is a really promising start of building a good CRM. The ease of customizing the datamodel, using the API and a solid beginning to Flows allows users to get a lot of value from it already. Flows need some more work to become as powerful as they should be and the E-Mail integration needs to get better.

Stating the obvious: This is not something that could ever replace Salesforce. However, there are many organizations that would benefit a lot from a CRM like Twenty, they simply don’t need, can’t handle or don’t want to pay for all the features other CRMs like Salesforce offer.

If Twenty continues to focus on small to medium companies and the right mix of standard features vs. custom development options I see a path where it becomes a solid choice for these companies. On the other hand there are the usual problems of VC-backed OSS development, and we shall see how it goes for them. Unless there is a strong userbase that credibly threatens a hard fork, enshittification could start soon.

Addendum: Important Features

Here is a short list of features I missed and their place on the roadmap if they have one

Compose & Send E-Mails Planned Q4 2025
Foreach loops in Workflows Q3 2025
Conditions in Flows Q4 2025

Thoughts on HTML mails

2025-07-12T12:05:10+02:00

Lately I worked on notification e-mails for notfellchen.org. Initially I just sent text notifications without links to the site. Terrible idea! An E-Mail notification I send always has Call-to-Action or at minimum a link to more information.

I left the system like this for half a year because it kinda worked for me (didn’t suck enough for me to care), and I was the main receiver of these notifications. However, as the platform is developed further and more users join I need to think about more user-centric notifications.

So what do I imagine is important to a user? *

Information benefit: An e-mail has the purpose to inform a user. This information should be immediately visible & understandable.
Actionables: Users should be able to act on the information received. This is the bright red button “DO SOMETHING NOW!” you see so often.
Unsubscribing: Informing e-mails stop is not only a legal requirement and morally the right thing to do but it also gives users agency and - I hope - increases the User Experience

With these I naturally came to the next question: Plaintext or HTML?

Some people would say Plaintext is inherently better than HTML e-mails. Many of these reasons resonate with me including:

Privacy invasion and tracking
HTML emails are less accessible
Some clients can’t display HTML emails at all
Mail client vulnerabilities

These are all valid points and are a reason I generally enjoy plaintext e-mails when I receive them. But this is not about me but users. And there are some real benefits of HTML e-mails:

Visually appealing: This is subjective but generally most users seem to agree on that
User guidance: Rich text provides a real benefit when searching for the relevant information

Be honest: Do you read automated e-mails you receive completely? Or do you just skim for important information?

And here HTML-mails shine: Information can easily be highlighted and big button can lead the user to do the right action. Some might argue that you can also a highlight a link in plaintext but that nearly always will worsen accessibility for screen-reader user.

The result

In the end, I decided that providing plaintext-only e-mails was not enough. I set up html mails, mostly using djangos send_mail function where I can pass the html message and attattching it correctly is done for me.

For anyone that is interested, here is how most my notifications are sent

def send_notification_email(notification_pk):
 notification = Notification.objects.get(pk=notification_pk)

 subject = f"{notification.title}"
 context = {"notification": notification, }
 if notification.notification_type == NotificationTypeChoices.NEW_REPORT_COMMENT or notification.notification_type == NotificationTypeChoices.NEW_REPORT_AN:
 html_message = render_to_string('fellchensammlung/mail/notifications/report.html', context)
 plain_message = render_to_string('fellchensammlung/mail/notifications/report.txt', context)
 [...]
 elif notification.notification_type == NotificationTypeChoices.NEW_COMMENT:
 html_message = render_to_string('fellchensammlung/mail/notifications/new-comment.html', context)
 plain_message = render_to_string('fellchensammlung/mail/notifications/new-comment.txt', context)
 else:
 raise NotImplementedError("Unknown notification type")

 if "plain_message" not in locals():
 plain_message = strip_tags(html_message)
 mail.send_mail(subject, plain_message, settings.DEFAULT_FROM_EMAIL,
 [notification.user_to_notify.email],
 html_message=html_message)

Yes this could be made more efficient - for now it works. I made the notification framework too complicated initially, so I’m still tyring out what works and what doesn’t.

Here is the html template

{% extends "fellchensammlung/mail/base.html" %}
{% load i18n %}
{% block title %}
 {% translate 'Neuer User' %}
{% endblock %}

{% block content %}
 <p>Moin,</p>
 <p>
 es wurde ein neuer Useraccount erstellt.

 </p>
 <p>
 Details findest du hier
 </p>
 <p>
 <a href="{{ notification.user_related.get_full_url }}" class="cta-button">{% translate 'User anzeigen' %}</a>
 </p>
{% endblock %}

and here the plaintext

{% extends "fellchensammlung/mail/base.txt" %}
{% load i18n %}
{% block content %}{% blocktranslate %}Moin,
es wurde ein neuer Useraccount erstellt.
User anzeigen: {{ new_user_url }}
{% endblocktranslate %}{% endblock %}

Works pretty well for now. People that prefer plaintext will get these and most users will have skimmable html e-mail where the styling will help them recognize where it’s from and what to do. Accessibility-wise this seems like the best option.

And while adding a new notification will force me to create

a new notification type,
two new e-mail templates and
a proper rendering on the website

this seems okay. Notifications are useful, but I don’t want to shove them everywhere. I’m not running facebook or linkedin after all.

So for now I’m pretty happy with the new shiny e-mails and will roll out the changes soon (if I don’t find any more wired bugs).

PS: I wrote this post after reading blog & website in the age of containerized socials by ava. Maybe this “Thoughts on” format will stay and I will post these in addition to more structured deep dives.

Update

I did a rework of the notification function and it’s now much cleaner now. However, it’s less readable so this blogpost will stay as-is. If you want to check out the new code have a look on Codeberg.

Improve OpenStreetMap data by using it

2025-06-28T14:05:10+02:00

Introduction

In the last month I improved the mapping of about 100 german animal shelters - not only out of the goodness of my heart, but because it helped me.

Let me explain why: I develop notfellchen.org, where users can search animals in animal shelters, specifically rats, they might want to adopt. The idea is to have a central website that allows you to search for rats in your area.

This is necessary because only a small percentage of animal shelters has rats. As a user, just checking your next shelter doesn’t work. Some users will stop after checking the second or third one and just buy from a pet shop (which is a very, very bad idea).

Now a central platform for is nice for users but has one problem: How do I, as operator of notfellchen, know where rats are?

I need to manually check every animal shelter in the country and if they have rats, ask them for permission to use images of the rats on my site. So wait I need to have is a list of animal shelters in germany and have their website, e-mail and phone number.

The source for all of this: You guessed it - OpenStreetMap 🥳

Getting the data

Downloading all german animal shelters is surprisingly easy: You use Overpass Turbo and get a .geojson to download.

here is the query I used:

[out:json][timeout:25];
// fetch area “Germany” to search in
{{geocodeArea:Germany}}->.searchArea;
// Check search area for all objects with animal shelter tag
nwr["amenity"="animal_shelter"](area.searchArea);
// print results
out geom;

Now upload it to notfellchen.org and I’ll be fine right?

Data Issues

Yeah well, this only mostly works. There were two main problems:

Missing contact data is annoying because I quickly want to check the website of animal shelters.

More annoying were what I’d call mapping errors. Most commonly an animal shelter had multiple nodes/ways tagged as amenity:animal_shelter. The highlight was the “Tierheim München” where about 10 buildings were tagged as amenity:animal_shelter and the contact data was sitting on the building with name “Katzenhaus” (“cat house”).

Now the “Tierheim München” appeared in my list 10 times but 9 of them had no contact data at all.

Correcting it

I could have corrected this only in the notfellchen database. It would have been faster and I could even automate parts of it. But I didn’t.

For each issue I found, I opened OpenStreetMap and added websites, phone numbers or even re-mapped the area. For “Tierheim München” I even opened a thread in the forum to discuss a proper tagging.

That makes sense for me because I get one important thing:

What I get out of it: Updates

What if a new shelter was added later or a shelter changed? I already profit a lot from the time people spend adding information, so why stop?

My database stores the OSM ID, so I can regularly query the data again to get updates. But that only works if I take an “upstream” approach: Fix the data in OSM, then load it into notfellchen. Otherwise, any change in my database will be overwritten by “old” OSM data.

Result

In the last month, I made 86 changes to OSM adding the following information

Type of information	Number of times added
Website	66
Phone Numbers	65
Operator	63
E-Mail	49
Fax	9

Yes I sometimes even added fax numbers. It was easy enough to add and maybe there is someone might use it.

Looking forward

I’m of course not done. Only half of the rescues known to OSM in germany are currently checked, so I’ll continue that work.

After that I’ll start adding the shelters that are just in my database. Currently, 33 animal shelters are known to notfellchen that are not known to OSM. This number will likely grow, maybe double.

A lot to do. And luckily, this work both benefits me and everyone using OSM. Happy mapping!

Meine SciFi und Fantasy Empfehlungen - Schriftgelehrte gegen KI

2025-03-03T18:05:10+02:00

Einführung

KI ist überall. Große Teile des Internets werden gerade durch KI-generierten Inhalten überschwemmt. Teilweise zeigen KI-generierte Artikel auch gefälschte Daten (vor 2022) an um so den Anschein zu erwecken nicht KI-generiert zu sein. Verlässliche und authentische Informationen zu finden ist daher um so schwerer.

Deshalb beginnt das Zeitalter der Schriftgelehrten, denn Informationen zu sammeln und aufzubereiten, das ist, was sie tun. Schriftgelehrte*r verwende ich hier als Übersetzung des englischen Wortes “Librarian”. Und so maße auch ich mir an mich (nur) dafür Schriftgelehrte*r zu nennen und versuche auf diesem Blog immer wieder Informationen zu sammeln und zu teilen (ironischerweise in dem Wissen, dass dieser Blog von KI-Unternehmen gescrapt wird).

Starten möchte ich mit Folgendem:

Sci-Fi und Fantasy

Wenn ich nach Sci-Fi und Fantasy suche, will ich weg von profit-optimierten Listen von Online-Buchhändler*innen, und hin zu echten Empfehlungen. Viele solche Empfehlungen bekomme ich im lokalen Buchladen. Gerade junge Buchhändler*innen können oft super Empfehlungen geben. Leider sind diese wenigen Mitarbeiter*innen selten und in Buchläden sind SciFi und Fantasy oft nur wenig vertreten und die Regale viel zu oft voll mit Büchern weißer Männer.

Deshalb jetzt zu den Empfehlungen die versuchen, das anders zu machen!

Die Liste beschreibt die Bücher nur kurz und sollte ohne Spoiler auskommen. In allen Büchern kommen queere Charaktere vor. Alle Links zum führen zu einem lokaln Buchladen oder Websites der Autor*innen oder des Verlags.

Becky Chambers: “Der lange Weg zu einem kleinen zorningen Planeten”

Dieses Buch ist eine wirklich wunderschön geschriebene Space-Opera mit Charakteren, die man ins Herz schließt. Auf dem kleinen Schiff ist viel Alltag und auf dem langen Weg lässt einen jede Zwischenstation in eine weitere Welt eintauchen, egal ob in einen trubeligen Markt oder einen abgeschiedenen Eisplanet.

Der zweite und dritte Teil handeln im gleichen Universum, sind jedoch nur über wenige Personen/geteilte Themen mit der ersten Geschichte verbunden.

Alle anderen Bücher von Becky Chambers sind auch sehr empfehlenswert “A Psalm for the Wild-Built” ist eine kurze Solarpunk Utopie.

Link zum Buch beim Frauenbuchladen Thalestris

Judith & Christian Vogt: Ace in Space

Ace in Space ist eine tolle Erzählung von einer Raumjäger-Pilotin, einer Gruppe Space-Punks die ihr Leben auf Social Media teilen. Angesiedelt ist das Buch eher im Cyber-Punk. Es geht gegen Großkonzerne, es geht um schnelle Flieger und Bars in engen Quartieren. Außerdem hat es eine der besten Sexszenen, die ich je lesen durfte.

Judith schreibt oft dystopischere Geschichten als ich normalerweise lese. Aber Laylayland und Wasteland zwei fantastische Bücher die ich nicht missen will. Die Bücher sind feministisch, queer und tollerweise auch mit Haupt(Charaktere) mit Behinderungen. Progressive Phanastik der höchsten Klassen!

Verlagsshop

Wer eine ganze Kurzgeschichte “der Vögte” (also Judith und Christian Vogt) als Leseprobe haben will, findet diese am Ende des Artikels als PDF.

T.J. Klune: Mr. Parnassus’ Heim für magisch Begabte

Wunderschöne Geschichte über einen Beamten der aus der Stadt rauskommt und ein Haus an der See. Mehr verrate ich nicht, ist aber eins meiner Lieblingsbücher.

Link zum Buch beim Frauenbuchladen Thalestris

Lena Richter: Dies ist mein letztes Lied

Eine mitreisende Geschichte in der die Hauptperson durch ihre Musik von Welt zu Welt gerissen wird. Was sie in den einzelnen Episoden erlebt ist schön und herzzerreißend. Ich habe die Novelle am Stück verschlungen und mit der Hauptperson gelacht und geweint.

Verlagsshop

Rebecca Thorne: “Can’t spell treason without tea”

In einer Fantasy Welt brennt eine Leibwächterin der Königin mit einer Magierin durch und sie eröffnen einen Teeladen. Es gibt auch den Nachfolger “A Pirate’s Life for Tea”, den hab ich aber noch nicht gelesen

Link zum Buch beim Frauenbuchladen Thalestris (Deutsche Übersetzung)

Travis Baldree: “Legends&Latte”

Eine Ork, die lange Jahre mit einer Gruppe Abenteuer unterwegs war versucht nun einen Buch & Teeladen aufzumachen. Sehr unterhaltsam, unerwartet friedlich und macht unglaublich Lust mehr in Cafes zu gehen!

“Bookshops & Bonedust” ist die Vorgeschichte, die aber gut nach Legends & Latte gelesen werden kann und auch später geschrieben wurde.

Link zum Buch beim Frauenbuchladen Thalestris

Sammlung: Sonnenseiten - Street Art trifft Solarpunk

22 Autor*innen haben Geschichten zusammengetragen die die beiden Kunstformen Street Art und Solarpunk verbinden. Besonders empfehlen kann ich die Geschichte “Uferlos” von Lena Richter die eine schwimmende Stadt zum Denken anregt und “Cloudart” von Dominik Windgätter in der ein “Maskenmädchen” Kunstwerke in den Himmel zeichnet.

Link zum Buch beim Frauenbuchladen Thalestris

Schluss

Ich hoffe die Empfehlungen machen, trotz ihrer Kürze, Lust aufs Lesen! Kauft bei eurem lokalen Buchladen und unterstützt kleine Verlage!

Falls das nicht sowieso schon klar war: Ich bekomme für diese Empfehlungen kein Geld, die Links haben kein Tracking, keine Referral Codes oder sonst etwas.

Kurzgeschichte FiatLux

Die Kurzgeschichte ist von Judith und Christian Vogt und steht unter der Lizenz CC-BY-NC-SA, darf also mit Namensnennung, nichtkommerziell und unter gleichen Bedingungen geteilt werden (wie schön ist das denn bitte?!).

Download the PDF!

I did something naughty: Circumventing Authorized-Fetch as implemented by GoToSocial

2024-12-11T06:10:10+02:00

Yes the title is correct, but I had nothing malicious in mind!

What this is about

For @qzt@queereszentrumtuebingen.de we include the public feed in a sidbar on the homepage. Initially this was done using the standard API to fetch statuses /api/v1/accounts/{account_id}/statuses and worked like a charm. The problem started when GoToSocial (the fediverse server we use, similar to mastodon) implemented authorized fetch. This is a a good thing! Authorized fetch means, that every call to a endpoint needs to be authorized by an access_token. You get an access token from a fedi account. It’s what fediverse clients like Tusky or Phanpy do on your behalf to get the posts that make up you timeline.

Authorized fetch has major advantages as

data scraping can only be done by other fediaccounts
blocking can not be circumvented by using the public API

and much more. Sadly it also broke our website integration.

Possible Solutions

So what now? I initially wanted to turn of authorized fetch for @qzt@queereszentrumtuebingen.de by messing with the GoToSocial code and turning it off for the whole server. This would have been possible as this is the only user on the server. The GoToSocial devs helped me manage to find where to do that. But it’s not ideal and would make me build a custom docker image fore each update.

Next idea: The whole point of authorized fetch is, that only fedi-accounts (and apps they authorized) can access the API. So lets do that! Set up a new account, add app and authorize it as described in the GoToSocial documentation. I used #Bruno for that, that was much more comfortable than using curl for me. With that authorization code you can now get an access token for your app. Put that in the Javascript that loads posts and we are good right? Sadly no. It would totally work. But it would also allow anyone to read and post on behalf of the account. That calls for malicious actors using this for scraping or spamming.

So instead, we need a proxy that stores the access token securely and restricts the actions.

The proxy

Such a proxie must

offer the endpoint that provides the same data as the FediverseAPI
authorize itself to the FediverseAPI via access_token
restrict to read access of consenting accounts

The last point is really important, as we don’t want to allow others to use this endpoint to scrape data unauthorized.

I wrote a short FastAPI server that offers this. It only implements one method

@app.get("/api/v1/accounts/{account_id}/statuses")
async def fetch_data(account_id):
if account_id not in ALLOWED_ACCOUNTS:
raise HTTPException(status_code=401, detail="You can only use this proxy to access configured accounts")
headers = {"Authorization": f"Bearer {ACCESS_TOKEN}"}
response = requests.get(f"{EXTERNAL_API_BASE_URL}/api/v1/accounts/{account_id}/statuses", headers=headers)
return response.json()

Basically this is the whole API code, I only trimmed a few checks and error handling.

Deployment

To deploy, I put it in a docker container and started it via docker-compose. Reverse proxing is handled by Traefik, I won’t go into detail here.

services:
fediproxy.example.org:
image: docker.io/moanos/fediproxy
container_name: "fediproxy.example.org"
restart: unless-stopped
environment:
EXTERNAL_API_BASE_URL: ${EXTERNAL_API_BASE_URL}
ACCESS_TOKEN: ${ACCESS_TOKEN}
ALLOWED_ACCOUNTS: ${ALLOWED_ACCOUNTS}
labels:
- "traefik.enable=true"
- "traefik.docker.network=traefik"
- "traefik.http.routers.fediproxy.rule=Host(`fediproxy.example.org`)"
- "traefik.http.routers.fediproxy.service=fediproxy-service"
- "traefik.http.routers.fediproxy.entrypoints=web-secure"
- "traefik.http.routers.fediproxy.tls=true"
- "traefik.http.routers.fediproxy.tls.certResolver=default"
- "traefik.http.services.fediproxy-service.loadbalancer.server.port=8000"
networks:
- traefik
networks:
traefik:
name: "traefik"
external: true

I added a short .env to configure:

ACCESS_TOKEN=VERYSECRETTOKENTHATISDEFINETLYREAL
EXTERNAL_API_BASE_URL=https://gay-pirate-assassins.de
ALLOWED_ACCOUNTS=ZGGZF4G8NNOTREAL81Z8G7RTC

Results

Now I can again use something like the wordpress plugin Include Mastodon Feed just by pointing to the proxy: [include-mastodon-feed instance="fediproxy.example.org.de" account="ZGGZF4G8NNOTREAL81Z8G7RTC"]

Hope you enjoyed the read. Source code for the proxy can be found here: https://git.hyteck.de/moanos/FediProxy If you want to play around a bit you can use https://git.hyteck.de/moanos/include-fedi

Sloth logo of GTS by Anna Abramek, Creative Commons BY-SA license.

Where are you? - Part 2 - Geocoding with Django to empower area search

2024-10-04T14:05:10+02:00

Introduction

In the previous post I outlined how to set up a Nominatim server that allows us to find a geolocation for any address on the planet. Now let’s use our newfound power in Django. Again, all code snippets are CC0 so make free use of them. But I’d be very happy if you tell me if you use them for something cool!

Prerquisites

You have a working geocoding server or use a public one
You have a working django app

If you want to do geocoding in a different environment you will still be able to use a lot of the the following examples, just skip the Django-specifics and configure the GEOCODING_API_URL according to your needs.

Using the Geocoding API

First of all, let’s define the geocoding API URL in our settings. This enables us to switch easily if a service is not available. Add the following to you settings.py

# appname/settings.py
""" GEOCODING """
GEOCODING_API_URL = config.get("geocoding", "api_url", fallback="https://nominatim.hyteck.de/search") # Adjust if needed

We can then add a class that interacts with the API.

import logging

import requests
import json
from APPNAME import __version__ as app_version
from APPNAME import settings


class GeoAPI:
 api_url = settings.GEOCODING_API_URL
 # Set User-Agent headers as required by most usage policies (and it's the nice thing to do)
 headers = {
 'User-Agent': f"APPNAME {app_version}",
 'From': 'info@example.org'
 }

 def __init__(self, debug=False):
 self.requests = requests # ignore why we do this for now

 def get_coordinates_from_query(self, location_string):
 result = self.requests.get(self.api_url, {"q": location_string, "format": "jsonv2"}, headers=self.headers).json()[0]
 return result["lat"], result["lon"]

 def _get_raw_response(self, location_string):
 result = self.requests.get(self.api_url, {"q": location_string, "format": "jsonv2"}, headers=self.headers)
 return result.content

 def get_geojson_for_query(self, location_string):
 try:
 result = self.requests.get(self.api_url,
 {"q": location_string,
 "format": "jsonv2"},
 headers=self.headers).json()
 except Exception as e:
 logging.warning(f"Exception {e} when querying Nominatim")
 return None
 if len(result) == 0:
 logging.warning(f"Couldn't find a result for {location_string} when querying Nominatim")
 return None
 return result

The wrapper is a synchronous interface to our geocoding server and will wait until the server returns a response or times out. This impacts the user experienc, as a site will take longer to load. But it’s much easier to code, so here we are. If anyone wants to write a async interface for this I’ll not stop them!

Fornow, let’s start by adding Location to our models.py

class Location(models.Model):
 place_id = models.IntegerField()
 latitude = models.FloatField()
 longitude = models.FloatField()
 name = models.CharField(max_length=2000)

 def __str__(self):
 return f"{self.name} ({self.latitude:.5}, {self.longitude:.5})"

 @staticmethod
 def get_location_from_string(location_string):
 geo_api = geo.GeoAPI()
 geojson = geo_api.get_geojson_for_query(location_string)
 if geojson is None:
 return None
 result = geojson[0]
 if "name" in result:
 name = result["name"]
 else:
 name = result["display_name"]
 location = Location.objects.create(
 place_id=result["place_id"],
 latitude=result["lat"],
 longitude=result["lon"],
 name=name,
 )
 return location

Don’t forget to make&run migrations after this

An finally we can use the API!

location = Location.get_location_from_string("Berlin")
print(location)
# Berlin, Deutschland (52.51, 13.38)

Looking good!

Area search

Now wee have the coordinates - great! But how can we get the distance between coordinates? Lukily we are not the first people with that question and there is the Haversine Formula that we can use. It’s not a perfect fomula, for example it assumes the erth is perfectly round which the earth is not. But for most use cases of area search this should be irrelevant for the final result.

Here is my implementation

def calculate_distance_between_coordinates(position1, position2):
 """
 Calculate the distance between two points identified by coordinates
 It expects the coordinates to be a tuple (lat, lon)

 Based on https://en.wikipedia.org/wiki/Haversine_formula
 """
 earth_radius_km = 6371 # As per https://en.wikipedia.org/wiki/Earth_radius
 latitude1 = float(position1[0])
 longitude1 = float(position1[1])
 latitude2 = float(position2[0])
 longitude2 = float(position2[1])

 distance_lat = radians(latitude2 - latitude1)
 distance_long = radians(longitude2 - longitude1)

 a = pow(sin(distance_lat / 2), 2) + cos(radians(latitude1)) * cos(radians(latitude2)) * pow(sin(distance_long / 2),
 2)
 c = 2 * atan2(sqrt(a), sqrt(1 - a))

 distance_in_km = earth_radius_km * c

 return distance_in_km

And with that we have a functioning area search 🎉

Where are you? - Part 1 - Geocoding with Nominatim to empower area search

2024-09-28T12:05:10+02:00

Introduction

Geocoding is the process of translating a text input like Ungewitterweg, Berlin into a location with longitude and latitude such as 52.544022/13.147589. So whenever you search in OpenStreetMap or Google Maps for a location, it does exactly that (and sometimes more, but we don’t focus on that now).

For a pet project of mine (notfellchen.org) I wanted to do exactly that: When a animal is added there to be adopted, the user must input a location that is geocoded and saved with it’s coordinates. When another user visits the site, that wants to adopt a pet in their area, they input their location and it will search for all animals in a specific radius.

How is that done? I’ll show you!

Nominatim

Nominatim is a software that uses OpenStreetMap data for geocoding. It can also do the reverse, find an address for any location on the planet. It is used for the geocoding on OpenStreetMap, so it’s quite production-ready. We could use the public API (while obeying the usage policy) but it’s nicer to have our own instance, so we don’t stress the resources of a donation funded organization and to improve user privacy.

Nominatim works by importing geodate from a PBF-file into a postgres database. This database will later be queried to provide location data. The process is described below.

DNS records

Se let’s start by setting the DNS records so that the domain geocoding.example.org points to your server. Adjust as needed.

Value	Type	Target
geocoding.example.org	CNAME	server1.example.org

Docker-compose Configuration

We will use Docker Compose to run the official Nominatim Docker image.

It bundles nominatim together with the database postgres. I usually prefere to have a central database for multiple services (e.g. allows easier backups) but for nominatim a seperate database is good for two reasons

import process (described later) will not slow the database for other services
it’s easier to nuke everything if things go wrong

The following environment variables will be used to configure the container

PBF_URL: The URL from where to download the PBF file that contains the geodate we will import. They can be obtained from Geofabrik. It is highly recommended to first download the file to a local server and then set this URL to that server so that the ressources from Geofabrik are not affected if something goes wrong. Feel free to use the pre-set URL for germany while it works if you want to test around.
REPLICATION_URL: Where to get updates from. For example Geofabrik’s update for the Europe extract are available at https://download.geofabrik.de/europe-updates/ Other places at Geofabrik follow the pattern https://download.geofabrik.de/$CONTINENT/$COUNTRY-updates/
POSTGRES_ Postgres tuning data, the current setting allows imports on a ressource constrained system. See postgres tuning docs for more info
NOMINATIM_PASSWORD: Database password.
IMPORT_STYLE: See below

Import Styles

Import styles will determin how much “resolution” the geocoding has. It has the following options

admin: Only import administrative boundaries and places.
street: Like the admin style but also adds streets.
address: Import all data necessary to compute addresses down o house number level.
full: Default style that also includes points of interest.
extratags: Like the full style but also adds most of the OSM tags into the extratags column.

It has a huge impact on how long the import will take and how much space it will require. Be aware that the import time is on a machine with 32GB RAM, 4 CPUS and SSDs, these are not fixed numbers. My import of admin took 12 hours.

Style	Import time	DB size	after drop
admin	4h	215 GB	20 GB
street	22h	440 GB	185 GB
address	36h	545 GB	260 GB

Explaining after drop (from the docs)

About half of the data in Nominatim’s database is not really used for serving the API. It is only there to allow the data to be updated from the latest changes from OSM. For many uses these dynamic updates are not really required. If you don’t plan to apply updates, the dynamic part of the database can be safely dropped using the following command: ./utils/setup.php --drop

I have not done this, so I don’t have any experince with that. But probably it’s a good idea if you don’t need up-to-date data.

Reverse Proxy

As with most of my projects, it runs on a server where the mash-playbook has deployed a Traefik, as Application Proxy. I’ll therefore use trafik labels to configure the revers proxy but the same could be achieved with Caddy or Nginx.

Complete configuration

services:
nominatim:
environment:
- PBF_URL=https://cdn.hyteck.de/osm/germany-latest.osm.pbf
- REPLICATION_URL=https://download.geofabrik.de/europe/germany-updates/
- POSTGRES_SHARED_BUFFERS=1GB
- POSTGRES_MAINTENANCE_WORK_MEM=1GB
- POSTGRES_AUTOVACUUM_WORK_MEM=500MB
- POSTGRES_EFFECTIVE_CACHE_SIZE=1GB
- IMPORT_STYLE=admin
- NOMINATIM_PASSWORD=VERYSECRET
labels:
- "traefik.enable=true"
- "traefik.docker.network=traefik"
- "traefik.http.routers.nominatim.rule=Host(`geocoding.example.org`)"
- "traefik.http.routers.nominatim.service=nominatim-service"
- "traefik.http.routers.nominatim.entrypoints=web-secure"
- "traefik.http.routers.nominatim.tls=true"
- "traefik.http.routers.nominatim.tls.certResolver=default"
- "traefik.http.services.nominatim-service.loadbalancer.server.port=8080"
container_name: nominatim
image: mediagis/nominatim:4.4
restart: always
networks:
- traefik
volumes:
- nominatim-data:/var/lib/postgresql/14/main
- nominatim-flatnode:/nominatim/flatnode
shm_size: 1gb
volumes:
nominatim-flatnode:
nominatim-data:
networks:
traefik:
name: "traefik"
external: true

Importing

Now we are ready to go! Before you type docker-compose up -d let me explain what it will do

Start the database
Download the PBF file from the given URL
Import the PBF file into the database. Here you are most likely to run into errors because of ressource constraints
Start the Nominatim server

If you are ready, lets go: docker-compose up -d. Monitor what nominatim is doing with docker logs -f nominatim and make a cup of tea. This will take a while (proably several hours).

Testing

You can test your server by visiting the domain. Try /?q=CITYNAME to see an actual search result.

Example: https://geocoding.example.org/?q=tuebingen

Result

You should now have a running Nominatim instance that you can use for geocoding 🎉. Initially I wanted to show in the same post how you’d use this server to power area search in django but that will be in part 2. Feel free to ping me for questions, preferably at @moanos@gay-pirate-assassins.de

Oh and one last thing:

Legal requirements

Data from OpenStreetMap is licenced under the Open Database License. The ODbL allows you to use the OSM data for any purpose you like but attribution is required. For showing map data, you’d usually display a small badge in the bottom left corner of the map. But geocoding also needs attribution, as per this guideline.

Styling an Django RSS Feed

2024-04-16T12:10:10+02:00

Introduction

RSS is amazing! While not everyone thinks that, most people that understand RSS, like it. This presents a problem, as most people don’t have chance to learn about it. Unless there is a person in the community that doesn’t shut up about how great RSS is (maybe that person is you), they might not even know what it is, let alone use it.

One big reason for this is, that when you click an link to an RSS feed you download a strange file that most people don’t know how to deal with. Maybe your browser is nice and renders some XML which is also not meant for human consumption. Wouldn’t it be better if people clicked on the RSS link and were greeted by a text explaining RSS and how to use it? And if the site would still be a valid RSS feed?

Luckily you don’t have to imagine that - it’s possible! You can even try it on this blog by clicking the RSS link in the menu (direct link).

Doing this has not been my idea. Darek Kay described this in the blog post Style your RSS feed and I just copied most of their work! This was fairly easy for this Hugo blog and is available in my fork of the hugo-nederburg-theme. However, in a Django project it get’s a bit more complicated. Let me explain.

The Problem

Django has the great Syndication feed framework, a high level framework to create RSS and Atom Feeds. This is great as we only need a few lines of code to create a feed. Here is an example from notfellchen.org that list animals that are in search for a new home. People should be able to follow the RSS feed to see new adoption notices. So lets do it

# in src/fellchennasen/feeds.py
from django.contrib.syndication.views import Feed

from .models import AdoptionNotice

class LatestAdoptionNoticesFeed(Feed):
 title = "Notfellchen"
 link = "/rss/"
 description = "Updates zu neuen Vermittlungen."

 def items(self):
 return AdoptionNotice.objects.order_by("-created_at")[:5]

 def item_title(self, item):
 return item.name

 def item_description(self, item):
 return item.description

# in src/fellchennasen/urls.py
urlpatterns = [
 path("", views.index, name="index"),
 path("rss/", LatestAdoptionNoticesFeed(), name="rss"), # <--- Added
 ...

Wait that’s it? Yeah! We have a working RSS feed. And it was very convenient, Django allows us to create by just pointing it to the right model and fields we want to display.

But here is the problem: How do we style this? We can’t just add a link to a stylesheet here.

The solution

First we need to add our styling files. I’ll not go into detail how they work her, just refer Darek’s blog post for that. In Django we add them to our static files

static/rss.xsl will be adjusted based on this file. It is responsible for creating a html rendering of your XML file
for static/css/rss-styles you can drop in this file, which is a basic CSS file you can edit to your liking.

After that comes the hard part. How do tweak this wonderfully simple Feed class to include a link to our style sheet? I first thought “that must be easy, just follow the docs on custom feed generators and add a root element. Something like this:

class FormattedFeed(Rss201rev2Feed):

 def add_root_elements(self, handler):
 super().add_root_elements(handler)
 # We want <?xml-stylesheet href="/static/rss.xsl" type="text/xsl"?>
 handler.addQuickElement("?xml-stylesheet", f'href="{static("rss.xsl")}"')

class LatestAdoptionNoticesFeed(Feed):
 feed_type = FormattedFeed
 title = "Notfellchen"
 ...

Looks good. Let’s try. Oh no what is this?

<?xml-stylesheet href="/static/rss.xsl"/>

Yes, we can’t correctly close this tag. There is (to my knowledge) no easy way to do this. So let’s take the hard road an implement a custom write function. In the following the write function will be copied from django.utils.feedgenerator.RssFeed. We make two important changes to the class:

Changing the content type from content_type = "application/rss+xml; charset=utf-8" to content_type = "text/rss+xml; charset=utf-8. This will make a browser display the content rather than opening it in a app.
Adding our xml-stylsheet information. This is done in the write() function with this line

handler._write(f'<?xml-stylesheet href="{static("rss.xsl")}" type="text/xsl"?>')

Putting it all together we still have a relativly simple solution with only the necessary adjustments. Here is the full feeds.py:

from django.contrib.syndication.views import Feed
from django.utils.feedgenerator import Rss201rev2Feed
from django.templatetags.static import static
from django.utils.xmlutils import SimplerXMLGenerator

from .models import AdoptionNotice


class FormattedFeed(Rss201rev2Feed):
 content_type = "text/xml; charset=utf-8"
 def write(self, outfile, encoding):
 handler = SimplerXMLGenerator(outfile, encoding, short_empty_elements=True)
 handler.startDocument()
 handler._write(f'<?xml-stylesheet href="{static("rss.xsl")}" type="text/xsl"?>')
 handler.startElement("rss", self.rss_attributes())
 handler.startElement("channel", self.root_attributes())
 self.add_root_elements(handler)
 self.write_items(handler)
 self.endChannelElement(handler)
 handler.endElement("rss")


class LatestAdoptionNoticesFeed(Feed):
 feed_type = FormattedFeed
 title = "Notfellchen"
 link = "/rss/"
 description = "Updates zu neuen Vermittlungen."

 def items(self):
 return AdoptionNotice.objects.order_by("-created_at")[:5]

 def item_title(self, item):
 return item.name

 def item_description(self, item):
 return item.description

And finally we have what we want! A RSS feed displayed in the browser, with beginner-friendly explanation and still completely spec-compliant.

Outlook

Now you may recognize I’m not a frontend person. The style could be prettier and provide a better overview. But I’d argue the improvement is immense and might help a user to get started with RSS.

There are still a couple things to improve:

Translation: The current text is only displayed in english
The rss.xsl file has a hard-coded link to the css stylesheet in it

<link rel="stylesheet" type="text/css" href="/static/fellchensammlung/css/rss-styles.css"/>

Both can be solved by templating the rss.xsl instead of serving it as static file.

So have fun playing around! If you have created or found a nice-looking RSS feed let me know. Let’s keep RSS alive and thriving!

Tracking blog readers with OxiTraffic

2023-11-10T12:10:10+02:00

I recently stumbled upon OxiTraffic, a self-hosted, simple and privacy respecting website traffic tracker which is well suited for blogs. What that means is

No personal data is logged
one binary or simple docker container
Readers are only counted if they spend >20s per site

As I currently have no analytics on my blog and I am not inclined to use anything that adds more than 2 sentences to my privacy disclaimer I thought I give it a try. Naturally I wrote an ansible role for this, which can be found under mother-of-all-self-hosting/ansible-role-oxitraffic. I now have this neat graph.

As the main prupose of a blog is to describe how to host the blog, I’ll continue in this tradition and describe my process below.

The Ansible Role & Playbook Integration

The ansible role is pretty simple so I won’t go into detail. It set’s up the configuration file based on your environment variables and sensible defaults and adds a labels file for traefik to use later. The systemd service that starts the container ensures it runs read-only and as non-root user (which worked out of the box, kudos to the developer).

The mash-playbook integration is wiring the OxiTraffic to the Traefik reverse proxy and the Postgres database.

After running just install-all everything was set up*.

* Actually I found a bug which was fixed very fast

Hugo Theme Integration

I maintain a fork of the hugo-nederburg-theme by Appernetic and naturally wanted to include it there. Adding the following to themes/hugo-nederburg-theme/layouts/partials/head.html is all I needed

{{ with .Site.Params.oxitraffic_url }}
 <script src="{{ . }}" defer></script>
{{ end }}

I could then make us of this by setting the Oxitraffic URL in the theme settings

[params]
 slogan = "Blog of Julian-Samuel Gebühr"
 description = "Blog of Julian-Samuel Gebühr" # meta description
 [...]
 oxitraffic_url = "https://traffic.hyteck.de/count.js"

And that was it. You can have a look at the traffic of this blog at traffic.hyteck.de.

Advanced: Setting up multiple sites in on one MASH host

You might have multiple sites that need tracking, but an instance of OxiTraffic can only monitor one site. Setting up multiple instances of OxiTraffic is more complicated in MASH, but can be done. Here is how (always replace s3 and other with you own names):

Re-Do your Inventory as described in running-multiple-instances. I’ll use s3 as my “main” host here and s3.other as new host.
Add the following in inventory/host_vars/s3.other

# PLAYBOOK STUFF
mash_playbook_generic_secret_key: 'LONGSECRET'

mash_playbook_service_identifier_prefix: 'mash-other-'
mash_playbook_service_base_directory_name_prefix: 'other-'

# OXITRAFFIC configuration
oxitraffic_enabled: true
oxitraffic_hostname: traffic.other-service.de
oxitraffic_tracked_origin: https://other-service.de

oxitraffic_database_hostname: mash-postgres
oxitraffic_database_port: 5432
oxitraffic_database_name: other-oxitraffic
oxitraffic_database_password: VERYSECRET
oxitraffic_database_username: other-oxitraffic


oxitraffic_systemd_required_services_list: |
 {{
 (['docker.service'])
 +
 (['mash-postgres.service'])
 }}

oxitraffic_container_additional_networks: |
 {{
 (['traefik'])
 +
 (['mash-postgres'])
 }}

oxitraffic_container_labels_traefik_enabled: "true"
oxitraffic_container_labels_traefik_docker_network: "traefik"
oxitraffic_container_labels_traefik_entrypoints: "web-secure"
oxitraffic_container_labels_traefik_tls_certResolver: "default"

Create the database

Unlike for other mash services th database will not be created automatically. You therefore need to set it up yourself. Here are the steps that you need to run in the postgres CLI (which cou can access by running /mash/postgres/bin/cli)

Create a user: CREATE USER "other-oxitraffic" with ENCRYPTED PASSWORD 'PASSWORD_FROM_ABOVE';
Create database: CREATE DATABASE other-oxitraffic;
Grant privileges: GRANT ALL PRIVILEGES ON DATABASE "other-oxitraffic" TO "other-oxitraffic";
Grant ownership: ALTER DATABASE "other-oxitraffic" OWNER TO "other-oxitraffic";

Deploying a django app with docker, ansible and traefik

2023-07-24T22:10:10+02:00

This blog post will try to outline the process of deploying ILMO (a Django app) by building a docker image, using ansible to install&configure it on our server and use Traefik as webserver that is readily configured and obtains certificates for us.

I will go through the steps one by one and link more extensive documentation.

Building the docker image

Building the docker image is pretty straightforward as it closely resembles the steps of manual deployment. The docker file is probably terribly inefficient as it is to large and should be build in stages. Consider this a working example, not a best practice. Also feel free to give me pointers on how to improve it. Specifics I want to point out are:

static files are collected when building the image
pip install -e . is used to install the python package. Without -e the apps static files will not be collected correctly. I haven’t figured out why.
the CMD ilmo is executed when starting the container and maps to the script in docker/ilmo.bash (see below).

FROM python:3-slim
MAINTAINER Julian-Samuel Gebühr

ENV DOCKER_BUILD=true

RUN apt update
RUN apt install gettext -y
ENV VIRTUAL_ENV=/var/ilmo/venv
RUN python -m venv $VIRTUAL_ENV
ENV PATH="$VIRTUAL_ENV/bin:$PATH"
COPY src/requirements.txt requirements.txt
RUN pip install -r requirements.txt
WORKDIR /var/ilmo
COPY . .
RUN pip install -e . # Without the -e the library static folder will not be copied by collectstatic!
RUN mkdir /ilmo
RUN mkdir /ilmo/static
RUN ilmo-manage collectstatic --noinput
RUN ilmo-manage compilemessages --ignore venv

COPY docker/ilmo.bash $VIRTUAL_ENV/bin/ilmo

EXPOSE 8345
CMD ["ilmo"]

The standard command of the container is a small bash script located at docker/ilmo.bash that

activates the virtual environment
sets a number of workers based on the available CPU cores
applies migrations to the database
executes gunicorn as WSGI HTTP Server on port 8345

#!/bin/bash

set -eux

cd /var/ilmo/src
export DATA_DIR=/var/ilmo/
source /var/ilmo/venv/bin/activate

AUTOMIGRATE=${AUTOMIGRATE:-yes}
NUM_WORKERS_DEFAULT=$((2 * $(nproc --all)))
export NUM_WORKERS=${NUM_WORKERS:-$NUM_WORKERS_DEFAULT}

if [ "$AUTOMIGRATE" != "skip" ]; then
 ilmo-manage migrate --noinput
fi

exec gunicorn ilmo.wsgi \
 --name ilmo \
 --workers $NUM_WORKERS \
 --max-requests 1200 \
 --max-requests-jitter 50 \
 --log-level=info \
 --bind 0.0.0.0:8345

Using WhiteNoise to serve static files

Django apps usually put their static files in the directory you define in STATIC_ROOT after running python manage.py collectstatic and expect a webserver like nginx to serve theses files. Now as discussed before traefik does not easily serve static files. Luckily there is a solution for that: WhiteNoise. It allows a django app to serve it’s own static files pretty efficiently while it also takes care of best-practices for you, for instance:

Serving compressed content (gzip and Brotli formats, handling Accept-Encoding and Vary headers correctly)
Setting far-future cache headers on content which won’t change (useful if working with CDNs).

To get it to work we have to:

add WhiteNoise to the dependencies (see my pyproject.toml)
add the WhiteNoise middleware directly after the SecurityMiddleware

MIDDLEWARE = [
 # ...
 "django.middleware.security.SecurityMiddleware",
 "whitenoise.middleware.WhiteNoiseMiddleware",
 # ...
]

define the storage backend (this is new for django >4.2, for previous version use STATICFILES_STORAGE). This is not strictly necessary but improves performance.

STORAGES = {
 "staticfiles": {
 "BACKEND": "whitenoise.storage.CompressedManifestStaticFilesStorage",
 },
}

When testing if the new configuration works you should test with DEBUG=False. Otherwise django will serve static files by itself (which is not safe for production). If you encounter problems check the Whitenoise Documentation.

Traefik as webserver

Traefik is a HTTP(S) reverse proxy and load balancer. It is focused on containers and supports dynamic configuration. This means we can spin up a docker container with the --label /path/to/label_file flag and traefik will use the configuration in the label file to register a new service and router, obtain SSL certificates and start routing traffic to your application.

For ILMO our traefik configuration adds some sensible response headers, defines an entrypoint (web-secure stands for HTTPS via port 443), add a SSL certificate resolver (default is here LetsEncrypt) and tells traefik where to send traefik to traefik.docker.network=traefik and traefik.http.services.mash-ilmo.loadbalancer.server.port=8345. It assumes traefik and the application are both in the docker network called traefik.

Everything together looks like this:

traefik.docker.network=traefik

traefik.http.middlewares.mash-ilmo-add-response-headers.headers.customresponseheaders.X-XSS-Protection=1; mode=block
traefik.http.middlewares.mash-ilmo-add-response-headers.headers.customresponseheaders.X-Frame-Options=SAMEORIGIN
traefik.http.middlewares.mash-ilmo-add-response-headers.headers.customresponseheaders.X-Content-Type-Options=nosniff
traefik.http.middlewares.mash-ilmo-add-response-headers.headers.customresponseheaders.Content-Security-Policy=frame-ancestors 'self'
traefik.http.middlewares.mash-ilmo-add-response-headers.headers.customresponseheaders.Permission-Policy=interest-cohort=()
traefik.http.middlewares.mash-ilmo-add-response-headers.headers.customresponseheaders.Strict-Transport-Security=max-age=31536000; includeSubDomains

traefik.enable=true
traefik.http.routers.mash-ilmo.rule=Host("ilmo.example.com")
traefik.http.routers.mash-ilmo.middlewares=mash-ilmo-add-response-headers
traefik.http.routers.mash-ilmo.service=mash-ilmo
traefik.http.routers.mash-ilmo.entrypoints=web-secure
traefik.http.routers.mash-ilmo.tls=true
traefik.http.routers.mash-ilmo.tls.certResolver=default
traefik.http.services.mash-ilmo.loadbalancer.server.port=8345

Ansible to deploy

The ansible role will set up everything we did so far on the server. I will not discuss the inner workings of the role in detail as the role is mostly derived from the generic role layout we use in MASH for a large variety of services.

The role features: Install, uninstall and creating the first user. It does so by installing a config and data path, configuring the traefik labels and configuration file, pulling the docker image and finally setting up a systemd service to start the container.

Used together with the MASH playbook it will also set up a database user and database and install traefik.

The full role can be found at ansible-role-ilmo

Final thoughts

The process of deploying a django app via docker sure is somewhat complicated. In the end I am still glad to have done it as I think it a) will make deployment more reliable & easier to maintain b) encouraged me to make some design decisions that improved the app itself.

Reach out if you have questions or think this blog post could be improved!

Hosting static sites with Traefik

2023-07-16T15:10:10+02:00

Hosting Static Sites with Traefik and Static Web Server

Traefik is amazing to host complex services like with containers. On the other hand it’s harder than you’d think to host a simple static html site. I wanted to share my current approach that is based on Static Web Server Project.

Static Web Server (SWS)

Static Web Server (or SWS abbreviated) is a simple and really fast web server with the goal to serve static web files or assets. The tiny docker image is only 4 MB with a small memory footprint. We can therefore afford to run a container for each static site.

Architecture

On the server we set up all static sites in one folder called static-sites. As we run the SWS with docker-compose we add the docker-compose.yml to this folder too. The following is an example setup with two static sites on seperate domains.

| static-sites
|
| docker-compose.yml
| - domain1.example.org
| - index.html
| - domain2.example.org
| - index.html
| - fonts
| - Open-Dyslexic.odf

For each domain we add a folder. I like to name them by the domain name but this is not necessary (just remember the volume in the docker-compose.yml too).

With this done we can now fill the appropriate information in the docker-compose.yml. Copy the following and replace domain1.example.org, domain2.example.org, site-one and site-two.

version: "3.3"

services:
 domain1.example.org:
 image: joseluisq/static-web-server:2
 container_name: "domain1.example.org"
 environment:
 # Note: those envs are customizable but also optional
 - SERVER_PORT=8080
 - SERVER_ROOT=/public
 - SERVER_LOG_LEVEL=info
 volumes:
 - ./domain1.example.org:/public
 labels:
 - "traefik.enable=true"
 - "traefik.docker.network=traefik"
 - "traefik.http.routers.site-one.rule=Host(`domain1.example.org`)"
 - "traefik.http.routers.site-one.service=site-one"
 - "traefik.http.routers.site-one.entrypoints=web-secure"
 - "traefik.http.routers.site-one.tls=true"
 - "traefik.http.routers.site-one.tls.certResolver=default"
 - "traefik.http.services.site-one.loadbalancer.server.port=8080"
 networks:
 - traefik

 domain2.example.org:
 image: joseluisq/static-web-server:2
 container_name: "domain2.example.org"
 environment:
 # Note: those envs are customizable but also optional
 - SERVER_PORT=8080
 - SERVER_ROOT=/public
 - SERVER_LOG_LEVEL=info
 volumes:
 - ./domain2.example.org:/public
 labels:
 - "traefik.enable=true"
 - "traefik.docker.network=traefik"
 - "traefik.http.routers.site-two.rule=Host(`domain2.example.org`)"
 - "traefik.http.routers.site-two.service=site-two"
 - "traefik.http.routers.site-two.entrypoints=web-secure"
 - "traefik.http.routers.site-two.tls=true"
 - "traefik.http.routers.site-two.tls.certResolver=default"
 - "traefik.http.services.site-two.loadbalancer.server.port=8080"
 networks:
 - traefik

networks:
 traefik:
 name: traefik
 external: true

This assumes traefik runs in a docker-network called traefik. This network must already exist.

As a last step add at least a index.html in the appropriate folder. Then you can start the webserver with docker-compose up. Add -d to run it in the background.

Deploying static sites

Deploying files manually (via Filezilla, scp or rsync) is not something I like to do. I therefore normally set up a CI job to automatically deploy the site when I push a new commit to GitHub, either via GitHub Actions or my Woodpecker CI instance.

I order to do that I

create a new user on the server, specifically for that purpose (one per site). The command is useradd USERNAME -m
create a SSH key without a password ssh-keygen -t ed25519 -a 100 -C "COMMENT" -f FILENAME
copy the public key that was just created at FILENAME.pub on the server in the textfile /home/USERNAME/.ssh/authorized_keys
Add the private key to the secrets of your CI

A typical CI configuration will look like this with a static site and GitHub Actions

name: Deploy Production Website via SSH

on:
 push:
 branches: [main]

jobs:
 build:

 runs-on: ubuntu-latest

 steps:
 - uses: actions/checkout@v1
 - name: Deploy to Server
 uses: easingthemes/ssh-deploy@main
 env:
 SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
 ARGS: "-rltgoDzvO --delete"
 SOURCE: ""
 REMOTE_HOST: ${{ secrets.REMOTE_HOST }}
 REMOTE_USER: ${{ secrets.REMOTE_USER }}
 TARGET: ${{ secrets.REMOTE_PRODUCTION_TARGET }}
 EXCLUDE: ".github/, .gitignore"

or this, when using HUGO and Woodpecker CI

---

pipeline:
 build:
 image: klakegg/hugo 
 commands:
 - hugo

 deploy:
 image: appleboy/drone-scp
 settings:
 strip_components: 1
 host:
 - example.org
 username: moanos
 target: /home/USERNAME/static-sites/
 source: public/
 key:
 from_secret: ssh_key

not manually put the files on the server

Moitoring IoT devices with MASH - Part 1

2023-07-07T15:10:10+02:00

This article is about monitoring some IoT devices (e.g. a CO2 sensor) with a combination of Mosquitto (a MQTT broker), Telegraf (a metric collector), InfluxDB (a time-series database) and Grafana (for displaying everything nicely). All mentioned services should run on a server that can be reached from the monitoring device(s) and your PC where you want to check the data. We will use MASH (see below) to deploy the services.

In the end this will enable you to get to something like this:

While writing, I decided to split this into two parts. Part 1 will set up our server infrastructure, Part 2 will show how to integrate some real sensors.

Let’s get started with Part 1 and answer:

What is MASH?

MASH is short for “Mother of all self-hosting”. It’s a collection of ansible roles, tied together by a playbook that can help deploy and maintain a large number of services. It was inspired by the matrix-docker-ansible-deploy follows the same philosophy and is maintained partly by the same people.

MASH includes services like

Nextcloud
Authentik
Gitea
Peertube
Funkwhale

and more than 50 others at time of writing this blogpost (List of all supported services).

The motivation for this playbook is to have all services run in docker, be as configurable as possible, while maintaining easy upgrades and reproducible deployments. The documentation IMHO is very good, so if people are willing to use ansible this might be a lot easier than writing roles themself.

Architecture

In the end we will have a IoT device that sends data to a MQTT topic on the MQTT broker Mosquitto. Telegraf will listen to this topic and write this into InfluxDB. When you want to have a look at the data, you can access Grafan which will query InfluxDB.

Prerequisits

To have everything it needs to use MASH you should ensure the following things are done and working

Configure DNS

By following this guide we will set up some services which will be reachable from via web interface (Grafana and InfluxDB) while others will not (Telegraf, Mosquitto). We will set a domain name for the server itself, one for Grafana and one for InfluxDB. This allows you to move services more easily. Feel free to adjust the setup to your needs (but don’t forget to change tha _hostname variables accordingly later).

Service	Domain	Type	Target
Server general	s0.example.com	A	`<IPv4-IP>`
Server general	s0.example.com	AAAA	`<IPv6-IP>`
Grafana	grafana.example.com	CNAME	s0.example.com
InfluxDB	influxdb.example.com	CNAME	s0.example.com

Set up the services

Setting up the services will require three steps. The first will set up the general server with Mosquitto and Influxdb. Then we configure mosquitto and influxdb and use this to set up Telegraf and Grafana.

Setting up the basis, Mosquitto and InfluxDB

Setting up will be based on one configuration file of the playbook. <your-domain> is the one you set up as Server General (s0.example.com).

Execute the following these steps inside the playbook directory:

create a directory to hold your configuration (mkdir -p inventory/host_vars/<your-domain>)
copy the sample configuration file (cp examples/vars.yml inventory/host_vars/<your-domain>/vars.yml)
copy the sample inventory hosts file (cp examples/hosts inventory/hosts)
edit the inventory hosts file (inventory/hosts) to your liking

Now you are ready to modify the main configuration file atinventory/host_vars/<your-domain>/vars.yml.

Add the following to your playbook and replace the default values (IN_CAPS)

############
## Basics ##
############


# Put a strong secret below, generated with `pwgen -s 64 1` or in another way
# Various other secrets will be derived from this secret automatically.
mash_playbook_generic_secret_key: ''

mash_playbook_docker_installation_enabled: true
devture_docker_sdk_for_python_installation_enabled: true

# To ensure the server's clock is synchronized (using systemd-timesyncd/ntpd),
# we enable the timesync service.

devture_timesync_installation_enabled: true


#############
## traefik ##
#############

# Traefik will be our revers proxy that makes grafana and influxdb accessible from the outside. It will automatically obtain SSL certificates for us

mash_playbook_reverse_proxy_type: playbook-managed-traefik
# The E-Mail address that traefik will use to obtain certificates with
devture_traefik_config_certificatesResolvers_acme_email: certs@example.com

##############
## influxdb ##
##############
influxdb_enabled: true
influxdb_hostname: influxdb.example.com

influxdb_init: true
influxdb_init_username: "USERNAME"
influxdb_init_password: "SECURE-PASSWORD"
influxdb_init_org: "YOUR-ORG"
influxdb_init_bucket: "monitoring"


#################
## Mosquitto ##
#################

mosquitto_enabled: true

Installing

Before installing and each time you update the playbook in the future, you will need to update the Ansible roles in this playbook by running just roles. just roles is a shortcut to download the latest Ansible roles. If you don’t have just, you can also manually run the roles commands seen in the justfile (this gets tedious fast).

To install you should can just install-all. That’s it.

Congratulations! You installed your first services and can now visit influxdb.example.com and login with the credentials you set above!

Configuring Mosquitto and InfluxDB

Mosquitto

To configure mosquitto you only need to set up users. I would recommend to set up seperate users for telegraf and your IoT devices as you might want to restrict the IoT users permissions (not covered here).

Setting up mosquitto users can be done just run-tags mosquitto-add-user --extra-vars=username=<username> --extra-vars=password=<password>. For the setting to take effect, you must restart the container. To do that you can use just start-group mosquitto.

InfluxDB

We will now create a configuration that will automatically be read by telegraf.

Got to Load Data -> Telegraf and press Create configuration. Choose the bucket monitoring and search for the MQTT consumer as data source.

Add the following replace the [[inputs.mqtt_consumer]] with the following configuration (and make sure that you replace the example values).

[[inputs.mqtt_consumer]]
 servers = ["tcp://s0.example.com:1883"]

 ## Topics that will be subscribed to.
 topics = [
 "sensors/#",
 ]
 data_format = "value"
 data_type = "float"
 username = "USERNAME_SET_WHEN_CONFIGURING_MOSQUITTO"
 password = "PASSWORD_SET_WHEN_CONFIGURING_MOSQUITTO"

Now got to Setup Instructions and copy the INFLUX_TOKEN. It will only show once! Also copy the config URL. You will need both in the following step.

Setting up Telegraf and Grafana

You now have everything for the last step: Setting up Telegraf and grafana. We did not do this in the first step as wee needed the access tokes/configuration link which we have now. Therefore you should now add two new sections to your vars.yml.

##############
## telegraf ##
##############
telegraf_enabled: true
telegraf_influx_token: TOKEN-YOU-GOT-FROM-INFLUX
telegraf_config_link: https://influxdb.example.com/api/v2/telegrafs/0b6d11ca6bb1b000

#############
## grafana ##
#############

grafana_enabled: true
grafana_hostname: grafana.example.com
grafana_default_admin_user: USERNAME
grafana_default_admin_password: 'SECURE-PASSWORD'

grafana_provisioning_datasources:
 - name: InfluxDBs3
 type: influxdb
 access: proxy
 url: "https://{{ influxdb_hostname }}"
 jsonData:
 version: Flux
 organization: YOUR-ORG
 defaultBucket: monitoring
 secureJsonData:
 token: "TOKEN-YOU-GOT-FROM-INFLUXDB"

After that, once again do just install-all. You should now have a working setup of all services. Now

Let’s put some data in and display it

To send some data that you can display you can use the following python script. Save it as cli.py

import argparse
import paho.mqtt.client as mqtt
import random
import numpy as np
import time


def gen_time():
 return time.strftime("%H:%M:%S", time.localtime())


def gen_temp():
 """
 amplitude: amplitude of temperature changes
 mean: mean of the simulated temperature
 offset: offset of the signal in seconds
 period: periond time in seconds
 """
 amplitude = 5
 mean = 20
 offset = 0
 period = 900
 temp = np.sin((time.time() + offset) % (period) * 2 * np.pi) * amplitude + mean
 return temp


def fake(client, data_type="temperature", topic="sensors/temperature"):
 if data_type == "temperature":
 data_generator = gen_temp
 elif data_type == "time":
 data_generator = gen_time

 while True:
 print("Publishing")
 if data_type == "temperature":
 client.publish(topic, gen_temp())
 elif data_type == "time":
 client.publish(topic, gen_time())
 time.sleep(2)


def on_message(client, userdata, msg):
 print(msg.topic + " " + str(msg.payload))


def on_connect(client, userdata, flags, rc):
 print("Connected with result code " + str(rc))
 if rc == 5:
 raise ConnectionError("MQTT server refused connection")


def connect_broker(server, port, username="", password=""):
 client_id = f'python-mqtt-{random.randint(0, 1000)}'
 client = mqtt.Client(client_id)
 client.on_connect = on_connect
 client.username_pw_set(username=username,
 password=password)
 client.connect(server, port, 60)

 return client


def cli():
 parser = argparse.ArgumentParser(description='Do basic MQTT operations')
 parser.add_argument('action', choices=['sub', 'pub', 'fake'], help="")
 parser.add_argument('-t', '--topic', help="The MQTT topic")
 parser.add_argument('--type', help="The type of data to fake")
 parser.add_argument('-b', '--broker', help="Hostname of the MQTT broker")
 parser.add_argument('--port', type=int, default=1883, help="The MQTT brokers port (default: 1883)")
 parser.add_argument('-u', '--user', help="User for the MQTT broker")
 parser.add_argument('-p', '--password', help="Password of the MQTT broker")
 parser.add_argument('-d', '--payload', help="The payload to send with a set command")

 args = parser.parse_args()

 client = connect_broker(args.broker, args.port, args.user, args.password)
 if args.action == "sub":
 client.subscribe(args.topic)
 client.on_message = on_message
 client.loop_forever()
 elif args.action == "pub":
 r = client.publish(args.topic, payload=args.payload)
 print(r)
 elif args.action == "fake":
 fake(client, args.topic)


if __name__ == "__main__":
 cli()

Start the script with

python cli.py fake -t sensors/temperature -b s0.example.com -u USERNAME -p SECURE_PASSWORD`

This will fake a temperature sensor and publish the results to the MQTT topic sensors/temperature. To make sure the MQTT broker works correctly you can subscribe with

python cli.py sub -t sensors/temperature -b stats.hyteck.de -u qzt -p fisch-salz-hof

Now let’s display this data in Grafana. Add a new dashboard and then use Add->Visualization.

In the panel select InfluxDB as datasource (1+2) put in the folowing query (3).

from(bucket: "monitoring")
|> range(start: v.timeRangeStart, stop: v.timeRangeStop)
|> filter(fn: (r) => r["_measurement"] == "mqtt_consumer")
|> filter(fn: (r) => r["_field"] == "value")
|> filter(fn: (r) => r["topic"] == "sensors/temperature")
|> group(columns: ["topic"])
|> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)
|> yield(name: "mean")

add a nice title (4) and apply to see tha data (5). You should now have a nice display of your fake sensor!

Some last words

Please let me know when you follow this guide - wheter sucessful or not! I would love to improve it.

I know this seems like a lot of effort to get a few numbers to display a few numbers nicely. On the other hands, once set up this setup can do a lot of stuff, from monitoring, to alerting. Upgrades should be taken care of by MASH, check out how to do that here. Also setting up more services is a breeze. Either check the list of existing services, or add a new role to the playbook. If you don’t know how, I am happy to help!

So make sure to follow my RSS feed or any of my socials to get notified when Part 2 comes around.

Troubleshooting

When something doesn’t work feel free to

Consult the docs
- Mosquitto
- Telegraf
- InfluxDB
- Grafana
Message me

Garage distributed object storage via Ansible

2023-02-27T10:12:54+02:00

I recently build a beginner-friendly ansible playbook for Garage, a S3 compatible distributed object storage.

What is garage-docker-ansible-deploy?

Garage is an open-source distributed object storage service tailored for self-hosting. The ansible playbook garage-docker-ansible-deploy helps you to set up such a cluster.

It comes with “batteries included” so it will automatically install docker and set up a reverse proxy (traefik).

You may be familiar with some related ansible playbooks that this playbook is based on

matrix-docker-ansible-deploy - for deploying a fully-featured Matrix homeserver
gitea-docker-ansible-deploy - for deploying a Gitea (self-hosted Git service) server
vaultwarden-docker-ansible-deploy - for deploying a Vaultwarden password manager server (unofficial Bitwarden compatible server)

These playbooks are masterfully maintained by spantaleev and community. I copied the design und re-use roles e.g. to install traefik.

Opinionated Design

Garage is a very flexible software that can server a lot of use-cases. The playbook is opinionated in the sense that it reduces the flexibility of garage in favor of an easy deployment that should serve common use cases. The playbook currently encourages a layout where

1 garage data node is used per physical drive that should be used by the cluster
1 gateway node is used per host to make redundant setups possible

Each host is assumed to habe a public IPv4/IPv6 address and every node should have a dedicated subdomain + one subdomain per gateway on the host.

When all of this comes together a garage host might look something like this

Example layout with one host that has 2 nodes (as it has two drives where data will be stored)

The playbook will need you to configure the DNS records to point to server1 and will make everything else happen with the following configuration.

garage_garage_node1_base_path: "/media/drive1/garage/node1"
garage_garage_node2_base_path: "/media/drive2/garage/node2"
garage_garage_nodes:
- name: "gateway1"
metadata_path: "{{ garage_garage_meta_path }}/gw1"
data_path: "{{ garage_garage_data_path }}/gw1"
gateway: true
rpc_bind_port: 3901
node_addr: "garage-gw1.example.com"
s3_api_addr: "s3.example.com"
- name: "node1"
gateway: false
capacity: 3
metadata_path: "{{ garage_garage_node1_base_path }}/metadata"
data_path: "{{ garage_garage_node1_base_path }}/data"
rpc_bind_port: 3911
node_addr: "garage-node1.example.com"
- name: "node2"
gateway: false
capacity: 3
metadata_path: "{{ garage_garage_node2_base_path }}/metadata"
data_path: "{{ garage_garage_node2_base_path }}/data"
rpc_bind_port: 3921
node_addr: "garage-node2.example.com"

Limitations

While the playbook should of course be reusable and fairly modular it will never be a solution to all use cases. The playbook does not cover

Setting up domains (but there are instructions)
Detailed management of the buckets and keys: There are basic features to create buckets and access keys but management will not be in the scope of the playbook
connecting nodes via (mesh) VPN as metioned in the project documentation

Getting started

Go to the garage-docker-ansible-deploy README with detailed installation instructions
For any problems you can find help in #garage-docker-ansible-deploy:hyteck.de
If you think there is something wrong/missing open a GitHub issues: moan0s/garage-docker-ansible-deploy/issues

Be aware that the playbook is not yet used widely so I don’t have much more than my own experiences. I am happy to help if you experience bumps in the road

Rules, Terms and Privacy for GoToSocial: gay-pirate-assassins.de

2022-11-20T04:56:10+02:00

Rules

"Be excellent to each other" is easier said than done, and means different things to different people.

The following rules are a (non-exhaustive) list of behaviours that may lead to deletion of toots, silencing or suspension of accounts, at the descretion of the instance administrators, as described in our Terms

Please report behaviour that bothers you. We will keep your report confidential.

We do not tolerate discriminatory behaviour and content promoting or advocating the oppression of members of marginalised groups. These groups may be characterised by any of the following (though this list is naturally incomplete):
- ethnicity
- gender identity or expression
- sexual identity or expression
- physical characteristics or age
- disability or illness
- nationality, residency, citizen status
- wealth or education
- religious affiliation, agnosticism or atheism
We do not tolerate threatening behaviour, stalking, and doxxing
We do not tolerate harassment, including brigading, dogpiling, or any other form of contact with a user who has stated that they do not wish to be contacted.
We do not tolerate mobbing, including name-calling, intentional misgendering or deadnaming.
We do not tolerate violent nationalist propaganda, Nazi symbolism or promoting the ideology of National Socialism.
We do not tolerate conspiracy narratives or other reactionary myths supporting or leading to the above-mentioned (and/or similar) behavior.
Actions intended to damage this instance or its performance may lead to immediate account suspension.
Content that is illegal in Germany will be deleted and may lead to immediate account suspension.

Best practices

The list below is a collection of behaviour that we expect to see from our users. If you see a user go against these best practices in a way that bothers you, please file a report and we will talk to them. While these best practices are designed to be guidelines for a good communal instance, repeated malicious unwillingness to follow the best practices will be considered just like breaking a rule.

In general, use the tools provided to foster a considerate and accessible atmosphere. This includes the liberal use of content warnings (especially on potentially disturbing or controversial topics), and alt-text captioning of media files.
When possible, provide credit for creative works in your posts that are not your own.
Uninvited comments about another user's personal choices, lifestyle or family are strongly discouraged and may be considered harassment. Inappropriate sexual attention, comments about appearance and implication of physical contact will not be tolerated toward any non-consenting user.
If you post sexual content or gore, use content warnings.
If you post advertisements, use a content warning. Advertisements should not be excessive or automated.
Bots may only interact with a user when they're invited by that user to do so.
Automated posts and high-frequency posts should be unlisted (rendering visible to everybody, but not appearing on the local timeline) to keep the local timeline of our instance a place of community dialogue and human interaction. This extends to bots, feed posters, Twitter "retweets" and Twitter crossposts with broken mentions ("…@twitter.com"). Crossposter accounts that stop being active participants in our community may be removed at the discretion of the moderators.
In discussions, please remain civil, do not insult the people you're talking to. Note that irony, sarcasm, or similar modes of language don't translate well to written language and tend to escalate discussions or misunderstandings.

(These best practices were inspired by the Terms of bsd.network. Thank you!)

Resources

I am maintaining this instance on my spare time, hardware and nerves. Don't push either of those.

Terms of Service

adapted from chaos.social which was in turn adepted by the bsd.network ToS

It is our intention that you use this service for personal enjoyment and respectful, friendly interaction. To that end, we hope to foster a welcoming and inclusive environment.

The server is privately owned and open to users voluntarily, not a public space. Users wishing to join this community are expected to act without malice and in good faith. Doing otherwise may lead to removal from the service, independent of whether a user violates any rules outlined below.

The administrators and moderators of this instance are

moanos

The server hosting the instance is located in Germany.

The following statements apply regardless of privacy level and instance of the users involved. In rare cases, public or private offline conduct or conduct on a separate instance may constitute grounds for removal from the service.

Policies and Rules

Our instance is subject to a set of rules governing user behaviour. The rules are defined above.

These rules are designed to maintain a friendly and open atmosphere, and to prevent harassment and discrimination. As such, they are a set of guidelines, but by necessity incomplete. Users violating the spirit of these rules will be treated no differently than users violating a specific rule.

Please note that our rules contain a section on best practices, and users who repeatedly and despite warnings disregard these best practices may be seen to be in violation of our rules.

The moderators may remove accounts who spam the instance, or are suspected of camping just to reserve an account name. Violation of the policies and rules may also lead to account removal at the discretion of the moderators.

Data Access

Content on this instance must not be used for the purposes of machine learning or other "research" purposes without the explicit consent of the users involved.

Content on this instance beyond this page must not be archived or indexed wholesale by automated means by any user or service. Active users may export their following lists and posts through the export provided on their settings page, or the API.

Privacy Policy

Information collection

Mandatory account information: Username (always public), e-mail address, and password.
Optional account information: Display name, biography, profile information fields, profile picture, and header image. Display name, biography, profile picture and header image will always be public.
Statuses and interactions: We retain all your posts including attachments, and other interactions (such as favourites, follows and reblogs). In addition to the content and people involved, we also store the timestamps for all of the listed data entries. If these interactions impact another server (eg. following, boosting, or messaging a user on a different server), this other server will receive all required information. Public, unlisted, and pinned posts are available publicly. Follower-only posts are available to your followers, and direct messages are available to you and all people mentioned in the message. Please note that since we cannot control other servers, this means that we cannot guarantee the privacy status of your messages as soon as they leave our server.
Cookies: We use cookies to keep you logged in and save your preferences for future visits.
Other metadata: We do log and store your IP address. We retain the name of your browser application to allow you to review your currently logged in sessions for security reasons.

Information usage

Any of the information we collect from you may be used in the following ways:

To provide the core functionality of GoToSocial. You can only interact with other people's content and post your own content when you are logged in. For example, you may follow other people to view their combined posts in your own personalized home timeline.
To aid moderation of the community – when a status or account is reported, we will look into the matter as part of our moderation tasks.
The email address you provide may be used to send you information, notifications about other people interacting with your content or sending you messages, and to respond to inquiries, and/or other requests or questions.
To aid debugging and reliable providing service.

Information protection

We implement a variety of security measures to maintain the safety of your personal information when you enter, submit, or access your personal information. Among other things, your browser session, as well as the traffic between your applications and the API, are secured with HTTPS, and your password is hashed using a strong one-way algorithm. You may enable two-factor authentication to further secure access to your account.

Information deletion and retention

You can request and download an archive of your content, including your posts, media attachments, profile picture, and header image.

You may irreversibly delete your account at any time.

If we judge you to be breaking our instance rules, we may irreversibly delete your account at any time.

Information disclosure

Information is not disclosed unless you explicitly permit it. The only exception is the provider of our server, who is a trusted and unavoidable third party.

Contacting or permitting contact from a user from a different instance implies your consent that the required data is shared with the server in question.

Authorization of a third-party application grants information access depending on the scope of permissions you approve. The application may access your public profile information, your following list, your followers, your lists, all your posts, and your favourites. Applications can never access your e-mail address or password.

Attribution ¶

This text was adapted from https://chaos.social/about and is free to be adapted and remixed under the terms of the CC-BY (Attribution 4.0 International).

Raspberry Pi as Offsite Backup

2022-10-23T10:12:54+02:00

Use Case

You have one (or more) servers at a hosting provider and a raspberry pi at home. You want to have an offsite backup of the websites, apps and databases at home.

Prerequesits

You configure your raspberry pi to be reachable from the internet using DynDNS. In the following we assume that it is reachable at offsite.example.com.

Preparing your backup raspberry pi

We want to make sure that backups on the raspberry pi can come from multiple sources and one source can not delete another.

Create an additional user

and change to that user afterwards. You can change service1 to the name of the service that this user should backup.

sudo useradd service1_backup
sudo su service1_backup
cd ~

Create an SSH key for the user

This SSH key will later be used by your server to push backups automatically. Therefore you should not set a passphrase for the key (just press enter until the key is generated)

$ ssh-keygen -t ed25519

Create your backup directory

mkdir backup && cd backup

If you want to use an external drive you can mount it to this users home directory.

Initialzie the borg repository

borg init --encryption=repokey ./

Make sure to set a strong passphrase and note it down somewhere safe. Without it you will not be able to access you backup!

Make sure the user can only access the backup directory

Put the following in ~/.ssh/authorized_keys and make sure everything is in one line. The last values are simply your public key that can be found in ~/.ssh/id_ed25519.pub

command="borg serve --restrict-to-repository /home/<user>/backup",restrict <key type> <key> <key host>

Done with the raspberry pi

Configure your server

In this guide we will use borgmatic to configure and automatically run the backup in the server.

Install borgmatic

sudo pip3 install --user --upgrade borgmatic

Configure borgmatic

The following is a small configuration example. Place it in /etc/borgmatic.d/servic1.yaml. If you need more options check out the full configuration file reference

location:
source_directories:
- /home/service1/static
repositories:
- ssh://service1_backup@offsite1.example.com/./backup
storage:
encryption_passphrase: "ThePassphraseouUsedOnYourRaspi"
ssh_command: ssh -i /etc/borgmatic.d/service1_backup_key
retention:
# Number of daily archives to keep.
keep_daily: 7
hooks:
# List of one or more shell commands or scripts to execute
# before creating a backup, run once per configuration file.
before_backup:
- echo "Starting a backup."
# List of one or more shell commands or scripts to execute
# after creating a backup, run once per configuration file.
after_backup:
- echo "Finished a backup."
after_everything:
- echo "Completed actions."
postgresql_databases:
- name: service1
# mysql_databases:
# - name: users

Place the private SSH key

The server will need the private SSH key so connect to your raspberry pi

On the raspberry pi use

cat ~/.ssh/id_ed25519

to get the private key and place it on your server in the file /etc/borgmatic.d/service1_backup_key. As this is a private SSH key it must only be readable by the user. Ro change its permissions correctly use

chown 600 service1_backup_key

Check if the backup works

Create your backup with

sudo borgmatic create --verbosity 1 --list --stats

Now check out the borgmatic configuration on how to properly set up automated backups

Done

Congrats, you should now have a fully functioning backup configuration!

Vim shortcuts to execute current line

2022-05-25T15:15:55+02:00

I recently had to write a lot of SQL code and thought it would be very neat to have some vim shortcuts to execute the current line or the current command. I want to share this with everyone as the second command needed some try-and-error on my part.

Adding the following to ~/.vimrc

map <F2> :.w !psql<CR>
map <F3> :.,/;/w !psql<CR>
map <F4> :w !psql<CR>

will enable you to execute the current line in psql with F2. F3 executes the current line and the next lines until a;. F4 executes the whole file.

This can easily adapted to your needs. If you have any questions or improvemnts feel free to use the chat below.

Disappearing messages with matrix

2021-12-31T20:00:00+02:00

Introduction

I am a HUGE fan of matrix. It allows me to organize my chats in a sensible way, it works with multiple identities and completly anonymous if I want it to. Spaces made Matrix my favourite messenger by far. Yet, there is one feature I have been missing: Disappearing messages!

Regarding the security and usability, only Signal is comparable to matrix. But: Signal offers the possibilty to define disappearing messages for groups and direct messages ranging from 30 seconds to 4 weeks. No Matrix client (to my knowledge) offers this functionality. Nevertheless, it is possible to configure matrix rooms to have the same feature. This needs a special server configuration and the sending of a special event in the room. This post tries to show both steps. If you do not administer a server you can probably skip to Room configuration

Be aware that this blogpost was written at the end of 2021 - Matrix develops fast and this could be subejct to changes.

Instance configuration

To make disappearing messages possible you need to enable retention on your matrix instance. Retention allows server and room admins to configure how long messages should be kept in the instances database before being purged from it. It is not part of the matrix specification, yet it is supported by synapse.

A client SHOULD not display these messages anymore after the max_lifetime is exceeded. This was NOT true for element web an desktop while staying logged in. Nevertheless, a newly logged in client did not have access to the messages.

To configure Synapse to make use of retention you will need to enable it in your homeserver.yaml

retention:
enabled: true # enables the retention, is enough to enforce it once per day
purge_jobs: # configures a job that delete the events from the database after some tome
- longest_max_lifetime: 3d
interval: 1h
- shortest_max_lifetime: 3d
interval: 1d

The example configuration creates two jobs that delete messages from the database. One only focuses on events that should be deleted after three days or less. These events will be deleted every hour. It is therefore possible for a message that was send in a room with a max_lifetime=7200000 (equals 2h) to be deleted one hour after the maximum lifetime.

Ansible

If you use the Ansible/Docker setup to deploy your server you can add the following to inventory/host_vars/matrix.example.com/vars.yml

matrix_synapse_configuration_extension_yaml: |
retention:
enabled: true
purge_jobs:
- longest_max_lifetime: 1d
interval: 2h
- shortest_max_lifetime: 1d
interval: 1d

Room configuration

If you are a user on a server that has retention enabled, you can enable disappearing messages yourself for each room. Sadly, this is still experimental - but managable! You have to craft a m.room.retention event that defines the maximum lifetime of a message. You will need to access the rooms settings in order to do this.

First you need to open the developer tools in the rooms settings.

Then click “Send custom event” to create your event

And fill the event with the appropriate max_liftime. The time is an integer in milliseconds. X hours is therefore a value of X*3 600 000. Make sure to click the red event button. The State Key can be left empty nevertheless.

Depending on your choosen lifetime the client should not show the messages anymore.

Limitations

The process of deleting messages can not be enforced. A malicious server or chat partner could ignore the request to delete the messages or they could have saved them elsewere. You should not rely on a deletion actually happening. Nevertheless I think this is a good step to take to improve your security in real life.

Further Information

Relevant part of the Synapse configuration file: https://github.com/matrix-org/synapse/blob/v1.36.0/docs/sample_config.yaml#L451-L518
Synapse documenation on message retention policies https://matrix-org.github.io/synapse/v1.41/message_retention_policies.html

What else?

Thanks to Tastytea for helping me get this to work!

Comments

If you have questions, corrections or want to leave something else, please feel free to use the comments!

Cactus comments via Matrix

2021-08-25T11:08:55+02:00

Integration

Following the quickstart documentation I tried to add cactus comments to this blog. I currently rely on infrastructure by cactus.chat as I do not host a private synapse server.

I currently implemented this as a shortcode with hard-coded site title and a variable room name.

Quickstart with HUGO

Register your site

There is a registration system, that ensures that you are moderater in your comment section(s). I order to register your site you have to send a message to @cactusbot:cactus.chat . First try help to ensure that the bot answers you, then register your site e.g. register hyteck. The bot should inform you of success and add you to a moderation room.

Embedd comment section via Shortcode

HUGO, the static site generator I use, has an option to use shortcodes that provide a nice interface to hide some HTML, CSS and JavaScript.

The shortcode chat.html must be added to layouts/shortcodes/ and looks like this

<script type="text/javascript" src="https://latest.cactus.chat/cactus.js"></script>
<link rel="stylesheet" href="https://latest.cactus.chat/style.css" type="text/css">
<div id="comment-section"></div>
<script>
initComments({
node: document.getElementById("comment-section"),
defaultHomeserverUrl: "https://matrix.cactus.chat:8448",
serverName: "cactus.chat",
siteName: "hyteck",
commentSectionId: "{{ index .Params 0 }}"
})
</script>

If you want to use this, replace the site name with the one you registered in the previous step.

You can then use it as simple as

{{< chat cactus-comments >}}

where cactus-comments is the name of the chatroom. You can decide if you want to create a new one for each post (change the name to somthing like the post title) or if you want to use only one (keep the same name).

Organisation

I try to make a comment with my main matrix account, so that I am automatically joined to the room (tbh. I don’t know if this is necessary). Then I organize the rooms by adding them to a private space.

Community

CW: Homophobia, Slur

The community in the official chat seemed helpful and nice. Nevertheless I want to mention, that the first time I tried the demo page a user (that does not seem to be associated with the develoipment or involved in the community) insulted me with a homophobic slur. The “reason” behind this were the prounouns I had in my name. I reported the comment and it was removed by a moderator. The moderator made it clear that this behaviour is agains the Code of Conduct and that the user is not active in the community. For me this is a very good indication of a functioning community, cheers!

Comments

Owncast & Streaming a talk

2021-05-20T16:08:55+02:00

I recently installed an Owncast server and wanted to share my experience. Here it is:

What is owncast?

Owncast is a streaming server that you can selfhost, a Twicht in a box as the developers call it. You host owncast on your server (a small VM with good downlink is enough) and can stream your own own content like you would do on Twicht, YouTube etc…

It has a chat, a admin panel for customization and thats it! You don’t need more to e.g. stream while you are playing minecraft or want to share a talk.

Getting started

Get the latest release on GitHub by using

$ mkdir owncast
$ cd owncast
$ wget https://github.com/owncast/owncast/releases/download/v0.0.7/owncast-0.0.7-linux-64bit.zip
$ unzip owncast-0.0.7-linux-64bit.zip
$ rm owncast-0.0.7-linux-64bit.zip

And move the webroot to your document root and make sure the permissions fit

$ cd ..
$ mv owncast /var/www/owncast
$ cd /var/www/
$ chown -R www-data:www-data owncast

Now create a new NGINX site e.g. /etc/nginx/sites-enabled/owncast with the following content

map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/stream.hyteck.de/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/stream.hyteck.de/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
server_name stream.hyteck.de;
# Set header
add_header X-Clacks-Overhead "GNU Terry Pratchett";
add_header Permissions-Policy interest-cohort=(); #Anti FLoC
location / {
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_pass http://127.0.0.1:8080;
}
}
server {
listen 80;
listen [::]:80;
server_name stream.hyteck.de;
return 301 https://$server_name$request_uri;
}

Make sure to adjust the server name and SSL certificats (I will not go into detail on how to obtain them, but feel free to ask me!).

Start server

Now start owncast to test

$ cd /var/www/owncast
$ ./owncast/owncast

and visit https://yourdomain.org! If everything works you should see your site now. By visiting https://yourdomain.org/admin you can configure your server. The default credentials are admin and your stream key which is abc123. Change this immediately!

Before you configure, let’s make sure this runs whenever your server starts. Goback in the terminal and cancel with Ctrl+C.

Run as system service

You want to install owncast as a system service. Therfore create /etc/systemd/system/owncast.service with the following content:

[Unit]
Description=Owncast
After=network.target
[Service]
Type=simple
Restart=always
RestartSec=1
WorkingDirectory=/var/www/owncast
ExecStart=/var/www/owncast/owncast
[Install]
WantedBy=multi-user.target

Update the daemon with systemctl daemon-reload enable systemctl enable owncast and start with systemctl start owncast. Make sure everything is correct with systemctl status owncast.

Configuration

You can now change back to yourdoiman.org/admin and configure, title, logo and more.

Streaming

You can now use OBS or similar software to start streaming. Got to settings and configure your server.

Concept for talks

To livestream we have a few important things to take care of:

The speaker
The presentation
The streaming software
The streaming server
The chat

I suggest the following setup. Moderation and Speaker are in a BigBlueButton conference. The meet 15 minutes in advance, enough time to upload a presentation. Also in this room is a user called stream. This user does only listen and has OBS configured to record audio and the (fullscreen) window of the BBB room.

Before the talk starts, it is a good opportunity to play some videos via the stream, or simply put on a picture, saing the talk will start soon.

When the speaker an moderation are ready they tell the streamer and the scene is switched to the BBB room. The recording is started (if needed).

A weakness of the setup is the streaner. If they loose their network connection, the stream stops.

There is a neat project for live streaming directly from a BBB room, but it is quite complicated to set up and a crash of the BBB server would make stop the stream. Also the start of the stream is not as beautiful.

Performance

It can be hard to estimate the needed server capacities for a livestream that is why I want to share my experiences. All of this was done on a Strato Linux V40 with 16 GB of RAM, 8 vCPUs and 500 MBit/s.

On the following screenshots you see the configuration and the monitoring data of a talk with 40 participants. We pplayed high-quality videos from 17:43 to 18:05. At 18:05 we changed to the presentation. You see the decrease in CPU load, as the compression of the videos was easier with a steady picture. At 19:05 we invited the participents to join us in the BBB room, some left the stream.

The network load scales linear with the participants that are watching. You can simply calculate the needed downlink capacity with

Downlink capacity = Num. participants x Outbound Video Stream Rate

Here this was

40 participants x 1200 kbps = 48 Mbps

which matches the observed network traffic quite well.

The CPU load is determined by the compression the server has to do. The more different stream formats the server has to put out, the higher the load becomes. On the given Screenshot you see that only one downlink format was advertised, so the inbound stream had to be compresse only once. Matching imbound and outbound stream formats help reducing the server load.

If your bottleneck is the bandwidth you can try to add a second low streamrate, maybe ome clients will take that one.

Final notes

Owncast is a great project. Be aware that it is still not in version 1.0 so expect some limitations. This is e.g. the unability to block a user from chat. If you have any questions let me know in the comments below.

Transparency

2021-02-08T15:00:10+02:00

Deutsch

Wir haben die bisherigen Kosten für Server-Hardware in der Tabelle unten angegeben. Das beinhaltet nicht die Kosten für die Domain und unseren Monitoring-Server.

An alle die bisher gespendet habe: Ganz ganz vielen Dank euch!

English

We summarized the cost of hardware in the table below. This does not include costs of the domain and our monitoring server.

To everyone that contributed: Thank you so so much!

Überblick/Overview

Kosten	Spenden	Saldo
-321.63 €	235.5 €	- 86.13 €

Kostenaufstellung / Exact cost

Date	Cost (€)
27.04.2021	-25
1.04.2021	-25
26.02.2021	-25
22.01.2021	-25
22.12.2020	-24.78
25.11.2020	-24.37
22.10.2020	-24.37
22.09.2020	-24.37
22.08.2020	-24.37
22.07.2020	-24.37
22.06.2020	-25
22.05.2020	-25
22.04.2020	-25
Total	-321.63

Die wechselnden monatlichen Kosten sind durch die temporär gesenkte Mehrwertsteuer bedingt.

The altering monthly costs are explained by a decrease in sales tax in Germany.

Spenden / Donations

Date	Donation (€)
03.05.2021	7.50
06.04.2021	7.50
02.03.2021	7.50
01.03.2021	100
12.02.2021	33
12.02.2021	20
09.02.2021	50
09.02.2021	10
Total	235.5

Letzte Aktualisierung / Last update

21.05.2021

Kontak / Contact

Bei Fragen meldet euch gerne bei: bbb@hyteck.de

If you have any questions regarding this ask us via: bbb@hyteck.de

Set up and secure an MQTT broker on Ubuntu

2021-01-01T18:18:10+02:00

I had some IoT devices that I wanted to integrate in my monitoring. For this I set up a MQTT broker as the MQTT protocol is a simple solution to send data from IoT devices to a server. This tutorial is focusing on setting up the server, but I also introduce a Python based MQTT client to test our installation.

On your server, first install mosquitto, our MQTT server/broker.

sudo apt-get install mosquitto

Allow standard mqtt port in firewall (if you have ufw installed)

sudo ufw allow 1883

Now on the client side connect to the server and publish some fake sensor values. First install the mqtt client

sudo pip install phao-mqtt

and then use the following python code on your client side to send fake values to your server. You only need to change mqtt.example.com to your servers IP/domain.

import time
import paho.mqtt.client as mqtt
import numpy
import numpy as np

def calc_temp():
 temp = np.sin(time.time()%(3600)*2*np.pi)*5+20
 return temp

def on_connect(client, userdata, flags, rc):
 print("Connected with result code " + str(rc))

client = mqtt.Client()
#client.username_pw_set(username="username",password="my_super_secret_pw")
client.on_connect = on_connect

client.connect("mqtt.example.com", 1883, 60)

client.loop_start()

while True:
 time.sleep(2)
 client.publish("test/temperature", calc_temp())

You can check if the broker accepts the values by subscribing to the topic:

#!/usr/bin/env python
import paho.mqtt.client as mqtt

def on_connect(client, userdata, flags, rc):
 print("Connected with result code " + str(rc))
 client.subscribe("test/#")

def on_message(client, userdata, msg):
 print(msg.topic + " " + str(msg.payload))

client = mqtt.Client()
#client.username_pw_set(username="username",password="my_super_secret_pw")
client.on_connect = on_connect
client.on_message = on_message

client.connect("mqtt.example.com", 1883, 60)

client.loop_forever()

Now secure your broker by creating a user with a password

sudo mosquitto_passwd -c /etc/mosquitto/passwd <username>

and configure mosquitto to use it in /etc/mosquitto/conf.d/default.conf:

allow_anonymous false
password_file /etc/mosquitto/passwd

Now restart mosquitto to enable the protection

sudo systemctl restart mosquitto

Test the installation by uncommenting client.username_pw_set(username="username",password="my_super_secret_pw") and filling in your credentials. The result code 0 indicates a valid connection. 5 indicates a authentication error.

I hope this helps setting up a MQTT broker. Hopefully I will have the time to write how to connect such a broker to Grafana via Telegraf and Influx DB.

JA zur Corona-Warn-App

2020-12-10T07:00:00+02:00

JA zur Corona-Warn-App und Nein zu unbegründeter Verunsicherung!

Ich beziehe mich im Folgenden auf einen Blogbeitrag der bei Schwarzer Pfeil veröffentlicht wurde. Gesschrieben wurde er von capulcu.

Beginnen wir mit dem Start: Die Freiwilligkeit der Installation wird in Frage gestellt. Behauptet wird, dass der Staat hier die Angst der Bevölkerung ausnutze.

Es geht weiter mit sehr abstrakten Vorstellungen von “prädiktiven Modellen” die von solchen “Verhaltensdaten” trainiert werden sollen. Doch welche sollen das denn sein? Wie im Text später zu lesen ist verbleiben die Corona-IDs auf dem lokalen Gerät.

Das gilt auch im Infektionsfall wie sie selbst schreiben. Woher soll also diese “Einteilung der Bevölkerung in Risikogruppen” und die “algorithmische Verwaltung” kommen?

Beschrieben werden außerdem Bluetooth-Sicherheitslücken. Diese sind zwar durchaus schwerer Natur, stechen jedoch nicht aus der Masse besonders heraus oder stellen Grundlagen des Protokolles infrage. Eine massenhafte Ausnutzung erscheint unwahrscheinlich.

Zugegeben, Bluetooth ist nicht zwingend die sicherste Technologie. Obwohl die Sicherheitslücke schnell geschlossen wurde ist die Kritik an der Android Update Verbreitung berechtigt. Das der CWA anzulasten ist jedoch etwas weit hergeholt.

Google und Apple wird unterstellt die über die Bluetooth-Schnittstelle der CWE gewonnen Daten zur Erstellung von Social Graphs nutzen zu wollen. Aber sind wir ehrlich Standort und Telefonbuch sind da aussagekräftig genug.

Dass Google und Apple maßgeblich dafür Verantwortlich sind, dass sich der datenschutzfreundliche dezentrale Ansatz durchgesetzt hat wird als Beweis der Macht der Konzerne angesehen und als den versuch “unausweichliche Instanz zu sein”. \

Dass dem nicht so ist und der offene, dezentrale Ansatz sogar Macht von Google und Apple sinken lässt zeigt die in Deutschland verfügbare Google-freie CWA: https://f-droid.org/en/packages/de.corona.tracing

Fazit

Skepsis bzgl. Technik bleibt wichtig. Die Corona-Warn App schafft aus meiner Sicht jedoch eine durchaus bemerkenswerte Leistung, nämlich sennsible Kontaktdaten datensicher zu verarbeiten. Das ist vielen Datenschützer*innen zu verdanken, die sich für eine dezentrale Open-Source Lösung eingesetzt haben. Kritik an der App ist teilweise faktisch falsch und überschätzt Risiken stark. Statt zur Verunsicherung beizutragen, sollte solidarisch für solche guten Lösungen geworben werden!

PS: Der Thread/Blogbeitrag erhebt keinen Anspruch auf Vollständigkeit. Eine Beschäftigung mit dem gesamten Orginal hätte sehr viel länger gedauert und meine Kapazitäten gesprengt.

Einen guten Thread hat auch Waweic dazu geschrieben: https://chaos.social/@waweic/105335074439772081

Translation for video conferences

2020-07-23T07:30:00+02:00

Although physical meetings are not possible, many groups and organizations are dependent on multilingual meetings. In videoconferencing, concepts such as a whispered translation are not intuitive. Therefore a friend and I have developed a concept for translation in videoconferencing. The concept was planned for a conference with 80 participants who will discuss and make decisions over two days either in large groups or in sub-groups. The videoconferencing software that was used was BigBlueButton (BBB).

Translation via subtitles

BBB offers the possibility to write subtitles simultaneously to video conferencing. This feature is especially aimed at hearing impaired people. For translation, one person would translate and type in one language at a time. Due to the limited typing speed, this procedure is associated with large losses of content. However, it is a great option for hearing-impaired people and can be combined with a simultaneous oral translation.

Simultaneous translation

The concept of simultaneous translation is based on the fact that there is a seperate BBB-room for each language. These are communicated to the participants in advance.

The room whose language most of the participants speak will be the main room. People who do not speak the language of the main room will still join it, as moderation tasks and the presentation will be only in this room.

All statements in the main room will be translated by overseers in the other rooms. The translators should be present in the main room with the microphone switched off. If a person from a secondary room wants to speak they indicate this in the chat of the main room, - preferably with “* (language)”. They will then be allowed to speak by the moderator and speak in their respective room. The translator will unmute their microphone in the main room and translates to the primar language.

Breakout Rooms

Breakput rooms are often formed to debate in smaller groups. To ensure a reasonable amount of translation effort, all participants and translators of one language are assigned to one breakout room (in the main room). If the Breakout Rooms become too full, Breakout Rooms can also be formed in the secondary rooms, but translators are then required for each room.

Tips and tricks

Use two translators per language. One person cannot do this even at a moderate speed of discussion. It also allows for better reproduction of conversations by alternating the translators.
Ask participants to set their names according to the “Name [pronouns] (language)” scheme. This makes it easier for moderation and translators.
Participants do not need to join the audio in the main room, but they can, so that their contributions can be heard in the original. However, they should mute the browser window of the main room.

Conclusion

Whispered translation is possible in BBB; in order to use it, the possibility must be announced in good time by the moderator and enough translators must be found. The concept of oral translation has already proven itself at a large meeting.

If you are interested in implementing the concept you are welcome to contact me at fluesteruebersetzung@hyteck.de or in the comments below.

Übersetzung in Videokonferenzen

2020-07-23T07:30:00+02:00

Auch wenn physische Treffen nicht möglich sind sind viele Gruppen und Organisationen abhängig von mehrsprachigen Treffen. In Videokonferenzen sind Konzepte wie eine Flüsterübersetzung nicht intuitiv umzusetzen. Ich habe daher mit einer anderen Person zusammen ein Konzept für die Übersetzung in Videokonferenzen erarbeitet. Das Konzept wurde geplant für eine Konferenz mit 80 Teilnehmenden, die über zwei Tage hinweg entweder in großer Gruppe oder in Untergruppen diskutieren und Entscheidungen treffen. Die Videokonferenzsoftware die dabei zum Einsatz kam war BigBlueButton (BBB).

Übersetzung via Untertitel

BBB bietet die Möglichkeit simultan zu Videokonfernz Untertitel zu schreiben. Das Feature richtet sich insbesondere an hörgeschädigte Personen. Für die Übersetzung würde eine Person jeweils eine Sprache übersetzen und eintippen. Dieses Vorgehen ist aufgrund der begrenzten Tippgeschwindigkeit mit großen inhaltlichen Verlusten verbunden. Für hörgeschädigte Personen ist es jedoch eine tolle Möglichkeit und lässt sich mit eine mündlichen Simultanübersetzung kombinieren.

Mündliche Übersetzung

Das Konzept der mündlichen Überetzung basiert darauf, dass es für jede Sprache einen Raum gibt. Diese werden vorher an die Teilnehmenden koummuniziert.

Der Raum, dessen Sprache die meisten Teilnehmenden beherrschen wird dabei der Hauptraum. Personen die nicht die Sprache des Hauptraums sprechen treten diesem trotzdem bei, da Meldungen und andere Moderationsaufgaben in diesem Raum koordiniert werden.

Alle Äuserungen im Hauptraum werden in den anderen Räumen von Übersezer*innen übersetzt. Die Simultanübersetzer*innen sollten dafür mit ausgeschaltetem Mikro im Hauptraum anwesend sein. Wenn eine Person aus dem Nebenraum sich meldet tut sie dies auch im Hauptraum,

am besten mit “* (Sprache)”. Sie wird dann von der Moderation aufgerufen und spricht in ihrem jeweiligen Nebenraum, die Übersetzerinnen unmuten sich im Hauptraum und bringen den Wortbeitrag dort ein.

Breakout Rooms

Oft werden Breakput Rooms gebildet um in kleineren Gruppen zu sprechen. Um einen vertretbaren Überstzungsaufwand zu gewährleisten werden alle, Teilnehmende und Übersetzende einer Sprache gemeinsam einem Breakout Room (im Hauptraum) zugewiesen. Falls die Breakout Rooms zu voll werden, können auch im Nebenraum Breakout Rooms gebildet werden, es sind jedoch für jeden Raum Übersetzende notwendig.

Tipps und Tricks

Nutzt zwei Übersetzer*innen pro Sprache. Eine Person kann das selbst in einer moderaten Diskssionsgeschwindigkeit nicht leisten. Außerdem ermöglicht es Gespräche durch Abwechseln der Übersetzenden besser wiederzugeben.
Bittet Teilnehmende ihren Namen nach dem Schema “Name [Pronomen] (Sprache)” einzustellen. Das macht es Moderation und Übersetzenden leichter.
Teilnehmende müssen im Hauptraum nicht dem Audio beitreten, können dies aber, sodass ihre Wortbeiträge im Orgninal gehört werden können. Jedoch sollten sie selbst das Browserfenster auf stumm schalten.

Fazit

Flüsterübersetzung ist in BBB möglich; Um es zu nutzen, muss die Möglichkeit frühzeitig durch die Moderation angekündigt werden und sich genügend Übersetzer*innen finden. Das Konzept der mündlichen Übersetzung hat sich bereits bei einem großen Treffen bewährt.

Wenn ihr Interesse habt das Konzept umzusetzen schreibt mir gerne an fluesteruebersetzung@hyteck.de

Antwort auf einen Impfgegner

2020-05-04T00:00:00Z

CW

Tod, Krankheit, Spritzen

Petition gegen Masernimpfung

Ich habe von einem Freund einen Link zu einer Impfgegner Petition bekommen. Da ich solche Petitionen für hochgefährlich halte habe ich mir Zeit für eine Antwort genommen.

Antwort

Hi, ich habe mir die Petition angeschaut und werde sie nicht unterschreiben - aus verschiedenen Gründen.

In der Petition steht: “Masern sind eine harmlose Kinderkrankheit, wenn sie richtig behandelt werden.” Das stimmt für die Mehrheit. Aber 1 von 1000 erleidet eine Gehirnentzündung und 4-11 von 100.000 gesunden Menschen erkrankt an SSPE das immer tödlich verläuft. (https://link.springer.com/article/10.1007/s11910-020-1023-y)

“In Deutschland stirbt daran jährlich ein Mensch” Das stimmt eventuell nach akuten Infektionen (kann ich nicht nachprüfen), and den Spätfolgen sind es jedoch 30 Menschen pro Jahr (die Zahl schwankt sehr stark, also mit Vorsicht genießen).

“Der diesjährige Maserntote starb 8 Tage nach einer Masernimpfung in die akute Masernerkrankung hinein.” Das stimmt grundsätzlich (wenn damit 2019 gemeint ist). Erwähnt wird aber nicht, dass der Mensch sich impfen lassen hat nachdem es es in der Familie einen Masernfall gab. Die Impfung hat leider nicht schnell genug geholfen (sie ist erst nach 10-18 Tagen wirksam). Allerdings hätte der Mensch aller Wahrschinlichkeit nach überlebt, hätte er sich irgendwann vorher impfen lassen (Bericht zu dem Fall https://www.n-tv.de/panorama/Masernkranker-stirbt-in-Niedersachsen-article21010218.html). Die niedrige Anzahl der Toten (und durch die Erkrankung dauerhaft geschädigten) ist aber eben auch der hohen Durchimpfungsquote zu verdanken. Sie ist der einzige Faktor dafür, wie viele Erkrankungen es pro Jahr gibt. (Quelle: https://www.atlantis-press.com/journals/jegh/125919426)

“Es gibt also keine epidemiologische Begründung, die Impfungen überhaupt auszuweiten. Auch in Ländern mit 100% Durchimpfungsrate gibt es Masernfälle. Die von Herrn Spahn vorgegebene “Ausrottung” ist gar nicht möglich.” Zunächste einmal: Es kann kein Land eine Durchimpfungsquote von 100% erreichen. In jedem Land gibt es immunschwache Personen die sich nicht impfen lassen können, zB. nach einer Krebserkrankung). Warum genau eine Ausrottung nicht möglich sein soll verstehe ich nicht ganz. Es gibt sehr klare Beweise, dass mit mehr Impfungen weniger Fälle auftreten (https://www.atlantis-press.com/journals/jegh/125919426). Polio ist dank der Impung in Europa nahezu ausgerottet. Ich sehe keinen Grund warum das nicht mit den Masern gelingen sollte.

Außerdem ist das ganze auch eine Sache der Solidarität: Ein krebskrankes Kind wird sich nicht impfen können und eine Erkrankung stellt eine deutlich größere Gefahr da. Damit solche Menschen in die Schule, in die Stadt und so weiter können müssen alle anderen geimpft sein. Deswegen bezog sich der Gesetzentwurf von Spahn auch auf Schulen und KiTas/KiGas.

Dazu kommt, dass die Petition von 2019 ist, die Impfpflicht ist seit 1.März 2020 schon in Kraft.

Sorry dass die Quellen auf Englisch sind, aber ich wollte möglichst auf die orginalen Artikel verlinken. Der Wikipedia Artikel ist aber auch ganz gut: https://de.wikipedia.org/wiki/Masern#Europa

Travelling around Jericoacoara

2020-02-01T18:00:00+01:00

TL;DR

Jeri to Sao Luis is hard by bus. Try the route Jericoacoara -> Jijoca -> Camocim -> Paranaiba -> Sao Luis

Introduction: From Fortaleza to Jericoacoara

As my girlfriend and I were traveling from Salvador to Sao Luis we mostly relied on bus connections. Nevertheless we had some difficulties getting from the beautiful town of Jericoacoara to the trip’s last station Sao Luis.

Jericoacoara

Jericoacoara is a town surrounded by a National Park. Therefore anyone visiting Jericoacoara has to use an authorized vehicle to make the last part of the trip from Jijoca de Jericoacoara to Jericoacoara itself. The vehicles that make this trip must be off-roaders so mainly the so called D-20 or Buggys are used. The trip takes approximately 50 minutes and should cost not more than 25 real per person.

On our way to Jeri we drove by bus from Fortaleza to Jijoca. At the stop in Jijoca there were already Jeeps waiting for us. The bus company Expresso Guanabara which operated the bus to Jijoca offered to buy tickets from Jijoca to Jericoacoara for 30 real. After paying the tourist fee (5 real per person and night) we drove through forest, dunes and some annoyed donkeys to Jeri. The driver dropped us directly at the Pousada where we stayed.

From Jericoacoara to Sao Luis

In Jeri we realized that it would be not as easy as we thought to travel to Sao Luis as there was no bus going west from Jijoca. After some research we found the following solution:

1. 8:00 am Jericoacoara -> Jijoca

We waited at the main street in the city center for a Jeep to Jijoca. There are also several wooden benches around the city where drivers with Jeeps that are not yet full pick up people. Ask in your accomodation! The trip takes about 50 minutes. People will get of at different locations in Jijoca, tell the driver you want to go to Camocim!

2. 9:45 am Jijoca -> Camocim

From Jijoca there are regular busses to Camocim, a town further west. The bus stop is not well known, you will recognize it by the sign in the following picture and people waiting. Next to the stop is a small cafe, perfect for breakfast or buying some water. Link to the exact location of departure

Journey	Manhã (Morning)	Tarde (Afternoon)
Jijoca -> Camocim	7:00, 8:00, 9:45	1:40, 4:00, 6:30
Camocim -> Jijoca	5:00, 6:30, 8:30, 11:00	1:15, 5:30
Jijoca -> Prea.	6:45, 8:15, 11:15	12:45, 3:00, 7:20

Do not be late! The bus is mainly taken by locals and can be very full. There is only limited space for luggage in the back. There is no seat reservation.

If you are not alone: Let one person reserve seats and the other person cares about the luggage. The trip is 17.25 real per person which will be paid during the drive. Camocim is the last stop. We arrived at 11:20 at the Prefeitura de Camocim, the last of three stops in Camocim. From there it is ~500m to the Terminal Rodoviário de Camocim. A nice bus driver might take you there (without charging extra).

It seems that there are two companies operating busses to Camocim and that the other company appareantly has also a bus at 11:30. Taking this bus would reduce your time waiting in Camocim. Nevertheless we did NOT try this so the risk is yours.

If you tried it let me know: E-Mail

3. 3:20 pm Camocim -> Parnaìba

In Camocim we waited for the 3:20 pm bus to Paranaíba operated by Expresso Guanabara. The Terminal has WiFi, bathrooms and a small restaurant offering a typical buffet and cold drinks. Opposite the street there is a burger shop with inexpensive Burgers. There was always an employee present in the small office of Expresso Guanabara

The bus ride has to be pre-booked. The best website for finding booking options is buscaonibus.com.br which will provide links to booking sites like Busbud or BrazilByBus.

Attention: This bus is not listed on Busbud!

4. 21:00 Parnaìba -> Sao Luis

From Paranaíba to Sao Luis there are two busses each day, one at 9 am one at 9 pm. Therefore this city can be a good place for some rest after the already long journey. After getting some sleep you can continue the trip in the morning. Those that want to reach Sao Luis as fast as possible should wait at the Terminal for the 9pm connection. It reaches Sao Luis at around 6:30. The bus has “normal” seats and the leito (bed) option. It is not an actual bed, but a very comfortable seat in the lower deck that can be leaned far back. You feel bumps significantly less in the upper deck. Furthermore this option provides you with the possibility to recharge your phones via USB. The WiFi is a game of luck as in all other busses :)

Important: Overnight busses mostly arrive too early - 30 minutes up to two hours. My strategy for getting off at the right station was to set an alarm 90 minutes before scheduled arrival and then check the position on an offline map and setting an alarm accordingly the bathroom will be used frequently in the morning - plan some waiting time.

You will arrive at the Terminal Rodoviario do Sao Luís

The bus ride also has to be pre-booked. Check on buscaonibus.com.br.

Improve this

I hope this helps you when planning your trip.

If you tried this trip yourself or if you have any comment or questions let me know: E-Mail

Further information:

Site for booking of bus connections buscaonibus.com.br

PS

This is not a travel blog or anything. I just found it hard to navigate this trip an thought this might help others. So this is more a tutorial that got out of hand :)

Services

2019-11-14T09:56:10+02:00

Services

This is a non-extensive list of services I offer. All services are hosted in Germany and come with monitoring of service uptime.

Library management

The library management software ILMO is devoloped by me. It is a perfect tool for the management of small to middle-sized libraries. It offers user management, reminders on loans and an easy borrow procedure. The software is open source so you can host it yourself. If you do not want the hassle of self-hosting I offer managed hosting.

Livestreams

I offer livestreams for online talks. During the global COVID pandemic, a lot of lectures, seminars and talks had to be held online. I want to offer you a way to still reach and interact with people while maintaining a high level of data protection. This is what Owncast in combination with other solutions offers: Just reach out and we can discuss a concept that will work for you!

List of all services

I host some services that are publicly available, some that are only for friends and some that are private. Get in touch if you want me to host a service like this exclusively for yourself or your organization.

Service	Description	Access	Status
Nextcloud	Cloud storage with collaboration suite	Upon request	Live
Matrix	Encrypted chat for teams	Upon request/Einladung	Live
GoToSocial	Social Media server in the Fediverse (Mastodon-compatible)	Public	Live
Funkwhale	Music sharing & streaming	Upon request	Live
Owncast	Livestreams	Upon request	Live
Notfellchen	Find animals and give them a loving home. Not available as commercial hosting - happy to do do this non-profit.	Public	Live
Forgjo & Forgjo actions	Git hosting and automations	Invitiation-only	Live
Grafana	Display telemetry data	Private	Live
Prometheus	Monitoring system & time series database	Private	Live
Influx DB	Time series database	Private	Live
ILMO	Library management tool	Test instance offered upon request	Testing
BigBlueButton	Videoconferencing software	Public	Discontinued April 21. Use Senfcall

Usage policy (german)

Unless a contract specifies otherwise the services are provided free of charge and as-is, without warranty of any kind, expressed or implied. The usage of the services can be restricted or blocked permanently immediately and without warning.

This is especially true for anything that goes against the following rules. The rules are a (non-exhaustive) list of behaviours that may lead to deletion of content or suspension of accounts. In some cases, public or private offline conduct or conduct in using other services may constitute grounds for removal from the service.

We do not tolerate discriminatory behaviour and content promoting or advocating the oppression of members of marginalised groups. These groups may be characterised by any of the following (though this list is naturally incomplete):
- ethnicity
- gender identity or expression
- sexual identity or expression
- physical characteristics or age
- disability or illness
- nationality, residency, citizen status
- wealth or education
- religious affiliation, agnosticism or atheism
We do not tolerate threatening behaviour, stalking, and doxxing
We do not tolerate harassment, including brigading, dogpiling, or any other form of contact with a user who has stated that they do not wish to be contacted.
We do not tolerate mobbing, including name-calling, intentional misgendering or deadnaming.
We do not tolerate violent nationalist propaganda, Nazi symbolism or promoting the ideology of National Socialism.
We do not tolerate conspiracy narratives or other reactionary myths supporting or leading to the above-mentioned (and/or similar) behavior.
Actions intended to damage a service or its performance may lead to immediate suspension.
Content that is illegal in Germany will be deleted and may lead to immediate account suspension.

You can report content that goes against these rules even if you are not the affected person. The report will be kept confidential. Contact

Availability

There is no guarantee of availability, unless specified in a separate contract. There is no guarantee of data backups. Suspension of a service will usually be announced but this is not guaranteed. Join Announcements for this purpose.

Contact

See here

Introduction to git

2019-10-22T19:00:00+02:00

As you man now I work in a research lab. Nearly everyone in our lab needs to do at least some programming. There are trained software engineers next to people how write their first line of code here. As we produce a lot of code that is only scripts not many people used git or any other version control system. For all the good reasons (some are mentioned in the guide) we everybody to learn git in a way that is tradeoff between good version control and fast development. As most of us work on separate projects there is not so much need to collaborate which is reflected ind this guide as I completely excluded branching and merge conflicts. Yet I hope this will maybe help some learners of git or some people that need to introduce git to others.

I will not be updating this guide, for the newest version please visit https://github.com/GerJuli/introduction-to-git

Now enjoy the guide!

Installation

On Windows: Download git here: https://git-scm.com/download/win and install it
On Linux: execute ‘sudo apt install git’ in the terminal

Configuration

Basics

$ git config --global user.name "John Doe"
$ git config --global user.email johndoe@example.com

Run these commands without –global to apply changes only for local repository.

Advanced

Change from default editor by executing $ git config --global core.editor vim
Create aliases by:
- git config --global alias.unstage 'reset HEAD --': Introduces new command unstage
- git config --global alias.hist 'log --pretty=format:"%h - %an, %ar : %s" --graph': Is an pretty alternative to git log.
Check the configuration by $ git config --list

Getting started

Create an directory

Select an directory of your choice e.g. ~/Desktop/git-training/, open the terminal there and type

$ git init

Congratulations you have your first git repository!

Committing files

Create some text files e.g. hallo.txt or hello_world.py. To start version-controlling them add the file to git by using the command

$ git add filename

You can also add multiple files. E.g. you want to add all text files the do

$ git add *.txt

Now we can commit these changes by typing

$ git commit

This will open your preferred text editor where you can type in a commit message.

Commit messages

Commit messages are important

Why are the so important? Because it is much easier to track bugs with it, they describe the process of development, make it easier for others to work with your code (e.g. code review) and will help you in two years to understand what you did. They extend your labbook in its function.

How to write commit messages

Use present tense and use imperative
Tell why you did changes.
Limit yourself to 50 characters in the first line.
Wrap the body at 72 characters

Good commit messages

For short commits that need only few explanation it is convenient to use

$ git commit -m "Fix typo in introduction to user guide"

For long commit message you use

$ git commit

which opens a text editor and lets you describe your changes in detail. Do not forget the line between header and body of the commit message.

Summarize changes in around 50 characters or less
More detailed explanatory text, if necessary. Wrap it to about 72
characters or so. In some contexts, the first line is treated as the
subject of the commit and the rest of the text as the body. The
blank line separating the summary from the body is critical (unless
you omit the body entirely); various tools like `log`, `shortlog`
and `rebase` can get confused if you run the two together.
Explain the problem that this commit is solving. Focus on why you
are making this change as opposed to how (the code explains that).
Are there side effects or other unintuitive consequences of this
change? Here's the place to explain them.
Further paragraphs come after blank lines.
- Bullet points are okay, too
- Typically a hyphen or asterisk is used for the bullet, preceded
by a single space, with blank lines in between, but conventions
vary here

Hall of shame

Here you see some examples of bad commit messages.

“bug fix”, “more work”, “minor changes”: Bad because it contains no useful information
“Change X constant to be 10”: Bad as it does not tell why. What was changed is easy to find out by git diff.
“super long commit message goes here, something like 100 words and lots of characters woohoo!”: Bad because it is unreadable.

Storing changes on remote server

To store changes on a remote server e.g. Github you need to push your repository there. If you are doing this for the first time you first need to define where to push your repository to. Use

$ git remote add origin https://github.com/GerJuli/introduction-to-git.git

The URL can be replaced with any URL that points to an existing repository. This can even be a USB drive! Now push by using git push -u origin master. With this command you created an upstream to your remote ‘origin’ where you branch ‘master’ will be pushed. As this is set up you can use git push from now on.

Cloning existing repositories

Downloading existing repositories is called ‘cloning’. You can do this by using

$ git clone https://github.com/GerJuli/introduction-to-git.git

That is it. Now you can start working on it.

Workflow

Check status

With

$ git status

you can check the status of your current directory. This will look like this:

$ git status
On branch master
Your branch is up-to-date with 'origin/master'.
nothing to commit, working directory clean

Add file

If you now add a file to the repository e.g. README then the status changes.

$ echo 'My Project' > README
$ git status
On branch master
Your branch is up-to-date with 'origin/master'.
Untracked files:
 (use "git add <file>..." to include in what will be committed)

 README

 nothing added to commit but untracked files present (use "git add" to track)

You can also run

$ git diff

which will show you the changes that where made.

Now track the file by adding it to the staging area via

$ git add README

If you want to commit only a part of the changes you made use

git add -p

git will ask you for every “hunk”(part of the file) if you want to add it to the staging area. The main options are:

y stage this hunk for the next commit
n do not stage this hunk for the next commit
q quit; do not stage this hunk or any of the remaining hunks

Committing

The changes are now ready to be committed

$ git status
On branch master
Your branch is up-to-date with 'origin/master'.
Changes to be committed:
 (use "git reset HEAD <file>..." to unstage)

 new file: README

Now commit this change with a suitable commit message. You forgot what you changed and git diff does not work? If you already added the file to the staging area you can run

$ git diff --staged

Push to remote

Push this now to your repository with

$ git push

Show last changes

$ git log

shows you a log of recent commit messages.

If you want to have a look at the changes source use

$ git log -p

A much prettier version is

$ git log --pretty=format:"%h - %an, %ar : %s" --graph

Get latest changes

An amazing thing of git is to work together with others. This guide will not go into the details of this, yet you will often have to get the latest changes of a project.

You can do this easily by using

$ git pull

which is a short version of two different commands. It first executes git fetch that downloads the latest changes. Then it runs git merge FETCH_HEAD which tries to apply the newest changes to your local repository. This is also the difficulty of this as any file that was changed locally and in the remote repository will cause a merge conflict as git does not know which file/parts of the file to keep. The resolution of such a conflict can be complicated and goes beyond the intentions of this guide.

A brief overview can be found here.

Gitignore

Sometimes you do not want git to track every file in your repository. Typically this applies for log files, configuration files (where maybe passwords are stored) and compiled sources. For this purpose you can create the file .gitignore in your repository. This file will be read by git. An example .gitignore looks like this:

# ignore all .log files
*.log
# ignore all files in any directory named config
build/
# but do track sample.log, even though you're ignoring .log files above
!sample.log
# only ignore the TODO file in the current directory, not subdir/TODO
/TODO
# ignore all files in any directory named build
build/

You can generate gitignore files here.

Undoing things

Make changes to the last commit

You forgot to add one file to your commit? You are unhappy with your commit message? Use git --amend!

$ git commit -m 'Pretty commit message'
$ git add forgotten_file
$ git commit --amend

Do not do this if you already pushed to remote.

Unmodifying a Modified File

You made changes to a file but the changes messed everything up? You can always go back to the version of the last commit by

git checkout -- filename

Warning: This is dangerous as you delete all changes that you made locally. Do NOT use this command unless you are absolutely sure what you are doing.

Time machine

Something went terribly wrong. When using git this is no problem. Just use reflog and select the commit where still everything was alright.

$ git reflog
9bff138 HEAD@{0}: commit: Document limitations of this guide
8d9dac8 HEAD@{1}: commit (amend): Adjust script to nice print
[...]
2b66f53 HEAD@{7}: commit: Introduce git log
8835c33 HEAD@{8}: commit: Fix of formating of headings
2f0f500 HEAD@{9}: commit: Improve order of comments on workflow
249dc14 HEAD@{10}: commit (amend): Explain git diff
f5ba1d3 HEAD@{11}: commit: Explain git diff
0a2ce1c HEAD@{12}: commit: Remove trailing whitspaces
735511f HEAD@{13}: commit (initial): Initial commit

$ git reset HEAD@{index_where_everything_was_fine}
$ git reset --hard origin/master

Warning: This is dangerous as you delete all changes that you made locally. Do NOT use this command unless you are absolutely sure what you are doing.

USB sticks as remote

Sometimes (e.g. you are working on a machine that is not connected to the internet) it can be helpful to use an USB drive as remote.

How to prepare the drive

Go to the USB drive

$ cd /media/username/git-stick/

Create a directory for your repository

$ mkdir my-repo

Initialize the repo

$ cd my-repo
$ git init --bare

How to push to a USB drive

To push to a USB drive you need to add a remote. Go to your local repository and use

$ git remote add usb /media/username/git-stick/my-repo/

Be aware that your stick will have a different name and will be at a different location, depending on your operating system. You named the remote “usb” here, of course you can change that name.

Now push your repo

$ git push usb

To list all repositories just type

$ git remote
origin
usb

If you want to push to the USB drive by default you can use

$ git push -u usb master
Branch 'master' set up to track remote branch 'master' from 'usb'

What this guide does not cover

Branching
- Creating branches
- Merging branches (and merge conflicts)
- Remote branches
- Tagging
- Forks
Usage of Github
Hooks

Logo

Git Logo by Jason Long

Why Hyteck

2019-09-16T18:18:10+02:00

TL;DR

Hy - Water
Teck - Castle nearby
Summary: Bad name pun

Why the name Hyteck?

I am not very good at finding names I really like. My nickname changed several times, I was never able to stick to one. As hard as finding a nickname was finding a domainname for me.

Nevertheless I really started to like the name Hyteck. The idea came during a hackathon in Tübingen where two friends and I worked as a team on a project to help elderly adults drinking. We the decided on the teamname HyHack (Hy for Hydration).

What we first did was not so High - Tech (I will post about this sometime), yet we called it that.

I later chenged the Tech to Teck which is a local castle (my hometown is called Kirchheim under Teck) that in the german pronounciation is a Homophone of Tech.

The Hy stayed as I always had a close connection to water.

I feel like I overexplained this a bit, so poor you if you read till the end.

However, you earned a !

ILMO

2019-09-15T22:00:55+02:00

ILMO

is my first bigger FOSS-project. It aims at managing small libraries as found in a department of a university. You can finde the project on Github.

History:

I started to create ILMO for the (rather small) library in the study rooms of mediacal engineering. It contains about 300 books, 120 labcoats and safty glasses and some more stuff. As I was in charge of the lends I started to get annoyed by our paper-based solution. Especially when a bunch of people was trying to lend things it took to much time. Also reminding people to return stuff was unnecessary complicated. Therfore I started to programm this library management tool from scratch. I only reused some basic database and session functions. The project is still a field of learning how to do things for me. Nevertheless after about half a year of development and many tests the system went live in Winter 2018. Since then I fill the bugtracker and slowly improve workflows and add functions.

License

Of course the program is open-source and licensed under GPLv3.

Demo

Right now there is no public available demo but if you are interested I will lead you the way to my test server.

Using ILMO

You know someone who could use somthing like this? I would love to see this software in more libraries. Right now the programm is optimized to the needs of our student union but I would be happy to work more on this.

Imprint & Privacy

2019-09-15T20:51:08+02:00

Impressum

Angaben gemäß § 5 TMG

Hyteck vertreten durch Julian-Samuel Gebühr
Eugenstraße 38
72076 Tübingen
USt-IdNr.: DE348521794
Kontakt:
E-Mail: kontakt@hyteck.de

Copyright

Die meisten der Inhalte dieser Website, so von mir erstellte Texte und Bilder fallen unter die CC-BY Lizenz sofern nicht anders gekennzeichnet oder vereinbart. Das gilt nicht für Inhalte Dritter, so zum Beispiel Logos von Diensten. Sehr gerne einfach kurz Nachfragen, in den meisten Fällen sollte auch CC-0 kein Problem sein.

Haftungsausschluss

Für die Richtigkeit, Vollständigkeit und Aktualität der Inhalte auf dieser Seite kann ich keine Gewähr übernehmen. Bei Bekanntwerden von einer Rechtsverletzung auf dieser Seite durch Dritte werden ich diese Inhalte umgehend entfernen.

Datenschutz

Datenschutz ist wichtig. Deshalb sammeln die Dienst so wenig Daten wie möglich und diese werden gut geschützt. Verantwortlich für die Datenverarbeitung sind die im Impressum genannten Personen.

Blog hyteck.de

Beim Aufruf des Blogs werden folgende Informationen übertragen:

IP-Addressen: Werden übertrtagen, aber nicht gespeichert

Wenn Beiträge mit Chat-Funktion aufgerufen werden, werden Daten wie IP Addressen an cactus.chat übertragen um Kommentare abzurufen.

Durch Nutzung der Kommentarfunktion a) wird ein Profil auf cactus.chat erstellt, dabei werden Daten im Browser gespeichert die das Profil mit dem Broser verknüpfen. b) oder durch ein Einloggen mit einem bereits bestehenden Account werden Daten mit dem Anbieter des Account und zwischen Anbieter und Cactus.chat ausgetauscht.

Konten

Eine Applikationen dieser Website können die Erstellung eines Kontos erfordern. Durch Erstellung eines Kontos werden die angegebenen Daten und von die auf dem Server erstellten oder hochgeladen Inhalte auf dem Server gespeichert. Des weiteren können Trackingdaten erhoben (Seitenaufrufe, Seitenverweildauer) und dem Konto zugeordnet werden. Die Daten werden ausschließlich im eingeloggten Zustand erfasst.

Rechte von Nutzer*innen

Nutzer*innen haben das Recht auf Auskunft über die ihnen zugeordneten, personenbezogenen Daten. Ein Auszug über gespeicherte Daten wird innerhalb von 4 Wochen nach Eingang des Auskunftsersuchens erstellt und elektronisch bereitgestellt. Nutzer*innnen haben das Recht auf Korrektur oder Löschung der ihnen zugeordneten, personenbezogenen Daten. In beiden Fällen ist ein entsprechendes Ersuchen an die im Impressum genannten, aktiven und aktuellen Kontaktdaten zu stellen.

Speicherort

Die Server werden im Auftrag durch uberspace, strato oder hetzner bereitgestellt und betrieben. Ein Vertrag zur Auftragsdatenverarbeitung liegt vor. Eventuelle Backups werden auf Rechnern/Datenträgern der Impressum genannten Person gespeichert. Auch ist eine Speicherung durch Dritte möglich, in diesem Fall liegt ein Vertrag zur Auftragsdatenverarbeitung vor.

Hello World

2019-09-14T16:35:58+02:00

Hello world

Welcome to my new blog! I don’t know what this will all be about - but I will sort this out. As a start I decided to blog in English, but I can imagine that there will be a mix between English and German in the future.

The blog is created with the static site generator HUGO and the theme Nederburg.

About

2019-08-20T19:56:10+02:00

Hyteck

Hyteck is a company for online services that I founded. It provides smaller SaaS contracts, e.g. for Hosting ILMO. Currently available are the services listed here

About me

I work at DKMS, a nonprofit that fights blood cancer by registering potential blood stem cell donors and raising awareness and funds. My role is “Business Analyst” in our Salesforce team. That means I spend my day trying to figure out the business departments need, sketching solutions and translating between product and business teams.

After work, I spend my time with programming, activism and my pet rats.

My background

After finishing school, I studied Medical Engineering in a joint course at University Stuttgart and University Tübingen.

In March 2020 I finished my bachelor thesis “Real-time EEG analysis - Phase dependent effects of TMS on MEP” at the Institute for Neuromodulation and Neurotechnology in the University Hospital Tübingen led by Prof. Gharabaghi. After that I was working there as a researcher.

In November 2020 I started studying Medical Informatics Tübingen and finished in April 2024 with my master thesis " Development and Validation of a Software Platform for Classification and Correction of Pathological Movement in Daily Activities by Multi-modal Sensor Analysis". This work focused on helping Ataxia and Parkinson’s disease as part of a larger project in the Section for Computational Sensomotorics at the Hertie Institute for Clinical Brain Research (HIH). My advisor for this work was Winfried Ilg, and it was examined by Prof. Dr. habil. Michael Menth and Prof. Dr. Martin Giese.

Open-source work

My work on various Open-Source projects involves

Project	Description
Notfellchen	An app for helping fancy rats get adopted from rescues
ILMO	A library management tool, available as SaaS
mash-playbook	An Ansible playbook which helps you host a large catalog of FOSS services as Docker containers on your own server
https://github.com/spantaleev/matrix-docker-ansible-deploy	Matrix (An open network for secure, decentralized communication) server setup using Ansible and Docker

and many more you can find on GitHub, Codeberg. or my own Gitea server.

Commercial Services

I offer to host some Software-as-a-Service. This is especially true for [ILMO], a library management solution I developed. Commercial support for software I maintain is also available, as well bespoke software. Be aware that I have a fulltime job, and I’m limited in the time I can make for your projects.

If you are a non-profit organization, I can offer reduced pricing. If you want to see what’s possible, have a look at the documentation of the Queer Center Tübingen where I set up

a chat server (Matrix)
a cloud collaboration platform Nextcloud)
a SocialMediaServer (GoToSocial)
a shared password manager (Vaultwarden)
a automatically embedded calendar on the Website

and all is connected via SingleSignOn (Authentik) and backed up by BorgBackup.

I also host(ed) some (semi-)public services including BigBlueButton, Matrix, Nextcloud, Funkwhale and Cryptpad. All current active systems can be found in a list

Technologies I like to use

My favourite framework is Django, powered by Python. It makes development incredibly efficient and enjoyable.
I have extensive experience in Ansible and use it to deploy nearly all my services
I use JavaScript sometimes and even dabbled a bit into React
Coding started with Java, and PHP for me, however my PHP is a bit rusty now, while I regularly used Java during my studies.
For programming of real time applications, mostly for medical devices, I learned * Structured Text* (a programming language based on pascal focused on programming PLCs) and C. I don’t enjoy C that much, but I’m proud of what I managed to do anyway.
More recently I started learning Rust and implemented a smaller backend service using axum.

Contact

E-Mail: julian-samuel@gebuehr.net Public key
Matrix: @moanos:hyteck.de (Deprecated: @moanos:matrix.org)
Mastodon: @moanos@chaos.social
Twitter: j-s.gebuehr@twitter.com
Signal, Whatsapp, Phone: Available, use one of the other options to get my phone number
XMPP: moanos@anoxinon.me (Inactive)
Threema: 2A724TYR (Inactive)