traumweh

Immich's Smart Search

2025-03-30T16:02:00+02:00

Immich's Smart Search #</a></h1>
I’ve been using Immich for years at this point, but have never used its search feature. My images are sorted into albums, which means I don’t really need to use the search, but instead know where to find things.
But while updating Immich today, I read about new search-models being added, so I thought, why not, let’s give it a try. </section>

Machine Learning #</a></h2>
But before I get into my impressions of this search-system, we’ll first need to talk about the machine learning models it uses, and what that entails.
The search uses a pre-trained machine learning model which runs locally and gets further trained locally on one’s images. It finds associations between a text query and a set of images, to determine which ones fit the most.
One can choose from a couple of pre-trained CLIP models. CLIP stands for Contrastive Language-Image Pre-training and was originally created by OpenAI in 2021. But nowadays, there exist multiple implementations of CLIP, e.g. the OpenCLIP or Multilingual-CLIP projects. They are all trained with different compute-budgets and datasets. As far as I can tell, all datasets are based on some subset of the public web. I have read through a couple of the dataset’s research papers, and all of those use some subset of Common Crawl.
Common Crawl is a gigantic web-crawling project, which exists since 2008 and creates multiple datasets per year. As per the project’s website, “The corpus contains raw web page data, metadata extracts, and text extracts.” To create a dataset for CLIP models, this data gets filtered by images with a large enough resolution and sufficiently long alt-text. Duplicates get removed and images get further classified. This includes things like their resolution, the text’s language, or whether they are safe for work. But it also includes keyword-tagging and transformation: Let’s say the image description is: “Photograph of a pink building in Tokyo.” Then extracted tags could be: Photograph, pink, building and Tokyo. Transformations of the image and extracted tags could then also include: realistic image, aesthetic image, architecture and Japan.
These associations can then be used to train a CLIP model which learns how much an image can be associated with a given text query. This score can then be used to sort a list of images by association to the query. </section>
My Problem With This #</a></h2>
This is a really great application for machine learning, because it is very difficult to program classical algorithms for this. But I have one big problem with this: These datasets rely on publicly available data on the open web, but they do not take into account the data’s licenses. Not everything that is publicly available, is also public domain or under an open license.
I heavily oppose this methodology when it comes to Large Language Models (LLMs) and Generative AI (GenAI), because they create</del> hallucinate ‘new’ things directly from the stolen work of others, require enormous amounts of energy to train and run, and steal the jobs of many while actually doing a worse job.
But for this type of algorithm (i.e. image classification), I am split. On the one hand, yes, peoples works are used without asking for permission, but on the other hand, the data isn’t used to create anything new, and running many of these models require only very small amounts of energy. And it doesn’t steal anyone’s job either. Quite the opposite, it actually makes one’s life a lot easier by not needing to manually tag one’s entire collection of thousands of photographs and hundreds of videos.
And if we ignore OpenAI and Google, most alternative CLIP models reuse existing web-crawling databases, instead of constantly re-crawling every single webpage there is. Common Crawl actually does respect one’s `robots.txt</code>, both the Disallow</code> and the Crawl-delay</code> parameters.`
`In the end, I think I have decided for myself, that I am okay with the crawling by Common Crawl as well as with models built on it, which do not try and hallucinate something new, but actually try and make mundane tasks such as image-tagging more accessible and easy. </section>`
Search Results #</a></h2> Anyway, let’s talk about my actual experience with using the so-called Smart Search feature of Immich. I used the model ViT-B-32__laion2b-s34b-b79k</code>; an OpenCLIP model using the English language subset of the laion2b</code> dataset, which contains 2.3 billion samples from Common Crawl, although I could not find out, which snapshot of Common Crawl was used. The system runs a decade old Intel i7-4790 CPU with 24 GB of DDR3 RAM and no acceleration besides the CPU’s integrated graphics. My Immich instance contains many thousands of photographs from family, friends and personal events and trips. I did specifically use queries which I thought should have some chance of finding something. I won’t include all queries I tried (for privacy reasons) and I also did not follow any scientific methodology. This is just about me wanting to try out a feature and see if I’d deem it to work well. I started with single word queries such as red, cat, hat, mountain, cliff or railing. As long as I had enough images which could be associated with these words, the Smart Search feature was able to find them, without pretty much any false positives. After I couldn’t think of any more single words to try, I moved on to more abstract concepts. These included things like a birthday, school trip, train ride, sleepover or animal park. And once again, the first couple dozen or so images fit the criteria exactly. I do have photographs of a few childhood birthdays, sleepovers and school trips from different years in Immich and the search results were spanning across those, able to classify young people of varying age as school students. Satisfied, I decided to try some more complex queries. Sentences consisting of combinations of different criteria, to create the context of a specific type of event or trip. I was pretty surprised when it could successfully find photographs from a train ride on an old steam train, or distinguish between a children’s birthday inside and one outside or in the summer. It was also able to provide me with photographs showing a field in front of a forest on a cloudy day or a ruin of a concrete building in the forest. Overall I am really impressed by this. I wouldn’t be able to tag this number of photographs and videos at a level of detail required to achieve such depth of query specificity. I don’t know how much I will use this in the future, but I am nonetheless happy that it is possible, completely local using a decade old CPU. </section>



Don't use Freenom
2025-02-27T16:56:00+01:00

Don't use Freenom</span> #</a></h1>
After trying for over two years, to get my Freenom account deleted by making a complaint under the GDPR (Regulation (EU) 2016/679), said complaint is not going to be pursued further, because it only concerns me (no relevance for the public) and the effort would be too high to find out whether there is any legal basis at all that obliges the company to delete my account.</p>
I’m talking about the Dutch company Freenom</em>. A domain registrar that is primarily known for lending out domains of selected domain extensions free of charge. The company is also known for taking these domains away from users and selling them without notice. And last but not least, Freenom ignores any data protection concerns. The web interface does not give users an option to delete one’s account, and neither do their help pages mention account deletion at all. There is a support form, but let’s put it this way: I submitted my request for deletion in accordance with Article 17 GDPR on December 7, 2022 (and attached further information over time), but never received a response from Freenom. Not that the support is a sham, and doesn’t really exist. I did have a previously received a fairly unfriendly response to another service-related support request, which did not offer any support whatsoever, but was at least an answer.</p>

</section>

Involving the Data Protection Authorities #</a></h2>
So, after a period of almost three months, I first contacted Hamburg’s Data Protection Officer, and then, in September 2023, the Dutch Data Protection Authority, the Autoriteit Persoongegevens (herinafter referred to as AP, the AP or the authority). After I received a reply about six more months later stating that the authority had too much to do, and had to send back an attached form, confirming that the problem had not been magically resolved, nothing happened for another year. Until a few days ago.</p>
I received a letter in which the AP summarized the following: They looked at my complaint and reviewed the legal situation to determine what would be the minimum they needed to do. The AP came to the conclusion that they would send a letter to Freenom advising them of their obligations. That’s it. The AP will do nothing more. They justify this as follows:</p>

De AP kan bij uw klacht onvoldoende efficiënt en effectief optreden</span>

[The AP cannot act effiently and effectively enough in the case of your complaint.]</p>
</blockquote>
Wow, you said that really well! Here, have a gold star in the class log. But why can’t the AP do that?</p>

De AP zal namelijk verder onderzoek moeten doen naar de door u gestelde overtredingen door bijvoorbeeld een onderzoek ter plaatse en/of het opvragen van informatie.</span>

[The AP needs to review your alleged infringements in more detail, e.g. through investigations on site and/or by gathering information.]</p>
</blockquote>
Oh, right. Would be totally impractical if an authority would need to review a complaint by investigating it in order to review a complaint. But luckily they’ve got another argument!</p>

De AP ziet geen breder maatschappelijk belang</span>

[The AP does not see any broader social significance]</p>
</blockquote>
The authority always checks, whether an infringement had affected or could still affect many people, which would depend not least on the specific focus of the authority.</p>

De focus van de AP voor 2025 is algoritmes & AI (kunstmatige intelligentie), big tech, vrijheid & veiligheid, datahandel en de digitale overheid.</span>

[The focus of the AP in 2025 is algorithmes & AI (artificial intelligence), big tech, freedom & security, data trading and digital government.]</p>
</blockquote>
I would be so bold as to put this complaint in the “freedom” category. Meaning the argument must be based largely on social relevance, right?</p>

Uw klacht ziet alleen toe op u. Het aantal betrokkenen dat door uw situatie kan worden geraakt is dus beperkt.</span>

[Your complaint concerns only you. The number of people who could be affected by your situation is therefore limited.]</p>
</blockquote>
Oh, it only concerns me? Checks notes.</em> Oh, no, wait a minute. A quick internet search shows that apparently no one on this planet has ever managed to delete their Freenom account, because (as I also described in my complaint) there is no form for this on the part of Freenom, and the support team skillfully ignores any and all GDPR requests.</p>

</section>

Now what? #</a></h2>

De AP legt geen maatregel op aan de organisatie waarover uw klacht gaat. […] Uw klacht is altijd waardevol.</span>

[The AP does not impose any measure on the organization about which your complaint is made. […] Your complaint is always valuable.]</p>
</blockquote>
I’m overjoyed! Now back to eating my hat…</p>

[…] maar uw klacht helpt de AP evengoed persoonsgegevens in Nederland te beschermen. Als de AP bijvoorbeeld merkt dat een hoog aantal klachten over dezelfde organisatie gaat, dan kunnen we alsnog een verder onderzoek instellen. Verder kan uw klacht de AP bijvoorbeeld helpen bij een ander onderzoek dat we uitvoeren. Ook helpt de informatie de AP om onderzoeks- en beleidsonderwerpen te bepalen en om onze website te verbeteren.</span>

[[…] but your complaint helps the AP to protect personal data in the Netherlands. For example, if the AP notices that a high number of complaints are about the same organization, we may still investigate further. Furthermore, your complaint may help the AP in another investigation we are conducting. The information also helps the AP to determine research and policy topics and to improve our website.]</p>
</blockquote>
While the AP is absolutely right about this, this letter however also hightlights some of the major problems with the GDPR. The GDPR is completely inaccessible to the majority of people. It already requires a disproportionate amount of knowledge to make a request to a company under Article 17 of the GDPR, or money for a lawyer. As if anyone would be as foolish as me to voluntarily escalate</em> this into a complaint and send it to the relevant authority in case the company does nothing. And to do this in the Dutch language.</em> Only to find out that these authorities are completely overwhelmed and that every further request being submitted makes it worse, so they try to talk their way out of as many complaints as possible with arguments about efficiency and relevancy, in the hopes of being able to at least follow up on the more significant cases.</p>
The AP gives me six weeks from dispatch-date of its letter to lodge an appeal against the decision using a form. But I don’t know yet whether I am willing to make that effort. Otherwise, I dream</del> think my only chance of getting this account adeleted is if there are actually other people to file such a complaint.</p>

</section>


Nighttime Piano
2024-11-25T02:42:00+01:00

Nighttime Piano</span> #</a></h1>
Every once in a while I need to deal with my thoughts and emotions. And my piano sometimes helps me with that. I haven’t done this in a very long time. So I decided to quickly move around some things in my room, and bring my e-piano over from the other room to make some music.</p>
I learned to play the piano from a very young age and, especially in my teenage-years, used to play piano and guitar basically daily for many years. A little over ten years ago I also started writing my own songs, some only for piano, some also for guitar, and some for my small, broken-up band. Most of these songs I haven’t played in over five, some even in ten years. And tonight I did play some of them again from memory, as well as something new.</p>
I haven’t aimed at perfect recordings at all, I simply connected the piano to my audio interface and pressed record. In total, I recorded nearly one hour of audio (and silence). Below are some of the things I played, for you to listen to and download. I provide the tracks as CC BY-NC-SA 4.0</a>, which means you can adapt it (although adaptions need to follow the same terms) and use it for your own projects as long as you are giving me credit, and aren’t using it commercially (i.e. primarily directed towards commercial advantage or monetary compensation). If (for whatever reason and against all odds) that license doesn’t work for you, then contact me, and I’m sure we’ll figure things out.</p>
But now, I hope you enjoy this small track list. Be kind to yourself. And pause for a moment.</p>

</section>

dead names #</a></h2>
The first thing I played this night was a song I wrote for someone ruffly nine years ago. It is one of the few songs I do still play regularly (as in, whenever I do play piano), but even so it still was a bumpy ride. The song used to have a different name, but I do not want it to have that name anymore. So let’s just call it dead names</em>. Fitting, isn’t it?</p>
You can download it as an MP3</a>, WAV</a> or FLAC</a>. Or you can listen to it below:</p>
</audio></p>

</section>

untitled uplifting draft #</a></h2>
This second little something is a melody and chord-progression I had stuck in my head now for a couple of years, never knowing what to do with it or how to continue it. Maybe one day I will. But for know, it has its place here, as the untitled uplifting draft</em>.</p>
You can download it as an MP3</a>, WAV</a> or FLAC</a>. Or you can listen to it below:</p>
</audio></p>

</section>

lian #</a></h2>
Lian</em> was the name of one of my ex-bandmates. They were a really good friend of mine, but we sadly lost touch. But this song, as well as some Polaroid pictures, always remind me of them and make me miss the times together on stage and cuddled up on my couch. I never play it quite the same, and you might be able to hear, that it made be get lost in thoughts.</p>
You can download it as an MP3</a>, WAV</a> or FLAC</a>. Or you can listen to it below:</p>
</audio></p>

</section>

friendship #</a></h2>
Sometimes I liked to try out different musical functions and patterns. Things like non-typical measures, modulation and whatnot. I’m not gonna spoil what I did in this one, but if I remember correctly, then I didn’t use these functions on purpose, but instead improvised them and refined the track from there. I never gave it a name, but think friendship</em> would fit.</p>
You can download it as an MP3</a>, WAV</a> or FLAC</a>. Or you can listen to it below:</p>
</audio></p>

</section>

remedy #</a></h2>
This one did change name a couple of times because I was never quite happy. At some point, the title had something to do with socks. Don’t ask, there was a reason, alright? But for the longest part now I called it remedy</em>. I dunno why, but I do think it fits, simple as it is.</p>
You can download it as an MP3</a>, WAV</a> or FLAC</a>. Or you can listen to it below:</p>
</audio></p>

</section>

penance #</a></h2>
Even though I haven’t played in a while, and especially haven’t written anything new in an even longer while, this one was improvised one the spot while recording it, so please excuse me missing some of the keys. I think the title, penance</em>, suits it quite well. But why I am calling it penance</em> I will keep to myself.</p>
You can download it as an MP3</a>, WAV</a> or FLAC</a>. Or you can listen to it below:</p>
</audio></p>

</section>


Vegan Börek
2024-10-06T10:41:18+02:00
Vegan Börek</span></h1>


Ingredients #</a></h2>
Spinach Filling (for ca. 20 pieces)</h3>

1/2 onion, cut into cubes</li>
1–2 cloves of garlic, pressed</li>
150 g baby spinach, fresh/frozen</li>
150 g vegan Feta</li>
1–2 tbsp. cashews</li>
Salt and pepper as desired</li>
</ul>
Tomato Filling (for ca. 30 pieces)</h3>

75 g cashews (or vegan Feta)</li>
2 tbsp. sunflower seeds</li>
120 ml tomato puree out of fresh and dried tomatoes</li>
1–2 cloves of garlic, pressed</li>
Salt and pepper as desired</li>
Herbs, e.g. oregano, marjoram, basil, etc.</li>
</ul>
Yufka flatdough (ca. 20 pieces)</h3>

280 g (250 g) wheat flour, type 405</li>
50 g (80 g) Cornstarch</li>
2–3 pinches (1 g) of salt</li>
200 ml water</li>
2 tbsp. neutral oil</li>
</ul>
Additionally, to brush onto the dough:</p>

50–100 ml plant-based milk</li>
2 EL neutral oil</li>
</ul>

</section>
</p>

Preparation #</a></h2>
Spinach Filling</h3>

If using frozen spinach:</strong> defrost the spinach (e.g. in a water bath) and squeeze out; instead of fring, as described below, simply add it before step 3</li>
Heat up oil in a pan and fry the onion cubes for 1 to 2 minutes</li>
Add garlic and spinach (if fresh), fry for another 1 to 2 minutes</li>
Squeeze out the remaining water</li>
Chop up the mixture a bit</li>
Crumble the vegan Feta into the mixture</li>
Add salt and pepper as desired</li>
</ol>
Tomato Filling</h3>

Douse cashews and sunflower seeds with cooking water</li>
Soak for ca. 15 minutes; drain and rinse afterwards</li>
Add remaining ingredients and process into a paste (e.g. using a kitchen machine)</li>
Add salt, pepper and herbs as desired</li>
</ol>
Yufka Flatdough</h3>

Mix flour, starch and salt in a bowl</li>
Add half the water, mix slowly</li>
Add remaining water and oil</li>
Kneat into a soft dough</li>
Divide dough into 8 to 10 beads and wrap in cling film (or leave in bowls under towels)</li>
Rest for 1 hour</li>
Spread some flour on your work surface</li>
Only let one piece of dough at the air at a time to prevent dry out</li>
Roll dough into thin flat pieces, large enough for roughly two pieces of Börek</li>
Cut flatdough into two or three pieces of the desired size</li>
Brush the milk and oil mixture onto the dough</li>
Add desired filling two one end</li>
Roll up the dough from the filled side, ensuring that the endings are not left open but folded inwards</li>
Brush the milk and oil mixture onto the outside as well</li>
Add some poppy and sesame as garnish</li>
Bake for 15 to 20 minutes at 180 ˚C (fan oven) in a preheated oven</li>
Cool down for a couple of minutes (the filling will be very hot!)</li>
</ol>

</section>


Bootstrapping OpenSSH: Remote Disk Decryption
2024-08-09T16:12:00+02:00

Bootstrapping OpenSSH: Remote Disk Decryption</span> #</a></h1>
This is part two (of two) of my journey to remote unlocking encrypted (LUKS) root partitions using SSH during early boot. Here we’ll configure dracut to include the OpenSSH daemon in early boot to type in the passphrase remotely. In the first part, I outlined the steps required to configure a system to use dracut instead of mkinitcpio. If you want to read about that, you can find the first part here: Goodbye mkinitcpio, hello dracut!</a></p>
If you just want the details of what files need to be modified or created, which packages to be installed and stuff, you can skip to this section here</a>.</p>

</section>

What and why? #</a></h2>
Everyone should be using full disk encryption (FDE) at this point. If you aren’t, then you really should be! Otherwise, anyone with physical access to your computer can access all your files. And no, user passwords on linux don’t really mean anything if you have physical system access. Take a look at the concept of chroot</code>-ing and you’ll understand why. But FDE also comes with its own difficulties. Assuming one is using LUKS for FDE, there are many options how to protect the disk: passphrases, keyfiles, FIDO2 tokens, smartcards, etc. And all either require physical access at boot time, or decrese the FDE-security.</p>
Here, we’ll simply look at setups using passphrases which a system prompts for at boot time. Depending on the partition, either at early boot, or late boot. Essentially, if the disk is required to access the root filesystem and build up the actual userspace, then it gets prompted for at early boot. Otherwise at late boot. If your FDE disk or partition contains the root partition, then it will be early boot. And that is what this guide assumes, because in this case, the boot process is actively blocked by the FDE prompt and won’t continue without supplying a valid passphrase. But especially for servers, it is not always possible to have physical access to the system during (early) boot. And therefore, a solution would be to start an SSH daemon during early boot.</p>
Two fairly wide-spread SSH daemons, Dropbear</a> and tinyssh</a> are commonly used in scenarios where disk space is limited. Because boot partitions and initramfs image sizes are often limited, many people fall back to one of these solutions and simply include them as a module in initramfs. But Dropbear is known for implementing a very old and insecure SSH version without support for modern key algorithms, including FIDO2-based ones. And tinyssh, while more modern, is less known, a lot younger and way less tried-and-tested than OpenSSH. And considering that disk space is a lot less of a problem nowadays, even for embedded systems, adding a few dozens of extra megabytes to the initramfs image doesn’t really make the difference. So one might as well include a full OpenSSH daemon which supports modern, tried and tested key algorithms.</p>
So with that out of the way, let’s look at what steps are actually required.</p>

</section>

Prerequisites #</a></h2>
This configuration assumes your system is using the dracut initramfs builder and a root partition with FDE setup.</p>
Before we can start up an SSH daemon at early boot, we’ll need to ensure that a networking (IP) stack is up and running. This include setting up a network interface, too. We’ll be using systemd-networkd</code>, but legacy-network</code> and other network</code>-modules for dracut should work too. For starters, we’ll need to create a network configuration for systemd-networkd. The following configuration assumes you are using an ethernet interface that starts with e</code>, like eth0</code> or enp1s0</code>. If you use a wireless network interface, you need to change this to respect that. We’ll store this config in /etc/systemd/network/20-wired.network</code>:</p>
[Match]
</span></span>Name</span>=</span></span>e*</span>
</span>
</span>[Network]
</span></span>DHCP</span>=</span>ipv4
</span></code></pre>
Next we’ll ensure that dracut actually sets the networking stack up at early boot. To do that, we simply create a file like /etc/dracut.d/sshd.conf</code> with the following contents to start systemd-networkd</code> at early boot and include the network configuration from above:</p>
install_items</span></span>+</span>=</span>" /etc/systemd/network/20-wired.network "</span>
</span>add_dracutmodules</span></span>+</span>=</span>" systemd-networkd "</span>
</span></code></pre>

</section>

Setting up SSHD #</a></h2>
Next, we’ll need a dracut module that includes the OpenSSH daemon in the initramfs and loads it at early boot. Luckily, a person named Georg Sauthoff did the work and made a publicly available dracut-sshd module on GitHub</a>. It is very simple and easy to configure. But first, we’ll start by cloning the repository and copying the module directory 46sshd</code> to /usr/lib/dracut/modules.d/</code>:</p>
#</span></span> also available as a copr repository</span>
</span></span>git</span></span> clone https://github.com/gsauthof/dracut-sshd</span>
</span>cd</span></span> dracut-sshd</span>
</span>sudo</span></span> cp -</span>ri</span> 46sshd /usr/lib/dracut/modules.d/</span>
</span></code></pre>
This module reuses the host’s sshd private keys and includes them in the initramfs image. Depending on your threat model, this might be a problem. After all, if one’s root partition is encrypted, one might not want its secrets to be stored in the boot image unencrypted. If one doesn’t want their keys at /etc/ssh/ssh_host_*_key{,.pub}</code> to be used, simply add new keys at /etc/ssh/dracut_ssh_host_*_key{,.pub}</code>. If these exist, the module will use them instead. But be aware: you might want to consider creating a separate SSH config host entry for the early-boot daemon, or you’ll be greated by an host-key-missmatch error everytime you connect.</p>
Similarly for the authorized keys, the modules looks at different locations; in order of precedence:</p>

/root/.ssh/dracut_authorized_keys</code></li>
/etc/dracut-sshd/authorized_keys</code></li>
/root/.ssh/authorized_keys</code></li>
</ul>
Remember to adjust the permissions of all these files accordingly, i.e. only read- and writeable by root:</p>
sudo</span></span> chmod 0600 [</span>FILES..]</span></span>
</span></code></pre>
By default, the early-boot SSH daemon listens on port 22. If you want to change this, create a file /etc/sysconfig/dracut-sshd</code> that defines SSHD_OPTS</code> with the option -p 22</code> (and possible other sshd-options as desired). And that should be it. All that’s left now, is to rebuild the initramfs image using dracut (and possible other arguments depending on your setup):</p>
sudo</span></span> dracut -</span>f</span> -</span>v</span> [</span>OTHER_ARGS..]</span></span>
</span></code></pre>
And if everything went well, on the next boot, while the passphrase prompt is displayed on screen, an OpenSSH daemon should be running and listening for connections. Simply connect to it, and it should give you the instruction to run systemd-tty-ask-password-agent</code> and supply it with your respective encryption passphrase. You can also use systemd-tty-ask-password-agent --list</code> to display a list of all pending prompts.</p>

</section>


Goodbye mkinitcpio, hello dracut!
2024-08-09T14:55:00+02:00

Goodbye mkinitcpio, hello dracut!</span> #</a></h1>
This is part one (of two) of my journey to remote unlocking encrypted (LUKS) root partitions using SSH during early boot. To achieve this, as a prerequisite, I needed to switch from mkinitcpio to dracut for building the initramfs on one of my systems. So I thought, I might share the few steps I needed to take, to successfully switch over to dracut on my archlinux system.</p>
If you just want the details of what files need to be modified or created, which packages to be installed and stuff, you can skip to this section here</a>. You can find the second part here: Bootstrapping OpenSSH: Remote Disk Decryption</a>.</p>

</section>

What an initramfs? #</a></h2>
If you already know, you can of course simply skip this section. Or read it and correct me where I am wrong.</p>
Essentially, the initramfs is a RAM disk, i.e. filesystem stored in memory, which is used to initialize the system to a point, where it can access the root filesystem. To achieve this, the kernel, which gets started by the bootloader, is responsible of unpacking a contained initramfs image and bootstrap the system. This initramfs image contains all the tooling required to e.g. unlock the filesystem in case of full disk encryption (FDE), load required drivers to e.g. read keyboard events, and load other components as configured (e.g. the networking/IP stack).</p>
This RAM disk is stored as a binary file at a place where your bootloader can find it. This depends on your boot method and bootloader. Using UEFI and Grub as an example, this file is simply located in the root of your EFI boot partition, which usually gets mounted as /boot</code>. The bootloader is then told, which image(s) to load at boot time.</p>
Tools like dracut or mkinitcpio can be used to configure the initramfs image. They essentially create the filesystem, add all the files to it, add some metadata, and pack them into an image file. On linux, the command lsinitrd</code> can be used, to inspect such an image. It displays information about the early CPIO (copy in, copy out</em>) files, the version (e.g. dracut), modules to load and the entire initramfs filetree.</p>

</section>

Why dracut? #</a></h2>
mkinitcpio is fine, but not widely adopted. Most distributions, including Debian, Ubuntu, Fedora, RHEL and many more, use dracut. This of course reflects on the amount of information and solutions available for each.</p>
For me, the main deciding factor was the ease of configuration. While neither option is really all that complex, dracut is</em> easier to configure and needing to administer multiple systems means I don’t want to maintain multiple solutions. So I wanted a common basis for all my systems. Therefore my decision fell on dracut.</p>

</section>

First build #</a></h2>
Now, regarding the actuall steps required to switch from mkinitcpio to dracut: firstly, we need to install dracut. On most systems it is typical, that before installing new packages, one should update the system. In this case, if the update pulled in a newer kernel version or other package version which required rebuilding the initramfs, then the system should be rebooted afterwards to make the first initramfs build using dracut will actually use the latest installed kernel and not the active but out-of-date version.</p>
Once rebooted (if necessary), we simply install our distributions dracut-package (e.g. dracut</code>) using the package manager. We won’t uninstall mkinitcpio yet, only once we have thoroughly tested that dracut actually works. Also, only then will we configure pacman to use dracut instead of mkinitcpio to rebuild the initramfs on kernel updates.</p>
The main configuration file for dracut is /etc/dracut.conf</code>, but we won’t edit that one directly. Instead, we’ll work on our own file in /etc/dracut.d/</code>, e.g. myflags.conf</code>. This allows for distribution maintainers to update /etc/dracut.conf</code> if needed on system updates, but also allow us to declutter our changes and keep them sorted. For now, we’ll simply add the following lines to our /etc/dracut.d/myflags.conf</code>:</p>
hostonly</span>=</span></span>"yes"</span>
</span>hostonly_cmdline</span>=</span></span>"no"</span>
</span></code></pre>
The second line prevents dracut from storing the kernel command line in the initramfs. This might not be useful for everyone. If you are configuring the command line using the bootloader (e.g. Grub), then there is no need for this. AFAIK, setting it to yes</code> can also cause some issues on some systems, especially on non-systemd ones, but don’t quote me on that. Also, dracut’s command line parameters take precedence over configuration files.</p>
The first line on the other hand, is also important for SSHD specifically. While simply telling dracut to build the initramfs image only for this device instead of a generic host, meaning it shouldn’t be used while chrooted, this is also important on some systems and versions of dracut to ensure that the root</code> user can actually be logged into via SSH. Wthout this option, the /etc/shadow</code> file, which contains the hashes of user passwords, might not be created/included in the image. Therefore, once you have built your initramfs image, you should verify whether your image contains an etc/shadow</code> file (note the absence of a leading slash!) and that it contains a line starting with root:</code> followed by either a hash (starting with $</code>), or an asterisk (*</code>) using the following command:</p>
lsinitrd</span></span> /boot/IMAGE_NAME.img -</span>f</span> etc/passwd</span>
</span></code></pre>
Now, simply running sudo dracut -f -v</code> should build a new initramfs for the current kernel. The -f</code> is used to force dracut to overwrite the existing initramfs image, -v</code> for verbosity (which is the default on some systems). On some systems the command might fail the first time. In that case, you might need to run sudo dracut -f -v --regenerate-all</code>, but your mileage may vary. You can also specify a path to overwrite a specific image file by simply appending it to the command above. If you didn’t reboot after a kernel update, you could also specify --kver ...</code> to build the image for a specific kernel version.</p>
Reboot the system to see whether your bootloader was able to detect the new initramfs image, and select it. If you use FDE for your root partition, enter the passphrase. Now, if your system boots correctly, dracut works and you can continue with the next steps. But if nothing seems to happen or you don’t get any passphrase prompt (but expected one, of course), you might want to press Escape to get more detailed information about the boot process. This is not necessary if your kernel command line doesn’t include quiet</code>. To get even more detailed information, you can specify the kernel command line options rd.shell</code>, rd.debug</code> and log_buf_len=1M</code>. This helped me to discover a boot loop which didn’t make sense and was fixed by simply rebuilding the initramfs. But for more concrete steps, consult the documentation or ask your system administrator (that’s a joke).</p>

</section>

Automatic updates #</a></h2>
This section assumes a system using the pacman package manager (like archlinux). For other systems, similar solutions probably exist using hooks for the respective package managers. These steps are based on this section in the archlinux wiki entry on dracut</a>.</p>
For starters, we’ll create two executable scripts to be run automatically by pacman using so-called hooks. The first one simply automatically copies the vmlinuz binary (single binary that contains the kernel) to /boot</code> and calls dracut to build both the new initramfs as well as a generic fallback image for the latest kernel version. Simply create the file /usr/local/bin/dracut-install.sh</code> (the exact path doesn’t matter but must match the ones used in the hooks further below) with the following contents:</p>
#</span></span>!/usr/bin/env bash</span>
</span></span>args</span>=</span>(</span>'</span>--force'</span></span> '</span>--no-hostonly-cmdline'</span></span>)</span>
</span>
</span>while</span> read</span></span> -</span>r</span> line</span>;</span> do</span>
</span>	if</span> [[</span> "</span>$</span>line</span></span>"</span></span> ==</span> '</span>usr/lib/modules/'</span></span>+</span>(</span>[</span>^</span>/]</span>)</span>'</span>/pkgbase'</span></span> ]]</span></span>;</span> then</span>
</span>		read</span></span> -</span>r</span> pkgbase <</span> "</span>/$</span>{</span></span>line</span></span>}</span></span>"</span></span></span>
</span>		kver</span>=</span>"</span>$</span>{</span></span>line#</span></span></span>'</span>usr/lib/modules/'</span></span></span>}</span></span>"</span></span></span>
</span>		kver</span>=</span>"</span>$</span>{</span></span>kver%</span></span></span>'</span>/pkgbase'</span></span></span>}</span></span>"</span></span></span>
</span>
</span>		install</span></span> -</span>Dm0644</span> "</span>/$</span>{</span></span>line%</span></span></span>'</span>/pkgbase'</span></span></span>}</span></span>/vmlinuz"</span></span> "</span>/boot/vmlinuz-$</span>{</span></span>pkgbase</span></span>}</span></span>"</span></span></span>
</span>		dracut</span></span> "</span>$</span>{</span></span>args[</span>@</span>]</span></span></span>}</span></span>"</span></span> --</span>hostonly</span> "</span>/boot/initramfs-$</span>{</span></span>pkgbase</span></span>}</span></span>.img"</span></span> --</span>kver</span> "</span>$</span>kver</span></span>"</span></span></span>
</span>		dracut</span></span> "</span>$</span>{</span></span>args[</span>@</span>]</span></span></span>}</span></span>"</span></span> --</span>no-hostonly</span> "</span>/boot/initramfs-$</span>{</span></span>pkgbase</span></span>}</span></span>-fallback.img"</span></span> --</span>kver</span> "</span>$</span>kver</span></span>"</span></span></span>
</span>	fi</span>
</span>done</span>
</span></code></pre>
The second file, /usr/loca/bin/dracut-remove.sh</code>, simply removes old images. If you want to retain the previous version, simply modify this script to do so. It should look something like this:</p>
#</span></span>!/usr/bin/env bash</span>
</span></span>while</span> read</span></span> -</span>r</span> line</span>;</span> do</span>
</span>	if</span> [[</span> "</span>$</span>line</span></span>"</span></span> ==</span> '</span>usr/lib/modules/'</span></span>+</span>(</span>[</span>^</span>/]</span>)</span>'</span>/pkgbase'</span></span> ]]</span></span>;</span> then</span>
</span>		read</span></span> -</span>r</span> pkgbase <</span> "</span>/$</span>{</span></span>line</span></span>}</span></span>"</span></span></span>
</span>		rm</span></span> -</span>f</span> "</span>/boot/vmlinuz-$</span>{</span></span>pkgbase</span></span>}</span></span>"</span></span> "</span>/boot/initramfs-$</span>{</span></span>pkgbase</span></span>}</span></span>.img"</span></span> "</span>/boot/initramfs-$</span>{</span></span>pkgbase</span></span>}</span></span>-fallback.img"</span></span></span>
</span>	fi</span>
</span>done</span>
</span></code></pre>
Don’t forget to make both files executable:</p>
chmod</span></span> +x /usr/local/bin/dracut-{</span>install,</span>remove}</span></span>.sh</span>
</span></code></pre>
Now all that’s left to do, is creating the pacman hooks themself, one for each script. Hooks are placed in /etc/pacman.d/hooks</code>. This directory might not be created initially, so ensure it exists. Then just create the pacman hook /etc/pacman.d/hooks/90-dracut-install.hook</code> and add the following to it:</p>
[Trigger]
</span></span>Type</span> =</span></span> Path
</span>Operation</span> =</span></span> Install
</span>Operation</span> =</span></span> Upgrade
</span>Target</span> =</span></span> usr/</span>lib/</span>modules/</span>*</span>/</span>pkgbase
</span>
</span>[Action]
</span></span>Description</span> =</span></span> Updating linux initcpios (with</span> dracut!</span>).</span>.</span>.</span>
</span>When</span> =</span></span> PostTransaction
</span>Exec</span> =</span></span> /</span>usr/</span>local/</span>bin/</span>dracut-</span>install.</span>sh
</span>Depends</span> =</span></span> dracut
</span>NeedsTargets
</span></span></code></pre>
Followed by /etc/pacman.d/hooks/60-dracut-remove.hook</code>:</p>
[Trigger]
</span></span>Type</span> =</span></span> Path
</span>Operation</span> =</span></span> Remove
</span>Target</span> =</span></span> usr/</span>lib/</span>modules/</span>*</span>/</span>pkgbase
</span>
</span>[Action]
</span></span>Description</span> =</span></span> Removing linux initcpios.</span>.</span>.</span>
</span>When</span> =</span></span> PreTransaction
</span>Exec</span> =</span></span> /</span>usr/</span>local/</span>bin/</span>dracut-</span>remove.</span>sh
</span>NeedsTargets
</span></span></code></pre>
That’s it. A fairly straight forward process. If you are curious about why I needed this in the first place, then you can find the second part here: Bootstrapping OpenSSH: Remote Disk Decryption</a>.</p>

</section>


SFTP, but with jailtime
2024-07-30T22:26:00+02:00

SFTP, but with jailtime</span> #</a></h1>
Let’s talk about what problem I tried to solve. Essentially, I wanted to give my devices access to a fairly large set of files. But I didn’t want to use Syncthing, partially because I seem to attract sync-conflicts, but more importantly because some of the devices don’t even have enough free storage space. Of course some might ask: why don’t you just host a Nextcloud instance? Simple: I neither like Nextcloud, nor do I need any</em> of its Groupware, Sharing, and other magic features</em>. I just need a place to put my files to retrieve them at a later point.</p>
So I did the only logical thing: I hosted a Samba server.</del> I looked at SFTP. The server is already accessible via its OpenSSH server using authorized FIDO-based SSH keys, limited to my Wireguard VPN. So I created a nas</code> user and mounted some HDD-based storage to its home directory and done.</p>

</section>

Some more constraints #</a></h2>
Except… I neither need, nor want a full secure-shell for this user. It should only be able to access the files on the designated drive; i.e. no access (not even read-access) to /tmp</code>, /etc</code> or similar. On top of that, I was wandering if it was possible to prevent access to the user’s authorized_keys</code> file. That is, can I prevent someone with access to the nas</code> user from changing who can access it?</p>
Turns out: yes! And it is surprisingly simple, too. An OpenSSH server by default hosts an internal SFTP server, so no need to anything in this regard. To verify that your’s has SFTP enabled too, simply verify that your /etc/ssh/sshd_config</code> or a file in /etc/ssh/sshd_config.d/</code> contains the line:</p>
Subsystem</span> </span>sftp /</span>usr/</span>libexec/</span>openssh/</span>sftp-</span>server
</span></code></pre>
If it doesn’t, you can either add it to your /etc/ssh/sshd_config</code>, or add it to the file that we’ll craete in a moment. Read on to understand the difference, and what benefits the latter has.</p>
To start, let’s create a new subconfiguration /etc/ssh/sshd_config.d/20-sftp.conf</code> and, for those who don’t know, talk about what this file-path and -name even are:</p>
Maybe you stumbled across something.d</code> directories are that are littered throughout /etc</code> and elsewhere in Linux before and wandered what they were. Think of them as extensions to the regular configuration files like /etc/ssh/sshd_config</code>. The regular files are often provided by the distributions package manager and can get overwritten by package updates. Files in something.d</code> on the other hand, are (normally) garanteed to persist updates. On top of that, if they specify options which are already specified in the regular file something</code>, then the something.d</code>-file overrides the values in the regular one.</p>
You might have notices, that we prefixed the file with 20-</code>; this is a priority. Most software loads the files in something.d</code> in the order specified by these priorities (low to high), excepting values from 0 (or 1) to 100. It depends on the application whether or not a priority can be specified more than once. Everything after the seperating hyphen (-</code>) is (normally) up to you; use something self-documenting.</p>

</section>

To the jail you go! #</a></h2>
I stumbled across an OpenSSH option to redefine, what a connected user sees as root (to be read as /</code>). The ChrootDirectory</code> option does just that. It changes the root directory a user sees (let’s call that directory the “chroot”). I also found another option, ForceCommand</code>, which forces a user to execute a specific command, including internal commands provides by the OpenSSH server. But just these options alone don’t really help us. After all, we don’t want all</em> users to follow these rules.</p>
Its like the OpenSSH developers had thought about this. Because there is also the Match</code> directive, which allows one to apply a set of options only to a set of connections. So let’s look at a minimal example and go over it:</p>
Match</span> </span>user nas
</span> ChrootDirectory</span> </span>%h</span>
</span> ForceCommand</span> </span>internal-</span>sftp
</span></code></pre>
In the first line, we apply the configuration options only to the connections of the user nas</code>. We could also match users of a specific group, which could e.g. be used to allow multiple users to access the drive and use either file-ownership, permissions or other configuration options to further limit specific users.</p>
The %h</code> in the second line specifies the user’s home directory as the chroot. One could also use %u</code> to build a path like /path/to/drive/%u</code> based on the user name (obviosuly not useful with the specified Match</code> line above).</p>
Lastly, we can limit the user to only use SFTP using OpenSSH’s internal SFTP command. This results in connection resets for all other types of connections like regular ssh</code> or scp</code> connections.</p>
We can also specify many more options to override rules not matches to a specific user. To give some examples of this, the following snippet prevents users from accessing graphical X11-sessions or tunnel TCP ports. It also requires them to use asymmetric keys instead of passwords for authentication:</p>
Match</span> </span>user nas
</span> ChrootDirectory</span> </span>%h</span>
</span> ForceCommand</span> </span>internal-</span>sftp
</span> X11Forwarding</span> </span>no</span>
</span> AllowTcpForwarding</span> </span>no</span>
</span> PasswordAuthentication</span> </span>no</span>
</span> PubkeyAuthentication</span> </span>yes</span>
</span></code></pre>

</section>

Some happy little caveats #</a></h2>
The ChrootDirectory</code> option requires that the chroot (but not its contents) must be owned by the root user. This means, that it should contain at least one more directory writable by the user(s), or otherwise this whole endeavour would have been useless. In my case, I have the two directories volatile</code> and persistent</code>, the latter being included in daily backups.</p>
A more welcome caveat is the way, public keys are authorized. Because the home directory gets overwritten to be the /</code>, the user’s regular ~/.ssh/authorized_keys</code> path doesn’t work anymore. We could of course just change the chroot to a different directory, but either way, the authorized_keys</code> file wouldn’t be accessible anymore.</p>
But this is fine. After all, we don’t want connected users to change who has access, anyway. Instead, we can simply add the following line to the top of our subconfiguration:</p>
AuthorizedKeysFile</span> </span>/</span>etc/</span>ssh/</span>authorized_keys/</span>%u</span> .</span>ssh/authorized_keys</span>
</span>
</span>Match</span> </span>user nas
</span> ChrootDirectory</span> </span>%h</span>
</span> ForceCommand</span> </span>internal-</span>sftp
</span> X11Forwarding</span> </span>no</span>
</span> AllowTcpForwarding</span> </span>no</span>
</span> PasswordAuthentication</span> </span>no</span>
</span> PubkeyAuthentication</span> </span>yes</span>
</span></code></pre>
Now we can simply use the file /etc/ssh/authorized_keys/nas</code> to authorize ssh public keys. Its syntax is equivalent to that of regular authorized_keys</code> files.</p>

</section>

Conclusion #</a></h2>
While this seems like an unnecessarily comlex way to achieve a simple file share, it is still a lot less complex, and way simpler to update than hosting a Nextcloud instance or dealing with sync-conflicts. And to my very specific use-case, this is a good enough solution.</p>

</section>


About
2024-05-30T12:50:00+02:00

About</span> #</a></h1>
Heya! I’m happy you found my corner of hell</del> the internet. I hope you like it!</p>
I am traumweh</span>, pronounced [tʁaʊ̯mˌveː]</span>, but you can also call me lilith</strong>. Both are my online nicknames, but lilith is probably easier to pronounce for many people. You can address me using she/her, they/them and it/its pronouns. I am a queer, antifascist computer science student, feminist and privacy advocate</strong>. I like to spend my time coding in C, Rust or C++ and enjoy learning about all things privacy</strong>, security</strong>, accessibility</strong> and selfhosting</strong>.</p>

</section>

What I do #</a></h2>
In my free time I like to do some programming. Some of the things I enjoyed working on are:</p>

Lyx: A Link Shortener</a></li>
DuckyPad Daemon</a></li>
Hetzner DynDNS service</a></li>
WIP Lost+Found website</a></li>
FSM Designer</a></li>
Not Monetizable</a></li>
</ul>
I also discovered 3D printing and creating my own models using OpenSCAD. In most cases I will publish the models under the CC BY-NC-SA 4.0 license on my own forgejo instance:</p>

Clip to securely hold things like gloves</a></li>
Case for an ESP C3 Super Mini running WLED</a></li>
Clamp for a pipe to hold on to bottle-nametags</a></li>
WIP bottle-nametags</a></li>
Inserts for a utility travelcase</a></li>
</ul>
I also onjoy helping out at events related to the Chaos Computer Club. For example, I help with logistics at the Congress or work on the design for the Easterhegg 2025.</p>
I also write up some of the things I learned or accomplished recently</a> in more detail. I call them bytes</em>. Because they are often related to programming or system administration, but can also be actual cooking recipes. This makes it a double pun, and how could I possibly say no to that?</p>

</section>

Friends #</a></h2>

lilly</a>↗</li>
kritzl</a>↗</li>
Vic Wrobel</a>↗</li>
</ul>

</section>

I'm here #</a></h2>

Forgejo: @traumweh</a></li>
Codeberg: @traumweh</a>↗</li>
GitHub: @traumweh</a>↗</li>
Mastodon: @traumweh</a>↗</li>
Email: hello@lyx.sh (PGP Publickey</a>)</li>
</ul>

</section>


Recommendations: Music, Podcasts and Blogs
2024-05-30T12:24:20+02:00

Music, Podcasts and Blogs</span> #</a></h1>
Whenever I can—and neither need silence nor want to actively think about things—I’m probably listening to an album or podcast. Or I might be reading a blogpost or book. But sometimes just sitting/walking in silence is great too. Because these things mean so much to me, I thought I might as well create lists of my favourite podcasts</a>, some great blogs</a> and most importantly for me, of incredible music and artists</a> for you to check out.</p></p>

</section>

Podcasts #</a></h2>

  
    Midst</b>

    This is by far the best story podcast I have ever heard! Available at midst.co, three unreliable narrators chaotically tell the story of midst</a>↗, an english science-fiction space western! It's amazing! They also have episode transcripts available.
  </li>
  

    Late Night Linux (Family)</b>

    This is a family of english podcasts about Linux, open source software and systems administration. A list of the different shows can be found on latenightlinux.com</a>↗. Sadly there isn't much diversity in the set of hosts. There are also no transcripts</b> available.
  </li>
  

    Haecksenwerk</b>

    A German podcast about feminism, technology, culture and more. The podcast as well as transcripts are available at haecksen.org</a>↗.
  </li>
  

    Tech Won't Save Us</b>

    An english technopolitical podcast about current problems regarding Web3 (crypto-currencies, AI, ...), tech-billionairs and other reasons why tech won't save us. The podcast can be found at techwontsave.us</a>↗. It sadly doesn't have transcripts available.
  </li>
  

    Kill James Bond!</b>

    An english podcast by November Kelly, Abigail Thorn and Devon about the James Bond movies and why James Bond is a problem. The podcast---but sadly no transcripts---can be found at killjamesbond.com</a>↗.
  </li>
</ul>

</section>

Blogs #</a></h2>

  
    Xe Iaso</b>

    Xe writes long post about a variety of stuff, mostly in regards to software development and can be found at xeiaso.net</a>↗.
  </li>
  

    Amos (faster than lime</span>)</b>

    Amos writes long posts about software development, often about Rust and can be found at fasterthanli.me</a>↗.
  </li>
  

    JeanHeyd Meneide</b>

    On their blog The Pasture</i> at thephd.dev</a>↗ they write about the C and C++ standards and their wonderful terribleness. The fairly technical long-posts are always a delight to read.
  </li>
</ul>

</section>

Music #</a></h2>

  
    Joashua Lee Turner and Bob Barrick - Heartache Here</b>

    Available on youtube.com</a>↗. The video does have proper subtitles.
  </li>
  

    Sugadaisy - Where the wildflowers grow.</b>

    Available on youtube.com</a>↗, but the video only has bad auto-generated subtitles.
  </li>
  

    Scruffy</b>

    All their music is available on scruffymusic.com</a>↗, but the website is a lot (visually), has bad tab navigation and malformed HTML.
  </li>
  

    Qumu</b>

    All their music is available on qumumusic.com</a>↗. The website has low contrast.
  </li>
  

    Erin Snape</b>

    Available on their bandcamp.com page</a>↗.
  </li>
  

    Sufjan Stevens</b>

    Available on their bandcamp.com page</a>↗.
  </li>
  

    Envoi</b>

    Available on their bandcamp.com page</a>↗.
  </li>
  

    Fewjar</b>

    Their music is available on their bandcamp.com page</a>↗ and physical media as well as merch on fewjar.de</a>↗.
  </li>
  

    Autumn Orange</b>

    Available on their bandcamp.com page</a>↗.
  </li>
  

    In Love With A Ghost</b>

    Available on their bandcamp.com page</a>↗.
  </li>
  

    Saint Motel - Voyeur</b>

    Available on their bandcamp.com page</a>↗.
  </li>
  

    Mutemath - Play Dead</b>

    Honestly, I couldn't find a proper place to buy it, so I bought it from a random music distribution service.
  </li>
  

    Bug Hunter - The Rough Draft</b>

    Available on their bandcamp.com page</a>↗.
  </li>
  

    GussWhat? - M.J.</b>

    Available on youtube.com</a>↗, but the video only has bad auto-generated subtitles.
  </li>
  

    Meganeko - Nascens</b>

    Available on their bandcamp.com page</a>↗.
  </li>
  

    Gotye</b>

    Available on gotye.com</a>↗, but the website has bad tab navigation.
  </li>
  

    Miracle Of Sound - Level 5</b>

    Available on their bandcamp.com page</a>↗.
  </li>
  

    aivi & surasshu - The Black Box</b>

    Available on their bandcamp.com page</a>↗.
  </li>
  

    Birdmask - I'm Fine and other lies.</b>

    Available on their bandcamp.com page</a>↗.
  </li>
  

    Johnny Manchild and The Poor Bastards - Insomnia</b>

    Available on their bandcamp.com page</a>↗.
  </li>
  

    Ricky Montgomery - Montgomery Ricky</b>

    Available on their bandcamp.com page</a>↗.
  </li>
  

    GameChops</b>

    Available on their bandcamp.com page</a>↗.
  </li>
  

    Unknown Mortal Orchestra - SB-01</b>

    Available on their bandcamp.com page</a>↗.
  </li>
  

    moow - I can't tell you how much it hurts</b>

    Available on their bandcamp.com page</a>↗.
  </li>
  

    The Altogether</b>

    Available on their bandcamp.com page</a>↗.
  </li>
  

    Ken Ashcorp - Blue</b>

    Available on their bandcamp.com page</a>↗.
  </li>
  

    Aviators - Stargazers</b>

    Available on their bandcamp.com page</a>↗.
  </li>
  

    The Revivalists - Men Amongst Mountains</b>

    Available on their bandcamp.com page</a>↗.
  </li>
  

    Parcels - Parcels</b>

    Available on their bandcamp.com page</a>↗.
  </li>
  

    Fish in a Birdcage - Waterfall</b>

    Available on fishinabirdcage.com</a>↗. The website is a bit much (visually).
  </li>
  

    Jacob Collier</b>

    Available on shop.jacobcollier.com</a>↗, but the website has bad tab navigation.
  </li>
  

    Polyphia</b>

    Available on their bandcamp.com page</a>↗.
  </li>
  

    To The Rats And Wolves - Cheap Love</b>

    Available on their bandcamp.com page</a>↗.
  </li>
  

    To The Rats And Wolves - Dethroned</b>

    Available on their bandcamp.com page</a>↗.
  </li>
  

    TWRP</b>

    Available on their bandcamp.com page</a>↗.
  </li>
  

    Starbomb</b>

    Available on their bandcamp.com page</a>↗.
  </li>
  

    NSP</b>

    Available on their bandcamp.com page</a>↗.
  </li>
  

    Aberdeen</b>

    Available on their bandcamp.com page</a>↗.
  </li>
  

    Berlinist - Gris OST</b>

    Available on their bandcamp.com page</a>↗.
  </li>
  

    Boqeh</b>

    Available on their bandcamp.com page</a>↗.
  </li>
  

    Lena Raine - Celeste OST</b>

    Available on their bandcamp.com page</a>↗.
  </li>
  

    Danny Baranowsky - Crypt of the Necrodancer OST</b>

    Available on their bandcamp.com page</a>↗.
  </li>
  

    Christopher Larkin - Hollow Knight OST</b>

    Available on their bandcamp.com page</a>↗.
  </li>
  

    Curtis Schweitzer - Starbound OST</b>

    Available on their bandcamp.com page</a>↗.
  </li>
  

    Big Thief - Dragon New Warm Mountain I Believe In You</b>

    Available on their bandcamp.com page</a>↗.
  </li>
  

    Fredrik - Trilogi</b>

    Available on their bandcamp.com page</a>↗.
  </li>
  

    Mystery Skulls</b>

    Available on mysteryskullshq.com</a>↗.
  </li>
  

    Paramore</b>

    Available on paramore.net</a>↗, but the site is a lot (visually) and tab navigation can be confusing.
  </li>
  

    Periphery</b>

    Available on periphery.net</a>↗. The website has low contrast in some places.
  </li>
  

    Systemabsturz</span></b>

    Available on systemabsturz.band</a>↗.
  </li>
</ul>

</section>


Raspberry Crumble Pie
2024-05-19T21:55:00+02:00
Raspberry Crumble Pie</span></h1>


Ingredients #</a></h2>

375 g flour</li>
250 g margarine</li>
150 g raspberry confiture</li>
200 g raspberries</li>
150 g sugar</li>
1 pinch of salt</li>
1 packet of vanilla sugar</li>
</ul>

</section>
</p>

preparation #</a></h2>

Mix and knead the flour, margarine, sugar, salt and vanilla sugar</li>
Grease the baking tin or cover it with baking paper</li>
Spread 2/3 of the dough as a flat base with higher rim in the baking tin</li>
Spread the confiture over the base (more jam requires a thicker base)</li>
Spread the raspberries evenly</li>
Make the rest of the dough into crumbles and spread evenly</li>
Bake at 175 °C for approx. 45 minutes</li>
</ol>

</section>


Reduced Motion: Handling Animations and GIFs
2024-05-19T20:00:00+02:00

Reduced Motion</span> #</a></h1>
When designing websites—well, anything, really—it is important to think about what impacts your designs can have on people with disabilities. Motion-heavy animations, animated GIFs and similar, can cause discomfort for people with, e.g. vestibular motion disorders. For this reason, browsers have had support for the prefers-reduced-motion</code> media query for a long time, allowing users to set motion preferences at both the browser and even the operating system level.</p>

</section>

Animations #</a></h2>
Let’s take the following CSS animation, which is played when clicking an anchor next to a heading on this page, as an example:</p>
section</span>:</span>target</span> </span>{</span>
</span></span>  animation</span></span>:</span> </span>highlight 3s</span></span></span>;</span>
</span></span></span>}</span>
</span></code></pre>
We could add the following snippet below, to disable the animation if a user prefers reduced motion:</p>
@</span>media</span> (</span>prefers-reduced-motion: reduce)</span> </span>{</span>
</span>  section</span>:</span>target</span> </span>{</span> animation</span></span>:</span> </span>none</span></span>;</span></span> }</span>
</span>}</span>
</span></code></pre>
But this disables the animation entirely, meaning when the animation would trigger, users with this preference are left out, not seeing anything. So instead, it might be better to instead show something, although with less motion in it, like this for example:</p>
@</span>media</span> (</span>prefers-reduced-motion: reduce)</span> </span>{</span>
</span>  section</span>:</span>target</span> </span>{</span>
</span></span>    animation</span></span>:</span> </span>highlight 3s</span></span></span>;</span>
</span></span>    animation-timing-function</span></span>:</span> </span>steps</span>(</span>1</span></span>)</span></span></span></span>;</span>
</span></span></span>  }</span>
</span>}</span>
</span></code></pre>
Using the steps()</code> function, one can specify the number of animation steps, which in this case only causes the first step of the animation to appear for three seconds, and then immediately disappear.</p>
We can do one more thing, to also include the people using browsers that don’t support the media query, by using no-preference</code> instead of reduce</code> and swapping the rules:</p>
section</span>:</span>target</span> </span>{</span>
</span></span>  animation</span></span>:</span> </span>highlight 3s</span></span></span>;</span>
</span></span>  animation-timing-function</span></span>:</span> </span>steps</span>(</span>1</span></span>)</span></span></span></span>;</span>
</span></span></span>}</span>
</span>
</span>@</span>media</span> (</span>prefers-reduced-motion: no-preference)</span> </span>{</span>
</span>  section</span>:</span>target</span> </span>{</span> animation</span></span>:</span> </span>highlight 3s</span></span></span>;</span></span> }</span>
</span>}</span>
</span></code></pre>
You can verify these results, by enabling reduced motion either in your operating system settings or in your browsers preferences and simply clicking on the anchor mark of one of these sections (the hash character behind a heading).</p>

</section>

GIFs #</a></h2>
To respect a users choice for reduced motion in regard to animated GIFs, one might implement one of these two (non-exhaustive) options:</p>

Show a freeze-frame of the GIF, keeping the alt-text of the original. This could also allow for reduced network traffic because only a single frame would need to be downloaded.</li>
Create a different, static visualisation of the GIF’s information which doesn’t require motion. In this case the question would be, whether the GIF was even needed in the first place.</li>
</ol>
The second case could be solved in multiple ways, and as already stated, could be interpreted as a lack of need for the GIF in the first place. So instead let’s look at the more interesting case of showing a still.</p>
When I first started thinking about this problem, I couldn’t come up with a solution that didn’t require JavaScript. But then I discovered the HTML <picture></code> element. It can be used to offer alternative versions of an image for different scenarios by specifying <source></code> elements as alternatives to a foundamental <img></code> element. And of these <source></code> elements, the best match is chosen by the browser. So let’s take this snippet here, which loads the animated cover-image for this website:</p>
<</span>img</span> src</span>=</span>"</span>https://traumweh.dev/black_cat_x32.png"</span></span></span> alt</span>=</span>"</span>(Removed for readability.)"</span></span></span>></span></span>
</span></code></pre>
This is a fairly fast, looping animation, which might very well cause discomfort for some individuals. So using thee <picture></code> element mentioned above, we could instead write the following code, which uses the media</code> attribute for <source></code> elements, to specify that a resource is a good match for a certain media preference:</p>
<</span>picture</span>></span></span>
</span>  <</span>source</span> class</span>=</span>"</span></span>coverart</span>"</span></span></span> srcset</span>=</span>"</span>https://traumweh.dev/black_cat_x32.gif"</span></span></span> media</span>=</span>"</span>(prefers-reduced-motion: no-preference)"</span></span></span>></span></span>
</span>  <</span>img</span> class</span>=</span>"</span></span>coverart</span>"</span></span></span> src</span>=</span>"</span>https://traumweh.dev/black_cat_x32.png"</span></span></span> alt</span>=</span>"</span>(Removed for readability.)"</span></span></span>></span></span>
</span></</span>picture</span>></span></span>
</span></code></pre>
This produces the following result, which you can verify by enabling reduced motion either in your operating system settings or in your browsers preferences:</p>

  
  
</picture>
</section>


Spelt Rolls
2024-05-19T19:00:00+02:00
Spelt Rolls</span></h1>


Ingredients #</a></h2>
Yeast:</p>

2 cubes of yeast</li>
some lukewarm water</li>
some spelt flour</li>
some sugar</li>
</ul>
Dough:</p>

500 g spelt flour</li>
300 g lukewarm water</li>
4 tablespoons olive oil</li>
2 teaspoons salt</li>
</ul>

</section>
</p>

preparation #</a></h2>

Mix the yeast with small parts of lukewarm water, flour & sugar</li>
Leave yeast to rise</li>
Knead together with the remaining ingredients for approx. 2.5 minutes</li>
Divide dough into equal portions</li>
Bake at 200 °C for approx. 20 minutes</li>
</ol>

</section>


Spelt Pizza
2024-05-19T17:00:00+02:00
Spelt Pizza</span></h1>


Ingredients #</a></h2>

1 cube of yeast</li>
375 g spelt flour</li>
250 ml lukewarm water</li>
1 teaspoon salt</li>
1 teaspoon sugar</li>
1 teaspoon pizza flavour</li>
2 tablespoons olive oil</li>
</ul>

</section>
</p>

preparation #</a></h2>

Mix and knead all the ingredients together</li>
Spread the dough on a tray</li>
Leave to rise for one hour</li>
Decorate pizza with toppings of your choice</li>
Bake at 180 °C for approx. 20–25 minutes</li>
</ol>

</section>

traumweh

Immich's Smart Search

Don't use Freenom

Nighttime Piano

Vegan Börek

Vegan Börek</span></h1> Ingredients #</a></h2> Spinach Filling (for ca. 20 pieces)</h3> 1/2 onion, cut into cubes</li> 1–2 cloves of garlic, pressed</li> 150 g baby spinach, fresh/frozen</li> 150 g vegan Feta</li> 1–2 tbsp. cashews</li>

Ingredients #</a></h2> Spinach Filling (for ca. 20 pieces)</h3> 1/2 onion, cut into cubes</li> 1–2 cloves of garlic, pressed</li> 150 g baby spinach, fresh/frozen</li> 150 g vegan Feta</li> 1–2 tbsp. cashews</li>

Spinach Filling (for ca. 20 pieces)</h3> 1/2 onion, cut into cubes</li> 1–2 cloves of garlic, pressed</li> 150 g baby spinach, fresh/frozen</li> 150 g vegan Feta</li> 1–2 tbsp. cashews</li>

Tomato Filling (for ca. 30 pieces)</h3> 75 g cashews (or vegan Feta)</li> 2 tbsp. sunflower seeds</li> 120 ml tomato puree out of fresh and dried tomatoes</li> 1–2 cloves of garlic, pressed</li> Salt and pepper as desired</li>

Bootstrapping OpenSSH: Remote Disk Decryption

Goodbye mkinitcpio, hello dracut!

SFTP, but with jailtime

About

Recommendations: Music, Podcasts and Blogs

Raspberry Crumble Pie

Raspberry Crumble Pie</span></h1> Ingredients #</a></h2> 375 g flour</li> 250 g margarine</li> 150 g raspberry confiture</li> 200 g raspberries</li> 150 g sugar</li> 1 pinch of salt</li>

Ingredients #</a></h2> 375 g flour</li> 250 g margarine</li> 150 g raspberry confiture</li> 200 g raspberries</li> 150 g sugar</li> 1 pinch of salt</li>

Reduced Motion: Handling Animations and GIFs

Spelt Rolls

Spelt Rolls</span></h1> Ingredients #</a></h2> Yeast:</p> 2 cubes of yeast</li> some lukewarm water</li> some spelt flour</li>

Ingredients #</a></h2> Yeast:</p> 2 cubes of yeast</li> some lukewarm water</li> some spelt flour</li>

Spelt Pizza