April 2024 Bits#
April 7 - DNS Server#
I’ve tried out Pihole and Adguard Home before, but I want something that’s a little bit easier to understand and backup configuration for. I’m looking at a few options:
-
Uses a Web UI for configuration
https://github.com/0xERR0R/blocky
Grafana dashboard: https://github.com/0xERR0R/blocky-grafana-prometheus-example
Supports DNS over HTTPS server
Blocking can be temporarily disabled via CLI: https://0xerr0r.github.io/blocky/v0.23/interfaces/
https://github.com/Cottand/leng
A comparison: https://cottand.github.io/leng/AlternativesComparison.html
Supports DNS over HTTPS server
No premade Grafana dashboard, but has metrics: https://cottand.github.io/leng/Prometheus-Metrics.html
Both blocky and leng use a config file for configuration, but blocky seems to have a way to disable ad blocking temporarily, which is a requirement.
There’s also now a Hacker News thread on this: https://news.ycombinator.com/item?id=39968103 Some of the comments mention using https://oisd.nl/ as the blocklist, as that seems to break the least number of things.
April 8 - Downgrade NVIDIA Drivers#
Well, I did it again: I upgraded my NVIDIA drivers. Big mistake. Huge.
I’m currently running 550.67, and I think I will downgrade to the latest 535 driver: 535.161.07. I had 535.113.01 installed a while back, and that worked great, which is why I want to stick with the 535 series.
I will follow this:
sudo apt purge ~nnvidia
sudo apt install nvidia-driver-535-server
Might as well enable Wayland support while we’re at it
echo 'options nvidia_drm modeset=1' | sudo tee /etc/modprobe.d/zz-nvidia-modeset.conf
sudo vi /etc/gdm3/custom.conf # enable wayland
Now flatpak update && sudo reboot.
The most important thing that we’ve done is remove system76-driver-nvidia,
which seems to automatically update the NVIDIA fairly frequently.
As I expected, 535.161.07 is now installed!
lavender@lavender-legion:~$ nvidia-smi
Mon Apr 8 20:29:32 2024
+---------------------------------------------------------------------------------------+
| NVIDIA-SMI 535.161.07 Driver Version: 535.161.07 CUDA Version: 12.2 |
|-----------------------------------------+----------------------+----------------------+
| GPU Name Persistence-M | Bus-Id Disp.A | Volatile Uncorr. ECC |
| Fan Temp Perf Pwr:Usage/Cap | Memory-Usage | GPU-Util Compute M. |
| | | MIG M. |
|=========================================+======================+======================|
| 0 NVIDIA GeForce RTX 4070 ... Off | 00000000:01:00.0 On | N/A |
| N/A 44C P4 13W / 55W | 2161MiB / 8188MiB | 29% Default |
| | | N/A |
+-----------------------------------------+----------------------+----------------------+
+---------------------------------------------------------------------------------------+
| Processes: |
| GPU GI CI PID Type Process name GPU Memory |
| ID ID Usage |
|=======================================================================================|
| 0 N/A N/A 3669 G /usr/lib/xorg/Xorg 1393MiB |
| 0 N/A N/A 4034 G /usr/bin/gnome-shell 590MiB |
+---------------------------------------------------------------------------------------+
It’s good to finally be back on stable NVIDIA drivers. Now I don’t have to unplug my third monitor before suspending my computer (545 and 550), and unplugging my monitor and plugging it back in no longer causes the system to only support extremely basic graphics (550).
Update (April 10): It seems that sometimes after plugging external monitors back in, my refresh rates get locked at 60 and fractional scaling does not work. We’ll have to see if this continues, but I didn’t expect this to happen since the last time I used a 535 driver it worked about as perfectly as I could ask for.
April 10 - Choosing an apcupsd prometheus exporter#
I documented installing apcupsd a while ago (August 14 - Setting up apcupsd for my UPS). However, I have not been collecting metrics any of this time. Now that I have a decent Prometheus setup going, it makes sense to collect metrics from this.
I have a few options:
https://github.com/jirutka/apcupsd-snmp + https://github.com/prometheus/snmp_exporter + https://grafana.com/grafana/dashboards/12340-ups/
Fairly outdated
https://github.com/3VLINC/apcupsd-prometheus
Updated June 8, 2023
Supports docker - published on Docker Hub
Written in JavaScript
https://github.com/io-developer/prom-apcupsd-exporter
Updated February 5, 2024
Supports docker - published on Docker Hub
Written in Go
https://github.com/mdlayher/apcupsd_exporter
Updated March 14, 2022
No docker support
Third party support: https://hub.docker.com/r/jangrewe/apcupsd-exporter
Written in Go
https://brendonmatheson.com/2020/02/20/monitoring-apc-ups-units-with-prometheus-on-raspberry-pi.html
https://github.com/damomurf/apcupsd-exporter + https://grafana.com/grafana/dashboards/13525-apc-ups/
Updated May 19, 2019
No docker support
Written in Go
If I wasn’t running Proxmox, I would probably choose whichever one has the best docker support, but figuring out which one to choose might be difficult now as I don’t have docker installed inside of Proxmox. I’ll have to think on it.
Additionally, I want to eventually look into these things for monitoring Proxmox:
April 12 - A domain for my internal services#
I’m planning on self-hosting some applications on my laptop, and I want to access them via a domain name and a self-signed certificate. The domain I use will have to not be in use by anything else, so it’s best I find a top level domain I can use.
-
Recommends the use of
.internal
https://datatracker.ietf.org/doc/html/rfc8375
Describes the use of
home.arpa.
April 13 - Secure connections between remote docker containers#
In all of my docker services that I manage, I try to make them easy to understand and I also try to assume that anything can become compromised at any time, so not everything should be able to communicate with each other. I knew I wanted to setup WireGuard. I looked at this post: https://www.procustodibus.com/blog/2022/06/multi-hop-wireguard/ but I soon realized that I didn’t need something that complicated.
I set up a wireguard container using cmulk/wireguard-docker:buster (https://hub.docker.com/r/cmulk/wireguard-docker) today.
I choose it because it allowed me to manually configure my WireGuard configuration file and it didn’t try to do anything via environment variables.
I even configured ALLOWED_IPS on both ends to be able to route local network traffic back and forth.
That’s cool, but my actual use case is the docker services on each device need to communicate with each other.
Now, I could make everything have a network_mode: container:wireguard-container,
but I don’t want all of my containers to have the same IP address, thus sharing ports and able to communicate with one another through localhost.
It’s possible to set up some iptables rules to route specific subnets through a specific gateway (the wireguard container in my case).
But I don’t really want to do that.
I want something that’s easy to setup and maintain.
So, I thought about a simple SOCKS5 proxy.
The SOCKS5 proxy can have a network mode that is the WireGuard container.
Once I do that, now I just have to get some container on the same network as my WireGuard container and it will have access to the proxy.
The question is which proxy to use.
There are plenty of proxies that don’t even require the use of a WireGuard connection.
Shadowsocks seems to have its own tunnel built into it.
If I used that I might as well not use the WireGuard network.
It looks like socks5-server () is going to be my best bet.
A simple test of running docker run -it --rm -p 1080:1080 serjs/go-socks5-proxy worked perfectly without any configuration.
If I ever need to come back to choose a different container, I might consider docker-socks-tunnel, which uses Microsocks under the hood.
Eventually I get everything setup and I get this:
root@ed03976dcfd4:/usr/share/grafana# curl -x socks5://wireguard-gold:1080 192.168.210.3:9090
<a href="/graph">Found</a>.
root@ed03976dcfd4:/usr/share/grafana# curl -x socks5://wireguard-gold:1080 prometheus.gold.lavtop.internal:9090
<a href="/graph">Found</a>.
Both of those work! Yay! Now that I can do that from within the Grafana container, I need to set up a SOCKS5 proxy for Grafana: https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/proxy/
Grafana seems to recommend that the proxy be secure, but this is all inside docker networks, so I can just set allow_insecure to true. Now I have this:
[secure_socks_datasource_proxy]
enabled = true
; root_ca_cert =
; client_key =
; client_cert =
server_name = wireguard-gold
# The address of the socks5 proxy datasources should connect to
proxy_address = wireguard-gold:1080
allow_insecure = true
# default of show_ui is true, but specify anyway
show_ui = true
Now I added this inside of an existing prometheus.yml file for provisioning:
apiVersion: 1
datasources:
# ...
- name: 'Lavtop Prometheus'
type: prometheus
access: proxy
orgId: 1
uid: 98855a68-8eb8-41a6-a6a0-df8968f70ab4
url: http://prometheus.gold.lavtop.internal:9090
jsonData:
enableSecureSocksProxy: true
editable: true
The only problem is that is seems that Grafana is also letting the proxy resolve the hostname prometheus.gold.lavtop.internal.
Not a huge deal. It just means I need to add that as an extra_host somewhere else.
I tried my server’s WireGuard container. That didn’t work. Even the pings to that hostname didn’t work.
I tried my server’s proxy container, but I get conflicting options: custom host-to-IP mapping and the network mode.
Hmm. Well, I guess I’ll just have to hard code to 192.168.210.3 for now. I’ll just have to change that URL parameter above.
And… Success! Well, I finally got there after some tinkering. It’s a bit weird that Grafana seems to only support a single SOCKS5 proxy. Maybe I’ll have to create an issue about that.
April 23 - DietPi Time Sync#
BatteryPi had a power outage today, so I went in and configured its time sync to “Boot + Hourly” in dietpi-config > Advanced Options > Time sync mode
https://dietpi.com/forum/t/wrong-time-after-power-off/3181/3