1. Why I'm not hosting Matrix / Mastodon / etc. services

    This is a frequently asked question, and here's the answer. I love decentralized and federated protocols, but for security reasons I won't host Matrix or Mastodon services on this domain. If I had the time and patience, I'd love to create my own Matrix implementation, but it's a tall order. Matrix has always been a very complicated protocol to implement, and with the recent release of Matrix 2.0 it got even more complicated. Similarly, I'd love for the social features on this site to interoperate with Mastodon, but it has a very particular implementation of the ActivityPub protocol which would be a ton of work to recreate.

    The vast majority of individuals hosting these services appear to be using publicly released Docker containers, or similar, which is great for spinning servers up quickly but bad (IMO) from a security standpoint. Trusting other people with the specifics of your packages is one thing, but spinning up other people's virtual machines on your own network(s) is a dangerous game. Attack surface is a big deal in cybersecurity, which is why I prefer to roll my own protocol implementations when possible. At least that way, if I fuck up, I know who to blame when shit goes south.

    Matrix, Mastodon, and the Fediverse in general are amazing innovations, and likely the future of social interactions online. There are very smart people with domain expertise running and hosting these services, but I'm not one of them, nor do I care to be.

    For people with shared goals and vision, don't fret. Obsessive Facts is a small operation, and I am likely not the threat actor you're looking for. Again, there are smart people with domain expertise working on the problems listed on the About Us page. You can either trust their implementation or roll your own, but sending toots on this domain won't change the inevitable outcome.

    Posted 2023-09-24 01:42:00 CST by henriquez. Comments
  2. How to mount a LUKS encrypted Linux drive in Windows

    Become the world’s top super hacker with this one weird trick

    This is kind of fun, but probably no one will need to do this ever. But the point is you can! So why not? Anyway, suppose you have an encrypted Linux drive and you want to mount it in Windows for whatever reason. Just follow along.

    1. Install Windows Subsystem for Linux 2

      WSL 2 allows you to run a virtualized Linux environment that integrates tightly with the Windows OS. To install it, search for "Turn Windows features on or off" in the Start menu and click the shortcut to open the Settings pane. Scroll down towards the bottom and check the box for "Windows Subsystem for Linux". Then click "OK" to install WSL 2.

    2. Open the Microsoft Store app and install Ubuntu Linux 22.04 LTS

      This is trippy as hell. Ubuntu Linux on an App Store? We have entered the end times indeed.

      Screenshot of Microsoft Store app

    3. Confirm it worked by opening Linux in Windows Terminal

      Start the Terminal app, which should be pre-installed. By default it will probably open to a Powershell or Command Prompt. Click the dropdown arrow on the tab bar and you should see "Ubuntu 22.04.2 LTS" or something similar in the dropdown menu. Click it to start Linux!

      Screenshot of Windows Terminal app

    4. Run an Administrator Powershell and give WSL 2 access to your physical drive

      These instructions are adapted from Microsoft's own documentation so check that out if you need help. Basically, open a new Powershell as Administrator (right click the shortcut and then "Run as administrator").

      List your physical drives by entering: GET-CimInstance -query "SELECT * from Win32_DiskDrive"

      The command should give you output similar to the following:

      DeviceID           Caption                   Partitions Size          Model
      --------           -------                   ---------- ----          -----
      \\.\PHYSICALDRIVE3 Samsung SSD 980 PRO 2TB   1          2000396321280 Samsung SSD 980 PRO 2TB
      \\.\PHYSICALDRIVE0 WD_BLACK SN850X 4000GB    3          4000784417280 WD_BLACK SN850X 4000GB
      \\.\PHYSICALDRIVE1 Samsung SSD 970 PRO 512GB 1          512105932800  Samsung SSD 970 PRO 512GB
      \\.\PHYSICALDRIVE2 WDBRPG0020BNC-WRSN        1          2000396321280 WDBRPG0020BNC-WRSN

      So, one of the DeviceIDs in the output should map to your LUKS encrypted Linux drive. Suppose for example it was \\.\PHYSICALDRIVE3, then you can give your WSL 2 environment access to that drive with the following command:

      wsl --mount \\.\PHYSICALDRIVE3 --bare

      PROTIP — If you need to do this a lot, you can put that command in a .bat file and run it (as Administrator) anytime you want to mount the drive in WSL 2.

    5. Find your encrypted drive in your WSL 2 shell

      Go back to your Terminal with the Ubuntu Linux shell running, and if everything worked, you should be able to find your encrypted drive with the following command: lsblk -l

      The command should give you output similar to the following:

      sda             8:0    0 363.3M  1 disk
      sdb             8:16   0     8G  0 disk  [SWAP]
      sdc             8:32   0     1T  0 disk  /snap
      sdd             8:48   0     2T  0 disk
      sdd1            8:49   0     2T  0 part

      In this example the sdd1 identifier maps to the encrypted partition on your physical drive.

    6. Decrypt and mount the encrypted drive

      You will need a package called cryptsetup if it's not installed. From your Linux shell, enter sudo apt install cryptsetup if needed.

      Now you can decrypt the volume by entering (for example): sudo cryptsetup luksOpen /dev/sdd1 samsung_980_pro

      ^ The name you put in the last argument of that command is any arbitrary name you want to assign the drive in the device mapper. Just be sure that you use the correct device name for the encrypted partition listed from lsblk (in this example /dev/sdd1).

      Once it's decrypted, you can mount the drive with the following command(s):

      • sudo mkdir /mnt/my_encrypted_drive (if needed)
      • sudo mount /dev/mapper/samsung_980_pro /mnt/my_encrypted_drive

      Obviously you can customize the names and mount location however you see fit.

    7. Now you can access your encrypted drive from Windows Explorer!

      Open a new Explorer window and scroll down the left sidebar until you see "Linux." Click this and you'll be able to browse the filesystem from your Ubuntu 22.04 installation. Simply navigate to /mnt/my_encrypted_drive or wherever you mounted the drive, and you'll have access to your encrypted volume!

      Screenshot of Windows Explorer
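    Steps 5 and 6 as one script, added here as an example and not taken from the original post: it tells the disk apart from its partition in the lsblk output, checks that the partition really carries a LUKS header before opening it, and undoes everything when you are done. It assumes cryptsetup is installed, that it runs as root in the Ubuntu WSL shell after the drive was attached with wsl --mount ... --bare (step 4), and the script name and arguments are made up for the example.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post. Run as root inside the Ubuntu WSL
# shell after `wsl --mount \\.\PHYSICALDRIVEn --bare`. Assumes cryptsetup is installed.
set -eu

# Print partition names from `lsblk -l` text on stdin (TYPE is the 6th column),
# so the caller never has to guess between the disk (sdd) and its partition (sdd1).
partitions() {
    awk '$6 == "part" { print $1 }'
}

# Of the given partition names, print the first one whose header is LUKS.
first_luks() {
    local p
    for p in "$@"; do
        if cryptsetup isLuks "/dev/$p" 2>/dev/null; then
            printf '%s\n' "$p"
            return 0
        fi
    done
    return 1
}

# Open and mount; cryptsetup prompts for the passphrase on the terminal.
mount_luks() {
    local dev="$1" name="$2" target="$3"
    cryptsetup isLuks "$dev" || { echo "$dev is not a LUKS volume" >&2; return 1; }
    cryptsetup luksOpen "$dev" "$name"
    mkdir -p "$target"
    mount "/dev/mapper/$name" "$target"
}

# Reverse of mount_luks, so the cleartext mapping does not linger after you are done.
umount_luks() {
    local name="$1" target="$2"
    umount "$target"
    cryptsetup luksClose "$name"
}

# Usage: ./wsl-luks.sh open  samsung_980_pro /mnt/my_encrypted_drive
#        ./wsl-luks.sh close samsung_980_pro /mnt/my_encrypted_drive
case "${1:-}" in
    open)
        part=$(first_luks $(lsblk -l | partitions)) || { echo "no LUKS partition found" >&2; exit 1; }
        mount_luks "/dev/$part" "$2" "$3"
        ;;
    close)
        umount_luks "$2" "$3"
        ;;
esac
```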

    One nice use case for this...

    Having an encrypted drive is just a good idea in general. If your computer is lost or stolen you can keep your private files protected and not worry so much about identity theft or any other bad outcomes from people maliciously accessing your files. Many Windows computers ship without any kind of drive encryption, and Microsoft's own BitLocker disk encryption is only available in "Pro" editions of Windows.

    Speaking of BitLocker, who can even trust that shit? It's a closed source system and Microsoft can swear up and down that it's safe and secure, but for all anyone knows it's backdoor'ed six ways from Sunday. By using Linux LUKS drive encryption in Windows, you at least have open source and provable security. Just make sure your passphrase is strong enough and you're good to go!

    Posted 2023-09-12 11:04:00 CST by henriquez. Comments
  3. gemini-proxy

    A Gemini browser, inspired by Netscape Navigator 2.0

    One of the best and worst things about the Gemini Project is the barrier to entry. It's a sort of walled off part of the web, akin to a nuclear bunker for nerds. The whole thing has this sort of retro cyberpunk vibe, and browsing Geminispace feels a lot like browsing the early, pre-"Web 2.0" World Wide Web, where everything you see is created by ordinary people, not controlled by monopolistic corporations and spy-bots. I totally dig it, but I didn't want it to be so walled off. So I made a proxy.

    Click here to check out gemini-proxy!

    Gemini-proxy gives you the user experience of Netscape Navigator 2.0 running in Windows 98 SE, with the style and beauty of the excellent Lagrange Gemini Client, all running in the comfort and safety of your familiar web browser. I don't think it hurts anything to make Geminispace accessible to people who don't have the time or expertise to set up specialized software, and it was a fun way to learn about the Gemini Protocol, which was dead simple to implement.

    P.S. — I have disabled web crawlers from scraping Gemini URIs via robots.txt but if you hate gemini-proxy and don't want it touching your capsule, block

    Posted 2023-09-01 09:11:03 CST by henriquez. Comments
  4. How to host a Gemini capsule with Node and Nginx

    Project Gemini is a text-based web protocol, like a mash-up of TLS + Gopher. It's hyped as a "Small Internet" with outer space imagery, where instead of web sites, we have Gemini capsules. Some people love it, some people hate it, but it's there and I think it's kind of cool. Anyway, recently I was playing with it and I realized there aren't good docs on how to get it running with nginx. So here's a quick howto:

    1. Enable the nginx stream module

    Depending on your environment, you may need to install the nginx stream module (e.g. sudo apt install libnginx-mod-stream), or it might just need to be enabled. Assuming it's installed, simply add this to the very top of your nginx.conf to enable it (the path may be different in your environment): load_module /usr/lib/nginx/modules/;

    2. Set up a stream directive in nginx.conf

    This should be in your nginx.conf as a sibling to the http directive (i.e. not within the http directive or sites-available). Basically, in your actual nginx.conf, put it underneath the http directive, like this:

    http {
        # Basic Settings
        # ...
        # ... skipping ahead ...
        # ...
        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
    }

    stream {
        # Configure ngx_stream_module for Gemini
        limit_conn_zone               $binary_remote_addr zone=addr:10m;
        limit_conn_log_level          warn;
        limit_conn                    addr 1;   # one concurrent connection per client address
        log_format                    basic '$remote_addr $upstream_addr [$time_local] '
                                      '$protocol $status $bytes_sent $bytes_received '
                                      '$session_time';
        access_log /var/log/nginx/gemini-access.log basic;   # stream access_log needs a format name
        error_log  /var/log/nginx/gemini-error.log;
        server {
            listen                    1965;
            proxy_buffer_size         16k;
            # TLS is passed through untouched; the Gemini server behind this port terminates it
            proxy_pass                'localhost:9003';  # set your actual port here
        }
    }

    3. Have a Gemini server listening on the local port specified in nginx.conf

    This is really easy to set up using the gemini-server npm package, which is modeled after Express (but really you can use any Gemini server). Here's a simple Node.js server written in TypeScript:

    import { readFileSync } from 'fs';
    import gemini, { Request, Response, status } from 'gemini-server';

    const PORT = 9003;   // must match proxy_pass in nginx.conf

    const app = gemini({
      cert: readFileSync('./cert.pem'),
      key: readFileSync('./privkey.pem'),
      titanEnabled: false   // no Titan uploads; the capsule stays read-only
    });

    // Home page.
    app.on('/', (_req: Request, res: Response) => {
      res.file('pages/index.gmi');   // placeholder landing page; the original handler body was cut off
    });

    // Get the facts.
    app.on('/facts/:file', (req: Request, res: Response) => {
      try {
        res.file('pages/facts/' + req.params.file);
      } catch (error) {
        res.error(40 as status, 'File not found.');
      }
    });

    app.listen(PORT, () => console.log('Gemini listening on ' + PORT + '...'));

    Note that Gemini requires TLS, so you'll have to use a real cert.pem and privkey.pem, but if you already have these for your HTTPS domain you can reuse them. Otherwise check out this wiki to set up a cert.
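    A quick end-to-end check for the setup above, added as an example and not part of the original post: it sends one Gemini request to the TLS listener on port 1965, so both the nginx stream proxy and the Node server behind it get exercised, and it validates the response header the way a client would (two-digit status, a space, then a meta string of at most 1024 bytes). It assumes openssl is installed; the host name is whatever your capsule answers to, and the script name is made up.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post. Assumes openssl is installed.
set -eu

# Send one Gemini request over TLS and print the raw response.
# A Gemini request is just the full URL followed by CRLF; nothing else is sent.
# -servername sets SNI so the server can pick the right certificate; -quiet implies
# -ign_eof, so the request is delivered and the reply read until the server closes.
gemini_get() {
    local host="$1" path="${2:-/}"
    printf 'gemini://%s%s\r\n' "$host" "$path" |
        openssl s_client -connect "$host:1965" -servername "$host" -quiet 2>/dev/null
}

# Validate the first line of a Gemini response read from stdin:
# "<two-digit status><space><meta>", meta at most 1024 bytes.
# Prints "<status> <meta>" on success, returns 1 on a malformed header.
parse_header() {
    local LC_ALL=C   # so ${#meta} counts bytes, as the spec requires
    local line status meta cr
    cr=$(printf '\r')
    IFS= read -r line || return 1
    line=${line%"$cr"}            # strip the CR of the CRLF terminator
    status=${line%% *}
    meta=${line#"$status"}
    meta=${meta# }
    case "$status" in
        [1-6][0-9]) ;;            # 1x input, 2x success, 3x redirect, 4x/5x failure, 6x cert
        *) return 1 ;;
    esac
    [ "${#meta}" -le 1024 ] || return 1
    printf '%s %s\n' "$status" "$meta"
}

# Usage: ./gemini-check.sh your.capsule.example /facts/hello.gmi
if [ $# -gt 0 ]; then
    gemini_get "$1" "${2:-/}" | parse_header
fi
```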

    That's it. Have fun!

    Posted 2023-08-12 17:59:59 CST by henriquez. 2 comments
  5. My review of Pop!_OS 22.04 vs. MacOS and Windows

    TL;DR: Pop!_OS > Windows > MacOS

    I've been building and tinkering with computers since I was a small child. Originally I would salvage old computer parts that schools and businesses were throwing away, swapping broken parts for whatever working hardware I could find, in the process converting my parents' family room into a junkyard of resurrected IBM PS/2s and dot matrix printers, all of them beeping and clicking and running my childish attempt at an artificial general intelligence.

    Now that I'm grown up, my life is much the same, although instead of finding old junk, I've blown altogether way too much money buying computers and experimenting with new builds. This means I've never been a "PC guy" or a "Mac guy" or a "Linux nerd" or anything else. I'm intimately familiar with Windows, MacOS and many flavors of Linux and I appreciate all of them for what they are.

    But recently, I sold off my Windows and Mac setups and made 2023 my year of Linux on the desktop. And so far I am loving it, thanks in great part to Pop!_OS 22.04, the only Linux distro I've used that fits me like a glove. So in the following post, I will ramble on about Pop!_OS and why I took the plunge.

    Read More

    Posted 2023-08-05 23:11:00 CST by henriquez. Comments