About Andreas

yay! Life is great ;)

blocking youtube, insta and facebook once and for all

I have been busy for a while figuring out just how much freedom and control I need to use to keep my children from harm from the online world.. after all I know how much trolling is going on and how much hate is being generated/amplified there.
At the same time I am still that blind optimist that believes as long as people talk to each other eventually the good guys will pravail and win because they work together.
Now, with facebook and google using smart algorithms mining big data that they generate from millions of hosts and applying that with addiction-generating systems that generate revenue.. I must admit that is a) very smart, b) a dick move and by all means c) unacceptable if it happens on the back of innocent, uncorrupted and ignorant beings (namely my children)

so I have been using google family link to control the devices of my kids for a while now.
I don’t care what websites they use and who they chat with, they need to learn that some people don’t want to be your friend themselves.
But I have created a blacklist that contains three words:
– youtube
– instagram
– facebook

these three started out wonderful and creative and are now what McDonalds feels like. Fat, lethargic and only interested in making more money. In my eyes they don’t exist anymore but I realize how much the peers of my children are pushing them back and always back again into these platforms.
Everyone who knows a bit about data mining will understand that even without a facebook account, the fact that 5 of your friends have one and they have your number in their address book, that facebook app has access to that address book (to help you “find your friends faster”) and that they get location and demographic information about you by banner ads and tracking cookies that are sent to your device will pretty much tell them all about you without you having an account. It is highly efficient and super scary.

So… while I can more or less control the mobile devices I can not do this for the PC at home.
Also I was looking for a time keeper to control how many hours they are busy.
(Again.. I don’t care if it’s music videos, reddit or minecraft.. but there has to be a balance)

Also laptops can be carried to the neighbors, so installing a pi-hole or DNS blocklists won’t work once they are at the neighbors, whos mother things I am paranoid (I am!) so.. another solution was needed. > see below

It comes in multiple stages.
For mobiles: (Android only – we don’t use Apple iDevices anymore, sorry)
– google family link – create parental account and child account
– restrict all PG/R rated stuff (get rid of that once they are 14)
– restrict all browsers except chrome (otherwise the blacklist won’t work)
– restrict all new software installs / parental approval needed
– blacklist URLs/domains for chrome – block insta, facebook, youtube by keyword
– restrict time by hours / day and bedtime (no activity after 21:00 and before 06:00)

the parent app can create “single-use” keys that disable the restriction for a day, so if they can explain to me why they used the phone for 3 hours for school reasons (the school has a e-learning app) – I can see that in the “usage” overview and send them a code to disable for the day.

the same works for the nintendo switch – it is set to lock after one hour during week and 2 hours in the weekend > I can disable it remotely using my phone for a day (switch parental controls) – also there.. don’t care what exactly they play (as long as it is not rape simulator 2020 or whatever it is these days…) just the time matters.

For the PC: (Windows/Ubuntu)
– there are timekeeping and app tracking apps that are super-scary, like.. I really don’t want to think about the poor children who have to have their parents whitelist every single contact they want to email with – but I want to know if you used the 2 hours for minecraft or for school or for videos.
So – Windows parental controls – track app usage and time. Also bedtime.
Ubuntu: Timekpr-next (had been deprecated twice, this is the most recent version)

And for the last part.. how do I block those sites without using the WLAN router and a DNS profile that can be bypassed easily by going to the neighbor?

> enter the hosts file. (Ubuntu: located in /etc/hosts and windows: Find it in \Windows\System32\drivers\etc\hosts )

I will upload the file here but it basically forces static DNS resolve addresses that point to or or whatnot.. something that is NOT the Internet. apps.facebook.com connect.facebook.net facebook.com fbcdn.com fbsbx.com fbcdn.net graph.facebook.com login.facebook.com s-static.ak.facebook.com static.ak.connect.facebook.com static.ak.fbcdn.net www.connect.facebook.net www.facebook.com
and so on .. there are people on reddit that make a list.. it is still changing so don’t assume this will work forever.
hosts <– grab the entire file here

Also if your kids learn how DNS and networking works (and they manage to assume root) you can’t do much here, either.. but I kinda dream of the day being pwn’d by my daughter.. so I’ll allow it.

automated Plex backup 2019 style

2019 – ubuntu is now using systemd (18.04LTS), my home server is running a ryzen processor, CIFS is almost as fast as NFS now and the automated rsync jobs have stopped.
Time to re-build them!
Note: This is a closed system, I am not taking care of security here much as my network is considered “secure” – this is probably not going to win many security awards

Step 1: Networking

Ubuntu 18.04 uses systemd and netplan so no more hacking around /etc/network/interfaces. The config is in /etc/netplan – the default file is 50-cloud-init.yaml

version: 2
dhcp4: false
mtu: 9000

and apply the settings with sudo netplan apply
and verify withip addr
ST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
however, this did not bring the mtu to 9000 so we need another thing:
> sudo ip link set mtu 9000 enp2s0
and from what I hear this may not be transitory / survive reboots.. in that case it needs to go into the startup scripts.
Anyway: that’s what I wanted:
enp2s0: MULTICAST,UP,LOWER_UP> mtu 9000 qdisc fq_codel state UP

Step 2: Mount the NAS

verify shares are working (NFS and CIFS)

andreas@plexcloud:/$ showmount -e
Export list for
/shares/public *
/shares/andreas *
andreas@plexcloud:/$ smbclient -L // -U andreas
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\andreas's password:
Sharename       Type      Comment
---------       ----      -------
public          Disk      public
andreas         Disk      Andreas sein Zeug

try to mount is manually: (as root because I will mount using fstab later)

root@plexcloud:~# mount -t cifs -o username=andreas,password=xxxxxxxxxxxx,iocharset=utf8,file_mode=0777,dir_mode=0777,soft,user,noperm,vers=1.0 // /mnt/NAS/

root@plexcloud:~# ls /mnt/NAS

actually. it’s 2019.. I changed my mind wrt fstab.. let’s use automount (As I never know if my NAS will be up or not while I move to my new place)
https://help.ubuntu.com/community/Autofs <<< that’s supposed to be easy?

apt install autofs
edit /etc/auto.master and add the line
/mnt /etc/auto.smb
(which should tell autofs to look at /etc/auto.smb and perform its magic in /mnt) – basically mounting SMB shares in the /mnt directory. CIFS would be a better way.. which doesn’t work for me.. so it’s the manual mode for me for now

for the lazy me: edit fstab and add:
// /mnt/NAS/ cifs username=YOURUSERNAME,password=YOURPASSWORD,iocharset=utf8,file_mode=0777,dir_mode=0777,soft,user,noperm,vers=1.0
vers=1.0 is to bypass the “host is down” error (assuming proper authentication should be used) and the rest is to bypass said authentication and not to fuck around with file permissions (just behave like a fucking USB stick, damn it.. no one else is using you!)
yeah, I know.. “guest” would probably work, too.. but I had bad experiences with permissions afterwards.

so now I have a mountpoint, let’s do backups!

Step 3: test and automate rsync jobs

motivation: rsync with delete – whatever I delete from the source can be deleted on the backup, too
full sync for the server directory, only check by size for the media files
I like -v and “–progress” as it gives me an indication what is going on (on the first run…)
however not in the scripts, a simple –stats will have to do, there…

so for the server backup:
rsync -ahv /var/lib/plexmediaserver/ /mnt/NAS/backups/plexmediaserver/ --progress --delete --stats --dry-run
non-verbose and “live” mode:
rsync -a /var/lib/plexmediaserver/ /mnt/nas/backups/plexmediaserver/ –delete

(I removed the -z because the data dir is 7 GB and the compression too too long on that stupid atom-based nas)

and for files:
rsync -ahv /plex/ /mnt/NAS/plex/ --progress --size-only --delete --stats --dry-run
and non-verbose:
rsync -aq /plex/ /mnt/NAS/plex/ --size-only --delete

first version of the script used copy but this took AGES to finish so rsync all the way now. After all it seems my old seagate NAS does rsync :D

the /var/lib/plexmediaserver dir still takes way too long.. so I will tar and zip it and rsync it over instead – much faster – also –delete-source-files is handy (as mv can not overwrite and I don’t feel good calling rm -rf in a script executed by root….)

tar -zcvf plexmediaserver.tar.gz /var/lib/plexmediaserver/

finished script: added to crontab

0 4 * * * cd /home/andreas && sh backup_plex.sh>>plex_backup.log

echo "+++stopping plex media server"
systemctl stop plexmediaserver.service
sleep 5
echo "+++backing up server and cache"
#rsync -ahz /var/lib/plexmediaserver/ /mnt/NAS/backups/plexmediaserver/ --stats --delete
tar -zcf /opt/plex/plexmediaserver.tar.gz /var/lib/plexmediaserver/
echo "+++copying tarball over to NAS"
#rsync -ahv /opt/plex/ /mnt/NAS/backups/plex/ --remove-source-files --progress --stats
rsync -ah /opt/plex/ /mnt/NAS/backups/plex/ --remove-source-files
echo "+++restarting plex media server"
systemctl start plexmediaserver.service
echo "+++server backup complete - now for the files"
#rsync -ahv /plex/ /mnt/NAS/plex/ --progress --size-only --delete --stats
rsync -ah /plex/ /mnt/NAS/plex/ --size-only --delete

ubuntu 19 vanilla gnome

The ubuntu flavor and look+feel has been added to the stock gnome3 – which is not much but I dislike the fat font and the unity-style dock.. also there is something about that purple.

anyway, easy fix: get these packages (in order of how much you want to be gnome-ified)
1) apt install gnome-session
2) update-alternatives –config gdm3.css (select gnome-shell.css)
3) apt install ubuntu-gnome-default-settings
4) apt install vanilla-gnome-default-settings vanilla-gnome-desktop

key differences are:

  • No Ubuntu Dock
  • No app indicator support
  • Adwaita GTK and icon theme
  • Cantarell font is used
  • Default Shell theme
  • App windows only show a ‘close’ button
  • Symbolic icons used in App Menu
  • Activities Hot Corner


the laws of humanity

  1. A human should not harm the world (the universe) or by inaction allow the world (the universe) to come to harm.
  2. A human should not harm humanity or by inaction allow humanity to come to harm, except where this behavior would conflict with the first law.
  3. A human should not harm another human or by inaction allow another human to come to harm, except where this behavior would conflict with the previous two laws.
  4. A human should protect its own existence, except where such protection would conflict with the previous three laws

adapted/stolen from Eric Bubela – ‘stuck’
who adapted it from the laws of robotics as defined by Isaac Asimov


I really want to know when these started to be used in a negative/derogatory way.. as if someone had the intention to keep people “low” in order to.. .well.. what?

  1. Blood is thicker than water.
    The full saying is actually “the blood of the covenant is thicker than the water of the womb.” Basically, it means exactly the opposite of what most people think. It refers to the idea that the bonds you choose to make can mean much more to you than the ones you were born into and don’t have much of a say in.
  2. Curiosity killed the cat.
    This phrase continues: “but satisfaction brought it back.” This makes sense, considering the whole idea that cats get nine lives. I often heard the first half when I was little and asking too many questions, but the full phrase suggest that there is no such thing as too many questions.
  3. A jack of all trades is a master of none.
    This saying got cut short as well and originally said “A jack of all trades is a master of none, but oftentimes better than a master of one.” Unlike what our version would lead you to believe, having multiple interests but not being an expert in anything could actually prove advantageous.
  4. Great minds think alike.
    “Small minds rarely differ” is the following line to this once reassuring quote. I would advise you try not to think about that too much the next time you and your classmates are on a roll with your group project, sometimes phrases get cut short for good reason.
  5. Money is the root of all evil.
    Again, the original version is a little longer. This biblical phrase originally reads “The love of money is the root of all sorts of evil.” There’s a difference in making more money than you could possibly spend and keeping it.
  6. My country, right or wrong.
    This is often used to justify supporting bad wars, the original actually says “My country, right or wrong; if right, to be kept right; and if wrong to be set right.” This puts the responsibility on the citizen to make sure their country is a good one, not the other way around.
  7. Starve a cold, feed a fever.
    I’ve only heard this a couple times and it could have multiple meanings just by reading it differently. Not only is it terrible advice, it’s poorly quoted. The original states “if you starve a cold, you’ll have to feed a fever.” Now, that’s advice I can take to heart.


Pi-Hole, FritzBox, and IPv6

it is the year 2019 and IPv6 still “almost works” – Today’s exhibit: The Pi-Hole

Long story short: Pi-Hole needs a couple checkboxes and command line options to properly do IPv6. Also most home routers still suck when it comes to IPv6.

I am also stubborn enough to identify and engineer ways around the issues that arise. Especially with an ISP like XS4ALL this just has to work.

The pi-hole is a nice project based on a raspberry Pi that adds a DNS resolver/cache combined with an ad-blocker in your network. That way you don’t need to use dubious browser plugins plus it also works for all mobile devices and appliances in your network.

Personally I even find it speeds up browsing as many requests are served from cache a lot better than from your typical home router. Also you can chose different DNS resolvers like OpenDNS and friends, which are not subjected to patriot act and/or corporate censorship. But more about that later.

The pi-hole does assign a IPv6 address and reacts to DNS requests on that address but now the fun begins. Every SoHo router has a way to assign static IP addresses or create static DHCP entries by mac address. IPv4 addresses… But try doing that in IPv6 and you will learn quickly that there is a difference between “works with IPv6” and “does IPv6 just like IPv4”

Also things like “global address” meaning the address should just be routed, not NAT-ted (typcial IPv4 home router has one IPv4 address that is used with PAT/overloading) – IPv6 should make that redundant. but its difficult to “draw the line” between net and host there. (also people seem to not understand that opening a port on a firewall is just as secure as hiding that host behind NAT/PAT. In fact, it should even be easier but hey..

so long story short: (needs more screenshots)

it used Google’s DNS as a forward target.

difference from default setup:
– IPv6 forwarding is enabled (settings > DNS)
– /etc/pihole/setupVars.conf needed editing > IPv6 address was changed after reboot
– I also edited /etc/pihole/pihole-FTL.conf, and added AAAA_QUERY_ANALYSIS=yes
– I restarted pihole-FTL with: systemctl restart pihole-FTL

check in the Fritz Box under advanced > network > IPv6 addresses and set up the new IPv6 address as advertised DNSv6 server (confirm with phone)

do the same for ipv4 (instead of itself, the box should advertise the pi-hole as DNS server/cache/resolver)

somehow I think I should use one of my remote machines to monitor availability for IPv4 and IPv6 – I don’t trust this setup just yet but I also need to read a lot on how IPv6 is “supposed” to be done (static seems weird. SLAAC seems a workaround. Three has to be a better way)



Zwift – or how I learned to enjoy working out

So I eat too much. Or my metabolism is too efficient. Either way, if I don’t work out I get fat. Slowly but steady. Also, I eat when I am stressed so it’s a spiral that I need to avoid. (not even thinking of the benefits of exercise on my mental health. yea.. Depression, I am talking about you!)

I have been to the Gym, I have had a personal trainer, had the evening walks scheduled and I found out I have gotten really good at finding excuses not to go to sports – even to the point of creating escalations at work so I can not make it home in time for the sports class.

Also I love biking so a friend pointed me to zwift. It is basically a MMO sports “game” – I will come to the point of game later but I must say, this eliminates all but one of the possible reasons for me not to exercise. Rain, cars, darkness, time, etc.. all do not apply anymore. And it is either recreational or follows a strict schedule. I can decide on the workout.

the “view” in 1st person. Obviously I need that. I am not a console gamer, FPV FTW!

I chose for the “budget” setup, re-purposing a cheap racebike – there are also solutions out there that work directly with zwift (and other setups) and are a lot more powerful, like the Tacx Neo 2 Smart but that’s something for when the bike and/or the trainer dies.

Right now I used the following components, most of them I had in house already, I only had to buy the actual trainer and the ANT+ sensor (I learned later that you can even save on that by routing the heart and cadence/rpm/wattage signal via your phone and bluetooth using the companion app)

  • Tacx Flow Smart trainer (Decathlon exclusive) – 250,- euro
  • A mat to absorb vibration / protect against sweat (you will sweat!) – 20 euro
  • ANT+ sensor for USB – 15 – 40 euro (amazon vs. branded)
  • pulse meter – bluetooth and/or ANT – 35 euros
  • two fans for cooling/airflow – honeywell – 25 euro each
  • A Zwift subscription (15/month. that one hurts. There is free software out there, like bkool and rouvy but I like the ‘data porn’ approach of Zwift and I dig the massive multiplayer aspect.

the rest of the things I already owned / they accumulate and some things were donated by friends.

  • an old bike (second hand, 100 euro)
  • an old TV / large monitor used as a monitor (free as I had it over)
  • a computer that can run 3d software (anything above Intel 4000 GMA will do)
  • an old soundbar and subwofer. Motivation comes at 140-160 bpm
  • a table / stand to get the TV higher

Been doing this for a year now.. so far it works and I am neither bored, nor annoyed, nor do I get embarrassed or otherwise distracted. Also no excuses. That thing stands in front of me and I can not ignore it. No matter the time or mood or weather.

It’s only me, music and Rule 5 ;)

My next home will have a dedicated training room. That much I know.

a life hack for men…?

Someone on the internet pointed out that there are two things that men should understand in order to evolve beyond neandertal/patriarcy mindset.

  • being nice does not entitle you to sex, it is the bare minimum (on which you can (and should) build up from) – you can always improve!
  • sexism is not ok. never.

But I also found out (by talking to people and observing people) that many men are not even aware they are being sexist. This may have multiple reasons (I blame the parents but it could also be something hard-wired.. or hormones.. or a combination of the three…)

Anyway: it’s called “The Rock Test” 
Source: Medium

it basically comes down to:

before you open your mouth and make that comment, replace the visual image of the woman with The Rock. Would you still make that comment?

or. as the author said herself:

It’s as clear cut as this: Treat all women like you would treat Dwayne “The Rock” Johnson.

Fedora 27 install log

installing Fedora 27 on my laptop, some notes on qemu/libvirt and rpmfusion

rpmfusion is still needed for vlc and other goodies although it gets less important

qemu/virt-manager can now nicely run windows 10, just keep a few things in mind:
from: https://pve.proxmox.com/wiki/Windows_10_guest_best_practices


To obtain a good level of performance, we will install the Windows VirtIO Drivers during the Windows installation.

Create a new VM, select “Microsoft Windows 8/2012” continue and mount your Windows 10 ISO in the CDROM drive
For your virtual hard disk select “VirtIO” as bus and “Write back” as cache option for best performance (the No cache default is safer, but slower)
Configure your memory settings as needed, continue and set “VirtIO (paravirtualized)” as network device, finish your VM creation.
For the VirtIO drivers, upload the driver ISO (use the stable VirtIO ISO, get it from here) to your storage, create a new CDROM drive (use “Add -> CD/DVD drive” in the hardware tab), and load the Virtio Drivers ISO in the new virtual CDROM drive
Now your ready to start the VM, just follow the Windows installer.

Launch Windows install using DVD .iso

After starting your VM launch the console
Follow the installer steps until you reach the installation type selection where you need to select “Custom (advanced)”
Now click “Load driver” to install the VirtIO drivers for hard disk and the network. (successfully tested with “virtio-win-0.1.118.iso”)
hard disk: Browse to the CD drive where you mounted the VirtIO driver and select folder “viostor\w10\amd64” and confirm. Select the “Red Hat VirtIO SCSI controller” and click next to install it. Now you should see your drive.
Network: Repeat the steps from above (click again “Load driver”, etc.) and select the folder “NetKVM\w10\amd64”, confirm it and select “Redhat VirtIO Ethernet Adapter” and click next.
Memory Ballooning: Again, repeat the steps but this time select the “Balloon\w10\amd64” folder, then the “VirtIO Balloon Driver” and install it by clicking next. With these three drivers you should be good covered to run a fast virtualized Windows 10 system.
Choose the drive and continue the Windows installer steps.

Now, Cortana will chat, mute her or talk to her, this installs windows 10.

Once the install is done, make sure to check device manager for missing drivers, use the ISO to install them.

4 GB RAM and 2 CPUs work reasonably fine for me. 3D acceleration is.. I didn’t get SPICE to work properly with my intel integrated graphics.

The normal display driver however works quite well when installing the qxldod driver
from the CD: viostor\w10\amd64\ right-click the .inf file and install

also, install the 64 bit version of the guest-agent.