Why open source works

This is a short story written in an attempt to describe what open source is and why it works. It is tongue-in-cheek, hyperbolic and simplistic, but still a pretty accurate representation of reality in my opinion. I wrote this in English, even though it is not my native language, to reach more people. The grammar and expressions might be a bit off because of this, silliness and cheesiness are intended. Please enjoy and share if you did, feel free to modify the story if you want.

Jane has a child, Johnny, he is bored and because of that annoying. He whines and won’t sleep. Luckily Jane read about the perfect solution in a magazine. Have your child play outside together with friends. Because there is nothing but an empty field in the backyard, Jane decides a play thing of some sort should keep the kids entertained. Jane starts thinking and draws the perfect thing.

A climbing frame play set! 

This will keep them entertained for a long time Jane thinks. She starts building and before long a wonderful structure is erected. Johnny is super happy and invites all his friends. They play all day long, he never whines again and sleeps really well. Jane also is super happy, all is well at their house now.

One kid has a stupid face though, Johnny does not like him because of that, he can’t come and play. Jane rejects the politics of some of the parents, their children can’t come over. Johnny does not like girls or poor kids either, they also cannot come and play.

Twenty years later, Johnny is all grown up, he has a great life. A wife, two kids, a dog and a cat. He often plays golf with his friends he still knows from back in the day. They talk about how they run their companies and the country they live in. Sometimes though Johnny is sad and cries himself to sleep. The kid with the stupid face he once knew never had anywhere to play and make friends, so he started torturing small animals. He grew up to be a serial killer, but luckily was caught after his seventh murder. This was too late for Jane though.

The poor kids did find each other and became friends. But they never had a fine climbing frame like Johnny and his friends. To this day they resented this and only hated them more now. They never did manage to get out of poverty. Despite their efforts Johnny and his friends closed all opportunities. One of the poor kids decides to start a popular movement and has great success. Turns out there are a lot of poor people and their new leader wins the elections. The leader is not happy though, the laws of the country are too restrictive and he cannot do what he needs to stay in power. A military coup ensues, Johnny and his friends are either locked up or tossed out in the ocean. The leader creates the atom bomb, just for protection. But he gets scared of another country’s leader who in response made these bombs and a world war happens.

Everybody is sad now, most die, nuclear winter follows, ecosystems collapse and revert to microbial life forms only.

But wait, what would have happened in an alternate reality, where Jane makes different choices…

Jane still drew up the plans for the climbing frame, but does not build it in her back yard. Instead she talks to the local council and her neighbors about building it on public land. All the kids are annoying, they need exercise and friends to become happy so everybody agrees. Jane can build it on an empty field, the neighbors help out and everybody pitches in. Some give materials, others help to build or refine the original design together with Jane. Johnny is super proud and films the building process which he shares with all his friends. The video goes viral and soon requests for the plans come in from all over the world.

Meanwhile Johnny is able to play to his heart’s content and all the neighborhood kids join in. The poor kids and the girls also join the fun. The kid with the stupid face turns out not to have such a stupid face after all and happily plays along with them. They all become friends and because their parents taught them about sharing, arguments are quickly resolved.

Jane shares the plans of the play set with the people who watched the video Johnny made. Soon after millions of climbing frames pop up all around the world and people start adding things of their own. Someone designs a slide and another a wonderful playhouse. They in turn share their refinements and Jane incorporates the changes together with her neighbors in their play set, making it more fun than it could ever be!

Twenty years later, Johnny is all grown up, he has a great life. A wife, two kids, a dog and a cat. He often plays golf with his friends he still knows from back in the day. They talk about how they love working together and living on their little place of the earth. Johnny is very happy and sleeps very well knowing the kid with the fun face became a nurse. He takes care of Jane who has become too old to do some things on her own.

The poor kids are no longer poor, the girls never were excluded and everybody works together making the world a better place. Climate change is averted, ecosystems flourish and world peace is established soon after.

The end.

Fixing trailing spaces in directory names

We had a situation where trailing spaces in directory names on an Ubuntu server caused issues with a Nextcloud instance. As a temporary fix I found a script here to deploy.

https://github.com/nextcloud/server/issues/5843#issuecomment-493822639

Here is a slightly modified version we run daily using cron.

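#!/bin/bash

NEXTCLOUD_DATA_DIR=/nc/data/directory
NEXTCLOUD_INSTALL=/nc/web/root

# Find directories whose name ends in whitespace, deepest first,
# NUL-separated so unusual names survive the pipe.
find_cmd=(
  find
  "$NEXTCLOUD_DATA_DIR"
  -depth
  -type d
  -name '*[[:space:]]'
  -print0
)

shopt -s extglob  # needed for the +(...) pattern below
while IFS= read -r -d '' source_name; do
  # Strip all trailing whitespace from the path
  dest_name=${source_name%%+([[:space:]])}
  # Skip on a name collision; mv would nest the directory inside the existing one
  if [ -e "$dest_name" ]; then
    echo "skipping '$source_name': '$dest_name' already exists" >&2
    continue
  fi
  mv -v -- "$source_name" "$dest_name"
done < <("${find_cmd[@]}")

# Let Nextcloud pick up the renamed directories
cd "$NEXTCLOUD_INSTALL" || exit 1
php occ files:scan --all --quiet

exit 0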

TURN server configuration for Spreed WebRTC

To run WebRTC reliably a TURN server is required. Configuration can be very complicated; this post describes a basic working configuration using Coturn on Ubuntu Xenial (16.04).

Install Coturn on your server; it is best to set up a separate server for this.

apt install coturn

Next add the following configuration to /etc/turnserver.conf

listening-port=443
alt-listening-port=3478
listening-ip=YOURIPHERE
relay-ip=YOURIPHERE
fingerprint
lt-cred-mech
use-auth-secret
static-auth-secret=YOURSECRETHERE
realm=spreedbox.local
total-quota=100
stale-nonce
cipher-list="ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5"
no-loopback-peers
no-multicast-peers

On the Spreed server define the server in /etc/spreed/webrtc.conf

...
turnURIs = turn:turn.yourdomain.com:443?transport=udp turn:turn.yourdomain.com:443?transport=tcp
turnSecret = YOURSECRETHERE
..

That is it, restart Coturn and then Spreed and all should be working.
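
The static-auth-secret in turnserver.conf and turnSecret in webrtc.conf must be the same value because, with use-auth-secret, the signalling server uses it to mint short-lived TURN credentials and the TURN server recomputes them. The sketch below is an added example (not code from Coturn or Spreed) that follows the TURN REST API convention of username = expiry timestamp plus an id, password = base64(HMAC-SHA1(secret, username)); the function names, the user id and the timestamps are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import time


def _sign(secret: str, username: str) -> str:
    """base64(HMAC-SHA1(secret, username)), the TURN REST API password."""
    mac = hmac.new(secret.encode(), username.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def issue_credentials(secret, user_id, ttl=3600, now=None):
    """Signalling-server side: mint a username/password valid for ttl seconds."""
    now = int(time.time()) if now is None else int(now)
    username = f"{now + ttl}:{user_id}"  # expiry timestamp, then an id
    return username, _sign(secret, username)


def verify_credentials(secret, username, password, now=None):
    """TURN-server side: recompute the HMAC, reject expired or forged pairs."""
    now = int(time.time()) if now is None else int(now)
    try:
        expiry = int(username.split(":", 1)[0])
    except ValueError:
        return False  # username does not start with a timestamp
    if expiry < now:
        return False  # credential has expired
    expected = _sign(secret, username)
    # Constant-time comparison of the two base64 strings
    return hmac.compare_digest(expected.encode(), password.encode())


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    secret = "YOURSECRETHERE"
    t0 = 1_700_000_000
    user, pw = issue_credentials(secret, "alice", ttl=600, now=t0)
    print(user, pw)
    print("fresh:       ", verify_credentials(secret, user, pw, now=t0 + 60))
    print("expired:     ", verify_credentials(secret, user, pw, now=t0 + 601))
    print("wrong secret:", verify_credentials("other", user, pw, now=t0 + 60))
```

Because every credential is derived from this one secret, anyone who obtains it can mint valid relay credentials, so keep both configuration files readable only by the service accounts that need them.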

Ubuntu desktop automated maintenance with Ansible

When running enough desktop office machines, doing maintenance and making changes like installing new software quickly becomes a problem. You can configure unattended upgrades, but this becomes a problem when it does not work. Often an update won’t install and you’ll need to intervene.

To resolve this we decided to try Ansible, which has worked out great for us. We start up the machines using Wake-on-LAN at night, apply any changes, run the updates and clean up the system.

If you do not know how Ansible works, read up on it here. We needed to work around some bugs in Ansible but the playbook below is what works right now.

---
# Play 1: runs on the control machine, wakes the desktops and waits for SSH
- hosts: desktops
  strategy: free
  serial: 10
  connection: local
  tasks:
    - name: wake up desktop
      local_action: command /usr/bin/wakeonlan {{ macaddress }}

    - name: wait for desktop to start
      wait_for: >
        host={{ inventory_hostname }}
        port=22
        delay=1
        timeout=360
      delegate_to: localhost
      ignore_errors: True

# Play 2: runs on the desktops as root, updates, cleans up and shuts down
- hosts: desktops
  strategy: free
  remote_user: ansibleuser
  become: yes
  become_user: root
  serial: 5
  tasks:

    - name: update
      apt: update_cache=yes

    # apt-check writes the list of upgradable packages to stderr
    - name: check for updates
      command: /usr/lib/update-notifier/apt-check --package-names
      register: packages

    - name: upgrade
      apt: upgrade=dist
      when: packages.stderr != ""

    - name: autoremove
      command: apt-get -y autoremove

    - name: cleanup
      command: apt-get clean

    - name: shutdown
      command: /sbin/shutdown -h +1

You’ll need to add all the desktop host names and MAC addresses to /etc/ansible/hosts, defining the MAC address like this:

[desktops]

desktop1.example.com macaddress=00:EE:EE:EE:00:EE
desktop2.example.com macaddress=00:EE:EE:EE:00:EE
desktop3.example.com macaddress=00:EE:EE:EE:00:EE

You can add any task to run on the desktops in the playbook.

OPNsense router on an XS4ALL VDSL connection

With a Dutch XS4ALL VDSL connection you only get a basic VDSL modem with router which cannot be bridged. So using your own router and firewall is not possible. To make this possible we got a Draytek Vigor 130 and an OPNsense router, which gives us a lot more capabilities and control for the small office environment it is installed at.

Thanks to two separate posts I found on this topic it was possible to do this. First the post by Harold Schoemaker who explains the configuration of the modem.

The modem just needs to talk to the DSLAM and allow the router to set up a PPPoE session. Log in to the modem and configure the following under “Internet Access” and “General Setup”.

Next go to the MPoA settings and configure the following:

  • MPoA (RFC1483/2684): Enable
  • Bridge Mode: Enable Bridge Mode

Once saved, the status of the modem should say “SHOWTIME” and show the correct speeds.

Now we can configure the OPNsense appliance. With the help of a post by FirewallOnline.nl I got this to work.

First a VLAN needs to be configured; for XS4ALL internet this is VLAN 6. In the menu go to “Interfaces”, “Other Types” and “VLAN”.

Create a new VLAN and make the parent interface your wan interface, re1 in my case. Add the VLAN tag 6, add a Description and save.

Next under “Interfaces” go to WAN and configure the following.

  • Description: WAN_INTERNET
  • IPv4 configuration type: PPPoE
  • IPv6 configuration type: none
  • Username (under PPPoE configuration): whatever@xs4all.nl (it does not matter what you fill out here, it cannot be empty though.)
  • Password: 1234
  • Block private networks and Block bogon networks need to be on.

Save the configuration and under “Lobby” go to the “Dashboard”; you should see your external IP address here at the WAN interface.