Phil's Notes

Systemd Targets and Dependencies

Phil Crockett — Sun, 25 Jan 2026 14:46:44 GMT

tl;dr: If you know the background details and just need some quick syntax reminders, checkout the summary at the bottom.

I modify systemd unit files maybe a couple of times per year. That’s often enough that it’s useful for me to understand them well, but not often enough for those details to stick in my brain.

So I wrote this for myself or for anyone else who might be in a similar situation. It’s for anyone who needs a quick refresher on systemd targets, Wants=, Requires=, WantedBy=, RequiredBy=, Before=, and After=.

Before I get into the real content, it’s useful to have an example systemd unit file in your head for context. I chose Tailscale (copy / pasted from my laptop running Archlinux):

# /usr/lib/systemd/system/tailscaled.service
[Unit]
# Details omitted for brevity
Wants=network-pre.target
After=network-pre.target NetworkManager.service systemd-resolved.service

[Service]
# Details omitted for brevity

[Install]
WantedBy=multi-user.target

The Dependency Graph

Systemd maintains a dependency graph of units.^[1] These units can include, for example, generic “targets” (which describe overall system states) such as network-online.target, or specific background services like tailscaled.service. There are other kinds of systemd units, but these are the most common types we interact with.

This dependency graph is important because as your system changes state (online vs. offline, starting up vs. shutting down, etc.), certain things must happen in a specific order. For instance, it doesn’t make sense to start the Tailscale service before your DNS resolver is ready.

A key strength of systemd’s design is that you can precisely add entries to this graph without performing invasive surgery on your operating system.

Most of what follows applies regardless of whether you’re working with targets, services, or other types of systemd units — the concepts are largely consistent across unit types.

Activation States

When a unit is activated, it eventually reaches a final activation state: either “active” or “failed.” If a unit was never intended to be activated, it remains “inactive.”

Understanding these states is important for understanding the difference between “wanting” and “requiring” another unit.

Establishing a Basic Dependency Relationship

When writing a unit file, the most basic way to establish a dependency on another unit is using Wants= and Requires=.

Wants= creates a soft dependency. If your unit includes Wants=, systemd will attempt to start the specified unit alongside yours. If that unit fails to activate, it doesn’t matter — your unit will still start.
Requires= creates a hard dependency. It behaves similarly to Wants=, but if the target unit ends up in a “failed” state, your unit will not start. Or, if both were being started in parallel, your unit will be stopped.

In both cases, Wants= and Requires= cause systemd to include the dependent unit in the same transaction. The difference lies in how failure is handled.

Reverse Dependencies

The WantedBy= and RequiredBy= directives let you define a dependency from another unit back to yours — effectively reversing the dependency direction.

These directives cause symbolic links to be created. For example, if your unit specifies:

WantedBy=multi-user.target

systemd creates a symlink:

/etc/systemd/system/multi-user.target.wants/my-service.service → /usr/lib/systemd/system/my-service.service

This ensures your unit starts during the activation of multi-user.target.

What’s up with the `[Install]` section?

You may have noticed that Wants= and Requires= appear in the [Unit] section of a unit file, while WantedBy= and RequiredBy= belong in the [Install] section. Why? And what does “install” even mean here?

The [Install] section defines what happens when you enable a unit (i.e., configure it to auto-start at boot). So when you run:

systemctl enable tailscaled.service

systemd reads the [Install] section, finds the WantedBy=multi-user.target, and adds the Tailscale service to the dependency list of the multi-user.target unit.

This is how auto-starting works: systemd already plans to activate multi-user.target during every boot process, and since Tailscale is now included as a dependency, the service starts along with it.

Note: The [Install] section has no effect until you enable the service. Before enabling, the unit exists, but the dependency relationship isn’t set up.

Why You Need `Before=` and `After=`

Important: Wants=, Requires=, and similar directives do not control startup order. They ensure that certain units are started together in the same transaction, but not necessarily in any particular sequence. systemd may still start your unit in parallel with its dependencies.

If you need your unit to start only after another unit has reached an active (or failed) state, you must explicitly use After=. Similarly, if your unit must start before another, use Before=.

Also note: Before= and After= do not imply a dependency. If systemd wasn’t already planning to start the referenced unit, these directives have no effect. They only matter when the other unit is part of the current activation transaction.

That’s why Wants= or Requires= are often paired with After=. In most real-world cases, you need both:

A dependency (to pull the other unit into the current transaction),
And an ordering constraint (to control when it starts during the transaction).

The Tailscale Example

In the Tailscale example, you see this:

[Unit]
Wants=network-pre.target
After=network-pre.target NetworkManager.service systemd-resolved.service

Here’s what this configuration does:

Wants=network-pre.target: Tailscale will start alongside network-pre.target. If, for some reason, you manually start tailscaled.service and network-pre.target hasn’t been activated yet, systemd will try to activate it (and its dependencies) as well.
- If network-pre.target fails, that’s acceptable — Tailscale still starts, because it’s a soft dependency.
After=...: Ensures Tailscale starts only after network-pre.target, NetworkManager.service, and systemd-resolved.service have reached a final state (either “active” or “failed”).

Notice that NetworkManager.service and systemd-resolved.service are not listed in Wants=. That’s because Tailscale doesn’t want to depend on them — Tailscale can move mountains to handle all kinds of Linux DNS and networking configurations. The unit file only ensures the Tailscale service starts after those services, if they are part of the current activation sequence.

You’ll also see this:

[Install]
WantedBy=multi-user.target

This means that when multi-user.target is activated (e.g., at boot), systemd will also start tailscaled.service — but only if you’ve previously run systemctl enable tailscaled.service.

Summary

Directive	Section	Purpose
`Wants=`	`[Unit]`	Soft dependency: start together, ignore failure
`Requires=`	`[Unit]`	Hard dependency: start together, fail if dependency fails
`Before=`	`[Unit]`	Start this unit before the listed ones
`After=`	`[Unit]`	Start this unit after the listed ones
`WantedBy=`	`[Install]`	Enable auto-start by adding to another unit’s wants
`RequiredBy=`	`[Install]`	Same, but with hard dependency

Rules of thumb:

For most cases…

Use Wants= + After= together when you want a service to start after another service or target.
Add WantedBy=multi-user.target in the [Install] section for services that you want to auto-start on boot.

Footnotes

Tools like systemd-analyze and systemctl list-dependencies let you inspect various parts of the dependency graph. On a typical desktop Linux system, the full dependency graph is huge. ↩︎

iPhone: Two Months In

Phil Crockett — Fri, 16 Jan 2026 05:26:54 GMT

I bought an iPhone two months ago. So far, it seems like a good decision.

My phone screen time has gone down to an average of less than 1 hour per day.^[1]
I’m surprised at how far I can get without any App Store downloads.^[2]
I have yet to activate iCloud.^[3] It (pleasantly) surprises me that Apple allows this to be optional.
Automation via the Shortcuts app is pretty great.^[4]

I thought it would be more of a struggle to resist the pull of Apple’s ecosystem, but so far I haven’t had any problems keeping Apple at arm’s length despite owning one of their devices.

Footnotes

Of course my laptop screen time has gone up significantly, but that was the intended effect. One of my goals was to get out of the mobile ecosystem as much as possible and spend more time on devices I control. ↩︎
You can setup Fastmail with minimal effort using iOS-native mail, calendar, and reminders apps. iOS’s support for open standards like iCAL is surprisingly great out-of-the-box. I have downloaded a few apps, but so far haven’t needed to buy any. ↩︎
Backing things up encourages me to feel like my device is “safe” and can be relied upon, which increases dependence. The whole goal of this experiment is to avoid dependence on the mobile ecosystem as much as possible, so I avoid backup solutions like iCloud intentionally. So far the only backup I have needed is for photos and videos, that that is handled by Ente. ↩︎
Example: My phone automatically turns airplane mode on and off when I join or leave a Wi-Fi network. My battery likes this; staying connected to cell towers sucks a huge amount of battery life compared to Wi-Fi. Since Wi-Fi calling works reliably on iOS, I now have a nearly seamless way to remain connected, while increasing battery longevity. ↩︎

iPhone

Phil Crockett — Thu, 13 Nov 2025 11:40:08 GMT

tl;dr: If you’re going for lowest total cost of ownership, iPhone will serve you better than Android or its derivative operating systems. You’ll have to sacrifice your software freedom, but then again… maybe we never had much freedom in any mobile ecosystem in the first place.

As a freedom-loving FOSS nerd, my mobile device of choice has traditionally been Android-based. In particular, I have been very happy using a Pixel 5a with GrapheneOS.

And then the phone died. And I’m frustrated that the total cost of ownership (TCO) for that old phone (it was already old when I bought it) was 11 Euros per month.^[1]

If you are fine with upgrading your mobile device every 2 years, then Android is compelling. You’re going to be dropping a lot of cash on phones this way, so you might as well buy the cheaper devices.

However if your goal is to avoid using your mobile device as much as possible, and you want to spend as little money as possible on this horrible^[1:1] ecosystem… Android makes zero sense. While iPhones may be more expensive up front, they offer better hardware and longer software support. Apple devices are useable in practice for twice as long as their equivalent Android devices, yet do not cost twice as much.^[2]

So today I bought a refurbished iPhone 13 mini with a new battery. Along with a case and screen protector, it cost around 300 Euros. This is a 4-year-old phone. If I can get it to last another 4 years (until 2029) (with perhaps one battery replacement), I can expect TCO to be around 7 Euros per month. My stretch goal will be to get it to last 6 years, bringing TCO down to less than 5 Euros per month.

Footnotes

I like to think of mobile device ownership cost in per-month terms. It makes it feel like a subscription. However since basically everyone needs a mobile device in order to function in modern society, it’s more like a tax than a subscription. And most of those taxes go directly to either Google or Apple. ↩︎ ↩︎
Of course if you go the iPhone route, you’re giving away a lot of software freedom and replacing it with a walled garden. Though honestly folks, if you want reasonably-priced software freedom, Android (including its derivatives) isn’t the place to go. The mobile ecosystem is broken, and will stay broken until our governments figure out a way to uproot this insane Google / Apple duopoly. Choose a device that gives you a reasonable degree of privacy, use it when you’re forced to, and get back to a Linux device for everything else. ↩︎

PIPESTATUS

Phil Crockett — Mon, 20 Oct 2025 16:27:54 GMT

tl;dr: Bash’s $PIPESTATUS allows you to inspect the exit status of every command in a pipeline.

According to Bash’s manpage, $PIPESTATUS is…

An array variable… containing a list of exit status values from the commands in the most-recently-executed foreground pipeline, which may consist of only a simple command… Bash sets PIPESTATUS after executing multi-element pipelines, timed and negated pipelines, simple commands, subshells created with the ( operator, the [[ and (( compound commands, and after error conditions that result in the shell aborting command execution.

So it’s almost like $?^[1] on steroids. Especially useful when using the yes command^[2] with interactive commands.

For example:

set -o pipefail
yes | some_interactive_command

If some_interactive_command closes its stdin stream while yes is trying to write to it (which is not uncommon), yes will exit with an exit status of 141. Since we ran set -o pipefail, that will crash the script (even though some_interactive_command may have exited with status 0 “success”).

Let’s modify the script a bit:

set -o pipefail
yes | some_interactive_command || {
  echo "Exited with status $?"
}

This allows the script to keep running, but… sadly it reports the exit status of yes, rather than some_interactive_command.

Exited with status 141

That’s almost never what you want. Nobody cares about yes. We only care about the interactive command.

set -o pipefail
yes | some_interactive_command || {
  echo "Programs in the pipeline exited with these exit statuses: ${PIPESTATUS[*]}"
}

Here we’ll see this output:

Programs in the pipeline exited with these exit statuses: 141 0

yes exited with status 141
some_interactive_command exited with status 0

So taking it just one step further…

set -o pipefail
yes | some_interactive_command || {
  echo "Exited with status ${PIPESTATUS[1]}"
}

Exited with status 0

That’s more like it. Now we’re looking at the exit status of the command we actually care about. Putting it in a real-world script could look something like this:

set -o pipefail

panic() {
  echo "$*" >&2
  exit 1
}

yes | some_interactive_command || {
  result=${PIPESTATUS[1]}
  test ${result} -eq 0 || panic "some_interactive_command exited with status ${result}"
}

Footnotes

$? expands to the exit status of the most recently used command ↩︎
yes (manpage) is super handy for answering “yes / no” prompts in interactive commands. By default it just writes y to stdout over and over, which is usually enough to get through all those prompts, and effectively makes an interactive command suitable for scripting. ↩︎

tmpshell

Phil Crockett — Thu, 16 Oct 2025 04:49:59 GMT

I wrote a handy fish function for those times when you just want to go to a temporary directory, mess with some files and environment variables, and then clean up afterward:

# in ~/.config/fish/functions/tmpshell.fish
function tmpshell
  set temp_dir (mktemp --directory)
  cd $temp_dir
  echo "Run `exit` when finished"
  fish
  cd -
  rm -rf $temp_dir
  echo "Cleaned up $temp_dir"
end

Here’s what an interactive session looks like:

.config/fish/functions on  main [!]
❯ tmpshell
Run `exit` when finished
direnv: unloading

/tmp/tmp.rkxc5HRMOM
❯ echo "foo" > foo.txt

/tmp/tmp.rkxc5HRMOM
❯ exit
Cleaned up /tmp/tmp.rkxc5HRMOM

.config/fish/functions on  main [!] took 6s
❯

Google clicks on GitHub notifications for you

Phil Crockett — Sat, 11 Oct 2025 13:59:25 GMT

At work I use GitHub notifications heavily. However lately I’ve been noticing a strange / annoying phenomenon: GitHub notifications randomly mark themselves as “read” without me looking at them. This is actually quite disruptive to my workflow, since I use the “read” status to determine what things haven’t yet gotten my attention.

After a long time trying to figure out what the problem was, I finally found a GitHub discussion including people who experience the same issue. Apparently this has been happening for a while, but for some reason I haven’t been falling victim to it until now.

In short: I have notification emails set up in GitHub. Notification emails contain tracking pixels. Once a tracking pixel is downloaded, the notification is marked as read. Since Gmail^[1] automatically downloads email contents like tracking pixels upon reciept (rather than when opening the email), notifications will often be marked as read before I ever get the chance to see them.

This is a good example of a problem that’s hard to troubleshoot, but easy to fix. You have two options:

Disable email notifications at https://github.com/settings/notifications.
Get an email provider that doesn’t prefetch all your email contents.

Footnotes

sadly, my work email provider 😭 ↩︎

Kudos to the Fish Devs

Phil Crockett — Tue, 04 Mar 2025 20:28:01 GMT

Just look at this monumental feat.

I gotta say, the dev team behind fish really seems to know how to dev. They:

pulled off a rewrite
care enough about their users to…
- keep track of breaking changes and communicate them in great detail
- understand when to break things vs deprecate them
value POSIX compatibility while at the same time not allowing POSIX to ruin their project

etc.

Of course we’ll see for sure how well it turns out after a few point releases, but so far at least, it seems like they deserve a standing ovation. I wonder how old they are, because it looks to me like they have a lot of hard-won experience and discernment.^[1]

Footnotes

I originally posted this on a lobste.rs thread. However lately I have started wanting to “own my words,” so I decided to duplicate the post here. ↩︎

Tiny Tools: fztotp

Phil Crockett — Sun, 23 Feb 2025 18:32:10 GMT

This is my first Tiny Tools post.

fztotp (“fuzzy TOTP”) is a relatively simple tool built on top of fzf (as are all of my most useful scripts) and ykman. I’m a little biased, but this is the best TOTP authenticator app I have ever used (though it’s only for Yubikey).

You can find the script on GitHub.

Its job is quite simple:

Show the list of TOTP auth credentials you have stored in your Yubikey, in an fzf user interface
allow the user to fuzzy-select one of the credentials in the list, and then
copy the TOTP code for that site to your clipboard (if you have xsel installed).

This enables me to get through multi-factor auth dialogs in just a few keystrokes. All with just ~50 lines of code.

If you have fzf and ykman installed already, you can install fztotp on a Linux machine with:

curl -SsfL https://philcrockett.com/yolo/v1.sh \
    | bash -s -- fztotp

Comments?

If you have a Mastodon account, you can reply to my post on the Fediverse.

FOSDEM N00b Tips

Phil Crockett — Mon, 03 Feb 2025 09:00:00 GMT

So this year (2025) was my first year to visit FOSDEM. It was also my first time in Belgium. I started writing down these tips as I learned them. If you are more experienced and you want to correct anything here, please do let me know.

Preparing for FOSDEM

If you’re an Android person, install FOSDEM Companion^[1] and start bookmarking tracks you’re interested in. That will come in handy on FOSDEM day, trust me.
If you can, pack your own lunch and bring it with you to the conference. The food trucks are ok, but expect to pay 10 EUR for lunch, and the lines get really long around lunchtime.
Bring a water bottle and snack while you’re at it.
You can pay for pretty much everything you need by card when you get to Brussels, if you don’t want to carry much cash. Even the food trucks at FOSDEM accept cards.
FOSDEM is a conference with a lot of people packed into small spaces. Bring a face mask and hand sanitizer. As they said during the opening talk, “FOSDEM Flu is real.”

Getting to the conference

FOSDEM has a page with instructions to get to the conference, and it’s really good high-level information. For the 2025 conference it was here.
If you’re coming from the airport, there are kiosks where you can buy train tickets^[2]. A ticket to the central train station (Bruxelles Centraal) cost me about 11 EUR.
The busses to the university are packed with FOSDEM attendees. If you get hot or claustrophobic, take off your coat before you get on the bus. It gets warm and cozy.
The easiest way to pay the bus fare is to swipe a bank card on the contactless payment doodad thingy. You don’t even need to talk to the bus driver or push any buttons. Just swipe your card.^[3]

At the conference

If you see a ridiculously long line when you arrive at the university first thing in the morning, it’s not for registration.^[4] Instead, it’s probably a line for buying t-shirts and hoodies. They are apparently very high-demand, especially in the morning because they will run out of certain sizes later. So I do recommend standing in that line… if buying some swag is important to you.
The lines for coffee in the morning are long. If you can bring your own, do it. Or alternatively use the long lines as an opportunity to get into conversations with other fellow nerds.
Show up at rooms early. They often reach full capacity long before the talk starts.^[5]
If you’re interested in a talk that’s being given by a relatively famous person, you may need to get into the room for the preceeding talk before the one you’re actually interested in.^[6]

Leaving Brussels

If you’re flying out of Brussels, I saw one place to fill up a water bottle for free after you’ve been through security. It’s at gate A43, labelled “free water refills.” It’s in an area where there are other signs for overpriced airport food and beverages, so it’s easy to miss if you don’t know it’s there.

Other tips

I’m not the first person to produce content like this on the Internet. A quick search, for example, yielded this very good first-timer FOSDEM guide which has more useful information. I’m sure there are plenty of others.

Footnotes

FOSDEM recommends this app, and others, on their mobile schedule apps page. ↩︎
Public transport is a good way to get around, but there are things like taxis as well. I’ve never used those, but I bet they’re expensive. ↩︎
Concerningly, I don’t actually know how much I paid because it didn’t show me a price… ↩︎
FOSDEM doesn’t require you to register, check in, or anything like that. ↩︎
FOSDEM staff is really good and strict about room capacity. Some rooms allow people to stand or sit along the walls when all the seats fill up, but others have a strict max capacity that is enforced, and there will be staff at the door to prevent people from coming inside when that max capacity has filled up. ↩︎
For example, during FOSDEM 2025 most of the people in the Security room just stayed in their seats after one particular talk, which means only a handful of people in the hallway got in to hear Daniel Steinberg speak. ↩︎

Tiny Tools

Phil Crockett — Sat, 29 Jun 2024 05:09:20 GMT

A couple years ago I wrote about what I want in a programming language. I then decided to try OCaml even though it was missing a few important points in my list of requirements for a “dream language.” I never took OCaml much farther than an over-engineered Hello World test run, though I did generally enjoy the experience.

I was looking for a good load-bearing language – something that scales well, makes a large codebase easy and enjoyable to maintain, and which you could use to build big tools or systems with. In hindsight, I should have been looking for a language that makes it easy and fun to create tiny tools. Since I have a small child and other priorities, I don’t have too much time or energy to build big things, and I’m ok with that.

Which is why since then I have mostly been enjoying Bash and Nushell.

Nushell

I don’t recommend Nushell as your day-to-day interactive shell (yet). But writing small scripts in Nushell is insanely fun. I like the syntax, type safety, functional style. I like the polish around displaying things, parameter parsing, help messages, and JSON parsing. I like how it encourages you to create a sort of well-defined data flow and transformation pipeline in your scripts.

It makes me happy.

But I really only use it for personal scripts, because it hasn’t reached a stable 1.0 yet and not many people have it installed. I’ve also had trouble using it seriously with programs like fzf, which I also love.

So for everything else, there’s…

Bash? srsly?

I never thought I would say this, but Bash is actually really fun. I’ve gotten quite good at it. Don’t get me wrong: It is a terrible, horrible, no-good language for a lot of use cases. But it is still incredibly good at gluing bigger programs together in interesting ways with very few lines of code.

It’s also shippable – I can publish Bash scripts with an open source license, and other people might actually benefit from them. I’ve developed a certain style in writing Bash that makes the code surprisingly bearable to read, more robust, and avoids a lot of common landmines.

In other words, Bash allows me to leverage other people’s hard work with load-bearing languages to solve my own problems using just a few lines of code.

I’ll write more

I’m trying to keep these posts short, and my son is starting to wake up. I’m gonna go hang out with him. Perhaps later I’ll write a followup post about some of my Bash projects (which are mostly published on GitHub) and some of the tools I find to be indispensable for making nice CLIs and TUIs.

Comments?

If you have a Mastodon account, you can reply to my post on the Fediverse.

2.4 GHz WiFi Trouble? Disable Bluetooth.

Phil Crockett — Thu, 22 Jun 2023 19:20:42 GMT

tl;dr: Bluetooth and 2.4 GHz WiFi don’t play nicely together. Here’s how I figured it out.

I have both 2.4 and 5 GHz networks running in my home. I have found that my personal laptop has a really hard time scanning for / connecting to 2.4 GHz networks. It’ll eventually connect, but it takes up to a few minutes to find the 2.4 GHz network and work out a connection.

I got tired of it and started searching the Interwebz.

At some point in my web searches, I learned that I’m running an Intel wireless network card using the built-in Linux kernel iwlwifi driver. Here’s partial output of lspci -k:

02:00.0 Network controller: Intel Corporation Wireless 8265 / 8275 (rev 78)
    Subsystem: Intel Corporation Wireless 8265 / 8275
    Kernel driver in use: iwlwifi
    Kernel modules: iwlwifi

I also learned about the various config parameters for this driver. Here’s partial output of modinfo iwlwifi:

parm:           swcrypto:using crypto in software (default 0 [hardware]) (int)
parm:           11n_disable:disable 11n functionality, bitmap: 1: full, 2: disable agg TX, 4: disable agg RX, 8 enable agg TX (uint)
parm:           amsdu_size:amsdu size 0: 12K for multi Rx queue devices, 2K for AX210 devices, 4K for other devices 1:4K 2:8K 3:12K (16K buffers) 4: 2K (default 0) (int)
parm:           fw_restart:restart firmware in case of error (default true) (bool)
parm:           nvm_file:NVM file name (charp)
parm:           uapsd_disable:disable U-APSD functionality bitmap 1: BSS 2: P2P Client (default: 3) (uint)
parm:           enable_ini:0:disable, 1-15:FW_DBG_PRESET Values, 16:enabled without preset value defined,Debug INI TLV FW debug infrastructure (default: 16)
parm:           bt_coex_active:enable wifi/bt co-exist (default: enable) (bool)
parm:           led_mode:0=system default, 1=On(RF On)/Off(RF Off), 2=blinking, 3=Off (default: 0) (int)
parm:           power_save:enable WiFi power management (default: disable) (bool)
parm:           power_level:default power save level (range from 1 - 5, default: 1) (int)
parm:           disable_11ac:Disable VHT capabilities (default: false) (bool)
parm:           remove_when_gone:Remove dev from PCIe bus if it is deemed inaccessible (default: false) (bool)
parm:           disable_11ax:Disable HE capabilities (default: false) (bool)
parm:           disable_11be:Disable EHT capabilities (default: false) (bool)

Well hey, what’s this bt_coex_active:enable wifi/bt co-exist business? Some web searching led me to this very old SuperUser answer:

The 2.4 GHz Wifi band and bluetooth spectrums have a great deal of overlap and can conflict with each other

So apparently you can configure your driver to not allow Bluetooth and 2.4 GHz WiFi to be activated simultaneously, which can be important because their operating frequencies overlap.

I don’t use (or like) Bluetooth anyway, so instead of messing with my driver, I just decided to turn Bluetooth off permanently.

sudo systemctl disable --now bluetooth

Problem solved.

SSH: Security Liability?

Phil Crockett — Sun, 22 Jan 2023 11:30:33 GMT

SSH is pretty handy. As a hobbyist who actually enjoys managing a few Linux boxes, I use it all the time. However I can’t shake the feeling that it’s a significant security liability for a server administrator, despite the fact that the first S in SSH stands for “secure.”

It has too much in common with projects like PGP / GPG and OpenVPN, which:

were designed a long time ago
have huge C / C++ codebases
are difficult to understand, configure, and use correctly
make it really difficult to fall into the pit of success

After all, if you need configuration auditing software and a myriad of “hardening” guides on the Internet, then it just might be too complex.^[1]

Learning From WireGuard

I’m not aware of any widely-used alternatives that are secure. But if the WireGuard developers ever come up with something, it’ll probably be exactly what I’m looking for.

WireGuard has been designed with ease-of-implementation and simplicity in mind. It is meant to be easily implemented in very few lines of code, and easily auditable for security vulnerabilities.

A great example of this is how WireGuard approaches versioning, which is exactly the opposite of PGP, OpenVPN, and SSH:

WireGuard restricts the options for implementing cryptographic controls, limits the choices for key exchange processes, and maps algorithms to a small subset of modern cryptographic primitives. If a flaw is found in any of the primitives, a new version can be released that resolves the issue.

From Wikipedia

What I Do

I don’t bother with SSH configuration on my servers anymore. Instead, I rely on Tailscale (which uses WireGuard) to connect to my servers. My firewall only allows SSH access via the Tailscale interface. At this point I could almost discard SSH entirely and use Telnet instead (though I don’t).^[2]

Of course I have the luxury of being a self-hosted hobbyist, so I don’t have a very complex threat model, and this works well for me. I doubt if the same strategy would be feasible for someone who needed to manage a bunch of servers at scale.

Comments?

If you have a Mastodon account, you can reply to my post on the Fediverse.

Footnotes

Though to be fair, you could make exactly the same arguments about the Linux kernel or any Linux distribution. I’m not 100% sure why I give the operating system a pass, while being skeptical of SSH 🤔. ↩︎
Splitting things into separate independent pieces (VPN + Telnet) would be a step backward. See TunnelVision for an example of how this can go wrong. It would be really cool if someone built an integrated SSH-like remote control mechanism where the transport was basically WireGuard. ↩︎

Trying OCaml

Phil Crockett — Tue, 27 Dec 2022 18:44:34 GMT

I used my list of requirements for a “dream” programming language to create a spreadsheet. I use that spreadsheet to calculate a score for each language based on how well it fits my list of requirements.

Two languages so far score the highest:

Gleam

Gleam is so close to what I’m looking for. It only misses one mark: native executables^[1]. Gleam runs on the Erlang VM or compiles to JavaScript, which is a showstopper for the kind of little hobby command line programs I want to write. However if I ever decide to create a service that can be deployed to a server, I’ll be super excited to try out Gleam.

OCaml

The next best contender I could find for the kind of software I want to write is OCaml. I must say, I have never enjoyed writing / over-engineering a hello world program so much. The language does sadly use exceptions for error handling, though thankfully exceptions are no longer considered idiomatic.

I’m going to continue playing with it. We’ll see where this goes.

Comments?

If you have a Mastodon account, you can reply to my post on the Fediverse.

Footnotes

Well, Gleam also misses the object capabilities requirement, but almost all other languages miss that feature as well. As of this writing, the few languages that have object capabilities are in the experimental stage. ↩︎

My Dream Programming Language

Phil Crockett — Sat, 17 Dec 2022 00:00:00 GMT

I’m on the hunt for a fun programming language that I can pick up and mess with in my free time. I have a few fairly normal requirements that a lot of people ask for, plus a few less common requirements. I don’t think this programming language exists as of 2022. If it does, do me a solid and let me know!

The Usual Requirements

Functional programming paradigm (primarily)
Compiles to native, dependency-free executable
- I could compromise on this if it were a small scripting language
Robust type system
Intuitive / enjoyable syntax
Reasonable learning curve
- While I like Rust, I’m looking for something with lower standards
- … but with higher standards than Go
Reasonably efficient performance-wise
Open source
Runs well on Linux (cross-platform a bonus)

The Unusual Requirements

Uses object capabilities
- no more static / global APIs for file, network, and other resources
- encourages dependency injection instead
Result types instead of exceptions
Option types instead of nulls
Robust pattern matching (important for the above two points)
Doesn’t require a heavyweight IDE or excessively complex “new project” structure

Comments?

If you have a Mastodon account, you can reply to my post on the Fediverse.

What is this?

Phil Crockett — Mon, 07 Nov 2022 00:00:00 GMT

This is the beginning of my collection of notes.

No, this is not a blog. I’ve tried maintaining a blog before, and always had trouble keeping up with it or finding things to write. Instead, I hope to keep this all very small and informal. It’s just a place to quickly dump my thoughts.

Sure, I’ll use this to write about what I’ve struggled with, or maybe I’ll turn it into a sort of Zettelkasten. In any case, I do not guarantee that these pages will stay around long-term or remain immutable. I will edit or prune them whenever I feel like it.

Phil's Notes

Systemd Targets and Dependencies

The Dependency Graph

Activation States

Establishing a Basic Dependency Relationship

Reverse Dependencies

What’s up with the [Install] section?

Why You Need Before= and After=

The Tailscale Example

Summary

Footnotes

iPhone: Two Months In

Footnotes

iPhone

Footnotes

PIPESTATUS

Footnotes

tmpshell

Google clicks on GitHub notifications for you

Footnotes

Kudos to the Fish Devs

Footnotes

Tiny Tools: fztotp

Comments?

FOSDEM N00b Tips

Preparing for FOSDEM

Getting to the conference

At the conference

Leaving Brussels

Other tips

Footnotes

Tiny Tools

Nushell

Bash? srsly?

I’ll write more

Comments?

2.4 GHz WiFi Trouble? Disable Bluetooth.

SSH: Security Liability?

Learning From WireGuard

What I Do

Comments?

Footnotes

Trying OCaml

Gleam

OCaml

Comments?

Footnotes

My Dream Programming Language

The Usual Requirements

The Unusual Requirements

Comments?

What is this?

What’s up with the `[Install]` section?

Why You Need `Before=` and `After=`