A Geek with Guns

Disabling Homebrew in Dinosaur OS

2026-02-13T13:00:00-06:00

Since I released Dinosaur OS</a> last September, I've had to make very few changes to my image. This is a testament to the overall stability of Bluefin, the image upon which Dinosaur OS is based. But I started receiving error notifications a couple of weeks ago whenever the automatic update service ran. The initial error was actually due to a Flatpak problem. The developer of a package I installed uploaded a new version with the same version number as my currently installed version. This cause the Flatpak update program to fail. I managed to fix that, but the service was still displaying an error because it wasn't able to update Homebrew.

Homebrew is a package manager that was originally written for macOS. It was released back when I used macOS so I tried it and discovered that it was a train wreck and opted to use MacPorts</a> instead. Homebrew had a number of bizarre design decisions. The biggest was it wanted to install packages at a system level. Normally that's not a problem with a package manager, but Homebrew tied the system level directory to your user account's user ID number. Effectively Homebrew installed packages at a system level that only a single user account to use or modify. There was an option to install packages into your home directory, but a number of packages failed to run when you did that.

When it was announced that Homebrew was available for Linux, I dismissed it entirely. Why would I want a poorly designed package manager on a system that already has a plethora of very good package managers? My experience with Homebrew was so bad that I initially intended to remove it from Dinosaur OS. I ultimately decided that enough time had passed that I should give Homebrew another chance. My latest experience mirrored my previous experience.

Homebrew on Linux suffers the same problem as it does on macOS. It doesn't support systems with multiple user accounts well. When Bluefin installs Homebrew, it creates the /home/linuxbrew/</code> directory and sets its user and group IDs to 1000. Bluefin is based on Fedora and by default the first user account created on a Fedora system has the user and group IDs of 1000. All packages installed with Homebrew are installed into the /home/linuxbrew/</code> directory. This means Homebrew on Bluefin is configured so that only the very first user account created on the system can use it.

This is fine for most users, but I'm not most users. I have two user accounts on my system. The first is my administrator account, the second is a regular user account that I use for my day to day tasks. Administrator rights are required to create new user accounts so obviously I create my administrator account first. This means the actual account I use day to day, which has the user and group IDs of 1001 (the default on Fedora systems for the second user account created), can't use Homebrew.

There are ways around this. I could change the owner permissions on /home/linuxbrew/</code> to 1001. Homebrew on Bluefin is setup using the brew-setup.service</code> systemd service, which sets the permissions. I could change that unit file in my image to set the user and group IDs to 1001. Either option would allow my day to day user account to use Homebrew installed packages, but would prevent my administrator account from using them. The bottom line is Homebrew is a poorly designed package manager.

I chose a third option: ignore Homebrew entirely. There was no downside to this option at first, but a few weeks ago changes were made to Bluefin's automatic updater that caused me to reexamine my decision. As noted at the beginning of this article, I started receiving notifications that the automatic update service failed. Checking journalctl showed me the source of the error was that the update utility, UUPD</a>, was unable to upgrade Homebrew. This failure was caused by /home/linuxbrew/</code>, which normally contains the brew executable used to install and update packages, being empty (I didn't investigate why it was empty since I was already done with Homebrew).

Fortunately disabling and removing Homebrew from Bluefin is straight forward. Homebrew is installed by the brew-setup.service</code> systemd service, which is enabled by default on Bluefin. Disabling the service prevents it from automatically installing Homebrew so Dinosaur OS disables it. I also add a script, /usr/libexec/remove-brew</code>, to the image, which removes Homebrew from a system if it's already installed. This makes Dinosaur OS nondestructive in that it won't automatically remove Homebrew from a system where it's already installed. Removing Homebrew requires manual work. It also means Homebrew can be installed again by either starting or enabling brew-setup.service</code>.

I still had the problem where UUPD would throw an error because it was unable to update Homebrew (which was now missing entirely). UUPD on Bluefin accepts arguments that disable update modules though. The final change I made to Dinosaur OS is adding --disable-module-brew</code> to the ExecStart line of uupd.service</code>, which is activated by a timer periodically. uupd.service</code> is a system file, which means the user cannot edit it. Therefore, if you're running Dinosaur OS and install Homebrew, your Homebrew packages won't be automatically updated by uupd.service</code>. The best way to change this behavior is to copy /usr/lib/systemd/system/brew-update.service</code> to /etc/systemd/system/uupd.service</code> and remove --disable-module-brew</code> from the ExecStart line.

Overall I still like Bluefin a lot. I agree with most of the design decisions and appreciate that it's been easy for me to change the decisions I dislike. I continue to run Dinosaur OS on my desktop systems and haven't faced any catastrophic problems. If you want to create your own image based on Bluefin and want an example image to get started, check the Dinosaur OS repository</a>.



Getting Started with Kettlebells
2026-02-06T20:00:00-06:00
Introduction</h1>
I developed an interest in physical fitness about a decade and a half ago. This interest lead me to pursue martial arts, biking, and eventually kettlebell lifting (along with many other activities). The reason I got into kettlebell lifting is because I wanted to improve my strength and endurance. Kettlebells were tools I could use in the comfort of my small apartment. Now I have a home and a gym in my basement. I still lift kettlebells three or four times a week.</p>
Getting started is the hardest part of any journey. This post is intended to help anybody who's interested in starting kettlebell lifting. It's not intended to be all encompassing. Too much information can be as bad as too little. Decision paralysis thwarts as many journeys as fear and laziness. Therefore, this post is opinionated. It will provide only a handful of options. Wherever options are provided, know that there are many more options out there. They aren't brought up to cut down on the noise. The hardest part of any journey is also the most important. It's more important to get started than to travel the optimal path. Any progress forward is better than no progress while you try to develop the optimal plan.</p>
Note on Units</h1>
Weights in this post will be provided in kilograms. Why would a post written by an American living in the United States use metric units? Two reasons. First, the historical unit of weight for kettlebells is the pood. The pood is an old imperial Russia unit. It's equal to about 16 kg. This means kettlebell weights divide nicely into kilograms. Second, kettlebell lifting is an international sport. International sports use the metric system because almost everybody outside of the United States does.</p>
To make your life a bit easier, here are the American equivalents to the weights used in this post (along with the weight in poods to illustrate my point about dividing nicely into kilograms):</p>
16 kg = 35 lb (1 pood)
20 kg = 44 lb (1.25 poods)
24 kg = 53 lb (1.5 poods)
28 kg = 62 lb (1.75 poods)
32 kg = 70 lb (2 poods)</p>
Types of Kettlebells</h1>
There are two major types of kettlebells: hard style and competition style. Hard style are typically made out of cast iron. The size of the bell depends on the weight. Heavier hard style kettlebells are larger than lighter ones. Competition style kettlebells are typically made out of steel. The size of the bell is the same regardless of the weight. A 16 kg competition style kettlebell is the same size as a 32 kg one.</p>
I exclusive used hard style kettlebells until this year. Now I own both. I recommend hard style kettlebells when you're starting out though. Hard style kettlebells are typically cheaper, often much cheaper, than competition style ones. You can do all of the traditional kettlebell lifts with either style of kettlebell so you might as well save yourself some money.</p>
You'll see articles online claim that competition kettlebells don't work well for two handed lifts such as two handed swings due to the handle size and shape. This isn't my experience. I have no issue doing two handed swings with competition style kettlebells and I have large hands. You'll also see articles claim that competition style kettlebells are more durable because they're made of steel instead of cast iron. This is a distinction without a difference. The only way you'll break either style of kettlebell is by being a complete dumbass.</p>
The two hard style kettlebells I typically recommend are REP Fitness</a> and Bells of Steel</a>. Both offer reasonably priced high-quality cast iron kettlebells with "free" shipping (free shipping means the price of shipping is baked into the price of the kettlebell). Buy whichever is cheaper at the time or in stock.</p>
If your budget is tight, I've read reviews for Yes4All</a> kettlebells and they seem to be decent. I can't recommend them since I've never seen them in person.</p>
Another option I'll note is Bells of Steel adjustable kettlebells</a>. These are adjustable competition style kettlebells. They're a good option if space is tight and you can afford to pay more upfront. I prefer fixed weight kettlebells because sometimes I like to switch weights during my workouts and changing an adjustable kettlebell's weight is a slow process. That doesn't matter when you're starting out though.</p>
Starting Weight</h1>
Recommending a starting weight is tricky. Everybody is different. If you know anybody who owns kettlebells or dumbbells, ask them if you can press a few overhead. You want a weight that you can press overhead a few times. I'll cite the most common rule of thumb. Men and women who haven't done any strength training should start with 16 kg and 8 kg respectively. Men and women who have done some strength training should start with 20 kg and 12 kg respectively.</p>
The difficulty of most kettlebell lifts can be adjusted through technique. If 20 kg is too light for two handed swings, change to one handed swings. If 20 kg is too heavy to strict press overhead, push press it. If a weight is beginning to feel too light, you can do more reps in less time to increase the difficulty. There are limits to this. If you can strict press a 24 kg kettlebell overhead, an 8 kg kettlebell isn't going to be a challenge no matter what (that's not to say an 8 kg kettlebell will be completely without value). Likewise, if you can barely strict press a 16 kg kettlebell overhead, you're not going to get a 32 kg kettlebell overhead.</p>
It's better to go a bit light than a bit heavy when you're starting. Beginners should focus on technique. It's almost impossible to focus on technique if you're barely able to move the kettlebell you're using.</p>
Programs</h1>
There are two programs I recommend to beginners: Rite of Passage</a> and Simple and Sinister</a>.</p>
Both programs require a single kettlebell. Both books do a good job of covering the technical aspects of the lifts they use. This is important. There are books for beginners, which go into detail on the how of lifts, and books for people who have experience, which typically don't explain how to perform lifts. You want to learn how to properly perform lifts. There are also a lot of good videos online that go over the hows of lifts. If you can find a coach in your area, you can also hire them to teach you how to perform lifts (this is probably the fastest and safest option).</p>
Rite of Passage is covered in the book Enter the Kettlebell. Between the two programs, I like this one slightly better because I like to press weight overhead. The program uses cleans, strict presses, swings, and snatches. There is also the option to add pull ups. The strict press is probably the lift that gives you the most bang for your buck. It's the staple of many great kettlebell programs such as The Giant, Dry Fighting Weight, and The Armor Building Formula. Swings add an endurance component to the program. Snatches are something you will need to study for a while, but once you learn how to snatch, you unlock another lift that provides tremendous bang for your buck. Rite of Passage is a three day a week program.</p>
Simple and Sinister used to be the</em> recommended program for beginners. It's the program I ran when I started. I've seen a number of people in online kettlebell communities argue that Simple and Sinister isn't a good program. They're full of shit in my opinion. Although I like Rite of Passage better, Simple and Sinister is an excellent program for people who haven't done any strength training. The program uses Turkish get ups and swings. Turkish get ups teach you the invaluable skill of getting up off the ground while holding weight. It will improve your overall movement quality. It can also be run more frequently than Rite of Passage.</p>
It doesn't matter which program you pick. If you want to press weight overhead, go with Rite of Passage. If you want to get up off of the ground while holding weight, go with Simple and Sinister. If you can't decide, flip a coin.</p>
Conclusion</h1>
That's it. That's the guide. Buy a kettlebell of appropriate weight, pick a program, and start lifting.</p>


Complex Systems, Simple Answers
2026-02-06T13:00:00-06:00
The universe we occupy is a very complex system that contains an uncountable number of complex systems within itself. One of the most common illustrations of this fact is weather forecasting. Weather forecasts are notorious for being inaccurate. The reason for this isn't because the weatherman is incompetent, it's because weather is a complex system. Edward Norton Lorenz, a meteorologist who founded chaos theory, noted the complexity of weather systems through the butterfly effect</a>:</p>

He noted that the butterfly effect is derived from the example of the details of a tornado (the exact time of formation, the exact path taken) being influenced by minor perturbations such as a distant butterfly flapping its wings several weeks earlier.</p>
</blockquote>
The terrestrial weather system isn't the only complex system. Space weather is a thing and a great deal of effort is put into predicting it. Like predicting terrestrial weather, predicting space weather is notoriously inaccurate. A few other complex systems are the movement of tectonic plates, propagation of electromagnetic radiation, and human behavior.</p>
The human brain prefers simple answers. Prescientific man often explained complex phenomenon like weather as the action of gods and other supernatural beings. A typhoon wiping out a coastal city might be explained as the god of the sea punishing the inhabitants because they did something he didn't like. Postscientific man isn't that different. Although our scientific understanding has largely done away with accusing the gods for all that happens, we still end up creating simple answers for complex systems.</p>
This comes up most frequently when people try to blame an individual or group for events that are the result of complex systems. Crime rates are a good example. Many factors play into crime rates. Socioeconomic conditions are the most commonly cited factors, but there are many more. The laws themselves play a huge role because an act isn't a crime unless there's a law against it. If the government passes a law against an until then lawful and very common activity (see Prohibition in the United States), the rate of crime increases. Weather plays a factor in crime rates. Cities in the northern hemisphere typically have a higher rate of violent crime during the summer. Individual attitudes are a major factor. If there is a large number of people who are unhappy with their current conditions, they are more likely to perform criminal acts such as vandalism. Many people ignore all of these factors and instead blame crime rates on blacks or immigrants and call it a day.</p>
Political systems are also complex. A political system involves many people acting in the name of a government. These government vary from dictatorships to democracies. Different systems have different numbers of participants. The laws that get passed depend on a number of factors. Consider the legislative process in a common democratic system. A law might be introduced by a politician on behalf of a lobbyist. The lobbyist may want the law passed to prevent new competitors from entering their market. The politician might received benefits from the lobbyist ranging from paid vacations to promises of employment after they exit politics. Another law might be introduced because a politician sees people participating in activities they personally find immoral (again, see Prohibition in the United States). Once a law is introduced, there is a complex system of wheeling and dealing that commonly happens before the law is either rejected or passed into law. Many people ignore all of these factors and instead blame one political party for all the political ills in their country. Or they might blame the Jews or, more recently, British royalty (a new conspiracy theory gaining headway here in the United States).</p>
What is an answer that doesn't correctly answer a question? It's bullshit. This provides some incite into why all of the perceived ills in the world seem to go unaddressed. Too many people have opted for bullshit rather than answers. But don't be too harsh of those people. We humans aren't well adapted to analyzing and addressing complex systems. All of us opt for bullshit. Some of us opt for it more than others, but we all do it. We especially do it when an answer can't be identified. Our brains prefer simple answers and absolutely despise having no answers. When an individual accumulates too many questions without answers they often succumb to some form of nihilism, but that's not the only option.</p>
If you're willing to accept the fact that there are many questions without answers and come to peace with that fact, you can live in a sort of harmony. Many religions and philosophies exist around this idea. Stoicism emphasizes that you cannot control things outside of yourself but you can control how you react to events. Even though I cannot control who rules the nation, I can prevent myself from become emotional because of it. You don't have to be angry because you don't like the ruler of a nation. Daoism is centered on the Dao, the source of all existence. Critically Daoism teaches that the Dao is beyond our comprehension and therefore cannot be completely understood. This is a good frame of mind when living in a universe full of unanswerable questions. Accepting that you cannot fully comprehend events that are happening can help avoid falling under the influence of those who claim to have the answer and therefore from being manipulated by them.</p>
I can't say for certain what will make you happy in life. I will say that my life became happier once I accepted that I don't know the answer to everything. That acceptance has allowed me to achieve peace by not getting worked up over things outside of my control. I know the universe is composed of complex systems that are incomprehensible to me and I enjoy that there is mystery in this universe. I live my life how I want and care not at all about the opinions of others. They don't know the answers either. I strongly urge you to explore the same frame of mind and see if it bring you peace too.</p>


Setup IPv6 in WireGuard
2025-12-30T15:30:00-06:00
Introduction</h1>
Over the holiday break I finished upgrading all of my self-hosted services to make them available via IPv6. The upgrade was straightforward for all of my services except one: my WireGuard VPN</abbr> server. I wanted to provide my VPN clients with IPv6 connectivity without using NAT</abbr>. Unfortunately most of the guides online use NAT for IPv4 and IPv6. NAT is necessary for IPv4, but goes against the very design of IPv6. I wanted to provide each client with a globally routable IPv6 address. This ended up being simple once I figured it out.</p>
I previous wrote a guide for setting up WireGuard to share a public static IPv4 address</a>. The formatting was ruined in the transition from my old WordPress blog to this statically generated one, but it explains how to setup a WireGuard VPN server for IPv4. This post will explain how to setup a WireGuard VPN server for IPv6.</p>
Preamble</h1>
First a major caveat. As of this writing, I've had this iteration of my VPN server running for two days. I've tested it on my home network, on my phone's cellular network, and on an IPv4 only network through my travel router. IPv6 appears to work in all cases. I haven't finished thorough testing though. There may be a number of corner cases that don't work. I will update this guide as I find and fix them. Therefore, if you find something broken, check back and I might have discovered it and posted the solution already.</p>
I also pieced my setup together by taking bits and pieces of several online guides. I pillaged from this guide</a>, this guide</a>, this guide</a>, and this guide</a>. If there are unnecessary configuration steps in this guide, I likely took it from one of these guides and didn't test my final setup without the configuration. Such mistakes are entirely my fault.</p>
In order to follow this guide, you need a source of IPv6 addresses and specifically a separate subnet from your hosting network. My ISP</abbr> provides me with a /48 prefix. This gives me roughly a bajillion addresses and subnets.</p>
Conventions Used in This Guide</h1>
For the purposes of this guide, I'm going to use the following IP addresses (2001:db8</code> is the prefix reserved for examples and documentation</a> for those not aware):</p>
2001:db8:1234::/48</code>: The prefix provided by our ISP.</p>
2001:db8:1234:9999::/64</code>: The subnet of our hosting network. The subnet 9999</code> was chosen for readability purposes.</p>
2001:db8:1234:ffff::/64</code>: The subnet provided to our WireGuard VPN clients. Throughout this guide remember that the subnet with numbers is for our hosting network and the subnet with letters is for our VPN clients.</p>
2001:db8:1234:9999::1</code>: The IPv6 address used by clients to connect to our WireGuard VPN server.</p>
2001:db8:1234:ffff::1</code>: The IPv6 address of the WireGuard interface. This differs from the above address in that a client only uses it after it has connected to the WireGuard VPN server through the above address. Once connected, clients will use this address as their gateway.</p>
2001:db8:1234:ffff::1:1</code>: The IPv6 address provided to the first of our WireGuard VPN clients. This address will be incremented subsequently so our second client will have an IPv6 address of 2001:db8:1234:ffff::1:2</code>, our third 2001:db8:1234:ffff::1:3</code>, etc.</p>
I will also use en0</code> as the name of the network interface of our WireGuard VPN server, 51820</code> as the port used to connect to WireGuard on our server, and wg-vpn.conf</code> as the name of our WireGuard configuration file.</p>
The Actual Guide</h1>
The first thing you will need to do is ensure that the router between your hosting network and ISP is setup to route the subnet for our VPN clients to our VPN server. How you do this will depend on both your ISP and your router. For my Ubiquiti Cloud Gateway Ultra, I created a static route that routes the entire 2001:db8:1234:ffff::/64</code> subnet to 2001:db8:1234:9999::1</code>. You will also need to configure your router's firewall to allow incoming WireGuard traffic to your VPN server.</p>
I'm hosting my VPN server on Fedora Server. By default, IPv6 forwarding isn't enabled on Fedora Server. I enabled it by adding net.ipv6.conf.all.forwarding=1</code> to /etc/sysctl.conf</code> and issued the sysctl -p</code> command to load the changes. I also added several other lines. /etc/sysctl.conf</code> on my VPN server contains the following contents:</p>
net.ipv4.ip_forward=1
</span>net.ipv6.conf.en0.proxy_ndp=1
</span>net.ipv6.conf.all.forwarding=1
</span>net.ipv6.conf.en0.accept_ra=2
</span></code></pre>
The first line enables IPv4 forwarding. It's enabled by default on Fedora Server, but I added the line just to ensure it's always enabled. The second line enables proxying NDP</abbr> packets, which is used by IPv6 to discover neighboring devices. The final line enables router advertisements while IPv6 forwarding is enabled. I added it to the file when I was trying to dole out IPv6 addresses through another method. I'm not sure if it's needed for my final setup. This is one of those potentially unnecessary configuration steps I mentioned in the preamble for this guide.</p>
The only port I opened on my VPN server's firewall is 51820</code> for UDP</abbr> packets. WireGuard only uses UDP so you don't need to open the port for TCP</abbr>. I also enabled masquerading capabilities. Masquerading capabilities are only needed for NAT, which means it's only necessary for IPv4. You don't need to enable it if you're only using IPv6 on your VPN server.</p>
Everything else happens in the WireGuard configuration file located at /etc/wireguard/wg-vpn.conf</code>. The first section of the configuration file sets up the interface:</p>
[Interface]
</span>PrivateKey = <Your Server's Private Key>
</span>Address = 2001:db8:1234:ffff::1/64
</span>SaveConfig = false
</span>ListenPort = 51820
</span></code></pre>
This is all pretty basic. PrivateKey</code> obvious contains your server's private key that was generated with wg genkey</code>. Address</code> is the IPv6 address of the WireGuard interface. Clients will use this address as their gateway once they've connected to our VPN server. SaveConfig</code> determines if the current configuration is saved when the WireGuard interface is shutdown. I generate my configuration files with Ansible so I don't want any state maintained and disable this feature. ListenPort</code> is the port through which clients will connect to the VPN server.</p>
The next section is where the heavy lifting is done. PostUp</code> commands run when the WireGuard server is being started. PostDown</code> commands run when the WireGuard server is being stopped. In this case, the PostDown</code> commands simply undo the PostUp</code> commands. Also note that %i</code> stands for the WireGuard interface name, which is wg-vpn</code> since the configuration file is wg-vpn.conf</code>.</p>
PostUp = ip6tables -A FORWARD -i en0 -o %i -j ACCEPT;
</span>PostUp = ip6tables -A FORWARD -i %i -j ACCEPT;
</span>
</span>PostUp = ip -6 neighbor add proxy 2001:db8:1234:ffff::1:1 dev en0
</span>PostUp = ip -6 neighbor add proxy 2001:db8:1234:ffff::1:2 dev en0
</span>PostUp = ip -6 neighbor add proxy 2001:db8:1234:ffff::1:3 dev en0
</span>
</span>PostDown = ip6tables -D FORWARD -i en0 -o %i -j ACCEPT;
</span>PostDown = ip6tables -D FORWARD -i %i -j ACCEPT;
</span>
</span>PostDown = ip -6 neighbor del proxy 2001:db8:1234:ffff::1:1 dev en0
</span>PostDown = ip -6 neighbor del proxy 2001:db8:1234:ffff::1:2 dev en0
</span>PostDown = ip -6 neighbor del proxy 2001:db8:1234:ffff::1:3 dev en0
</span></code></pre>
PostUp = ip6tables -A FORWARD -i en0 -o %i -j ACCEPT;</code> and PostUp = ip6tables -A FORWARD -i %i -j ACCEPT;</code> enable IPv6 forwarding between the server's network interface (en0</code> in this example) and the WireGuard interface (wg-vpn</code> in this example). This allowed IPv6 traffic originating from our clients to be forwarded out of the VPN server's network interface and return traffic routed from the VPN server's network interface to the appropriate client.</p>
PostUp = ip -6 neighbor add proxy 2001:db8:1234:ffff::1:1 dev en0</code> and the following two lines setup NDP proxies for each client. You could probably replace all of these lines with PostUp = ip -6 neighbor add proxy 2001:db8:1234:ffff::/64 dev en0</code>. Again I generate my configuration file with an Ansible playbook so it's just as easy for me to loop through my list of clients and add a line per client. As mention above, the PostDown</code> lines simply undo the PostUp</code> lines when the WireGuard interface is stopped.</p>
The final part of the file contains configuration information for each peer:</p>
[Peer]
</span>PublicKey = <The Client's Public Key> 
</span>AllowedIPs = 2001:db8:1234:ffff::1:1/128
</span>
</span>[Peer]
</span>PublicKey = <The Client's Public Key> 
</span>AllowedIPs = 2001:db8:1234:ffff::1:2/128
</span>
</span>[Peer]
</span>PublicKey = <The Client's Public Key> 
</span>AllowedIPs = 2001:db8:1234:ffff::1:3/128
</span></code></pre>
This is straightforward. PublicKey</code> contains the client's public key and AllowedIPs</code> contains the IPv6 address we're assigning to the client. Running systemctl start wg-quick@wg-vpn.service</code> will bring the WireGuard interface up so clients can start connecting.</p>
The configuration file for each client is simple:</p>
[Interface]
</span>Address = 2001:db8:1234:ffff::1:1/64
</span>PrivateKey = <The Client's Private Key>
</span>
</span>[Peer]
</span>AllowedIPs = ::/0
</span>Endpoint = [2001:db8:1234:9999::1]:51820
</span>PublicKey = <Your Server's Public Key>
</span></code></pre>
Address</code> is the globally routable IPv6 address our VPN server is assigning to the client. PrivateKey</code> is the client's private key. There's similarly little to say about the [Peer]</code> section, which contains connection information for the VPN server.</p>
AllowedIPs = ::/0</code> tells the client to route all IPv6 traffic through the WireGuard interface. Endpoint</code> contains the IPv6 address clients use to connect to the VPN server. Note the square brackets. Because IPv6 addresses use ':' as a separator and ':' is also used by convention to separate an IP address from a port number, the square brackets are used to disambiguate the ':' in the IPv6 address from the ':' differentiating the port number.</p>
When the client connects to the VPN server, it will have the globally routable IPv6 address of 2001:db8:1234:ffff::1:1</code>. If you connect to a website that tests IPv6 connectivity such as this IPv4 and IPv6 connectivity test</a>, it should show 2001:db8:1234:ffff::1:1</code> as your IPv6 address.</p>
There you have it, a WireGuard VPN server that provides clients with globally routable IPv6 addresses.</p>


Advice for Self Hosters
2025-12-23T19:45:00-06:00
I just finished upgrading my final self hosted service to be available over IPv6. This was a staged upgrade handled over several months. All of the upgrades went smoothly. I attribute this success to years of stupidity. I've made a number of mistakes over the years. Some of them cost me a great deal of time and grief. But they all taught me valuable lessons. This post is a collection of some of those lessons. If You're interested in self-hosting, I hope this advice proves valuable to you.</p>
1. Automate everything.</h2>
This is probably the most important lesson I've learned over the years. The reason my server upgrades went so well is because all of my builds are automated. This allows me to treat all of my servers like cattle. When the time is right, I slaughter them. The time is usually right when there's a major Fedora release. This is because most of my services run on Fedora Server at the moment. When a new major version is released, I don't do a dnf system-upgrade. Instead I nuke the virtual machine that hosts my service, create a new one, and install everything from scratch.</p>
My builds weren't always automated. I manually built all of my servers for many years. Because of how arduous building some of my servers was, I would sometimes let the host operating system get woefully out of date. Eventually they would get to a point where I had to rebuild them. Sometimes this was due to a hardware failure. Sometimes it was due to a security vulnerability in my stack. What I discovered is that I didn't remember all of the ins and outs of building the server. The task would take much longer because I had to rediscover everything I forgot. That isn't a problem now that everything is automated.</p>
This advice doesn't apply only to building servers. Your backups should be automated. If your backups aren't automated, they won't get done. TLS certificate renewals should also be automated, especially now that certificate lifetimes are becoming shorter and shorter. Everything</em> should be automated.</p>
You'll hear a lot of advice about the best automation tools. Each automation tool has ups and downs. I settled on Ansible for automating my system builds. It's a good tool in general but configurations are done in YAML and YAML sucks. NixOS is an option more people seem to be adopting. The upside is the entire system build is declared in a configuration file. The downside is you have to use NixOS (I don't think NixOS is bad, I just want to note that you can't use the NixOS method with other operating systems). Don't let yourself succumb to decision paralysis. Look up a few automation tools, pick one that looks good, and learn it. Even shell scripts are better than nothing.</p>
2. Consider maintenance.</h2>
Every self hosted service will require maintenance. How easy or hard the maintenance is will determine how often it gets done. I'll use TLS certificate management as an example. TLS certificates have a lifetime. That lifetime is becoming shorter and shorter</a>:</p>


From today until March 15, 2026, the maximum lifetime for a TLS certificate is 398 days.</li>
As of March 15, 2026, the maximum lifetime for a TLS certificate will be 200 days.</li>
As of March 15, 2027, the maximum lifetime for a TLS certificate will be 100 days.</li>
As of March 15, 2029, the maximum lifetime for a TLS certificate will be 47 days.</li>
</ul>
</blockquote>
Certificate management used to be much more complicated than today. You had to create an account with a certificate authority. Once you had an account, you had to verify your identity, usually by providing a picture of your government ID. Then you could get a certificate for your domains that was good for one to two years. The maintenance wasn't insignificant, but you only had to go through the process every one or two years. However, it was often easier to create your own certificate authorities if your self hosted services that were only available on your local network or were only used by devices you controlled.</p>
Now the maintenance burden is changing. As certificate lifetimes shrink, it'll become infeasible to manually manage your TLS certificates. If automating your certificate maintenance isn't possible, which it might not be for a service only available on your local network, you can still provide a secure connection to it using something like WireGuard. WireGuard keys have no prescribed lifetime. Depending on your situation, it might be easier to make your self hosted service only available over a WireGuard connection so you can avoid the hassle of dealing with certificates.</p>
3. Simple is usually better.</h2>
The best illustration of this rule is my post about Caddy</a>. I migrated my reverse proxy server (and since then all of my HTTP servers) from Nginx to Caddy. The reason for this migration was that Caddy is much simpler to configure than Nginx. What can easily require two dozen lines of configuration in Nginx can often be done in a single line in Caddy.</p>
My migration from OpenVPN to WireGuard was done for similar reasons. OpenVPN is a very flexible protocol. Unfortunately that flexibility comes with significant complexity and that complexity hides a lot of footguns. WireGuard on the other hand is opinionated. There's very little flexibility. That lack of flexibility means configuring a WireGuard interface is simple and there are no obvious footguns.</p>
Another example is my self hosted Nextcloud instance. My original Nextcloud instance was built (using Ansible, of course) by setting up the database backend, installing all of the required packages, copying the Nextcloud PHP files to the web root, and bringing everything up with systemd services. Then the Nextcloud team released their All-in-One Docker container</a>. Installing the All-in-One Docker container is much</em> easier than building everything from scratch. I use it now because it's simple to install and maintain (it can do automatic updates).</p>
I'll point to this blog as my final example. For many years this was a WordPress blog. Last year I finally migrated it to a static website</a>. I can't overstate how much simpler this blog is to maintain. I no longer need a database or PHP-FPM. I don't have to worry about the seemingly endless security issues that WordPress suffers. Best of all is I don't have to worry about a WordPress update enshitifying writing and editing posts</a> (Gutenberg was such a terrible experience that I had a WordPress plugin to bring back the old editor). Now I can write my posts with any text editor I please.</p>
I won't go so far as to say that the simpler option is always better. But preferring the simpler option is a sane default.</p>
4. Practice your recovery plan.</h2>
I noted that you should have automated backups in my first suggestion. But a backup isn't useful if you can't restore the data. The only thing harder than getting people to backup their data is getting them to test restoring it.</p>
Since I automate (see how important my first suggestion is) building my systems and I rebuild them every time there's a major Fedora release, I have an opportunity to test my recovery plan roughly every six months (Fedora releases a new major version about twice a year). Part of my automated builds involves pulling data from my hot backup system. I know my restores work because I test them frequently. Get in the habit of testing yours. It's much better to know how to restore backups when you don't need them than to find out you can't restore them when you do need them.</p>
5. Have fun.</h2>
I'll level with you. If playing with operating systems, building servers, and learning networking doesn't sound fun to you, self-hosting isn't for you. If you're not having fun when things are working, you definitely won't have fun when things aren't working.</p>
Self-hosting is part research, part engineering, and part detective work. The research is the easy part. You think of a service you need, find what options are ability that fulfill that need, read the documentation (if there is no documentation, don't use it), and end up with an idea of how well the service will fill your need and how easy it will be to setup and maintain. Then comes building the service. This is where the engineering part comes in. If you listen to my advice, you'll automated the building process. But even manually building a service will require engineering effort. Then eventually something will go wrong. This is where the detective part comes in. What went wrong? What are the likely causes? How can those causes be address? Is it DNS? It can't be DNS. It was DNS!</p>
Life is too for voluntary suffering. If self-hosting isn't a fun hobby to you, go find a hobby you'll enjoy instead.</p>


Gun Restrictions Do Not Work
2025-12-15T17:30:00-06:00
There's been another mass shooting in Australia</a>. The investigation is ongoing so I have no desire to focus on the minutia currently being reported. Much of it will likely change as the investigation progresses. What I want to focus on is that, despite promises made by Australian politicians and gun grabbers, gun restrictions failed once again. Australia already has strict restrictions on gun ownership</a>. Australian law explicitly states that gun ownership is a privilege. Owning a gun requires a license and getting the license requires an applicant to provide a "genuine reason" that cannot be self-defense. If the government decides to bestow you with the privilege of a license, you must renew it every set number of years (which varies slightly depending on region).</p>
Despite these already stringent restrictions, the Australian government has promised even more restriction</a> in response to the most recent mass shooting. Even I was a bit surprised by this announcement since I can't imaging what other restrictions they can put in place. (That was sarcasm. I wasn't even slightly surprised.) To use the phrase commonly misattributed to Einstein, "The definition of insanity is doing the same thing over and over again and expecting a different result."</p>
Advocates for restricting gun ownership have long promised that doing so would end gun violence. When the policies they advocate are passed into law, their promise goes unfulfilled. Their response is that gun ownership wasn't restricted enough</em> and demand even more restrictions. When those are passed into law, their promise still goes unfulfilled. It's an endless cycle of innocent gun owners being punished without the promised end being reached. Australia is a prime example of this point. Australian gun owners have been ruthlessly bludgeoned by their politicians and yet mass shootings continue to happen there. Punishing them further won't end gun violent in that country.</p>
Advocates for restricting gun ownership always find a boogeyman to blame for the failure of their policies. A common one here in the United States is that state level gun restrictions fail because people smuggle guns from neighboring states that have fewer restrictions. This shouldn't be an issue in Australia since the entire country has strict restrictions and is surrounded by an ocean. Their only noteworthy neighbor has arguably stricter restrictions</a>. A boogeyman that has become trend in the last few years is 3D printers. This boogeyman at least relates to the real reason gun restrictions don't work.</p>
The reason gun restrictions will never work is because guns are mechanically simple devices. Anybody can build a viable gun from parts found in a hardware store as Tetsuya Yamagami demonstrated</a>. Restrictions against gun ownership only work against those who desire to remain within the law. People who desire to commit acts of violence have no concern about remaining within the law so gun restrictions don't work against them. They will acquire the means to commit violence one way or another. The only outcome of gun restrictions is that the law abiding are made defenseless against the lawless.</p>


Just Do It
2025-11-28T12:00:00+00:00
Knowledge builds upon knowledge. If you study two different fields of knowledge, you inevitably discover connections between them. The more I study physical fitness, the more associations I discover between it and economics.</p>
Ludwig von Mises in his magnum opus Human Action</a> opens part one with the chapter appropriately titled Acting Man wherein he describes the field of praxeology, the study of human action. Whether you subscribe to the Austrian tradition of economics or not, I would highly recommend reading part one of Human Action. What it states applies to many fields including physical fitness. For the purposes of this post, I will open with the following excerpt:</p>

To express wishes and hopes and to announce planned action may be forms of action in so far as they aim in themselves at the realization of a certain purpose. But they must not be confused with the actions to which they refer. They are not identical with the actions they announce, recommend, or reject. Action is a real thing. What counts is a man's total behavior, and not his talk about planned but not realized acts.</p>
</blockquote>
Here is where most people falter. They recognize that they exist in a less satisfactory state and express a desire to move to a more satisfactory state and that's where they stop. They never take action the action that they express.</p>
This came up recently in a conversation between a friend and myself. More than a year ago after an uncomfortable discussion with her doctor she had expressed a desire to lose weight and improve her overall fitness. To her credit, she sought out a personal trainer. Unfortunately she found a personal trainer who is too ready to tell clients what they want to hear, not what they need to hear. My friend went through a few life changes that let her slip into the vortex of 'being too busy.' She had reverted to old dietary habits and was skipping workout sessions. The progress she made over the last year started to slip away.</p>
This is when her personal trainer should've taken a page from Mises and told her that expressing intent and taking action towards achieving that intent are not the same. Instead she said a bunch of platitudes like saying that the important part is wanting the change. The implication being that wanting the change will motivate my friend to take action 'when she's ready.' While there are efforts that can be obtained through words, physical fitness isn't one of them.</p>
Friends don't come to me to hear what they want to hear. They come to me to hear my opinion, which is typically expressed with the subtlety of a sledgehammer to the face. My friend explained her recent situation. I told her she should find a different personal trainer, one who is willing to be upfront with clients. I closed with a phrase that I'm probably saying too often now, "To quote the Nike motto, you need to 'just do it.'"</p>
From a praxeological perspective, wanting to lose weight and be more physically fit is no different than wanting a new car or house. You exists in a less satisfactory state; being fat, unfit, without a new car, or without a new house; and you want substitute it with a more satisfactory state. Expressing your desire is an action, but it is not the action being expressed. Expressing a desire to lose weight is the act of expression, not the act of controlling calories or exercising.</p>
In order to realize your goals in life, you need to perform the actions you express. Wanting the change, despite the claims of a certain personal trainer, is not the important part. It is a part, you need to feel that you are in a less satisfactory state before you can move to a more satisfactory one, but it is not the part that will allow you to realize your goal.</p>


Why I Don't Have A Smart Home
2025-11-22T12:00:00+00:00
Based on the title of this post, you probably assume that this post will be a long rant about the privacy nightmare that is smart devices. It's not. I've covered that ad nauseam and they don't apply if you make use of self-hosted open source projects like Home Assistant</a>. I self-host all of my own services already so I have the technical knowhow to setup a smart home using Home Assistant. I still don't though.</p>
My reason can be summed up in a single word: maintenance. The older I get, the more I find myself considering the future maintenance of any project I undertake. I won't undertake a project unless the gains outweigh the maintenance that will be required down the road. A dumb home is relatively low maintenance (as far as homes go). Light switches, thermostats, and garage door buttons seldom break. If one of those dumb controls isn't working, troubleshooting is pretty straight forward. The first culprit is usually power. Is the breaker off? Is the control on a circuit with a ground fault circuit interrupter? If so, is that tripped? If all else fails, a quick prodding with a multimeter will tell you whether there's power at the control. If the control is receiving power and is still not working, there's a pretty good chance the control is broken. Swapping out things like light switches, thermostats, and garage door buttons is straight forward.</p>
The devices that those controls control are often more complicated. Troubleshooting your furnace in the dead of winter or your air conditioner in the height of summer can require some knowhow, but that doesn't change if you have a smart home. My biggest gripe with smart homes is they add complexity to the troubleshooting and repair process. Troubleshooting a basic electrical circuit is fairly straight forward. If I turn on a light switch and the associated light doesn't come on, the first thing I check is the light bulb. Swapping a light bulb takes seconds. If the light still doesn't come on, I check the breaker box, which also takes seconds. I've never had a light switch break, but if I get to the point where I discover the switch itself is bad, I go to the hardware store, buy a replacement, and spend a few minutes replacing the bad one of the good one.</p>
When you introduce smart devices, you necessarily introduce networking and software. Both are complicated. Many smart controls and devices are wireless, which adds complexity on top of networking. Anybody who has had to troubleshoot an intermittent Wi-Fi issue knows how much of a pain in the ass it can be. With a dumb home, if my Wi-Fi goes down, my lights, heating, air conditioning, and garage doors still work.</p>
The complexity introduces another problem too. I maintain the entire technology infrastructure in my home because my wife doesn't have the technical background I do. I periodically have to travel for work. With a dumb home, if something goes wrong when I'm away, she can call one of several people we know who can come over and likely figure out the problem. If something is seriously broken, she can call an electrician or plumber. This isn't the case with a smart home. An electrician or plumber isn't going to troubleshoot a complex networking issue. Even a system administrator won't be able to fix it because they don't know how the network is setup and even if they did, they don't have access to any of the systems.</p>
Smart homes have a lot of interesting capabilities, but none of them are worth the maintenance for me. Were I single and didn't have work, shooting competitions, martial arts, and a bunch of other things fighting for my limited time, I'd be more inclined to explore the idea. But I'm not single and I'd much rather spend my time at the gun range and dojo than debugging a networking issue so I can get my lights to turn on again.</p>


Long Cycle Training
2025-11-21T12:00:00+00:00
If you could only do one exercise for the rest of your life, what would it be? Setting aside the absurdity of the question, most thought exercises are built on absurdity after all, I would say the double kettlebell clean and jerk. If a particularly clever person asked the question and pointed out that those are two exercises, I would say double kettlebell long cycle. Checkmate smartass.</p>
Long cycle training is a shorthand way of saying chained clean and jerks. I believe the term comes from the kettlebell sport world, but every time I think I know the source of a term, somebody proves me wrong. Suffice to say that long cycle is a kettlebell sport event. It's also a damn good strength training exercise. The thing I love about the exercise is the efficiency. If we analyze the clean and jerk through Dan John's five basic human movements; push, pull, hinge, squat, and loaded carry; the clean and jerk definitely involves four of them and can arguably involve all five. The clean is a hinge and a pull and the jerk is a squat (two actually) and a push. If you hold the weights in the rack position, you can argue it's a loaded carry too. The clean and jerk basically hits everything. When you chain them together into long sets, they also work your cardio system (which is great if you, like me, don't really enjoy dedicated cardio work). In a half hour of long cycle training, you get a lot of work done that hits most if not all of your basic movements.</p>
I've trained long cycle on and off over the years, but this year I really discovered my love for it. Besides a few short breaks to train other lifts, this year I've focused on long cycle training. Last month I read Denis Vasilev's Kettlebell Sport Training Methodology</a>. This was my first foray into kettlebell sport. I've always focused on hard style. I'm still performing hard style clean and jerks, but I wanted to read about a different training perspective.</p>
For those who don't know, the long cycle event in kettlebell sport involves the lifter performing clean and jerks for 10 minutes without putting the kettlebells down. Denis Vasilev is one of the greats and won numerous world championships. He's completed over 100 clean and jerks in 10 minutes with a pair of 32 kg kettlebells. I figured it was worth my time to read what the man has to say. The most useful fact I took from his book was the total volume of clean and jerks he's performed. It makes sense. The more you practice something, the better you get at it. If you want to get good at writing, you need to write a lot. If you want to get good at running, you need to run a lot. If you want to get good at clean and jerks, you need to do clean and jerks a lot.</p>
Based on that idea, I've been experimenting with a slightly different training methodology over the last two weeks. I have a nice set of kettlebells. I have pairs of every weight from 8 kg up to 48 kg in 4 kg increments. That gives me a lot of flexibility. My methodology for the last two weeks is broken down into three days: a high rep with light weight day, a medium rep with medium weight day, and a low rep with heavy weight day (light, medium, and heavy for me obviously). I use ladder sets and add more rungs with lighter weights. Each day I set my timer for 30 minutes and crank out as many good quality ladder sets as I can.</p>
I had to move my Sunday session to Monday due to a septic backup (the joys of owning a home). So on Monday I did ladders of 2, 3, 5, and 10 using a pair of 24 kg kettlebells. The sets of 10 were brutal. I completed 50 total reps. Tuesday I did ladders of 2, 3, and 5 using a pair of 28 kg kettlebells. Again I completed 50 total reps. I wasn't expecting that since I completed 40 total reps with this setup last week. I'm not complaining. Tonight I did sets of two with a pair of 32 kg kettlebells. I can squeeze out a set of three, but the third rep isn't a clean as I want so I'm sticking to sets of two for now. I completed a total of 28 reps. Therefore, I completed a total of 128 clean and jerks this week.</p>
It's too early for me to declare this methodology good, bad, or merely adequate. I am enjoying it though and each day is challenging for different reasons. The high reps with light weight day challenges my endurance, especially the sets of 10. It's as much a mental game as a physical game to get through those sets. The medium reps with medium weight day is a good overall challenge of strength and endurance. The high reps with heavy weight day is a challenge of my strength. I think this will be a good method for closing the year. I'll try to remember to report back my thoughts after week six.</p>


The Discipline to Do Less
2025-10-20T12:00:00+00:00
The topic of discipline usually comes up in conversations about physical fitness in the context of needing to do the work. You need to develop the discipline to do your workouts every week. You need to develop the discipline to eat a healthy diet. You need to develop the discipline to get enough sleep. But there's another side to discipline as it pertains to physical fitness. You need the discipline to do less.</p>
This will likely sound crazy to anybody who doesn't workout regularly. Why would anybody need discipline to do less, they are likely to wonder. The fact of the matter is exercise becomes addictive once you get into the habit of doing it regularly. This isn't surprisingly since strength training, like running and other forms of physical exercises, releases endorphins. But I don't think you can fully understand this until you experience it. Suffice to say that once you regularly workout, you want to workout more.</p>
There is such a thing as too much of a good thing. Exercise is definitely an example of this. Your body requires two things to grow: stimulus and time to adapt. Exercise is the stimulus. Recovery is the time to adapt. If you exercise too much, your body doesn't have the necessary time to recover. The sinister thing about this is that it doesn't happen immediately. It often takes a few weeks before you feel the effects of too much exercise. When you do feel the effects, it's often in the form of an injury.</p>
I recently finished going through a modified version (I replaced the overhead presses and front squat days with clean and jerk days) of phase one of Geoff Neupert's Maximorum program. It's a deceptive program. The first few weeks look fairly reasonable. This has lead a lot of people on various kettlebell forums to ask what they should add to the program. I've run through this program as written. I can tell you that you shouldn't add anything to it. The reason is cumulative fatigue. While the program is pretty reasonable for the first two or three weeks, the cumulative fatigue plus the more challenging sets makes the tail end of the first six weeks brutal. Then there are six more weeks after that.</p>
Maximorum isn't the only program like this. I've seen people ask what they can add to Pavel Tsatsouline's Rite of Passage, Dan John's Armor Building Formula, and most other popular kettlebell programs. Rite of Passage includes an optional variety day. It's meant to be a day where you practice movements, do mobility work, and other low impact things. People often turn it into a full blown lifting day and it bites them in the ass. Turning the variety day into a full blown lifting day invites cumulative fatigue to the show up and before you know it cumulative fatigue brings its good friend injury.</p>
Any off days are a great opportunity to do too much. Depending on my schedule, I run either a three or four days a week kettlebell program. Two days a week I do two different martial arts. One art is a form of kenjutsu and the other is a form of iaido. Both are much lower in intensity than combat sports like judo, boxing, or Brazilian jujitsu. This allows me to use them as active recovery days. That leaves me with one or two free days. I admit that I have a problem with filling that day or two with extra work that I shouldn't be doing. It takes real discipline for me to leave those as recovery days where I do, at most, light to moderate cardio. It's too easy to do a "light" lifting session on those days. Those sessions might seem easy, but they interfere with my recovery from my actual lifting days by adding to the cumulative fatigue. Whenever I give into that urge, I end up regretting it after a week or two.</p>
Developing the discipline to regularly exercise is important. Once you're regularly exercising, developing the discipline to not do too much is equally important.</p>