A Geek with Guns

The Return of Your Apps, Please

Christopher Burg — Fri, 15 May 2026 09:00:00 -0600

In my previous post</a> I discussed how the ability to attend concerts is increasingly locked behind using either an iOS device or a device running a Google approved version of Android. The issue I described isn't an isolated incident. More and more of our lives are being locked behind our smartphones. The two major smartphone operating system providers, Google and Apple, know this and are using their positions to lock us into their platforms. This is especially egregious of Google since it introduced Android as an open platform, which it no longer is.

Since introducing Android, Google has slowly been locking it down. Now there are effectively two tiers of Android: the Google blessed tier that can participate in our smartphone centric lives and the bastard child tier that can't. Less somebody think I'm being hyperbolic, Google demonstrated this fact with the latest update to reCAPTCH</a>:

Google has tied its next-generation reCAPTCHA system to Google Play Services on Android, meaning anyone running a de-Googled phone</a> will automatically fail verification when the system decides to challenge them. </blockquote>
reCAPTCHA is used by many websites, including government and educational websites, to thwart access by bots. Instead of providing an image-based puzzle, the new version of reCAPTCHA will require you to scan a QR code with your phone. The dirty trick, which is covered in more detail on this post</a> from GrapheneOS's Mastodon instance, is that on Android this authentication mechanism is tied to Google Play Services, which is Google's proprietary framework for Android, on a Google certified device. That means people with de-Googled phones, such as any phone running LineageOS or GrapheneOS, will be unable to access any website where reCAPTCHA suspects you're a bot.
With this change, attending concerts won't be the only thing locked behind using an iPhone or Google blessed Android device. Huge swaths of the web will be too. This also creates a potential Catch-22 situation. Since many government websites use reCAPTCHA, people not using a Google blessed Android device will inevitably be unable to access government websites, which could result in legal consequences depending on the website in question. Imaging being unable to renew your driver's license or pay your taxes because you don't own the right kind of smartphone.
This isn't the reality we're heading towards, it's the reality we're at right now. The European Union is working on a European Digital Identity, which will require Google Play Integrity</a>. Google Play Integrity, like the new version of reCAPTCHA, only works on Google certified devices. This not only expands the two tier system I mentioned to European citizenship, but also demonstrates that the European Union has no opposition to Google being a monopoly despite the rhetoric of its politicians. While the European Union makes a show of stopping Google's "monopoly" through lawsuits involving its app store, it hands Google a literal monopoly over the European Digital Identity application. To reiterate a long running theme of this blog, your government doesn't love you.

Your Apps, Please

Christopher Burg — Sat, 25 Apr 2026 19:00:00 -0600

I'm going to date myself. When I first started attending concerts, you bought physical tickets. These paper tickets could be purchased in several ways. You could visit the venue ticket box during business hours and purchase them. Ticket would normally be available weeks or even months ahead of a concert or you could buy them when you arrived for the concert if it wasn't sold out. If you lived too far from the venue, you could purchase tickets over the phone and either have them mailed to you or will call (that's and old term for picking your tickets up at the venue). As the Internet became more prominent, many venues started to offer online purchases. Tickets purchased online could be either mailed to you, will call, or printed at home using your printer. These were the halcyon days of concert ticket purchasing in my opinion.

All good things must come to an end though. Attending concerts today is often a pain in the ass because venues have moved to using apps for ticketing. This idea sounds convenient on paper. Everybody carries their phone with them to concerts so they can hold them up and record the entire show to post on social media so their friends know they were there. Since everybody has their phone with them all the time, making the device the method of acquiring tickets and entering concerts only makes sense, right? Except some of us don't carry our phones with us all the time. Some of us like to actually watch the concert with our own eyes rather than filtered through a screen. But more importantly, not all of us use venue approved smartphones.

There are several major problems with apps being used for tickets. The first one I will cover is the combination of shitty technology and nonexistent customer support that defines modern services. Anybody who has had a problem with a Google or Microsoft product will understand this pain. Getting a hold of a human being at either company is basically impossible. If your problem can't be solved through simple online methods, your problem often isn't going to be solved. One venue I used to frequent uses AXS</a>. I say used to frequent because AXS is a unique ticketing service in that they won't actually sell me tickets. You see, their website and app are both convinced that I'm a bot. Creating an account took long enough that one could legitimately write an epic poem about it. Once I managed to create an account, I couldn't use the service. Getting human support isn't an option. I did find their online support page and submitted a ticket thinking a human being would respond at some point. Instead, several days later, I received a link to chat with a large language model that was completely incapable of solving my issue. I'm calling out AXS in this case because it's my most recent encounter, but the same headaches are true of many ticketing apps.

The second major problem is the seemingly endless number of apps you need to install. Ticketmaster used to be the go-to app for ticketing, but they're a shower of bastards so venues rightly sought alternatives. This has lead to a seemingly endless number of apps. Each app also requires you to sign up for yet another service. Some services, like AXS, make signing up a tremendous pain in the ass. A few services, like Dice</a>, make the process straight forward and easy. Most are somewhere in between. It wouldn't be so bad if there appeared to be an end to the madness, but like Sisyphus pushing his rock, we seem to be damned to signing up for new services and installing new apps for all eternity.

The third major problem, and this is the biggest one in my opinion, is that you need to own a venue approved smartphone. This means you either need an iPhone or an Android phone running the stock OS. If you use anything else, good fucking luck. GrapheneOS works in most cases so long as you have Google Play Services installed (I install it in a separate, isolated profile along with all the stupid ticketing apps). If you don't have Google Play Services installed, you're out of luck for many apps (including Ticketmaster). What if you use something radically different, like a phone running mainline Linux</a>? Some ticketing apps can be made to run in an Android emulator with microG, but not all. If that doesn't work for the specific app you need for a concert, you won't get to attend that concert. The reliance on apps for ticketing helps Apple and Google maintain their duopoly over the smartphone market.

The old ways were better. Anybody who could afford the tickets could attend a concert. Now being able to afford the tickets isn't enough. You must also own an iOS or Android device, be lucky enough to not be tagged as a bot by the ticketing service, and have the wherewithal to not blow your brains out while you navigate the Byzantine account sign up process that many services utilize. Rubbing salt into the wound is the fact you don't have ticket stubs you can tack into a scrapbook to remember all the concerts you attended (for you younger folk, tickets at two pieces and the venue ripped off one piece when you got to the concert and you kept the other, which is referred to as the stub, and a scrapbook is a physical book you could paste photographs, ticket stubs, and other paper objects in).

The Endless Cycle of Enshitification

Christopher Burg — Thu, 16 Apr 2026 16:00:00 -0600

I've lived through a few epochs, moments in time where things changed so dramatically that we commonly talk about our world as it existed before and after. 9/11 was the first epoch that I was aware of living through (the fall of the Soviet Union happened when I was too young to know or care about it). COVID-19 is another. The differences between the pre-COVID-19 years and post-COVID-19 years are significant. During COVID-19 we experienced a dramatic drop in quality of life. Not because of the disease, but because of the fallout from the worldwide response to the disease. The world has never recovered from this. It's been caught in a continuous cycle of enshitification ever since.

The damage to education caused by the response to COVID-19 is hard to understate. Math and literacy rates were already trending downward before COVID-19, but they fell off of a cliff during and keep dropping after. It's not just K-12 schools either. College level education quality has been dropping too. The popularity of large language models (commonly and incorrectly referred to as AI) has exacerbated this trend. This isn't helped by the fact that education is no longer focused on the exercise of learning itself but on making the grade (which are often divorced from each other). It's common for stories covering this phenomenon to focus on students using large language models to skip doing the work. I submit this story</a> penned by a college instructor as exhibit one:

But since the appearance of ChatGPT, the instructor’s job isn’t just to teach the subject and frantically attempt to keep every student’s plate spinning. Increasingly, it’s to moonlight as a detective and prosecutor because students without the motivation to do the work don’t have to skip it anymore. They can turn in a work-shaped simulacrum almost as easily. And a substantial number do—in a recent College Board survey</a> of 600 high school students, 84 percent said they had used generative AI for schoolwork. </blockquote>
This part of the story wasn't what jumped out at me though. This part was:

For the last few years, I’ve been exclusively teaching asynchronous online courses, meaning recorded videos rather than live sessions. </blockquote>
Enshitification in education isn't coming solely from lazy students trying to make the grade without doing any work. It's coming from both sides of the teacher-student relationship. Before COVID-19 college classes were largely in-person. There were remote classes, but they were the exception rather than the rule. During COVID-19 most classes became remote. This resulted in an overall drop in quality for both the teachers and students. After COVID-19 many classes remain remote despite no remaining restrictions against in-person classes.
It's easy to blame students who use large language models to avoid doing their work for being lazy. But it's equally true that instructors prerecording video lessons (asynchronous learning to use the academic buzzword) are being lazy and avoiding doing their work. An instructor's job isn't to simply regurgitate information. If students want that, they can go on YouTube. An instructor's job is to help students learn. That not only requires covering material but also requires helping students understand the material. This may require explaining the material in several different ways, having one-on-one conversations with students, pointing students to additional resources, developing hands-on exercises that can help students walk through the logic, etc.
If an instructor is simply recording videos for students to watch, those students are going to pick up on the instructor's laziness. They will respond in kind with their own laziness. After all if the instructor doesn't care why should the students? The enshitification cycle feeds on itself like an ouroboros. The cycle can't be stopped and certainly can't be reversed unless one or more of the people responsible for perpetuating it stop. I will argue that in the case of the teacher-student relationship the teacher should be the one to stop perpetuating the cycle. Amongst the responsibilities of an instructor is the responsibility to demonstrate a belief that the material is worth learning.
I'm sure there are teachers who stand out in your memory because they seemed to be exceptionally good at teaching. I can recall many. One of my high school science teachers excelled at her job. Part of her success was her obvious love of the topic. Her excitement when it came to science demonstrated that she truly believed that the material was worth learning. Many of my college professors were the same way. They obviously loved the subjects they taught and their love of the subject alone could convince students that the material was worth learning.
Thwarting students' use of large language models is actually quite simple. Return to in-person classes and the use of hand written (they were called blue book exams when I was in college) and oral examinations. Will some students still find a way to cheat? Yes. But I suspect most won't because successful cheating under these conditions requires far more sophistication. The bigger challenge is overcoming students' apathy. I believe that requires teachers to first overcome their own apathy, which is an equal challenge.

Disabling Homebrew in Dinosaur OS

Christopher Burg — Fri, 13 Feb 2026 13:00:00 -0600

Since I released Dinosaur OS</a> last September, I've had to make very few changes to my image. This is a testament to the overall stability of Bluefin, the image upon which Dinosaur OS is based. But I started receiving error notifications a couple of weeks ago whenever the automatic update service ran. The initial error was actually due to a Flatpak problem. The developer of a package I installed uploaded a new version with the same version number as my currently installed version. This cause the Flatpak update program to fail. I managed to fix that, but the service was still displaying an error because it wasn't able to update Homebrew.

Homebrew is a package manager that was originally written for macOS. It was released back when I used macOS so I tried it and discovered that it was a train wreck and opted to use MacPorts</a> instead. Homebrew had a number of bizarre design decisions. The biggest was it wanted to install packages at a system level. Normally that's not a problem with a package manager, but Homebrew tied the system level directory to your user account's user ID number. Effectively Homebrew installed packages at a system level that only a single user account to use or modify. There was an option to install packages into your home directory, but a number of packages failed to run when you did that.

When it was announced that Homebrew was available for Linux, I dismissed it entirely. Why would I want a poorly designed package manager on a system that already has a plethora of very good package managers? My experience with Homebrew was so bad that I initially intended to remove it from Dinosaur OS. I ultimately decided that enough time had passed that I should give Homebrew another chance. My latest experience mirrored my previous experience.

Homebrew on Linux suffers the same problem as it does on macOS. It doesn't support systems with multiple user accounts well. When Bluefin installs Homebrew, it creates the /home/linuxbrew/</code> directory and sets its user and group IDs to 1000. Bluefin is based on Fedora and by default the first user account created on a Fedora system has the user and group IDs of 1000. All packages installed with Homebrew are installed into the /home/linuxbrew/</code> directory. This means Homebrew on Bluefin is configured so that only the very first user account created on the system can use it.

This is fine for most users, but I'm not most users. I have two user accounts on my system. The first is my administrator account, the second is a regular user account that I use for my day to day tasks. Administrator rights are required to create new user accounts so obviously I create my administrator account first. This means the actual account I use day to day, which has the user and group IDs of 1001 (the default on Fedora systems for the second user account created), can't use Homebrew.

There are ways around this. I could change the owner permissions on /home/linuxbrew/</code> to 1001. Homebrew on Bluefin is setup using the brew-setup.service</code> systemd service, which sets the permissions. I could change that unit file in my image to set the user and group IDs to 1001. Either option would allow my day to day user account to use Homebrew installed packages, but would prevent my administrator account from using them. The bottom line is Homebrew is a poorly designed package manager.

I chose a third option: ignore Homebrew entirely. There was no downside to this option at first, but a few weeks ago changes were made to Bluefin's automatic updater that caused me to reexamine my decision. As noted at the beginning of this article, I started receiving notifications that the automatic update service failed. Checking journalctl showed me the source of the error was that the update utility, UUPD</a>, was unable to upgrade Homebrew. This failure was caused by /home/linuxbrew/</code>, which normally contains the brew executable used to install and update packages, being empty (I didn't investigate why it was empty since I was already done with Homebrew).

Fortunately disabling and removing Homebrew from Bluefin is straight forward. Homebrew is installed by the brew-setup.service</code> systemd service, which is enabled by default on Bluefin. Disabling the service prevents it from automatically installing Homebrew so Dinosaur OS disables it. I also add a script, /usr/libexec/remove-brew</code>, to the image, which removes Homebrew from a system if it's already installed. This makes Dinosaur OS nondestructive in that it won't automatically remove Homebrew from a system where it's already installed. Removing Homebrew requires manual work. It also means Homebrew can be installed again by either starting or enabling brew-setup.service</code>.

I still had the problem where UUPD would throw an error because it was unable to update Homebrew (which was now missing entirely). UUPD on Bluefin accepts arguments that disable update modules though. The final change I made to Dinosaur OS is adding --disable-module-brew</code> to the ExecStart line of uupd.service</code>, which is activated by a timer periodically. uupd.service</code> is a system file, which means the user cannot edit it. Therefore, if you're running Dinosaur OS and install Homebrew, your Homebrew packages won't be automatically updated by uupd.service</code>. The best way to change this behavior is to copy /usr/lib/systemd/system/brew-update.service</code> to /etc/systemd/system/uupd.service</code> and remove --disable-module-brew</code> from the ExecStart line.

Overall I still like Bluefin a lot. I agree with most of the design decisions and appreciate that it's been easy for me to change the decisions I dislike. I continue to run Dinosaur OS on my desktop systems and haven't faced any catastrophic problems. If you want to create your own image based on Bluefin and want an example image to get started, check the Dinosaur OS repository</a>.



Getting Started with Kettlebells
Christopher Burg — Fri, 06 Feb 2026 20:00:00 -0600
Introduction</h1>
I developed an interest in physical fitness about a decade and a half ago. This interest lead me to pursue martial arts, biking, and eventually kettlebell lifting (along with many other activities). The reason I got into kettlebell lifting is because I wanted to improve my strength and endurance. Kettlebells were tools I could use in the comfort of my small apartment. Now I have a home and a gym in my basement. I still lift kettlebells three or four times a week.</p>
Getting started is the hardest part of any journey. This post is intended to help anybody who's interested in starting kettlebell lifting. It's not intended to be all encompassing. Too much information can be as bad as too little. Decision paralysis thwarts as many journeys as fear and laziness. Therefore, this post is opinionated. It will provide only a handful of options. Wherever options are provided, know that there are many more options out there. They aren't brought up to cut down on the noise. The hardest part of any journey is also the most important. It's more important to get started than to travel the optimal path. Any progress forward is better than no progress while you try to develop the optimal plan.</p>
Note on Units</h1>
Weights in this post will be provided in kilograms. Why would a post written by an American living in the United States use metric units? Two reasons. First, the historical unit of weight for kettlebells is the pood. The pood is an old imperial Russia unit. It's equal to about 16 kg. This means kettlebell weights divide nicely into kilograms. Second, kettlebell lifting is an international sport. International sports use the metric system because almost everybody outside of the United States does.</p>
To make your life a bit easier, here are the American equivalents to the weights used in this post (along with the weight in poods to illustrate my point about dividing nicely into kilograms):</p>
16 kg = 35 lb (1 pood)
20 kg = 44 lb (1.25 poods)
24 kg = 53 lb (1.5 poods)
28 kg = 62 lb (1.75 poods)
32 kg = 70 lb (2 poods)</p>
Types of Kettlebells</h1>
There are two major types of kettlebells: hard style and competition style. Hard style are typically made out of cast iron. The size of the bell depends on the weight. Heavier hard style kettlebells are larger than lighter ones. Competition style kettlebells are typically made out of steel. The size of the bell is the same regardless of the weight. A 16 kg competition style kettlebell is the same size as a 32 kg one.</p>
I exclusive used hard style kettlebells until this year. Now I own both. I recommend hard style kettlebells when you're starting out though. Hard style kettlebells are typically cheaper, often much cheaper, than competition style ones. You can do all of the traditional kettlebell lifts with either style of kettlebell so you might as well save yourself some money.</p>
You'll see articles online claim that competition kettlebells don't work well for two handed lifts such as two handed swings due to the handle size and shape. This isn't my experience. I have no issue doing two handed swings with competition style kettlebells and I have large hands. You'll also see articles claim that competition style kettlebells are more durable because they're made of steel instead of cast iron. This is a distinction without a difference. The only way you'll break either style of kettlebell is by being a complete dumbass.</p>
The two hard style kettlebells I typically recommend are REP Fitness</a> and Bells of Steel</a>. Both offer reasonably priced high-quality cast iron kettlebells with "free" shipping (free shipping means the price of shipping is baked into the price of the kettlebell). Buy whichever is cheaper at the time or in stock.</p>
If your budget is tight, I've read reviews for Yes4All</a> kettlebells and they seem to be decent. I can't recommend them since I've never seen them in person.</p>
Another option I'll note is Bells of Steel adjustable kettlebells</a>. These are adjustable competition style kettlebells. They're a good option if space is tight and you can afford to pay more upfront. I prefer fixed weight kettlebells because sometimes I like to switch weights during my workouts and changing an adjustable kettlebell's weight is a slow process. That doesn't matter when you're starting out though.</p>
Starting Weight</h1>
Recommending a starting weight is tricky. Everybody is different. If you know anybody who owns kettlebells or dumbbells, ask them if you can press a few overhead. You want a weight that you can press overhead a few times. I'll cite the most common rule of thumb. Men and women who haven't done any strength training should start with 16 kg and 8 kg respectively. Men and women who have done some strength training should start with 20 kg and 12 kg respectively.</p>
The difficulty of most kettlebell lifts can be adjusted through technique. If 20 kg is too light for two handed swings, change to one handed swings. If 20 kg is too heavy to strict press overhead, push press it. If a weight is beginning to feel too light, you can do more reps in less time to increase the difficulty. There are limits to this. If you can strict press a 24 kg kettlebell overhead, an 8 kg kettlebell isn't going to be a challenge no matter what (that's not to say an 8 kg kettlebell will be completely without value). Likewise, if you can barely strict press a 16 kg kettlebell overhead, you're not going to get a 32 kg kettlebell overhead.</p>
It's better to go a bit light than a bit heavy when you're starting. Beginners should focus on technique. It's almost impossible to focus on technique if you're barely able to move the kettlebell you're using.</p>
Programs</h1>
There are two programs I recommend to beginners: Rite of Passage</a> and Simple and Sinister</a>.</p>
Both programs require a single kettlebell. Both books do a good job of covering the technical aspects of the lifts they use. This is important. There are books for beginners, which go into detail on the how of lifts, and books for people who have experience, which typically don't explain how to perform lifts. You want to learn how to properly perform lifts. There are also a lot of good videos online that go over the hows of lifts. If you can find a coach in your area, you can also hire them to teach you how to perform lifts (this is probably the fastest and safest option).</p>
Rite of Passage is covered in the book Enter the Kettlebell. Between the two programs, I like this one slightly better because I like to press weight overhead. The program uses cleans, strict presses, swings, and snatches. There is also the option to add pull ups. The strict press is probably the lift that gives you the most bang for your buck. It's the staple of many great kettlebell programs such as The Giant, Dry Fighting Weight, and The Armor Building Formula. Swings add an endurance component to the program. Snatches are something you will need to study for a while, but once you learn how to snatch, you unlock another lift that provides tremendous bang for your buck. Rite of Passage is a three day a week program.</p>
Simple and Sinister used to be the</em> recommended program for beginners. It's the program I ran when I started. I've seen a number of people in online kettlebell communities argue that Simple and Sinister isn't a good program. They're full of shit in my opinion. Although I like Rite of Passage better, Simple and Sinister is an excellent program for people who haven't done any strength training. The program uses Turkish get ups and swings. Turkish get ups teach you the invaluable skill of getting up off the ground while holding weight. It will improve your overall movement quality. It can also be run more frequently than Rite of Passage.</p>
It doesn't matter which program you pick. If you want to press weight overhead, go with Rite of Passage. If you want to get up off of the ground while holding weight, go with Simple and Sinister. If you can't decide, flip a coin.</p>
Conclusion</h1>
That's it. That's the guide. Buy a kettlebell of appropriate weight, pick a program, and start lifting.</p>


Complex Systems, Simple Answers
Christopher Burg — Fri, 06 Feb 2026 13:00:00 -0600
The universe we occupy is a very complex system that contains an uncountable number of complex systems within itself. One of the most common illustrations of this fact is weather forecasting. Weather forecasts are notorious for being inaccurate. The reason for this isn't because the weatherman is incompetent, it's because weather is a complex system. Edward Norton Lorenz, a meteorologist who founded chaos theory, noted the complexity of weather systems through the butterfly effect</a>:</p>

He noted that the butterfly effect is derived from the example of the details of a tornado (the exact time of formation, the exact path taken) being influenced by minor perturbations such as a distant butterfly flapping its wings several weeks earlier.</p>
</blockquote>
The terrestrial weather system isn't the only complex system. Space weather is a thing and a great deal of effort is put into predicting it. Like predicting terrestrial weather, predicting space weather is notoriously inaccurate. A few other complex systems are the movement of tectonic plates, propagation of electromagnetic radiation, and human behavior.</p>
The human brain prefers simple answers. Prescientific man often explained complex phenomenon like weather as the action of gods and other supernatural beings. A typhoon wiping out a coastal city might be explained as the god of the sea punishing the inhabitants because they did something he didn't like. Postscientific man isn't that different. Although our scientific understanding has largely done away with accusing the gods for all that happens, we still end up creating simple answers for complex systems.</p>
This comes up most frequently when people try to blame an individual or group for events that are the result of complex systems. Crime rates are a good example. Many factors play into crime rates. Socioeconomic conditions are the most commonly cited factors, but there are many more. The laws themselves play a huge role because an act isn't a crime unless there's a law against it. If the government passes a law against an until then lawful and very common activity (see Prohibition in the United States), the rate of crime increases. Weather plays a factor in crime rates. Cities in the northern hemisphere typically have a higher rate of violent crime during the summer. Individual attitudes are a major factor. If there is a large number of people who are unhappy with their current conditions, they are more likely to perform criminal acts such as vandalism. Many people ignore all of these factors and instead blame crime rates on blacks or immigrants and call it a day.</p>
Political systems are also complex. A political system involves many people acting in the name of a government. These government vary from dictatorships to democracies. Different systems have different numbers of participants. The laws that get passed depend on a number of factors. Consider the legislative process in a common democratic system. A law might be introduced by a politician on behalf of a lobbyist. The lobbyist may want the law passed to prevent new competitors from entering their market. The politician might received benefits from the lobbyist ranging from paid vacations to promises of employment after they exit politics. Another law might be introduced because a politician sees people participating in activities they personally find immoral (again, see Prohibition in the United States). Once a law is introduced, there is a complex system of wheeling and dealing that commonly happens before the law is either rejected or passed into law. Many people ignore all of these factors and instead blame one political party for all the political ills in their country. Or they might blame the Jews or, more recently, British royalty (a new conspiracy theory gaining headway here in the United States).</p>
What is an answer that doesn't correctly answer a question? It's bullshit. This provides some incite into why all of the perceived ills in the world seem to go unaddressed. Too many people have opted for bullshit rather than answers. But don't be too harsh of those people. We humans aren't well adapted to analyzing and addressing complex systems. All of us opt for bullshit. Some of us opt for it more than others, but we all do it. We especially do it when an answer can't be identified. Our brains prefer simple answers and absolutely despise having no answers. When an individual accumulates too many questions without answers they often succumb to some form of nihilism, but that's not the only option.</p>
If you're willing to accept the fact that there are many questions without answers and come to peace with that fact, you can live in a sort of harmony. Many religions and philosophies exist around this idea. Stoicism emphasizes that you cannot control things outside of yourself but you can control how you react to events. Even though I cannot control who rules the nation, I can prevent myself from become emotional because of it. You don't have to be angry because you don't like the ruler of a nation. Daoism is centered on the Dao, the source of all existence. Critically Daoism teaches that the Dao is beyond our comprehension and therefore cannot be completely understood. This is a good frame of mind when living in a universe full of unanswerable questions. Accepting that you cannot fully comprehend events that are happening can help avoid falling under the influence of those who claim to have the answer and therefore from being manipulated by them.</p>
I can't say for certain what will make you happy in life. I will say that my life became happier once I accepted that I don't know the answer to everything. That acceptance has allowed me to achieve peace by not getting worked up over things outside of my control. I know the universe is composed of complex systems that are incomprehensible to me and I enjoy that there is mystery in this universe. I live my life how I want and care not at all about the opinions of others. They don't know the answers either. I strongly urge you to explore the same frame of mind and see if it bring you peace too.</p>


Setup IPv6 in WireGuard
Christopher Burg — Tue, 30 Dec 2025 15:30:00 -0600
Introduction</h1>
Over the holiday break I finished upgrading all of my self-hosted services to make them available via IPv6. The upgrade was straightforward for all of my services except one: my WireGuard VPN</abbr> server. I wanted to provide my VPN clients with IPv6 connectivity without using NAT</abbr>. Unfortunately most of the guides online use NAT for IPv4 and IPv6. NAT is necessary for IPv4, but goes against the very design of IPv6. I wanted to provide each client with a globally routable IPv6 address. This ended up being simple once I figured it out.</p>
I previous wrote a guide for setting up WireGuard to share a public static IPv4 address</a>. The formatting was ruined in the transition from my old WordPress blog to this statically generated one, but it explains how to setup a WireGuard VPN server for IPv4. This post will explain how to setup a WireGuard VPN server for IPv6.</p>
Preamble</h1>
First a major caveat. As of this writing, I've had this iteration of my VPN server running for two days. I've tested it on my home network, on my phone's cellular network, and on an IPv4 only network through my travel router. IPv6 appears to work in all cases. I haven't finished thorough testing though. There may be a number of corner cases that don't work. I will update this guide as I find and fix them. Therefore, if you find something broken, check back and I might have discovered it and posted the solution already.</p>
I also pieced my setup together by taking bits and pieces of several online guides. I pillaged from this guide</a>, this guide</a>, this guide</a>, and this guide</a>. If there are unnecessary configuration steps in this guide, I likely took it from one of these guides and didn't test my final setup without the configuration. Such mistakes are entirely my fault.</p>
In order to follow this guide, you need a source of IPv6 addresses and specifically a separate subnet from your hosting network. My ISP</abbr> provides me with a /48 prefix. This gives me roughly a bajillion addresses and subnets.</p>
Conventions Used in This Guide</h1>
For the purposes of this guide, I'm going to use the following IP addresses (2001:db8</code> is the prefix reserved for examples and documentation</a> for those not aware):</p>
2001:db8:1234::/48</code>: The prefix provided by our ISP.</p>
2001:db8:1234:9999::/64</code>: The subnet of our hosting network. The subnet 9999</code> was chosen for readability purposes.</p>
2001:db8:1234:ffff::/64</code>: The subnet provided to our WireGuard VPN clients. Throughout this guide remember that the subnet with numbers is for our hosting network and the subnet with letters is for our VPN clients.</p>
2001:db8:1234:9999::1</code>: The IPv6 address used by clients to connect to our WireGuard VPN server.</p>
2001:db8:1234:ffff::1</code>: The IPv6 address of the WireGuard interface. This differs from the above address in that a client only uses it after it has connected to the WireGuard VPN server through the above address. Once connected, clients will use this address as their gateway.</p>
2001:db8:1234:ffff::1:1</code>: The IPv6 address provided to the first of our WireGuard VPN clients. This address will be incremented subsequently so our second client will have an IPv6 address of 2001:db8:1234:ffff::1:2</code>, our third 2001:db8:1234:ffff::1:3</code>, etc.</p>
I will also use en0</code> as the name of the network interface of our WireGuard VPN server, 51820</code> as the port used to connect to WireGuard on our server, and wg-vpn.conf</code> as the name of our WireGuard configuration file.</p>
The Actual Guide</h1>
The first thing you will need to do is ensure that the router between your hosting network and ISP is setup to route the subnet for our VPN clients to our VPN server. How you do this will depend on both your ISP and your router. For my Ubiquiti Cloud Gateway Ultra, I created a static route that routes the entire 2001:db8:1234:ffff::/64</code> subnet to 2001:db8:1234:9999::1</code>. You will also need to configure your router's firewall to allow incoming WireGuard traffic to your VPN server.</p>
I'm hosting my VPN server on Fedora Server. By default, IPv6 forwarding isn't enabled on Fedora Server. I enabled it by adding net.ipv6.conf.all.forwarding=1</code> to /etc/sysctl.conf</code> and issued the sysctl -p</code> command to load the changes. I also added several other lines. /etc/sysctl.conf</code> on my VPN server contains the following contents:</p>
net.ipv4.ip_forward=1
</span>net.ipv6.conf.en0.proxy_ndp=1
</span>net.ipv6.conf.all.forwarding=1
</span>net.ipv6.conf.en0.accept_ra=2
</span></code></pre>
The first line enables IPv4 forwarding. It's enabled by default on Fedora Server, but I added the line just to ensure it's always enabled. The second line enables proxying NDP</abbr> packets, which is used by IPv6 to discover neighboring devices. The final line enables router advertisements while IPv6 forwarding is enabled. I added it to the file when I was trying to dole out IPv6 addresses through another method. I'm not sure if it's needed for my final setup. This is one of those potentially unnecessary configuration steps I mentioned in the preamble for this guide.</p>
The only port I opened on my VPN server's firewall is 51820</code> for UDP</abbr> packets. WireGuard only uses UDP so you don't need to open the port for TCP</abbr>. I also enabled masquerading capabilities. Masquerading capabilities are only needed for NAT, which means it's only necessary for IPv4. You don't need to enable it if you're only using IPv6 on your VPN server.</p>
Everything else happens in the WireGuard configuration file located at /etc/wireguard/wg-vpn.conf</code>. The first section of the configuration file sets up the interface:</p>
[Interface]
</span>PrivateKey = <Your Server's Private Key>
</span>Address = 2001:db8:1234:ffff::1/64
</span>SaveConfig = false
</span>ListenPort = 51820
</span></code></pre>
This is all pretty basic. PrivateKey</code> obvious contains your server's private key that was generated with wg genkey</code>. Address</code> is the IPv6 address of the WireGuard interface. Clients will use this address as their gateway once they've connected to our VPN server. SaveConfig</code> determines if the current configuration is saved when the WireGuard interface is shutdown. I generate my configuration files with Ansible so I don't want any state maintained and disable this feature. ListenPort</code> is the port through which clients will connect to the VPN server.</p>
The next section is where the heavy lifting is done. PostUp</code> commands run when the WireGuard server is being started. PostDown</code> commands run when the WireGuard server is being stopped. In this case, the PostDown</code> commands simply undo the PostUp</code> commands. Also note that %i</code> stands for the WireGuard interface name, which is wg-vpn</code> since the configuration file is wg-vpn.conf</code>.</p>
PostUp = ip6tables -A FORWARD -i en0 -o %i -j ACCEPT;
</span>PostUp = ip6tables -A FORWARD -i %i -j ACCEPT;
</span>
</span>PostUp = ip -6 neighbor add proxy 2001:db8:1234:ffff::1:1 dev en0
</span>PostUp = ip -6 neighbor add proxy 2001:db8:1234:ffff::1:2 dev en0
</span>PostUp = ip -6 neighbor add proxy 2001:db8:1234:ffff::1:3 dev en0
</span>
</span>PostDown = ip6tables -D FORWARD -i en0 -o %i -j ACCEPT;
</span>PostDown = ip6tables -D FORWARD -i %i -j ACCEPT;
</span>
</span>PostDown = ip -6 neighbor del proxy 2001:db8:1234:ffff::1:1 dev en0
</span>PostDown = ip -6 neighbor del proxy 2001:db8:1234:ffff::1:2 dev en0
</span>PostDown = ip -6 neighbor del proxy 2001:db8:1234:ffff::1:3 dev en0
</span></code></pre>
PostUp = ip6tables -A FORWARD -i en0 -o %i -j ACCEPT;</code> and PostUp = ip6tables -A FORWARD -i %i -j ACCEPT;</code> enable IPv6 forwarding between the server's network interface (en0</code> in this example) and the WireGuard interface (wg-vpn</code> in this example). This allowed IPv6 traffic originating from our clients to be forwarded out of the VPN server's network interface and return traffic routed from the VPN server's network interface to the appropriate client.</p>
PostUp = ip -6 neighbor add proxy 2001:db8:1234:ffff::1:1 dev en0</code> and the following two lines setup NDP proxies for each client. You could probably replace all of these lines with PostUp = ip -6 neighbor add proxy 2001:db8:1234:ffff::/64 dev en0</code>. Again I generate my configuration file with an Ansible playbook so it's just as easy for me to loop through my list of clients and add a line per client. As mention above, the PostDown</code> lines simply undo the PostUp</code> lines when the WireGuard interface is stopped.</p>
The final part of the file contains configuration information for each peer:</p>
[Peer]
</span>PublicKey = <The Client's Public Key> 
</span>AllowedIPs = 2001:db8:1234:ffff::1:1/128
</span>
</span>[Peer]
</span>PublicKey = <The Client's Public Key> 
</span>AllowedIPs = 2001:db8:1234:ffff::1:2/128
</span>
</span>[Peer]
</span>PublicKey = <The Client's Public Key> 
</span>AllowedIPs = 2001:db8:1234:ffff::1:3/128
</span></code></pre>
This is straightforward. PublicKey</code> contains the client's public key and AllowedIPs</code> contains the IPv6 address we're assigning to the client. Running systemctl start wg-quick@wg-vpn.service</code> will bring the WireGuard interface up so clients can start connecting.</p>
The configuration file for each client is simple:</p>
[Interface]
</span>Address = 2001:db8:1234:ffff::1:1/64
</span>PrivateKey = <The Client's Private Key>
</span>
</span>[Peer]
</span>AllowedIPs = ::/0
</span>Endpoint = [2001:db8:1234:9999::1]:51820
</span>PublicKey = <Your Server's Public Key>
</span></code></pre>
Address</code> is the globally routable IPv6 address our VPN server is assigning to the client. PrivateKey</code> is the client's private key. There's similarly little to say about the [Peer]</code> section, which contains connection information for the VPN server.</p>
AllowedIPs = ::/0</code> tells the client to route all IPv6 traffic through the WireGuard interface. Endpoint</code> contains the IPv6 address clients use to connect to the VPN server. Note the square brackets. Because IPv6 addresses use ':' as a separator and ':' is also used by convention to separate an IP address from a port number, the square brackets are used to disambiguate the ':' in the IPv6 address from the ':' differentiating the port number.</p>
When the client connects to the VPN server, it will have the globally routable IPv6 address of 2001:db8:1234:ffff::1:1</code>. If you connect to a website that tests IPv6 connectivity such as this IPv4 and IPv6 connectivity test</a>, it should show 2001:db8:1234:ffff::1:1</code> as your IPv6 address.</p>
There you have it, a WireGuard VPN server that provides clients with globally routable IPv6 addresses.</p>


Advice for Self Hosters
Christopher Burg — Tue, 23 Dec 2025 19:45:00 -0600
I just finished upgrading my final self hosted service to be available over IPv6. This was a staged upgrade handled over several months. All of the upgrades went smoothly. I attribute this success to years of stupidity. I've made a number of mistakes over the years. Some of them cost me a great deal of time and grief. But they all taught me valuable lessons. This post is a collection of some of those lessons. If You're interested in self-hosting, I hope this advice proves valuable to you.</p>
1. Automate everything.</h2>
This is probably the most important lesson I've learned over the years. The reason my server upgrades went so well is because all of my builds are automated. This allows me to treat all of my servers like cattle. When the time is right, I slaughter them. The time is usually right when there's a major Fedora release. This is because most of my services run on Fedora Server at the moment. When a new major version is released, I don't do a dnf system-upgrade. Instead I nuke the virtual machine that hosts my service, create a new one, and install everything from scratch.</p>
My builds weren't always automated. I manually built all of my servers for many years. Because of how arduous building some of my servers was, I would sometimes let the host operating system get woefully out of date. Eventually they would get to a point where I had to rebuild them. Sometimes this was due to a hardware failure. Sometimes it was due to a security vulnerability in my stack. What I discovered is that I didn't remember all of the ins and outs of building the server. The task would take much longer because I had to rediscover everything I forgot. That isn't a problem now that everything is automated.</p>
This advice doesn't apply only to building servers. Your backups should be automated. If your backups aren't automated, they won't get done. TLS certificate renewals should also be automated, especially now that certificate lifetimes are becoming shorter and shorter. Everything</em> should be automated.</p>
You'll hear a lot of advice about the best automation tools. Each automation tool has ups and downs. I settled on Ansible for automating my system builds. It's a good tool in general but configurations are done in YAML and YAML sucks. NixOS is an option more people seem to be adopting. The upside is the entire system build is declared in a configuration file. The downside is you have to use NixOS (I don't think NixOS is bad, I just want to note that you can't use the NixOS method with other operating systems). Don't let yourself succumb to decision paralysis. Look up a few automation tools, pick one that looks good, and learn it. Even shell scripts are better than nothing.</p>
2. Consider maintenance.</h2>
Every self hosted service will require maintenance. How easy or hard the maintenance is will determine how often it gets done. I'll use TLS certificate management as an example. TLS certificates have a lifetime. That lifetime is becoming shorter and shorter</a>:</p>


From today until March 15, 2026, the maximum lifetime for a TLS certificate is 398 days.</li>
As of March 15, 2026, the maximum lifetime for a TLS certificate will be 200 days.</li>
As of March 15, 2027, the maximum lifetime for a TLS certificate will be 100 days.</li>
As of March 15, 2029, the maximum lifetime for a TLS certificate will be 47 days.</li>
</ul>
</blockquote>
Certificate management used to be much more complicated than today. You had to create an account with a certificate authority. Once you had an account, you had to verify your identity, usually by providing a picture of your government ID. Then you could get a certificate for your domains that was good for one to two years. The maintenance wasn't insignificant, but you only had to go through the process every one or two years. However, it was often easier to create your own certificate authorities if your self hosted services that were only available on your local network or were only used by devices you controlled.</p>
Now the maintenance burden is changing. As certificate lifetimes shrink, it'll become infeasible to manually manage your TLS certificates. If automating your certificate maintenance isn't possible, which it might not be for a service only available on your local network, you can still provide a secure connection to it using something like WireGuard. WireGuard keys have no prescribed lifetime. Depending on your situation, it might be easier to make your self hosted service only available over a WireGuard connection so you can avoid the hassle of dealing with certificates.</p>
3. Simple is usually better.</h2>
The best illustration of this rule is my post about Caddy</a>. I migrated my reverse proxy server (and since then all of my HTTP servers) from Nginx to Caddy. The reason for this migration was that Caddy is much simpler to configure than Nginx. What can easily require two dozen lines of configuration in Nginx can often be done in a single line in Caddy.</p>
My migration from OpenVPN to WireGuard was done for similar reasons. OpenVPN is a very flexible protocol. Unfortunately that flexibility comes with significant complexity and that complexity hides a lot of footguns. WireGuard on the other hand is opinionated. There's very little flexibility. That lack of flexibility means configuring a WireGuard interface is simple and there are no obvious footguns.</p>
Another example is my self hosted Nextcloud instance. My original Nextcloud instance was built (using Ansible, of course) by setting up the database backend, installing all of the required packages, copying the Nextcloud PHP files to the web root, and bringing everything up with systemd services. Then the Nextcloud team released their All-in-One Docker container</a>. Installing the All-in-One Docker container is much</em> easier than building everything from scratch. I use it now because it's simple to install and maintain (it can do automatic updates).</p>
I'll point to this blog as my final example. For many years this was a WordPress blog. Last year I finally migrated it to a static website</a>. I can't overstate how much simpler this blog is to maintain. I no longer need a database or PHP-FPM. I don't have to worry about the seemingly endless security issues that WordPress suffers. Best of all is I don't have to worry about a WordPress update enshitifying writing and editing posts</a> (Gutenberg was such a terrible experience that I had a WordPress plugin to bring back the old editor). Now I can write my posts with any text editor I please.</p>
I won't go so far as to say that the simpler option is always better. But preferring the simpler option is a sane default.</p>
4. Practice your recovery plan.</h2>
I noted that you should have automated backups in my first suggestion. But a backup isn't useful if you can't restore the data. The only thing harder than getting people to backup their data is getting them to test restoring it.</p>
Since I automate (see how important my first suggestion is) building my systems and I rebuild them every time there's a major Fedora release, I have an opportunity to test my recovery plan roughly every six months (Fedora releases a new major version about twice a year). Part of my automated builds involves pulling data from my hot backup system. I know my restores work because I test them frequently. Get in the habit of testing yours. It's much better to know how to restore backups when you don't need them than to find out you can't restore them when you do need them.</p>
5. Have fun.</h2>
I'll level with you. If playing with operating systems, building servers, and learning networking doesn't sound fun to you, self-hosting isn't for you. If you're not having fun when things are working, you definitely won't have fun when things aren't working.</p>
Self-hosting is part research, part engineering, and part detective work. The research is the easy part. You think of a service you need, find what options are ability that fulfill that need, read the documentation (if there is no documentation, don't use it), and end up with an idea of how well the service will fill your need and how easy it will be to setup and maintain. Then comes building the service. This is where the engineering part comes in. If you listen to my advice, you'll automated the building process. But even manually building a service will require engineering effort. Then eventually something will go wrong. This is where the detective part comes in. What went wrong? What are the likely causes? How can those causes be address? Is it DNS? It can't be DNS. It was DNS!</p>
Life is too for voluntary suffering. If self-hosting isn't a fun hobby to you, go find a hobby you'll enjoy instead.</p>


Gun Restrictions Do Not Work
Christopher Burg — Mon, 15 Dec 2025 17:30:00 -0600
There's been another mass shooting in Australia</a>. The investigation is ongoing so I have no desire to focus on the minutia currently being reported. Much of it will likely change as the investigation progresses. What I want to focus on is that, despite promises made by Australian politicians and gun grabbers, gun restrictions failed once again. Australia already has strict restrictions on gun ownership</a>. Australian law explicitly states that gun ownership is a privilege. Owning a gun requires a license and getting the license requires an applicant to provide a "genuine reason" that cannot be self-defense. If the government decides to bestow you with the privilege of a license, you must renew it every set number of years (which varies slightly depending on region).</p>
Despite these already stringent restrictions, the Australian government has promised even more restriction</a> in response to the most recent mass shooting. Even I was a bit surprised by this announcement since I can't imaging what other restrictions they can put in place. (That was sarcasm. I wasn't even slightly surprised.) To use the phrase commonly misattributed to Einstein, "The definition of insanity is doing the same thing over and over again and expecting a different result."</p>
Advocates for restricting gun ownership have long promised that doing so would end gun violence. When the policies they advocate are passed into law, their promise goes unfulfilled. Their response is that gun ownership wasn't restricted enough</em> and demand even more restrictions. When those are passed into law, their promise still goes unfulfilled. It's an endless cycle of innocent gun owners being punished without the promised end being reached. Australia is a prime example of this point. Australian gun owners have been ruthlessly bludgeoned by their politicians and yet mass shootings continue to happen there. Punishing them further won't end gun violent in that country.</p>
Advocates for restricting gun ownership always find a boogeyman to blame for the failure of their policies. A common one here in the United States is that state level gun restrictions fail because people smuggle guns from neighboring states that have fewer restrictions. This shouldn't be an issue in Australia since the entire country has strict restrictions and is surrounded by an ocean. Their only noteworthy neighbor has arguably stricter restrictions</a>. A boogeyman that has become trend in the last few years is 3D printers. This boogeyman at least relates to the real reason gun restrictions don't work.</p>
The reason gun restrictions will never work is because guns are mechanically simple devices. Anybody can build a viable gun from parts found in a hardware store as Tetsuya Yamagami demonstrated</a>. Restrictions against gun ownership only work against those who desire to remain within the law. People who desire to commit acts of violence have no concern about remaining within the law so gun restrictions don't work against them. They will acquire the means to commit violence one way or another. The only outcome of gun restrictions is that the law abiding are made defenseless against the lawless.</p>


Just Do It
Christopher Burg — Fri, 28 Nov 2025 12:00:00 +0000
Knowledge builds upon knowledge. If you study two different fields of knowledge, you inevitably discover connections between them. The more I study physical fitness, the more associations I discover between it and economics.</p>
Ludwig von Mises in his magnum opus Human Action</a> opens part one with the chapter appropriately titled Acting Man wherein he describes the field of praxeology, the study of human action. Whether you subscribe to the Austrian tradition of economics or not, I would highly recommend reading part one of Human Action. What it states applies to many fields including physical fitness. For the purposes of this post, I will open with the following excerpt:</p>

To express wishes and hopes and to announce planned action may be forms of action in so far as they aim in themselves at the realization of a certain purpose. But they must not be confused with the actions to which they refer. They are not identical with the actions they announce, recommend, or reject. Action is a real thing. What counts is a man's total behavior, and not his talk about planned but not realized acts.</p>
</blockquote>
Here is where most people falter. They recognize that they exist in a less satisfactory state and express a desire to move to a more satisfactory state and that's where they stop. They never take action the action that they express.</p>
This came up recently in a conversation between a friend and myself. More than a year ago after an uncomfortable discussion with her doctor she had expressed a desire to lose weight and improve her overall fitness. To her credit, she sought out a personal trainer. Unfortunately she found a personal trainer who is too ready to tell clients what they want to hear, not what they need to hear. My friend went through a few life changes that let her slip into the vortex of 'being too busy.' She had reverted to old dietary habits and was skipping workout sessions. The progress she made over the last year started to slip away.</p>
This is when her personal trainer should've taken a page from Mises and told her that expressing intent and taking action towards achieving that intent are not the same. Instead she said a bunch of platitudes like saying that the important part is wanting the change. The implication being that wanting the change will motivate my friend to take action 'when she's ready.' While there are efforts that can be obtained through words, physical fitness isn't one of them.</p>
Friends don't come to me to hear what they want to hear. They come to me to hear my opinion, which is typically expressed with the subtlety of a sledgehammer to the face. My friend explained her recent situation. I told her she should find a different personal trainer, one who is willing to be upfront with clients. I closed with a phrase that I'm probably saying too often now, "To quote the Nike motto, you need to 'just do it.'"</p>
From a praxeological perspective, wanting to lose weight and be more physically fit is no different than wanting a new car or house. You exists in a less satisfactory state; being fat, unfit, without a new car, or without a new house; and you want substitute it with a more satisfactory state. Expressing your desire is an action, but it is not the action being expressed. Expressing a desire to lose weight is the act of expression, not the act of controlling calories or exercising.</p>
In order to realize your goals in life, you need to perform the actions you express. Wanting the change, despite the claims of a certain personal trainer, is not the important part. It is a part, you need to feel that you are in a less satisfactory state before you can move to a more satisfactory one, but it is not the part that will allow you to realize your goal.</p>