A Geek with Guns - Me

Disabling Homebrew in Dinosaur OS

2026-02-13T13:00:00-06:00

Since I released Dinosaur OS</a> last September, I've had to make very few changes to my image. This is a testament to the overall stability of Bluefin, the image upon which Dinosaur OS is based. But I started receiving error notifications a couple of weeks ago whenever the automatic update service ran. The initial error was actually due to a Flatpak problem. The developer of a package I installed uploaded a new version with the same version number as my currently installed version. This cause the Flatpak update program to fail. I managed to fix that, but the service was still displaying an error because it wasn't able to update Homebrew.

Homebrew is a package manager that was originally written for macOS. It was released back when I used macOS so I tried it and discovered that it was a train wreck and opted to use MacPorts</a> instead. Homebrew had a number of bizarre design decisions. The biggest was it wanted to install packages at a system level. Normally that's not a problem with a package manager, but Homebrew tied the system level directory to your user account's user ID number. Effectively Homebrew installed packages at a system level that only a single user account to use or modify. There was an option to install packages into your home directory, but a number of packages failed to run when you did that.

When it was announced that Homebrew was available for Linux, I dismissed it entirely. Why would I want a poorly designed package manager on a system that already has a plethora of very good package managers? My experience with Homebrew was so bad that I initially intended to remove it from Dinosaur OS. I ultimately decided that enough time had passed that I should give Homebrew another chance. My latest experience mirrored my previous experience.

Homebrew on Linux suffers the same problem as it does on macOS. It doesn't support systems with multiple user accounts well. When Bluefin installs Homebrew, it creates the /home/linuxbrew/</code> directory and sets its user and group IDs to 1000. Bluefin is based on Fedora and by default the first user account created on a Fedora system has the user and group IDs of 1000. All packages installed with Homebrew are installed into the /home/linuxbrew/</code> directory. This means Homebrew on Bluefin is configured so that only the very first user account created on the system can use it.

This is fine for most users, but I'm not most users. I have two user accounts on my system. The first is my administrator account, the second is a regular user account that I use for my day to day tasks. Administrator rights are required to create new user accounts so obviously I create my administrator account first. This means the actual account I use day to day, which has the user and group IDs of 1001 (the default on Fedora systems for the second user account created), can't use Homebrew.

There are ways around this. I could change the owner permissions on /home/linuxbrew/</code> to 1001. Homebrew on Bluefin is setup using the brew-setup.service</code> systemd service, which sets the permissions. I could change that unit file in my image to set the user and group IDs to 1001. Either option would allow my day to day user account to use Homebrew installed packages, but would prevent my administrator account from using them. The bottom line is Homebrew is a poorly designed package manager.

I chose a third option: ignore Homebrew entirely. There was no downside to this option at first, but a few weeks ago changes were made to Bluefin's automatic updater that caused me to reexamine my decision. As noted at the beginning of this article, I started receiving notifications that the automatic update service failed. Checking journalctl showed me the source of the error was that the update utility, UUPD</a>, was unable to upgrade Homebrew. This failure was caused by /home/linuxbrew/</code>, which normally contains the brew executable used to install and update packages, being empty (I didn't investigate why it was empty since I was already done with Homebrew).

Fortunately disabling and removing Homebrew from Bluefin is straight forward. Homebrew is installed by the brew-setup.service</code> systemd service, which is enabled by default on Bluefin. Disabling the service prevents it from automatically installing Homebrew so Dinosaur OS disables it. I also add a script, /usr/libexec/remove-brew</code>, to the image, which removes Homebrew from a system if it's already installed. This makes Dinosaur OS nondestructive in that it won't automatically remove Homebrew from a system where it's already installed. Removing Homebrew requires manual work. It also means Homebrew can be installed again by either starting or enabling brew-setup.service</code>.

I still had the problem where UUPD would throw an error because it was unable to update Homebrew (which was now missing entirely). UUPD on Bluefin accepts arguments that disable update modules though. The final change I made to Dinosaur OS is adding --disable-module-brew</code> to the ExecStart line of uupd.service</code>, which is activated by a timer periodically. uupd.service</code> is a system file, which means the user cannot edit it. Therefore, if you're running Dinosaur OS and install Homebrew, your Homebrew packages won't be automatically updated by uupd.service</code>. The best way to change this behavior is to copy /usr/lib/systemd/system/brew-update.service</code> to /etc/systemd/system/uupd.service</code> and remove --disable-module-brew</code> from the ExecStart line.

Overall I still like Bluefin a lot. I agree with most of the design decisions and appreciate that it's been easy for me to change the decisions I dislike. I continue to run Dinosaur OS on my desktop systems and haven't faced any catastrophic problems. If you want to create your own image based on Bluefin and want an example image to get started, check the Dinosaur OS repository</a>.



Upgrades
2025-10-15T12:00:00+00:00
I've been more silent as of late than usual. This is because I've been spending a lot of my free time upgrading my network infrastructure in anticipation of a major Internet upgrade. Most of this involved backend work that you readers won't notice. Suffice to say that I made major edits to my Ansible playbooks and redid several parts of my home network.</p>
A bit more than five years ago my wife and I moved to this house located in the rural Wisconsin. We loved everything about the property except for one thing: the only Internet option was DSL. I had DSL when I was in college and wasn't looking forward to going back to it after having enjoyed cable Internet for a decade, but the property was good enough that I was willing to make the sacrifice. One upside is the DSL was decent at 20 Mbps down and 1.5 Mbps up. I was also able to get a static IP address so I could continue self-hosting my services.</p>
Eventually Starlink became available in my area so I signed up. It was a significant upgrade. I regularly got 200 Mbps down and between 15 and 20 Mbps up. The two downsides were that my Starlink connection went offline during severe storms and I couldn't get a static IP address. Therefore, I kept the DSL so I had a backup when the weather was bad and could continue hosting my services. My home network had two gateways and each client was assigned the appropriate gateway from my DHCP servers. My self-hosted services used the DSL gateway and everything else used the Starlink gateway unless there was severe weather. When there was severe weather, I ran an Ansible script that rebuilt my DHCP servers' configurations to assign every client the DSL gateway. Each client would start using the DSL connection when their DHCP lease expired and renewed (I use short leases for this reason). I admit it wasn't the most elegant solution, but it was good enough for how rarely the Starlink connection went offline.</p>
When I first bought this house, the DLS was provided by CenturyLink. CenturyLink are a shower of bastards. Whenever the DSL went offline, I had to suffer through a minimum of five phone transfers to get to a tech that could actually fix the issue. Eventually CenturyLink sold its DSL business to Brightspeed. Brightspeed somehow managed to be worse.</p>
About a year ago a contractor buried fiber down my road. I expected to receive some notice that an ISP would be providing fiber service in my area but no such notice ever arrived. I searched high and low for the ISP that owned the fiber but found none. A few months ago Brightspeed announced that my static IP address would change. My history with Brightspeed told me that the changeover wouldn't go well so I searched for the owner of the buried fiber once again. This time I found the ISP, which is Lakeland Communications. I gave them a call and they confirmed that they provided fiber to my area. The only downside to me was the cost of installing the fiber from the road to my house. My house is far from the road so the cost of connecting my house to the fiber wasn't cheap (it was reasonable though considering the distance).</p>
I was able to push off Brightspeed's static IP address assignment, which turned out to be a blessing. To say the static IP address change went poorly would be an understatement. They managed to fuck it up completely. I had no Internet connectivity after the change. I spent a total of two hours on the phone with their technical support, all of whom are worthless, to no avail. Fortunately, Lakeland was scheduled to complete the fiber installation two days after that so I was only without my self-hosted services for about 48 hours.</p>
Lakeland Communications proved to be competent and easygoing. Because I self-host services including e-mail, I expected to need to sign up for a business account (what I've always had to do with other ISPs), but was told that I could self-host from a residential connection without any issue. They were also more than happy to let me use my router instead of theirs, which made reconfiguration my network as easy as changing the static IP address in my UniFi Network Controller. The speeds are good enough that I have to upgrade my router since I'm running an old Ubiquiti Security Gateway 3P and my Wi-Fi access points.</p>
Now when you access this site, it should download significantly faster. I can finally make full use of a number of my self-hosted services too. It's nice to have these capabilities again after five years of DSL restricting me to making sparse use of my services when I'm not home.</p>


Introducing Dinosaur OS
2025-09-05T12:00:00+00:00
Along with my new laptop</a>, I decided to try a new operating system. I've been running Fedora Workstation since I bought my ThinkPad P52s in 2018. It's a great distribution. However, I've been interested in immutable Linux distributions for a long time. Unfortunately, getting the proprietary Nvidia driver (the P52s has an Nvida GPU) working on Fedora Silverblue without having to disable SecureBoot was a hurdle I didn't want to jump over. Fortunately, my new laptop has an AMD processor and integrated GPU so I don't have to deal with Nvidia's shenanigans anymore. I originally intended to run Fedora Silverblue, but then I came across Bluefin</a>, which is a Universal Blue</a> image, which is a Silverblue based image meant to be a foundation for building images.</p>
Immutable Linux distributions differ from typical distributions in a number of ways. The biggest difference, which is in the name, is that the base system is immutable. This means you can't install packages in the normal manner. Silverblue has support for overlay packages, but installing overlay packages on an immutable distribution can cause headaches down the road (especially when performing major version upgrades). The advantage is that upgrades are simple and rolling back to a previous version is as simple as rebooting. Rebasing to other immutable images is also simple (as is rolling back if you decide you don't like the new image).</p>
I chose Bluefin over Silverblue for a few reasons. First, Silverblue uses the Fedora flatpak repository by default and all of the included flatpaks are sourced from that repository. I prefer to use Flathub because the packages are up-to-date. Bluefin uses Flathub. Second, Bluefin includes Distrobox</a>. Silverblue includes Toolbox, which I find inferior to Distrobox. Third, Bluefin includes Bazaar as its graphical Flatpak manager. Silverblue, like Fedora Workstation, still uses GNOME Software, which is so buggy that I end up managing flatpaks via the command line when I use Workstation. Fourth, dinosaurs. Bluefin's theme involves dinosaurs and dinosaurs are cool (hence the name of my modification of Bluefin).</p>
There's just one problem with Bluefin (Silverblue has this problem too). It doesn't include libvirt. I rely heavily on libvirt. It's my virtual machine manager of choice. Installing libvirt on Fedora Workstation was a simple dnf command away. But Bluefin is immutable so dnf isn't a lot of help. Bluefin does offer a solution out of the box in the form of the Bluefin Developer Experience (DX). Bluefin includes an easy way to rebase to Bluefin DX. The problem with Bluefin DX is that it includes a lot of tools I don't want to use such as Docker, Visual Studio Code, and Incus. This lead me down a rabbit hole of learning how to make my own modified version of Bluefin.</p>
Modifying Bluefin or any other Universal Blue image is dead simple. There's a handy template</a> that you can fork to get started. From there you can modify the Bluefin build process to add, remove, or modify whatever you want. The result of my efforts is Dinosaur OS</a>. Dinosaur OS is basically Bluefin with libvirt added. There are a few other minor modification too, but the inclusion of libvirt is the main difference. Switching from Bluefin to Dinosaur OS is as simple as issuing the sudo bootc switch ghcr.io/christopherburg/dinosaur-os</code> command. Once it completes downloading and staging the image, reboot your computer and you'll be in my modified version of Bluefin.</p>
The instructions to get started are all in the template's README.md file. But there are two files that will contain a lion's share of your changes. The first is Containerfile. The second is /build_files/build.sh. I've organized my repository since my initial release, but most of the changes are made by the shell scripts in /build_files/. For example, /build_files/base/00-install-libvirt.sh executes dnf to install the libvirt packages. It also adds the libvirt group to the image so you can add user accounts to the group. It also enables a systemd service that fixes some SELinux permission issues. None of this was my original idea. I pieces together how Bluefin DX</a> installs libvirt and made those modification in my image.</p>
Now that it's configured, my GitHub repository rebuilds the image once a day. This pulls in the updates from Bluefin, which in turn pulls in the updates from its base Universal Blue image. Dinosaur OS downloads new images automatically so when I reboot my computer, I boot into the latest image.</p>
I don't expect anybody to run Dinosaur OS themselves. It's custom tailored to my use case. My hope is that it can work as a template or example for anybody who wants to make their own image. The coolest thing about image based distributions is that it's trivial to make a bespoke image that fits your use cases. The coolest thing about using Universal Blue as the foundation is that it automates most of the work.</p>


If You're Reading This
2025-08-30T12:00:00+00:00
If you you're reading this, I've configured my new reverse proxy correctly. I've spent the last couple of days performing a major overhaul of my network infrastructure. This overhaul gave me the opportunity to rethink a few of my servers. The biggest rework was with my reverse proxy. For years I've been using Nginx to provide TLS connections for my various self-hosted services. Many of my Nginx configuration files were nightmares to read and edit because of the complexity of some of the services I self-host. It was finally bad enough that I started searching for alternatives. I eventually came across Caddy</a></p>
Caddy fucks. Consider the Nginx reverse proxy configuration for this blog, which is one of the simplest configurations on my reverse proxy server:</p>
map $http_upgrade $connection_upgrade {
</span>    default upgrade;
</span>    '' close;
</span>}
</span>
</span>server {
</span>    listen *:80;
</span>    server_name www.christopherburg.com;
</span>
</span>    include conf.d/certbot.conf;
</span>
</span>    location / {
</span>        return 301 https://www.christopherburg.com$request_uri;
</span>    }
</span>}
</span>
</span>server {
</span>    listen *:443 ssl http2;
</span>    server_name www.christopherburg.com;
</span>
</span>    autoindex off;
</span>    access_log <path to the access logs>;
</span>
</span>    ssl_certificate <path to the certificate>;
</span>    ssl_certificate_key <path to the certificate key>;
</span>
</span>    ssl_trusted_certificate <path to the trust chain>;
</span>
</span>    # A bunch of TLS configurations to ensure old, weak ciphers aren't used.
</span>    include conf.d/ssl.conf;
</span>
</span>    location / {
</span>        proxy_pass http://<actual server hosting site>;
</span>
</span>        include conf.d/headers.conf;
</span>
</span>        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
</span>        proxy_set_header X-Forwarded-Port $server_port;
</span>        proxy_set_header X-Forwarded-Scheme $scheme;
</span>        proxy_set_header X-Forwarded-Proto $scheme;
</span>        proxy_set_header X-Real-IP $remote_addr;
</span>        proxy_set_header Host $host;
</span>
</span>        proxy_request_buffering off;
</span>        proxy_read_timeout 86400s;
</span>        client_max_body_size 0;
</span>
</span>        # Websocket
</span>        proxy_http_version 1.1;
</span>        proxy_set_header Upgrade $http_upgrade;
</span>        proxy_set_header Connection $connection_upgrade;
</span>    }
</span>}
</span></code></pre>
Now look at the Caddy equivalent:</p>
www.christopherburg.com {
</span>    reverse_proxy <actual server hosting site>
</span>}
</span></code></pre>
Caddy handles most of the heavy lifting. It ensures TLS is enabled, automatically pulls certificates for your sites via Let's Encrypt, automatically redirects HTTP to HTTPS, and has sane defaults for all the reverse proxy configurations. Writing the Ansible playbook to build my reverse proxy took me about an hour and that's with zero Caddy experience beforehand.</p>
With this change comes another. I finally shutdown the old Wordpress blog. It's URL, blog.christopherburg.com, now redirects to here. Setting up this redirect in Caddy was as simple as:</p>
blog.christopherburg.com {
</span>    redir https://www.christopherburg.com/blog/
</span>}
</span></code></pre>
Caddy is working so well that I'm wondering when the other shoe will drop. When will a weird edge case rear its ugly head and bring me hours of frustration as I try desperately to fix it? I don't know the answer to that. Until it does appear though, I'm very impressed with Caddy. If you're self-hosting websites, I strongly encourage you to check it out.</p>


Diet Cleanup
2025-07-20T12:00:00+00:00
The diet of the average American is revolting. It seems to be made up primarily of carbohydrates. While it's trendy and easy to blame this on the food pyramid (the base of which is carbohydrates and top includes more carbohydrates), the average American diet is even worse than that. The side effect of this diet is easy for anybody with eyes to see. Everywhere you go is populated with obese people. The upside for us Americans is that there's an easy starting point for cleaning up our diet: cut back on the carbohydrates.</p>
I've gone through several iterations of diet cleanup. My first one was simple. I all but completely stopped drinking carbonated high fructose corn syrup (commonly referred to as pop or soda). The only thing I didn't eliminate entirely was root beer. I'll drink two or three in a year. But the only things I regularly drink are water, milk, tea, and coffee. Simply cutting out soda can remove a tremendous amount of empty calories.</p>
My previous cleanup efforts focused on two things. The first was my main weakness when it comes to food: salty snacks like potato chips, pretzels, etc. Like my efforts with soda, I didn't completely eliminate those junk foods from my diet. I prefer moderation over elimination for my diet. The second was eating more vegetables. Each weak I'd cut up a bunch of vegetables, put them into containers, and eat them with meals throughout the week. I ended up abandoning that effort because it resulted in some unpleasant digestive side effects. I still eat vegetables, but not as many as I was.</p>
At this point my diet is pretty decent. I've eliminated most of the common American problems and am now focusing on tweaking things. My latest efforts have focused on further increasing protein intake. Recommendations for protein intake vary. I've seen numbers as low as 0.8 g per kilogram of body weight and as high as 3.1 g per kilogram of body weight. I'm aiming for a daily intake between 1.5 to 2 g per kilogram of body weight. Part of my diet being pretty decent is that I'm consuming enough calories to maintain (I'm neither losing or gaining) body weight. I want to keep it that way. In order to accomplish that, I need to increase the amount of protein I intake per calorie. Another thing I want to do is increase my intake of dietary fiber. I, like most Americans, consume an inadequate amount.</p>
The first change I made was to what I call mobile meals. I need to drive into the office two days a week. I have three options for lunch on those days: eat out, pack a lunch, or fast. Eating out is expensive and eating healthy at a restaurant is challenging (actually damn near impossible). I'm already maintaining body weight so I'm not interested in fasting. That leaves the option of packing a lunch. On one of those two days I also have martial arts classes in the evening so I leave home in the morning and don't return until late at night. That means I need to pack dinner too. Since the dinner will be sitting in a lunch box all day, I also need something that will keep without refrigeration and doesn't require cooking (admittedly I could bring my small camp stove to cook on the go, but I'm lazy).</p>
My wife and I buy half a cow every year from a friend of ours who raises beef cattle. When you buy half a cow, you end up with a lot</em> of ground beef. This gives me a great option for mobile meals: homemade beef sticks. I bought a dehydrator at the beginning of this year specifically for this. Unlike store bought beef sticks, homemade ones don't need to be loaded up with salt, sugar, and other common ingredients I want to avoid. While they do require refrigeration (we don't use curing salts in ours) for long term storage, they easily survive the day without it. If you don't have a dehydrator and supply of ground beef, summer sausage also works well (but you'll need to keep the ingredient list in mind when buying from a grocery store). I also buy mixed nuts from the grocery store, which are a decent source of protein along with other nutrients. My mobile meals typically consist of a sandwich, homemade beef sticks, and mixed nuts. I might toss in a protein bar too (all of the ones I've tried taste like ass though so I only eat them when I need to in order to meet my protein intake goal).</p>
The second change I made was to breakfast. I developed an overnight oats recipe that consists of rolled oats; vanilla protein powder; a mix of chia, flax, and hemp seeds; collagen; creatine; milk; and nonfat Green yogurt. When I pull it out of the fridge, I mix in a bunch of berries too. This ends up being a huge intake of both protein and fiber. It's also easy to prepare. On Sunday I toss all of the dry ingredients into mason jars. Every evening I add the milk and yogurt to a jar, stir the contents up, and place the jar in the fridge.</p>
There are three key points I want you to take away from this post. First is the importance of diet. It's one of my three pillars of fitness along with exercise and sleep. All three pillars are weak for most Americans, but the diet pillar is probably the easiest to improve quickly because there is an obvious strategy: reduce carbohydrate intake. Second is improving your diet in stages. You don't need to drastically change your entire diet immediately. Most people who do this fail long term. Instead start with easy targets. Cut down on the biggest culprits like soda and candy. Then address the next biggest culprits. Continue this over time (the timeframe can be months or years) until you develop a diet that is pretty decent. Once your diet is pretty decent you can tweak it for specific goals. Third is moderation. You don't need to completely eliminate things like soda, candy, and junk food. You can, but simply cutting down the amount you consume over time is also an effective strategy.</p>


A Fresh Start
2024-10-29T01:53:00+00:00
Did you come to this site from my old blog? If so, welcome. If not, welcome all the same.</p>
For the two of you who read my old blog, you noticed the almost complete lack of new content appearing in the last few years. Part of this is because after blogging regularly for 10 years, I got sick of creating new content constantly. I also decided to pull back from online discourse because things have become so divisive in the United States that it's damn near impossible to hold a civil conversation about anything but the weather (and even that can be controversial).</p>
Why the return? I still like writing and a blog is a good excuse to do so. It also has the benefit of providing me the delusion that I have an audience. Why the new site? If you're not aware, the old blog is/was run on WordPress. I've long wanted to move away from WordPress for a number of reasons. The biggest of which is it's a nightmare to maintain. I self-host almost everything and maintaining a self-hosted WordPress site required maintaining the website the site runs on, which involved maintaining PHP and MariaDB, as well as the WordPress software. The WordPress developers have also implemented a number of interface changes that I don't like. Although most of them can be undone with add-ons, add-ons are also the single biggest security issue facing WordPress sites. I also don't need a lot of the features. For example, comments. See my remark about discourse above. If you want to comment on something I write, you can do it on your own website.</p>
Static site generators are the hip thing and there are several strong technical reasons for that. The foremost being it's easy to host a static site. You don't need PHP or a database. The entire site can be committed to a git repository for easy version controlling. I also like that the writing tool is separate from the server. In 2023, WordPress moved to its new Gutenberg interface for writing articles and it's shit. I installed an add-on to disable it. With a static site, I use my preferred text editor to write articles with Markdown. It's easy and clean.</p>
I'm writing this article in vim like a civilized person. The site you're reading was generated with Zola</a>, which I chose because it's written in Rust and Rust is the single greatest programming language on Odin's blood soaked planet. Also, I found a theme I like called Duckquill</a>. As dumb as it sounds, I spent a lot of time looking for a theme I liked. It has dark mode too so your eyes won't get blasted if you use that like I do.</p>
What about the old site? I'm going to keep it running for a while longer mostly to create a post that gives everyone still subscribed to my RSS feed a heads up that the site is moving. For the reasons I mentioned above, I don't want to maintain that old WordPress site forever so I used the excellent wordpress-export-to-markdown</a> application (and the also excellent Distrobox</a> to isolate that NPM garbage in an easily destroyable container) to migrate all of my old WordPress articles to this site. They are available at the Archive</a>. The archive is crude. None of the links for my old blog will work because the URL format changed from WordPress to this site. The old tags are also missing. They're embedded in the Markdown source code, but don't show on the site. There are probably a bunch of other issues with the archived articles due to the automated way I ported them. I have zero motivation to go through 10 years of articles and correct them so they are as-is. The search at the top should help you find an old article if, for some reason, you're looking for one.</p>