Ich habe hier nie dazu geschrieben, aber ich habe mir im Spätsommer 2023 die Caribia gekauft, eine niederländische Segelyacht aus Stahl. Gebaut in den 60er Jahren, wunderschön, mit einem kassischen Schnitt mit Langkiel. Der Innenausbau war aus Holz mit viel Charme, wenn auch an der einen oder anderen Stelle abgewetzt und verbastelt. Relativ große Fenster und die Stehhöhe im Innenraum sorgten für eine große Gemütlichkeit.

Wer mehr über dieses Boot erfahren will der*die kann auf der Webseite eines der Vorbesitzer einiges dazu finden.

Der Voreigner der Caribia hat sie verkauft, da er selbst kaum dazu kam damit zu zu Segeln und die Kosten und Aufwände dazu in keinem angebrachten Verhältnis standen. Mir ging es seitdem ähnlich, ich habe viel an dem Boot gemacht, teilweise auch machen lassen, war aber kaum damit unterwegs. Ich habe schon das Gefühl mit ein paar der Arbeiten größere Themen etwas langfristiger gelöst zu haben, aber insgesamt habe ich den klassischen Ich kaufe mein erstes Boot Fehler begangen und laufende Arbeit, Kosten und auch Organisationsaufwand rund um Liegeplatz, Winterlager und regelmäßiges nach dem Rechten sehen dramatisch unterchätzt. Zwischendurch hatte ich das Boot schon wieder zum Verkauf inseriert, da gab es aber nur ein ganz paar Anfragen und bis zu einem Besichtigungstermin ist es bei keiner davon gekommen.

Diesen Winter stand gar nicht mehr viel auf der Aufgabenliste bevor es rund um den Monatswechsel März / April zurück ins Wasser und dann zu einem neuen Liegeplatz an der Elbe - deutlich näher an meinem Zuhause - gehen sollte. Wohlgemerkt außen rum über den Nord-Ostsee Kanal und Hamburg statt den direkten Weg über den Elbe-Lübeck Kanal, der nämlich auf Grund langjähriger Vernachlässigung von Infrastrukturinvestitionen seit Monaten gesperrt ist (erwähnte ich schon, dass ich die organisatorischen Themen unterschätzt hatte?). Es gab ein paar Stellen, die entrostet und mit Rostschutzfarbe behandelt werden sollten, die übliche Erneuerung des Anti-Fouling Anstrichs unter der Wasserlinie und drei Stellen, für die ich einen Freund¹ gebeten hatte alte Öffnungen im Bootsrumpf zu schweißen. An der Elbe kenne ich niemanden mit Schweißkenntsnissen und das professionell machen zu lassen würde dann doch deutlich ins Geld gehen (erwähnte ich schon, dass ich die Kosten für Instandhaltung deutlich unterschätzt hatte?). Jedes Loch, das zugeschweißt ist ist mir lieber als eine irgendwie abgedichtete Öffnung, die sich mehr oder weniger plötzlich zum Problem entwickeln könnte.

Ich hatte eine alte Logge (misst die Geschwindigkeit durchs Wasser) bereits einige Tage vorher demontiert. Die Logge sieht aus wie ein kleiner Propeller und dreht eine flexible Welle sich in einer Hülse. Der Tacho der am Ende mal montiert war existiert nicht mehr und als ich im Sommer das Ende der Welle im Boot mal unterhalb der Wasseroberfläche plaziert habe konnte ich leise Tropf-Geräusche hören. Der Freund hat draußen geschweißt, ich stand drinnen mit Feuerlöschern zur Brandwache bereit. Danach ging es zu Problemstelle zwei: ein kleiner Rohrstumpf, der ca. 10 cm ins Bootsinnere reicht und dort mit einer irgendwie abgedichteten Mutter verschlossen ist. Der Vor-voreigner hat mal in einem Telefonat eine früher verbaute Gas-Anlage erwähnt. Vermutlich war dies der Notfall-Ablauf, damit sich austretendes Gas nicht im Boot sammeln kann (Das gas aus den üblichen Gasflaschen ist schwerer als Luft), sondern bei einem Gasleck dadurch abfließen könnte. Die Gasanlage gibt es schon lange nicht mehr und dieser Rohr lässt sich nicht ordentlich gegen Rost behandeln. Hier sollte also auch eine kleine Platte von außen vor das Loch geschweißt werden, ich könnte dann im nächsten Winter in Ruhe von innen die Reste des Rohres abflexen und die Stelle mit Farbe und Spachtelmasse bearbeiten. Der Rohrstumpf endet innen in einer Backskiste unter den Bänken im Cockpit. Die Backskiste war mit Wänden aus Holz zum Motorraum und zu den anderen Backskisten abgetrennt. Ich räumte die Backskiste frei und stand als Brandwache im Cockpit bereit, der Freund schweißte wieder von außen. Drinnen zeichnete sich die Schweißnaht durch Verfärbung des Lackes ab, teilweise platzte der Lack auch komplett auf. Nichts ungewöhnliches. Als von unten der “so, das hätten wir” Ruf ertönte ging ich nochmal ins Boot um einen Schluck zu trinken, warf noch einen Blick in die Backskiste und ging dann runter um mich vorne am Boot mit der Rostschutzfarbe um ein paar weitere Stellen zu kümmern. Der Freund widmete sich noch einem kleinen Riss im Ruderblatt und fluchte viel da an der Stelle das Metall sehr dünn war und beim Schweißen immer weiter weg brannte. Er bekam den Riss dann doch noch gut zu und als ich zum bestaunen kam wunderten wir uns, dass es pritzelnde Geräusche gab. Diese schienen nicht aus dem Ruder zu kommen, wo es wegen der Restfeuchtigkeit darin beim Schweißen ein paar Geräusche gab, sondern von über uns.

Es brannte. Nicht nur in der Backskiste, auch im Motorraum waren Flammen zu sehen. Ich sprang in die Kajüte um von dort zu löschen, der Freund rief weitere Leute aus dem Hafen herbei. Schnell war klar, dass wir das Feuer nicht gelöscht bekamen, und da mit den Flammen im Motorraum auch die Gefahr bestand, dass der Dieseltank aus Kunststoff schmolz und das Feuer sich mit Stichflamme (oder Explosion?) weiter ausbreitete sind wir schnell von Bord gegangen um uns zu schützen. Ein weiterer Feuerlöscher wurde noch von der Leiter aus in das Feuer entleert, hat aber kaum noch was gebracht. Wir haben dann mit einem der Wasserschläuche aus dem Hafen weiter gelöscht so gut es ging, die Feuerwehr alamiert und zwei Autos aus der Umgebung des Bootes weg geparkt. Drumherum war zum Glück viel Platz. Noch im Jahr davor standen die Boote dort recht dicht beieinander, aber in diesem Jahr war viel Platz und daher auch keine Gefahr, dass das Feuer auf andere Boote übergreifen würde.

Die Feuerwehr hat zunächst das mitgebrachte Löschwasser verwendet, dann ging das große Suchen nach Hydranten in der Umgebung los und schließlich wurde eine Pumpe auf dem Steg plaziert und Löschwasser aus der Trave gepumpt. Später war dann auch das Feuerwehrschiff Senator Emil Peters im Hafen und hat ebenfalls Löschwasser gepumpt. Die Feuerwehrleute waren zunächst an Bord zum löschen. Als klar war, dass sehr viel Wasser im Boot landen würde hat irgendwer die Frage aufgeworfen, ob der Hafentrailer denn auch das Boot mit zusätzlichem Gewicht wegen des ganzen Löschwassers sicher tragen könnte und ab da wurden die weiteren Löscharbeiten von einem nahestehenden Lagercontainer aus sowie dem Leiterwagen mit minimal hochgefahrener Leiter aus weiter durchgeführt.

Letztlich wurde das gesamte Boot mit Löschwasser und -schaum geflutet um den Brand zu löschen. Eine Person der Lübecker Umweltbehörde war vor Ort und hat veranlasst, das wir mit dem Hafenmeister gemeinsam die Gullis mit Plane soweit abgedichtet haben, dass der Löschschaum dort nicht reinfließt. Dann war es schon Abend, irgendwer hatte Abendessen beim Imbiss besorgt und der ganze Trubel war vorbei. Mein Autoschlüssel, Schlüssel, Portemmonaie und die Wechselklamotten lagen im Boot, so dass ich mit dem Zug zurück gefahren bin.

Das war mein Mittwoch.

Einige Tage später war ich wieder beim Boot. Die Polizei war zur Brandursachenermittlung da und als dazu alles besprochen war habe ich drumherum etwas aufgeräumt und mit Gummistiefeln und Handschuhen die Überreste meines Portemmonaies geborgen. Ein Schein ist noch komplett in Ordnung, ein paar weitere sind noch erkennbar als das, was sie mal waren. Damit gehe ich dann mal zur Bank und gucke ob ich das noch irgendwie ersetzt bekommen kann. Führerschein, Perso und Bankkarte taugen immerhin noch als Merkzettel, was ich alles neu beantragen muss. Alles andere was an Bord war ist hin.

Jetzt steht noch die Entsorgung an und ich hoffe, dass das ohne gigantisch viel Stress und Kosten über die Bühne geht.

Ihr könnt mich via E-Mail oder Mastodon kontaktieren.

In this context I had to debug some issues with the graphics stack that drove me nuts for a few days. Working with embedded linux systems both professionally and for fun I often touch a wide variety of software components. Each and every one of them is a complex beast by itself. There’s people and teams out there for whom the development and maintenance for any single of these projects is a full-time job spanning years to decades, they are without doubt experts in their domain. Stitching together those components into a full system, selecting, packaging and confgiuring them to work well together is a task that leaves me with a glimpse into a wide variety of components and technologies, but for very few of these I have deeper knowledge or insight. I’d thus consider myself a generalist. And that sometimes makes it hard to track down issues.

The generalist’s curse is that the toes are far out in unknown waters when tracking down an issue. Each of the many ponds around us could hold the key for solving it. But getting acquainted to one pond, aquiring the needed throughsight just to find out that the problem lays somewhere else takes a lot of energy and time. And this can be frustrating as hell.

For this project I’m using a Pine64 H64 (model B) board. It’s a nicely specced board and should be able to suffice for video streaming. But I couldn’t even get it to load th kodi GUI. Well no, that’s not true. It did. At first. But than it didn’t anymore. So I reverted to the previous NixOS configuration…

Aaaaaand

… it still didn’t work. Down the rabbit hole I went.

To let you parttake in this I’ll elaborate on the relevant bits of the tech stack a little. We’ve got:

• the Pine64 H64 board
  • ARM SoC
  • ARM Mali T720 GPU
  • Display connected via HDMI
• mainline 64-bit ARM (aarch64) Linux kernel (v 5.10)
• a 32-bit ARM (armv7l-hf) userland
• Mesa3D graphics libs with panfrost GPU driver
• cage wayland compositor
• kodi media center software using wayland backend
• kodi browser launcher plugin
• firefox web browser

“Why mix architectures?” you might ask. Well, I’m stubborn and don’t want to run a 32bit kernel on hardware that can do better. Besides, I don’t really know if building a 32bit Linux kernel for this SoC and board would even properly work since some relevant device-tree bits live in arm64 subdirs of the kernel source tree. The 32bit userland is needed because I want widevine to work, a proprietary library needed to play DRM¹ protected restricted media. Google doesn’t really release this library for ARM architectures, but their chromebooks ship a 32-bit ARM variant. There’s archane knowledge and utilities in the kodi community to extract the library from chromebook recovery images and use it inside kodi.

The problems manifested after small changes and a reboot. The graphics crashed whenever the cage compositor was started. The TTY1 console was displayed fine though. Reverting to the previous configuration didn’t bring the system back into a working state. This got me off track, since NixOS manages the system configuration in a declarative manner and thus should prevent exactly these runtime inconsistencies. But I hadn’t done any deeper inspection of the graphics or the general system before this error occured, so I was also lacking the reference to compare against.

I first blamed mesa and the panfrost GPU driver for this. The panfrost driver is still quite young. Mesa as a system library linking to hardware specific backends is complex and not 100% pure even in NixOS. Enough clues to start digging here. I spent some time recompiling mesa, ensuring it provided the panfrost driver and left out unrelated drivers. In the meantime I read up on mesa’s docs and the development state of the panfrost driver. By the time everything was ready for testing I had almost forgotten what the next planned step was. The long compile times of system components make it hard to stay focused on the assumption that I’m currently evaluating. I find hand-written notes quite helpful to keep some structure with this, whilest digital notekeeping add even more context switches and thus make things even worse.

I figured out it wasn’t panfrosts fault. Starting the system with a software rendering driver yielded the same result. Mesa’s documentation listed some environment variables that increased verbosity. The wall of text hinted at a problem with buffer allocation. After some research I tried increasing the memory region reserved for the kernels ContiniousMemoryAllocator (CMA) by adding a cma= argument to the kernel cmdline. It didn’t work and I moved on. In hindsight this was the correct approach probably just carried out wrong.

I trimmed down my test setup a bit, experienced the same issue with test programs like kmscube and started inspection of why I couldn’t get any core dumps (probably due to systemd-coredumpd and the kernel being incompatible due to the architecture mismatch). Many time consuming dead ends. At some intermediary point I had it mostly working again by hard coding the ExtendedDisplayIdentificationData (EDID) to use a lower display resolution. The graphics didn’t crash immediately anymore, the crash was delayed to some random point later in time. This and the fact that the crashlogs - where present - still mentioned buffer allocation errors made me revisit the CMA a few days later. Despite having tried it before. This time it worked.

I cursed. And I was happy to finally have a solution to the problem. I’ve learned some more about the linux graphics stack and especially mesa in the meantime, but I still feel like the next similar poroblem will probably be way above my head again. This is the curse of the generalist…

Feel free to contact me via mail or mastodon if you’ve got any notes on this post or start a public discussion via this blogs github issue tracker. You can also subscribe to the RSS feed to stay tuned!

There’s more posts about Nix and NixOS in the pipeline and I also want to document my recent encounters building a small multi-apartment network based on OpenWRT enabled hardware. They’ll be published when they’re done. Might be next week, but could just as well be next month. So give this blog an occasional visit or subscribe to the RSS feed if you’re interested in those topics. Thanks!

Feel free to contact me via mail or mastodon if you’ve got any notes on this post or start a public discussion via this blogs github issue tracker. You can also subscribe to the RSS feed to stay tuned!

Like mentioned in the post about printing I’ve got a Canon PIXMA TR4551 printer/scanner combo device with USB and Wi-Fi connectivity. I’ve used it for scanning with linux before, using Canons proprietary scanning application scangearmp2. Using it is no fun, it doesn’t remember any preferences like the preferred paper format. The worst part: the save dialog window is unusable with the keyboard. It doesn’t preselect the file name input field and the save button is absolutely inaccessible by keyboard.

In most applications there’s underlined letters in every button, menu item etc. when pressing the ALT key, that allow selecting them via the keyboard. Alternatively they accept ENTER for the default action (OK/SAVE/CONFIRM) and ESC to abort. This application does neither.

The scanner has an automatic document feeder (ADF) that is supported by the application, so scanning a multi-page document is OK, as long as it’s single-sided and fits into the feeder.

Well, I guess the impression, why I’d rather use some “better” software got across, so let’s boil this down into a list of requirements for a driver or scanner-application:

• works via network / Wi-Fi
• allows selection of default values (paper format, source, color-mode) or remembers the last used options
• doesn’t require manual input for the file name. A quick scan with a default filename should not involve any other button presses the OK, OK, NEXT, SAVE, OK, … (and not that many)
• is usable without reaching for the mouse
• supports the ADF
• (optional) Scanning the next page of a multi-page document can be triggered by pressing a button on the scanner
• (optional) Text recognition (OCR)

SANE

The usual setup for scanning on linux involves the SANE Project, with the acronym standing for ScannerAccessNowEasy. SANE has a huge selection of backends — the device-specific drivers — and provides a common API for their usage, so that the actual applications (the SANE frontends) are device independent. Regarding the frontends I’ve used gscan2pdf for documents and SimpleScan for quick scans of single pages or photos in the past and the combination of those tick all the frontend-related boxes of my requirements list from above. So all that’s missing is a network-enabled SANE backend for my printer which also supports the ADF and optionally can trigger the next scan via an on-device button.

Backends

Online-research led to quite a few options with a varying amount of information available:

pixma

Support for my scanner via the pixma backend might work. The list of features that are supported in general, but might or might not be supported for my device, is long, including niceties like button controlled scanning, adjusting image settings (gamma, brightness) or setting a wait time for when the automated document feeder runs empty, to allow reloading it and continue scanning the same document. The documentation mentioned networked scanning support via the proprietary Canon BJNP protocol, but I didn’t find any information, whether this was supported by my device.

In recent versions of the SANE list of supported hardware the device is listed as untested meaning its information has been added to the backend, to enable testing of the status of device-support without further modification to the source code. My switch to the nixos-20.03 channel containing the required SANE package was due anyhow, so I switched channels, waited for the system to update and installed SANE.

The scanner wasn’t found via the network even with temporarily disabled firewall, so the pixma backend won’t work for me. I did a quick check of all the other functions with the scanner connected via USB. Scanning from the flatbed worked, but I got an error when trying to use the ADF. This is now reported back to the SANE project.

If you encounter bugs or other annoyances in openly developed software, please do file a bug, provide fixes or suggest improvements to the documentation (some projects pay a lot of attention to keeping their barrier of entry low and their communication tone very welcoming, to make it easy for people with and without coding skills to contribute).

eSCL and airscan

The eSCL and airscan backends both use the HTTP-based eSCL¹ protocol and don’t need device-specific drivers. The protocol seems to be well known through Apples use of it and is supported by a quite broad palette of network connected scanners, but it seems to not be publicly documented. Work on reverse-engineering and reimplementing (parts of) it in free software drivers is has just started recently, with most documentation notes and work on the SANE backends dating to 2019.

Details on how to get those backends working in Nix will be part of a separate blog post, but I sure was surprised about the amount of work that can be associated with bumping up a packages version number.

Using the airscan backend scanner discovery, scanning from flatbed and ADF all work², so the remaining parts of my requirements list are covered and I guess I could stop at this point. But I’m trying to get an overview of the available options here and experiment with Nix packaging, so I can just as well go on and evaluate the remaining backends.

The eSCL backend has been a moving target while preparing this blog post. The version contained in release 1.0.29 of the SANE backends was unpolished, selecting the correct paper-size was buggy and it didn’t support the ADF yet. This changed as development went on and the most recent commit fixing some remaining ADF errors happened just a few days ago. Scanning from flatbed and ADF work when using the SimpleScan GUI application, but I get messed up image files when scanning via the commandline with the scanimage tool. I did open another bug report for this.

canon-pixma

This backend is written as a wrapper around the proprietary driver libraries, that are part of scangearmp2. The main contributor to this wrapper is also heavily involved in the SANE project, but the backend is not integrated into the SANE backends repository, I guess that’s due to licencing issues. As it isn’t packaged for NixOS yet, I had a little work to do here and write my first package definition in Nix. I’m still working on polishing it for a pull request_ to the nixpkgs repository, but for local testing it works already. I also packaged the scangearmp2 application, to have a first check, if the libraries and the printer work together. scangearmp2 didn’t find the scanner via Wi-Fi at first, but disabling the firewall made it work and there’s no difference between the scanner connected via USB and via Wi-Fi then. For further testing I used the USB connection and reenabled the firewall, but finding the correct ports to open in the firewall is still on my ToDo list. All functions provided by scangearmp2 seem to work, including scanning from the ADF.

SANE with the canon-pixma backend finds the scanner via USB and — with disabled firewall — via Wi-Fi as well. Scanning works fine from the flatbed, but the ADF doesn’t do anything. I haven’t yet found the cause for that and given that most of the functionality is hidden in proprietary, binary-only libraries, the debuggability is not so good. I’ll see, if I find the time and motivation to dig deeper into that phenomenen, but since my needs are covered by other backends and there’s no additional features to be expected to be usable via this backend, I probably won’t waste a lot more time on this.

Verdict

To sum up, here’s the list of supported features again, based on what I actually encountered:

I’ll be using the airscan backend for now, since it is packed for Nix and can easily be integrated into my system without me having to keep local package definitions around.

This post is part of the #15WeeksToBlog challenge.
Week 2/15. Technically I failed the challenge already, skipping more than a. I’ve been steadily working on the post though, ensuring my notes from the experiments a little while ago where still correct. The backends getting updated in the meantime led to me reevaluating some aspects. I’ll interpret this experience as a push toward smaller, more focused posts and publishing them faster.

Feel free to contact me via mail or mastodon if you’ve got any notes on this post or start a public discussion via this blogs github issue tracker. You can also subscribe to the RSS feed to stay tuned!

Getting it in there isn’t complicated and there’s several online resources on achieving that. Basically it’s just adding a URL in one of the mastodon profile metadata fields and then linking back to your mastodon profile on that website with a rel="me" attribute.

<a href="https://chaos.social/@dwagenk" rel="me">My Mastodon Profile</a>

One thing I didn’t see mentioned anywhere: The link verification doesn’t appear immediately, but needs some time. Apparently the mastodon instance server scans those URLs periodically instead of every time the profile is viewed (sounds like a reasonable design decision favoring lower load times). This irritated me, because it needed more than 9 hours for the checkmark to appear on my profile. The timespan got me thinking and double checking, whether I made any mistakes linking back, but in the end waiting was just the best solution for this problem…

This post is part of the #15WeeksToBlog challenge.
Week 1/15, 2nd post this week.

Feel free to contact me via mail or mastodon if you’ve got any notes on this post or start a public discussion via this blogs github issue tracker. You can also subscribe to the RSS feed to stay tuned!

In this and probably two future blog posts I want to document my last deep-dive into a new-to-me technology:

Nix/NixOS or more specifically getting my printer/scanner combo device to work well with NixOS.

Nix is a functional approach to packaging software, and approaching system configuration. The OS is configured declaratively by writing config files, instead of changing the system in an iterative way. I’ve used both Debian and Arch Linux based distributions before and experienced problems regarding software dependencies and malfunctioning packages now and then with them. Probably NixOS will have some challenges for me as well, but I’m more willing to tackle them. Whatever I do to mitigate those is documented and version controlled in my system configuration and won’t come back to haunt me (ooh, I remember I spent hours debugging and solving this problem, but what the heck did I do?). I’ve had NixOS installed on my personal laptop for 3 months, with barely enough configuration for it to serve my everyday needs, but without wrapping my head around it yet. So it’s about time to develop better skills around the system I’m using.

I’ll use this post to document the chunk that worked quite flawlessly: getting the printer to work. I’ll have a similar post for the scanner as well, which was more challenging to get running well.

I’ve bought a scanner/printer combo device (Canon PIXMA TR4551) with USB and Wi-Fi connectivity about one and a half years ago. It worked OK with my previous Arch Linux setup but needed proprietary software and drivers provided by the vendor.

IPP Everywhere

Before installing those drivers again on NixOS, I tried out using the printer with available free software drivers. The printer supports IPP (InternetPrintingProtocol) for access via the network. CUPS (CommonUnixPrintingService, the standard way to access printers on Linux) has a built-in Generic IPP Everywhere Printer driver. To get this working on NixOS I added the line

services.printing.enable = true;

to my configuration.nix file.

Turns out this driver works OK with my printer, but there are some pitfalls:

• The driver allows selecting the print quality in DPI from a drop-down with many many options. Selecting a value that’s not well-supported by my printer causes no error message, but weirdly scaled pages
• A similar issue arises with the color-profile selection
• The duplex printing function is inversed

Those pitfalls are more or less cosmetic, but would probably be a constant source of failed printouts in the future. I’m human and tend to forget which options I need to choose. I don’t want to be able to select unsupported modes.

It’s nice to have the printer supported kinda-out-of-the-box. I decided to try using Canon’s proprietary drivers as I remember them to work a little better.

Proprietary Driver

The drivers provided by Canon are already available as a package in NixOS! The right keyword to use in the Nix package search is cnijfilter2 which is also part of the filename of the driver archive offered for download at Canon’s website.

I went on extending my configuration.nix file like suggested in the NixOS wiki

services.printing.enable = true;
services.printing.drivers = [ pkgs.cnijfilter2 ];

This led to an error while rebuilding the NixOS system:

$ sudo nixos-rebuild switch
building Nix...
building the system configuration...
error: Package ‘cnijfilter2-5.30’ in /nix/store/ywjr6djpwc1cp4hp52yqwwgyb9vphkql-nixos-19.09.2426.9237a09d8ed/nixos/pkgs/misc/cups/drivers/cnijfilter2/default.nix:117 has an unfree license (‘unfree’), refusing to evaluate.

a) For `nixos-rebuild` you can set
  { nixpkgs.config.allowUnfree = true; }
in configuration.nix to override this.

b) For `nix-env`, `nix-build`, `nix-shell` or any other _Nix_ command you can add
  { allowUnfree = true; }
to ~/.config/nixpkgs/config.nix.

(use '--show-trace' to show detailed location information)

following the hint in the error message and adding

nixpkgs.config.allowUnfree = true;

to configuration.nix solved the problem. The printer works with the new driver and I’m glad it offers fewer options and therefore fewer possibilities for me to screw up, but […]

A Note on Free Software

[…] I don’t like the allowUnfree = true setting. I’m a big fan of free software and use it whenever there’s a viable solution available. Being pragmatic I use proprietary software on my devices as well. The decision should remain on a per-package base though, not to give carte blanche for all unfree packages. I found the relevant section in the nixpkgs manual, but the solution presented there didn’t work. Turns out there’s also a github issue mentioning the documentation being incorrect and offering a working alternative for allowing individual unfree packages.

nixpkgs.config.allowUnfreePredicate = (pkg: builtins.elem
  pkg.pname [
    "cnijfilter2"
  ]
);

Network Printing

The printer offers USB and Wi-Fi as means of communication. Using the cnijfilter2 driver CUPS finds the printer via it’s USB connection, but not via Wi-Fi. Printing via Wi-Fi works after configuring the printer manually (ipp://123.ip.of.printer). It would be nice to have CUPS auto-detect network printers. Without going into detail (I really don’t know a lot about auto-discovery of networked devices and just followed the clues from the NixOS wiki) here’s what I had to add to my configuration.nix for CUPS to automatically find the printer via Wi-Fi:

services.avahi.enable = true;
services.avahi.nssmdns = true;

Note: the printer needs to be in the same IP-subnet as the computer for auto-discovery to work.

Declarative Printer Configuration

I’ve skipped over the part of actually configuring the printer, since I’ve not done it the Nix way yet. Configuring printers declaratively in NixOS seems to be possible and I’ll take a look into it later.

Config File

To summarize, this is the section in my configuration.nix related to printing

{
  #...

  services.printing.enable = true;
  services.printing.drivers = [ pkgs.cnijfilter2 ];

  nixpkgs.config.allowUnfreePredicate = (pkg: builtins.elem
    pkg.pname [
      "cnijfilter2"
    ]
  );

  services.avahi.enable = true;
  services.avahi.nssmdns = true;

  #...
}

Feel free to contact me via mail or mastodon if you’ve got any notes on this post or start a public discussion via this blogs github issue tracker. Like I mentioned above, I’ve got more posts planned on Nix and my printer/scanner, so if this interests you subscribe to the RSS feed to stay tuned!

CC-BY-SA-4.0

I started writing this blog post in a first attempt a couple days ago and it got way too verbose and lengthy, going into detail about the specifics of my setup and the reasoning behind it. So here’s a short version.

Goal

Adding Collabora to an existing Nextcloud instance to enable online collaborative document editing right inside the Nextcloud webinterface.

Step by Step

Prerequisites

I’m assuming you’ve got Nextcloud installed somewhere already (publically reachable, with it’s own domain or subdomain) and also installed the Collabora app (it’s listed as one of the official apps in the Office & Text section of Nextcloud’s list of apps). You also need a server for running Collabora, that has docker and docker-compose installed and a domain or subdomain pointing to it. If both, Nextcloud and Collabora, will be running on the same server, take a closer look at the jwilder/nginx-proxy, that I’ll be using anyhow. It should be no problem having both running behind the proxy on the same server, accessible through different subdomains.

The docker-compose.yml file

is stitched together from this thread:

version: '2'

services:
  proxy:
    image: jwilder/nginx-proxy
    container_name: proxy
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./proxy/conf.d:/etc/nginx/conf.d
      - ./proxy/vhost.d:/etc/nginx/vhost.d
      - ./proxy/html:/usr/share/nginx/html
      - ./proxy/certs:/etc/nginx/certs:ro
      - /var/run/docker.sock:/tmp/docker.sock:ro
    networks:
      - proxy-net

  letsencrypt-companion:
    image: jrcs/letsencrypt-nginx-proxy-companion
    container_name: letsencrypt-companion
    volumes_from:
      - proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./proxy/certs:/etc/nginx/certs:rw

  collabora:
    image: collabora/code
    container_name: collabora
    expose:
      - 9980
    cap_add:
      - MKNOD
    environment:
      - domain=NEXTCLOUD_DOMAIN
      - VIRTUAL_HOST=COLLABORA_DOMAIN
      - VIRTUAL_NETWORK=proxy-net
      - VIRTUAL_PORT=9980
      - VIRTUAL_PROTO=https
      - LETSENCRYPT_HOST=COLLABORA_DOMAIN
      - LETSENCRYPT_EMAIL=ADMIN_EMAIL
    networks:
      - proxy-net


networks:
  proxy-net:
    external:
      name: proxy-net

You’ll just need to adapt NEXTCLOUD_DOMAIN, COLLABORA_DOMAIN (2x) and ADMIN_EMAIL. Also the Network, that connects the services (=collabora) with the proxy is declared as external, so you’ll have to create it by running

docker network create --driver bridged proxy-net

before starting the containers with

docker-compose up

Note: if you also want to have access to Collabora’s admin interface at https://COLLABORA_DOMAIN/loleaflet/dist/admin/admin.html also provide username and password in the environment section for the Collabora container.

Link Nextcloud and Collabora

All that’s left to do is enter the domain of your collabora service into the settings of your nextcloud collabora app and start editing documents right inside your nextcloud!

CC-BY-SA-4.0

I planned writing some posts about embedded systems development. Well, I’ve been too busy to actually get started with that and although I’ve got some half-baked posts somewhere on my hard drive, this blog has been empty up to now. This post is a little out of the embedded systems programming scope I had in mind for this blog, but I’ve spent quite some time on getting it all together and felt the urge to properly document it. Leastwise to give some guidance to my future self about the setup of my PGP keys.

The desired PGP setup

I’m not a heavy duty PGP user, but I’ve had keys setup for my e-mail addresses for about 5 years now. I’m using one e-mail address for personal, but more or less formal correspondence, and one, that is based on a pseudonym of mine and that I use for correspondence with just a few people.

Let’s use an (partly realistic, partly fictional) example:

Suppose I’m a person called Daniel Wagenknecht and mainly I’m using the e-mail address dwagenk@mailprovider.org. I’m also enthusiastic about comics and in those circles I’m known as comicfreak_dan, using the e-mail address comicfreak_dan@comics.com. Since I’m privacy aware I’m using PGP whenever it is not tooooo inconvenient. Putting both of my e-mail addresses into the same PGP identity results in something like this:

sec   rsa4096/0x73E8D88F 2019-03-12 [SCE]
uid           [ultimate] Daniel Wagenknecht <dwagenk@mailprovider.org>
uid           [ultimate] comicfreak_dan <comicfreak_dan@comics.com>

It looks wrong, using it is like introducing myself as Daniel Wagenknecht a.k.a comicfreak_dan when I’m opening a bank account or meeting my doctor. I don’t want to link my pseudonym to all my formal email correspondence.

That’s why, when I first got started using PGP, I decided to use two identities instead. One is linked to my main, formal e-mail address and a second one goes with my pseudonymous email address.

The handling was easy, I just needed both private keys on my computer and for convenience set the same password for both of them.

In comes the Yubikey

Now after having had a Yubikey for a couple months and using it for 2-Factor-Authentication with some services, I also wanted to use it for PGP encryption and signing. But a single Yubikey has exactly one PGP subkey slot for each:

• encryption
• signing
• Authentication

So to keep the two PGP identities separate I could either use two Yubikeys, or transition only one PGP identity to the Yubikey and keep the other one in the traditional way. Both solutions didn’t really satisfy me.

My idea now was to use two identities, meaning two separate PGP masterkeys, but both holding the same subkeys for encryption, signing and authentication. So the desired key structure looks similar to this:

sec   rsa4096/0x73E8D88F 2019-03-12 [C]
uid           [ultimate] Daniel Wagenknecht <dwagenk@mailprovider.org>
ssb   rsa4096/0x87D67E3D 2019-03-12 [S] [expires: 2020-03-11]
ssb   rsa4096/0xA4C5604D 2019-03-12 [A] [expires: 2020-03-11]
ssb   rsa4096/0xC26C348F 2019-03-12 [E] [expires: 2020-03-11]

sec   rsa4096/0xDD6AA744 2019-03-12 [C]
uid           [ultimate] comicfreak_dan <comicfreak_dan@comics.com>
ssb   rsa4096/0x87D67E3D 2019-03-12 [S] [expires: 2020-03-11]
ssb   rsa4096/0xA4C5604D 2019-03-12 [A] [expires: 2020-03-11]
ssb   rsa4096/0xC26C348F 2019-03-12 [E] [expires: 2020-03-11]

Of course there is a drawback. As you can see above, someone who has both my public keys will be able to reach the conclusion, that both keys belong to me. If both keys are present on the keyservers, then searching for one of the subkey ids there will also list both master keys and make it pretty obvious, that both belong to me. I’m not living a dual life, so avoiding any link between the two of my identities by all means is not necessary and I’m fine with the solution. Of curse this could very well differ for you. Maybe you are a superhero and need to separate your identities? Maybe you’re just living in a country where you’re better off staying incognito as a political activist (always a good idea e.g. looking at Turkey right now or at the repression linked to the G20 summit in Hamburg, Germany about 1 ¹/₂ years ago).

Also I don’t know, if people having more experience with PGP than I do, will disapprove with this concept, because different masterkeys sharing the same subkeys is something not intended by PGP.

HowTo: use the same subkeys on a Yubikey with different master keys

There’s a couple of tutorials online, on how to set up PGP / GPG / Yubikey to work together. I’d recommend reading https://github.com/drduh/YubiKey-Guide. Here’s just a quick summary:

1. Use an offline computer for the key generation and keeping your master key. If you want to play around and do a dry-run, use a temporary GNUPGHOME (export GNUPGHOME=$(mktemp -d) ; echo $GNUPGHOME)
2. Ensure you’ve got a secure GPG configuration following best practices, both on your regular and your computer for key generation
3. create a new key with only the certification capability
4. add subkeys for signing, encryption and authentication
5. backup your keys to a secure location
6. configure your Yubikey
7. move the subkeys to your Yubikey
8. copy, import and trust your public key on your devices
9. use it!

I’ll not be going into detail about the common parts of this procedure, but focus on the two masterkeys sharing identical subkeys part. GPG comes with a way to import existing keys, using something called the keygrip, that allows us to copy the subkeys from one master key to another. On my first try using the subkeys with the second master key I failed, because the imported subkeys had different fingerprints then the original ones despite being made up of the same private key material. The cause: fingerprints hash not only the private key, but also it’s timestamp. So to have identical fingerprints for our subkeys we’ll have to create a timewarp later…

Now let’s get started!

1. Teach your computer how to create a timewarp, install faketime.
   • Ubuntu: sudo apt-get install faketime
   • Arch: sudo pacman -Sy libfaketime
   • Mac: faketime should be available, too
   • Windows: I’ve seen a tool called RunAsDate, that could work for our purposes

   Reach out to me, if you’ve got more information about how to make it work on Windows/Mac and I can include it here.

2. create a master key with only the certification capability

    NAME="Daniel Wagenknecht"
    MAIL="dwagenk@mailprovider.org"
    COMMENT=""
    {
    echo 8          # RSA (set your own capabilities)
    echo S          # Toggle off signing
    echo E          # Toggle off encryption
    echo Q          # Finished with setting own capabilities
    echo 4096       # Key length
    echo 0          # Key does not expire
    echo y          # is this correct?
    echo $NAME      # Real Name
    echo $MAIL      # Email address
    echo $COMMENT   # Comment
    echo O          # Okay
    } | gpg2 --command-fd=0 --status-fd=1 --expert --full-generate-key
   
    # Save the key-id of the generated key in environment for later use
    KEYID=id_of_your_just_created_key
   

   Since I like to program, meaning I’d rather spent hours on automating a task, than repeatedly answering interactive prompts, I’m using bash syntax and some flags for GPG to pass in input to GPG. Check out this answer on StackExchange/ServerFault for details.

   You should just need to adjust the variables at the top and copy the whole block into a terminal. The password prompts will still be interactive.

   If you want to know what’s actually happening, do the steps interactively by running gpg2 --expert --full-generate-key and using the echo statements above as guidance on what to select.

3. Create the second master key As I mentioned above we need to bend time a little and GPG will complain, if it notices what we’re doing. Creating the second master key before the subkeys will prevent that.

    NAME="comicfreak_dan"
    MAIL="comicfreak_dan@comics.com"
    COMMENT=""
    {
    echo 8          # RSA (set your own capabilities)
    echo S          # Toggle off signing
    echo E          # Toggle off encryption
    echo Q          # Finished with setting own capabilities
    echo 4096       # Key length
    echo 0          # key does not expire
    echo y          # is this correct?
    echo $NAME      # Real Name
    echo $MAIL      # Email address
    echo $COMMENT   # Comment
    echo O          # Okay
    } | gpg2 --command-fd=0 --status-fd=1 --expert --full-generate-key
   
    # Save the key-id of the generated key in environment for later use
    KEYID2=id_of_your_just_created_key
   

4. add subkeys to the first master key

    # Signing
    {
    echo addkey
    echo 8          # RSA (set your own capabilities)
    echo E          # Toggle off encryption
    echo Q          # Finished with setting own capabilities
    echo 4096       # Key length
    echo 1y         # Key is valid for 1 year
    echo y          # is this correct?
    echo y          # really create?
    echo save   
    } | gpg2 --command-fd=0 --status-fd=1 --expert --edit-key $KEYID
   
    # Encryption
    {
    echo addkey
    echo 8          # RSA (set your own capabilities)
    echo S          # Toggle off signing
    echo Q          # Finished with setting own capabilities
    echo 4096       # Key length
    echo 1y         # Key is valid for 1 year
    echo y          # is this correct?
    echo y          # really create?
    echo save   
    } | gpg2 --command-fd=0 --status-fd=1 --expert --edit-key $KEYID
   
    # Authentication
    {
    echo addkey
    echo 8          # RSA (set your own capabilities)
    echo S          # Toggle off signing
    echo E          # Toggle off encryption
    echo A          # Toggle on Authentication
    echo Q          # Finished with setting own capabilities
    echo 4096       # Key length
    echo 1y         # Key is valid for 1 year
    echo y          # is this correct?
    echo y          # really create?
    echo save   
    } | gpg2 --command-fd=0 --status-fd=1 --expert --edit-key $KEYID
   

5. collect all the necessary data about the subkeys

   We need each subkeys so called keygrip and it’s creation timestamp.

   Enter gpg2 --list-secret-keys --with-keygrip --with-colons and extract the needed information. See the highlighted parts in the output.

   [...]
    sec:u:4096:1:AE299F4373E8D88F:1552427224:::u:::cC:::+:::23::0:
    fpr:::::::::4C5A569630B7FFEEF29A811BAE299F4373E8D88F:
    grp:::::::::C020F1AC4B24B51C71E2481547DA6B926E8E7001:
    uid:u::::1552427224::B2FC8BCA72AC2CD7656861523F4B4F6752E42F3C::Daniel Wagenknecht <dwagenk@mailprovider.org>::::::::::0:                    
    ssb:u:4096:1:074D014F87D67E3D:1552427749:1583963749:::::s:::+:::23:
    fpr:::::::::814F2B6C98BCE6F780187695074D014F87D67E3D:
    grp:::::::::0F3765677327A472B3FE52F01B93A22A5E202D13::
    ssb:u:4096:1:571C4F86C26C348F:1552427813:1583963813:::::e:::+:::23:
    fpr:::::::::AB9F307FA0D9A648ED165193571C4F86C26C348F:
    grp:::::::::008FF4813D7897EE8DD33A27FDA533F9AF71C7DC: 
    ssb:u:4096:1:1428372BA4C5604D:1552427780:1583963780:::::a:::+:::23:
    fpr:::::::::3B1D7D423AABBDF6EB62B38D1428372BA4C5604D:
    grp:::::::::E703AA6F7A9FCA9F91E1FFC4F38B30081021CFA4:
    [...]

   So in my case the values are

   Subkey	Timestamp	Keygrip
   s = sign	1552427749	0F3765677327A472B3FE52F01B93A22A5E202D13
   e = encrypt	1552427813	008FF4813D7897EE8DD33A27FDA533F9AF71C7DC
   a = authenticate	1552427780	E703AA6F7A9FCA9F91E1FFC4F38B30081021CFA4

6. import the subkeys to the second master key

   I haven’t found a way to automatically feed the keygrips to gpg, you’ll need to copy them into the interactive prompts.

    # Signing
    TIMESTAMP_S=1552427749
    {
    echo addkey
    echo 13         # Existing key 
    echo E          # Toggle off encryption
    echo Q          # Finished with setting own capabilities
    echo 1y         # key is valid for 1 year
    echo y          # is this correct?
    echo y          # really create?
    echo save   
    } | faketime "$(date -d@$TIMESTAMP_S)" gpg2 --command-fd=0 --status-fd=1 --expert --edit-key $KEYID2
   
   

    # Encryption
    TIMESTAMP_E=1552427813
    {
    echo addkey
    echo 13         # RSA (set your own capabilities)
    echo S          # Toggle off signing
    echo Q          # Finished with setting own capabilities
    echo 1y         # key is valid for 1 year
    echo y          # is this correct?
    echo y          # really create?
    echo save   
    } | faketime "$(date -d@$TIMESTAMP_E)" gpg2 --command-fd=0 --status-fd=1 --expert --edit-key $KEYID2
   
   

    # Authentication
    TIMESTAMP_A=1552427780
    {
    echo addkey
    echo 13         # RSA (set your own capabilities)
    echo S          # Toggle off signing
    echo E          # Toggle off encryption
    echo A          # Toggle on Authentication
    echo Q          # Finished with setting own capabilities
    echo 1y         # key is valid for 1 year
    echo y          # is this correct?
    echo y          # really create?
    echo save   
    } | faketime "$(date -d@$TIMESTAMP_A)" gpg2 --command-fd=0 --status-fd=1 --expert --edit-key $KEYID2
   

   Now we’re done with the two masterkeys sharing identical subkeys part. You can go on with the regular procedure already outlined.

7. backup your keys to a secure location
8. configure your Yubikey. You can set a pub key url, and the corresponding key will work out of the box on any machine that has a working PGP / GPG setup and can reach that url.
9. move the subkeys to the Yubikey (only once, although they are associated with 2 master keys)
10. copy, import and trust your public key on your devices
11. use it!

A note on Openkeychain for Android

On my smartphone I’m using K9Mail and Openkeychain for my encrypted mails. Openkeychain has support for the Yubikey via NFC (or USB-C, depending on which device you got), so there’s no worries about jeopardizing my private keys when reading and writing encrypted mail on there. When configuring Openkeychain with a Yubikey, it will read the subkeys ids from the Yubikey and search for a matching master key in your keychain and online. It works fine for the first masterkey, but will not import the second one without using a trick.

1. open Openkeychain and go to manage private keys (name could be slightly off, I’ve got it installed in german)
2. select use security-token
3. if it finds one of your public keys (through keyserver or the url saved on the Yubikey), this key should be ready to use. If not provide it as a file.
4. test the first key on the device
5. backup the first key
6. delete the first key
7. repeat steps 1.-3. but make sure it doesn’t find the first public key, but the second (e.g. set your phone to airplane mode and provide the second public key via file)
8. test the second key on the device
9. restore the first key
10. it should work with both keys now

With this setup I’ve experienced both, GPG / Enigmail and Openkeychain mentioning the wrong user id / masterkey when trying to decrypt something, but decryption works anyway. The same could happen on any device, that has both of my public keys in the keychain, so someone who’s got both my public keys imported might get the notice, that an email is signed by dwagenk@mailprovider.org, whilst it was sent by comicfreak_dan@comics.com. This is unfortunate, but I guess with a setup like this it’s better to really separate the use of the keys: each of your correspondents should only have one of your public keys.

Thanks for reading. Send me an e-mail or open an issue in the repo if you’ve got any comments on this post. I’m interested in some discussion about my PGP setup!

CC-BY-SA-4.0