Almost out of summer
And now we have chickens
TTPYC Spring Regatta in Des Moines
CYCT Harbor Series #3
My weather station hasn't been working right for a while. I've got a handful of ESP8266 boards sitting here, so I've decided to repurpose the housing and sensors to build my own direct-to-wifi WX station. Most of the sensors are straightforward: a moving piece with a magnet attached triggers a reed switch to count the movements as pulses (wind speed, rainfall). The temp and humidity sensor is a very common I2C chip (SHT21). The wind direction indicator, however, is fascinating. The wind position indicator is the black circle with four concentric grooves cut in it. An LED slides in near the outside edge and illuminates a reflector/diffuser under the grooves. Four more LEDs mounted on the PCB are lined up over the grooves. Since LEDs produce a small voltage in the presence of light, those four LEDs detect which grooves are exposed, producing a four-bit indication of the wind angle. To reuse the wind indicator, I'll need to build a new PCB with holes for the sensor LEDs in just the right spots. Measuring small things is hard...
After much procrastination, I've finished building my TR-35 kit. Next up, a portable antenna to go with it.
I've been building an OAuth2 (and IndieAuth)-based single sign-on system, with the intention of using it as the auth layer for a few things I plan to build for my own use. Along the way, I've been contemplating how I could use the same system for... well... everything. This morning I wondered if I could use it for my own git repositories.
Currently, my git repositories are in GitHub (I oscillate back and forth between self-hosting various things and using other services). I use an SSH key hidden away in a hardware key (Yubikey) for authentication. One downside of my current setup is that I need a somewhat finicky setup (GPG SSH Agent) on any machine where I want to use the key. Another is that only the most expensive Yubikeys have the ability to run the GPG Applet; I only have the one, and it's not always next to me when I want it. I have a handful of u2f-only security keys, so there's always one nearby.
GitHub's solution appears to be something like Gmail's app passwords: basically a special password that you use for git operations, with each password presumably used on only a single machine. However, it's still a long-lived credential (floating around a disk in plain text even). Can I do better?
I did a bit of reading on how Git works over HTTP and came across a config option to pass extra HTTP headers. That would allow me to send an OAuth2 bearer token. So I could put Git behind a reverse proxy, which could be responsible for checking the access token. Now I just need to make getting and refreshing the access token somewhat convenient.
I recently built a command line tool for getting access tokens from the SSO service. It has two sub-commands: login, which requests or refreshes an access token using the OAuth2 device flow, and curl, which passes the rest of its arguments to curl and adds an authorization header with the current token. I'm thinking of adding a new git-setup command, which would modify my git config with a new block for the git server, with the authorization header in the extraHeader option. This would be a short-lived credential that would last for a day. Future login commands would update the access token in the config. In a pinch, if I was in an environment where I couldn't use the CLI tool, I could get an access token from the website and pass the token into git.
So the initial setup would look something like this:
$ sso git-setup https://git.jesterpm.net
Go to https://... and enter code ABCD-EFGH to authorize access.
$ cat ~/.gitconfig
[http "https://git.jesterpm.net"]
extraHeader = Authorization: Bearer xxxxxx
Then the day-to-day flow would look like:
$ sso login # Assuming it hasn't already been done for some other reason
Go to https://... and enter code JKMNP-QRST to authenticate yourself.
$ git push
I think I could arrive at a solution that was even more portable (that didn't need the sso tool to be installed). For example, I could have a hosted shell script so that I run curl https://git.jesterpm.net/login.sh | sh to set everything up, but I really don't find myself trying to access code on random machines much anymore.
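What the proposed git-setup and login steps would have to do to the git config, as an added sketch (not the author's sso tool; `set_git_bearer` and `header_for` are hypothetical helper names): scope the header to the one server, replace rather than append on every refresh, and keep the file owner-only, since the token sits there in plain text.

```shell
#!/bin/sh
# Added example: write or refresh a per-server bearer header in a git config
# file. Helper names are hypothetical; only standard `git config` options are used.

# set_git_bearer CONFIG_FILE BASE_URL TOKEN
set_git_bearer() {
    f=$1 url=$2 tok=$3

    # A bearer token sent over plain http is readable in transit.
    case $url in
        https://*) ;;
        *) echo "refusing non-https URL: $url" >&2; return 1 ;;
    esac

    # Accept only RFC 6750 token characters. Whitespace or a newline in the
    # value would let a bad token smuggle in extra header content.
    case $tok in
        ''|*[!A-Za-z0-9._~+/=-]*) echo "unexpected token characters" >&2; return 1 ;;
    esac

    # Tighten an existing file before the secret goes in.
    if [ -e "$f" ]; then chmod 600 "$f" || return 1; fi

    (
        umask 077   # a newly created file is owner-only from the start
        # extraHeader is multi-valued: --add would keep yesterday's token and
        # send two Authorization headers, so replace every existing value.
        git config --file "$f" --replace-all \
            "http.$url.extraHeader" "Authorization: Bearer $tok"
    ) || return 1
    chmod 600 "$f"
}

# header_for CONFIG_FILE REPO_URL
# Prints the header git would attach for REPO_URL, using git's own URL
# matching; prints nothing and returns non-zero when no section applies.
header_for() {
    git config --file "$1" --get-urlmatch http.extraHeader "$2"
}
```

Because the value lives under `http.<url>.extraHeader` rather than plain `http.extraHeader`, requests to any other host carry no token; `header_for` is a quick way to confirm that for a given remote.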
Last weekend's progress on raised beds.
This is the private signal flag that I fly from my boat (or anywhere, really). A private signal (or a house flag) was traditionally a flag that represented the owner of the boat. They aren't very common anymore—the closest I usually see is someone flying Blackbeard's flags—but given my interest in archaic communication systems, here we are...
As best as I can describe it, it's a blue swallowtail flag, charged with two green right triangles, each surmounted by a white chevron, the peak of the first at the first third and the peak of the second at the crutch, with the second overlapping the first.
I designed it near the end of the summer of 2021. This was the favorite of a half-dozen or so iterations. All of them were blue, green, and white and vaguely represented both mountains and the letter M. All of those are fairly common elements, but I wanted the flag to be somewhat unique. After searching through Flags of the World, Wikipedia, and reverse image search, the most similar flags I could find were Ed Mitchell's reimagined flag for Montana and the flag for the city of Seward, Alaska. The swallowtail shape helps set it apart from most flags. It fits with the theme, since private signals were traditionally swallowtailed (perhaps for the same reason...). Along the way I also found the FlagWaver web app, which was really helpful to visualize how the flag would look with and without wind.
If, somehow, you found this page after seeing the flag, do let me know.
I finally decommissioned Californium, my 12-year-old Linode instance first launched 2009-12-19. It was a Gentoo installation that was so out of date that portage couldn't update anymore. I started this migration so long ago that its replacement has already been replaced once.