This Howto explains how to set up a Linux server that runs SSH, WireGuard VPN, Forgejo (a fork of Gitea, a web-based git forge, kinda like self-hosted Github) behind a local nginx reverse proxy and a minimal DNS server so we can have an internal domain for pretty URLs. It also shows how to set up a minimal MTA/mail forwarder so the server can send mails, an iptables + SSHGuard-based firewall, automated backups and some basic self-monitoring. As a bonus there’s a short section that outlines how to set up OpenProject in this environment.

To follow this Howto you’ll need (very) basic Linux commandline knowledge, i.e. you should be able to navigate the file system in a terminal, use SSH and edit textfiles with a terminal-based text editor (like nano, joe or vim, whatever you prefer).
It will assume that you’re using Ubuntu Server 22.04, but it should be the same for other (systemd-using) Debian-based Linux distributions, and reasonably similar when using other distributions. You’ll also need full root privileges on the system.

Hopefully this Howto is also useful if you only want to do some of these things (maybe set up a public Forgejo instance, or just a Wireguard server without Forgejo on it).

UPDATE: There was a bug in the backup and monitoring scripts (shouldn’t have used bash_function | tee foolog.txt), so I updated them accordingly.
UPDATE 2: Added something about configuring [git] HOME_PATH in Forgejo’s app.ini, which works around a Forgejo bug that prevents blobless clones.
UPDATE 3: Some small changes, and added a section about denying Git users SSH access unless they’re coming through the Wireguard VPN.
UPDATE 4: Replaced suggestions for using Hetzner or vultr with warnings about them.

Creating application binaries for Linux that run on a wide range of distributions is a bit tricky, as different distributions ship different versions of various system libraries. These are usually backwards compatible, but not forwards compatible, so programs linked against older versions of the libraries also work with newer versions, but not (necessarily) the other way around.
So you want to link your application against older versions of those libs; however, especially when using C++11 or newer, this is not always feasible.

This post will show how to deal with these issues. It has a focus on videogames, but the general ideas apply to other kinds of applications as well (with normal GUI applications you may have more or more complex dependencies like Qt which may need extra care that is not detailed here).

I also somehow ended up writing a short introduction into dynamic libraries and symbol versioning on Linux (last section of the article).

Because of https://github.com/nothings/stb/issues/113 I was wondering how good/bad stb_image_write’s PNG compression really is in comparison to other encoders.

So I did a quick comparison between stb_image_write (v0.98) LodePNG (version 20150418), miniz’s tdefl_write_image_to_png_file_in_memory_ex() (v1.15) and libpng (version 1.2.50 from Ubuntu 14.04), always with the highest possible compression I could configure.

Let’s assume you have an image that you want to use as a window icon in your cross-platform application that uses libSDL2.
A suitable window icon is 64x64pixels big (other sizes should work as well, though) and has 32bit RGBA colors, which means it contains an alpha-channel.

Now it would be handy if the icon could just be part of the executable and if this could be achieved in a platform-independent way.
Furthermore it’d be great if it didn’t require additional dependencies (e.g. to decode image files).

In this tutorial I’ll show how to translate the image into C source file containing a struct that holds the image data + necessary metadata (width, height, color depth) and how to load that struct into a SDL_Surface* and to set that surface as a window icon.

I recently tried out Sean Barrett’s stb_image.h and was blown away by how fucking easy it is to use.
Integrating it into your project is trivial: Just add the header and somewhere do:

#define STB_IMAGE_IMPLEMENTATION
#include "stb_image.h"

That’s all. (If you wanna use it in multiple files you just #include "stb_image.h" there without the #define.)

And the API is trivial too:

int width, height, bytesPerPixel;
unsigned char *pixeldata, *pixeldata2;
pixeldata = stbi_load("bla.jpg", &width, &height, &bytesPerPixel, 0);
// if you have already read the image file data into a buffer:
pixeldata2 = stbi_load_from_memory(bufferWithImageData, bufferLength,
                                   &width, &height, &bytesPerPixel, 0);
if(pixeldata2 == NULL)
    printf("Some error happened: %s\n", stbi_failure_reason());

There’s also a simple callback-API which allows you to define some callbacks that stb_image will call to get the data, handy if you’re using some kind of virtual filesystem or want to load the data from .zip files or something. And it supports lots of common image file types including JPEG, PNG, TGA, BMP, GIF and PSD.

So I wondered if there are any downsides regarding speed.

Don’t.
It’s a fucking pain in the ass.

Note: This refers to Windows 7 (and probably Vista and Server 2008 and older). Starting with Windows 8, the Windows installer should support UEFI better and things should be easier.

Buy a <= 2TB hard disk for Windows installations (additional Windows partitions can be on larger HDDs using GPT, it’s only painful for the system partitions). However, if you want to use a hard drive with >2TB for your Windows installation, you have to use GPT partitions (instead of the old MBR style which only supports <= 2TB disks - there you can only use the space > 2TB with ugly hacks and can’t have a continuous partition from 2TB) - and Windows can only boot from GPT partitions in UEFI mode.
To make things more challenging, Windows doesn’t offer creating a GPT partition table and partitions in the graphical installer (at least for Win7), so one has to use cmd.exe.
But don’t worry, the Linux part also sucks :-)
I’ll describe how I got Windows to install using GPT partitions on a 3TB harddisk, how to make an existing Linux (Debian Wheezy) installation boot via EFI (using grub-efi) and how I got my Mainboard ASUS Z87-A to boot this and GRUB to chainload (UEFI) Windows.

This is just a very short roundup of the relevant commands needed to reinstall grub, e.g. when migrating a Linux installation to a new hard drive.

• boot live Linux system (from CD/DVD or USB key, I use grml, any other live Linux should do)
• mount root-fs of your installation (e.g. /dev/sda2) to /mnt/
• if they’re in separate partitions, mount the /boot/, /usr/, … partitions of your installation to /mnt/boot, /mnt/usr/, …
• mount --bind /dev/ and /sys/ to /mnt/dev and /mnt/sys (maybe also /proc for older versions of grub?), grub will need those
• chroot /mnt
• execute grub-install $device (e.g. /dev/sda) to install grub to the MBR of $device
• update-grub to upgrade the grub menu entries
• If names of partitions changed, don’t forget to adjust /etc/fstab
• reboot, remove live linux
• configure your BIOS/UEFI to boot from that harddisk

That’s all - you should now be greeted by a fresh grub that lets you boot your Linux, BSD, Windows, .. installations

I recently got myself a Lenovo Thinkpad T500 (2055V1X) . I chose this older model over the T510 and such, because I prefer a screen resolution of 1680x1050 over a crippled 1600x900 or worse. I write and read a lot of code so I need vertical space on the display and I’d definitely miss the 150pixels additional vertical space my old Laptop (Samsung X20 with a resolution of 1400x1050) has.

However, I shrunk the Windows 7 partition (I didn’t want to dump Windows entirely) and installed Debian Squeeze (AMD64) in the resulting free space. I’m very pleased how painless everything was, almost all hardware ran out of the box, but I’ll document some interesting stuff (how to shrink windows partition without breaking it, how to make special keys work and display information on Linux, how to make the touchpad and trackpoint behave the way I want, …) anyway.

This is a follow-up to debian bug #541658 for Iceweasel: “cannot open research.microsoft.com”. It turned out that this bug applies to all (tested) browsers with cookie-support (Iceweasel, Opera, Chrome, Arora, Kazehakase), but only very few people are experiencing it.
First I’ll tell how to reproduce the bug, then I’ll sum up the facts I already collected in that bugreport and then I’ll document my further attempts to narrow down the problem.

UPDATE: The reason for that strange behaviour was found and I filed a new bugreport: No. #587789
UPDATE 2: Debians Kernel maintainer considers this expected behavior and told me to file a bugreport upstream and I did: Netfilter bug #622.
UPDATE 3: I think Microsoft has fixed their server. Of course the Linux kernel should be fixed anyway but there doesn’t seem to be much interest in doing so :-/
UPDATE 4: Three years later it had been fixed in the Linux kernel.

I’m using a eSATA external harddrive and want to be able to safely unplug it without shutting down my PC. While just removing the drive after unmounting worked so far, I’m not sure if it’s really safe - I’d really prefer to cleanly disconnect it and spinning it down before pulling the plug. I googled that and stumbled upon http://www.sakana.fr/blog/2009/05/04/linux-sata-hot-plug-unplug/ which seems to be a clean and safe way to do it, so I just wrote a script to do that.

My favorite desktop environment is XFCE, because it’s fast, doesn’t need much memory¹ and still is convenient (automounting of CDs and memory sticks, easy unmounting by clicking, a real desktop, etc). I also use SLiM as a display manager because it is slim and looks much better than xdm.

On my Laptop I also use GNOME’s NetworkManager because I haven’t yet found a better and less bloated alternative for handling wireless networks and VPNs. NetworkManager is able to store your passwords (WPA-keys etc) in the GNOME Keyring so you don’t need to enter them each time your laptop connects to a wireless network. But you still have to enter the password to unlock the keyring.. unless you let PAM handle that on login.

Like most computer-savvy people I am frequently asked to give tech support to my family etc. Because telling them on the telephone what to do is a major pain in the ass, VNC is my weapon of choice, if SSH isn’t sufficiant (got to show how something is done, SSH impossible/hard because the other side uses Windows or is behind a NAT, …).

I’ll describe how to set up a normal and reverse VNC-connections using x11vnc and TightVNC.

After years of using centericq for ICQ and Jabber I switched to gajim (ICQ via transport), because centericq didn’t have any useable UTF8 support. I was never really satisfied with gajim though, because I happen to switch between my PC and my Notebook multiple times a day, resulting in inconsistent chat-histories etc - a console based solution in a screen is so much nicer.

So I tried MCabber, that turned out to be really great once you’ve configured it to your needs. After installing MCabber (most Linux/BSD distributions should have a package or port) you’ll want to configure it to your needs.