00:01 <isd> If you just want a thing that makes self hosting traditional-ish server stuff easier, there's https://yunohost.org though I can't vouch for it as I haven't tried it

00:01 <isd> There are a lot of things about sandstorm that are pretty unique though.

00:02 <isd> The powerbox stuff has quite a lot of potential, but it isn't used extensively by very many apps yet.

00:03 <isd> I don't actually know if they support arm, now that I think of it.

00:03 <isd> Ah, yes they do.

00:13 <limbo_> ah, I've used yunohost before. Thought In remembred it, but couldn't get the name.

00:20 <limbo_> I can't seem to find a site for powerbox, would you mind linking it?

00:40 <limbo_> isd: ^

00:57 <isd> limbo_: the powerbox is a feature of sandstorm: https://docs.sandstorm.io/en/latest/developing/powerbox/

00:58 <limbo_> ahh.

01:20 <ocdtrekkie> isd: I think heavy work on apps is going to lead to heavy work on core. Nothing brings people to a project like being able to do something with it.

01:21 <ocdtrekkie> One of the reasons I'm so excited about the background scheduling API. It not only will make some existing apps, like TinyTinyRSS, better, but it opens up a whole new class of apps that will work on Sandstorm.

01:21 <isd> Indeed.

01:22 <ocdtrekkie> I think turning off the update checker is simply a matter of not specifying an update branch in the config.

01:22 <ocdtrekkie> And then sandstorm update doesn't work (and doesn't occur automatically)

01:22 <ocdtrekkie> And you can update manually with "sandstorm update dev"

01:22 <isd> speaking of which: have you looked into using the powerbox stuff to do http requests, instead of relying on the (temporary) lack of Content-Security-Policy enforcement.

01:23 <isd> ?

01:23 <ocdtrekkie> I am not much of a developer and haven't looked at much at all relating to using the Powerbox.

01:23 <isd> It would be nice to close that hole, TinyTinyRSS is the only app I know of off the top of my head that really *needs* it.

01:24 <ocdtrekkie> TTRSS doesn't use client-side AFAIK.

01:24 <ocdtrekkie> There's an API to just make HTTP requests, IIRC.

01:24 <ocdtrekkie> Which is also a hole, just not a CSP one.

01:25 <isd> How is TinyTinyRSS doing it?

01:27 <ocdtrekkie> https://github.com/sandstorm-io/sandstorm/blob/master/src/sandstorm/hack-session.capnp

01:27 <ocdtrekkie> isd: That

01:28 <ocdtrekkie> I am a shoddy developer and really only port things that work as-is. But I am reasonably good at quickly finding information about Sandstorm. :)

01:29 <isd> Ah, yup

01:30 <isd> Is anything actually using the CSP hole that needs it?

01:30 <ocdtrekkie> Nothing intentional, AFAIK.

01:30 <ocdtrekkie> There is probably some unintentional stuff. Might be some Google Fonts or crud here and there, I tried to open issues on most of that when I saw it.

01:31 <isd> I think we should break things sooner rather than later. I'm going to stirr the issue.

01:31 <TimMc> Wait, there's a CSP hole?

01:32 <ocdtrekkie> Client side you can request whatever you want.

01:32 <ocdtrekkie> But you can also monitor that with things like Privacy Badger on the browser side.

01:32 <ocdtrekkie> It's technically a less worse hole than HackSession's HttpGet.

01:32 <TimMc> Oh, I thought Sandstorm imposed CSP already.

01:32 <ocdtrekkie> Not yet

01:33 <TimMc> TIL

01:33 <ocdtrekkie> Or at least not to the extent desired, I think.

01:36 <isd> Yeah, this was a surprise to me as well at one point: https://github.com/sandstorm-io/sandstorm/issues/2906

01:36 <ocdtrekkie> But anyways, on the backend side an app would have to specifically use the HackSession API, so it's reasonably easy to check that an open source app you use doesn't use it. And on the client side, Privacy Badger is gonna show it.

01:36 <ocdtrekkie> So it's manageable at the moment, though obviously room for improvement.

01:38 <ocdtrekkie> There was a bookmark app using the CSP hole to load site icons, but it didn't get published.

01:39 <isd> Yeah, that's actually what prompted this -- the author even noted this and said the app would degrade gracefully.

01:41 <isd> I poked at the issue.

01:54 <TimMc> I wonder if each Sandstorm instance should have its own CSP violation reporting grain. :-)

12:06 <sandcut> Hi! My sandcats.io server is unreachable and I can't figure out why!

12:07 <sandcut> Need some help

12:08 <sandcut> Any problem with sandcats.io DNS maybe?

12:09 <JonTheNiceGuy> works for me - want me to check yours out?

12:59 <sandcut> I sent you a PM JonTheNiceGuy

13:01 <JonTheNiceGuy> sandcut: I'm not seeing it :( I'm using the IRC bridge from Matrix.org, so that's probably eaten it :( Do you want to mail jon@sprig.gs and I'll take a look

13:28 <JonTheNiceGuy> sandcut: DNS resolves OK, it's redirecting properly from HTTP to HTTPS, but the HTTPS isn't loading. It's seems like there's probably an issue there. Check to make sure the sandstorm service is running (`systemctl status sandstorm`), and that it's listening to https (`sudo netstat -antp | grep sandstorm`).

13:41 <sandcut> Thanks JonTheNiceGuy. But the service is running and listening :/

13:42 <JonTheNiceGuy> Check firewall rules on your host (`iptables -L`), port forwarding from your router and failing all that, tcpdump to see if your device is actually receving the packets.

13:43 <JonTheNiceGuy> Also, if you HTTPS to the device's IP address inside then network (barring certificate errors because you're addressing the IP address not the machine name), do you get a response?

13:44 <sandcut> Let's see...

13:46 <sandcut> It's not accessing through the local address either https://192.168.1.x

13:46 <JonTheNiceGuy> iptables and tcpdump it is then!

13:46 <JonTheNiceGuy> Good luck!

13:47 <sandcut> Ohmy! Thanks Jon!

13:50 <JonTheNiceGuy> no worries. If you're not OK with tcpdump, let me know - I'll tell you what to take a look at.

13:50 <sandcut> Never done it yet :) Will see how it goes ^^)

13:51 <JonTheNiceGuy> np

15:18 <sandcut> Hi again, I'm still quite lost, tbh. Could you give me some more hints on what to look :/ I'm on the verge of making a new reinstall and restore, but I'm afraid it'll happen again...

15:20 <JonTheNiceGuy> OK, so with `tcpdump -i eth0 port 443` (note, your interface might not be eth0, it might be enp0s3 or something equally confusing), try to establish an HTTPS session to the device. If you don't see it, then there's something outside the box which is preventing the HTTPS packets from getting in. If you *do* see it, but no response is firing, then there's something wrong in Sandstorm. If you see a request and a response, but

15:20 <JonTheNiceGuy> you're not seeing the response on your machine, then it's back to being something outside the box.

15:22 <JonTheNiceGuy> Oh, and also, it might be worth pastebin'ing the results of `iptables -L` (sanitize as necessary)

16:42 <JonTheNiceGuy> sandcut: that shows your box is responding, so something else on your network is stopping the traffic from flowing.

16:48 <sandcut> I can't reach to it. :(

16:49 <sandcut> I'm going to reboot x) the Host machine. IDK I feel like that lab dog of the meme. T.T

16:50 <sandcut> I'll be back

16:56 <deadcert> Hi! My sandcats.io server is throwing a certificate problem

17:23 <JonTheNiceGuy> deadcert: have you got a proxy like nginx in front of it?

17:29 <TimMc> They're gone.

17:52 <JonTheNiceGuy> Rats, so they did. Ah well

19:08 <DanC_> I'm stuck at "create account"; how do I get back to "sign in" from https://oasis.sandstorm.io/grain

19:10 <DanC_> well, that did it

19:10 <DanC_> what prompted me to sign in: Hakyll CMS

19:11 <DanC_> I played with it once but didn't want to maintain my own installation

19:14 <DanC_> markdown to HTML is haywire. hm.

19:16 <DanC_> ah. now I see how the .md is supposed to work

19:17 <DanC_> grr.... now publish doesn't work: 404 not found: /index.html