kentonv changed the topic of #sandstorm to: Welcome to #sandstorm: home of all things sandstorm.io. Say hi! | Have a question but no one is here? Try asking in the discussion group: https://groups.google.com/group/sandstorm-dev
<JacobWeisz[m]> I'm just thinking for stuff we highlight should be stuff people really see the huge risk of. Like hosing people's sensitive documents is way scarier than someone fudging with my RSS reader.
<isd> Yeah, though the section about the kernel kinda gets the point across just with sheer volume...
<JacobWeisz[m]> This additional server you're working on for the powerbox stuff in TTRSS, is that going to be portable-ish/useful to other apps?
<isd> It probably won't be that hard to adapt it.
<isd> Haven't written down the plan yet, but basically: modify the app to include one extra <script>, which we provide. That script makes a websocket connection to the server we provide. The server acts as an http proxy for the app, using the websocket to make powerbox requests for things it doesn't already have a capability for.
<isd> So, you'll get prompted basically for each new domain ttrss tries to access.
<isd> It would make for a smoother experience to replace the reader's own UI for inputting a feed URL with something that just makes a powerbox request, and therefore only require the user to go through the one dialog
<isd> But that's a bit more work.
<abliss> why per domain, rather than per url?
<isd> Could do per URL, and I might experiment
<isd> But I think what's likely to happen is the app then wants to make 10 other requests based on stuff it finds at that URL, for images etc.
<isd> I'm in favor of narrower permissions if we can get away with them, but we'll see how it goes.
<JacobWeisz[m]> I suspect the experience of adding a new feed will be rough. Because a lot of blogs use other CDN URLs.
<JacobWeisz[m]> The one that'll be really interesting is I have a feed that collects a bunch of other feeds, so until that one has a regular cycle through common feeds, I'll get a lot of arbitrary Powerboxes for various image embeds.
<JacobWeisz[m]> I mostly use apps because the web experience sucks. Hopefully a 2020 TTRSS port has a better web experience...
<isd> Still no good on mobile. ☹️
<JacobWeisz[m]> I usually use an app even on desktop
_whitelogger has joined #sandstorm
xet7 has joined #sandstorm
vertigo_38 has quit [Ping timeout: 260 seconds]
sam_w has quit [Ping timeout: 260 seconds]
sam_w has joined #sandstorm
<abliss> pty update: i've gotten tmux to boot, but lots is still shaky. i'm still on the knife's edge between 'this will never work' and 'i might be able to pull this off' (still no links to share, sorry)
sesscon has joined #sandstorm
<sesscon> Hey everyone, curious has anyone gotten the Acme-Cloudflare plugin to work?
<sesscon> For the life of me, unable to format the JSON configuration file correctly, and hoping to see if anyone has a working example
<JacobWeisz[m]> The default (Sandcats) uses Cloudflare uses it, so it definitely works. I would have to imagine that hence the correct config for it exists in the codebase?
<isd> ocdtrekkie: the cloudflare plugin is distinct from the sandcats one
<JacobWeisz[m]> Ah, I guess I imagined it probably embedded the Cloudflare configuration somewhere in there.
<isd> No, plugin talks to the sandcats server, sandcats talks to cloudflare.
<JacobWeisz[m]> Ahhhh
<sesscon> Ok, I am a little confused
<sesscon> On the default install, what webserver is being used?
<sesscon> Apache, Nginx?
<sesscon> 2nd question, in the admin panel it's asking for JSON format for the cloudflare plugin
<kentonv> sesscon, I just replied to your e-mail
<sesscon> I have all the correct information, just looking to how I can pass the info
<sesscon> Kenton, I saw... Thanks..
<kentonv> isd, sandcats doesn't use cloudflare (yet)
<sesscon> Are you suggesting that I set up Sandstorm for HTTP and use like NGINX, Caddy, Traefik to handle the SSL
<sesscon> ahh, kentonv so you're saying that option is there but not working yet?
<kentonv> sesscon, you can use sandstorm directly for HTTPS -- but this is a very new feature so it's a little rough right now
<sesscon> I have my own domain name, I can install certbot and have it do a post hook...
<kentonv> sesscon, are you using sandcats? If so, then you should NOT be trying to use the cloudflare plugin.
<sesscon> but I guess I need to know where should I push the certs...
<kentonv> if you're using your own domain, and it's on cloudflare, then it makes sense to use cloudflare
<sesscon> Yeah I am using Cloudflare for my own domain...
<kentonv> ok
<kentonv> so this is all very new, and you may need to edit your sandstorm.conf to get it to serve HTTPS... but Sandstorm can now serve HTTPS directly and can fetch certificates automatically
<kentonv> once you've configured cloudflare DNS and successfully fetched a certificate, you'll need to add HTTPS_PORT=443 to /opt/sandstorm/sandstorm.conf and restart sandstorm.
<sesscon> using systemctl restart correct?
<kentonv> you can also do `sudo sandstorm restart`
<kentonv> either awy
<kentonv> way
<sesscon> I am asking how do i configure cloudflare DNS from within sandstorm?
<kentonv> I answered your e-mail about that...
<sesscon> Ok, I will reread it
<sesscon> but I think i am still missing something
<kentonv> basically all you need to give the cloudflare plugin is a Cloudflare API token
<kentonv> and then it will talk to Cloudflare and Let's Encrypt in order to get a certificate issued
<kentonv> the format of the JSON blob is: {"token": "<your token here>"}
<kentonv> I gtg in a moment so if you have a question about this ask it soon... :)
dckc has joined #sandstorm
<sesscon> kentonv so the three blobs would be email and token?
<sesscon> also regarding the wildcard host should it be WILDCARD_HOST=*.domain.com
<sesscon> ?
<isd> sesscon: yes re: WILDCARD_HOST
<sesscon> Thanks guys, now I just need to figure out the correct blobs for cloudflare
<sesscon> I am under the impression the only thing it should need is email address
<sesscon> and token
<sesscon> usually with the certbot plugin I do with dns_cloudflare_email = email address, and dns_cloudflare_api_key= DNS key
<sesscon> just need to know what to label those values in the blob, or can someone show me where I should look for those values. I prefer to learn vice just being given the answer
<abliss> i'd look in the source of the plugin
<isd> (We will at some point have a reasonable UI for this...)
<isd> I'm not sure you actually need to supply the email there? The example suggests just the single "token" field per kentonv's comment earlier
<isd> Have you tried just supplying the api key in the token field and nothing else?
<kentonv> sesscon, no, you need an API token.
<kentonv> certbot uses the old authentication method that uses email+key
<kentonv> that mode is deprecated by cloudflare
<kentonv> you need to create an API token as described in the acme-dns-01-cloudflare readme
<kentonv> API tokens are preferred because you can give them restricted permissions
<sesscon> kentonv hey bro, send me your address
<sesscon> I am sending a case of beer
<sesscon> Wow, You're right... Only the API token is needed... I've been using the Key + Email which threw me off...
<kentonv> haha, thanks but I've got plenty of beer. I'm happy it worked!
<kentonv> yeah API tokens were new last year
<kentonv> so a lot of things don't use them yet
<sesscon> Yeah right on.... Ok last question...
<sesscon> Thinking about using google for oauth...
<kentonv> (I work for Cloudflare -- and frankly it's embarrassing we didn't have API tokens sooner...)
<sesscon> I was halfway through the process, and it asked me to submit my app to google
<sesscon> Ok.. speaking of cloud flare should I just use them for Authentication?
<kentonv> there isn't an option for that currently (heh, maybe I should add Cloudflare Access integration...)
<sesscon> Trying to think the best way to handle this situation... Question 3... I liked, there is no internal DNS server in sandstorm?
<sesscon> Kenton, how old are you man?
<kentonv> Google changes their damned OAuth UI like every month, it's possible the instructions are no longer correct
<sesscon> kentonv, figured.... I will take my time and look through it again...
<sesscon> What would you use ldap, saml, etc?
<sesscon> Selfhosting of course...
<kentonv> I tend to prefer GitHub login personally, they don't make it so hard.
<kentonv> there is no internal DNS server, correct
<kentonv> I'm not a big fan of LDAP or SAML because they are really freaking hard to set up
<kentonv> but everyone has their own opinions on this
<abliss> I used the google oauth instructions in the last month, and they worked for me. you do indeed have to create a new 'application' identifier
<abliss> (it's not really 'submitting an app to google', just making up a unique string to use as a kind of namespace)
<kentonv> not sure what my age has to do with anything... :)
<sesscon> True, just curious
<sesscon> Hoping you're way older than me cause I have the feeling you're way smarter in many ways than me
<abliss> kenton's way smarter than all of us, i think, even the ones who are older :)
<kentonv> dunno about smart but I am getting old
<kentonv> recently a guy who was trashing my work on HN was like "I'm just telling you, as a person with two decades of programming experience, that blah blah", and I had to respond with "cool, I just hit three decades"
<JacobWeisz[m]> I did LDAP with my new home Active Directory setup.
<kentonv> aww, you should have tried SAML+ADFS (and pulled all your hair out)