00:10 <JacobWeisz[m]> I'm just thinking for stuff we highlight should be stuff people really see the huge risk of. Like hosing people's sensitive documents is way scarier than someone fudging with my RSS reader.

00:18 <isd> Yeah, though the section about the kernel kinda gets the point across just with sheer volume...

00:44 <JacobWeisz[m]> This additional server you're working on for the powerbox stuff in TTRSS, is that going to be portable-ish/useful to other apps?

01:02 <isd> It probably won't be that hard to adapt it.

01:04 <isd> Haven't written down the plan yet, but basically: modify the app to include one extra <script>, which we provide. That script makes a websocket connection to the server we provide. The server acts as an http proxy for the app, using the websocket to make powerbox requests for things it doesn't already have a capability for.

01:05 <isd> So, you'll get prompted basically for each new domain ttrss tries to access.

01:05 <isd> It would make for a smoother experience to replace the reader's own UI for inputting a feed URL with something that just makes a powerbox request, and therefore only require the user to go through the one dialog

01:06 <isd> But that's a bit more work.

01:06 <abliss> why per domain, rather than per url?

01:06 <isd> Could do per URL, and I might experiment

01:07 <isd> But I think what's likely to happen is the app then wants to make 10 other requests based on stuff it finds at that URL, for images etc.

01:08 <isd> I'm in favor of narrower permissions if we can get away with them, but we'll see how it goes.

01:09 <JacobWeisz[m]> I suspect the experience of adding a new feed will be rough. Because a lot of blogs use other CDN URLs.

01:10 <JacobWeisz[m]> The one that'll be really interesting is I have a feed that collects a bunch of other feeds, so until that one has a regular cycle through common feeds, I'll get a lot of arbitrary Powerboxes for various image embeds.

01:11 <JacobWeisz[m]> I mostly use apps because the web experience sucks. Hopefully a 2020 TTRSS port has a better web experience...

01:12 <isd> Still no good on mobile. ☹️

01:43 <JacobWeisz[m]> I usually use an app even on desktop

16:58 <abliss> pty update: i've gotten tmux to boot, but lots is still shaky. i'm still on the knife's edge between 'this will never work' and 'i might be able to pull this off' (still no links to share, sorry)

19:40 <sesscon> Hey everyone, curious has anyone gotten the Acme-Cloudflare plugin to work?

19:40 <sesscon> For the life of me, unable to format the JSON configuration file correctly, and hoping to see if anyone has a working example

20:18 <JacobWeisz[m]> The default (Sandcats) uses Cloudflare uses it, so it definitely works. I would have to imagine that hence the correct config for it exists in the codebase?

20:34 <isd> ocdtrekkie: the cloudfare plugin is distinct from the sandcats one

20:37 <JacobWeisz[m]> Ah, I guess I imagined it probably embedded the Cloudflare configuration somewhere in there.

20:46 <isd> No, plugin talks to the sandcats server, sandcats talks to cloudflare.

20:54 <JacobWeisz[m]> Ahhhh

21:17 <sesscon> Ok, I am a little confused

21:17 <sesscon> On the default install, what webserver is being used?

21:17 <sesscon> Apache, Nginx?

21:18 <sesscon> 2nd question, in the admin panel it's asking for JSON format for the cloudflare plugin

21:18 <kentonv> sesscon, I just replied to your e-mail

21:18 <sesscon> I have all the correct information, just looking to how I can pass the info

21:18 <sesscon> Kenton, I saw... Thanks..

21:19 <kentonv> isd, sandcats doesn't use cloudflare (yet)

21:19 <sesscon> Are you suggesting that I setup Sandstorm for HTTP and use like NGINX, Caddy, Traefik to handle the SSL

21:19 <sesscon> ahh, kentonv so you're saying that option is there but not working yet?

21:19 <kentonv> sesscon, you can use sandstorm directly for HTTPS -- but this is a very new feature so it's a little rough right now

21:19 <sesscon> I have my own domain name, I can install certbot and have it do a post hook...

21:20 <kentonv> sesscon, are you using sandcats? If so, then you should NOT be trying to use the cloudflare plugin.

21:20 <sesscon> but I guess I need to know where should I push the certs...

21:20 <kentonv> if you're using your own domain, and it's on cloudflare, then it makes sense to use cloudflare

21:20 <sesscon> Yeah I am using Cloudflare for my own domain...

21:20 <kentonv> ok

21:21 <kentonv> so this is all very new, and you may need to edit your sandstorm.conf to get it to serve HTTPS... but Sandstorm can now serve HTTPS directly and cat fetch certificates automatically

21:22 <kentonv> once you've configured cloudflare DNS and successfully fetched a certificate, you'll need to add HTTPS_PORT=443 to /opt/sandstorm/sandstorm.conf and restart sandstorm.

21:22 <sesscon> using systemctl restart correct?

21:22 <kentonv> you can also do `sudo sandstorm restart`

21:22 <kentonv> either awy

21:22 <kentonv> way

21:22 <sesscon> I am asking how do i configure cloudflare DNS wfrom within sandstorm?

21:22 <kentonv> I answered your e-mail about that...

21:23 <sesscon> Ok, I will reread it

21:23 <sesscon> but I think i am sitll missing somehting

21:24 <kentonv> basically all you need to give the cloudflare plugin is a Cloudflare API token

21:25 <kentonv> and then it will talk to Cloudflare and Let's Encrypt in order to get a certificate issued

21:25 <kentonv> the format of the JSON blob is: {"token": "<your token here>"}

21:26 <kentonv> I gtg in a moment so if you have a question about this ask it soon... :)

22:17 <sesscon> kentonv so the three blobs would be email and token?

22:19 <sesscon> also regarding the wildcard host should it be WILDCARD_HOST=*.domain.com

22:19 <sesscon> ?

22:36 <isd> sesscon: yes re: WILDCARD_HOST

22:36 <sesscon> Thanks guys, now I just need to figure out the correct blobs for cloudflare

22:36 <sesscon> I am under the impression the only thing it should need is email address

22:36 <sesscon> and token

22:37 <sesscon> usually with the certbot plugin I do with dns_cloudflare_emai = email address, and dns_cloudflare_api_key= DNS key

22:38 <sesscon> just need to know what to label those values in the blob, or can someone show me where I should look for those values. I prefer to learn vice just be giving the answer

22:40 <abliss> i'd look in the source of the plugin

22:41 <isd> (We will at some point have a reasonable UI for this...)

22:42 <isd> From looking at: https://github.com/nodecraft/acme-dns-01-cloudflare#usage

22:43 <isd> I'm not sure you actually need to supply the email there? The example suggests just the single "token" field per kentonv's comment earlier

22:44 <isd> Have you tried just supplying the api key in the token field and nothing else?

23:05 <kentonv> sesscon, no, you need an API token.

23:06 <kentonv> certbot uses the old authentication method that uses email+key

23:06 <kentonv> that mode is deprecated by cloudflare

23:06 <kentonv> you need to create an API token as described in the acme-dns-01-cloudflare readme

23:09 <kentonv> API tokens are preferred because you can give them restricted permissions

23:44 <sesscon> kentonv hey bro, send me your address

23:44 <sesscon> I am sending a case of beer

23:45 <sesscon> Wow, You're right... Only the API token is needed... I've been using the Key + Email which threw me off...

23:45 <kentonv> haha, thanks but I've got plenty of beer. I'm happy it worked!

23:45 <kentonv> yeah API tokens were new last year

23:45 <kentonv> so a lot of things don't use them yet

23:45 <sesscon> Yeah right on.... Ok last question...

23:46 <sesscon> Thinking about using google for oauth...

23:46 <kentonv> (I work for Cloudflare -- and frankly it's embarrassing we didn't have API tokens sooner...)

23:46 <sesscon> I was halfway through the process, and it asked me to submit my app to google

23:47 <sesscon> Ok.. speaking of cloud flare should I just use them for Authentication?

23:47 <kentonv> there isn't an option for that currently (heh, maybe I should add Cloudflare Access integration...)

23:47 <sesscon> Trying to think the best way to handle this situation... Question 3... I liked, there is no internal DNS server in sandstorm?

23:47 <sesscon> Kenton, how old are you man?

23:47 <kentonv> Google changes their damned OAuth UI like every month, it's possible the instructions are no longer correct

23:48 <sesscon> kentonv, figured.... I will take my time and look through it again...

23:48 <sesscon> What would you use ldap, saml, etc?

23:48 <sesscon> Selfhosting of course...

23:49 <kentonv> I tend to prefer GitHub login personally, they don't make it so hard.

23:49 <kentonv> there is no internal DNS server, correct

23:49 <kentonv> I'm not a big fan of LDAP or SAML because they are really freeking hard to set up

23:49 <kentonv> but everyone has their own opinions on this

23:49 <abliss> I used the google oauth instructions in the last month, and they worked for me. you do indeed have to create a new 'application' identifier

23:50 <abliss> (it's not really 'submitting an app to google', just making up a unique string to use as a kind of namespace)

23:51 <kentonv> not sure what my age has to do with anything... :)

23:52 <sesscon> True, just curious

23:52 <sesscon> Hoping you're way older then me cause I have the feeling you're way smarter in many ways then me

23:53 <abliss> kenton's way smarter than all of us, i think, even the ones who are older :)

23:53 <kentonv> dunno about smart but I am getting old

23:54 <kentonv> recently a guy who was trashing my work on HN was like "I'm just telling you, as a person with two decades of programming experience, that blah blah", and I had to respond with "cool, I just hit three decades"

23:55 <JacobWeisz[m]> I did LDAP with my new home Active Directory setup.

23:57 <kentonv> aww, you should have tried SAML+ADFS (and pulled all your hair out)