Repos / hi.imnhan.com / f957cf1ea9
commit f957cf1ea97489dd9040c4c12f706fdc3c043e92
Author: Nhân <hi@imnhan.com>
Date:   Thu Sep 14 20:11:55 2023 +0700

    u-root braindump

diff --git a/ideas/index.dj b/ideas/index.dj
index fccdf08..b37cdc9 100644
--- a/ideas/index.dj
+++ b/ideas/index.dj
@@ -10,6 +10,40 @@ Description: "The idea is there. It just needs implementation."
 
 ---
 
+## A Linux appliance with u-root
+
+Only the kernel and a Go runtime, plus [a bunch][1] of busybox-like utils.
+Doesn't get more minimal than that!
+
+Candidates:
+
+- rss reader: see below
+- git-in-a-box: see [go-git][5]
+- btrfs NAS: encryption can use either gocryptfs, or fscrypt when its btrfs
+  support lands in mainline... [apparently soon?][6]
+
+Why not gokrazy? Nothing wrong with it, though I don't really need most of its
+amenities. Also I recently tried to update my old gokrazy instance and it
+failed for no obvious reason. Searching existing issues yielded no result and
+I'm too lazy to investigate further.
+
+### Preliminary research
+
+No ufw, so learn to use nftables directly instead.
+[This][2] is a good starting point.
+
+No ca-certificates: [copy from host][3] instead, e.g. on Arch:
+
+```
+u-root -files '/etc/ca-certificates/extracted/tls-ca-bundle.pem:/etc/ssl/certs/ca-certificates.crt'
+```
+
+To draw to fbdev, see [cmds/exp/fbsplash][4]. Helpful to draw a dashboard to
+hdmi out, like gokrazy.
+
+TODO: check if tailscale can run on this. That would cleanly solve the "enter
+disk encryption passphrase remotely after reboot" problem.
+
 ## Self hosted RSS reader in pure Go
 
 - Single executable, web based
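Review bot: The `u-root -files` example under "Preliminary research" bakes the host's CA bundle into the image at build time, and the text does not mention that the appliance's trust store is then frozen until the image is rebuilt. Suggest adding a sentence that the image has to be rebuilt whenever the host's CA bundle changes, so that roots removed upstream do not stay trusted on the device. It would also help to say which half of the `src:dst` pair is host-specific, since only the source path is covered by "e.g. on Arch".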
@@ -39,3 +73,10 @@ Eyeing Linode's 4GB RAM tier at $0.03/hr. But in general it should work on any
 cloud VPS that supports (almost) instant VM launch via API, and snapshots.
 
 - Easy on/off/status commands via Discord bot maybe
+
+[1]: https://github.com/u-root/u-root/tree/main/cmds/core
+[2]: https://wiki.nftables.org/wiki-nftables/index.php/Simple_ruleset_for_a_server
+[3]: https://github.com/u-root/u-root/issues/2151#issuecomment-990124460
+[4]: https://github.com/u-root/u-root/blob/main/cmds/exp/fbsplash/main.go
+[5]: https://github.com/go-git/go-git/issues/234
+[6]: https://youtu.be/6YIc2fVLVPU?si=AEB-iTJhTF-Nxo_3&t=893
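Review bot: The `[6]` definition keeps YouTube's `si=AEB-iTJhTF-Nxo_3` query parameter, which is a share-tracking identifier and is not needed for playback; suggest trimming the URL to the video id plus `t=893`. Also, `[5]` is labelled "go-git" in the text but points at issue 234 rather than the project, so a few words on what that issue covers would make the reference self-explanatory. The definitions are numbered in a different order from their first use in the section (`[5]` and `[6]` are used before `[2]`), which is worth tidying while the list is still short.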
diff --git a/ideas/index.html b/ideas/index.html
index 0903b02..601d68d 100644
--- a/ideas/index.html
+++ b/ideas/index.html
@@ -40,6 +40,40 @@ <h1>Potential project ideas</h1>
 <p>The idea is there. It just needs implementation.</p>
 </blockquote>
 <hr>
+<section id="A-Linux-appliance-with-u-root">
+<h2>A Linux appliance with u-root<a href="#A-Linux-appliance-with-u-root" class="heading-link">#</a></h2>
+<p>Only the kernel and a Go runtime, plus <a href="https://github.com/u-root/u-root/tree/main/cmds/core">a bunch</a> of busybox-like utils.
+Doesn’t get more minimal than that!</p>
+<p>Candidates:</p>
+<ul>
+<li>
+rss reader: see below
+</li>
+<li>
+git-in-a-box: see <a href="https://github.com/go-git/go-git/issues/234">go-git</a>
+</li>
+<li>
+btrfs NAS: encryption can use either gocryptfs, or fscrypt when its btrfs
+support lands in mainline… <a href="https://youtu.be/6YIc2fVLVPU?si=AEB-iTJhTF-Nxo_3&amp;t=893">apparently soon?</a>
+</li>
+</ul>
+<p>Why not gokrazy? Nothing wrong with it, though I don’t really need most of its
+amenities. Also I recently tried to update my old gokrazy instance and it
+failed for no obvious reason. Searching existing issues yielded no result and
+I’m too lazy to investigate further.</p>
+<section id="Preliminary-research">
+<h3>Preliminary research<a href="#Preliminary-research" class="heading-link">#</a></h3>
+<p>No ufw, so learn to use nftables directly instead.
+<a href="https://wiki.nftables.org/wiki-nftables/index.php/Simple_ruleset_for_a_server">This</a> is a good starting point.</p>
+<p>No ca-certificates: <a href="https://github.com/u-root/u-root/issues/2151#issuecomment-990124460">copy from host</a> instead, e.g. on Arch:</p>
+<pre><code>u-root -files '/etc/ca-certificates/extracted/tls-ca-bundle.pem:/etc/ssl/certs/ca-certificates.crt'
+</code></pre>
+<p>To draw to fbdev, see <a href="https://github.com/u-root/u-root/blob/main/cmds/exp/fbsplash/main.go">cmds/exp/fbsplash</a>. Helpful to draw a dashboard to
+hdmi out, like gokrazy.</p>
+<p>TODO: check if tailscale can run on this. That would cleanly solve the “enter
+disk encryption passphrase remotely after reboot” problem.</p>
+</section>
+</section>
 <section id="Self-hosted-RSS-reader-in-pure-Go">
 <h2>Self hosted RSS reader in pure Go<a href="#Self-hosted-RSS-reader-in-pure-Go" class="heading-link">#</a></h2>
 <ul>
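Review bot: The TODO paragraph that closes the "Preliminary research" section presents tailscale as a clean answer to entering the disk encryption passphrase remotely, but it leaves out where the tailscale credentials would live. Anything needed to join the network before the disk is unlocked has to sit outside the encrypted volume, so the TODO should also record that this key material is readable by anyone holding the boot media, and that the thing to check is how narrowly that node's access can be scoped. The same paragraph appears in the ideas/index.dj hunk and would need the same addition there.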