Add RSS feed
This commit is contained in:
parent
d3ec6ddd55
commit
4270bbf271
|
@ -1 +1,2 @@
|
||||||
.vscode
|
.vscode
|
||||||
|
.DS_Store
|
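--- a/Gemfile
+++ b/Gemfile
@@ -5,3 +5,4 @@ source "https://rubygems.org"
 # gem "rails"
 
 gem "jekyll", "~> 4.3"
+gem "jekyll-feed"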
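Review bot: `gem "jekyll-feed"` is added with no version constraint, while the `jekyll` line directly above it is pinned with `~> 4.3`, so the new dependency is the only one in this hunk that a later `bundle update` may move across a major version unnoticed. The lockfile in the same commit resolves it to `jekyll-feed (0.17.0)`, so the matching pessimistic pin is `gem "jekyll-feed", "~> 0.17"`. Since a Jekyll plugin runs as Ruby code inside every build, keeping its upgrade path explicit in the Gemfile is worth the one extra token.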
12
Gemfile.lock
12
Gemfile.lock
|
@ -10,6 +10,9 @@ GEM
|
||||||
http_parser.rb (~> 0)
|
http_parser.rb (~> 0)
|
||||||
eventmachine (1.2.7)
|
eventmachine (1.2.7)
|
||||||
ffi (1.17.0)
|
ffi (1.17.0)
|
||||||
|
ffi (1.17.0-arm64-darwin)
|
||||||
|
ffi (1.17.0-x86_64-darwin)
|
||||||
|
ffi (1.17.0-x86_64-linux-gnu)
|
||||||
forwardable-extended (2.6.0)
|
forwardable-extended (2.6.0)
|
||||||
google-protobuf (3.25.5)
|
google-protobuf (3.25.5)
|
||||||
google-protobuf (3.25.5-arm64-darwin)
|
google-protobuf (3.25.5-arm64-darwin)
|
||||||
|
@ -34,6 +37,8 @@ GEM
|
||||||
safe_yaml (~> 1.0)
|
safe_yaml (~> 1.0)
|
||||||
terminal-table (>= 1.8, < 4.0)
|
terminal-table (>= 1.8, < 4.0)
|
||||||
webrick (~> 1.7)
|
webrick (~> 1.7)
|
||||||
|
jekyll-feed (0.17.0)
|
||||||
|
jekyll (>= 3.7, < 5.0)
|
||||||
jekyll-sass-converter (3.0.0)
|
jekyll-sass-converter (3.0.0)
|
||||||
sass-embedded (~> 1.54)
|
sass-embedded (~> 1.54)
|
||||||
jekyll-watch (2.2.1)
|
jekyll-watch (2.2.1)
|
||||||
|
@ -61,6 +66,12 @@ GEM
|
||||||
sass-embedded (1.69.5)
|
sass-embedded (1.69.5)
|
||||||
google-protobuf (~> 3.23)
|
google-protobuf (~> 3.23)
|
||||||
rake (>= 13.0.0)
|
rake (>= 13.0.0)
|
||||||
|
sass-embedded (1.69.5-arm64-darwin)
|
||||||
|
google-protobuf (~> 3.23)
|
||||||
|
sass-embedded (1.69.5-x86_64-darwin)
|
||||||
|
google-protobuf (~> 3.23)
|
||||||
|
sass-embedded (1.69.5-x86_64-linux-gnu)
|
||||||
|
google-protobuf (~> 3.23)
|
||||||
strscan (3.1.0)
|
strscan (3.1.0)
|
||||||
terminal-table (3.0.2)
|
terminal-table (3.0.2)
|
||||||
unicode-display_width (>= 1.1.1, < 3)
|
unicode-display_width (>= 1.1.1, < 3)
|
||||||
|
@ -79,6 +90,7 @@ PLATFORMS
|
||||||
|
|
||||||
DEPENDENCIES
|
DEPENDENCIES
|
||||||
jekyll (~> 4.3)
|
jekyll (~> 4.3)
|
||||||
|
jekyll-feed
|
||||||
|
|
||||||
BUNDLED WITH
|
BUNDLED WITH
|
||||||
2.5.19
|
2.5.19
|
||||||
|
|
|
@ -7,3 +7,5 @@ collections:
|
||||||
include: [".well-known"]
|
include: [".well-known"]
|
||||||
sass:
|
sass:
|
||||||
style: compressed
|
style: compressed
|
||||||
|
plugins:
|
||||||
|
- jekyll-feed
|
||||||
|
|
|
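Review bot: The `plugins:` entry activates jekyll-feed, but that generator skips writing `feed.xml` whenever a file of that name already exists in the site source, and this same commit adds a 62-line `feed.xml` (the hunk headed `@ -0,0 +1,62 @@`). If that file sits in the source tree rather than in committed build output, the plugin output is shadowed and the checked-in feed goes stale at the next post; in that case keep either the static file or the plugin, not both. The file header for this section is not visible, so the path is inferred from the `collections:` and `sass:` context.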
@ -0,0 +1,62 @@
|
||||||
|
<?xml version="1.0" encoding="utf-8"?><feed xmlns="http://www.w3.org/2005/Atom" ><generator uri="https://jekyllrb.com/" version="4.3.4">Jekyll</generator><link href="https://hexaitos.com/feed.xml" rel="self" type="application/atom+xml" /><link href="https://hexaitos.com/" rel="alternate" type="text/html" /><updated>2024-11-11T19:16:30+01:00</updated><id>https://hexaitos.com/feed.xml</id><title type="html">Hexaitos’ Personal Website</title><entry><title type="html">Hosting my websites at home but I only have a public IPv6 subnet</title><link href="https://hexaitos.com/2024/10/29/hosting_at_home.html" rel="alternate" type="text/html" title="Hosting my websites at home but I only have a public IPv6 subnet" /><published>2024-10-29T00:00:00+01:00</published><updated>2024-10-29T00:00:00+01:00</updated><id>https://hexaitos.com/2024/10/29/hosting_at_home</id><content type="html" xml:base="https://hexaitos.com/2024/10/29/hosting_at_home.html"><![CDATA[<p>I wanted to write a small series of blog posts detailing how I made it so that my websites that are hosted at the server in my apartment (which only has a public IPv6 address) can be accessed from the Internet even if you’re in an IPv4-only network and I wanted to start by writing a post about how I delegated an IPv6 prefix to my OPNsense installation from my FRITZ!Box. (Un)fortunately, just as I finished writing it, I found out that the official (I think) <a href="https://docs.opnsense.org/manual/how-tos/ipv6_fb.html">OPNsense documentation</a> has the <em>exact</em> thing I wrote about documented already, so there’s really no point in my posting my own version that is almost literally the same thing.</p>
|
||||||
|
|
||||||
|
<p>Therefore, I’ll just be skipping that portion of my blog post. If you’re in Germany and a customer of Vodafone’s, then you should have been assigned a /59 IPv6 subnet and you can quite simply follow the instructions on the official documentation that I linked above.</p>
|
||||||
|
|
||||||
|
<p>Before I start this off, it is important to note that this will <em>only</em> work if you’re using Cloudflare’s proxy. I have not found any other DNS provider that allows you to do this, unfortunately. I know there are some who have quite strong (and often negative) opinions about Cloudflare, so if you’re one of those, then you will probably not be able to do this. If you’re not sure what I’m talking about, you should probably read up on Cloudflare and how their proxy functions first and try to form your own opinion on this matter. If you know of another (free!) way to do this <em>without</em> using Cloudflare, then I’d be <a href="/contact">happy to hear about it</a>.</p>
|
||||||
|
|
||||||
|
<p><em>Also</em>, I’m not claiming that anything I’m about to explain is necessarily the best way of going about this; it’s simply what I found works quite well for me. If I wrote something that’s terrible advice or if you found something that I could improve, you are more than welcome to <a href="/contact">contact me about that</a>, too!</p>
|
||||||
|
|
||||||
|
<p>And lastly, please note that a lot of ISPs do not technically allow the hosting of webservers if you only have a consumer contract and you might have to pay for a (usually more expensive) business contract instead. Or they might just straight up block certain ports from working in the first place on consumer contracts. Therefore, before you do anything, I urge you to check your ISP’s terms of service.</p>
|
||||||
|
|
||||||
|
<p>With that out of the way, let’s get started!</p>
|
||||||
|
|
||||||
|
<h2 id="setup-overview">Setup overview</h2>
|
||||||
|
<p>Before we start, a quick rundown of my setup. I have a FRITZ!Box 6660 Cable (my main router) to which my server running Proxmox is connected. The FRITZ!Box gets a /59 IPv6 prefix but no public IPv4 (CGNAT). Running on the Proxmox host as a VM is an OPNsense installation. Its WAN network is connected to the <em>LAN</em> network of my FRITZ!Box (it, therefore, gets an IPv4 address in my FRITZ!Box’ LAN, <code class="language-plaintext highlighter-rouge">192.168.178.0/24</code>) and the OPNsense’s LAN network is a virtual network that all other VMs running on my Proxmox installation are connected to. Additionally, I have assigned a /64 IPv6 prefix to the LAN network of my OPNsense (see OPNsense documentation above) and all VMs get both a private IPv4 address (in the OPNsense’s <code class="language-plaintext highlighter-rouge">10.10.10.0/24</code> network) via DHCP and an IPv6 address either via SLAAC or DHCPv6.</p>
|
||||||
|
|
||||||
|
<p>For my webserver in particular I made a separate and really small (/30) IPv4 subnet with a virtual IP in OPNsense, mostly so this public-facing LXC is in a different network from the VMs and LXCs that are <em>not</em> open to the public. I’ll probably switch that over to a VLAN instead of a virtual IP soon. I feel like this is a bit overkill (and probably doesn’t add that much security anyway), but I wanted to do it anyway. However, this means that my webserver has a static IPv4 in a different network, namely <code class="language-plaintext highlighter-rouge">10.11.10.2/30</code> with <code class="language-plaintext highlighter-rouge">10.11.10.1/30</code> being the virtual IP I assigned to the OPNsense installation and it cannot talk to any other VM or LXC.</p>
|
||||||
|
|
||||||
|
<p>I don’t want to share the exact IPv6 prefix I get from my ISP, but let’s just pretend it’s <code class="language-plaintext highlighter-rouge">2001:db8:0:e280::/59</code> where <code class="language-plaintext highlighter-rouge">2001:db8:0:e280::/64</code> is used by the FRITZ!Box itself and where <code class="language-plaintext highlighter-rouge">2001:db8:0:e291::/64</code> has been delegated to the OPNsense’s LAN interface. I have assigned a static IPv6 to the LXC which is running my webservers, namely <code class="language-plaintext highlighter-rouge">2001:db8:0:e291::1000:1/128</code>.</p>
|
||||||
|
|
||||||
|
<p>My webserver is running Caddy and I’m using a module for Caddy called <code class="language-plaintext highlighter-rouge">dns.providers.cloudflare</code> so that Caddy can create an SSL certificate even when it’s behind Cloudflare’s proxy.</p>
|
||||||
|
|
||||||
|
<p>Okay, that was probably quite a bit of information. The best tl;dr I can think of is: the public IPv6 my webserver gets is <code class="language-plaintext highlighter-rouge">2001:db8:0:e291::1000:1/128</code> (the prefix is not my actual prefix, this is just as an example).</p>
|
||||||
|
|
||||||
|
<h2 id="setting-up-cloudflare">Setting up Cloudflare</h2>
|
||||||
|
<p>I’ll assume that you already are somewhat familiar with Cloudflare and how it works, especially after what I mentioned earlier in the blog post and I’ll also assume that you have already added your domain to Cloudflare. If you have not yet done so, please refer to <a href="https://developers.cloudflare.com/fundamentals/setup/manage-domains/add-site/">Cloudflare’s own documentation</a> on how to do this.</p>
|
||||||
|
|
||||||
|
<p>What you have to do is go into your domain’s DNS settings and create <strong>only a single AAAA record with the proxy enabled</strong>. Do not add another <code class="language-plaintext highlighter-rouge">AAAA</code> record or even an <code class="language-plaintext highlighter-rouge">A</code> record; simply add a <code class="language-plaintext highlighter-rouge">AAAA</code> pointing to the IPv6 address of your server. This should look as follows:</p>
|
||||||
|
|
||||||
|
<p><img src="/assets/images/blog_posts/hosting_at_home/bateleur_org.png" alt="A screenshot from Cloudflare’s website showing a single AAAA record set for the domain bateleur.org" /></p>
|
||||||
|
|
||||||
|
<p>This is probably the most important aspect of this entire thing if you want your website to be reachable even in networks that do not support IPv6. If you only set a <code class="language-plaintext highlighter-rouge">AAAA</code> record and no <code class="language-plaintext highlighter-rouge">A</code> record, Cloudflare will automatically translate requests from IPv4 networks so that your website can be reached even from those networks.</p>
|
||||||
|
|
||||||
|
<p>You may also have to change the SSL settings of your domain. By default, the SSL setting is set to <q>flexible</q> which ended up not working for me and I had to set it to <q>full</q> instead:</p>
|
||||||
|
|
||||||
|
<p><img src="/assets/images/blog_posts/hosting_at_home/cloudflare_ssl.png" alt="A screenshot of Cloudflare’s SSL settings" width="30%" /></p>
|
||||||
|
|
||||||
|
<p>While you’re here, you might as well also create an API key either for your entire account or only for a particular zone / domain. For more information about what permissions need to be set, you can look at the <a href="https://github.com/caddy-dns/cloudflare">GitHub page for Caddy’s Cloudflare module</a>.</p>
|
||||||
|
|
||||||
|
<h2 id="firewall-rules">Firewall rules</h2>
|
||||||
|
<p>The first thing you’d have to properly set up are the firewall rules, especially the WAN rules. Since the only thing running on my LXC that needs to be accessed from the Internet is a webserver, it only really needs to have ports <code class="language-plaintext highlighter-rouge">443</code> and maybe also port <code class="language-plaintext highlighter-rouge">80</code> open to the public. I created an <a href="https://docs.opnsense.org/manual/aliases.html">alias</a> that includes both ports so that I don’t have to create <em>two</em> rules and I simply named it <code class="language-plaintext highlighter-rouge">allowed_ports_default</code>.</p>
|
||||||
|
|
||||||
|
<p>However, we can refine this rule a bit further: since <em>all the traffic</em> going to our webserver should come from Cloudflare (as we’re using their proxy), you change the rule so that only traffic from Cloudflare’s network is accepted.</p>
|
||||||
|
|
||||||
|
<p>To do this, you can simply create yet another alias that includes all the networks that Cloudflare uses. Luckily, Cloudflare publishes the list of their IPv6 subnets which you can find it here: <a href="https://www.cloudflare.com/ips-v6/#">https://www.cloudflare.com/ips-v6/#</a>. So all we need to do is create an alias that includes all seven (at the time of writing) subnets and put that alias into the <q>Source</q> field of our created WAN rules. The alias should end up looking as follows:</p>
|
||||||
|
|
||||||
|
<p><img src="/assets/images/blog_posts/hosting_at_home/cloudflare_ips.png" alt="A screenshot showing a firewall alias containing all of Cloudflare’s IPv6 subnets" /></p>
|
||||||
|
|
||||||
|
<p>And the rule should end up looking as follows:</p>
|
||||||
|
|
||||||
|
<p><img src="/assets/images/blog_posts/hosting_at_home/wan_rule.png" alt="A screenshot of an OPNsense rule" /></p>
|
||||||
|
|
||||||
|
<p>Additionally, you also have to set up the rules on the LAN interface. I created two LAN rules, one for the IPv6 and one for the IPv4 address of my webserver and I allowed only ports <code class="language-plaintext highlighter-rouge">443, 80, 123, 53</code> for both IPv4 TCP/UDP and IPv6 TCP/UDP. I also set up a LAN rule that blocks access from my webservers LAN network to all of my other LANs.</p>
|
||||||
|
|
||||||
|
<h2 id="caddy-configuration">Caddy configuration</h2>
|
||||||
|
<p>I’m assuming you know how to get a website up and running with Caddy. If not, I highly recommend looking at their <a href="https://caddyserver.com/docs/">documentation</a>, it’s really quite simple!</p>
|
||||||
|
|
||||||
|
<p>However, getting Caddy to work with the Cloudflare DNS was a little bit annoying at first, because the Debian 12 LXC that I’m running did not have the newest version of Caddy in its repositories, apparently, and the version that was available did not have the <code class="language-plaintext highlighter-rouge">add-package</code> command which is needed to install the Cloudflare DNS module. So I simply downloaded the newest <code class="language-plaintext highlighter-rouge">.deb</code> file from Caddy’s GitHub, installed that and installed the Cloudflare DNS module using the command <code class="language-plaintext highlighter-rouge">sudo caddy add-package github.com/caddy-dns/cloudflare</code>. Afterwards, simply follow the instructions on their GitHub page on how to add the API key to your configuration.</p>
|
||||||
|
|
||||||
|
<p>If you then restart Caddy after adding your configuration (or simply starting it for the first time), it should automatically generate an SSL certificate for you and your website should become reachable from <em>both</em> IPv6- and IPv4-only networks.</p>
|
||||||
|
|
||||||
|
<h2 id="conclusion">Conclusion</h2>
|
||||||
|
<p>Your website should now be accessible from the Internet! I hope you enjoyed reading this and I hope it will end up helping someone in the future. If you have any further questions, critique or whatever, <a href="/contact">feel free to reach out to me</a>. This is the first blog post I have written in a <em>long</em> time, so if there’s anything you think could be improved in the next one, I would love to hear about it.</p>]]></content><author><name>hexaitos</name></author><summary type="html"><![CDATA[I wanted to write a small series of blog posts detailing how I made it so that my websites that are hosted at the server in my apartment (which only has a public IPv6 address) can be accessed from the Internet even if you’re in an IPv4-only network and I wanted to start by writing a post about how I delegated an IPv6 prefix to my OPNsense installation from my FRITZ!Box. (Un)fortunately, just as I finished writing it, I found out that the official (I think) OPNsense documentation has the exact thing I wrote about documented already, so there’s really no point in my posting my own version that is almost literally the same thing.]]></summary></entry><entry><title type="html">My first blog post</title><link href="https://hexaitos.com/2024/09/30/first_blog_post.html" rel="alternate" type="text/html" title="My first blog post" /><published>2024-09-30T00:00:00+02:00</published><updated>2024-09-30T00:00:00+02:00</updated><id>https://hexaitos.com/2024/09/30/first_blog_post</id><content type="html" xml:base="https://hexaitos.com/2024/09/30/first_blog_post.html"><![CDATA[<p>Hello everyone! This is my first blog post, mostly just to try out how everything works.</p>]]></content><author><name>hexaitos</name></author><summary type="html"><![CDATA[Hello everyone! This is my first blog post, mostly just to try out how everything works.]]></summary></entry></feed>
|
|
@ -47,7 +47,7 @@
|
||||||
|
|
||||||
<p>If you want to get in touch, look at the <a href="contact.html">contact</a> page! You can find me on plenty of websites or just send me an email – I am always happy to talk to new people! I don’t usually bite. Unless you want me to >:3</p>
|
<p>If you want to get in touch, look at the <a href="contact.html">contact</a> page! You can find me on plenty of websites or just send me an email – I am always happy to talk to new people! I don’t usually bite. Unless you want me to >:3</p>
|
||||||
|
|
||||||
<p>This website is still very much a work-in-progress and it was last updated on the following day: 5 November 2024. I also have a <a href="blog.html">blog</a> where I will be posting things mostly about computers, games and birds (<i>who’d’ve thunk?</i>).</p>
|
<p>This website is still very much a work-in-progress and it was last updated on the following day: 11 November 2024. I also have a <a href="blog.html">blog</a> where I will be posting things mostly about computers, games and birds (<i>who’d’ve thunk?</i>).</p>
|
||||||
|
|
||||||
<p>You can also find me on <a href="https://bateleur.org">bateleur.org</a>. At the moment, it is simply a mirror of hexaitos.com but hosted entirely at home. Additionally, you can find me on Gemini as well. Just go to <a href="gemini://terathopius.com">gemini://terathopius.com</a> or to <a href="https://terathopius.com">https://terathopius.com</a> for an HTTPS proxy of my Gemini capsule. I also have my own Gitea instance over on <a href="https://git.bateleur.org">git.bateleur.org</a>.</p>
|
<p>You can also find me on <a href="https://bateleur.org">bateleur.org</a>. At the moment, it is simply a mirror of hexaitos.com but hosted entirely at home. Additionally, you can find me on Gemini as well. Just go to <a href="gemini://terathopius.com">gemini://terathopius.com</a> or to <a href="https://terathopius.com">https://terathopius.com</a> for an HTTPS proxy of my Gemini capsule. I also have my own Gitea instance over on <a href="https://git.bateleur.org">git.bateleur.org</a>.</p>
|
||||||
|
|
||||||
|
|
|
@ -4,7 +4,7 @@
|
||||||
<url>
|
<url>
|
||||||
<loc>https://hexaitos.com/art.html</loc>
|
<loc>https://hexaitos.com/art.html</loc>
|
||||||
|
|
||||||
<lastmod>2024-11-05T21:05:31+01:00</lastmod>
|
<lastmod>2024-11-11T19:16:30+01:00</lastmod>
|
||||||
|
|
||||||
<changefreq>monthly</changefreq>
|
<changefreq>monthly</changefreq>
|
||||||
<priority>0.3</priority>
|
<priority>0.3</priority>
|
||||||
|
@ -13,7 +13,7 @@
|
||||||
<url>
|
<url>
|
||||||
<loc>https://hexaitos.com/blog.html</loc>
|
<loc>https://hexaitos.com/blog.html</loc>
|
||||||
|
|
||||||
<lastmod>2024-11-05T21:05:31+01:00</lastmod>
|
<lastmod>2024-11-11T19:16:30+01:00</lastmod>
|
||||||
|
|
||||||
<changefreq>monthly</changefreq>
|
<changefreq>monthly</changefreq>
|
||||||
<priority>0.3</priority>
|
<priority>0.3</priority>
|
||||||
|
@ -22,7 +22,7 @@
|
||||||
<url>
|
<url>
|
||||||
<loc>https://hexaitos.com/contact.html</loc>
|
<loc>https://hexaitos.com/contact.html</loc>
|
||||||
|
|
||||||
<lastmod>2024-11-05T21:05:31+01:00</lastmod>
|
<lastmod>2024-11-11T19:16:30+01:00</lastmod>
|
||||||
|
|
||||||
<changefreq>monthly</changefreq>
|
<changefreq>monthly</changefreq>
|
||||||
<priority>0.3</priority>
|
<priority>0.3</priority>
|
||||||
|
@ -31,7 +31,7 @@
|
||||||
<url>
|
<url>
|
||||||
<loc>https://hexaitos.com/</loc>
|
<loc>https://hexaitos.com/</loc>
|
||||||
|
|
||||||
<lastmod>2024-11-05T21:05:31+01:00</lastmod>
|
<lastmod>2024-11-11T19:16:30+01:00</lastmod>
|
||||||
|
|
||||||
<changefreq>monthly</changefreq>
|
<changefreq>monthly</changefreq>
|
||||||
<priority>0.3</priority>
|
<priority>0.3</priority>
|
||||||
|
@ -40,7 +40,7 @@
|
||||||
<url>
|
<url>
|
||||||
<loc>https://hexaitos.com/refsheet.html</loc>
|
<loc>https://hexaitos.com/refsheet.html</loc>
|
||||||
|
|
||||||
<lastmod>2024-11-05T21:05:31+01:00</lastmod>
|
<lastmod>2024-11-11T19:16:30+01:00</lastmod>
|
||||||
|
|
||||||
<changefreq>monthly</changefreq>
|
<changefreq>monthly</changefreq>
|
||||||
<priority>0.3</priority>
|
<priority>0.3</priority>
|
||||||
|
@ -49,7 +49,7 @@
|
||||||
<url>
|
<url>
|
||||||
<loc>https://hexaitos.com/sitemap.xml</loc>
|
<loc>https://hexaitos.com/sitemap.xml</loc>
|
||||||
|
|
||||||
<lastmod>2024-11-05T21:05:31+01:00</lastmod>
|
<lastmod>2024-11-11T19:16:30+01:00</lastmod>
|
||||||
|
|
||||||
<changefreq>monthly</changefreq>
|
<changefreq>monthly</changefreq>
|
||||||
<priority>0.3</priority>
|
<priority>0.3</priority>
|
||||||
|
@ -58,7 +58,16 @@
|
||||||
<url>
|
<url>
|
||||||
<loc>https://hexaitos.com/assets/css/styles.css</loc>
|
<loc>https://hexaitos.com/assets/css/styles.css</loc>
|
||||||
|
|
||||||
<lastmod>2024-11-05T21:05:31+01:00</lastmod>
|
<lastmod>2024-11-11T19:16:30+01:00</lastmod>
|
||||||
|
|
||||||
|
<changefreq>monthly</changefreq>
|
||||||
|
<priority>0.3</priority>
|
||||||
|
</url>
|
||||||
|
|
||||||
|
<url>
|
||||||
|
<loc>https://hexaitos.com/feed.xml</loc>
|
||||||
|
|
||||||
|
<lastmod>2024-11-11T19:16:30+01:00</lastmod>
|
||||||
|
|
||||||
<changefreq>monthly</changefreq>
|
<changefreq>monthly</changefreq>
|
||||||
<priority>0.3</priority>
|
<priority>0.3</priority>
|
||||||
|
|
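Review bot: The new `<url>` entry for `feed.xml`, like the existing ones for `styles.css` and `sitemap.xml`, lists a resource that is not a page, and every `<lastmod>` in this file, including the new one, carries the same value `2024-11-11T19:16:30+01:00`, which also appears as the feed's `<updated>` and so looks like the build timestamp rather than a per-page change date. A lastmod that advances for every URL on every build gives crawlers nothing to prioritise and may simply be disregarded as unreliable; if the sitemap is rendered from a template, emit a per-page date or omit `<lastmod>` where none is known, and drop the non-page entries. Whether this file is hand-maintained or generated is not visible from the hunk.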