LINICKX.com

Wi-Fi (Broadcom BCM4331) for an old iMac (iMac13,1) in 2026

Nick Bettison — Sun, 11 Jan 2026 19:36:00 +0000

My Christmas project this year was to make my old 2012 iMac work; previously I have used OpenCore Legacy Patcher to keep MacOS going but that was become less useable -- Enter Linux! This note is specifically geared towards OpenSUSE Tumbleweed, but is hopefully helpful for anyone trying similar with any other distro.

TLDR;

Install b43-fwcutter
Download broadcom-wl-6.30.163.46.tar.bz2
sudo b43-fwcutter -w /usr/lib/firmware broadcom-wl-6.30.163.46.wl_apsta.o
Reboot & Hope!

Long form

Booting from the tumbleweed ISO/USB worked well, obviously the bluetooth keyboard/mouse don't work, but bluetooth is detected and will work later. Wi-Fi is not detected at all, an Ethernet cable was required to get networking up. Upon completing the install, I started to investigate how to fix Wi-Fi. On Tumbleweed, the pullin-bcm43xx-firmware package provides /usr/sbin/install_bcm43xx_firmware however, even tho it "runs", it has an error and Wi-Fi still doesn't work and the reason is because www.lwfinger.com/b43-firmware/ no longer exists.

Browsing the internet archive, I found a working snapshot for 8th July 2024: https://web.archive.org/web/20240708013600/http://www.lwfinger.com/b43-firmware/

Steps:

Download broadcom-wl-6.30.163.46.tar.bz2
If it's not installed, you'll need b43-fwcutter, so sudo zypper install b43-fwcutter.
Unpack the archive: tar -xjf broadcom-wl-6.30.163.46.tar.bz2
Install the driver: sudo b43-fwcutter -w /usr/lib/firmware broadcom-wl-6.30.163.46.wl_apsta.o
Reboot ... there's probably a way to avoid the reboot by restating Network Manager, but whatever!

After the reboot, you should see the WLAN adapter available.

Closing thoughts.

I am hosting a copy of the driver here, incase the archive goes down: www.linickx.com/files/2026/01/broadcom-wl-6.30.163.46.tar.bz2. For me, the driver only seems to be working on 2.4Ghz, even tho' the BCM4331 support 5Ghz 802.11a 🤷🏻‍♂️ ... and performance seems to be a poor 5Mb/s. But for now, I'm on with this as my plan is to use the iMac as a kinda distraction free SSH or Writing terminal; perhaps I can fix that later and update here.

If anyone knows how to get the nVidia driver working please hit me up as I'm having to manually tweak the screen brightness with each reboot.

DNSCrypt Proxy on Home Assistant

Nick Bettison — Sat, 27 Sep 2025 12:08:00 +0100

I have published a Home Assistant Addon for DNSCrypt Proxy.

TLDR:

In the HA Addon-store add my repository 👉🏻 https://github.com/linickx/ha-addons

Install DNSCrypt Proxy (and Start the addon)

Edit /addon_configs/ba53f40c-dnscrypt-proxy/dnscrypt-proxy.toml to suit your needs (restart addon to take effect)

Profit?!

What is DNSCrypt Proxy?

By default DNS traffic (TCP & UDP 53) is not encrypted, i.e. visible to snoopers; not all devices, especially IoT devices support modern encrypted DNS protocols like DoH or DoT so DNSCrypt Proxy is a way of securing DNS for those devices -- they send clear text DNS to the proxy, it encrypts the traffic up to your chosen DNS provider.

Why DNSCrypt Proxy?

This is choice depending on your security preferences/requirements, do you need or want encrypted DNS? Generally encrypting as much of your traffic as you can is a good thing, but if you don't agree that's ok:

How to install DNSCrypt Proxy.

DNSCrypt Proxy is presented as an addon, which are Home Assistant containers, get 3rd party addons you first have to setup a repository,

Step 1 - My Addon Repository

Within Home Assistant, perform the following:

Settings -> Add-ons -> ADD-ON STORE
In the top right 3x Dots, select Repositories
Add https://github.com/linickx/ha-addons

... Using the same top right 3x Dots, click check for updates. It also doesn't hurt to refresh your browser.

Step 2 - Install

With a little luck, now in Home Assistant under Settings -> Add-ons -> ADD-ON STORE, if you scroll to the bottom you should see this:

✨ Click it! ✨

Then, click Install, and once it's installed, click Start.

How to configure DNSCrypt Proxy.

DNSCrypt configuration is a .toml file; the easiest way to edit it in Home Assistant is with the VSCode Add-on, if your a terminal ninja use Vi in SSH.

Edit 👉🏻 /addon_configs/ba53f40c-dnscrypt-proxy/dnscrypt-proxy.toml

File Path Warning!

The DNSCrypt proxy runs as a container, the path you edit (from VSCode/SSH) is different to what the container sees, i.e.

/addon_configs/ba53f40c-dnscrypt-proxy/dnscrypt-proxy.toml == /config/dnscrypt-proxy.toml

So, if you need to include any external files, such as blocklists the use the later container path of /config/

/Done!

Home Assistant on KVM - Disable Secure Boot

Nick Bettison — Sun, 21 Sep 2025 13:48:00 +0100

The documentation for running HAOS on KVM is pretty good but not enough for me, in fairness it state that Secure Boot is not supported, but the clues given to disable that are a little cryptic, this post are my notes.

Preface: Some personal tweaks.

I used the virt-install command given, but the default tries to connect to the console -- which without secure boot disabled is just a blank screen, so --noautoconsole is needed.

Also, I don't have a default network, all my VM's are on a bridge interface which means I also need --network bridge=br0

So, my final install command looks like:

virt-install --name haos --description "Home Assistant OS" --os-variant=generic --ram=4096 --vcpus=2 --disk /opt/haos/haos_ova-16.2.qcow2,bus=scsi --controller type=scsi,model=virtio-scsi --import --graphics none --boot uefi --network bridge=br1 --noautoconsole

( Change your disk path as necessary )

Now: To disable secure boot.

You VM is probably running, but not working, shut it down with sudo virsh shutdown haos it might be stuck, so you might have to use sudo virsh destroy hasos to forcefully kill it.

Now run sudo virsh edit haos, this should open an XML like this screenshot:

It doesn't matter if it's not exactly the same, your hypervisor might have selected a different EFI firmware. Next steps:

Change enrolled-keys to no
Change secure-boot to no
👉🏼 Delete the line starting with <loader readonly='yes' ...
👉🏼 Delete the line starting with <nvram template= ...
Save

The final XML snippet should look something like:

<os firmware='efi'>
    <type arch='x86_64' machine='pc-i440fx-10.0'>hvm</type>
    <firmware>
      <feature enabled='no' name='enrolled-keys'/>
      <feature enabled='no' name='secure-boot'/>
    </firmware>
    <boot dev='hd'/>
</os>

First boot: Reset nvram.

After making the above changes, when you start (power-on) the machine for the first time you need to get KVM to select a new firmware, so run:

virsh start haos --reset-nvram

After that's been done once, then normal start should work, even autostart.

Done!

I use cockpit to manage my KVMs, this is what it looks like! 😊

References:

https://libvirt.org/kbase/secureboot.html#changing-an-existing-vm
https://www.home-assistant.io/installation/alternative#hypervisor-specific-configuration

Keebio IRIS layout & printout for MacOS

Nick Bettison — Mon, 21 Jul 2025 16:29:00 +0100

I spent 3 hours on this so you don't have too, well many credits goes to this guy, Ben Williamson for publishing his layout which I modified.

The nice people at Keeb.io ship their IRIS keyboards with a handy print out that shows all the default keys & layers, which is American. Out of the box, I needed to make some changes such as moving |, I also wanted the OSX Mission Control buttons, and then I moved Enter because I really don't understand the default thumb assignment, after 5 minutes tinkering I realised I no longer knew where a bunch of keys were and the print out wasn't helping.

This is my solution:

👉🏻 keeb-io-iris.use-via-layout.json - Load this into usevia.app
👉🏻 keeb-io-iris.print-layout.json - Load this into www.keyboard-layout-editor.com or click here to load this gist.

From there you can either print out the graphic and work, or make your customisations!

Removing Modules from Netatmo Weather Station

Nick Bettison — Thu, 06 Feb 2025 17:34:00 +0000

Last Year, storms in the UK caused damage to my Netatmo outdoor module, it became permanently disconnected from the indoor base station.

The iPhone app seems to require a working module to remove it, i.e. it wants to connect first before letting you delete it, which not only is a bit weird but of course doesn't work if the module is broken. After logging a ticket with Netatmo's support team, they eventually shared these two links...

With this, you can connect the base station to your Mac/PC and delete the modules from there, nice!

Python: Uploading to Legacy SharePoint On Premise

Nick Bettison — Thu, 16 Jan 2025 17:36:00 +0000

Finding this solution via Google/Bing/etc was just impossible, so this post is an attempt to make this easier.

Some Important Information: If you're using SharePoint online, i.e. a cloud solution, something part of office365 or whatever it's called today, this post is NOT for you; there are plenty of python posts, libraries and packages for that, this is what you need to do if you business is still running a legacy on-prem solution and the normal things don't work.

This solution uses the old REST API, now there is some kind of relationship with accounts.accesscontrol.windows.net and I have no idea why?!

My story.

For "reasons" my $work has both online and on-prem solutions, the online one works great and that's what I normally dealt with but due to "reasons" I needed to upload to on-prem. After hours of googling, and trying different things in python, I gave up and wrote my solution in PowerShell using the PNP PowerShell Module which got me over the initial hurdle but since the rest of my project was in python it was only a tactical fix.

To solve this in python, I started initially with Wireshark and a man-in-the-middle proxy and pulling out the REST calls, get_access_token() was written that way but it was painful, it really wasn't clear to me how file uploads was working. I left it for a while, the tactical fix was still ok.

My first AI win!

A new scenario came up, I needed to get data from my DB and create a file in this legacy SharePoint, so either I was gonna have to start talking to my DB in PowerShell or solve this in python. As is the trend in ~2024~ 2025 we now ask GenAI, OF COURSE THE CODE SUGGESTED WAS WRONG AND DIDN'T WORK but that's what we expect right?

However, the code suggested did give me some clues, based on the suggestion I was able to start tweaking the code and ta-da! it works, I could upload the file! A few more questions, a bit of googling and tweaking I even managed to update the metadata. I did not get as far as listing/finding existing files and performing a download as currently I don't need to, but if I do, maybe I'll update this post.

Some Sharepoint Stuff...

On my SharePoint document library, I've created a custom column/field for the sha256 sum of the uploaded file; if you want that replace x0034_ha256 with whatever your field code is... notice the code is not the name, so create the column, then edit it and in the address bar of your browser you can see the code.

If you don't need the sha256, just comment out & remove update_file_properties()

My Python Code.

I hope this is useful to someone, good luck!

#!/usr/bin/env python
# coding=utf-8
# Python linter configuration.
# pylint: disable=W0718 # Broad Except
import logging
import requests # pip install requests

logging.basicConfig(level=logging.DEBUG)

CLIENT_ID = "replace_me"
CLIENT_SECRET = "replace_me_too"
SITE_HOST = 'sharepoint.domain.com'
SITE_NAME = 'ABC123'
SITE_URL = f'https://{SITE_HOST}/sites/{SITE_NAME}'
UPLOAD_FOLDER = "Documents/Uploaded Files"
SHAREPOINT_LIBRARY = "Documents"
FILE_PATH = "test.txt"
FILE_TITLE = "this is a title for test.txt"
FILE_HASH_COL = '_x0034_ha256'
FILE_HASH_VALUE = 'abc123' # Replace with the actual hash value

def get_access_token():
    """
        # Step 1: Obtain an access token
    """
    r = requests.get(f"{SITE_URL}/_vti_bin/client.svc", timeout=10, headers={'Authorization': 'Bearer', 'Accept': 'application/json'})

    logging.debug(r.status_code) # <- 401
    logging.debug(r.headers['WWW-Authenticate'])

    auth_headers = {}
    for ah in str(r.headers['WWW-Authenticate']).split(','):
        key = str(ah.split('=')[0]).strip()
        try:
            val = str(ah.split('=')[1]).replace('"', "")
        except IndexError:
            val = None

        auth_headers[key] = val

    logging.debug(auth_headers)
    logging.debug(r.json())

    data = {
        'grant_type':'client_credentials',
        'client_id':f"{CLIENT_ID}@{auth_headers['Bearer realm']}",
        'client_secret':CLIENT_SECRET,
        'scope':f"{auth_headers['client_id']}/{SITE_HOST}@{auth_headers['Bearer realm']}",
        'resource':f"{auth_headers['client_id']}/{SITE_HOST}@{auth_headers['Bearer realm']}",
    }
    response = requests.post(f"https://accounts.accesscontrol.windows.net/{auth_headers['Bearer realm']}/tokens/OAuth/2", timeout=10, data=data)
    logging.debug(response.status_code) # <- 200
    logging.debug(response.json())

    if response.status_code == 200:
        return response.json().get('access_token')

    response.raise_for_status()
    return None


def upload_file(access_token):
    """
        # Step 2: Upload the file to SharePoint
    """
    upload_url = f"{SITE_URL}/_api/web/GetFolderByServerRelativeUrl('{UPLOAD_FOLDER}')/Files/add(url='{FILE_PATH}', overwrite=true)"

    with open(FILE_PATH, 'rb') as file:
        headers = {
            "Authorization": f"Bearer {access_token}",
            "Accept": "application/json;odata=verbose",
            "Content-Type": "application/octet-stream"
        }
        response = requests.post(upload_url, headers=headers, data=file, timeout=10)

    logging.debug(response.json())

    if response.status_code == 200:
        logging.info("File uploaded successfully!")
        return response.json()  # Return the response to use the returned file info

    response.raise_for_status()
    return None

def update_file_properties(access_token, file_info):
    """
    # Step 3: Update the file properties (Title and Custom Column)
    """
    update_url = file_info['d']['ListItemAllFields']['__deferred']['uri']
    logging.debug(update_url)
    file_type = file_info['d']['__metadata']['type']
    logging.debug(file_type)
    e_tag = file_info['d']['ETag']
    logging.debug(e_tag)

    # Payload for the update
    payload = {
        '__metadata': {'type': 'SP.Data.Internal_x0020_DocumentsItem'},
        'Title': FILE_TITLE,
        'OData__x0034_ha256': FILE_HASH_VALUE
    }

    headers = {
        "Authorization": f"Bearer {access_token}",
        "Accept": "application/json;odata=verbose",
        "Content-Type": "application/json;odata=verbose",
        "IF-MATCH": "*",            # Update the file regardless of the current version
        "X-HTTP-Method": "MERGE"    # Specify the method for updating
    }

    response = requests.post(update_url, headers=headers, json=payload, timeout=10)

    if response.status_code == 204:
        logging.info("File properties updated successfully!")
        logging.debug(response.text)
    else:
        response.raise_for_status()

if __name__ == "__main__":
    try:
        token = get_access_token()               # Obtain access token
        json_info = upload_file(token)           # Upload the file with the token
        update_file_properties(token, json_info) # Update the file properties
    except Exception as e:
        logging.error("An error occurred: %s", e)

References

ha-ha-ha, GenAI doesn't do that... but this is relevant: https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins/working-with-folders-and-files-with-rest

IoT DNS Anomaly Detection with Home Detector

Nick Bettison — Sun, 05 Jan 2025 18:01:00 +0000

After implementing an Open-Canary based home honeypot in part 1, for my research project I moved onto implementing a DNS based anomaly detection intrusion detection system ... try saying that 3 times fast after a few pints! 😆

📝 This post assumes that you already have Home Detector installed on your Home Assistant server.

The idea is an internal, home network honeypot would only trigger if there was already a threat on your LAN, in order to attempt to catch someone/something earlier I built a simple DNS anomaly detection engine; there's an important gotcha here, although the honeypot was low-effort-drop-in (plug-n-play), DNS inspection is a bit more technical you will need a method of updating the DNS settings on your IoTs to make this work, either by changing your DHCP setting, doing something on your router, or by touching each device (if they support custom DNS that is!).

How it works

Home Detector acts as a local DNS forwarder, point your IoT/Smart-Things at it and for 30days it'll start recording the DNS lookups. After 30days, it'll consider what it saw as the baseline and therefore anything new after that point will generate an alert.

The baseline is per IOT thing, which can be a single host IP, a range of IPs or a subnet depending on your home setup, so you're going to need the real-source-ip of your IOT thing hitting Home Assistant (The Home Detector Add-on)

Enable DNS Interception

The DNS interception is opt-in which means there's 2x steps:

Step 1

The first is point your system at it, i.e. update the DNS settings of the IOT device to have Home Assistant's IP as a DNS server.

How you do this will vary, you might be able to update your router to use Home Assistant as the DNS server for all your LAN. You might be able to change the DNS server on the IoT device it's self. Or if you cannot change DNS anywhere, disable DHCP on your router and install a DHCP server add-on and set the DNS server IP to that of Home Assistant.

Step 2

It's ok if all your DNS hits Home Detector (Home Assistant) as by default, the add-on will pass through, not touching the responses and everything should continue to work.

To enable the detection, under add-on settings, enable interception for specific IP addresses, like this:

Tweak any other settings you fancy from the Docs as necessary.

Enjoy the DNS goodness

Within the Home Detector Dashboard, there are 3x views.

(i) The Alerts

By default, Home Detector will generate dns-domain alerts, there are alarms for new domains being queried, the SOA record is used to determine domain ownership.

If you enabled Detected on Host Query then Home Detector will generate dns-query alerts, these are alarms for new host queries.

Here you can see a bunch of Amazon Alexa alerts on my console, these are new domains that the very talkative little box has started calling out to...

(ii) The DNS Domains

On the Domains page, you can review the domains that are in pass state or block state, for the first 30days (by default) all domains will be in pass, only after the baseline is created will blocks start to appear.

🔥 By Default, Block does not mean Block, it means 🚨 alarm 🚨 (perhaps not my best choice). Only if you enable the DNS Firewall under settings will the DNS be blocked, Home Detector will send NXDOMAIN (domain not found) responses.

This is what my domains page looks like, the first range for ntp.org is for my shelly devices, the next 5x are for my heating/themostat, and then the bottom ranges are for alexa's... as you can see there's 135 row, quite a lot of learnt traffic in my LAN.... and this is JUST the IoT devices, Phones/Laptops/etcs do not log here and in my documentation I warn against doing that 😬

(iii) The Queries

Like the domains page, the queries page allows you to review all the look-ups from a device in either pass or block state.

Why am I doing this?

If you've got this far, 👍🏼 nice 👍🏼 !

The point of this is to monitor what your IoT/Smart-Things are doing, you should get an idea quickly of what is normal, and IF a device got compromised it would certainly start doing different queries, like downloading malware-firmware, or downloading scripts from compromised sites... Command-and-Control needs DNS to function.

A word of Warning

The noise from my home stuff has been low, shelly, etc have a couple of domains and everything works as expected, but with 👾 Amazon Alexa devices there be monsters ahead! 👾 ... those things seem to be constantly using new hosts and new domains, it's eye-opening but also annoying, so intercept those things with care.

Next Steps

There's a fair amount of future work I'd like to look at, changing domains from pass to block by typing instead of drop-downs is quite annoying 💩 ... also, I'd like to implement some built-in signatures to assert what is normal before the learning phase is completed. Pull requests are welcome but the first thing I need to do is update all the dependencies, as since finishing the project, github's dependabot has been going mental!

Honeypot: Running Open Canary on Home Assistant

Nick Bettison — Wed, 01 Jan 2025 12:43:00 +0000

This project, 🎉 Home Detector 🎉 , started life as an academic project and is something I hope to continue, if you're interested in some home intrusion detection, read-on!

Some Background & Context

In my 40s, I have decided to go back to school and for my MSc final thesis I researched intrusion detection for home networks 😱 . The lens was simple do we know if our home LAN/Wi-Fi is under attack, does your Dad, Nan, Uncle or Aunt... even as a nerd reading this blog, do you have any intrusion detection at home?! (Hint: I didn't!)

It turns out, intrusion detection at home is hard, sure you can install HIDS (Host Intrusion Detection Systems) on your Laptop/PC but what about your phone, table or internet-enabled-fridge! 🤔

The last-one is the kicker, as a Home Assistant fan, I've got more and more smart-home, IoT stuff, how would I detect Mira-worm style compromise? ... do I even know what my IoT stuff is doing when I'm not looking?! NIDS (Network Intrusion Detection Systems) of course are an answer but not that practical, do you have a pinch-point to inspect/tap... what about networks with all-in-one Wi-Fi+Router, how do you inspect that?

In my paper, I proposed 2x solutions, this is Part 1 - A Honeypot.

A honeypot is know as Intrusion Detection via Deception, that is you place a juicy target on your network to draw attention away from your real stuff, when the threat actor trips the alarm you know about it; of course the threat actor is already on a device, but this is the point, how would you know? The honeypot approach is a something-is-better-than-nothing approach, if your CCTV is compromised, and the threat is looking for another device and they fire your honeypot you have an alarm to respond to. 🚨

Installing my Home Detector Add-On

I've wrapped up Open Canary into a Home Assistant Add-on, so installation is easy:

1. Install my Add-on Repository

To get my add-on, you can either click this link to add my repository or follow these manual steps:

Click Settings,
Click Add-ons,
Click Add-On Store,
Click The three dots in the top-right,
Click Repositories,
Type in: https://github.com/linickx/ha-addons and Click Add
Click The three dots in the top-right,
Click Check for Updates
Refresh the page a couple of times

2. Install Home Detector

Once you've got the repo' setup, scroll down to the bottom and install Home Detector.

Make sure the add-on is started & you're done.

Look Ma! I'm running a Telnet Honey Pot

With no config, and just a running add-on you have a Telnet honeypot. If you try to connect (& fail auth) you'll get a pop-up notification in Home Assistant.

And an entry in the Home Detector dashboard.

If you have SSH running, telnet will look like a weaker target for anyone running a sneaky port-scan on your LAN.

Enabling the HTTP (NAS Like) Honeypot

If you want to step-up, you can enable The HTTP honeypot which presents a NAS like log-in page.

Enabling is simply opening the port and re-starting the add-on!

To enable the port, within Home Assistant go to Settings -> Add-Ons -> Home Detector -> Configuration , scroll to the bottom to Network and toggle Show disabled ports, then type in 80 where it says HoneyPot (Fake) WebServer Port.

The cyber-kill-chain

At this point, it's important to remember the modus operandi of a threat actor. The first step is always some kind of reconnaissance even after compromise, there's usually another round of reconnaissance to pivot and further secure the footing, so if your CCTV is compromised, the default port-scan of home assistant (without SSH by default) doesn't look that interesting, the default admin port (8123) is above nmap's default range, by enabling the Telnet (& HTTP) honeypot, these interesting ports will appear in a default nmap, so the likelihood of detection increases and therefore the opportunity to kill the threat actors chain of actions.

Contributing

Open Canary has ✨ loads ✨ of features & customisation, none of which have been implemented here yet, but I would certainly love to implement some more features... top of my list, custom Web Theme for the HTTP Honeypot, pull requests welcome, I am only just about ready to start accepting merges, I had to wait for marking of my paper to be completed and 😊

Coming up in Part 2...

For my paper I moved onto DNS anomaly detection, as a way of detecting compromised IoT earlier than a threat actor trying to pivot, please take a look 👉🏻 HERE 👈🏼 if you're interested in home cyber security.

Goodbye root-cookie

Nick Bettison — Sat, 14 Dec 2024 15:59:00 +0000

TLDR: 🔥🔥🔥 If you still use root-cookie, please delete it from your WordPress/Website 🔥🔥🔥🔥

Today I have requested that the Plugins team over at WordPress.org org delete my root-cookie plugin. I started it back in 2008 for WP 2.6, probably before if you dig into the SVN history, back when things were very different.

Back in the early days of WordPress, it was a "sub directory", i.e. you setup your site with a home page, and then WordPress (blog) was a below that. The problem root-cookie was designed to solve, is that there was no way of accessing the WordPress authentication cookie outside the WordPress folder, so if you wanted to something as simple as change a banner, or theme based on being logged in, you could't. root-cookie was very simple, it hooked into WordPress's authentication functions and stripped the folder out of the cookie, and assigned it to the "root" of the domain, then from your custom code you could read it and do whatever.

I really, really cannot remember what the admin page did or looked like, there's probably some screenshots around here but apparently it contains a Cross Site Request Forgery (CSRF) vulnerability, the steps (apparently, I've not tested) to reproduce are:

Make a logged in admin click a link with the following HTML (replace the domain)

<!DOCTYPE html>
<html>
<body onload="document.forms[0].submit()">
<form action="http://{domain}/wp-admin/options-general.php?page=root-cookie" method="POST">
<input type="hidden" name="rootcookie_submit_hidden" value='Y' />
<input type="hidden" name="rootcookie_subdomain_manual" value='&"><script>alert(1)</script>' />
</form>
</body>
</html>

REF: https://patchstack.com/

👉🏻 Given that I have not maintained this plugin for over 13 years, I do NOT intend to publish an update and have requested the plugin be deleted.

From: Nick
To: plugins wordpress.org
Date: 14 Dec 2024, 15:47
Subject: Please Delete "root-cookie"
Body:

Hello, Please delete https://wordpress.org/plugins/root-cookie/

The plugin has not been maintained in 13years, apparently recently it was discovered to contain a CSRF vulnerability, I do not intend to fix it therefore it would be safer for the community if the plugin is removed from wordpress.org.

Stats show only 11 downloads per week, I don't suppose the plugin is needed anymore, the first version was released in 2008 for WP2.6, I expect a lot has changed since then :)

Many Thanks in advance for your support.
Kind Regards,
Nick

Fly.io - Docker NGINX with s3fs

Nick Bettison — Thu, 29 Aug 2024 08:22:00 +0100

I've been experimenting with fly.io; applications are Docker containers, here are some instructions to get NGINX up-n-running, with Fuse (s3fs) mounting an S3/Tigris bucket. The goal I was looking for was directy listings for the bucket, but honestly I wouldn't recommend it because it's very slooooow! ... about 5 seconds on first load.

If you want to play along anyway, download a copy of my github repo, the instructions assume that fly-cli and amazon-cli are both already installed.

Step 1 - Fly Launch

Run fly launch --no-deploy

╰─❯ fly launch --no-deploy
Scanning source code
Detected a Dockerfile app
Creating app in /home/nick/fly-docker-nginxs3fs
We're about to launch your app on Fly.io. Here's what you're getting:

Organization: NB                     (fly launch defaults to the personal org)
Name:         fly-docker-nginxs3fs   (derived from your directory name)
Region:       London, United Kingdom (this is the fastest region for you)
App Machines: shared-cpu-1x, 1GB RAM (most apps need about 1GB of RAM)
Postgres:     <none>                 (not requested)
Redis:        <none>                 (not requested)
Tigris:       <none>                 (not requested)

? Do you want to tweak these settings before proceeding? (y/N) Y

Select Yes

In the Browser window that opens, scroll down and create a bucket...

Back on your console, some keys have been generated...

Opening https://fly.io/cli/launch/xxx[REDATED]xxx ...

Waiting for launch data... Done
Created app 'fly-docker-nginxs3fs' in organization 'personal'
Admin URL: https://fly.io/apps/fly-docker-nginxs3fs
Hostname: fly-docker-nginxs3fs.fly.dev
Run `fly tokens create deploy -x 999999h` to create a token and set it as the FLY_API_TOKEN secret in your GitHub repository settings
See https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions
Your Tigris project (mys3fstest) is ready. See details and next steps with: https://fly.io/docs/reference/tigris/

Setting the following secrets on fly-docker-nginxs3fs:
AWS_ACCESS_KEY_ID: tid_yyy[REDATED]yyy
AWS_ENDPOINT_URL_S3: https://fly.storage.tigris.dev
AWS_REGION: auto
AWS_SECRET_ACCESS_KEY: tsec_zzz[REDATED]zzz
BUCKET_NAME: mys3fstest

Wrote config file fly.toml
Validating /home/nick/fly-docker-nginxs3fs/fly.toml
✓ Configuration is valid
Your app is ready! Deploy with `flyctl deploy`
╰─❯

Take a backup of these, as you'll never see them again!

AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY

Step 2- Fly Deploy

Now Deploy fly deploy --dns-checks=false (Disabling the ping to 8.8.8.8 because it's annoying!)

╰─❯ fly deploy --dns-checks=false
==> Verifying app config
Validating /home/nick/fly-docker-nginxs3fs/fly.toml
✓ Configuration is valid
--> Verified app config
==> Building image
Remote builder fly-builder-weathered-forest-2010 ready
Remote builder fly-builder-weathered-forest-2010 ready
==> Building image with Docker
--> docker host: 24.0.7 linux x86_64
[+] Building 2.0s (12/12) FINISHED
 => [internal] load .dockerignore 0.4s
 => => transferring context: 2B 0.4s
 => [internal] load build definition from Dockerfile  0.5s
 => => transferring dockerfile: 541B 0.5s
 => [internal] load metadata for docker.io/library/nginx:alpine-slim 0.6s
 => [1/7] FROM docker.io/library/nginx:alpine-slim@sha256:2be9e698d136d4d9be33d1852b1259bc1b80e20aed0c964cbcd6086da7fad5c7 0.0s
 => [internal] load build context 0.5s
 => => transferring context: 1.14kB   0.5s
 => CACHED [2/7] RUN apk update       0.0s
 => CACHED [3/7] RUN apk add --no-cache openssl s3fs-fuse   0.0s
 => CACHED [4/7] RUN mkdir /etc/nginx/templates             0.0s
 => [5/7] COPY etc/nginx/templates/default.conf.template /etc/nginx/templates/default.conf.template   0.0s
 => [6/7] COPY docker-entrypoint.d/40-s3fs.sh /docker-entrypoint.d/40-s3fs.sh   0.0s
 => [7/7] RUN chmod 755 /docker-entrypoint.d/40-s3fs.sh     0.1s
 => exporting to image                0.0s
 => => exporting layers               0.0s
 => => writing image sha256:73f897416cd820470a05839773fa3efc9109325985d2e4fa5c81477c14a3a5d2    0.0s
 => => naming to registry.fly.io/fly-docker-nginxs3fs:deployment-01J6CZAKTZP2WXQ2QC5MP4MM    0.0s
--> Building image done
==> Pushing image to fly
The push refers to repository [registry.fly.io/fly-docker-nginxs3fs]
0aa928e18663: Pushed
41551b3786e0: Pushed
3033ae542f6f: Pushed
8ad7f7ee614a: Layer already exists
bafbe3c5986a: Layer already exists
deployment-01J6CZAKTZP2WXQ2QC5MP4MM: digest: sha256:96b381cd48b63cd55c4a35e8c58ae2f5129152a11a74d9825ad10b7156fd1c12 size: 3026
--> Pushing image done
image: registry.fly.io/fly-docker-nginxs3fs:deployment-01J6CZAKTZP2WXQ2QC5MP4MM
image size: 25 MB

Watch your deployment at https://fly.io/apps/fly-docker-nginxs3fs/monitoring

-------
Updating existing machines in 'fly-docker-nginxs3fs' with rolling strategy

-------
 ✔ [1/2] Cleared lease for 328716d1f00668
 ✔ [2/2] Cleared lease for e7843060b496d8
-------

Visit your newly deployed app at https://fly-docker-nginxs3fs.fly.dev/
╰─❯

Step 3 - Files in a bucket

If you browse to the URL in the terminal, you'll see a default NGINX index page. If you browse to your URL + Bucket Name, like https://fly-docker-nginxs3fs.fly.dev/mys3fstest/ you'll see an empty bucket.

To add some files, remember those credentials, you can use them with AWS's CLI.

╰─❯ 
export AWS_ACCESS_KEY_ID="tid_yyy[REDATED]yyy"
export AWS_ENDPOINT_URL_S3="https://fly.storage.tigris.dev"
export AWS_REGION="auto"
export AWS_SECRET_ACCESS_KEY="tsec_zzz[REDATED]zzz"
╰─❯ aws s3 ls
2024-08-28 17:52:20 mys3fstest
╰─❯

So, let's do a Hello World example...

╰─❯ echo 'hello world' > test.txt
╰─❯ aws s3 cp ./test.txt s3://mys3fstest
upload: ./test.txt to s3://mys3fstest/test.txt
╰─❯ aws s3 ls s3://mys3fstest
2024-08-28 18:26:20         12 test.txt
╰─❯

And view the results in the browser...

End

References:

https://github.com/s3fs-fuse/s3fs-fuse
https://hub.docker.com/_/nginx