PiHole with DNS-over-HTTP: Revised

More than a year later, the PiHole continues to work fine, but the process for installing the Cloudflare DoH machinery has evolved.

(And, yes, it’s supposed to be DNS-over-HTTPS. So it goes.)

To forestall link rot, the key points:

cd /tmp ;  wget https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-arm.tgz
tar -xvzf cloudflared-stable-linux-arm.tgz 
sudo cp cloudflared /usr/local/bin
sudo chmod +x /usr/local/bin/cloudflared
sudo cloudflared -v
sudo useradd -s /usr/sbin/nologin -r -M cloudflared
sudo nano /etc/default/cloudflared
CLOUDFLARED_OPTS=--port 5053 --upstream --upstream 
sudo chown cloudflared:cloudflared /etc/default/cloudflared
sudo chown cloudflared:cloudflared /usr/local/bin/cloudflared
sudo nano /etc/systemd/system/cloudflared.service
Description=cloudflared DNS over HTTPS proxy
After=syslog.target network-online.target

ExecStart=/usr/local/bin/cloudflared proxy-dns $CLOUDFLARED_OPTS

sudo systemctl enable cloudflared
sudo systemctl start cloudflared
sudo systemctl status cloudflared

Then aim PiHole’s DNS at It used to be on port #54, for whatever that’s worth.

Verify it at, which should tell you DoH is in full effect.

To update the daemon, which I probably won’t remember:

wget https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-arm.tgz
tar -xvzf cloudflared-stable-linux-arm.tgz
sudo systemctl stop cloudflared
sudo cp ./cloudflared /usr/local/bin
sudo chmod +x /usr/local/bin/cloudflared
sudo systemctl start cloudflared
cloudflared -v
sudo systemctl status cloudflared

And then It Just Works … again!

Clearing The Noto Font Clutter

The Noto (“No Tofu”) font family includes nearly All. The. Languages., which is certainly a noble goal, but I’m just not ever going to need fonts like these:

… and so forth and so on …

A bit of searching & listing identified the few I might ever use, so armor those against the coming catastrophe:

cd /usr/share/fonts/truetype/noto/
sudo chmod a-w NotoMono-Regular.ttf
sudo chmod a-w NotoSans-Bold*
sudo chmod a-w NotoSansDisplay-*
sudo chmod a-w NotoSans-Italic.ttf
sudo chmod a-w NotoSansGothic-Regular.ttf
sudo chmod a-w NotoSansMono-*
sudo chmod a-w NotoSans-Regular.ttf 
sudo chmod a-w NotoSansSymbols-*
sudo chmod a-w NotoSerif-Bold*
sudo chmod a-w NotoSerifDisplay-*
sudo chmod a-w NotoSerif-Italic.ttf 
sudo chmod a-w NotoSerif-Regular.ttf

There seems no regex-ish way of picking those out; next time, I’ll recycle the list as a script.

With armor in place, remove the rest:

find . -perm -u=w -type f -exec sudo rm '{}' \;

Rebuild the font caches:

sudo fc-cache -v -f

Maybe do such things near the end of the day, when you’re going to shut down anyway, because you’ll want to restart any programs using fonts in any nontrivial way.

Making the desired fonts read-only may confuse the next update involving the Noto fonts, but this setup (Xubuntu 18.04 LTS) is getting old and maybe something else will happen when I get around to installing a whole new release.

Kensington Expert Mouse Scroll Ring Fix

Apparently the newest Kensington Expert “Mouse” trackballs have a hack re-orienting the scroll ring quadrature detector. The picture from my original writeup shows the previous situation:

Scroll ring IR emitter-detector quadrature pair
Scroll ring IR emitter-detector quadrature pair

The quadrature detector, the black block on the left, is oriented with its lens (and, thus, the actual detectors) pointed away from the IR emitter. I thought it might be an assembly screwup, but it’s actually worse: the PCB layout is wrong.

A note from Tristan in NZ explains the situation:

So I have a later model than yours. It has a 2nd PCB chunk between where the legs normally would be. Just a floating piece with two holes for the legs, holding the legs from the board […] to the main board.It is also pointing the correct way (with the lens towards the three leg emitter).

Kensington scroll wheel revision2
Kensington scroll wheel revision2

The new quad detector has only three pins and no convex lens, but the active area now faces the emitter across the gap.

Because the interposer PCB occupies the space previously devoted to the emitter & detector leads, Kensington apparently soldered the new parts directly to the top surface without any clearance:

It’s like they failed to put through-vias to the rear or didn’t route them to the bottom another way, hence the solder is under the component

Tristan managed to wreck the detector while attempting to re-solder the intermittent joints, a situation I’m painfully familiar with. He replaced it with a quad detector harvested from a mid-90s optical mouse and it’s back in operation.

So I think the correct “fix” for the old-style PCBs (without the new interposer) is to unsolder the detector, rotate it so the lens faces the emitter, then somehow rewire the pins to the original pads. This won’t be easy and definitely won’t be pretty, but as long as it’s pointed in the right general direction it should work:

mine works off axis quite a bit

Should either of my Expert Mouse trackballs fail, now I know what to do

Many thanks to Tristan for reporting his findings!

Schwab / Symantec VIP Access vs. Yubikey

A Yubikey 5 NFC turns out to be perfectly compatible with any website using Symantec’s (no longer available) hardware key and VIP Access (definitely a misnomer) app to generate TOTP access codes, because the sites use bog-standard TOTP. The only difficulty comes from Symantec’s proprietary protocol creating the token linking an ID with a secret value to generate the TOTP codes, which is how they monetize an open standard.

Fortunately, Cyrozap reverse-engineered the Symantec protocol, dlenski mechanized it with a Python script, and it works perfectly:

python3 -m venv symkey-env
source symkey-env/bin/activate
pip3 install https://github.com/dlenski/python-vipaccess/archive/HEAD.zip
vipaccess provision -t SYMC

That spits out a file containing the ID and secret, from which you create a QR code for the Yubikey Authenticator app:

qrencode -t UTF8 'otpauth://totp/VIP%20Access:SYMCidnumbers?secret=longsecretgibberish&issuer=Symantec&algorithm=SHA1&digits=6'

Fire up the app, wave the Yubikey behind the phone, scan the QR code, wave the Yubikey again to store it, sign in to the Schwab site, turn on 2FA, enter the ID & current TOTP value from the Yubikey Authenticator, and It Just Works™.

Of course, you can kiss Schwab’s tech support goodbye, because you’re on your own. If you ever lose the Yubikey, make sure you know the answers to your allegedly secret questions.

Equally of course, you’re downloading and running random shit from the Intertubes, but …

Now, if only all my financial institutions would get with the program.

Huion H610Pro (V2) Tablet vs. xsetwacom

For unknown reasons, likely having to do with ordinary system updates, both the Huion H610Pro (V2) tablet’s device name and the display output’s name have changed. This came to light when I discovered the tablet’s stylus was no longer constrained to the landscape display, which worked fine when I set it up barely a month ago.

Running the setup command manually:

xsetwacom --verbose set "HUION Huion Tablet Pen stylus" MapToOutput "DP-1"
... Display is '(null)'.
... 'set' requested for 'HUION Huion Tablet Pen stylus'.
 <<< snippage >>>
... Checking device 'HUION Huion Tablet stylus' (11).
... Checking device 'HUION Huion Tablet eraser' (19).
Cannot find device 'HUION Huion Tablet Pen stylus'.

Apparently, the device formerly known as HUION Huion Tablet Pen stylus is now called HUION Huion Tablet stylus.

Fine, I can live with that. Try again:

xsetwacom --verbose set "HUION Huion Tablet stylus" MapToOutput "DP-1"
... Display is '(null)'.
... 'set' requested for 'HUION Huion Tablet stylus'.
 <<< snippage >>>
... Checking device 'HUION Huion Tablet stylus' (11).
... Checking device 'HUION Huion Tablet eraser' (19).
... Device 'HUION Huion Tablet stylus' (11) found.
... Found output 'VGA-1' (disconnnected)
... Found output 'DP-1' (disconnnected)
... Found output 'HDMI-1' (disconnnected)
... Found output 'DP-2' (connected)
... CRTC (2560x0) 1440x2560
... Found output 'HDMI-2' (disconnnected)
... Found output 'DP-1-8' (connected)
... CRTC (0x0) 2560x1440
... Found output 'DP-1-1' (disconnnected)
Unable to find output 'DP-1'. Output may not be connected.

Apparently, the video output formerly known as DP-1 has fissioned into DP-1-1 and DP-1-8, with only the latter connected. Weirdly, nothing happened to DP-2.

Once more, into the bleach:

xsetwacom --verbose set "HUION Huion Tablet stylus" MapToOutput "DP-1-8"
... Display is '(null)'.
... 'set' requested for 'HUION Huion Tablet stylus'.
 <<< snippage >>>
... Checking device 'HUION Huion Tablet stylus' (11).
... Checking device 'HUION Huion Tablet eraser' (19).
... Device 'HUION Huion Tablet stylus' (11) found.
... Found output 'VGA-1' (disconnnected)
... Found output 'DP-1' (disconnnected)
... Found output 'HDMI-1' (disconnnected)
... Found output 'DP-2' (connected)
... CRTC (2560x0) 1440x2560
... Found output 'HDMI-2' (disconnnected)
... Found output 'DP-1-8' (connected)
... CRTC (0x0) 2560x1440
... Setting CRTC DP-1-8
... Remapping to output area 2560x1440 @ 0,0.
... Transformation matrix:
... 	[ 0.640000 0.000000 0.000000 ]
... 	[ 0.000000 0.562500 0.000000 ]
... 	[ 0.000000 0.000000 1.000000 ]

Well, that worked.

Actually, I had to constrain the stylus to DP-2, then jam it back on DP-1-8, to spread the tablet’s horizontal extent over the entire monitor. Updating the startup script started the tablet properly the next morning.

The new device name certainly makes more sense and, perhaps, the X output connection now recognizes the landscape monitor’s ability to pass its DisplayPort video stream along to a second monitor.

Raspberry Pi: Adding a PIXEL Desktop Launcher

The Raspberry Pi’s Raspbian PIXEL Desktop UI (not to be confused with the Google Pixel phone) descends from LXDE, with all the advantages & disadvantages that entails. One nuisance seems to be the inability to create a launcher for a non-standard program.

The stock task bar (or whatever it’s called) has a few useful launchers and you can add a launcher for a program installed through the usual Add/Remove Software function, as shown by the VLC icon:

LXDE launcher icons
LXDE launcher icons

Adding a bCNC launcher requires a bit of legerdemain, because it’s not found in the RPi repositories. Instead, install bCNC according to its directions:

… install various pre-requisites as needed …
pip2 install --upgrade git+https://github.com/vlachoudis/bCNC 

Which is also how you upgrade to the latest & greatest version, as needed.

You then launch bCNC from inside a terminal:

python2 -m bCNC

The installation includes all the bits & pieces required to create a launcher; they’re just not in the right places.

So put them there:

sudo cp ./.local/lib/python2.7/site-packages/bCNC/bCNC.png /usr/share/icons/
sudo cp .local/lib/python2.7/site-packages/bCNC/bCNC.desktop /usr/share/applications/bCNC.desktop

The bCNC.desktop file looks like this:

[Desktop Entry]
Comment=bCNC Controller

Set Terminal=false if you don’t want a separate terminal window and don’t care about any of the messages bCNC writes to the console during its execution. However, those messages may provide the only hint about happened as bCNC falls off the rails.

With all that in place, it turns out LXDE creates a user-specific panel configuration file only when you change the default system panel configuration. Add a VLC launcher to create the local ~/.config/lxpanel/LXDE-pi/panels/panel file.

With that ball rolled, then add the bCNC launcher:

nano .config/lxpanel/LXDE-pi/panels/panel
… add this stanza …
Plugin {
  Config {
    Button {

Log out, log back in again, and the bCNC icon should appear:

LXDE launcher icons - additions
LXDE launcher icons – additions

Click it and away you go:

bCNC - Running from LXDE Launcher
bCNC – Running from LXDE Launcher

At least you (and I) will start closer to the goal when something else changes …

Obsolete DRAM Collection

As you might expect by now, I harvest various bits & pieces from the PCs falling off the trailing edge of my assortment. The bag of obsolete DRAM recently floated to the top of the heap:

DRAM Assortment - overview
DRAM Assortment – overview

Half a gig of ECC RAM from what might have been a fire-breathing Pentium Pro box:

DRAM Assortment - 256 MB ECC
DRAM Assortment – 256 MB ECC

The PCBs along the top apparently filled vacant memory slots.

Some 32 and 64 MB DRAM from a few IBM laptops I turned into picture frames:

DDR2 DRAM in assorted sizes & speeds:

DRAM Assortment - PC2 DDR
DRAM Assortment – PC2 DDR

PC133 DDR DRAM, with four sticks of 1 GB PC3 along the bottom:

DRAM Assortment - PC133
DRAM Assortment – PC133

If you look closely, you may see something you can use. No reasonable offer refused …