Merge branch 'master' of adelie:/srv/git/knowledge

2 files changed, 137 insertions, 0 deletions

diff --git a/film/to-watch.page b/film/to-watch.page
index 689ebef..4d1a0ff 100644
--- a/film/to-watch.page
+++ b/film/to-watch.page
@@ -53,7 +53,21 @@ Films To Watch
  * Hunger (2008, McQueen)
  * True Grit
  * Cinema Paradiso
+ * The Man from Earth
+ * 500 Days of Summer
+ * God Bless America
+ * The Game
+ * American Psycho
+ * Chinatown
+ * Before Sunrise
+ * Network
+ * The Tree of Life
+ * Glengarry Glen Ross
+ * The Man Who Wasn't There (2001, Coen Brothers)
+ * House of Games
+ * Christiane F. – We Children from Bahnhof Zoo
  * Flash Gordon
+ * Terminator Salvation
 
 Documentaries: 
 
@@ -71,4 +85,15 @@ Documentaries:
  * Aatsinki: The Story of Arctic Cowboys
  * The Pervert's Guide to Cinema
  * All In This Tea
+ * The Third Wave (2007, tsunami)
 
+Maybes:
+ * Diving Bell and the Butterfly
+ * Yi Yi
+ * 25th Hour
+
+Ref:
+
+ * "15 Great Films That You Never Hear About on r/movies"
+   http://imgur.com/a/BwuZY
+ * http://www.reddit.com/r/fullmoviesonyoutube
diff --git a/software/ssl.page b/software/ssl.page
new file mode 100644
index 0000000..fc8d0cb
--- /dev/null
+++ b/software/ssl.page
@@ -0,0 +1,112 @@
+
+SSL Notes
+=============
+
+You can generate stong random strings with, eg: openssl rand -base64 24
+
+Warning: as context, you generally need to go through an identity verification
+procedure before being issued SSL certificates other than the most trivial
+single-virtual-host kind. This process can take weeks, so start early!
+
+Warning: the whole crypto thing is obviously pedantic and way more of a pain in
+the ass than needs to be.
+
+Note: read this entire file before starting. In particular see the listing of
+host names towards the bottom, which should be kept up to date.
+
+### HOWTO: Get a new certificate and have it signed by StartSSL
+
+Following the union of directions (dated Nov 16, 2009) at both:
+https://library.linode.com/security/ssl-certificates/subject-alternate-names
+https://library.linode.com/security/ssl-certificates/commercial
+
+Run this (mostly) on the remote machine.
+
+NB: it may or may not be necessary to do much of this because StartSSL will
+re-generate most fields? Ugh.
+
+NB: if you are replacing an existing cert you need to revoke the old one first.
+This costs $25. "deal with it".
+
+Create, eg, /etc/ssl/localcerts/server_20140429.cnf, copying from
+/usr/lib/ssl/openssl.cnf. In that file, set the following at the top:
+
+    SAN="email:webmaster@example.com"
+
+and after the '[ v3_ca ]' line add:
+
+    subjectAltName=${ENV::SAN}
+
+On the command line (edit these for the specific cert):
+
+    export SAN="DNS:example.com, DNS:www.example.com, DNS:mail.example.com, DNS:static.example.com, DNS:git.example.com, DNS:docs.example.com"
+    openssl req -new -newkey rsa:4096 -sha256 -days 729 -nodes -config /etc/ssl/localcerts/server_20140429.cnf -keyout /etc/ssl/localcerts/server_20140429.key -out /etc/ssl/localcerts/server_20140429.csr
+
+fill in options *exactly* like on your startcom profile:
+
+    Country: US
+    State: Massachusetts
+    Locality: Cambridge
+    Organization Name: <your name>
+    Organization Unit: <blank>
+    Common Name: <FQDN, eg server.example.com>
+    Email: webmaster@example.com
+    Challenge password: <random string that you write down>
+    Company name: <blank>
+
+When done, remove most permissions on all the resulting files:
+
+    chmod 400 *
+
+Ok, now snarf down the resulting .csr to your local machine (it's short, just
+'cat' it).
+
+On the StartSSL website, figure out how to use the toolbox and validations and
+all that jazz (come back in an hour), then once all that is configured start a
+certificate generation process. You get, eg, "example.com" automatically, even
+though this isn't indicated anywhere. The user inteface sucks, "deal with it".
+Save the resulting .crt to, eg, /etc/ssl/localcerts/server_20140429.crt. chmod
+it 400, root:root.
+
+We need to create a "combined" certificate. Fetch the startssl intermediate and
+CA certs (WARNING: over https!), and combine a la:
+
+    wget https://startssl.com/certs/sub.class2.server.ca.pem
+    wget https://www.startssl.com/certs/ca.pem
+    mv ca.pem startssl_ca.pem
+    cat server_20140429.crt >> server_20140429.combined.crt
+    cat sub.class2.server.ca.pem >> server_20140429.combined.crt
+    cat startssl_ca.pem >> server_20140429.combined.crt
+
+Now copy the .key to /etc/ssl/private, give it group "ssl-cert", and give it
+chmod 440. Put the .combined.crt and .crt (for, eg, postfix) in /etc/ssl/certs
+and chmod it 444 (no group change).
+
+Now edit nginx, prosody, postfix, dovecot, etc config and reboot and check logs
+and test everything to use the new keys. Whew!
+
+Before you celebrate, add a calendar entry for N days before the expiration of
+the certificates you just created, so you have plenty of time to replace them
+before they expire.
+
+### example infrastructure needs
+
+server:
+    example.com
+    www.example.com
+    mail.example.com
+    static.example.com
+    git.example.com
+    docs.example.com
+
+### References
+
+https://library.linode.com/security/ssl-certificates
+https://www.ssllabs.com/ssltest/
+https://www.ssllabs.com/projects/best-practices/
+
+### StartCom Alternatives
+
+gandi.net: used by debian.org
+    https://www.gandi.net/ssl/grid
+    http://wiki.gandi.net/en/ssl/regenerate