Skip navigation

Author Archives: hrbrmstr

Don't look at me…I do what he does — just slower. #rstats avuncular • ?Resistance Fighter • Cook • Christian • [Master] Chef des Données de Sécurité @ @rapid7

Almost Bare Bones WebR Starter App

Let’s walk through how to set up a ~minimal HTML/JS/CSS + WebR-powered “app” on a server you own. This will be vanilla JS (i.e. no React/Vue/npm/bundler) you can hack on at-will.

TL;DR: You can find the source to the app and track changes to it over on GitHub if you want to jump right in.

In the docs/ directory in the GH repo you’ll see an example of using this in GH Pages.Here it is live: https://hrbrmstr.github.io/webr-app/index.html. Info on what you need to do for that is below.

If all went well, you should see the output of a call to WebR right here (it may take a few seconds):

Getting Your Server Set Up

I’ll try to keep updating this with newer WebR releases. Current version is 0.1.0 and you can grab that from: https://github.com/r-wasm/webr/releases/download/v0.1.0/webr-0.1.0.tar.gz.

System-Wide WebR

You should read this section in the official WebR documentation before continuing.

I’m using a server-wide /webr directory on my rud.is domain so I can use it on any page I serve.

WebR performance will suffer if it can’t use SharedArrayBuffers. So, I have these headers enabled on my /webr directory:

Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp

I use nginx, so that looks like:

location ^~ /webr {
  add_header "Cross-Origin-Opener-Policy" "same-origin";
  add_header "Cross-Origin-Embedder-Policy" "require-corp";
}

YMMV.

For good measure (and in case I move things around), I stick those headers on my any app dir that will use WebR. I don’t use them server-wide, though.

And They Call It a MIME. A MIME!

WebR is a JavaScript module, and you need to make sure that files with an mjs extension have a MIME type of text/javascript, or some browsers won’t be happy.

A typical way for webservers to know how to communicate this is via a mime.types file. That is not true for all webservers, and I’ll add steps for ones that use a different way to configure this. The entry should look like this:

text/javascript  mjs;

Testing The WebR Set Up

You should be able to hit that path on your webserver in your browser and see the WebR console app. If you do, you can continue. If not, leave an issue and I can try to help you debug it, but that’s on a best-effort basis for me.

Installing The App

We’ll dig into the app in a bit, but you probably want to see it working, so let’s install this ~minimal app.

My personal demo app is anchored off of /webr-app on my rud.is web server. Here’s how to replicate it:

# Go someplace safe
$ cd $TMPDIR

# Get the app bundle
# You can also use the GH release version, just delete the README after installing it.
$ curl -o webr-app.tgz https://rud.is/dl/webr-app.tgz

# Expand it
$ tar -xvzf webr-app.tgz
x ./webr-app/
x ./webr-app/modules/
x ./webr-app/modules/webr-app.js
x ./webr-app/modules/webr-helpers.js
x ./webr-app/css/
x ./webr-app/css/simple.min.css
x ./webr-app/css/app.css
x ./webr-app/main.js
x ./webr-app/index.html

# ? GO THROUGH EACH FILE
# ? to make sure I'm not pwning you!
# ? Don't trust anything or anyone.

# Go to the webserver root
$ cd $PATH_TO_WEBSERVER_DOC_ROOT_PATH

# Move the directory
$ mv $TMPDIR/webr-app .

# Delete the tarball (optional)
$ rm $TMPDIR/webr-app.tgz

Hit up that path on your web server and you should see what you saw on mine.

WebR-Powered App Structure

.
├── css                  # CSS (obvsly)
│   ├── app.css          # app-specific ones
│   └── simple.min.css   # more on this in a bit
├── index.html           # The main app page
├── main.js              # The main app JS
└── modules              # We use ES6 JS modules
    ├── webr-app.js      # Main app module
    └── webr-helpers.js  # Some WebR JS Helpers I wrote

Simple CSS

If you sub to my newsletter, you know I play with tons of tools and frameworks. Please use what you prefer.For folks who don’t normally do this type of stuff, I included a copy of Simple CSS b/c, well, it is simple to use. Please use this resource to get familiar with it if you do continue to use it.

JavaScript Modules

When I’m in “hack” mode (like I was for the first few days after WebR’s launch), I revert to old, bad habits. We will not replicate those here.

We’re using JavaScript Modules as the project structure. We aren’t “bundling” (slurping up all app support files into a single, minified file) since not every R person is a JS tooling expert. We’re also not using them as they really aren’t needed, and I like to keep things simple and as dependency-free as possible.

In index.html you’ll see this line:

<script type="module" src="./main.js"></script>

This tells the browser to load that JS file as if it were a module. As you read (you did read the MDN link, above, right?), modules give us locally-scoped names/objects/features and protection from clobbering imported names.

Our main module contains all the crunchy goodness core functionality of our app, which does nothing more than:

  • loads WebR
  • Tells you how fast it loaded + instantiated
  • Yanks mtcars from the instantiated R session (mtcars was the third “thing” I typed into R, ever, so my brain defaults to it).
  • Makes an HTML table from it using D3.

It’s small enough to include here:

import { format } from "https://cdn.skypack.dev/d3-format@3";
import * as HelpR from './modules/webr-helpers.js'; // WebR-specific helpers
// import * as App from './modules/webr-app.js'; // our app's functions, if it had some

console.time('Execution Time'); // keeps on tickin'
const timerStart = performance.now();

import { WebR } from '/webr/webr.mjs'; // service workers == full path starting with /

globalThis.webR = new WebR({
    WEBR_URL: "/webr/", # our system-wide WebR
    SW_URL: "/webr/"    # what ^^ said
}); 
await globalThis.webR.init(); 

// WebR is ready to use. So, brag about it!

const timerEnd = performance.now();
console.timeEnd('Execution Time');

document.getElementById('loading').innerText = `WebR Loaded! (${format(",.2r")((timerEnd - timerStart) / 1000)} seconds)`;

const mtcars = await HelpR.getDataFrame(globalThis.webR, "mtcars");
console.table(mtcars);
HelpR.simpleDataFrameTable("#tbl", mtcars);

globalThis is a special JS object that lets you shove stuff into the global JS environment. Not 100% needed, but if you want to use the same WebR context in in other app module blocks, this is how you’d do it.

Let’s focus on the last three lines.

const mtcars = await HelpR.getDataFrame(globalThis.webR, "mtcars");

This uses a helper function I made to get a data frame object from R in a way more compatible for most JS and JS libraries than the default JS object WebR’s toJs() function converts all R objects to.

console.table(mtcars);

This makes a nice table in the browser’s Developer Tools console. I did this so I could have you open up the console to see it, but I also want you to inspect the contents of the object (just type mtcars and hit enter/return) to see this nice format.

We pass in a WebR context we know will work, and then any R code that will evaluate and return a data frame. It is all on you (for the moment) to ensure the code runs and that it returns a data frame.

The last line:

HelpR.simpleDataFrameTable("#tbl", mtcars);

calls another helper function to make the table.

HelpR

I may eventually blather eloquently and completely about what’s in modules/webr-helpers.js. For now, let me focus on just a couple things, especially since it’s got some sweet JSDoc comments.

First off, let’s talk more about those comments.

I use VS Code for ~60% of my daily ops, and used it for this project. If you open up the project root in VS Code and select/hover over simpleDataFrameTable in that last line, you’ll get some sweet lookin’formatted help. VS Code is wired up for this (other editors/IDEs are too), so I encourage you to make liberal use of JSDoc comments in your own functions/modules.

Now, let’s peek behind the curtain of getDataFrame:

export async function getDataFrame(ctx, rEvalCode) {
    let result = await ctx.evalR(`${rEvalCode}`);
    let output = await result.toJs();
    return (Promise.resolve(webRDataFrameToJS(output)));
}

The export tells the JS environment that that function is available if imported properly. Without the export the function is local to the module.

let result = await ctx.evalR(`${rEvalCode}`);

A proper app would use JS try/catch potential errors. There’s an example of that in the fancy React app code over at WebR’s site. We just throw caution to the wind and evaluate whatever we’re given. In theory, we should have R ensure it’s a data frame which we kind of can’t do on the JS side since the next line:

let output = await result.toJs();

will show the type as a list (b/c data.frames are lists).

I’ll likely add some more helpers to a more standalone helper module, but I suspect that corporate R will beat me to that, so I will likely also not invest too much time on it, at least externally.

Await! Await! Do Tell Me (about await)!

Before we can talk about the last line:

return (Promise.resolve(webRDataFrameToJS(output)));

let’s briefly talk about async ops in JS.

The JavaScript environment in your browser is single-threaded. async-hronous ops let pass of code to threads to avoid blocking page operations. These get executed “whenever”, so all you get is a vapid and shallow promise to of code execution and potentially giving you something back.

We explicitly use await for when we really need the code to run and, in this case, give us something back. We can keep chaining async function calls, but — if we need to make sure the code runs and/or we get data back — we will eventually need to keep our promise to do so; hence, Promise.resolve.

Serving WebR From GitHub Pages

The docs/ directory in the repo shows a working version on GH pages.

main.js needs a few tweaks:

// This will use Posit's CDN

import('https://webr.r-wasm.org/latest/webr.mjs').then( // this wraps the main app code
    async ({ WebR }) => {

        globalThis.webR = new WebR({
            SW_URL: "/webr-app/"            // ?? needs to be your GHP main path
        });
        await globalThis.webR.init();

        const timerEnd = performance.now();
        console.timeEnd('Execution Time');

        document.getElementById('loading').innerText = `WebR Loaded! (${format(",.2r")((timerEnd - timerStart) / 1000)} seconds)`;

        const mtcars = await HelpR.getDataFrame(globalThis.webR, "mtcars");
        console.table(mtcars);
        HelpR.simpleDataFrameTable("#tbl", mtcars);

  }
);

Moar To Come

Please hit up this terribly coded dashboard app to see some fancier use. I’ll be converting that to modules and expanding git a bit.

WebR IS HERE!

WebR 0.1.0 was released! I had been git-stalking George (the absolute genius who we all must thank for this) for a while and noticed the GH org and repos being updated earlier this week, So, I was already pretty excited.

It dropped today, and you can hit that link for all the details and other links.

I threw together a small demo to show how to get it up and running without worrying about fancy “npm projects” and the like.

View-source on that link, or look below for a very small (so, hopefully accessible) example of how to start working with WASM-ified R in a web context.

UPDATE:

Four more links:


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>WebR Super Simple Demo</title>
<link rel="stylesheet" href="/style.css" type="text/css">
<style>
li {
  font-family:monospace;
}
.nospace {
  margin-bottom: 2px;
}
</style>
</head>
<body>
<div id="main">
<p>Simple demo to show the basics of calling the new WebR WASM!!!!</p>

<p><code>view-source</code> to see how the sausage is made</code></p>

<p class="nospace">Input a number, press "Call R" (when it is enabled) and magic will happen.</p>

<!-- We'll pull the value from here -->
<input type="text" id="x" value="10">

<!-- This button is disabled until WebR is loaded -->
<button disabled="" id="callr">Call R</button>

<!-- Output goes here -->
<div id="output"></div>

<!-- WebR is a module so you have to do this. -->
<!-- NOTE: Many browsers will not like it if `.mjs` files are served -->
<!-- with a content-type that isn't text/javascript  -->
<!-- Try renaming it from .mjs to .js if you hit that snag. -->

<script type="module">

  // https://github.com/r-wasm/webr/releases/download/v0.1.0/webr-0.1.0.tar.gz
  //
  // I was lazy and just left it in one directory

    import { WebR } from '/webr-d3-demo/webr.mjs'; // service workers == full path starting with /

    const webR = new WebR(); // get ready to Rumble 

  await webR.init(); // shot's fired

    console.log("WebR"); // just for me b/c I don't trust anything anymore

  // we call this function on the button press

    async function callR() {

        let x = document.getElementById('x').value.trim(); // get the value we input; be better than me and do validation
        console.log(`x = ${x}`) // as noted, i don't trust anything

    let result = await webR.evalR(`rnorm(${x},5,1)`); // call some R!
    let output = await result.toArray(); // make the result something JS can work with

        document.getElementById("output").replaceChildren() // clear out the <div> (this is ugly; be better than me)

    // d3 ops

        d3.select("#output").append("ul")

        const ul = d3.select("ul")

        ul.selectAll("li")
            .data(output)
            .enter()
            .append("li")
            .text(d => d)

    }

  // by the time we get here, WebR is ready, so we tell the button what to do and re-enable the button
    document.getElementById('callr').onclick = callR;
    document.getElementById('callr').disabled = false;


</script>

<!-- d/l from D3 site or here if you trust me -->
<script src="d3.min.js"></script>

</div>
</body>
</html>

“Bizarre” DNS Hacks For Fun And, Um…, Fun

I’ve been (slowly) making my way through FOSDEM `23 presentations and caught up to Peter Lowe‘s “Bizarre and Unusual Uses of DNS • Rule 53: If you can think of it, someone’s done it in the DNS” talk. DNS oddities are items I collect whenever I see them, and while I knew about a good number of the ones in Peter’s presentation, the ones where DNS is used to retrieve your external IP address were oddly missing from my collection.

His presentation mentioned both a Google DNS hack and OpenDNS DNS hack, and I learned of a similar DNS hack from Akamai from John Payne. I keep saying “hack” because these folks are most certainly abusing the original intentions and design of DNS. “Hack” is not being used pejoratively, as this is a pretty cool and efficient way of discovering your external IP address vs setting up a full-blown HTTP TLS session, making a GET request and retrieving the payload.

I’ve been Down and Out on COVID Street for the past few weeks (#4 brought it home from high school, making multiple years of being overly cautious and careful outside the house quite moot), and had a bit of a level drain relapse over the weekend, so I decided to get my mind directed away from malicious spike proteins and build a client for the existing services and then a server anyone could run to host the same type of service.

I’ve been nerding out on Rust for the past few years, but chose Go (also calling it “Golang” in this parenthetical for the sake of SEO) since I really wanted a small binary, and DNS ops are part of Go’s “batteries included” libraries (and, I’ve worked with them before).

dig-ging The Hacks

Shaft Silhouette with Can You Dig It below

You don’t need a special client for these hacks. dig can do all the hard work for you, and it is (for the most part) on every modern system (or easily installed).

Here are three shell executable statements that will return your external IP address into a shell variable (just remove the VAR= and outer $() to see the result vs store it):

MY_OPENDNS_IP="$(dig myip.opendns.com @resolver1.opendns.com +short)"

MY_GOOGLE_IP="$(dig o-o.myaddr.1.google.com @ns1.google.com TXT +short | tr -d '"')"

MY_AKAMAI_IP="$(dig +short TXT whoami.ds.akahelp.net @$(dig +short +answer NS akamai.com | head -1) | grep ns | sed -e 's/[^0-9\.\:]//g')"

The Akamai one is a bit longer since I didn’t want to lock it in to a pre-specified Akamai resolver (you never know when orgs are going to change things). So, it looks up the nameserver first, then does the IP check.

Remove the pipes to see the “raw” output.

[Client] Hacks In Go

Go's mascot in a hacker hoodie

I’ll eventually set up a GitHub Action to build out binaries for various platforms (and setup a Homebrew tap for it) but you can get started using the nascent Go CLI via:

go install -ldflags "-s -w" github.com/hrbrmstr/extip@latest

the extra flags are there to make the binary size smaller than it otherwise would be (Go and Rust both make larger binaries than I care for, but they do that for good reasons).

At present, there are no command line options, so when you run extip, the executable makes the DNS calls to all three services and will return just your IP address if they all agree (if you’re being service intercepted in a really nasty way, that might not be the case). If any fail, the discrepancies are shown.

Serving Up Your Own Hack

Another reason to use Go is that building a DNS server in it is super straightforward, thanks to Miek Gieben‘s battle tested DNS library.

Now, thanks to this tiny, hacky DNS server I whipped up, you can:

go install -ldflags "-s -w" github.com/hrbrmstr/extip-svr@latest

and run it anywhere you’d like to have the same type of service.

It supports A, AAAA and TXT queries, though I’d use the TXT one if I were you, since you don’t need to know what type of network you’re on or interface the request is coming from. I’ve got it running on one of my random internet nodes, so you can try it out before running it:

dig myip.is TXT @ip.rudis.net

(any FQDN ending in .is can be used)

FIN

Peter’s talk was super fun and informative, so you should 100% watch it. It was great being able to have something to focus on whilst getting better, and also cool to stretch some Golang muscles.

If you have any opines on the CLI argument parser I should use, drop a comment or issue on the repos. I’ll be tweaking both the client and server quite a bit over the coming weeks.

Do Not Purchase Kucht Appliances

I’ll follow up with a more detailed post in a ~week or so, but if you are considering purchasing a Kucht appliance, please, please reconsider your decision. They have repeatedly lied to us (I have proof) and are incapable of manufacturing functioning equipment.

Thanks to them, we are out thousands of dollars and are in the process of contacting the Maine AG and having our personal legal counsel help us to recoup our losses. I’m just thankful our “professional” oven didn’t harm any of our family as it continued to malfunction and degrade whilst the Kucht representatives just ignored us.

2022 Hanukkah of Data • Puzzle 2

Ref: https://rud.is/b/2022/12/19/2022-hanukkah-of-data-puzzle-1/

library(tidyverse)

cust <- read_csv("~/Downloads/noahs-csv/noahs-customers.csv")
orders_items <- read_csv("~/Downloads/noahs-csv/noahs-orders_items.csv")
orders <- read_csv("~/Downloads/noahs-csv/noahs-orders.csv")
products <- read_csv("~/Downloads/noahs-csv/noahs-products.csv")

orders_items |> 
  left_join(products) -> oip

orders |> 
  left_join(oip) -> orders

orders |> 
  filter(
    2017 == lubridate::year(ordered),
    grepl("cleaner|bagel", desc, ignore.case=TRUE)
  ) |> 
  group_by(customerid, orderid) |> 
  summarise(
    ord = paste0(desc, collapse="; "),
    n = n()
  ) |> 
  arrange(desc(n)) # look for bagel + rug cleaner

cust |> 
  filter(customerid == '####') |> 
  select(phone)

2022 Hanukkah of Data • Puzzle 1

Visiting #2 and doing some $WORK-work, but intrigued with Hanukkah of Data since Puzzle 0 was solvable with a ZIP password cracker (the calendar date math seemed too trivial to bother with).

Decided to fall back to R for this (vs Observable for the Advent of Code which I’ll dedicate time to finishing next week).

R has a {phonenumber} package, so we’ll cheat and use that despite it being very brutish in how it does the letterToNumber() conversion.

No spoilers besides the code.

library(phonenumber)
library(tidyverse)

cust <- read_csv("~/Downloads/noahs-csv/noahs-customers.csv")

cust |> 
  filter(!grepl("[01]", phone)) |> # only care abt letters
  mutate(
    last_name = stri_replace_all_regex(name, "(II|III|IV|Jr\\.)", ""), # get rid of suffix if any
  ) |> 
  separate( # get only the last name
    col = last_name,
    into = c("x1", "x2", "last_name"),
    sep = " ",
    fill = "left"
  ) |> 
  filter(
    nchar(last_name) == 10 # only complete last names
  ) |> 
  mutate(
    last_name = toupper(last_name),
    phone = gsub("-", "", phone) # we're going to compare so remove the '-'
  ) |> 
  select(last_name, phone) |> 
  mutate(
    trans = strsplit(xx$last_name, "") |> 
      map_chr(~map(.x, letterToNumber) |> paste0(collapse="")) # feels like I cld optimize this
  ) |> 
  filter(trans == phone)

Arc You Ready For A New Browser?

Cross-post to Substack where I dropped some details on the newest browser in town: Arc. Intro:

It feels like it’s been forever since The Browser Company started teasing us about their new browser, Arc. I did the dance many of you almost certainly did and typed in my throwaway email address to try to get access to the beta when it came out. I noticed some tech rags starting to cover Arc in-depth this past week, so I checked my email (50/50 chance I’m reading email on any given day), and — sure enough — I had my download link as well.

I won’t be able to give a multi-thousand word review today, especially since I did not get time to capture Netflow over a couple hours to see how skeezy Arc may be, so consider this an Arc introduction vs full review. (I am also, sadly, out of invite codes but drop me a message if you want one as I’m trying to get more invites).

Honk If You Like The Fediverse!

This is a re-post from today’s newsletter. I generally avoid doing this but the content here is def more “bloggy” than “newslettery”.

You can now receive these blog posts in your activity stream. Just follow @hrbrmstr@rud.is and the new posts from here will slide right into your timeline.

So, you’ve committed to abandoning the bird site, joined a ? instance, or three, and are now a citizen of the Fediverse. This is ??! But, what if you want to dig into this brave new universe a bit and see how it works? Or, perhaps you would like to engage with a specific set of other folks without committing to a particular BBSnode?

Running a full-on Mastodon instance means dealing with PostgreSQL, Redis, Ruby (ugh), and NodeJS. Sure, Docker is an option, but this is still a big project, and it’s more than likely that you’re not a Ruby programmer (which makes it difficult to poke at the code to bend it to your will).

What if I told you there’s a way to run your own ActivityPub (et al.) server that:

  • is built with Golang (requires libsqlite3)
  • uses SQLite for persistence
  • compiles in seconds
  • sets up in minutes
  • takes almost no system resources
  • supports custom emojis
  • allows markdown in posts (including source code block syntax highlighting)
  • features location check-ins (like Foursquare back in the old days)
  • enables filtering and censorship (for abuse prevention)
  • sports a tiny but quite useful API
  • lets folks consume your activity stream as an RSS feed

If that sounds more to your liking, let me introduce you to Honk by Ted Unangst (@tedu@honk.tedunangst.com), and walk you through my Honk (@bob@honk.hrbrmstr.de) setup.

Prepare To Honk

You can either use Mercurial and:

$ hg clone https://humungus.tedunangst.com/r/honk

or grab a tarball and expand it (do either of these things on the box you will be running Honk). Then, just:

$ cd honk
$ make

and in a few seconds you’ll have a honk server binary ready to use.

Now, you’re also going to need a “TLS terminating reverse proxy”. We’ll be using Nginx since it is nigh ubiquitous and straightforward to setup. If you’ve never set up an HTTPS Nginx instance. Nginx drops in nicely almost everywhere, and this isn’t a terrible certbot/nginx ‘splainer. The rest of this drop assumes you have an Nginx instance ready to configure for honking.

I’m hosting my actual Honk instance on an overkill home data science server (you can use a Raspberry Pi to run Honk), which is exposed to one of my internet-facing Nginx reverse proxy servers via Tailscale. Using a setup like this means you can go super-cheap ($5/mo) on a VPS. You can also 100% just run Honk on the same internet-facing box as you do Nginx, just make sure to follow the specific guidance for that setup below, and mebbe spring for a slightly bigger server. FWIW I use SSD Nodes (full-disclosure: that is an affiliate link).

Finally, you’ll need a FQDN configured that points to your reverse proxy. Mine is honk.hrbrmstr.de which has an A record pointing to my internet-facing VPS. Your ActivityPub handle will be @user@ThisFQDNyouChose, so pick one you can live with.

Make sure all three of those things are ready for the remaining steps.

Configure + Run Honk

This part is pretty straightforward. Run:

$ ./honk init

on the box you’re running Honk from. It’s going to ask you for four pieces of information:

  • username: the username you want. Again, this will be your @username@TheHonkFQDNyouChose identity, so pick one you can live with.
  • password: the password you want; pick a long passphrase from a password manager generator that you’ll keep in said password manager. Honk does not support MFA. Attackers will find you. You cannot hide. Just make it hard for them.
  • listenaddr: host + port Honk will listen on. If running Honk on the same system as Nginx make it something like 127.0.0.1:31337 so Honk itself is only accessible locally. I used my VPS’ Tailscale IP address.
  • servername: the FQDN you configured in the previous section.

If you mess up, just remove the SQLite databases Honk just made and start over.

Feel free to get all fancy with whatever system service runner you like, but I just run Honk from a custom application directory with:

$ nohup ./honk &

You leave out the nohup and &, or tail -f nohup.out, if you want to see the log as you configure Nginx in the next section.

Configure Nginx

Remember that this bit assumes you’ve installed Nginx and set it up with a certbot TLS certificate. See above for links to resources to help you do that.

Now you need to tell Nginx where to serve up your honk instance. Modify your base config to look something like this:

server {

  server_name honk.example.com;

  location / {
    proxy_pass http://127.0.0.1:31337;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme; 
  }

  listen 443 ssl; # managed by Certbot

  ssl_certificate /etc/letsencrypt/live/honk.example.com/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/honk.example.com/privkey.pem; # managed by Certbot
  include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {

  if ($host = honk.example.com) {
    return 301 https://$host$request_uri;
  } # managed by Certbot

  listen 80;

  server_name honk.example.com;

  return 404; # managed by Certbot

}

Replace the proxy_pass, honk.example.com, and 127.0.0.1:31337 values with your specific config.

Restart Nginx and go to honk.example.com. If you don’t see the Honk main page, check the Nginx logs and the Honk logs and give it a go again.

Go Honkin’ Crazy

The Honk docs are useful and quite fun reads.

  • The user manual should be required reading so, at the very least, you can grok the honking terminology.
  • The server manual shows you some options you can use when starting Honk, explains how to customize Honk’s (it supports some fun customizations), explains user management, and some additional care and feeding tips. Read this thoroughly.
  • The composition manual is a must-read since it shows off all the post composition features.
  • The filtering and censorship system manual will help you deal with any abuse.
  • The ActivityPub manual explains what Honk does and does not support in that protocol.
  • The API manual has all the information you need to use your Honk instance via some programming language or just curl.

Stuff To Try!

  • Follow folks on other servers! Hit me up at @hrbrmstr@mastodon.social or @bob@honk.hrbrmstr.de if you want to test following out (and get a reply).
  • Customize your site CSS! Make it yours. The manuals provide all the information you need to do this.
  • Add custom emoji and other components (again, the manuals are great).
  • Write an API wrapper package so you can use your instance programmatically (this is a good way to make an ActivityPub bot).
  • Look at the toys/ subdirectory. It has some fine example programs you can riff from (or just use):
    • autobonker.go – repeats mentioned posts
    • gettoken.go – obtains an authorization token
    • saytheday.go – posts a new honk that’s a date based look and say sequence
    • sprayandpray.go – send an activity with no error checking and hope it works
    • youvegothonks.go – polls for new messages
  • Import your toots or Twitter archive
  • Start a Honk instance for one of the communities you’re in. Honk really cannot support a large community, but small clubs can use Honk vs deal with a full-on Mastodon instance.
  • Poke around the SQLite databases Honk uses.
  • Help someone else setup a Honk instance
  • Customize the Honk codebase and show off your additions

Get Familiar With The Protocols

WebFinger (mentioned yesterday) is the on-ramp to poking at things, and I prefer playing with instances I own vs annoy folks trying to run “real” Mastodon servers. Honk lets you play without being a bad netizen.

$ webfinger acct:bob@honk.hrbrmstr.de

drops the following to the terminal:

{
  "aliases": [
    "https://honk.hrbrmstr.de/u/bob"
  ],
  "links": [
    {
      "href": "https://honk.hrbrmstr.de/u/bob",
      "rel": "self",
      "type": "application/activity+json"
    }
  ],
  "subject": "acct:bob@honk.hrbrmstr.de"
}

Visit the aliases in a private browser session (so no cookies/etc are used and you see what the world sees) or just curl it from the terminal.

Explore links:

$ curl --header "Accept: application/activity+json" https://honk.hrbrmstr.de/u/bob

drops the following to the terminal (see what happens w/o that custom Accept header, too):

{
  "@context": "https://www.w3.org/ns/activitystreams",
  "followers": "https://honk.hrbrmstr.de/u/bob/followers",
  "following": "https://honk.hrbrmstr.de/u/bob/following",
  "icon": {
    "mediaType": "image/png",
    "type": "Image",
    "url": "https://honk.hrbrmstr.de/a?a=https%3A%2F%2Fhonk.hrbrmstr.de%2Fu%2Fbob&hex=1"
  },
  "id": "https://honk.hrbrmstr.de/u/bob",
  "inbox": "https://honk.hrbrmstr.de/u/bob/inbox",
  "name": "bob",
  "outbox": "https://honk.hrbrmstr.de/u/bob/outbox",
  "preferredUsername": "bob",
  "publicKey": {
    "id": "https://honk.hrbrmstr.de/u/bob#key",
    "owner": "https://honk.hrbrmstr.de/u/bob",
    "publicKeyPem": "CLIPPED B/C TOO BIG FOR SUBSTACK"
  },
  "summary": "BIO CLIPPED B/C TOO BIG FOR SUBSTACK",
  "tag": [
    {
      "href": "https://honk.hrbrmstr.de/o/rstats",
      "name": "#rstats",
      "type": "Hashtag"
    },
    {
      "href": "https://honk.hrbrmstr.de/o/blm",
      "name": "#blm",
      "type": "Hashtag"
    }
  ],
  "type": "Person",
  "url": "https://honk.hrbrmstr.de/u/bob"
}

Try all those endpoints and see what they drop (feel free to hit my server)

FIN

Honk is a great way to explore the various components of the Fediverse and I encourage folks to use it to get more familiar/comfortable with this tech. Drop comments if you run into any issues or have q’s (feel free to honk/toot q’s as well). ☮