First and foremost, I really dislike the term because it’s laden with all sorts of militaristic and anti-free movement and all sorts of other problematic baggage, but it’s the term the industry is using, so we go with it I guess until the current push is over and we can quietly suggest a different term like happened with git branch names and replication terms. It's also annoying to spell correctly.

So what is it and why does it matter? Well, at the highest level, it means that data is kept within the EU for EU citizens. It’s more than that of course but that’s the premise that is underlying the situation.

We’re already done! eu-west-1.

So in that case, AWS’ eu-west-1 zone, based in Ireland fits the bill, right, and we can just deploy there and be sovereign? Well, turns out, no, that’s the “more than that” part. First of all, AWS (as with all the other cloud providers) has zone-based, region-based and importantly global services. Oh dear, so if you use any of the global services, now your data is replicated out of eu-west-1 and into us-tirefire-1 (officially known as us-east-1) and the other AWS regions.

So, just don’t use global services and good right? Well, theoretically, but see the legals section below. Also, if you’re doing much with AWS, you’re gonna use them, s3 for instance is a global service, which is a dealbreaker for most people. Bigger than that, all of the auth in AWS goes through us-east-1, yup, your logins, your “can this service talk to that service” rules. Also DNS, which no less than 13 AWS services depend upon to spin up, that’s not in your region, it’s in, you guessed it us-east-1.

Argh, okay, I guess we use this new AWS European Sovereign Cloud region?

Well… as of 2025-10-21 that’s still in “Coming Soon” status, it’s being delivered by really putting some people through the wringer in Berlin, with hugely optimistic deadlines, and as those who have waited for AWS regions to come online, chances are it will launch with a limited subset of services. Also, this is still legally gray as I’ll go into below.

What about this t-systems google sovereign cloud, same problems there? Google are a bit further on with this region but still are struggling to get it up to full parity from their europe-west3 (Frankfurt, most commonly used in the EU) or europe-west1 (Belgium, cheaper) regions. It also tries and fails to sidestep the legal issues here.

Microsoft Azure? Even more behind as I understand it (but I don’t have contact with them, as I avoid working with azure in general).

So these legal issues?

Here’s the meat of it. Simply put, an American company must comply with US law, seems reasonable, until it’s incompatible with EU law, and that’s the big issue here. Here’s the biggest example to me:

• Under US law, if a judge decrees it (or in some cases, government or intelligence agencies), any activity related to a potential crime can be accompanied by a “gagging order” – compelling, legally, people involved not to speak of it. The theory behind this is if someone has evidence that could lead to an arrest, they don’t want to tip off the perpetrator to the investigation so they can flee. This activity, crucially, could be seizure of (copies of) data.

• Under EU law if a citizen’s data is accessed by a third party, the provider must notify them. No exceptions.

This is the big stumbling block that has had multiple attempts to be solved, the Safe Harbour principles (in the Schrems I case CJEU found this invalid), the EU-US Privacy Shield (In the Schrems II case CJEU found this invalid) and the current Data Privacy Framework (which makes no mention of gagging orders that I could find for instance, so whilst it may work as it says the US companies must comply with EU law, no case has yet tested this where the US and EU laws are in conflict).

How does the AWS/Google/MS sovereign cloud stuff deal with this? It doesn’t. The closest is Google’s attempt, which puts the management of the cloud resources under T-Systems (a German company not a subsidiary, which is a great start), but is still using Google’s software stack and given that it’s a cloud provider, it would need security updates. What is to stop a Judge who doesn’t know what cloud even means saying “Yes, we need to compel google to put in a backdoor in their next security update and enforce a gagging order to prevent it being heard of.” when requested to do so by some government agency? AWS are just “Oh you pay AWS Europe, that’s a separate (subsidiary) company that has to comply with EU law”. Yeah, that’s not a good enough guarantee for me, as AWS Europe is entirely dependant on AWS for their software, job security, and well, their existence. Same for the Microsoft one. I’m willing to bet that all the other US cloud companies (Oracle, DigitalOcean, Salesforce cloud?!) are somewhere on the spectrum between Google’s approach or AWS’ approach or are just not doing “sovereign” at all.

EU way forward?

So how can companies use “the cloud” and not American companies? Simple, don’t use American cloud providers.

Yes, the EU “cloud providers” are lagging behind but they’re catching up. Scaleway, Herzner, and others are there, and you should check them out if you’re starting a business in the EU. You can even look at VPS providers and see what you can make with their offerings. Running VMs in multiple EU providers is going to be a challenge depending on your size of company, but it could make you pretty bulletproof.

If you’re considering a migration, then you’re really going to need to sit down and chew on your architecture, there’s no easy way around it, but please, for peoples’ sanity, don’t ask for a detailed plan and then say “Oh, we decided it’s not worth it and we’ll pay fines if we get them”.

Lastly if you’re looking at a cloud provider's Kubernetes offerings and don’t feel they’re great (frankly all “managed” kubernetes’ are semi-managed at best in my opinion), consider using siderolabs’ Omni to manage your own fleet of k8s nodes, it’s really very good.

Comments on this blog post? On Mastodon here.

I use ntfy.sh (self-hosted) for notifications on my degoolged android device, and forgejo (fork of gitea, which is a fork of gogs) for my source control.

Forgejo's webhooks don't currently support custom webhooks, but do support several “standard” webhook targets (like slack, discord etc.) and some others including other forgejo instances.

As I have renovate updating my argocd managed self-hosted kubernetes applications, I want notifications when there's an upgrade ready (PR opened).

Well, it turns out that ntfy.sh has the option to basically reformat any json provided as gotemplate (ugh, it's not nice but at least it works).

So, to get nice notifications I simply set up a forgejo webhook of type forgejo and give it the ntfy details as follows :

Target URL : http://ntfy.ntfy.svc.cluster.local./git?template=yes&title=ForgeJo%20Pull%20request%20%23%7B%7B.number%7D%7D%20%7B%7B.action%7D%7D&message=%7B%7B.pull_request.html_url%7D%7D%0A%0A%7B%7B.pull_request.title%7D%7D%0A%0A%7B%7B.pull_request.body%7D%7D HTTP Method : POST POST content type : application/json Authorization header : Bearer <<token I created in ntfy.sh>>

And personally I only have it send a notification on “Pull request events (modification)”

And done. Okay, let's break that down a bit :

There's some interesting things in the URL : ?template=yes enables gotemplate rendering of the title and message fields. Those fields unencoded look like this :

title: ForgeJo Pull request #{{.number}} {{.action}} message:

{{.pull_request.html_url}}

{{.pull_request.title}}

{{.pull_request.body}}

By switching to POST, the URL doesn't have anything overridden, and ntfy knows that if there's a body content type of application/json, to apply that data to the templated title and message fields.

The authorization header is a token created with ntfy token add <<username>> so yes, it's a secret, but not a high-value one.

If your ntfy client supports markdown, you can add &markdown=true to your message and use markdown in your templates, but the android app isn't great at it, so I went with plain-text, urls are automatically parsed.

Until someone implements custom webhooks, this will do me, and hopefully someone finds it useful as well.

Here I'm documenting the steps (in varying level of detail) for posterity and others to get an e-paper price tag with the next event of my day merging multiple calendars together.

This is what the end result looks like (that's a 2.9” epaper display and looks so much nicer in-person) :

So what do you need to make that happen?

• Calendars in Home Assistant
• OpenEPaperLink Access Point
• 2.9” tag with OpenEPaperLink firmware
• Some fun with jinja templating

Calendars in Home Assistant

Google Calendar

Where I work uses Google Calendar and have not disabled the iCal feed. Where you work may use something different, and also you might want to check with someone if it's against policy to have calendar entries exported.

To get that Google Calendar into Home Assistant is relatively simple, you add the ICS Calendar integration, give it the “Secret address in iCal format” from the settings of the calendar, name it something like “Work” and done.

NextCloud Calendar

I use NextCloud for my personal calendar so I don't miss out on things like game night.

Again, simple integration, this time the CalDAV one. Go into the Calendar app on NextCloud, click settings and scroll down until you get to “Copy primary CalDAV address”. Enter that, along with credentials into HomeAssistant, and calendar is set up.

Others

There are integrations for other calendars but I don't use them, so YMMV, but worth a shot.

OpenEPaperLink Access Point

Okay, this takes a little explaining. OpenEPaperLink (henceforth OEPL) is a combination of custom firmware for various price tags/ePaper displays and an Access Point for sending data to them.

Generally, these use the same radio (and therefore channels in the 2.4Ghz spectrum) as ZigBee (802.15.4) but without the ZigBee protocol layer. Yes, that means your existing ZigBee setup won't help you here.

Note: I'm ignoring the rarer price tag types, which need another radio (known as subghz) and bluetooth-only tags which to my understanding are currently problematic for the AP.

To make things easy, OEPL has created multiple types of access point. Usually this is an ESP32-S3 coupled with an ESP32-C6. You need both pieces to make an AP because you need to be talking wifi (s3) and 802.15.4 (c6) at the same time. I'm actually using a much older AP based on the ESP32-S2 and a spare segmented tag which is acting in place of the ESP32-C6, but that's not getting any updates now.

Choices are here : – The easiest (but definitely not the cheapest) AP is the LilyGo T-Panel AP. – If you're not so good at soldering, and want a cheap option you can use dupont cables and make the Spaghetti AP. – If you want a cheap but nice option and don't mind ordering PCBs and a bit of soldering, the Yellow AP is probably for you.

Bear in mind this blog post was written in February 2025, so you might want to browse the OEPL github wiki to see if things have changed here.

Once you have an AP, connect it to your network and it will talk to any flashed tags you have.

E-paper price tag

I'm using the most common tag, manufactured by Solum, the ST‐GR29000. There are a lot of tags that have OpenEPaperLink (OEPL) firmware, and getting them is sometimes hard. eBay sometimes has them, aliexpress rarely, and the discord (check the homepage for a current link) that's used for OEPL has some trading because when people find a tag they like, they often buy in bulk, and have spares.

The tags come in different shapes and sizes, the code on this page is for a 2.9” tag at a resolution of 296x128px. It should work for any tag that is the same resolution, or you might want to tweak the positions of things if you have a different resolution.

Also fun to know, ePaper usually comes in Black and White; Black, White and Red or Black White and Yellow. I like BWR myself, and if you only have a Black and White tag, you might need to change the Red to Black in the code, not sure what the integration would do if you sent red to a Black&White tag. I don't know if OEPL supports more colours (the integration doesn't) as colour ePaper screens are still quite rare.

Mine came pre-flashed with the OEPL firmware because they were used by someone else before. If you have to flash more than one, you probably want to make a jig for it.

Fun with templates

Once you have all the above, install the OpenEPaperLink (OEPL) integration. You can get this via HACS, which I recommend, and doesn't require your HA be connected to the “My Home Assistant” Cloud stuff.

Home Assistant uses the Jinja templating language to template text. The OEPL integration provides a new action called DrawCustom that you can call from an automation and allows you to describe in YAML form what you want to draw. That's a choice (one that the HA ecosystem leaves you with little choice in) but we work with what we have.

One of the people on the aforementioned discord (check the homepage for a current link) posted an agenda view automation and combined their calendars, and I iterated on that to provide this one.

Here's the juicy YAML:

alias: Next Event
description: ""
triggers:
  - hours: /1
    trigger: time_pattern
    minutes: /5
conditions:
  - condition: time
    after: "05:00:00"
    before: "23:00:00"
actions:
  - alias: Get events 0 day(s) from now (filtered out past events)
    data:
      start_date_time: "{{ now() }}"
      end_date_time: "{{today_at('00:00') + timedelta(days=1)}}"
    response_variable: cal_day_0
    target:
      entity_id:
        - calendar.personal
        - calendar.work
    action: calendar.get_events
  - alias: Get events 1 day(s) from now
    data:
      start_date_time: "{{ today_at('00:00') + timedelta(days=1) }}"
      end_date_time: "{{ today_at('00:00') + timedelta(days=2) }}"
    response_variable: cal_day_1
    target:
      entity_id:
        - calendar.personal
        - calendar.work
    action: calendar.get_events
  - alias: Get events 2 day(s) from now
    data:
      start_date_time: "{{ today_at('00:00') + timedelta(days=2) }}"
      end_date_time: "{{ today_at('00:00') + timedelta(days=3) }}"
    response_variable: cal_day_2
    target:
      entity_id:
        - calendar.personal
        - calendar.work
    action: calendar.get_events
  - alias: Get events 3 day(s) from now
    data:
      start_date_time: "{{ today_at('00:00') + timedelta(days=3) }}"
      end_date_time: "{{ today_at('00:00') + timedelta(days=4) }}"
    response_variable: cal_day_3
    target:
      entity_id:
        - calendar.personal
        - calendar.work
    action: calendar.get_events
  - alias: Extract events from all calendars
    variables:
      header: Next Event
      timeheaderstart: Start
      timeheaderstartx: 266
      timeheaderend: End
      timeheaderendx: 272
      events_day0: >
        {{ cal_day_0.values() | map(attribute='events') | list |
        sum(start=[])}} 
      events_day1: >
        {{ cal_day_1.values() | map(attribute='events') | list |
        sum(start=[])}} 
      events_day2: >
        {{ cal_day_2.values() | map(attribute='events') | list |
        sum(start=[])}} 
      events_day3: >
        {{ cal_day_3.values() | map(attribute='events') | list |
        sum(start=[])}} 
      days:
        - Today
        - Tomorrow
        - Ubermorgen
        - 3 Days away
  - alias: Send generated Event to OEPL
    metadata: {}
    data:
      rotate: 0
      dry-run: false
      background: white
      payload:
        - type: text
          value: |
            {{ header}}
          font: ../../media/OpenSans-Bold.ttf
          x: 10
          "y": 10
          size: 20
          color: black
        - type: text
          value: |
            {% if events_day0 | count > 0 %}
              {{ days[0] }}
            {% elif events_day1 | count > 0 %}
              {{ days[1] }}
            {% elif events_day2 | count > 0 %}
              {{ days[2] }}
            {% else %}
              {{ days[3] }}
            {% endif %}
          font: ../../media/OpenSans-Bold.ttf
          x: 10
          "y": 50
          size: 28
          color: red
        - type: text
          value: |
            {%- set events = [{}] %}    
            {% if events_day0 | count > 0 %}
              {%- set events = events_day0 | sort(attribute='start') | list %}
            {% elif events_day1 | count > 0 %}
              {%- set events = events_day1 | sort(attribute='start') | list %}
            {% elif events_day2 | count > 0 %}
              {%- set events = events_day2 | sort(attribute='start') | list %}
            {% elif events_day3 | count > 0 %}
              {%- set events = events_day3 | sort(attribute='start') | list %}
            {% else %}
              {%- set events = [{}] %}
            {% endif %}
            {%- set event = events[0] %}
            {%- if 'start' in event -%}
                {% if as_timestamp(event.start) | timestamp_custom('%H:%M') == "00:00"%}
                  All day:  {{ event.summary }}
                {% else %}
                  {{ event.summary }}
                {% endif %}
            {%- endif -%}
          font: ../../media/OpenSans-Bold.ttf
          "y": 105
          size: 14
          x: 10
        - type: text
          value: |
            {{ timeheaderstart }}
          font: ../../media/OpenSans-Bold.ttf
          x: |
            {{ timeheaderstartx }}
          "y": 5
          size: 11
          color: red
        - type: text
          value: |
            {{ timeheaderend }}
          font: ../../media/OpenSans-Bold.ttf
          x: |
            {{ timeheaderendx}}
          "y": 55
          size: 11
          color: red
        - type: multiline
          delimiter: §
          font: ../../media/OpenSans-Bold.ttf
          value: |
            {%- set events = [{}] %}    
            {% if events_day0 | count > 0 %}
              {%- set events = events_day0 | sort(attribute='start') | list %}
            {% elif events_day1 | count > 0 %}
              {%- set events = events_day1 | sort(attribute='start') | list %}
            {% elif events_day2 | count > 0 %}
              {%- set events = events_day2 | sort(attribute='start') | list %}
            {% elif events_day3 | count > 0 %}
              {%- set events = events_day3 | sort(attribute='start') | list %}
            {% else %}
              {%- set events = [{}] %}
            {% endif %}
            {%- set event = events[0] %}
            {%- if 'start' in event -%}
                {{- as_timestamp(event.start) | timestamp_custom('%H:%M') }}§{{as_timestamp(event.end) | timestamp_custom('%H:%M') }}
            {% endif -%}
          start_y: 32
          x: 190
          size: 40
          offset_y: 50
          color: black
    action: open_epaper_link.drawcustom
    target:
      device_id: b173ed2bf21ca8444c86afb61ef222e1
mode: single

You'll need to grab the font and put it in your Home Assistant media directory (mine is /config/media but your setup might be different).

I've made some config variable in Extract events from all calendars like the heading, and words for Today/Tomorrow/Übermorgen/In 3 days (I love the word Übermorgen), and you can left-align Start/End to the time by setting their x values in there to 190 if you prefer that look.

Comments on this blog post can be sent direct on the fediverse (any activitypub server like mastodon etc.) on @martyn@toot.martyn.berlin.

So, When I first read this article about using Apple's Airtag network to notify that post had been delivered, I was super intrigued, but as I investigated, it required a mac to run the server side and I got disheartened and didn't look at it again until recently.

Somewhere the macless-haystack project got linked to me and I found out they had found a way to not need a mac and I was super happy. In between times, I got really into homeassistant and have so many devices, I just assumed it would have support for it. Not so, but it is possible to add now. So how do we get to hass having a cheap tracker in it? Let's dive in.

The pieces

• A supported cheap tracker or make your own
• A working apple id with SMS 2factor auth – this can be tricky, there's a section below on this
• A linux machine, VM or place you can run docker containers
• The software :
  • Homeassistant
  • anisette – think of this as a proxy to the mac servers
  • (Optional but recommended)macless-haystack – web/mobile client to ensure everything is working before moving on.
  • hass-FindMy integration

The process

I'm going to assume you already have homeassistant installed and not go over that, but the rest is worth talking about.

Supported tracker

Okay, so it's time to play the aliexpress roulette game here. 99% of the trackers you can get on AliExpress will be one of the supported trackers :

• ST17H66
• TLSR825X
• CH592

Especially if you get an item that lists the chip in the title, you're probably good, but you probably want to buy one and open it up before proceeding because you won't be 100% certain until then.

biemster from the FindMy project is also looking at making a custom tracker.

No guarantees that the next batch from this supplier will be the same but I bought this one and got ST17H66-based trackers.

Opening and flashing

On a machine with python, clone the findmy repo and run the generate_keys.py script. You can generate a number of keys with -n if you want, -y to output in yaml all that fun stuff.

Put the keys somewhere safe, like in a password manager

Remove the battery, take a spudger and get that case open. It is possible that the case is heat-sealed, in which case, you might want to have a 3d printer handy. I thought mine was, took side cutters to it and it popped open even though I had tried to spudge it open. Oh well.

Depending on your fob type, you might have to do a bit of soldering. I found using magnet wire worked well to solder to the fob's test points. The documentation is a bit distributed, but this issue got me there on my ST17H66. Effectively, you connect your UART adapter's RX to P9, TX to P10, GND to GND and a 3.3v (not 5v) power supply to P15. Then you run the flash tool (which you have to edit to point at the right port), with your private key as a parameter whilst wiggling the 3.3v line until it goes into upload mode.

Once it's flashed, any passing iPhone user will report the tag's location (encrypted – here's how that works) to apple's servers. All good, but you might want to actually retrieve that data, so let's continue.

Anisette

Anisette is a reimplementation of omnisette, which is a http wrapper around a set of rust libraries that talk to apple's APIs. That's not that important, but it does a simple job, it talks to apples apis and exposes an api to get findmy devices by private key.

macless-haystack (somewhat optional)

By running macless-haystack you get two things – one is that you are able to validate that you can log in with your apple id, and the other is you can have a nice interface to where your tracker has been since you flashed it with the firmware.

Running it in docker (or in my case in k8s) in interactive mode starts up the login process, which is super important. If you can't get macless-haystack running because of a message like Account limit reached, then you're gonna need a “real” apple device to knock your apple account into a working state.

If you see serving at port 6176 over HTTP, you're golden and can skip the next section.

fixing your apple id

Your Apple ID needs to have :

• a working phone number for 2 factor auth via SMS
• an official device having logged into it like an iPhone, iPod or macbook
• probably a valid payment method

You can try some of these options :

• Borrow a friends' ipad, macbook or phone, login to your apple id, then remove yourself from it. (easiest but may expire at some point, maybe?)
• Register a new apple id via apple music, add a payment method, sign up for the free trial, add 2factor auth and maybe it will work. I couldn't get to set up 2fa so never got this working
• Run a macOS VM and login with your apple ID and shut it down without removing it. This is the one that worked for me.

I used https://github.com/sickcodes/Docker-OSX/ in the end, but on wsl2 getting the interface to appear is really hard, so I ended up with this command and accessing the VM with tightvncviewer localhost::1

docker run -it \
    --device /dev/kvm \
    -p 50922:10022 \
    -v /mnt/wslg/.X11-unix:/tmp/.X11-unix -v /run/desktop/mnt/host/wslg:/mnt/wslg \
    -e "DISPLAY=${DISPLAY:-:0}" \
    -e GENERATE_UNIQUE=true \
    -e MASTER_PLIST_URL='https://raw.githubusercontent.com/sickcodes/osx-serial-generator/master/config-custom.plist' \
    -e SHORTNAME=monterey -e EXTRA='-vnc :1' -p5901:5901 \
    sickcodes/docker-osx:latest

There's also https://github.com/kholia/OSX-KVM if you're on a real linux machine and a couple of very outdated blogs showing how to do it on VMWare/VirtualBox etc. but I've never got any of the blog posts to actually work.

homeassistant integration

The integration is seamless but has not yet been published to the HACS store yet, so open HACS, click the three dot menu, and go to “Custom repositories”. There you can add the github url – https://github.com/malmeloo/hass-FindMy and a name for the repo, it's of type Integration if you're asked. Once that's done you can install the integration and restart, before adding the integration in settings.

If you're running a containerised version of homeassistant, you'll probably need to add pip install FindMy==0.7.3 into the startup scripts because it often doesn't add dependencies from HACS which is quite annoying.

When you add the integration, it asks you to add a device, select Apple Account and give it your apple id details. Then add another device which is the tracker you want to monitor – for this you need the private key, which you stored somewhere safe when I suggested it above, right?!

If it can't login to your apple account, go back and check macless-haystack, and see if the message is account locked or account limit reached, if so, see the previous section.

Recently I was asked about my android phone setup where I don't have Google Play and yet seem to have no real issues with life without the Big G.

What prompted this ironically was a time where I actually did have an issue, but the fact that it is so rare is worthy of note, so have a note!

First, the hardware

I run a Poco 5G and this took some research as most handset manufacturers are refusing to unlock bootloaders and I want a relatively modern experience, not a slow ancient (in phone terms) device.

Poco is a sub-company of Xiaomi but it's easier to unlock them than some Xiaomi devices because they're a smaller company.

To unlock the phone required me to buy the phone, attach it to my PC, request unlock code, then put it back in it's box for 2 weeks. Yep, you read that right, they force a wait of 2 weeks to basically attempt to get you to use the phone the way they want you to. I persevered and continued 2 weeks later.

Then, the OS

I use LineageOS which is the successor to CyanogenMod which stopped being so open when they became a company and there was drama. Let's not go into that.

It is possible as with any custom “rom” to install the Gapps package, sign into a google account and everything work, but that's not my style. So no Gapps. Instead I use a project called MicroG.

Setting up MicroG can be a bit of a pain, and I can't really remember what I did to get it completely setup but once it's set up, it's solid.

What?! MicroG uses google servers!

Yep, that's an irritating fact of life. Almost anything that wants to send push messages to an android device without their app draining battery uses google servers, so you are a bit stuck here. I prefer that than a signed-in google account though, I can at least tell myself that it's harder to correlate that way. More on push later though.

It however doesn't use Google Maps or Play Services and instead reimplements these. There is a “fake store” app that you install and it uses OpenStreetmap for the mapping side of things.

Then I sideload using “Browser” (yep that's the AOSP browser right there) f-droid and we start installing apps.

And what apps would those be? f-droid only does open source, what about my bank, public transit etc.

Hold your horses, we're getting there. First, we get the opensource apps and set up the niceties like contacts and calendar sync.

• DAVx5 allows me to sync my contacts and calendar with my NextCloud account. I prefer to use this than the NextCloud app because it uses standards-driven stuff. I'm also used to doing it this way since in the early days OwnCloud didn't have an app.
• FairEmail – I use this because k9mail always had trouble with push notifications over IMAP and surprise surprise, I don't use Gmail on my phone (my legacy gmail address forwards to either my zoho or yunohost mailbox)
• FakeStore – as mentioned above, this is for allowing stuff to think it's installed by the Play Store.
• FFUpdater – this is an odd one, but it installs various browsers and keeps them updated – I use it for Bromite when I have to use “chrome”, Firefox Klar and Tor Browser.
• Molly – I use this signal fork, and to get it I had to add a separate repo to f-droid.
• NewPipe – a nice YouTube frontend that again, doesn't require a login.
• ntfy – This one rocks. I self-host an ntfy.sh server and my Tusky notifications go via this rather than google's servers – a growing standard called UnifiedPush enables this and it's worth checking out.
• OrganicMaps & OsmAnd~ – Organic is a lovely front-end to OpenStreetmap data, with routing and even transit routing built-in. It's really quite good. It will keep getting better I hope. I still have OsmAnd because whilst it's transit routing is slower and ostensibly worse, it does allow for more variations.
• QR Scanner (PFA) – this is a nice QRCode scanner that actually shows you the url before going to it.
• Telegram FOSS – yup, telegram is on f-droid.
• Tusky – I'm a fediverse fedizen and this is my preferred client.
• UntrackMe – This redirects links sent to me from twitter, reddit, youtube etc. to nitter, teddit, invidious etc. Really nice tbh.

Enough already, what about my banking app?

Okay, okay. The last app that I install from f-droid is the AuroraStore app. Until about a month ago it was perfect, but now, the search is somewhat broken. I might create a disposable gmail account to fix that. What it does is basically logged-out playstore.

If you have correctly set up microG – there's an app called microG Settings that is installed as part of flashing microG that has a handy Self-Check option – you're good to just install all the horrible tracker-filled software you want from play.

It even downloads the packages from google's servers – this is not ye olde skool “search apkpure.com and hope that it's the real apk”.

I have lots of things installed this way, and whilst they'll be full of trackers, some are actually necessary for my lifestyle.

• My banking apps – I have n26, tomorrow bank and revolut as backup banks in Germany, and they all “just work”.
• 1password – much as I love the company I doubt they will want an opensource client
• BVG Fahrinfo – the Berlin transit app, again, just works.
• Chwazi – this one is for the boardgamers, it's purely for choosing who goes first.
• DB Navigator – the German railways app, very nice to have for train travel without paper.
• FreeNow – Taxi app that works in Berlin with the real Taxis and has deals with Uber and other non-taxi rideshare drivers.
• Slack – yeah, kinda nice to have that.
• ÖBB tickets – again, I often use Vienna public transport. Just works.

Really, just works?

Okay, so the other day I had an issue where DB left me stranded in a town where FreeNow didn't have coverage so I had a bit of an emergency because there were no taxis and I didn't have Uber installed (still don't really know if it would have helped tbh). The search on Aurora wasn't working and I couldn't get it to trigger from the play store (which it can do, but google is trying to make it hard).

Whilst I was getting microg working, I did have trouble with the taxi app because it wasn't getting the mapping right and so would tell the taxi company I was a long way from where I was ordering and at the time they were not letting you order where your phone was not. That's a bad policy imo but also once I was getting green ticks throughout my MicroG settings, it's been glitch-free since.

Am I getting the best most privacy-respecting experience with zero hassle? No. Is it convenient enough for me, yes. Is it privacy-respecting enough for me, well, I want better, but for now, yes.

If you want to comment feel free to tag in @martyn@toot.martyn.berlin in your favorite fediverse client :–)

I've split the list into some sections :

Useful for most folks interested in self-hosting

• cryptpad – Collaborative “office type” suite, entirely clientside encrypted drive, docs, spreadsheets etc. very useful when sharing info with my parents that really shouldn't be public
• funkwhale – I make music sometimes, and this is a federated music site akin to soundcloud.
• gotosocial – a lightweight #fediverse #mastodon style server. I currently am having some issues with it, so my main account is on https://masto.host/
• hauk – Remember google latitude? where you could share your location with a friend on google maps and actually walk toward them and have it update? This is a self-hosted implementation of that kind of service.
• logitech media server – a completely offline multiroom audio capable music library. I have devices scattered through the apartment, and I can play music to all of them at once with them all in sync.
• nextcloud – very extensible personal “cloud” storage – I use this for ensuring my password manager is synced (webDAV), and my phone contacts (cardDAV) and calendar (calDAV) are up-to-date.
• ntfy – a UnifiedPush self-hosted notification system. It allows tusky to ask for notifications without google being involved, and also allows me to send push messages from scripts (e.g. attached to flexget) or other systems such as uptime-kuma
• owncast – a single-user twitch or youtube live replacement. Allows me to stream if I'm in the mood for that, without using a third party. NOTE: this is one of the few things I have on a free tier hosting platform as well because it does run better there.
• peertube – #peertube is video hosting, like youtube, only better, decentralised and federated #fediverse
• pihole – access the internet without the trackers and adverts.
• syncthing – an alternative way of syncing data between machines. Great for folders of files such as obsidian or other notetaking apps.
• whoogle – This is SO good. Google search without the javascript tracking. Okay, they can still track my IP, but it's so much better. I love the idea of duckduckgo and others, but they just don't get the results I need. I use libredirect to redirect any google results pages to whoogle, so even if someone gives me a link to a google search, I get to my whoogle instance.
• writefreely – this blog, running WriteFreely

Useful for the more geeky folks (programmers, arduino tinkerers, home automation geeks etc.)

• argocd – a #continuousDelivery platform, defines what is running in kubernetes in git and keeps it in sync with the git repo. Allows me to rebuild the cluster from scratch in theory.
• drupal – I have a very old site that I want to keep online, and ~15 years ago I migrated the content to drupal.
• code-server – vscode, but not built by microsoft, and in the browser. Allows me to access my dev environment anywhere I have a browser.
• (No longer running) domoticz – a home automation system written in c(++?) that used to run my home automation
• (Deprecated) drone – a CI system I no longer use for new projects because they switched to a proprietary license
• echo-server – a useful piece of debugging software that tells me how a request actually looks when it reaches a pod in the cluster
• esphome – a way to expose esp8266/esp32 devices to HomeAssistant for automation purposes without writing code.
• flexget – a download manager that lets me listen to rss feeds and download the files within them. I need this for reasons.
• gitea – Fork of Gogs – a nice little git server that looks and feels a lot like github.
• homeassistant – Home automation, done pretty well, and entirely offline (it can be online but the way I run it isn't).
• hyperion – creates an “ambient light” system from video streams – this is used to make my TV have an “ambilight” style colourwash behind it that changes based on the scene. I use wled, an esp8266 and a string of ws2812 addressable LEDs to achieve the lighting, and https://rootmy.tv to allow my LG tv to capture it's screen and send it to hyperion.
• jellyfin – My media library, completely offline, sat on my drives here, not on some cloud server.
• karaoke-eternal – My karaoke library exposed as a web service so I can plug a web browser into a projector or TV and create a karaoke party.
• minio – S3 compatible storage allowing me to upload files of any kind and link to them.
• mosquitto – I like to string things together using MQTT. Instead of letting homeassistant provide this, I point homeassistant at my own MQTT server.
• nodered – When I don't want to write code to automate my homeassistant stuff, this allows flow-based “programming” of things. e.g. if the smoke alarm above my 3d printer makes a loud noise, the esp8266 next to the fire alarm detects this, sends an MQTT message to mosquitto, and node-red sees this and sends a signal to turn off power to the printer.
• (deprecated) openvpn – a VPN solution that I don't really use any more but is slightly more supported than wireguard, the one I actively use. It's also a lot easier to debug.
• renovate – monitor your repos for outdated dependencies. a lot like dependabot. Works with gitea nicely.
• rhasspy – OFFLINE VOICE ASSISTANT! This is super cool and I haven't done enough with it, fairly new to me, but you can use the ai-thinker esp32 boards as satellites to a server with ESP32-Rhasspy-Satellite.
• uptime kuma – a system that checks if services are up and notifies if they are not, a lot like pingdom or uptime robot. NOTE: this is one of the few things I have on a free tier hosting platform as well because it lets me know if my home network is reachable from the internet then.
• wg-access-server – the first easy reliable wireguard (VPN) setup I've seen. Works well, allows me to enroll devices onto my network super easily.
• woodpecker ci – a fork of the drone CI system which allows me to automatically build code on a git push.

Useful for just me

• ledcontroller – I wrote this to make pretty patterns on an LED wall behind me when I'm streaming. The wall is wled on an esp8266 with strips of ws2812 leds

Part of the setup of my home kubernetes cluster

• cert-manager – Automatically gets me https certificates so everything I expose to the internet gets a nice certificate
• cluster-ingress – NGINX Kubernetes ingress controller that allows me to direct all inbound port 443 + 80 traffic to the appropriate service
• external-dns configures my dns records by what I put in my ingresses so I don't have to manually create dns records.
• grafana – dashboards for my prometheus monitoring.
• longhorn – a system that allows me to use all my disks in all the nodes on the cluster to create PVCs.
• metallb – by defining a kubernetes service of type LoadBalancer, it gets an IP on my home network.
• prometheus – gotta have that observability on the system. Super overkill for home use but hey, I like having it.
• samba – I expose some PVCs to my local network for windows based PCs.
• vault – I'll be honest here, I have never got this working the way I would like, and so my secrets are not as well encrypted.

Oh, and the cluster is running on very minimal debian boxes with k3s as the kubernetes cluster software.

Do you want to try an Owncast stream but don't have a VPS and don't want to spend money on it? How about we set up one on Oracle's “Always-Free” Tier?

First question out of the way: Is Oracle's “Always-Free” Tier good enough to run Owncast. Simple answer: yes.

Longer answer you can skip if that satisfies you : We can either run their VM.Standard.E2.1.Micro class machine which has 1Gb ram and a 2Ghz vCPU (ish) and that should be enough or an ARM machine with up to 4 CPUs and 24 Gb or RAM. Given Owncast has an arm distribution, that's pretty incredible and works perfectly fine for Owncast.

Is this the best way to set up Owncast on Oracle? No! I'm doing this the easy way, and as an SRE person I would say “nooooo, don't do that, this is production, no clickops”, but I'm making this easy for streamers who are not so techie.

So, without further rambling, here's the prerequisites and the how-to.

Prerequisites: – A credit card that Oracle accepts. Seems to be Visa, Mastercard and Amex. Not sure if debit cards for those networks work, but I see no reason why not, they're mostly after ID verification here to stop spammers and bots creating accounts. – A domain name that you can control – that can be annoying, but you should be able to use a service like afraid.org if you don't have your own domain name. You probably do want a real domain name as a streamer though, just saying...

So from the top:

1. Sign up for an Oracle cloud free account – https://signup.cloud.oracle.com – The steps are really quite simple and other than the card payment which was less than a euro for me and refunded, painless. Be sure to choose the region closest to you as your home region because that will cut down latency to the Owncast box.
2. Sign into your Oracle cloud account. Note that it's frustrating that they use two different usernames. The first is sent to you in the email, and you need to enter that to get to the real login page, then the second is your email address.
3. Navigate to create an instance – Burger menu –> Compute –> Instances then click Compartment and choose the one marked (root) and click “Create Instance”
4. Change the shape of the instance to meet our needs. I suggest using Ubuntu as they don't have Debian (my usual preference) and I recommend using half of your free tier allowance, allows you to use the other half if you need to try a new version out for instance.
   • Click “Edit” next to Image and shape
   • Click “Change Image” and select “Canonical Ubuntu” and click “Select Image”
   • Click “Change Shape” and select “Ampere” and “VM.Standard.A1.Flex”. Scroll down a little and change the “Number of OCPUs” to 2. The Memory should automatically change to 12, but if it doesn't set that as well. It's overkill but better than being too strict. Click “Select Shape”
   • Under “Add SSH keys” either click on the “Save private key” and “Save public key” links or if you know what an ssh key is and you already have one, click on upload or paste public keys.
   • Click “Create”
5. Once your newly created machine has booted, you should then allow web traffic to it. This is in a couple of places (well done to Oracle for making this secure by default, but it makes for a longer document here!)
   • In the instance page click on the blue link next to “Virtual cloud network” under Instance details.
   • Scroll down to “Security Lists” on the left hand side
   • Click “Add Ingress Rules” and fill in the following details :
   • – Source Type : CIDR
   • – Source CIDR : 0.0.0.0/0
   • – IP Protocol : TCP
   • – Source Port Range : LEAVE BLANK
   • – Destination Port Range : 80
   • – Description : (Optional but my recommendation) HTTP
   • Click + Another Ingress Rule and fill in almost the same details
   • – Source Type : CIDR
   • – Source CIDR : 0.0.0.0/0
   • – IP Protocol : TCP
   • – Source Port Range : LEAVE BLANK
   • – Destination Port Range : 443 This is the difference from the previous rule
   • – Description : (Optional but my recommendation) HTTPS
   • Click + Another Ingress Rule and fill in almost the same details
   • – Source Type : CIDR
   • – Source CIDR : 0.0.0.0/0
   • – IP Protocol : TCP
   • – Source Port Range : LEAVE BLANK
   • – Destination Port Range : 1935 This is the difference from the previous rule
   • – Description : (Optional but my recommendation) RTMP
   • Click Add Ingress Rules
   • Go back to the Burger menu, click Networking and Virtual Cloud Networks.
   • Click the VCN in the table (blue text, should be something like vcn-20220909-2138)
   • Click on Network Security Groups, click Create Network Security Group and give it a Name (I chose allowown because it's, allowing owncast, I'm creative like that) and click Next.
   • Enter almost exactly all the above stuff over again. 2/3 of network access is then done...:
   • – Direction: Ingress
   • – Source Type : CIDR
   • – Source CIDR : 0.0.0.0/0
   • – IP Protocol : TCP
   • – Source Port Range : LEAVE BLANK
   • – Destination Port Range : 80
   • – Description : (Optional but my recommendation) HTTP
   • + Another rule
   • – Direction: Ingress
   • – Source CIDR : 0.0.0.0/0
   • – IP Protocol : TCP
   • – Source Port Range : LEAVE BLANK
   • – Destination Port Range : 443 This is the difference from the previous rule
   • – Description : (Optional but my recommendation) HTTPS
   • + Another rule
   • – Direction: Ingress
   • – Source CIDR : 0.0.0.0/0
   • – IP Protocol : TCP
   • – Source Port Range : LEAVE BLANK
   • – Destination Port Range : 1935 This is the difference from the previous rule
   • – Description : (Optional but my recommendation) RTMP
   • Create
   • Now we need to assign it to the instance NIC so Burger Menu –> Compute –> Instances
   • Click on the instance in the table
   • Network Security Groups: edit
   • + Another network security group
   • Select a value –> allowown –> Save changes
6. Now is a good time to assign a DNS name to the IP of the machine. This is pretty much out of scope but make an A record to the Public IP address listed in the instance machine. I'll use your.domain.here for an example from here.
7. Okay, so all the “infrastructure” is done now, we just need to connect to the machine by ssh and install Owncast and Caddy (this does the https stuff for us). First, connect via SSH to the Public IP of your machine using the ssh key you downloaded or used in creation. Again, fairly well documented elsewhere, feel free to use PuTTY or other client, but this is somewhat out of scope here.
   • If you're on windows, the simplest thing is to install the openssh client : https://www.howtogeek.com/336775/how-to-enable-and-use-windows-10s-built-in-ssh-commands/ – On mac or linux, it's already installed.
   • run on your local computer ssh -i {private key file} ubuntu@{IP From above}
8. The third and final network allow is to edit the iptables firewall on the ubuntu virtual machine. This is annoyingly a text edit, here's a sed line that should work, but you basically need to duplicate the line that ends with 22 -j ACCEPT three times, and change on the new lines 22 to 80, 443 and 1935.
   • Copy pasta: sudo sed -i s/"\(^.*22 -j ACCEPT\)"/"\1\n-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT\n-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT\n-A INPUT -p tcp -m state --state NEW -m tcp --dport 1935 -j ACCEPT"/ /etc/iptables/rules.v4
   • OR sudo nano /etc/iptables/rules.v4, duplicate the 22 line with 80 and 443 instead. LEAVE THE 22 LINE THERE!
   • sudo iptables-restore < /etc/iptables/rules.v4

From here I'm repeating some stuff from the official install docs here so feel free to check if there's updated instructions.

1. Stay connected to your virtual machine in oracle and run the following commands to get owncast up and running :
2. curl -s https://owncast.online/install.sh | bash
3. curl https://files.martyn.berlin/blog/oracle-owncast-systemd-unit.txt | sudo tee /etc/systemd/system/owncast.service †
4. sudo systemctl daemon-reload
5. sudo systemctl enable owncast
6. sudo systemctl start owncast
7. Stay connected and now it's the following commands from (Caddy's install docs)[https://caddyserver.com/docs/install#debian-ubuntu-raspbian]
8. sudo apt install -y apt-transport-https
9. curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
10. curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
11. sudo apt update
12. sudo apt install caddy
13. Create a Caddyfile for owncast :
14. curl https://files.martyn.berlin/blog/oracle-owncast-caddyfile.txt | sudo tee /etc/caddy/Caddyfile ‡ – Switch the hostname for yours (your.domain.here) : sudo sed -i /etc/caddy/Caddyfile s/streams\.martyn\.berlin/your.domain.here/g (again, you are welcome to use nano, vim etc. if you prefer!)
15. sudo systemctl daemon-reload
16. sudo systemctl enable caddy`
17. sudo systemctl stop caddy
18. sudo systemctl start caddy

Viola! all done! You can proceed to login http://your.domain.here/admin/ with user “admin” and password “abc123” (PLEASE CHANGE THIS as soon as you do!). Your stream key is the admin password.

Change the admin password (stream key), add extra resolutions, edit your home page, all the usual things, and you're good to go.

Final thoughts

This is a free way of getting your own owncast setup and will get you a working system, that should do you fine. What it doesn't do is updates, backups and helping you fix it if things go wrong. That might be fine for you, it might not. I'm just enabling you to give it a go.

I might terraform this at some point, and I long for a day where there's a good free-tier kubernetes where a lot of the above is nicely abstracted away, but here we are.

† Contents of that file in case it goes missing :

[Unit]
Description=Owncast Service

[Service]
Type=simple
User=ubuntu
WorkingDirectory=/home/ubuntu/owncast
ExecStart=/home/ubuntu/owncast/owncast
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target

‡ The caddyfile contents :

streams.martyn.berlin {
encode gzip
reverse_proxy 127.0.0.1:8080
tls webmaster@mydomain.com
}

I'm gonna be doing a stream on Owncast soon and probably co-streaming to twitch where I already have some connections. That means I want both chats on screen, so twitch viewers can see the owncast chat and vice versa. So obviously I search the interwebs with whoogle “Chat Owncast OBS” and all the answers seem pretty complex. Example link that is well-written

Whilst I'm capable of setting up those things, I found it hard to believe that this was the best use of my time. So I searched a bit harder and found the right keywords to use – “embed” is the magic term. It's not perfect so I added some custom CSS and thought I'd make it easier for people to search for and document those changes I made.

So, to add your chat as an “overlay” in OBS you can simply add a Browser type source with the URL http://your.host/embed/chat/readonly – In my case, I use a local IP here via http rather than the external https url, that saves having to sort out hairpin mode on my router.

Here is the custom CSS I use for making the chat a bit more compact :

.message { margin-top: 0px;
margin-right: 0px;
margin-bottom: 2px;
margin-left: 0px;
padding-top: 1px;
padding-right: 1px;
padding-bottom: 1px;
padding-left: 5px; }
.message-author {
display: inline;
}
.message-author:after {
content: ": "
}
.message-text{
padding: 0;
display: inline;
}

Here is what it looks like before adding the custom css:

and after :

I'm still not “happy” with the appearance, but perhaps some cool frontend person might be able to make it look better than I can. Of course I could just go the difficult way, but that seems excessive for now.

(Restored: Original date: May 2, 2022)

There's a saying that goes along the lines of “Some people collect things, like stamps or fridge magnets, and that's their hobby, but geeks collect hobbies”. That's pretty true of me, here's a bit of a non-exhaustive list :

• Boardgaming
• Computer Gaming
• Programming & Infrastructure (that's my dayjob – SRE/Devops/Platform Engineering/latest buzzword...)
• Electronics
• 3D Printing / Laser Cutting / CNC
• Home metal casting (bizmuth)
• Airbrush painting stuff I've printed
• Home automation
• Singing and Songwriting

To that last one, lately I've decided I want to put some of my songs “out there” on music platforms so I can say “oh yeah, look me up on spotify, apple music etc. if you want to hear my stuff”. That requires having a bit of a bio, which is what this post will serve as the basis of.

So, to paint a picture with words artist Martyn looks like this :

Always been surrounded by music my whole life, Dad is a Bass player and producer, Mum sings and writes lyrics. I'm named after “John Martyn” and my middle name means Harmony (thanks mum!) so early on, I had the right stuff in alignment. I played Cornet in a brass band and also a “Big band” in my teens, picked up and never got great at saxaphone in my 20s, don't have the callouses or muscle memory for guitar and can kinda “plinky-plonk” on a keyboard to make melodies or chord progressions in my daw.

Some people like to see a list of influences, and who am I to blow against the wind*? It's a very long list so I'll just list a few here : Paul Simon, Peter Gabriel, Phil Collins, The Police, Pet Shop Boys, Propaganda, Pulp, Placebo... Okay, it's not just Ps, that's just a start, let's add some more : Alan Menken, Blue Oyster Cult, The Carpenters, David Bowie, Elvis Costello, Fleetwood Mac, George Michael, Heart, Imagine Dragons, Janis Joplin, Kate Bush, Limp Bizkit, The Mamas & Papas, Nightwish, Orchestral Manoeuvres in the Dark, Paramore, Queen, REM, Sting, Trent Reznor, Ultravox, Vivaldi, Wagner, XTC, Yazoo, ZZ Top and MANY more. *If you know the song, you know.

Like my parents, music isn't my dayjob, it's a passion, not a grind for me. My muse strikes and a song is in my head, and has to “get out”. Sometimes it's a lyric, sometimes it's a beat, sometimes it's a funky bass line.

In 2021 I attempted “Songtober” which was to write and record a song a day, from a set of prompts. I didn't manage 30 songs (31st was a day off!), but I did manage 25, of varying quality.

I have two “Personas” for music :

“LycanSong” – that's me, my DAW and so many plugins (instruments), and sometimes now my producer, his DAW and many more plugins! This is the name I compose music under, and in general I don't stick to a Genre. If you had to pin me down it would probably be Folk/Pop/Rock but that doesn't cover it all and is already three!

“AcapellaWolf” – that's me, my DAW as effectively a loopstation, and no instruments. Think Pentatonics but only one person, or aspiring to be like Jared Halley, Peter Hollens, Smooth McGroove or Mike Tompkins. I don't “write” music under this persona, but I might cover LycanSong tracks this way. This is also my streaming persona when I do stream on twitch, and I also mod for (currently) one other Music streamer, and help out in the Twitch Music and associated discords.

Am I looking to be “discovered”, well, not really, I'm not after fame, and I'm fairly certain fortune is not on the cards for me with music either (should probably have “pursued” it earlier in life).

(Restored: Original date: January 9, 2022)

If you've been following my previous blog posts, you have now a dual-boot pinenote with debian, but you have a rather black-looking e-ink screen and only a terminal entry. You probably want a GUI, wifi, the touchscreen working and pen configured so you can interact with the device.

So let's start. First, wifi.

create a file with your wifi configuration (change “home” to the ssid of your wifi and “SuperSecretPassword” to the wifi password) :

cat > /etc/wpa_supplicant/wpa_supplicant.conf
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
network={
        ssid="home"
        scan_ssid=1
        key_mgmt=WPA-PSK
        psk="SuperSecretPassword"
}

(Press Control+D on a blank line to finish creating the file) Then run wpa_supplicant in the background :

wpa_supplicant -iwlan0 -c/etc/wpa_supplicant/wpa_supplicant.conf -B

After about a minute, you'll have an IP on wlan0 :

ip a show wlan0
2: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
     link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
     inet 192.168.5.156/24 brd 192.168.5.255 scope global noprefixroute wlan0 
         valid_lft forever preferred_lft forever
     inet6 dead::beef:1010:1010:0001/64 scope link       
          valid_lft forever preferred_lft forever

So we can use apt to install xwindows and a DE. For now, we'll use xfce as it's lightweight :

apt install -y xfce4 onboard xserver-xorg-input-evdev network-manager-gnome

That's a lot of packages. Eventually though, you'll be returned to the prompt.

Note: I included network-manager-gnome in the package list above as wicd no longer seems to be in debian and xfce's own network management tool is abandoned. You can decide not to include it but to get network you'd have to use wpa_supplicant manually. You can remove it from the list if you prefer to manage wifi a different way.

Now you have some more config files to create :

First, the xorg config for rotating the pen and enabling touch input :

cat > /etc/X11/xorg.conf.d/pinenote.conf
Section "InputClass"
        Identifier "evdev touchscreen"
        MatchProduct "tt21000"
        MatchIsTouchscreen "on"
        #MatchDevicePath "/dev/input/event5"
        Driver        "evdev"
EndSection

Section "InputClass"
        Identifier    "RotateTouch"
        MatchProduct    "w9013"
        Option    "TransformationMatrix" "-1 0 1 0 -1 1 0 0 1"
EndSection

Control-D again for the prompt on a blank line.

And to enable the greeter to switch to the onscreen keyboard (note TWO chevrons!):

echo "keyboard=onboard" >> /etc/lightdm/lightdm-gtk-greeter.conf

Now's also as good a time as any to create a normal user (you don't have to call it fred!) and enable them to sudo:

adduser fred

Put in the password twice, enter for the other details then when the prompt returns:

apt install -y sudo
addgroup fred sudo

Now, I'm not usually a fan of saying this, but the easiest thing to do here is reboot, as dbus, lightdm and all sorts of other things need to talk to each other and it would be fiddly to get them to do so. So issue reboot, Spam your Interrupt and use the last u-boot commands from the previous article. You should be greeted by the lightdm greeter.

To bring up the onscreen keyboard so you can log in, you can press F3 on the keyboard. I kid you not, that's the default. You can also enable it by clicking the “person in a bubble” icon in the top right though.

There you have it, a “minimal” XFCE desktop with working touch and pen.

I want to give a shout out here to everyone who has been involved with getting Linux on the pinenote up to this stage.

MASSIVE props to smauel who has been doing the kernel work that gets the panel and sound working! Thanks to everyone in the pine64 irc/discord/matrix pinenote channel for support too. Without them, I'd probably still be fighting stuff. Special thanks to irrenhaus, vveapon and pgwipeout there for their patience with me. Also a quick thanks to DorianRudolph who's docs form some very important basis for my own. And of course, pine64 themselves, this is such a cool device!