Dockerised Hugo for Local Development

Following on from last night’s post, I needed a way to run Hugo to build the new entry and deploy it. Since I had to rebuild my environment from scratch I wanted to see if I could run Hugo and Go without installing them locally.

I know Go is unlikely to cause any stability issues, as it installs all its dependencies in the user’s home dir, rather than touching system files but I’m determined in my experiment to keep my new install as clean as possible.

Using some insight I’d gathered from using docker-tizonia, a Docker version of Tizonia, and using asolera’s Golang minimal Dockerfile image as a base, I was able to put together a minimal Dockerfile that does the following:

  1. Creates a golang-based build image to pull down the latest version of Hugo.
  2. Builds and installs the Hugo binary.
  3. Copies the binary to a clean image.
  4. Sets the image work directory to /site.
  5. Exposes the Hugo server port 1313.
  6. Makes Hugo the entry point and defaults to the help text if I forget to add a command.

The Dockerfile looks something like the following:

# Stage 1: build Hugo from source in a throwaway Go image
FROM golang:1.14.3-alpine3.11 AS build

# git is needed by go get to fetch the Hugo sources
RUN apk add --no-cache git

ARG HUGO_BUILD_TAGS

RUN go get -v github.com/gohugoio/hugo/source
WORKDIR /go/src/github.com/gohugoio/hugo

# Builds the hugo binary into /go/bin
RUN go install

RUN apk del git

# Stage 2: a clean runtime image containing only the hugo binary
FROM alpine:3.11

COPY --from=build /go/bin/hugo /usr/bin/hugo

# The site source is mounted here by the wrapper script
RUN mkdir /site
WORKDIR /site

# Expose port for live server
EXPOSE 1313

# Run hugo, falling back to its help text when no command is given
ENTRYPOINT ["hugo"]
CMD ["--help"]

Also thanks to jojomi for bits cribbed from their Hugo Dockerfile.

Many of the Hugo Dockerfiles I found would copy the website source to the container in preparation for serving the files from Docker. In my case I’m happy for my plain HTML to continue being served where it is, but I didn’t want to lose out on the features you get when you’re using Hugo to develop locally - such as running a test server with live reloading.

With the help of a handy “hugo” wrapper shell script, I was able to fire up Hugo in the container, and serve my local files through a mapped volume with no appreciable difference to how Hugo was running for me before.

The wrapper is as follows:

#!/bin/bash

# Build the image (quietly, printing only its ID) and run hugo inside it,
# mounting the current directory as /site and passing along all arguments.
docker run -it --rm \
    --network host \
    --volume="$(pwd):/site" \
    --name hugo \
    "$(docker build -q .)" "$@"

This wrapper:

  1. Runs the necessary Docker command to hook the container into the host network so I can check my changes on http://localhost:1313.
  2. Shares the working directory into the expected /site working directory in the image.
  3. Passes in whatever arguments I give it.

I made this hugo wrapper executable with chmod u+x hugo, and I can now run the automatically updating Hugo server with

./hugo server

Now, because the command hugo by itself is used to build the site, I just pass in a harmless switch like -v (verbose) to build the site without triggering the default --help text.

Finally I use my previous ./deploy script to rsync the files to my host.

The two new files are in my personal-chronicle github repo for any good they can be to anyone, and I’m curious to know if there’s any way I can improve the Docker build to simplify it.

Some questions or areas I think I can improve are:

  1. I’m not sure if the line ARG HUGO_BUILD_TAGS is necessary. It just happened to be there when I finally got it working, after removing other lines that were causing it to fail.
  2. I’m getting the hugo source from github.com/gohugoio/hugo/source when the Hugo documentation says the main repo root is what you’d use to install it. I’m not sure if there was a better way to go get the Hugo project.
  3. I think I’d prefer to freeze the version of Hugo at the current version until I choose to upgrade after testing. I’m not sure how to ‘go get’ a specific version of the git repo.
  4. Is the RUN apk del git line necessary if I’m using a throwaway build image?

The thing that blows me away about Docker and Golang and a lot of modern developer technology is just how much “standing on the shoulders of giants” I’m able to do. Docker is not just a clever idea, but such a well built stack that even with a rudimentary understanding of what I wanted to achieve, I was able to do it with a few lines of code. And the Go ecosystem meant that go get etc. pulled an entire project’s worth of dependencies and built the entire Hugo app inside a black box. This is such a far cry from past experiences I’ve had trying to build software from source that I can only express gratitude for all the hard work donated by so many.

Containers May Save Me From Myself

Over on the Aus Mastodon instance (where I choose to Toot, rather than Tweet) I posted that I’m frustrated over and over again that my Linux experience goes like this:

  1. Install a new Linux distro. Be amazed and surprised just how smooth the experience is, and how little effort there was to get it working.

  2. Get excited for more “Linux” and think “Great, time to try compiling something from scratch for the experience” or “Now I can install that technology stack I was reading about”

  3. Install said stack, or attempt to compile said something.

  4. Fail - due to having picked the wrong distro with the wrong version of Python, or having picked a desktop that runs on Wayland instead of X.

  5. Find workarounds, tutorials on how to compile around the issue, or just instructions on how to install another version of Python. Be successful or not.

  6. Get a notification that the Next Version of my distro is available - and look at all the neat new features and stability it has!

  7. Install the new version and discover some new hellish torment that means that the rock solid stability I’ve been enjoying up until this version is gone and no amount of scouring the internet, or trawling the logs will help me figure out how to restore my OS and with it, my sanity1.

I’m not sure if step seven happens because of my tinkering in step five. The frequency with which it happens makes me think it has to be me.

So I find another distro, or I download the installer for the new version, and I backup all my files and I rebuild my machine and repeat from step one. It’s getting tiresome.

So having pinned the problem on myself, I’ve decided this time around I’m going to containerise everything. For those only slightly behind me on the discovery of new technology concepts, containers (or sandboxes (or jails Rubenerd has been using for years)) are a way to put applications in their own little bubbles without access to anything else on your computer2. They help keep everything from rubbing up against each other and getting computer juices everywhere - sort of like social distancing for computer software. Fedora Silverblue is container-based and looks amazing. I have loved using Fedora and learning how to sandbox everything is probably a good skill to learn moving forward. Also, @shlee generously gave me his time to teach me Docker and now I want to keep using it for everything.

BUT… Fedora (and Silverblue) have some downsides for me. Remember step five? Almost every Linux tutorial or piece of software I’ve ever found anywhere assumes two things: you’re using apt as your package manager, and you’re using Xorg not Wayland as your display server. I was constantly hunting for the ‘dnf’ package, or checking to ensure that the new clipboard manager I was about to use could handle Wayland3. Critically, Docker is a second class citizen in Fedora in favour of Podman, and while Podman might be better in some ways - like Wayland: it’s not what everyone is using. In the end the perpetual dream I have to use the “superior” technology over the “winning” technology had to be put aside, and I’ve settled on Cinnamon flavoured Debian.

Debian is not containered. But it doesn’t insist on making me use Podman instead of Docker like Fedora does, and it’s the closest thing Linux has to a “default” distribution, so I’m making do. The first thing I did was install Flatpak to start my container journey and… immediately failed.

  • Flatpak Firefox looks like shit. I spend almost all my computer time in Firefox and I want it to match my theme and the container version didn’t. That’s a really shallow reason not to use it though, so I’m going to try that again4.

  • Docker is complex enough for a Docker n00b to learn. Trying to run a Sandboxed containerised Docker instance of some sort is right out, so it got a full install.

  • The Flatpak version of VS Code is so isolated it can’t see Docker. I want to use the Docker plugin. I switched to the fully integrated version immediately.

So my ideals took a small beating when the rubber hit the road, but I swear to Woz that I will only use Docker and Flatpak for everything else. And one day when I’m more comfortable translating distro specific nonsense into my preferred flavour, I will give Silverblue or a fully containered distro a much better go.

And maybe one day my desktop will go more than a single major version without being replaced.


  1. While writing this post, this is the literal point that Gnome took one final shit on the bed and decided to freeze within seconds of loading after every hard reboot. ↩︎

  2. To avoid the wrath of the pedants, there’s a difference between containers and sandboxes and containers aren’t built for security like sandboxes are, but for my purposes they serve roughly the same function. ↩︎

  3. Spoiler: it could not. ↩︎

  4. Thanks to the Flatpak Theming instructions at OMG! Ubuntu! I was able to install the Adapta-Nokto theme for Flatpak apps and everything is right with the world. ↩︎

More Observing-ness

It’s time for round-two of a bunch of random stuff that’s slightly-interesting-but-not-interesting-enough-for-a-full-post.

  • I’m sitting on a new office chair that’s called a Swopper that I got second-hand as a Christmas gift from my dear wife, and it’s bouncy and fun to sit on.

    I read an article somewhere that said active chairs encourage you to move more and put weight on your legs and fill that niche between standing desks and vanilla sitting. What I was finding with my fancy-schmancy office chair was that I was cutting circulation in my legs, my butt was always sore, and I just felt bad after sitting for a day of work. While the Swopper has some problems of its own, I’m definitely feeling more active while using it, and (surprisingly) I have sore core muscles after using it, like I’ve done a couple of situps.

    I’ll get back to you if my opinion changes, the main downside is that it seems wildly over priced if you buy it new.

  • We took a family holiday to Buninyong to visit my sister, and went with my brother’s family and my mum. It’s the first big family holiday I’ve been on with my mum and brother and sister since well before I got married, and it was a lot of fun to just hang out with them all.

  • We took the opportunity to go to Sovereign Hill, which I visited once when I was a boy, and I remembered why I thought it was so dull when I was a kid. It’s fascinating, but not very hands-on for children, but we spent a good hour panning for gold, so the kids will have some good memories I hope.

  • We stepped up our new car plan before we went so we’d have a bigger car to squash the kids into before we drove over the border. I’ve said goodbye to the beautifully cheap-to-run Prius that has done me well for the last five years, and purchased a second hand Holden Commodore wagon. The running costs are higher, but my daughter can now fit in the back seat again. Plus other men are no longer threatened by the care-free way I drove my smaller, lower-emission car.

  • Australia is on fire. Well, parts of it are. Important parts that have people in them. It’s forced a lot of them to uproot, and has a lot of people very cross that successive governments have done so little to address climate change. I donned a cap of political apathy after the country decided that just because Tony Abbott was no longer the public face of the Liberal party it meant that they were probably the best party we had. I pulled the cap lower and raised my collar after the country decided a second time that a party who is very clearly uninterested in tackling the biggest issues we’re leaving to our kids was their best hope for a bigger tax rebate. These fires would be just as bad if anyone else was in charge, but maybe if we’d given enough of a shit 10 years ago we might have actually been in the middle of trying to do something now.

  • I’m still trying to find somewhere online that can scratch that itch that Reddit used to fill. I’m still resolute that I’m not returning, but I don’t have anywhere to find new things to read, and nowhere to participate in discussion. I’ve been using Hacker News, but as much as I like to think of myself as a “hacker”, only about 20% of posts there interest me, and I’ve almost never felt the desire to contribute to the discussion. In the last two days I’ve discovered Lobste.rs, Hubski, and Tildes. Lobste.rs and Tildes are invite-only, while Hubski is open for registrations.

    Lobste.rs is even more niche than Hacker News, but I love the technical design decisions they’ve made. If I wanted to make a similar site, the Lobste.rs source would be an excellent starting point.

    Hubski is less niche, but despite the open registration seems to have far less activity. As an example: as at time of writing, the fourth article down is about the impeachment of Donald Trump, posted 23 days earlier. It’s big news, and it’s off the back of the Christmas break, but I’d expect more recent news than that on the front page of a news aggregator. The discussion on it is thoughtful though a little sparse, so the community is definitely not the sort of people who left Reddit for Voat, but with so little happening, there’s not a lot of reason to stick around and see if it’s worth it.

    I’ve settled on giving Tildes a try for a week. Their community is big enough that I keep seeing new stuff on the front page, even across the space of a single day. The diversity of discussion is also much better than HN or Lobste.rs, and I’ve found myself with actual things to say while reading some threads (although I can’t do so yet). And although I don’t like using it for webpages - it’s much better for a text editor or terminal - the fact that they offer Solarized Dark as one of the out-of-the-box color schemes means that someone there understands sophistication.

  • In the process of trying out Lobste.rs I have also installed WeeChat for IRC. I love the idea of IRC, but I’ve never found myself in a room where I’ve wanted to say anything. Can anyone suggest a good room for IRC newbies to just hang out in and chat with nice people? Leave a comment below, or chat in Keybase, Discord, or directly with me on the aus.social Mastodon instance. I’d set up a Geekorium IRC channel but from what I can gather, I’d need a server that’s amenable to randos making channels.

So that’s me for another four months - still trying half-hearted-ly to push air through the blue lips of this website.

The Christmas Playlist That Doesn't Suck (2019)

A photo of a beautiful strange nativity taken in the Czech Republic, December 2012 by Yossi Gurvitz
`weird nativity scene` by Yossi Gurvitz

I’ve scoured Soundcloud to find the best Christmas music I could find. It’s chock full of Christmas favourites that are guaranteed to:

  1. Bring Christmas cheer
  2. Not suck

This year’s playlist includes:

Many originals and covers of well known Christmas songs such as ‘Christmas (Baby Please Come Home)’, ‘O Come All Ye Faithful’, ‘Joy To The World’, ‘We Wish You A Merry Christmas’, ‘Up On The Housetop’, ‘Auld Lang Syne’, ‘Have Yourself A Merry Little Christmas’, and many more reimagined in ways that don’t suck.

The whole Christmas Playlist That Doesn’t Suck (2019) is up on Soundcloud right now, go have a listen!

Thank you to all the artists who have shared their Christmas songs on SoundCloud for the rest of us!

Chick Magnet

Meet Neo

The very next day after our successful chick sky-drop, one of the eggs our broody hen had been diligently sitting on hatched too, bringing on chickpocalypse.


chick·poc·a·lypse

/ ˈtʃɪk pɒk ə lɪps /

noun

A great and scary change brought about by the birth
(or purchase) of too many young domestic fowl at one time

In the space of two days we’ve jumped from five to eight chickens, and while we have some time to plan for it, this means one of two things:

  1. We prepare to sell two or three chickens when they’re older
  2. We prepare to keep two or three chickens when they’re older and I build another coop that can house 8 or more chickens at once.

As I have three children, option 1 was discussed, but never once taken seriously by anyone involved in the discussions, and now I need to learn how to build things with wood.

How hard can it be?

Here are some chickens:

This is Iris with her two adopted chicks
Brown-butt is Peckycephalosaurus
And facing the camera is Violet

Observing... ness

My greatest hurdle to writing here is myself. I have plenty of opinions, but nothing I feel is worth inflicting on anyone else (unless you sit within a few feet of me at work). I have lots of ideas, but very few fully formed, or that survive a withering stare. I have drafts galore, but rarely hit publish because on the path to writing things, I so very often disappoint myself with what I actually write.

Then today Kat posted and published her first blerg post and reminded me that the reason I love this can-and-bits-of-string style of old-school post is because they’re not polished thought pieces on the nature of mortality, but simply a glimpse into what other people are thinking and doing in their lives1. Rubenerd has been doing exactly this for many many years and I still love reading what he’s doing and thinking, even though it’s not hosted on Medium or written like he’s got VC funding he needs to justify. They’re just slice-of-life observations and thoughts, and they’re the good stuff.

Even the above is more waffle than I meant to do in this post, but this time I mean to cut through the attempt to formulate a thesis and simply put down stuff that was on my mind tonight while I did the dishes. So, some things I’ve observed today in no particular order:

  • I tried a new coffee place. My boss incredulously asked if we really walked to get coffee two blocks away. So I thought I’d see what the coffee was like at the new(-ish?) place at the end of our street. The coffee was good, but a large was miniscule, and I can’t imagine the thimble size I would have got if I’d asked for a regular. I had to get another coffee later in the day to make up for it.
  • My partner and kids are excitedly buzzing about two new chicks we got to give to one of our broody hens. We couldn’t make her take them yesterday, but we just successfully executed a Mission: Impossible style coordinated operation to drop the chicks in in the dead of night, and it seems to have worked. Apparently you know it worked when the new mother purrs like a cat. I’m only disappointed I didn’t get to use the mask I’d made to infiltrate the coop by impersonating our rooster.
  • I’m still struggling with my self-imposed Reddit ban (which is my most recent shunning of social media after Twitter and Facebook). I’ve replaced it in some small part with a combination of the ABC news app, Hacker News (top stories), an Aussie Mastodon instance with a bunch of people I met through Twitter, and Dev.to, but none of them are a drop-in replacement (minus the crap I was getting tired of). I really miss the not-thinking-ness of being able to just witlessly scroll through Reddit when I’m not doing anything better.
  • Speaking of Dev.to - I can’t find a simple way to just see top posts in any field. As far as I can tell, my feed (and the week/month/year/all-time) feeds are only the tags I’ve subscribed to, and ’latest’ is the only un-filtered list I can see. Maybe I’m missing something, but one thing I really appreciate about HN and Reddit is that I get posts on topics I’ve never even heard of before, and I really need it. 100 posts on “#javascript” is not my idea of a good time.
  • I chiselled a hole in my desk this week in my never-ending crusade against cables. This hid a further 30cm of cable beneath the desk, bringing me ever closer to the glorious day when everything I own will hover fractionally above the desk and nothing will be connected to anything except by invisible forces.
    DEATH TO CABLES

I’m going to stop here. Observing-ness maybe shouldn’t be a brain dump of everything I’ve thought this week.

Maybe I’ll be back again soon with more observation… nesses?


  1. Also, Kat happens to have picked the same theme I chose for the site of the podcast my daughter and I made ages ago↩︎

Balancing Humanity and Technology

I’ve been listening to a podcast called Team Human ever since the host Douglas Rushkoff was a guest on another favourite podcast, You Are Not So Smart. The basic premise of the podcast, book of the same name, and indeed the guest episode he appeared on, was about taking back society for humans.

It took me a while to warm up to the argument. Rushkoff was writing about the cyberpunk movement when I was still in high school, and wears his counter-culture credentials with pride. I, with my quiet Australian suburban Christian upbringing, knew nothing about what was happening in technology circles at that time, or what anyone was really even railing against back then.

So the idea that technology today isn’t really serving humans any more made me stop and think. And it’s stupidly obvious when you give it more than a moment’s thought, but it hadn’t really occurred to me that it’s the exact reason I’m lost on the internet nowadays.

Today we’re served by technology more than ever, and the internet is responsible for the feeling that we’re getting more done, and we’re more connected than ever before, but despite the vision of early internet visionaries, we’re also stuck in tiny silos, and fighting bigger and bigger monopolies for control of our data.

Instead of really serving us, technology is being used to sell us, divide us, and make us happy to hand over everything that makes us human. Which isn’t to say that we should head back to caves and poop in the open, but we need to be able to make informed choices about how our data is used.

Full disclosure: I’ve tried to write this article before, and encourage you all to switch to fastmail.com, and duckduckgo.com, but every time I start it, I see the little Google Home on my wall blasting out electro swing and telling me when my pomodoro timer is complete, and I wail and gnash my teeth for being a godless hypocrite.

A small Google Home device attached to a wall under a piece of art
out, foul temptress

The upshot is, I’m extremely interested in how we can maintain our privacy and autonomy while still enjoying the benefits of connected technology. I don’t want to miss out on the benefits that these big companies can provide, but I also want to know that it’s serving me, not the other way around. I believe we forfeit too much data to large companies, but I also believe the benefits and fun of technology can make the trade off worthwhile if we do not enter into it with our eyes closed.

What I’m looking for is a community of people who are also treading that fine line between tin-foil-hattery and open embrace of our corporate overlords, to work within the system to make it safer for humans.

Rushkoff would argue that this isn’t possible online. He wants people to get out there and make real face-to-face connections with people. I get where he’s coming from - by communicating online, we’re letting algorithms and companies decide who we talk to - pushing us into silos of like-minded people. That happens in real life too, but the process is manual - we have to decide to stop talking to someone whose ideas aren’t our ideas. Online, the algorithms are getting better and better at showing us similarly minded people, sheltering us from “the other” before we have to ask.

Take YouTube for instance - I recently discovered a Star Trek youtuber who also happens to do videos about rationalism and atheism. He’s exactly my cup of tea, and I spent a good few evenings listening through his back catalogue. Then another guy popped up who makes videos poking fun at far-right youtubers and then another who makes videos about the differences between right and left. I’ve thoroughly enjoyed them all, and they give me just that little tickle of satisfaction that I’ve discovered someone else who “shares my thoughts” on these topics. In some sense they play a role to help cement or crystallise thoughts I hadn’t yet properly synthesised into my own words, so it’s not bad that I get these recommendations, but over time if YouTube’s AI does its job, it does mean I’m going to see fewer and fewer alternative ideas, hear fewer voices, and fall deeper and deeper into that filter bubble that people talk about a lot lately1.

I don’t know how to socialise in the real world any more. It’s a lost art for many people, and even close to impossible for others. The internet brought on a golden age of social interaction for some people who in years gone by might have lived lives of utter loneliness. I’m not one of them, but I’ve let myself lose a lot of the skills I once had to leave the house and be “real”. Finding the time and strength to put myself in places the algorithm can’t get me is going to be hard work. I would even like to think there might be a technological solution, but it would have to be radically different from anything else that currently exists, or it risks being susceptible to the same problems as today’s social technology.

The upshot is that I’m starting to see the cracks, and I don’t have the tools to even understand them, let alone fix them by myself. I fix problems better when I have other people to work with, and I don’t know if other people around me are also seeing the cracks and wondering if they should say something or just keep quiet. If you’re reading this, and you’re concerned about what we can do to balance safety and progress, then get in touch with me. Leave a comment here2, or say hello on Telegram, Discord or now Mastodon or Keybase. Maybe you don’t think the way I do - and I look forward to it.


  1. And don’t get me wrong, I’m not arguing that all voices deserve to be heard, or that all arguments on all sides have equal merit. Honestly I don’t know the answer to “how do you avoid a filter bubble, but also not get drowned in shit” ↩︎

  2. If it works… ↩︎

The Reverend @mygirlbetty

Something really weird and special happened a couple of weeks ago, and I didn’t and still don’t really know what I want to say about it. It was a big enough event though that I want to talk about it because it involves one of my favourite people in the world.

Carlynne standing in her alb and stole with another minister during her ordination ceremony
Being reverended

My sister went and did something foolish, and got herself made a full blown minister of the Australian Uniting church. As in, she’s actually an honest-to-god reverend. And like, she can put that on forms she fills out (see below).

Title:      Reverend
First name: Cazbutt
Last name:  Nunn

Growing up, I admired my father for becoming a minister, and although I didn’t think I could ever actually do it, I often thought it might be the path I might take one day - carrying on some sort of family tradition1. When I left my faith, that was a small dream I left behind as well, and although I didn’t want it any more, I still missed it.

To see Carlynne take up the mantle now makes me happy to see that dream become a reality somehow in a silly sort of way.

Which isn’t to say that my sister’s faith and chosen path are anything like my father’s. Carlynne isn’t so much following tradition as she is taking tradition firmly by the shoulders, walking it firmly to the door, and asking it politely to leave.

The ordination ceremony itself was a rich and beautiful celebration of Carlynne’s journey so far. It was an honor to have been invited and to have been able to attend. Afterwards, my sister’s band Terry Towelling and the Tank Tops played a full set while the church family at Brunswick catered a lovely party to both celebrate and say farewell.

What I loved most about the day was this: religion might not be my thing, and the (nebulous, worldwide) church might have a lot of explaining to do, but when I think of my sister as a minister it just makes so much sense to me. What I recognise when she dons the Alb is that my own silly childhood fantasy of becoming a minister was always about my own status - about the title - being able to put reverend on the form.

When I look at my sister’s road to ordination, I instead see a truly humble servant who only wants to meet people where they are. She has already spent much of her adult life learning to accept people how they are just because they’re human. It’s a trait I admire so much in her, and I’m overjoyed when I see her keep embracing it, using it.

The world has always been pretty fucked up, and too often we hear about the people who take their positions and leverage their power to look after themselves, leaving it just a little more fucked than it was before. What I love about my sister and the path she’s chosen is that she really will leave it a little less fucked than how she found it. This step is just another on that road.

Congratulations The Reverend Carlynne @mygirlbetty. You’re a Starasaurus and I love you and I’m proud of you. Keep making the world more awesome.


  1. or old charter or something. ↩︎

Hugo Missing Posts

Just to help out anyone else whose brain is turning to mush trying to figure this out:

I went to write a new post tonight and discovered that Hugo flat out refused to render the new post. Nothing I did would make Hugo display or serve up the new page. Digging further, Hugo wouldn’t convert the post using the conversion functions, and running --verbose or --debug showed that as far as Hugo was concerned, the new pages flat out didn’t exist.

I was wracking my brain for hours over this - checking and double-checking paths, ensuring file permissions were correct, removing old posts, attempting to disable caches - until I did some frontmatter splitting and discovered that if I left the date field off, the posts showed up.

It turned out that something in my config has changed since I created my last posts, and Hugo is now rendering posts relying on the post’s timezone to determine when it should be published. I recently updated my version of Hugo to v0.54.0, and I also specifically altered the way my dates are generated in archetypes\default.md to match how I’d like them to be stored, and one or both of those changes meant that Hugo went from generating new posts in a consistent timezone, to generating them in my local timezone but acting as though they were in UTC. This meant that posts were being ignored but would have published without a problem +1030 hours from the time I wrote them.

Now I’ve simply altered my archetype to include -0700 to tell Hugo to append my local TZ to new dates, and now a hugo new posts/whatever.md generates a file that shows up immediately when I serve the file.

In my archetypes\default.md file I’ve set date to:

date: "{{ dateFormat "2006-01-02 15:04:05 -0700" .Date }}"
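To make the failure mode concrete, here is an added Python sketch (not Hugo’s code) that mimics the behaviour described above: a front-matter date without an offset is read as UTC, one with a numeric offset keeps it, and a page dated in the future is not rendered. The +10:30 local offset comes from the post; the timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone

# Assumption (from the post): the author's local zone is UTC+10:30.
LOCAL_TZ = timezone(timedelta(hours=10, minutes=30))
# Constructed "now": the moment the post was written, in local time.
NOW = datetime(2019, 2, 20, 22, 0, 0, tzinfo=LOCAL_TZ)
# 10h30 later, when the mis-stamped post would finally have appeared.
LATER = NOW + timedelta(hours=10, minutes=30)

# Hugo date layouts in Go reference-time form, mapped to Python equivalents.
# "-0700" in the Go layout means "numeric zone offset", e.g. "+1030".
LAYOUTS = {
    "2006-01-02 15:04:05 -0700": "%Y-%m-%d %H:%M:%S %z",
    "2006-01-02 15:04:05": "%Y-%m-%d %H:%M:%S",
}


def parse_hugo_date(value: str) -> datetime:
    """Mimic how Hugo read the front-matter date: an explicit numeric offset is
    honoured; a date with no offset is interpreted as UTC, not local time."""
    for fmt in LAYOUTS.values():
        try:
            parsed = datetime.strptime(value, fmt)
        except ValueError:
            continue
        if parsed.tzinfo is None:
            parsed = parsed.replace(tzinfo=timezone.utc)
        return parsed
    raise ValueError(f"unrecognised date: {value!r}")


def is_published(front_matter_date: str, now: datetime = NOW) -> bool:
    """A page is rendered only when its date is not in the future
    (Hugo's default of not building future-dated content)."""
    return parse_hugo_date(front_matter_date) <= now


def archetype_date(when: datetime) -> str:
    """What the corrected archetype emits for a new post: date plus numeric offset."""
    return when.strftime(LAYOUTS["2006-01-02 15:04:05 -0700"])


if __name__ == "__main__":
    naive = NOW.strftime(LAYOUTS["2006-01-02 15:04:05"])   # old archetype: no offset
    fixed = archetype_date(NOW)                            # new archetype: ends in +1030
    print(naive, "published now?", is_published(naive))    # False: read as 22:00 UTC
    print(fixed, "published now?", is_published(fixed))    # True
    print(naive, "published 10h30 later?", is_published(naive, LATER))  # True
```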

HTTPS Content Security Policy

After having followed in his footsteps and converted my site to Hugo, Rubenerd also prompted me to check out my HTTPS score on Mozilla’s Observatory with his post on the topic.

With WordPress my grade was an F, and the move to Hugo wasn’t enough in and of itself to change that grade at all. It turns out Mozilla is super persnickety about HTTPS security and focuses on your site’s Content Security Policy as one of its primary measures.

The CSP is not something I’d ever heard of before. Other sites gave my site a clean bill of health when I’d checked to see if my SSL certificate was doing its job, so I figured my site was safe. It turns out that browsers now support a Content Security Policy header that can tell the browser to ignore any potentially dangerous content that isn’t explicitly allowed by the creator.

What this means is that the webmaster identifies where all their JavaScript, CSS, iframe embedded content, images and other content might come from, then sets up a ruleset that tells the browser to block anything else.

My ruleset (via Headers in .htaccess) looks something like the following:

default-src 'none';
object-src 'none';
frame-ancestors 'none';
base-uri 'none';
frame-src https://www.youtube.com;
form-action 'self'
    https://*.staticman.net
    https://duckduckgo.com;
font-src https://fonts.gstatic.com/;
img-src 'self'
    https://turbo.geekorium.au
    https://visitors.geekorium.au
    https://*.flickr.com
    https://*.staticflickr.com
    https://www.gravatar.com;
script-src 'self'
    https://cdnjs.cloudflare.com
    https://visitors.geekorium.au;
style-src 'self' https://fonts.googleapis.com
    https://cdnjs.cloudflare.com;
  • default-src is the base level rule, and by setting it to ’none’, we tell the browser to ignore anything that isn’t explicitly spelled out below.
  • frame-src is set to allow only youtube.com iframes (eg. this post)
  • form-action only allows submitting forms to staticman.net for comments and duckduckgo.com for the search form on the front page
  • font-src is set to allow google fonts
  • img-src allows images from my amazon s3 bucket, Flickr, Gravatars, and an image for visitor statistics (using Matomo so your data isn’t going anywhere).
  • script-src allows cloudflare hosted JS because the theme I’m using uses some libraries there.
  • style-src allows CSS from googleapis.com and cloudflare, again for the theme.

By specifying ‘self’ for JS and CSS, and explicitly not using ‘unsafe-inline’ I’ve forced myself to move everything to self-hosted CSS and JS files, instead of using inline style on html elements or onClick JS. From the Mozilla docs on the matter:

Inline JavaScript – either reflected or stored – means that improperly escaped user-inputs can generate code that is interpreted by the web browser as JavaScript. By using CSP to disable inline JavaScript, you can effectively eliminate almost all XSS attacks against your site.

And with comments enabled, I want as much protection from XSS as possible.
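As an added example (not part of the original post), here is a Python checker that parses a CSP header the way a browser does and flags the weak settings discussed above. It runs over the post’s own ruleset, joined into a single header value, and over a constructed weak policy for contrast.

```python
"""Parse a Content-Security-Policy header and flag the weaknesses that
Observatory-style checks care about (added example; not from the post)."""
from typing import Dict, List

# The post's ruleset as one header value (directives are ';'-separated).
GEEKORIUM_CSP = (
    "default-src 'none'; object-src 'none'; frame-ancestors 'none'; "
    "base-uri 'none'; frame-src https://www.youtube.com; "
    "form-action 'self' https://*.staticman.net https://duckduckgo.com; "
    "font-src https://fonts.gstatic.com/; "
    "img-src 'self' https://turbo.geekorium.au https://visitors.geekorium.au "
    "https://*.flickr.com https://*.staticflickr.com https://www.gravatar.com; "
    "script-src 'self' https://cdnjs.cloudflare.com https://visitors.geekorium.au; "
    "style-src 'self' https://fonts.googleapis.com https://cdnjs.cloudflare.com"
)

# Constructed weak policy of the kind a theme with inline JS/CSS tends to need.
WEAK_CSP = ("default-src * 'unsafe-inline'; "
            "script-src 'self' 'unsafe-inline' 'unsafe-eval' http://cdn.example")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source, ...]}.
    Directive names are case-insensitive and sources whitespace-separated.
    Browsers ignore a repeated directive (the first one wins), so keep the first."""
    policy: Dict[str, List[str]] = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def audit_csp(header: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing weak was spotted."""
    policy = parse_csp(header)
    findings: List[str] = []
    default = policy.get("default-src")
    if default is None:
        findings.append("default-src missing: unlisted fetch directives allow everything")
    elif "*" in default:
        findings.append("default-src allows * (any origin)")
    # These directives do NOT fall back to default-src, so they must be set explicitly.
    for directive in ("base-uri", "form-action", "frame-ancestors"):
        if directive not in policy:
            findings.append(f"{directive} missing: it does not inherit from default-src")
    # Inline script/style is the XSS foothold CSP exists to remove.
    for directive in ("script-src", "style-src"):
        sources = policy.get(directive, default or [])
        for bad in ("'unsafe-inline'", "'unsafe-eval'"):
            if bad in sources:
                findings.append(f"{directive} permits {bad}")
    if policy.get("object-src", default) != ["'none'"]:
        findings.append("object-src should be 'none' (plugin content is a classic injection sink)")
    # Plain-HTTP, wildcard or data: sources undo the allow-list.
    for directive, sources in policy.items():
        for src in sources:
            if src.startswith("http:") or src in ("*", "data:"):
                findings.append(f"{directive} allows insecure or overly broad source {src}")
    return findings


if __name__ == "__main__":
    for label, header in (("geekorium", GEEKORIUM_CSP), ("weak", WEAK_CSP)):
        print(f"{label}: {len(audit_csp(header))} finding(s)")
        for finding in audit_csp(header):
            print("  -", finding)
```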

Now The Geekorium scores a delightful A+ on the Mozilla Observatory, and a score of 125/100, which is the sort of ’extra-credit’ number I’m looking for in my security.
