I've been using elementary OS on an old MacBook Pro and there's surprisingly little that I hate about it. That, of course, has given me time to find things that I don't quite like as much as I want to and then poke around and see if I can make them better. Last week's effort was some fine tuning of my keyboard layout that resulted in me filing a bug report, but it also meant that I had many opportunities to be disappointed by the system's appearance during startup. The Linux startup experience is defined in two different places. If you want the experience to seem as seamless as possible, you have to fix both of them.

The first part of the puzzle is the boot loader, Grub. Grub is one of those things where somebody made a better boot loader than the one that had come before it, but stopped just after the point they'd made a better thing. As a functional boot loader Grub is fine, but it operates strictly in text mode and its default font can be tiny on a modern computer with a high resolution display. If you spend any time looking at it at all (such as when you're testing settings that require a reboot, or if you're switching back and forth between operating systems on the same computer), you start to wonder why it still looks like that. I started to wonder, anyway.

Some distributions package a larger font for Grub to use, but if your distribution doesn't have a large enough font, you can change it. The grub-mkfont command is provided for this purpose, because Grub can't just use a regular font (because of course it can't). I followed these instructions on Stack Exchange to make a Grub-compatible font.

While you're editing /etc/default/grub to point it at your new, larger font, you can also set a background image for Grub with the GRUB_BACKGROUND="/path/to/your/image". So I did that and used the same image I use as my wallpaper when I'm logged in. Then I ran sudo update-grub, rebooted, and discovered that I couldn't read Grub's white text against the sky in my wallpaper photo. So I made a copy of my wallpaper photo, opened it in an editor, and overlaid a black, slightly translucent box over it. But how did I figure out what size to make the box? Are the margins for Grub's old school ASCII box documented anywhere? It does not seem like they are.

So I downloaded a wallpaper that looked like a black and white sheet of grid paper, sized for my display. I measured the size of the grid in a photo editor (each square seemed to be 40 × 40 pixels), temporarily made it my Grub wallpaper, and then took a photo of it.

I wish I were joking

Then I counted boxes (eyeballing the fractions), divided by 40, and used those numbers to get an approximate size for the overlay. It took a few iterations to fine tune the image so the overlay fit precisely into Grub's ASCII box, but it looks nice now.

The image file itself, but with no Grub interface. You'll have to trust me that the overlay is the right size for Grub on my screen.

But that's only the first part of the Linux startup process. Once Grub actually loads an operating system, the operating system takes over the display. In this case, the system is using Plymouth, and even more specifically it is using a Plymouth plugin called two-step. Sadly, Plymouth documentation is scant and two-step itself seems almost entirely undocumented. I couldn't figure out how to place my wallpaper and get Plymouth to scale it properly for whatever resolution it's using (which for some reason is not the full resolution of the display) until I read the two-step source code.

It turns out that you can place a background image and get Plymouth to scale it simply by dropping a PNG file named background.png in the active theme's image directory and adding a single line of code to the theme's THEMENAME.plymouth file. By the time I found this I'd already cloned the base elementary theme in /usr/share/plymouth/themes/ but in retrospect I could have just added the file to the existing theme. The THEMENAME.plymouth configuration file is a plain text file. Find the [two-step] block and add a single line that says ScaleBackgroundImage=1 and Plymouth will scale your image to fit without you having to do any work. After you add the image and line of code, install it with the command sudo update-initramfs -u and reboot.

Now when my computer starts up, the same image seems to carry through the entire process from the boot loader all the way into my desktop wallpaper. It's actually three different images (a JPEG with an overlay for GRUB, a PNG for Plymouth, and a JPEG for the wallpaper), and if you sit there watching you can see the screen go blank briefly every time it switches between them. If you're not watching closely, however, it looks more or less like it's just one image and other stuff is happening around it. You almost can't see the duct tape holding it all together.

I don't have comments on here, but if you want to respond to this post, I'm on the fedi as fedward@distraction.party.

But the reason I needed to configure the hardware watchdog at all was that it was crashing occasionally. After a few crashes I got the hardware watchdog working, and for a few weeks the watchdog would restart the box whenever it crashed. It didn't last. Eventually it started locking up in such a way that the hardware watchdog never restarted it, and no amount of BIOS resetting fixed it. There was nothing useful in the system logs, so I started to suspect that the crashes might be a hardware issue, and I contacted UGREEN.

UGREEN, however, will only provide active support for their own software (UGOS), so I backed up my TrueNAS configuration and installed UGOS, which wiped out the startup drive in the machine. That's fine as far as it goes, since I had a backup, but UGOS doesn't support ZFS. That means that the entire time I had UGOS running I didn't have access to my existing files or services that depended on them (which is, uh, all of them). I ran UGOS for a few days and encountered no issues, but the system wasn't under any kind of load so it wasn't really a great test. After some back and forth with UGREEN and a failed attempt at imaging the startup drive with UGOS installed (so I could easily restore it), I gave up and made an emergency purchase of a new SSD so I could put TrueNAS on that and keep the UGOS SSD around to swap back in when I had more time to test it.

And once again, the box crashed while running TrueNAS, and the watchdog didn't restart it. At least the fact that TrueNAS was installed on a different SSD ruled that individual component out as the root cause, which was more information than I had before. When I had some downtime I put the UGOS SSD back in the box, and once again it ran for several days without any errors. Meanwhile it couldn't seem to make it 48 hours without crashing under TrueNAS.

Why was it crashing? Is there a hardware issue that's only exposed by TrueNAS? Some, maybe even most, of the crashes happened when the system was essentially idle, so it's hard to point the finger at hardware that fails at idle but only with certain software installed. Is it a software issue? Lots of people run TrueNAS, and I couldn't find much evidence that other people were having the same problems. Well, there was one guy, but he never posted a followup with any resolution (argh). Is it a problem with some containerized app I had installed? If so, how do I even figure out which one without evidence in the system logs? I don't really feel like digging through a dozen different containers' log files to try to find a culprit. I don't even like Docker anyway!

So, since I tend to prefer FreeBSD to Linux anyway (previously), last week I made one last backup of my TrueNAS configuration, wiped the (new) SSD, and installed FreeBSD on it. Since then I've been adding back all the services I had under TrueNAS, just mostly* by installing them directly and configuring NGINX by hand. I've rebooted it a bunch of times over the past week as I've made configuration changes, mostly to make sure that services all come back up after a restart, but it hasn't crashed once. Knock on wood.

* Two of the services are containerized, though. I put Nextcloud in a jail because I've dealt with PHP and PostgreSQL package weirdness on FreeBSD before, and I wanted to isolate any dependencies or fragile bits, and a jail seemed the best way to limit the scope of those problems. And Immich is pretty much Docker only, so I had to install Linux in a virtual machine, then install Docker in the VM, and use the Docker in the VM to install Immich in a container. I might not have bothered to get immich up if it hadn't been the single hardest thing about setting up TrueNAS, and I wanted to save all the effort that went into getting my photo library up.

I don't have comments on here, but if you want to respond to this post, I'm on the fedi as fedward@distraction.party.

I've been using OpenCore Legacy Patcher to work around the lack of official support for all the old Macs, but it slows down the software update process, and the software update process on Intel Macs was already slow compared to Apple Silicon (I vaguely recall that Apple introduced some streamlining in Software Update a few years ago and restricted it to Apple Silicon, but this is too hard to find a citation for). With the advent of Liquid Glass I haven't bothered to update any of the old Macs to macOS 26, so they really are at the end of the line for software updates. And I have to wonder why I would expend the effort anyway, since most of what's new (like Liquid Glass) isn't actually better, it's just change for the sake of change.

Meanwhile, on the Windows side of things, I haven't updated anything in the house to Windows 11, because none of the hardware in the house is new enough to support it. Again, much like with OpenCore Legacy Patcher, you can just patch the installer and install Windows 11 on “unsupported” hardware, where it apparently runs just fine, but I have no interest in Copilot and I'm not sure what needs are served by Windows 11 other than those of capitalism.

And this is where we are. I don't want what Apple or Microsoft want to sell me, and it feels like software is just getting worse. Reportedly Apple's next OS release will be a Snow Leopard style focus on quality instead of new features (🤞🏻), but it's really starting to feel like Apple is focusing primarily on the funnel into a subscription cloud services, and their cloud services just aren't good enough for that. I still reluctantly pay for the 2TB iCloud plan because it's never a good time to ask my wife to migrate, but Apple has broken my music library more times than I care to count, and I've got duplicates of a bunch of documents because my Documents folder kept getting cloned instead of synced (so I have a Documents folder that contains multiple, nearly identical, subfolders named Documents – computername).

So I did the unthinkable and installed Linux Mint on the old MacBook Pro and it was … fine? All the hardware works, it starts up fast, and it doesn't seem to make anything impossible. I even spent some time getting the (few) Windows games I own to run in Lutris and Steam (all but Civilization VI, which requires newer video hardware than this old Mac has. But I also got it for free, so I'm not complaining).

Anyway, Linux Mint Cinnamon has a well deserved reputation as the “just install it, it's fine” Linux for Windows users, but it's maybe a little too Windows-y for me. So I looked around for Linux distributions that seem a little more Mac like, and found Zorin and elementary OS. Between the two of them, Zorin defaults to the Brave browser (ew (1), ew (2) although they turn off the misfeatures), while elementary OS has a strong policy against AI contributions, so I figured I'd try installing elementary OS alongside Linux Mint.

I ran into a couple problems with that plan, one of which was more significant than the other. First, it turned out that the installer elementary OS uses is inflexible with its assumptions about storage and EFI partitions, and my existing EFI partition was too small for it. I had to delete my Linux Mint partition and the existing EFI partition, manually create a newer, larger EFI partition, and then assign elementary OS to a new, unformatted partition. After that it installed just fine, but when I reinstalled Linux Mint after that, Linux Mint took ownership of my startup partition. To get it to boot elementary OS by default, I had to boot Linux Mint and change its Grub configuration. There may have been another way to change the default, but this was the first way that worked. Second, elementary OS hides uncommon keyboard layouts from its selection screen and doesn't have an obvious option to enable them (Linux Mint also hides them, but it has a checkbox for this purpose). I run the Carpalx QGMLWY layout, which is in the uncommon bucket, and the only way I could figure out how to enable it was to edit a file you're not supposed to edit.

Other than those two configuration issues, I'm actually quite happy with elementary OS and recommend it for the Linux-curious Mac user. The biggest positive in my book is that the trackpad gestures match what I'm used to, so the various two- and three-finger swipes I use for forward and back, or app and space selection, work the way I expect them to. Linux Mint got a few of these gestures right, but I couldn't figure out where or how to enable the other UI gestures I'm used to. Both distributions give you access to Flatpak apps, so you can pretty much install all the same GUI software on both with the same amount of effort. I have pointed a few default directories in my $HOME folder in both OSes to a shared partition so I'm not downloading all the same stuff twice, but I was able to point Lutris to the same games I had already installed, and everything worked without me having to futz around installing patches and no-CD cracks all over again.

Unfortunately, I don't think this is the last time I'm going to have to think about what's in my OS (or what isn't). I really appreciate how elementary OS has a clear no-AI policy, but I'm not sure how they're going to get around the AI generated code in the Linux kernel or in systemd. Depending on how things shake out on that front, I might have to spend even more time looking into alternatives.

I don't have comments on here, but if you want to respond to this post, I'm on the fedi as fedward@distraction.party.

Until it wasn't.

Here is a recap of everything that went at least a little stupid if not a lot wrong over the course of installation, setup, and app deployment. Some of these things are like stepping on rakes; some are merely like stepping on stray construction toys in your bare feet.

1. In the 25.04.1 release, TrueNAS had a broken configuration of acme.sh for Let's Encrypt, making it impossible to request the certificate that the UI really wants you to have. As of when I set it up a fix had been committed to the next major release, but they hadn't yet ported it back to the current one. (25.04.2 is out now, presumably with this fix, but I haven't yet verified that it works). Pain rating: rake.

2. When setting up storage volumes, I set up the SSD before I set up the hard drives. I told it to use the SSD volume for its “System Dataset.” Then I configured the ZFS volume on the hard drives, and TrueNAS silently assigned its System Dataset to that volume instead of the SSD. This later caused one application setup to fail, which took a while to diagnose and fix. Pain rating: rake.

3. Related to the above item, whenever you install an app from the catalog the storage location for its data defaults to the System Dataset (labeled “ixVolume”). If the app has multiple storage locations (say, one for configuration, one for data storage), they'll all default to that. It's a dumb default. Usually this is just inconvenient, but two apps just flat out refused to launch with their storage located that way. If you find the right page in TrueNAS's documentation (see next item), you will, in fact, read that you should probably specify a different location for every app. If you should do that, why is ixVolume still the default? Pain rating: rake (once), construction toy (every other time).

4. I have a pet peeve about interfaces that rely on tooltips but which don't actually put helpful information in those tooltips. The application installation interface (used both for apps from the catalog and if you're installing a “custom” app as in item 7 below) is full of the wrong kind of tooltip, where the tooltip just repeats what the control's label says (e.g. the tooltip on the “Pull Policy” field says “The pull policy for the image.”) If there were a full documentation page somewhere that said how to use all the controls on that page to configure an app, it wouldn't be so bad, but see the next item.

5. The primary links to documentation from within the UI all seem to go to the documentation for the EOL Core release and not the current SCALE Community Edition release. And they changed their web strategy between releases, so if you think you can just get the current version by selecting the dropdown at the top of the page, you're in for a fun surprise when you're redirected to a useless landing page instead. And if you go to a search engine to find the right instructions, chances are you're going to find stuff about the next major release (25.10), which is in active development and is apparently getting new architecture for some of the interfaces. If you're still running 25.04, good luck to you. Pain rating: rake, because this is just a terrible self-own. It's way too hard to find complete documentation for the current release.

6. App installations sometimes result in incorrect permissions on the volumes those apps need. Some app installers have an option to fix permissions, but most of them don't. Pain rating: construction toy.

7. There are weird gaps in the app catalog. Officially you can just install Docker packages for apps that don't have catalog entries. There are even two different ways to install a docker package: a cryptic UI with unhelpful tooltips and no current documentation (item 4), or a spot you can paste in a YAML config. I guess the expectation is just that you know how to do that already or that somebody else has already documented it. Docker came along after I'd already sworn off Linux so it's a gap for me, and I lost a few hours trying to figure out a YAML config just for one app. Pain rating: rake, but one with a handle that only hits you in the thigh and not the face.

8. If you are going to have multiple apps that host services, you probably want the Nginx Proxy Manager app so you can get to all those services with reasonable URLs and not just ports. But Nginx Proxy Manager by default wants to own ports 80 and 443, which the TrueNAS UI also wants to own. The installation will fail unless you reassign the ports TrueNAS uses before you install the NPM app, but this isn't documented anywhere. There are forum posts about it, though. There's also a checkbox in the TrueNAS UI about redirecting traffic from 80 to 443, but it's incompatible with Nginx Proxy Manager. I see now they've changed the language on the tooltip a little, so maybe it's less broken in 25.04.2. Pain rating: like stepping on a construction toy, then stepping on more of them as you try to get away from the first one.

9. There were a couple Linux services that were enabled by default that failed on startup because they weren't configured. I looked into both of them, realized I didn't need either one (at least one was related to directory-based user authentication I won't be using), and disabled them. Pain rating: construction toy. If I hadn't been looking at startup logs while I was setting everything up I might not have known these unnecessary services were failing.

I also encountered some issues that I can't solely blame on TrueNAS and/or Linux, like an issue with music files I exported from Apple's “Music” app (still iTunes to me) if they had unicode combining characters in their filenames (think ñ or à). Turns out Apple handles that one way, but to get those files into playlists in Navidrome I had to “precompose” the playlist files. But that's not as bad as the whole week I spent on a photo export, writing code in a language I only barely know how to use (Python) to automate uploads directly from the Photos app on a Mac to my Immich server. (It's pretty spiffy, though. It creates albums if they don't exist and stacks the edited/original/raw versions of every image that has more than one).

I'm basically done with setup now and the thing that cost me the most time was working around Apple software, so most of these complaints are just complaints. But it would be nice not to have complaints at all.

I don't have comments on here, but if you want to respond to this post, I'm on the fedi as fedward@distraction.party.

A few years ago my wife expressed a preference for iced coffee in the summer, and then as cold brew gained enough in popularity that it started showing up on tap everywhere, she expressed a preference for that over my previous, lazy man's iced coffee method (namely: brew a pot of hot coffee, then immediately put it in mason jars with as little headroom as possible and refrigerate overnight).

I tried all the most common instructions for cold brew on the internet, and I found that no matter what I did I just wasn't satisfied with any of them. I'm not going to call out any specific guides to making cold brew concentrate, but here is what I found:

• It doesn't matter how strong you try to brew the concentrate. If you're making concentrate at all, once you dilute it to drinking strength it just tastes watery.
• On the other hand it's nearly impossible to predict liquid yield based on the starting weight of ground coffee and water, because the amount of water absorbed by the ground coffee and/or trapped between grains after filtering varies. As a result, some dilution is always going to be necessary to hit a target volume without exceeding it.
• There is a point of diminishing or counterproductive returns: longer brewing times increase unpleasant flavor notes.
• Underextraction is also bad.
• The coffee beans that taste best to me when brewed hot don't produce a well enough balanced cold brew. Something slightly darker than that preference tastes better when brewed cold, but since light/medium/dark and city/city+/full city are all basically meaningless when comparing different roasters, this still requires experimentation as availability changes.

Note: I didn't try anything like pressure infusion using a cream whipper and chargers, because it's such a mess to clean up (and if something goes wrong with your cream whipper, as I witnessed at a liquor industry demo, it's even more of a mess). You might be able to make good concentrate under lab conditions, but I was looking for something that was both practical in a home kitchen and delicious.

Here's what I ended up with for one (1) liter of cold brew coffee:

Ingredients

• 114 grams freshly ground coffee (I grind it like I do for French press, but I also grind more finely for French press than most people do). 114 grams seems like a weird number, but it's 4 ounces and most whole bean coffee comes in units of 12 or 16 ounces. I don't recommend pre-ground coffee.
• 1150 ml water at room temperature if your jar or brewer has the room; if your container is smaller, try to get at least 900 ml for best results.

Instructions

• Combine in a large jar or a dedicated cold brew gadget if you have one. I like to add about half the water, let it bloom for a minute or five, then stir down the bloom and add the rest of the water.
• Steep for 12 hours. There's some wiggle room: the safe range seems to be between 11 and 14 hours; much shorter than 11 hours and it'll be weak and acidic; go past 14 and it will start to pick up notes of ash and compost.
• Filter, first through a fine metal strainer and then (if desired) through a paper cone.
• After filtering, check your yield. The coffee will usually trap between 1.6 and 1.7 times its mass in water. If you started with the amounts above you should end up with something between 955 and 970 ml. If you end up with significantly less, check to see if your grounds are still really wet. You can stir them around or try gently pressing on the mass of grounds, but don't use too much force or you'll end up with some flavors you don't want.
• Add a little water as necessary to bring the yield up to 1 liter.
• Chill and serve.

We have an OXO Cold Brew Coffee Maker that takes up a lot of room on the kitchen counter, but it makes the first three steps pretty simple and allows me to make two liters of cold brew at once if I fill it to the top. I fill it most of the way with the “rainmaker” top in place, then remove that and top it off so the liquid comes about ⅛” from the edge, so it doesn't overflow if the coffee continues to bloom. When filtered the yield is usually around 1.75 L. I top it off to 2 L before decanting into a couple growlers (or, usually, a growler and a nitro keg, but that part is entirely optional).

Enjoy. Or, I dunno, keep making cold brew wrong. I'm not your boss.

I don't have comments on here, but if you want to respond to this post, I'm on the fedi as fedward@distraction.party.

What I didn't mention in the post about port forwarding DNS requests was that the AdGuard Home instance I'm running is running on the same OPNsense firewall as my primary, non-filtered DNS resolver. Setting up a virtual IP with an IPv4 address is pretty simple. The main resolver is on the firewall's primary LAN address (ends in .1, unsurprisingly); the AdGuard virtual interface is on .101 on the same subnet. Setting up IPv6, however, stumped me. I've found that even though our IPv4 WAN address tends to survive reboots, we get a new IPv6 prefix with every reboot. IPv6 does some things with prefixing and link-local addresses that I still don't fully understand. For instance, only four characters in the IPv6 address ever change, but they're in the middle of the address. I needed to understand enough to make this work, but I didn't need to understand enough to run a whole IPv6 network.

What I actually needed was an IPv6 address that would stay consistent enough for me to bind a service to it without having that service crash the next time the firewall restarted, but that wouldn't in the process cause other things on the firewall to go wrong. If I tried to create a new IPv6 address in the same subnet as the main link-local network, things went wrong. I started experimenting. After many false starts, here's what has ended up working for me. (ORIGINAL: There may be a better, more official, way to accomplish this, but this setup has worked for me for a while now.) UPDATE: Turns out the “correct” way to do this is with an IPv6 address fragment, so I've updated a couple steps below.

1. Set up an IPv4 virtual address on the same LAN subnet. Pick one that won't be assigned by your DHCP server, but that's easy enough to remember. It's important to set the “Deny service binding” checkbox to keep OPNsense from binding other services to the new virtual IP.

2. Set up an IPv6 virtual address. (DEPRECATED: I copied the existing IPv6 link-local address and changed the beginning of its prefix from fe80 to fd80 but left the rest exactly the same, with a /64 subnet. This makes it easy enough to read just the first and last bits of the binding when looking at interfaces on the firewall. On closer reading now I think I can't actually use fd80 (see: I don't fully understand, above), but it was the first thing that actually worked so I'm just going to let it be wrong until something else breaks.)) Turns out you can do this with an IPv6 address fragment. I'm using ::5353/128 for this purpose. Again, click that “Deny service binding” checkbox.

3. Turn on router advertisement. (DEPRECATED: for the fd80:: prefix with a /64 subnet — turns out that with an IPv6 fragment you can just use the defaults, but you do need the service turned on so other hosts will know how to reach the IPv6 virtual address fragment created above)

4. Install the AdGuard Home package for OPNsense (I use the full repo there and not just the AdGuard one, because I also have the Unifi controller running. That's left as an exercise for the reader).

5. Enable the “Adguardhome” service but deselect “Primary DNS” so it doesn't try to bind to the standard ports on the primary LAN interface. It'll still probably try to bind its management web interface to :80, so have fun figuring out how to get the defaults working temporarily.

6. To the command line! Edit /usr/local/AdGuardHome/AdGuardHome.yaml and configure its http section to bind to the IPv4 address you created in step 1. Also configure the bind_hosts section of the dns section and bind it to both virtual addresses created above. You may or may not be able to do this without just using vi, but I used vi because I have the muscle memory for it.

7. Once you've verified that the service is up and running alongside the built-in Unbound DNS service (one or both may require restarts, and see below for a way to test that they're both working), you can assign the resolver to individual hosts using your DHCP server of choice, unless the DHCP server of your choice is Kea, which currently lacks this functionality. If you're using Kea, or you only want to maintain one set of configurations, skip directly to the port forwarding described in my other post.

To verify that both services are running from another computer on the network, you can use the host command on the command line, e.g.: host google.com 192.168.1.1 would ask the primary resolver at .1 (presumably your router; adjust accordingly), while host google.com 192.168.1.101 would ask the AdGuard Home resolver. Substitute the IPv6 address of your router's primary interface (up to you to figure out) and ::5353 for the virtual interface to check that it's also working over IPv6, if that's a thing that matters to you.

After typing all this out I'm sure there has to be a less convoluted way to do what I wanted, but all the services I want to run coexist on the same hardware and everything works after restarts, so I consider this job done for now.

I don't have comments on here, but if you want to respond to this post, I'm on the fedi as fedward@distraction.party.

So, for example, my home firewall used to run pfSense. After their shenanigans with OPNsense.com I started to think that maybe I didn't want to be running pfSense anymore, but switching to something else would have taken time and effort so I just … never got around to it. Then, in a push for profits, pfSense owners Netgate also took a hostile stance towards users of the community edition, but my firewall still worked as it was, so I still didn't get around to changing it.

Then the FreeBSD WireGuard mess happened and I decided I needed to get away from any code managed by the people responsible. So now I run OPNsense. There's a common lineage (m0n0wall) and I was able to adapt my configuration without much trouble. I'm not super happy about how FreeBSD's loose management let the WireGuard mess get as bad as it did, but migrating my stuff away from FreeBSD isn't high on my list of priorities. I'm not picking that battle any time soon. I only started using FreeBSD in the first place because I hated the way systemd was rolled out, but that's a different rant.

Anyway. My more recent “Oh. Oh, no. Not that” moment came when I discovered that our Chromecast had a trick up its sleeve.

For reasons of security as much as (perhaps even more than) general stubbornness, I run an instance of AdGuard Home for devices on the network that are impossible or impractical to configure to block their own ads. Any “smart” device on the network gets assigned to the AdGuard server instead of the main, unfiltered resolver running on my OPNsense firewall.

A weird unexpected side effect of blocking ads in this way was that several of the apps on our smart TV started crashing less. Since they were often crashing where ad breaks might exist (if we weren't paying for the ad-free versions, which we mostly are), my theory is that there's a “load the next thing” subroutine that can't reliably handle a transitory failure like a network blip at the wrong moment. But if the app can't connect to the ad server at all, even just for the “you don't need to display ads” ticket, then it grabs the whole program as one continuous segment. No more “load the next segment” subroutines, fewer crashes as a result. I wouldn't have predicted this, and for the most part we pay for service tiers without ads, but I'm not getting paid to deal with somebody else's bugs. Especially when the app loses our playback location when it crashes, resulting in several minutes of fussing just to get back to where we were before the app crashed.

Things were great when I set all this up, and then 48 hours later the Chromecast was showing ads again. It seems that Google anticipated people using things like AdGuard or a Pi-hole, and after some predetermined period of failure the Chromecast will just silently switch its own DNS and route around the blockage. It's smart, but I'm stubborn.

So I set up a couple new port forwarding rules on my firewall. Here's what I had to do:

1. Set up an alias for the AdGuard instance, with both its IPv4 and IPv6 addresses. Call it AdGuard.

2. Set up another alias for any streaming devices that I want to live in AdGuard jail. I started with IP addresses for this alias, but thanks to IPv6 I've now settled on using MAC addresses. Call this one Streamers. Add the MAC addresses for every device you want to send to jail.

3. Set up a Port Forward rule for traffic: a. On the LAN interface; b. IPv4/IPv6; c. TCP/UDP; d. Source: the Streamers alias; e. Source port range: Any; f. Destination invert: checked (it's important that this be checked); g. Destination: the AdGuard alias; h. Destination port range: from DNS to DNS; i: Redirect target IP: the AdGuard alias (again); j: Redirect target port: DNS.

4. Copy that rule to a new rule, and change the port selections from DNS to the number 853, which is DNS over TLS.

Put together, these two rules ensure that any DNS traffic from any of the devices in that Streamers alias gets routed to my local AdGuard server.

For the Chromecast specifically, I added one more rule, just to be mean. That rule looks for traffic FROM the Chromecast specifically, TO a GoogleDNS alias (8.8.8.8, 8.8.4.4, 2001:4860:4860::8844, and 2001:4860:4860::8888), on port 443, which is DNS over HTTPS. That traffic, which would normally get routed as normal web requests, also gets forwarded to the AdGuard server. Luckily DNS over HTTPS doesn't validate the SSL certificate when querying.

So far the only device I've seen actual IPv6 traffic from is our new Apple TV, which also aggressively rotates its IPv6 addresses to try to foil tracking, but doing MAC-based filtering has worked exactly as intended. We have some IoT temperature monitors I should probably get the MAC addresses from to put them in jail as well, but I feel the workflow has been proven.

If you want me to use your software as designed, don't ever make me go, “Oh. Oh, no.”

I don't have comments on here, but if you want to respond to this post, I'm on the fedi as fedward@distraction.party.

Salsa Confluence GRX 600 2x, in front of our fireplace

Here are some notes on the process and initial impressions of the bike itself.

The Buying Experience

First, I'm not sure I recommend the experience of buying a bike from REI during a big sale event. Despite being a co-op, they've been corporatized to the extent that the bike shop within the DC flagship store is only barely adequately staffed for regular business, which means they're understaffed for peak times. Before I get into anything else, I do want to say that all my interactions with the staff at the DC flagship store have been great, and I don't think it's their fault they're understaffed for the amount of business the store gets. But the fact is, they're understaffed for the amount of business the store gets, and it shows.

I suspected they'd be backlogged due to the Member Days event, so I waited a couple days after their automated system told me my bike was at the store, and then I called the store itself to speak to the bike shop about when it might be ready. (Pro tip: if you're waiting on a bike, call the store and not the 800 number.) When I called that Friday morning, they thought they might get to it that evening. In the process the person I spoke to on the phone pulled up my account and saw that I'd ordered two bikes, and he asked if there was anything different between them. I said that one of them came with extra bonus rewards from the credit card, but I was planning on canceling pickup of the other one. Shortly after that I got a notice that the first order (the one without the extra reward) had been canceled. If I'd known that would be possible I'd have had them cancel it sooner, but I've been assured it's not a problem.

As expected, I didn't get any notification that it was complete on Friday, and I assumed they'd just be slammed over the weekend so I didn't call again until the following Monday. When I did, they said it was built but hadn't been inspected, and there was nobody on the schedule who could inspect it. So it wasn't ready until Tuesday, a week after they'd received the bike.

When I picked up the bike that Tuesday, I used my free hour of setup to have fenders and pedals installed, and then I started riding home. I made it a couple miles before realizing that one of the two shift/brake lever assemblies wasn't clamped down tightly enough and would move if I happened to apply force to it (like when I stood on the pedals to cross the street at a green light). So I turned around and rode back to REI, where the same tech who'd installed my fenders again helped me. He seemed personally affronted that the loose assembly had passed inspection, so he took a little extra time to double check all the bolts (again: I have only good things to say about my interactions with the team at this REI location).

Customization

In addition to the fenders and pedals, I also ordered more accessories from REI (using member rewards), as well as lights and a wiring adapter I had to order elsewhere. Here's what I have so far:

As mentioned above, when I picked up the bike I had REI install the fenders. I installed the rear rack myself, attached the front and rear lights as appropriate, and took the bike back to REI to get the lights connected to the bike's electronic system (a process that requires removal of the pedals, bottom bracket, and battery). Unfortunately, when I installed the rear rack I found that I needed to tap the frame eyelets so the bolts would thread without galling. Since I didn't own a metric tap and die kit, that's another $30 out of pocket, but now I own those tools.

Further, the front light's 8W maximum power draw exceeds the bike's specifications. It's possible to configure the light to a total of four power levels (4W, 5W, 7W, and 8W), but while I was testing that I kept getting error messages in the bike's app. Eventually I realized that if the power draw was too high (7W or 8W), the error would pop up when the lights were turned on; but if the lights were configured to low enough power the error didn't pop up until I used the bike's controller to turn the lights off. I can replicate it, so I filed a bug report with the drive system's manufacturer. (They've responded with a theory, and we've had some emails back and forth, but this isn't resolved yet).

Bank Error in Your Favor, Collect $200

Getting paid in scrip instead of actual money isn't my favorite, but it seems like my hunch was correct that the credits (in whatever form) would pay for most of the accessories I'd be adding to the bike. The breakdown:

• $349.90 in a “single use bonus card”;
• $100 in a gift card for using the new REI Rewards credit card somewhere else within the first 60 days;
• $2.21 in rewards for using the REI Rewards credit card somewhere else, just as regular spending;
• $185.45 in rewards for using the REI Rewards card at REI;
• $185.45 in bonus rewards for doing so during the Member Match days.

That's $823.01 in various benefits, of which I've spent $693.41. I did have to pay out of pocket to get lights and the wiring for them, but the bulk of what I've “spent” has come out of various rewards. That feels OK. (I've also bought some panniers and I want to get some shoes, but neither of those feel like part of the setup since they don't get permanently attached.)

The amount above also excludes the 2024 member reward expected by March 2025. A 10% reward (“typical, but not guaranteed”) would be $399 based on just the spending totaled above. This definitely softens the blow. Your accessory needs may vary.

But Enough About That. How Does It Ride?

I'm still on the learning curve, but I'm a little surprised how closely it matches the idealized bike in my head.

I wanted something that had a comfortable default position on the hoods for getting around the city, but that gave me the option of the drops when I wanted them, and the fit seems really good for both of those. I had to get REI to raise the seat before I'd gone very far, and I ended up raising it a bit more when I got home, but the bars feel like they're in a good place. I'm still getting used to having flat pedals without toe clips. I know toe clips are well out of fashion now, but I liked not having to think about where my feet were on the pedals and whether they were likely to slip.

It strikes a really nice balance between being powerful enough to level the hills and being light enough that it feels like a normal bike and not an e-bike. It's definitely not as punishingly stiff as the new Capital Bikeshare e-bikes are, so it gamely handles DC's pitted streets. I like the fact it's possible to customize the level of assistance, but I haven't yet settled on what levels I like best. I'm currently using the commuter preset but I have to admit that its maximum level of assistance seems like more than I need most of the time. I appreciate the extra help when I'm really feeling fatigued though.

As I focused on my research before buying anything, I noticed that a common complaint about hub motors (as opposed to mid-mount motors) is that they don't have enough torque at low speed, meaning that they can't provide enough assistance when you really need it, like going up a hill. In my experience this complaint is unfounded. I don't think of myself as the fittest, most powerful rider, but I've been riding bikes for long enough, and I have an instinctive enough feel for cadence and power output, that even when I'm fatigued I'm not struggling to get up enough speed for the motor to provide enough torque. Cynically, I'd guess this complaint is coming primarily from people who have more experience reading spec sheets than riding hub-motor bikes in person. Low torque at low RPM is just not a problem. Don't believe the anti-hype.

On the other end, I've gone past the 20mph limit of the motor assistance and … it's fine? Again, maybe this is just because I had a pretty good idea of my own power output before I even chose a bike, or a function of the places I've ridden so far, but I can easily get to 19 or 20 MPH on the flat. However the thing attenuates its assistance past that point just feels like pedaling a bike to me. It doesn't weigh enough to slow me down, and if I feel like I need a more aerodynamic position that's what the drops are for. The assistance can be dialed up so it's more than just a tailwind, but it's not like I feel like I miss the extra power when and if it drops out.

Do I miss having a throttle? I do not. Do I think I need more power? Not so far!

Sadly, I'm not 100% happy with everything.

The paint is terrible, and in addition to the places I know I damaged it (like installing the rear rack), there's a chip on the bottom of the top tube that I know I didn't cause. I don't love the shade of yellow anyway and I know bikes get scarred in use, but the paint really could stand to be better.

The internal control system is acceptable but still somewhat cryptic. The controller is a single button with an LED ring. There's a paper chart included with the manuals that's supposed to tell you what all the color codes from the LED ring actually mean, and how you do various things like change the amount of assistance, but everything just feels a little less obvious than it should be. To change the power assistance: press the button quickly to make the thing listen for a command, then press the button a second time to cycle through the power levels (one level per press after the first press, which doesn't count). To turn the lights on or off: short press to make it listen, then a long press. OK, I guess. It would be so much easier with more buttons and a display that didn't require you to memorize modes.

The associated app (used for customizing power levels and tracking rides) is … meh. It can save workouts to Apple Fitness, but it only records time and not distance; it doesn't record your heart rate if you don't open the Apple Watch app first; if you start a ride from the Watch app the phone app doesn't actually reflect that. It can send rides to Strava automatically, and it seems to be a little better about sending all the available data there, but I'd prefer not to have Strava in the middle there. There's also one non-obvious place to customize whether the lights come on automatically or not, but there are two other places to change the power levels. It also seems to be a huge battery drain on my phone. I had an issue this week after locking the assistance when locking up the bike. My phone's battery was very low because of the rides I'd taken earlier that day, and I'd put it in low power mode. At the start of my ride home I unlocked the assistance so I could ride home, but it seemed that the bike didn't actually get the command (maybe because my phone was in low power mode?). I rode home wondering why the assistance wasn't helping me more.

Apple Fitness cycling workout data, showing a 4.85 mile ride with a gradual climb gaining 251 feet over the length of the ride, an average heart rate of 151 BPM, and an average speed of 11.9 MPH

See? Learning curve.

Anyway, the overall experience is great. I love riding it and I feel like I made the right choice. The app could be better, but it's actually conceivable that could improve since the manufacturer does seem to care. And if I have it long enough that it needs to be repainted, well, I can pick a different color then.

I don't have comments on here, but if you want to respond to this post, I'm on the fedi as fedward@distraction.party.

The geometry is surprisingly similar to a modern gravel bike, but the stock bars were killing my wrists. I'd idly thought about component upgrades but if I'd switched to drop bars I also would have had to buy new brake levers and shifters, and I still wouldn't have had disc brakes. I did install a Jones H-Loop bar on a shorter stem, and that mostly fixed my wrist issues. In retrospect I could have gone with an even shorter stem than the one I bought, but I was worried about changing the handling too much.

So anyway, for a few years now, in the back of my mind, I've kind of wanted a bike that was “like this, but.” I'd already discovered that the frame geometry was very much like a modern gravel bike (similar seat and head tube angles, wheelbase, and bottom bracket height) so I thought that the drop bars, disc brakes, and stack height of a modern gravel bike would be really nice to have. But I was also wary of falling into the N+1 trap (see below) so I steadfastly refused to think about this except in the most abstract of terms.

Rule #12 // The correct number of bikes to own is n+1. While the minimum number of bikes one should own is three, the correct number is n+1, where n is the number of bikes currently owned. This equation may also be re-written as s-1, where s is the number of bikes owned that would result in separation from your partner.

A few things just made me change my mind. The Cannondale is starting to have some stacked up maintenance needs that I either don't have the tools for (squeaky bottom bracket, rims that need some attention) or have lost patience for (sticky shifting between a couple gears that I think means I may need to overhaul the shifter and/or replace the cables). I've been using Capital Bikeshare e-bikes more lately when I need to go one-way and that way is uphill, and while the power is nice, the riding experience is awful. Both of those are minor, but the thing that really pushed me over the edge was … an autoimmune disease.

I'd known for a few years (five, it turns out) that my regular blood tests indicated that I had some kind of autoimmune disease, but I'd been able to ignore it. This year the fatigue seemed to be getting a lot worse though, and I talked to my doctor about it, and finally saw a rheumatologist to check out my blood test results. But The New Fatigue™ means I just don't have the stamina to do rides I've done hundreds of times before. Riding back from a (different) doctor's appointment, I basically bonked, and I felt it for three days afterward instead of recovering as soon as I'd had some rest. This was the first time I'd felt that fatigued for that long. And I hated it.

So I went from “maybe I'd like a new gravel bike, someday” to “I should get an e-bike, like, now.” It was Labor Day weekend and thus time for REI's annual sale, but the more I looked at commuter/cargo e-bikes the more I realized that if I bought one of those, I'd definitely end up wanting something like a gravel/adventure/all-road e-bike in addition. Which sure smells a lot like the N+1 rule all over again, and I don't want to fall into that trap. So I wondered, “is an electric gravel bike a decent commuter?” And the internet kind of says yes. Could I have found an N=1 bike?

The answer turned out to be … a qualified maybe? I found a few decent bike models that covered my wishlist (comfortable position, drop bars, disc brakes, 2× drivetrain, not too heavy) but actually being able to buy one (from a local bike shop, not online) and justify the cost ($2.5K was table stakes; $3.5K seemed to be the real going rate) was going to be hard. But then I found a clearance deal on a GT eGrade Bolt. Velofix isn't so much an LBS (“Local Bike Shop”) as a storage unit and somebody with a van, but they seem to have two mechanics in the DC area and feedback on /r/bikedc wasn't bad.

One bike, in a good color even, and only available in the size I needed. Was this too good to be true? You bet. It was an inventory error, and GT is out of stock of this old model (and haven't yet introduced its successor). So my order was canceled and refunded. Cannondale, owned by the same parent company, has an equivalent model, the Topstone Neo SL 2, that has the same 2×10 drivetrain as the discontinued one from GT and I can't help but think it's also maybe due for a replacement. Trek's equivalent, the Domane+ AL 5 is out of stock in my size in every color.

That left me with basically one model I could even try to buy locally, the Salsa Confluence GRX 600 2x, but it's a new model this year, so it's full price everywhere. I was about to give up, and then the clock passed midnight and REI's Member Days deals went live. Extra 10% back if I used their credit card. Getting this year's model with 20% back to pay for accessories was certainly tempting, but I made myself sleep on it.

The next morning it still didn't seem like a bad idea, so I figured I'd leave it to the fate of “can I even get approved for the credit card?” No card, no deal (literally). Well, sure enough they approved me for the card and I could get a virtual card number through the app, so I ordered a(nother) bike!

I went about my day. The next morning I figured I should get a head start picking out accessories like pedals, fenders, and a new lock, so I opened up a new REI tab. And there was a banner saying that there was now a Member Match offer for an additional 10% back in the form of a store bonus card, for purchases made Saturday and Sunday only. The offer was not applicable to previous purchases, but I had the available credit on the new REI Co-op Mastercard I'd just opened the day before. So I ordered my third new bike in three days.

Yes, this is actually the same screenshot as the one above it, so your browser doesn't have to request another image

It's absurd. REI won't let you cancel an order in progress, so my local REI is going to have a spare bike exactly like mine. I feel bad for increasing their overhead, but I didn't make the rules, and $350 in store credit makes it worthwhile to me.

After years of convincing myself that I didn't need another bike, it's definitely weird to have placed three orders in three days just to get to the point of finally owning one more. I wonder if I should sell the Cannondale.

Update: I've now posted some impressions of my new bike.

I don't have comments on here, but if you want to respond to this post, I'm on the fedi as fedward@distraction.party.

This week, however, the Mac mini stopped updating. The installer for the latest Safari update crashed without successful completion, and Ventura 13.6.1 wasn’t showing up in Software Update at all. Delving into the Console app I found the root error was the shove process crashing with a doesNotRecognizeSelector error message. I exhausted the amount of time I was willing to spend on it, and that should have been that. But then my wife asked for her annual supply of Christmas music from my CD collection, which for disk space reasons is only in my Music-formerly-iTunes library and not hers. (There does not seem to be a good way to share a music library across users, or at least there wasn't the last time I looked for one). Putting my music on her iPhone requires plugging her iPhone into the computer where the library lives and syncing manually. It's a pain, but most of the time this doesn't matter, because we can fill it up with the stuff she likes and forget about it. Unfortunately, the computer where the library lives happens to be the Mac mini that previously failed at Software Update.

That same Mac mini, unsurprisingly, required the installation of some software component so it could connect to her iPhone, and when I tried to install it the same shove process crashed with the same sort of doesNotRecognizeSelector error message.

Good news, everyone! This is not a problem Apple will help you fix. Leaving aside the not-inconsequential issue that Ventura isn't officially supported on this Mac, their guidance for problems like this is just to reinstall the OS and restore from a backup. I went back to the thumb drive I'd used for the installer, but the installer said that the volume couldn't be downgraded. Um, what?

So then I downloaded the full 13.6.1 installer and used the media creation tool to put that on my thumb drive instead of whatever older version of Ventura was on there. 13.6.1 is newer than the 13.6 that was installed on the Mac, so that installation should work, right? Wrong. Even the 13.6.1 installer said that the volume couldn't be downgraded.

At this point I followed the usual guidance and created a new volume on the startup drive, but then the installer said there wasn't enough room on the volume. After I deleted 4 GB of old media files to clear up the 1.5 GB I needed, the installer still said there wasn't enough room on the volume. Frustrated, I wiped out the Time Machine snapshots on the original volume and that made enough room for installation.

After letting the installer do its thing, I tried to use Migration Assistant to copy everything from the old startup volume to the new one, but here's where this gets really weird: Migration Assistant refused to allow me to select the old startup volume, saying it that it was a newer version of the OS and that the current startup volume would need to be upgraded first.

Based on that I'm pretty certain that some indicator of the current installed OS version on the old startup volume has gotten corrupted. But because this is not a problem Apple will in any way help you resolve, what I'm left with is a tedious, manual process to look over the old startup volume and its user directories, find the things that should be copied, and copy them with the correct permissions into the corresponding places on the new startup volume. Several hours of work across three days later, I've got most of the important stuff done but I still have some lingering issues.

I thought I had gotten the Music library all set up again, but then it turned out that merely pointing the app at the directory containing all its media wasn't enough. I had to import all the files that were already in the media directory (almost a thousand albums, more than 12,000 songs, which could play nonstop, without repeat, for 31 days). And of course since it's a new installation my wife's iPhone doesn't recognize it as the library that was previously synced. Doesn't matter that it's the same hardware, the same library files copied into the active user's home directory, and the same media folder on the same hard drive. Now, just to get Christmas music onto her iPhone, I've had to take notes (by hand) of what music was already on her phone, set up the sync with the new copy of the same library, and then restore all the old music when adding Christmas music.

Even weirder, there's a handful of playlists that are either empty now or just don't show up in the interface where you select which music to sync. The music exists in the library, but the playlists can't be selected. I think this is caused by a workaround I previously had to put in place for stuff that iTunes Match mismatched (e.g. mono tracks from remastered Beatles albums that iTunes Match replaced with the stereo versions), but I have to stop somewhere. That can be a problem for another day.

Ironically, the non-Apple media server software I use for TV and movies (Emby) worked perfectly once I copied the old configuration directory over, recognizing all the local media directories I'd previously configured. It's just the Apple software that didn't work right the first time. There's probably a lesson in there somewhere.

I don't have comments on here, but if you want to respond to this post, I'm on the fedi as fedward@distraction.party.