How Leese Family Connected Epstein to the Bullingdon Club
Epstein was reportedly brought into British establishment circles through the Leese family, especially Douglas Leese and his son Nick Leese, who was connected to the Bullingdon Club set.
Our previous article says the Leese family acted as a “primary bridge” for Epstein’s entry into high-society England in the early 1980s, placing him around the “Bullingdon Club set” and linking him to financiers and arms-dealer networks around Adnan Khashoggi.
The Bullingdon Club is basically an elite Oxford University dining/drinking society for wealthy male students. It is famous because many members later entered the British establishment: politics, finance, media, law, aristocratic circles.
The claim is not simply “Epstein was a Bullingdon member.” The stronger point is that Epstein was reportedly introduced into British high society through Douglas Leese and Nick Leese, with Nick Leese being connected to Oxford’s Bullingdon Club circle. The Sunday Times reported that Epstein was “mentored” by Douglas Leese in the early 1980s and eased into establishment circles by Bullingdon-linked people, including Nick Leese. https://www.thetimes.co.uk/article/ghislaine-maxwell-birthday-book-jeffrey-epstein-mentor-gjn2r0v9f
The Bullingdon Club was a gateway into Britain’s elite Oxford-establishment network. Epstein’s reported connection was through the Leese family, especially Douglas Leese and Nick Leese, whose Bullingdon Club circle allegedly helped open doors into aristocratic, political, and financial society.
Jeffrey Epstein appears to have entered British establishment circles in the early 1980s through the Leese family. Douglas Leese, a former British arms dealer/defence figure, has been reported as an early mentor or introducer. Nick Leese, connected to Oxford’s Bullingdon Club circle, appears to have helped place Epstein near Britain’s elite social network. This does not prove Epstein was a formal Bullingdon Club member, but it does suggest the Bullingdon-linked network may have acted as an access route into aristocratic, political, financial, and royal society.
The Bullingdon Club’s famous political members are mainly linked to later Conservative figures such as David Cameron, Boris Johnson, and George Osborne. Sources discussing the club repeatedly identify Cameron and Johnson in the 1987 Bullingdon photo; Blair is not part of that known Bullingdon group. https://en.wikipedia.org/wiki/1987_Bullingdon_Club_photograph
Timeline: Douglas Leese and Epstein
Period / What appears to have happened / Source URL
1981: Epstein reportedly met the Leese family during a UK trip with Paula Fisher / Paula Heil Fisher, after she encountered Nick Leese socially. Epstein then met Douglas Leese. (Source: https://www.thetimes.co.uk/article/ghislaine-maxwell-birthday-book-jeffrey-epstein-mentor-gjn2r0v9f)
Early 1980s: Douglas Leese was reportedly an early mentor or introducer for Epstein. Nick Leese’s Oxford/Bullingdon-linked circle allegedly helped Epstein access British establishment society. (Source: https://www.thetimes.co.uk/article/ghislaine-maxwell-birthday-book-jeffrey-epstein-mentor-gjn2r0v9f)
Early–mid 1980s: Nick Leese was reportedly connected to the Bullingdon Club circle at Oxford. This supports the phrase “Bullingdon-linked network,” not “Epstein was a Bullingdon member.” (Source: https://www.thetimes.co.uk/article/ghislaine-maxwell-birthday-book-jeffrey-epstein-mentor-gjn2r0v9f)
1987: Epstein reportedly fell out with Douglas Leese and then moved into the orbit of Steven Hoffenberg. (Source: https://www.thetimes.co.uk/article/ghislaine-maxwell-birthday-book-jeffrey-epstein-mentor-gjn2r0v9f)
1987 onward: Vanity Fair reported that Steven Hoffenberg claimed Douglas Leese introduced him to Epstein. Epstein gave a different account, saying he was introduced by John Mitchell. (Source: https://www.vanityfair.com/news/2003/03/jeffrey-epstein-200303)
1987–1993: Epstein became involved with Hoffenberg and Towers Financial. This period is important because it connects Epstein’s earlier British access to his later financial rise. (Source: https://www.vanityfair.com/news/2003/03/jeffrey-epstein-200303)
1990s onward: Epstein’s UK network later becomes clearer through Ghislaine Maxwell, London society, and Prince Andrew. US prosecutors said Maxwell helped Epstein recruit, groom, and abuse minor girls from at least 1994 to about 2004. (Source: https://www.justice.gov/usao-sdny/pr/ghislaine-maxwell-sentenced-20-years-prison-conspiring-jeffrey-epstein-sexually-abuse)
Epstein knew the Leese family.
Douglas Leese was reported as an early mentor/introducer.
Nick Leese was Bullingdon-linked and wrote in Epstein’s birthday book.
Hoffenberg said Douglas Leese introduced him to Epstein.
Julian Leese remained in contact with Epstein years later.
Shocking News
It appears to be Adrian Hughes — a former Dudley councillor.
Reports say he was jailed for 32 months after admitting four child sexual offences. Police had created decoy online profiles for two girls, “Lucy” aged 13 and “Molly” aged 12, so the victims he believed he was contacting were children, but they were actually undercover officers. The party that promised to protect children like my daughter Emily, who is missing, to weed out paedophiles from its ranks.
Former Dudley councillor involved in children’s services jailed for child sex offences | ITV News Central
As the father of Emily, who is missing, I want more than slogans. I want every institution and political party to prove they are doing everything possible to protect vulnerable children and remove dangerous people from positions of trust.
The especially grim part is that Hughes had sat on Dudley Council children-related committees, including the Children’s Services Select Committee, the Children and Young Person’s Scrutiny Committee, and the Children’s Corporate Parenting Board.
The court sentenced him to 32 months for attempting to incite a child into sexual activity, with other concurrent sentences, and imposed an indefinite Sexual Harm Prevention Order plus indefinite police notification requirements.
May 4, 2026
The Leeses: Gateway to the British Establishment and Epstein.
by Martin Newbold, May 3, 2026
by Martin Newbold, May 1, 2026
#Books #childWelfare #courtCrisis #familyLaw #humanRights #News #politics
Sharing: NDConnection’s Neurodiversity-Affirming Care Toolkit + SPACE Series
Neurodiverse Connection just published a practical, interactive toolkit for neurodiversity-affirming care and support — and it’s one of the most important resources we’ve seen arrive this year.
NDC is explicit: this is not a rebranded version of Positive Behaviour Support. It is not PBS in softer language. It is a fundamentally different paradigm — one that moves away from external observation, compliance, and behavior modification toward internal experience, co-regulation, relational trust, dignity, and consent.
That’s the line we hold at Stimpunks. “Being with” people, not “doing to” them.
Why This Matters
The toolkit is built on the Autistic SPACE Framework (Doherty, McCowan & Shaw, 2023) — a framework developed by Autistic clinicians who also navigate healthcare as Autistic people. SPACE names what neurodivergent people actually need: Sensory safety, Predictability, Acceptance, Communication, and Empathy, anchored in physical, processing, and emotional space.
That vocabulary maps directly onto what we build at Stimpunks.
Cavendish Space is our answer to what physical and relational space needs to look like for neurodivergent people — decompression, sensory safety, room to exist without masking. The SPACE framework’s “physical space” and “emotional space” dimensions articulate exactly why. Quiet zones. No-touch policies respected. Solitude honored, not pathologized.
Neuroqueer Learning Spaces and SPACE-TIME take the same logic into learning environments. Regulation first. Processing time built in. Interaction pace set by the learner. The toolkit’s “processing space” dimension — allowing silence between questions, providing agendas in advance, offering summaries afterward — is what we mean when we say regulation-first design isn’t an accommodation add-on. It’s the baseline.
None of this is compatible with ABA or PBS. Not partially. Not with modifications. The behaviors those frameworks try to suppress are often adaptive, communicative, regulatory. They are valid messages, not problems to eliminate.
Read the Series
NDC published a lived experience blog series alongside the toolkit as part of their Against PBS & ABA campaign. All of them are worth your time.
SPACE: An Autism-Informed Framework
Lucy Gilbert, NdC’s Lived Experience Lead, reflects on how SPACE-informed practice gives practitioners something tangible — not a checklist of right answers, but a scaffold for curiosity and reflection. There is no one-size-fits-all. That’s the point.
How SPACE Helped My Wellbeing at Work as a Late-Discovered AuDHD Person
Antonia Aluko describes workplace accommodations that weren’t personal to her — a checklist drawn from disability services, not from who she actually is. SPACE gave her a framework for understanding and naming what she genuinely needed. Late discovery is a theme that runs through so much of our community’s experience. This is for them.
The SPACE Framework: How It Changed My Experience of Accessing Mental Health Care
Molly Anderton collected mental health diagnoses for years before an Autism diagnosis. When recommended treatments “didn’t work,” she was told the problem was her. SPACE reframes that entirely. The environment was the problem. The system was the problem. Not her.
SPACE — A Framework for Wellbeing for All
Lucy Gilbert again, with a clear argument: Autism-informed care doesn’t only benefit Autistic people. It reduces barriers for everyone. A Director of Nursing at one of NDC’s Culture of Care events put it simply: “We are all human, and we need to strive to deliver human care and connection.” That’s the whole thing.
The Alignment Is Real
NDC’s framing and Stimpunks’ framing are built from the same foundation: broken systems, not broken people. Regulation as an internal physiological process, not performed calm. Emotions as valid messages. Autistic leadership centered, not consulted. Human rights as the floor, not the ceiling.
The toolkit is a living document. It will evolve. That’s the right relationship to have with this kind of work.
We’re sharing it here because resources like this are too rare, and they need to travel.
Neurodiverse Connection: ndconnection.co.uk
Stimpunks Foundation: stimpunks.org
Stimpunks on Cavendish Space: stimpunks.org/space/
Header image credit: Original graphic by ADI to illustrate the elements of the Autistic SPACE framework
#healthcare #neuroaffirming
100 Wuthering Heights–Inspired Baby Girl Names (A–Z)
This post contains affiliate links which may earn Eco Mom Diaries a commission.
Few novels feel as atmospheric and romantic as Wuthering Heights by Emily Brontë. Set on the wild English moors, the story is filled with dramatic love, haunting landscapes, and unforgettable characters. Even the names in the novel carry a poetic, windswept charm that feels perfect for parents who love classic literature.
Victorian names from the Brontë era often feel elegant and timeless. Many come from nature, old English traditions, or strong historical roots. Some appear directly in Wuthering Heights, while others reflect the same vintage style and moody beauty that surrounds the story.
If you are drawn to literary names with depth and romance, here is a collection of 100 baby girl names inspired by the world and aesthetic of Wuthering Heights — arranged from A to Z.
A
Ada — Noble and serene; a Victorian classic.
Adeline — Noble and graceful.
Agnes — Pure and gentle.
Alice — Noble and bright.
B
Beatrice — Bringer of happiness.
Blythe — Carefree and joyful.
Briony — A climbing plant; delicate and nature-inspired.
Briar — A thorny rose bush, evoking wild landscapes.
C
Catherine — Pure; the unforgettable heroine of Wuthering Heights.
Clara — Bright and clear.
Cora — Maiden; soft and classic.
Cecilia — Heavenly and musical.
D
Diana — Divine and luminous.
Dorothea — Gift of God.
Delilah — Delicate and romantic.
Daphne — Laurel tree; graceful and natural.
E
Eleanor — Light and compassion.
Eliza — Devoted to God.
Esther — Star.
Edith — Prosperous in war; a vintage English name.
F
Florence — Flourishing and blooming.
Felicity — Great happiness.
Frances — Free-spirited.
Flora — Flower; a beautiful Victorian favorite.
G
Georgiana — Feminine form of George; elegant and aristocratic.
Grace — Charm and goodness.
Genevieve — Woman of the people.
Gwendolyn — White ring or blessed.
H
Harriet — Ruler of the home.
Hazel — The hazel tree; earthy and gentle.
Hester — Star; an old English favorite.
Honor — A virtue name popular in earlier centuries.
I
Isabella — Devoted to God; Catherine’s sister-in-law in Wuthering Heights.
Iris — Rainbow; delicate and botanical.
Imogen — Maiden; poetic and Shakespearean.
Ivy — Evergreen vine symbolizing loyalty.
J
Jane — God is gracious; reminiscent of Brontë literature.
Juliet — Youthful and romantic.
Josephine — God will increase.
Jessamine — Jasmine flower.
K
Katherine — A variant of Catherine meaning pure.
Keira — Dark-haired beauty.
Kitty — A charming diminutive of Katherine.
Kendra — Wise ruler.
L
Lillian — Lily flower; soft and elegant.
Lucy — Light.
Lydia — From Lydia in Greece.
Lavender — A fragrant flowering plant.
M
Margaret — Pearl.
Matilda — Strength in battle.
Millicent — Strong worker.
Mabel — Lovable.
N
Nelly — Shining light; inspired by Ellen “Nelly” Dean, the narrator of Wuthering Heights.
Nora — Honor or light.
Naomi — Pleasantness.
Nadine — Hope.
O
Olivia — Olive tree; peaceful and timeless.
Ophelia — Help; poetic and dramatic.
Odette — Wealth and prosperity.
Octavia — Eighth.
P
Penelope — Weaver.
Primrose — The first rose of spring.
Phoebe — Bright and radiant.
Prudence — A classic Victorian virtue name.
Q
Queenie — A charming vintage nickname meaning queen.
Quinn — Wise and intelligent.
Quilla — Gentle and poetic.
Quintessa — Essence or fifth element.
R
Rosalind — Beautiful rose.
Rosamund — Horse protector.
Rowena — Fame and joy.
Rebecca — To bind.
S
Sophia — Wisdom.
Seraphina — Fiery and angelic.
Sylvia — Of the forest.
Susanna — Lily flower.
T
Theodora — Gift of God.
Tabitha — Gazelle; graceful and rare.
Theresa — Harvester.
Temperance — Self-control; a virtue name.
U
Una — One or unity.
Unity — Harmony and togetherness.
Ursula — Little bear.
Ulyssa — A rare poetic name.
V
Victoria — Victory.
Violet — Purple flower; beautifully Victorian.
Verity — Truth.
Valentina — Strength and health.
W
Winifred — Blessed peace.
Willa — Resolute protector.
Wilhelmina — Determined guardian.
Wren — Small songbird.
X
Xanthe — Golden.
Xenia — Hospitality.
Ximena — Listener.
Xandra — Defender of mankind.
Y
Yvette — Yew tree.
Yara — Small butterfly.
Yvonne — Archer.
Ysolde — Ice ruler; romantic medieval name.
Z
Zara — Blooming flower.
Zinnia — Bright garden flower.
Zelda — Blessed or gray fighting maid.
Zora — Dawn.
Final Thoughts
Names inspired by Wuthering Heights capture a kind of timeless romance that feels both dramatic and elegant. Whether you love classic Victorian names like Catherine and Isabella or nature-inspired picks like Briar, Ivy, and Wren, these names carry the same windswept beauty found in Emily Brontë’s unforgettable story.
A literary name can feel like a little piece of poetry—something that grows with your child and always carries a story behind it.
#Babies #Books #family #Food #Kids #Motherhood #Names #NewBorns #photography #Travel #WutheringHeights
100 Wuthering Heights–Inspired Baby Girl Names (A–Z)
This post contains affiliate links which may earn Eco Mom Diaries a commission.
Few novels feel as atmospheric and romantic as Wuthering Heights by Emily Brontë. Set on the wild English moors, the story is filled with dramatic love, haunting landscapes, and unforgettable characters. Even the names in the novel carry a poetic, windswept charm that feels perfect for parents who love classic literature.
Victorian names from the Brontë era often feel elegant and timeless. Many come from nature, old English traditions, or strong historical roots. Some appear directly in Wuthering Heights, while others reflect the same vintage style and moody beauty that surrounds the story.
If you are drawn to literary names with depth and romance, here is a collection of 100 baby girl names inspired by the world and aesthetic of Wuthering Heights — arranged from A to Z.
A
Ada — Noble and serene; a Victorian classic.
Adeline — Noble and graceful.
Agnes — Pure and gentle.
Alice — Noble and bright.B
Beatrice — Bringer of happiness.
Blythe — Carefree and joyful.
Briony — A climbing plant; delicate and nature-inspired.
Briar — A thorny rose bush, evoking wild landscapes.C
Catherine — Pure; the unforgettable heroine of Wuthering Heights.
Clara — Bright and clear.
Cora — Maiden; soft and classic.
Cecilia — Heavenly and musical.
D
Diana — Divine and luminous.
Dorothea — Gift of God.
Delilah — Delicate and romantic.
Daphne — Laurel tree; graceful and natural.
E
Eleanor — Light and compassion.
Eliza — Devoted to God.
Esther — Star.
Edith — Prosperous in war; a vintage English name.
F
Florence — Flourishing and blooming.
Felicity — Great happiness.
Frances — Free-spirited.
Flora — Flower; a beautiful Victorian favorite.
G
Georgiana — Feminine form of George; elegant and aristocratic.
Grace — Charm and goodness.
Genevieve — Woman of the people.
Gwendolyn — White ring or blessed.
H
Harriet — Ruler of the home.
Hazel — The hazel tree; earthy and gentle.
Hester — Star; an old English favorite.
Honor — A virtue name popular in earlier centuries.
I
Isabella — Devoted to God; Catherine’s sister-in-law in Wuthering Heights.
Iris — Rainbow; delicate and botanical.
Imogen — Maiden; poetic and Shakespearean.
Ivy — Evergreen vine symbolizing loyalty.
J
Jane — God is gracious; reminiscent of Brontë literature.
Juliet — Youthful and romantic.
Josephine — God will increase.
Jessamine — Jasmine flower.
K
Katherine — A variant of Catherine meaning pure.
Keira — Dark-haired beauty.
Kitty — A charming diminutive of Katherine.
Kendra — Wise ruler.
L
Lillian — Lily flower; soft and elegant.
Lucy — Light.
Lydia — From Lydia in Greece.
Lavender — A fragrant flowering plant.
M
Margaret — Pearl.
Matilda — Strength in battle.
Millicent — Strong worker.
Mabel — Lovable.
N
Nelly — Shining light; inspired by Ellen “Nelly” Dean, the narrator of Wuthering Heights.
Nora — Honor or light.
Naomi — Pleasantness.
Nadine — Hope.
O
Olivia — Olive tree; peaceful and timeless.
Ophelia — Help; poetic and dramatic.
Odette — Wealth and prosperity.
Octavia — Eighth.
P
Penelope — Weaver.
Primrose — The first rose of spring.
Phoebe — Bright and radiant.
Prudence — A classic Victorian virtue name.
Q
Queenie — A charming vintage nickname meaning queen.
Quinn — Wise and intelligent.
Quilla — Gentle and poetic.
Quintessa — Essence or fifth element.
R
Rosalind — Beautiful rose.
Rosamund — Horse protector.
Rowena — Fame and joy.
Rebecca — To bind.
S
Sophia — Wisdom.
Seraphina — Fiery and angelic.
Sylvia — Of the forest.
Susanna — Lily flower.
T
Theodora — Gift of God.
Tabitha — Gazelle; graceful and rare.
Theresa — Harvester.
Temperance — Self-control; a virtue name.
U
Una — One or unity.
Unity — Harmony and togetherness.
Ursula — Little bear.
Ulyssa — A rare poetic name.
V
Victoria — Victory.
Violet — Purple flower; beautifully Victorian.
Verity — Truth.
Valentina — Strength and health.
W
Winifred — Blessed peace.
Willa — Resolute protector.
Wilhelmina — Determined guardian.
Wren — Small songbird.
X
Xanthe — Golden.
Xenia — Hospitality.
Ximena — Listener.
Xandra — Defender of mankind.
Y
Yvette — Yew tree.
Yara — Small butterfly.
Yvonne — Archer.
Ysolde — Ice ruler; romantic medieval name.
Z
Zara — Blooming flower.
Zinnia — Bright garden flower.
Zelda — Blessed or gray fighting maid.
Zora — Dawn.
Final Thoughts
Names inspired by Wuthering Heights capture a kind of timeless romance that feels both dramatic and elegant. Whether you love classic Victorian names like Catherine and Isabella or nature-inspired picks like Briar, Ivy, and Wren, these names carry the same windswept beauty found in Emily Brontë’s unforgettable story.
A literary name can feel like a little piece of poetry—something that grows with your child and always carries a story behind it.
#Kids #Travel #Food #Books #Motherhood #family #Babies #Names #NewBorns #WutheringHeights #photography -
Massive Attack and Paul Weller's requests to geo-block music in Israel have been approved (New Musical Express, 2025-11-26)
>> They pushed to have their music taken down from streaming services in Israel as part of the ‘No Music For Genocide’ campaign…
>> ... Names who have gotten involved so far include My Bloody Valentine, Denzel Curry, Shygirl, Paris Paloma, YHWH Nailgun, Fontaines D.C., Amyl & The Sniffers, Kneecap, Paramore, Rina Sawayama, Primal Scream, Faye Webster, Japanese Breakfast, Yaeji, King Krule, MJ Lenderman, Mannequin Pussy, Wednesday, Soccer Mommy, Björk, Lorde, IDLES, MUNA, Paloma Faith, Clairo, Wolf Alice, Lucy Dacus and AURORA.
>> … the artists are also encouraging major label groups Sony, UMG, and Warner to follow suit, and highlighting how each previously blocked their entire catalogues from Russia and closed operations just four weeks after its invasion of Ukraine.
#NoMusicForGenocide #NMFG #BoycottIsrael
-
Theatre Review: Interview (Understudy Performance)
https://shkspr.mobi/blog/2025/09/theatre-review-interview-understudy-performance/
One of the best things about London theatre is that once in a while a show will give its understudies a chance to break out of the dressing room and soar on the stage. It's a chance to see talented performers at a discount price. What's not to like? Lucy Donnelly and Mark Sean-Byrne are both flawless. His slouched frustration plays against her manic dream pixie self-loathing. The stage is gorgeously laid out - allowing the performers to dance around each other.
The Mayor of London passed a law a few years ago which said that every theatre performance needs to incorporate a live video backdrop. That's the only explanation for that particular cliché's ubiquity. But here it actually makes sense! We see social-media star Katya going live to her legion of followers, and her face is blown up a million pixels wide, dominating the stage. At times, the waveforms of the characters' voices undulate along the back wall. It is hypnotic.
It's such a shame that the dialogue is so inept and the plot so ridiculous. The characters' emotions change because the plot needs them to - not because of anything that has actually happened. I get that the play is called "Interview", but that doesn't mean every line of dialogue needs to be a question, does it? Finally, there's no reason for any of the plot to happen.
At its core is a good question about the tension between new-media and old. Whether selling parasocial relationships is whoreish behaviour (and if that matters)? Are pale-stale-male journalists the enemy? Or does their tragic backstory absolve them of responsibility?
Unlike, say, Mamet's Oleanna there's no he-said/she-said. There isn't a lot of ambiguity about what is and isn't happening. The final "twist" works well but, again, there's no reason for it to happen. The whole play lacks a sense of why.
The play is on until the 27th of September. The performances are stunning, the staging innovative, the sound design is excellent. It's just a pity the play itself is a bit underwhelming.
-
In regards to Xena making a statement against the stigma surrounding HIV: in the episode 'Here She Comes... Miss Amphipolis', Xena enters a beauty pageant undercover. There, she encounters Miss Artiphys, a character played by the late Karen Dior, an HIV-positive actor, singer, former adult performer, and drag queen (reports on Dior’s gender identity are contradictory, and probably also affected by '90s culture).
When Xena discovers that Miss Artiphys was an AMAB character who entered the competition presenting as a woman, the latter explains her actions with the line: "You really don’t get it, do you? I guess being born a woman you wouldn’t. This is a chance to use a part of me most people usually laugh at, or worse. A part I usually have to hide. Only here that part works for me, you see?" expecting Xena to force her to drop.
Instead, Xena encourages her to stay in the competition, never reveals her secret, never disrespects her, and in the end, she ends up being crowned winner. After her victory, Xena and Artiphys share a kiss. That was an intentional statement against the widespread misinformation surrounding AIDS and the transmission of HIV that reportedly Lucy Lawless insisted on being included.
It is near impossible to fully explain how *ridiculously* groundbreaking it was that this entire plot happened in the mid '90s.
#Xena #XenaWarriorPrincess #LGBTQIA #LGBTQ #TransRights #HIV #trans #Gender #TV
-
The Bird Flu Situation Has Only Gotten Worse
#BirdFlu #H5N1 was, until now, a slowly simmering crisis. The situation worsened in 2021, when birds carried the virus from #Europe to #America, a repeat of 2014, when Asian migratory birds triggered widespread outbreaks in the United States and #Canada. Both events led to #MassInfection of #DomesticPoultry and the culling of millions of chickens. The outbreaks that began in 2021 and continue to this day, however, have an additional feature: this time #Mammals such as #Seals and #BigCats have also been infected in large numbers and have been found dead on beaches, in zoos and elsewhere.
The past year proved to be another turning point for the virus, when it was detected in hundreds of US #CattleHerds and in the #Workers who tended them. By now it is clear that there is no reason for optimism that H5N1 will fade away as a minor nuisance. On the contrary, the situation has only gotten worse.
With many signs pointing to a future #InfluenzaPandemic, the key to fighting it will be to ensure a free flow of data that allows early warning, and to increase the resources for comprehensive testing and #Analysis of the genetic evolution of H5N1. This has to happen both globally and nationally, but at a critical moment President Donald #Trump has instead withdrawn the United States from international health efforts and compounded his misstep by targeting the communication, the capacity and the budgets of the national #HealthAgencies. The likelihood is growing that the world will miss an opportunity to fight a potential #Pandemic before it breaks out.
#Infection with the #BirdFluVirus has spread at unprecedented speed among wild and domestic birds as well as #MarineMammals and #LandMammals. In a recent and frightening incident at the end of 2024, of the 37 #BigCats housed in a sanctuary in #Shelton, #Washington, including #Cougars, #Bobcats and #Tigers, 20 died of infection with the virus, most within 24 hours. H5N1 appears to have spread through #RespiratorySecretions and contact with infected #MigratoryBirds.
The silver lining of H5N1 is that #People exposed to sick animals can become infected with the virus but, according to researchers' current understanding, cannot readily infect other people. That could change, however, if infection numbers soar. The virus poses a serious #Threat.
Public #Health experts were rightly worried when the virus appeared in US #DairyHerds in 2024. It has killed half of the nearly 1,000 people who have been infected with it since the early 2000s, predominantly in #SoutheastAsia. There it was able to spread rapidly and has so far infected nearly a thousand herds. Unlike with wild birds or other #AnimalSpecies, people work closely with #DairyCattle. People have also caught the virus directly from birds. While #DairyFarmers have so far suffered only mild infections, the illnesses of two people who contracted the virus from dead or infected wild or domestic birds were far worse. One patient from #Louisiana died; another in British Columbia recovered only after an extraordinary medical intervention. In both cases, viral #RNA sequences showed #Mutations that could enable effective binding to cells in the human respiratory tract. In cattle and numerous other animal species, the virus gets numerous opportunities to evolve further and become more dangerous.
Particularly worrying: when two different #VirusStrains infect a single host at the same time, they can exchange parts of their #Genome, a process known as #Reassortment. This can give rise to a new virus with a different combination of properties. The #SwineFlu epidemic (#H1N1) of 1985 to 1989, for example, was caused by a virus that arose through the exchange of #GenomeSegments in a #Pig that was simultaneously infected with a human and an #AvianVirus strain. This kind of mixing in animals is becoming ever more likely with the current #BirdFlu outbreak, which is occurring in parallel with an extremely strong seasonal #InfluenzaWave.
Currently, most tests for H5N1 are carried out on symptomatic cases. Infected animals and people, however, can already carry a high #ViralLoad days before symptoms appear. Workers on dairy and poultry farms, moreover, hesitate to get tested for fear of losing their #Jobs. Although the Centers for Disease Control and Prevention (CDC) recently changed their recommendations to ensure that asymptomatic #FarmWorkers are also tested, the number of tests carried out remains inadequate. The #CDC recently partnered with commercial testing laboratories to improve surveillance, and individual states are also increasingly testing the #Milk of asymptomatic herds.
Aggressive testing for #EarlyDetection of a form of H5N1 transmissible to humans is needed, but that is only one part of any necessary response plan: surveillance without #Communication is useless. The Trump administration, as part of a general assault on the budgets of #HealthAgencies and their scientific independence, has tried to restrict public health communication at the federal level, even for vital information about H5N1.
Nach der Amtseinführung verhinderte die Regierung die Veröffentlichung des viel gepriesenen Morbidity and Mortality Weekly Report der CDC, der seit Jahrzehnten regelmäßig und auch nach einem Präsidentenwechsel ohne Unterbrechung veröffentlicht worden war. Die erste Ausgabe nach der Amtseinführung sollte angeblich Studien über H5N1 enthalten. Als die Veröffentlichung wieder aufgenommen wurde, waren diese nicht enthalten (obwohl eine inzwischen veröffentlicht wurde, in der das #Infektionsrisiko für Tierärzte, die mit infizierten Tieren arbeiten, aufgezeigt wird).
Seitdem sickern Daten aus verschiedenen Quellen durch.
Anfang dieses Monats gab das #Landwirtschaftsministerium bekannt, dass ein zweiter H5N1-Stamm von Vögeln auf drei #Milchviehherden in #Nevada übergesprungen war. Dabei handelte es sich um den tödlicheren D1.1-Stamm, der Mutationen aufweist, die eine leichtere Ausbreitung des Virus bei Säugetieren ermöglichen könnten, im Gegensatz zum milderen B3.13-Stamm, der seit letztem Sommer Herden infiziert. Die Kühe in Nevada zeigten bei den Tests keine Symptome, aber die frühzeitige Erkennung durch das Milchuntersuchungsprogramm des #Landwirtschaftsministeriums von Nevada ermöglichte es den Beamten, die betroffenen Herden unter #Quarantäne zu stellen und so die Ausbreitung der #Infektion einzudämmen.
Da der gefährlichere D1.1-Stamm nun bei nordamerikanischen Zugvögeln vorherrscht, ist das, was in Nevada geschah – die zweite dokumentierte Übertragung von H5N1 von Vögeln auf Rinder – keine Überraschung. Es könnte jedoch sein, dass dieses Virus für Überraschungen sorgt, wenn die Tests bei nicht symptomatischen Menschen und Tieren weiterhin unzureichend sind, insbesondere da die Trump-Regierung die globale Zusammenarbeit der USA einschränkt und der #Datenfluss aus den USA und internationalen Organisationen, die Infektionen und die Entwicklung des Virus identifizieren, auf ein Rinnsal verlangsamt wird oder ganz zum Erliegen kommt.
Die CDC und die #Weltgesundheitsorganisation (WHO) sind maßgeblich daran beteiligt, die sich entwickelnde H5N1-Bedrohung im Auge zu behalten. Kein Teil der Welt ist vor zirkulierenden pandemischen Viren geschützt, und zu wissen, was sie sind und wo sie sich befinden, ist entscheidend für den Schutz der #Gesundheit der Amerikaner und der Menschen auf der ganzen Welt.
In der Vergangenheit haben die CDC und die WHO einen aktiven #Datenaustausch im Zusammenhang mit der globalen Krankheitsüberwachung betrieben. Die Kommunikation zwischen den Behörden erfolgte in Foren wie Beratungsgremien und Notfallteams. Ende Januar jedoch unterband die Trump-Regierung die Kommunikation zwischen CDC-Mitarbeitern und der WHO und zog Mitarbeiter ab, die in WHO-Büros arbeiteten. Die #Regierung ordnete außerdem die Einstellung der finanziellen Unterstützung der USA für die WHO an, wobei diese Anordnung eine einjährige Schonfrist vorsieht. Die Anordnung, die Kommunikation einzustellen, trat jedoch sofort in Kraft. Die Vereinigten Staaten sind nicht mehr Teil der globalen Diskussion darüber, wie auf eine wachsende und potenziell explosive Krankheitsbedrohung reagiert werden soll. Die #Amerikaner haben den verlässlichen Einblick in das Verhalten von H5N1 außerhalb der US-Grenzen verloren und werden möglicherweise die Chance verpassen, Schutzmaßnahmen zu ergreifen.
Natürlich ist das globale #Gesundheitssystem fehlerhaft. Die WHO und die CDC wurden für ihre Lücken und Verzögerungen bei der Vorsorge und Reaktion in den Tagen nach dem Auftreten von #COVID19 kritisiert. Die #WHO wurde beschuldigt, zu einem Werkzeug politischer Agenden zu werden, und dafür kritisiert, dass sie erst dann #Reisebeschränkungen erlassen hat, als die Pandemie bereits weltweit wütete. Währenddessen verzögerte bei der CDC ein fehlerhafter #COVID-Test, der frühzeitig veröffentlicht wurde, die genaue Meldung von Fällen. Das System muss repariert und nicht aufgegeben werden, insbesondere da die H5N1-Bedrohung weiter eskaliert.
Da die Zahl der mit dem #Virus infizierten #Vögel und #Säugetiere weiterhin explosionsartig ansteigt, ist das Auftreten eines übertragbaren pandemischen Stammes keine Frage des „ob“, sondern des „wann“. Um Michael Osterholm, den Direktor des Zentrums für #Infektionskrankheitenforschung und -politik an der Universität von #Minnesota, zu zitieren: „Die Pandemieuhr tickt. Wir wissen nur nicht, wie spät es ist.“
Quelle: Lucy Shapiro, 20. Februar 2025 in Bulletin of the Atomic Scientists: The bird flu outlook has only gotten worse
Übersetzung: Thomas Trueten [Nicht authorisiert]
-
Alaska has more people than previously thought
If you squint real hard, you can see one person waving in the distance.
(Photo by Taylor Murphy on Unsplash)
The Daily Isotope dispatched its intrepid team to Alaska to get to the bottom of the story. We talked to Lucy Gibbs, head of the state government’s department of statistics. Gibbs explains, “We first did a count the usual way, but we quickly realized that the number we obtained couldn’t have been right. So we figured that we probably missed counting some folks.”
Gibbs continues, “The first thing we did was to look behind all the fridges located in Alaska. Lo and behold! Folks were either hiding behind the fridges, or they had lost their way while going somewhere else and ended up there. It is not terribly surprising that people would get lost, given the fierce snowstorms we get here. We also found a few people who lost their way only to get stranded on glaciers.”
Gibbs again, “But we did not stop there, we also looked under the beds, and we found more folks hiding there. Then we checked the brothels, the illegal booze and gambling establishments, and places of the sort, and we found even more people. Some of them claimed to have lost their way in a snowstorm, but that seems dubious. Finally, we asked the governor to open his mouth, and found one last person hiding in there.”
The final count is 697 residents, up from 100. Unfortunately, the team sent by The Daily Isotope never made its way back. They are presumably lost in a snowstorm.
This satire was inspired by this article:
#Alaska #AutisticWriters #satire #statistics #TheDailyIsotope
-
Ghost stories have been with us for centuries, tapping into our innate curiosity about the unknown and the afterlife. They evoke a sense of thrill and suspense, allowing us to confront our fears in a safe environment. They hold a profound message that speaks to our sense of destiny – our destiny. These tales bring us themes of loss, love, and the unresolved, which resonate with our own experiences and emotions. I remember sitting around a campfire where ghost stories were told – some over and over again. Every family has a ghost, don’t they? For my family, it was a woman, in pilgrim dress, who came for a great-great uncle who died during the 1918 flu epidemic.
“Real love isn’t blind, it sees everything and has an endless capacity for forgiving.”
R.A. DICK, THE GHOST AND MRS. MUIR
My favourite ghost story: The Ghost and Mrs. Muir
Author: R.A. Dick (aka Josephine Aimee Campbell Leslie)
Genre: Gothic/Romance
My favourite ghost story is “The Ghost and Mrs. Muir”, a heartwarming novel that masterfully blends romance, humour, and the supernatural. Set in the picturesque seaside of early 20th-century England, R.A. Dick (the pen name of Josephine Aimee Campbell Leslie) introduces us to Lucy Muir, a young widow seeking independence and a fresh start after the death of her husband.
When Lucy moves into a quaint cottage that turns out to be haunted by Captain Daniel Gregg, the former owner, what begins as a tale of fright transforms into a strong partnership. Initially apprehensive of the ghost, Lucy soon finds him to be a kindred spirit who offers her companionship and guidance. Captain Gregg is portrayed as a roguish yet appealing figure, whose interactions with Lucy bring both emotional depth and delightful comedy to the narrative.
R. A. Dick’s writing elegantly captures the nuances of love, loss, and personal growth. The relationship between Lucy and Captain Gregg evolves, highlighting themes of destiny and the profound connections between souls, living or dead. Lucy’s journey toward self-discovery and empowerment resonates deeply with readers.
The novel achieved even greater recognition when it was adapted into the beloved 1947 film starring Rex Harrison and Gene Tierney. The film captured the spirit of the book, bringing the story of Lucy and Captain Gregg to life for a new audience.
One of the standout aspects of “The Ghost and Mrs. Muir” is its insightful commentary on love. As Lucy grapples with her new life, she learns that “Real love isn’t blind, it sees everything and has an endless capacity for forgiving.” This quote is the heart of the novel, reminding us that love transcends boundaries, whether they are earthly or ethereal.
“Because, as I have told you so many times, I have no words to make you understand,” said the captain. “It’s all the beauty and serenity and nobility you have ever experienced on earth. It’s all your grandest and most generous feelings, and the finest sunsets and greatest music, and then you’re only on the fringe of understanding.”
R.A. DICK, THE GHOST AND MRS. MUIR
https://rebeccasreadingroom.ca/2024/10/31/happy-halloween-with-the-ghost-and-mrs-muir/
#FictionSalon #GothicFiction #HappyHalloween #RADick #RomanceFiction #TheGhostAndMrsMuir
-
'Anything that can be built can be taken down': The largest dam removal in US history is complete – what happens next?
The #KlamathRiver is free of four huge dams for the first time in generations. But for the #Yurok tribe, the river's restoration is only just beginning – starting with 18 billion seeds.
by Lucy Sheriff, September 3, 2024
"'This is decades and decades in the making,' says Thompson. 'We were told it was never going to happen. That it was foolish to even ask for one removal. We were asking for four.'
"The #KlamathBasin covers more than 12,000 square miles (31,000 sq km) in southern Oregon and northern California, and was home to the JC Boyle, Copco 1, Copco 2 and Iron Gate dams, all owned by #PacifiCorp, an electric utilities company. The Klamath was once the third-largest salmon producing river on the US's West Coast before the construction of the dams blocked fish from accessing almost 400 miles (640km) of critical river habitat for almost 100 years.
"Fall #ChinookSalmon numbers plummeted by more than 90% and spring chinook by 98%. #SteelheadTrout, #CohoSalmon and #PacificLamprey numbers also saw drastic declines, and the Klamath tribes in the upper basin have been without their salmon fishery for a century, since the completion of #Copco 1 in 1922. The situation became so bad that Yurok tribe – who are known as the salmon people – began importing Alaskan salmon for their annual salmon festival, traditionally held to celebrate the first return of fall chinook salmon to the Klamath River.
"The dams also had a severe impact on #WaterTemperature and quality – growth of #ToxicAlgae behind two of the dams resulted in health warnings against water contact.
"'It was painful,' says Willard Carlson, a Yurok elder who is known as a #RiverWarrior and was part of the inter-generational campaign. 'All those years seeing our river damaged like that. I remember as a kid we'd have other people from nearby tribes making fun of our river. 'Oh, you're Yurok, your river is dirty.' For us, the #dams were a monument to the [#coloniser] people who conquered us."
[...]
"Restoring the land
"But something that does need a helping hand is the restoration of 2,200 acres (890ha) of land that is above ground for the first time in a century following the emptying of four reservoirs.
"'Removing the dams is one thing, restoring the land is quite another,' says Thompson, a civil engineer and part of the crew working on the restoration project – which is being managed by Resource Environmental Solutions, an ecological restoration company."
#KarukTribe #YurokTribe #KlamathRiverRenewal #RestoreNature #Decolonize #WaterIsLife #NativeAmericans
-
The FreeBSD-native-ish home lab and network
For many years my setup was pretty simple: A FreeBSD home server running on my old laptop. It runs everything I need to be present on the internet, an email server, a web server (like the one you’ve accessed right now to see this blog post) and a public chat server (XMPP/Jabber) so I can be in touch with friends.
For my home network, I had a basic Access Point and a basic Router.
Lately, my setup has become more… intense. I have IPv6 thanks to Hurricane Electric, which is also routed on to my home network (which we’ll talk about in a bit), and the home network has multiple VLANs, since friends who come over also need WiFi.
I decided to blog about the details, hoping it would help someone in the future.
I’ll start with the simplest one.
The Home Server
I’ve been running home servers for a long time. I believe that every person/family needs a home server. Forget about buying your kids iPads and Smartphones. Their first devices should be a real computer (sorry Apple, iOS devices are still just a toy) like a desktop/laptop and a home server. The home server doesn’t need to be on the public internet, but mine is, for a variety of reasons. This blog being one of them.
I get a static IP address from my ISP, Ucom. After the management change that happened a couple of years ago, Ucom has become a very typical ISP (think shitty), but they are the only ones that hand you a static IP address directly, instead of putting it on your router, where you then have to do port forwarding.
My home server, hostnamed pingvinashen (meaning the town of the penguins, named after the Armenian cartoon), runs FreeBSD. Historically this machine has run Debian, Funtoo, Gentoo and finally FreeBSD.
Hardware wise, here’s what it is:
root@pingvinashen:~ # dmidecode -s system-product-name
Latitude E5470
root@pingvinashen:~ # sysctl hw.model
hw.model: Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz
root@pingvinashen:~ # sysctl hw.physmem
hw.physmem: 17016950784
root@pingvinashen:~ # zpool list
NAME    SIZE  ALLOC   FREE  CKPOINT  EXPANDSZ   FRAG    CAP  DEDUP  HEALTH  ALTROOT
zroot   420G   178G   242G        -         -    64%    42%  1.00x  ONLINE  -
While most homelabbers use hardware virtualization, I think that resources are a tight thing, and should be managed properly. Any company that markets itself as “green/eco-friendly” and uses hardware virtualization should do calculations using a pen and paper and prove if going native would save power/resources or not. (sometimes it doesn’t, usually it does)
I use containers, the old-school ones, Jails to be more specific.
I manage jails using Jailer, my own tool, that tries to stay out of your way when working with Jails.
Here are my current jails:
root@pingvinashen:~ # jailer list
NAME        STATE    JID  HOSTNAME               IPv4               GW
antranig    Active   1    antranig.bsd.am        192.168.10.42/24   192.168.10.1
antranigv   Active   2    antranigv.bsd.am       192.168.10.52/24   192.168.10.1
git         Stopped
huginn0     Active   4    huginn0.bsd.am         192.168.10.34/24   192.168.10.1
ifconfig    Active   5    ifconfig.bsd.am        192.168.10.33/24   192.168.10.1
lucy        Active   6    lucy.vartanian.am      192.168.10.37/24   192.168.10.1
mysql       Active   7    mysql.antranigv.am     192.168.10.50/24   192.168.10.1
newsletter  Active   8    newsletter.bsd.am      192.168.10.65/24   192.168.10.1
oragir      Active   9    oragir.am              192.168.10.30/24   192.168.10.1
psql        Active   10   psql.pingvinashen.am   192.168.10.3/24    192.168.10.1
rss         Active   11   rss.bsd.am             192.168.10.5/24    192.168.10.1
sarian      Active   12   sarian.am              192.168.10.53/24   192.168.10.1
syuneci     Active   13   syuneci.am             192.168.10.60/24   192.168.10.1
znc         Active   14   znc.bsd.am             192.168.10.152/24  192.168.10.1
You already get a basic idea of how things are. Each of my blogs (Armenian and English) has its own Jail. Since I’m using WordPress, I need a database, so I have a MySQL jail (which ironically runs MariaDB).
I also have a Git server, running gitea, which is down at the moment as I’m doing maintenance. The Git server (and many other services) requires PostgreSQL, hence the existence of a PostgreSQL jail. I run huginn for automation (RSS to Telegram, RSS to XMPP). My sister has her own blog, using WordPress, so that’s a Jail of its own. Same goes for my fiancée.
Other Jails are Newsletter using Listmonk, Sarian (the Armenian instance of lobste.rs) and a personal ZNC server.
As an avid RSS advocate, I also have an RSS Jail, which runs Miniflux. Many of my friends use this service.
Oragir is an instance of WriteFreely, as I advocate public blogging and ActivityPub. Our community uses that too.
The web server that forwards all this traffic from the public to the Jails is nginx. All it does is proxy_pass as needed. It runs on the host.
Other services that run on the host are DNS (BIND9), an email service running OpenSMTPd (which will be moved to a Jail soon), the chat service running prosody (which will be moved to a Jail soon) and finally, WireGuard, because I love VPNs. Finally, there’s an IPv6-over-IPv4 tunnel that I use to obtain IPv6 thanks to Hurricane Electric.
Yes, I have a firewall, I use pf(4).
For the techies in the room, here’s what my rc.conf looks like.
# cat /etc/rc.conf
# Defaults
clear_tmp_enable="YES"
syslogd_flags="-ss"
sendmail_enable="NONE"
#local_unbound_enable="YES"
sshd_enable="YES"
moused_enable="YES"
ntpd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
zfs_enable="YES"
hostname="pingvinashen.am"

# Networking
defaultrouter="37.157.221.1"
gateway_enable="YES"
ifconfig_em0="up"
vlans_em0="37 1000" # 1000 -> WAN; 37 -> Home Router
ifconfig_em0_1000="inet 37.157.221.130 netmask 255.255.255.0"
ifconfig_em0_37="inet 192.168.255.2 netmask 255.255.255.0"
static_routes="home"
route_home="-net 172.16.100.0/24 -gateway 192.168.255.1"
cloned_interfaces="bridge0 bridge6 bridge10"
ifconfig_bridge10="inet 192.168.10.1 netmask 255.255.255.0"

## IPv6
ipv6_gateway_enable="YES"
gif_interfaces="gif0"
gifconfig_gif0="37.157.221.130 216.66.84.46"
ifconfig_gif0="inet6 2001:470:1f14:ef::2 2001:470:1f14:ef::1 prefixlen 128"
ipv6_defaultrouter="2001:470:1f14:ef::1"
ifconfig_em0_37_ipv6="inet6 2001:470:7914:7065::2 prefixlen 64"
ipv6_static_routes="home guest"
ipv6_route_home="-net 2001:470:7914:6a76::/64 -gateway 2001:470:7914:7065::1"
ipv6_route_guest="-net 2001:470:7914:6969::/64 -gateway 2001:470:7914:7065::1"
ifconfig_bridge6_ipv6="inet6 2001:470:1f15:e4::1 prefixlen 64"
ifconfig_bridge6_aliases="inet6 2001:470:1f15:e4::25 prefixlen 64 \
inet6 2001:470:1f15:e4::80 prefixlen 64 \
inet6 2001:470:1f15:e4::5222 prefixlen 64 \
inet6 2001:470:1f15:e4:c0fe::53 prefixlen 64 \
"

# VPN
wireguard_enable="YES"
wireguard_interfaces="wg0"

# Firewall
pf_enable="YES"

# Jails
jail_enable="YES"
jailer_dir="zfs:zroot/jails"

# DNS
named_enable="YES"

# Mail
smtpd_enable="YES"
smtpd_config="/usr/local/etc/smtpd.conf"

# XMPP
prosody_enable="YES"
turnserver_enable="YES"

# Web
nginx_enable="YES"
tor_enable="YES"
The gif0 interface is an IPv6-over-IPv4 tunnel. I have static routes to my home network, so I don’t go to my server over the ISP every time. This also gives me the ability to get IPv6 in my home network that is routed via my home server.
As you have guessed from this config file, I do have VLANs set up. So let’s get into that.
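The post says pf(4) is in use but does not show the ruleset. The following is an added example of what a pf.conf for this host could look like; it is not the author's ruleset. Interface names, addresses and jail IPs are taken from the rc.conf and jailer output above. Everything else is my assumption: which ports are public, the WireGuard listen port (51820), that the jails are vnet jails on epair interfaces bridged into bridge10 and use the host for DNS and outbound mail, and the policy that a jail must never be able to reach the home network behind route_home. The point it demonstrates is that nothing is forwarded to a jail (the only path to a WordPress jail from outside is nginx's proxy_pass) and that a compromised jail cannot follow the static route into the home LAN.

```pf
# /etc/pf.conf on pingvinashen: jail NAT, host service exposure, jail egress.
# Added example, not the author's ruleset; see the assumptions in the lead-in.
wan    = "em0.1000"
home   = "em0.37"      # link to evn0; route_home sends 172.16.100.0/24 this way
tun6   = "gif0"        # Hurricane Electric IPv6-over-IPv4 tunnel
jails  = "bridge10"    # 192.168.10.0/24, the jails' default gateway is the host
vpn    = "wg0"
wan_ip = "37.157.221.130"
he_pop = "216.66.84.46"

# Everything behind evn0 that a compromised jail must not be able to reach
table <home_nets> const { 192.168.255.0/24, 172.16.100.0/24, 2001:470:7914:7065::/64, 2001:470:7914:6a76::/64, 2001:470:7914:6969::/64 }

set skip on lo0
# Assumption: vnet jails on epair members of bridge10. Jail-to-jail traffic
# (web jail -> mysql jail) is bridged, not routed; skipping the members keeps
# it out of this ruleset and makes bridge10 the single enforcement point.
# Verify net.link.bridge.pfil_member / pfil_bridge on your host before relying on this.
set skip on epair
set block-policy drop
scrub in all fragment reassemble

# Jails have private IPv4 addresses: NAT them behind the public address on the way out
nat on $wan inet from $jails:network to any -> $wan_ip

block log all
antispoof log quick for { $wan $home $jails }

# The host and the daemons on it (nginx, named, smtpd, prosody) may send anywhere
pass out quick all

# The tunnel: only protocol 41 from the HE endpoint; the IPv6 inside then arrives on gif0
pass in quick on $wan inet proto 41 from $he_pop to $wan_ip

# Public services, all terminated on the host. There is deliberately no rdr to a
# jail: HTTP reaches a jail only through nginx's proxy_pass.
pass in on { $wan $tun6 } proto tcp to self port { 25 80 443 5222 5269 }
pass in on { $wan $tun6 } proto { tcp udp } to self port { 53 3478 }
pass in on $wan inet proto udp to $wan_ip port 51820      # WireGuard port: assumption
pass in on { $wan $tun6 } inet6 proto ipv6-icmp
pass in on $wan inet proto icmp icmp-type echoreq

# SSH only over the home link or the VPN, never from the ISP side
pass in on { $home $vpn } proto tcp to self port 22

# Home network: any service on the host, plus IPv6 transit to the internet
# (evn0's IPv6 default route points at this host)
pass in on $home from <home_nets> to self
pass in on $home inet6 from <home_nets> to any

# Jails: resolver and mail relay on the host, then the internet, and nothing
# else on the host or behind it. The quick blocks win over the catch-all pass.
pass in quick on $jails proto { tcp udp } from $jails:network to self port { 25 53 }
block return in log quick on $jails to self
block return in log quick on $jails to <home_nets>
pass in on $jails from $jails:network to any
```

Check the syntax with `pfctl -nf /etc/pf.conf` before `service pf reload`, and watch `tcpdump -n -e -ttt -i pflog0` while loading a jail's site: the only logged drops should be a jail trying to reach the host or the home networks, never legitimate proxy_pass traffic.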
The Home Network
First of all, here’s a very cheap diagram
I have the following VLANs setup on the switch.
VLAN ID   Purpose
1         Switch Management
1000      pingvinashen (home server) WAN
1001      evn0 (home router) WAN
37        pingvinashen ↔ evn0
42        Internal Management
100       Home LAN
69        Home Guest

Here are the active ports:

Port   VLANs                               Purpose
24     untagged: 1                         Switch management, connects to Port 2
22     untagged: 1000                      pingvinashen WAN, from ISP
21     untagged: 1001                      Home WAN, from ISP
20     tagged: 1000, 37                    To pingvinashen, port em0
19     untagged: 1001                      To home router, port igb1
18     tagged: 42, 100, 69, 99             To home router, port igb2
17     untagged: 37                        To home router, port igb0
16     tagged: 42, 100, 69                 To Lenovo T480s
15     untagged: 100                       To Raspberry Pi 4
2      untagged: 99                        From Port 24, for switch management
1      untagged: 42; tagged: 100, 69; PoE  To UAP AC Pro

The home router, hostnamed evn0 (named after the IATA code of Yerevan’s Zvartnots International Airport), runs FreeBSD as well. The hardware is the following:

root@evn0:~ # dmidecode -s system-product-name
APU2
root@evn0:~ # sysctl hw.model
hw.model: AMD GX-412TC SOC
root@evn0:~ # sysctl hw.physmem
hw.physmem: 4234399744
root@evn0:~ # zpool list
NAME    SIZE  ALLOC   FREE  CKPOINT  EXPANDSZ   FRAG    CAP  DEDUP  HEALTH  ALTROOT
zroot  12.5G  9.47G  3.03G        -         -    67%    75%  1.00x  ONLINE  -
The home router does… well, routing. It also does DHCP, DNS, SLAAC, and can act as a syslog server.
Here’s what the rc.conf looks like:

clear_tmp_enable="YES"
sendmail_enable="NONE"
syslogd_flags="-a '172.16.100.0/24:*' -H"
zfs_enable="YES"
dumpdev="AUTO"
hostname="evn0.illuriasecurity.com"
pf_enable="YES"
gateway_enable="YES"
ipv6_gateway_enable="YES"
sshd_enable="YES"

# Get an IP address from the ISP's GPON
ifconfig_igb1="DHCP"

# Internal routes with pingvinashen
ifconfig_igb0="inet 192.168.255.1 netmask 255.255.255.0"
ifconfig_igb0_ipv6="inet6 2001:470:7914:7065::1 prefixlen 64"
static_routes="pingvinashen"
route_pingvinashen="-net 37.157.221.130/32 -gateway 192.168.255.2"
ipv6_defaultrouter="2001:470:7914:7065::2"

# Home Mgmt, Switch Mgmt, Home LAN, Home Guest
ifconfig_igb2="up"
vlans_igb2="42 99 100 69"
ifconfig_igb2_42="inet 172.31.42.1 netmask 255.255.255.0"
ifconfig_igb2_99="inet 172.16.99.1 netmask 255.255.255.0"
ifconfig_igb2_100="inet 172.16.100.1 netmask 255.255.255.0"
ifconfig_igb2_100_ipv6="inet6 2001:470:7914:6a76::1 prefixlen 64"
ifconfig_igb2_69="inet 192.168.69.1 netmask 255.255.255.0"
ifconfig_igb2_69_ipv6="inet6 2001:470:7914:6969::1 prefixlen 64"

# DNS and DHCP
named_enable="YES"
dhcpd_enable="YES"
named_flags=""

# NTP
ntpd_enable="YES"

# Router Advertisement and LLDP
rtadvd_enable="YES"
lldpd_enable="YES"
lldpd_flags=""
Here’s pf.conf, because security is important:

ext_if="igb1"
bsd_if="igb0"
int_if="igb2.100"
guest_if="igb2.69"
mgmt_if="igb2.42"
sw_if="igb2.99"
ill_net="172.16.0.0/16"

nat pass on $ext_if from $int_if:network to any -> ($ext_if)
nat pass on $ext_if from $mgmt_if:network to any -> ($ext_if)
nat pass on $ext_if from $guest_if:network to any -> ($ext_if)

set skip on { lo0 }

block in all

pass on $int_if from $int_if:network to any
pass on $mgmt_if from $mgmt_if:network to any
pass on $sw_if from $sw_if:network to any
pass on $guest_if from $guest_if:network to any

block quick on $guest_if from any to { $int_if:network, $mgmt_if:network, $ill_net, $sw_if:network }

pass in on illuria0 from $ill_net to { $ill_net, $mgmt_if:network }

pass inet proto icmp
pass inet6 proto icmp6

pass out all keep state

I’m sure there are places to improve, but it gets the job done and keeps the guest network isolated.
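To see what the guest-isolation rules above actually decide, here is an added Python model of pf's last-match-wins evaluation (example code, not the author's); it uses the page's interface macros and subnets and feeds in constructed sample packets, including a spoofed source on the guest VLAN, which the "from any" in the quick block rule also catches. It assumes inbound packets only and leaves out NAT, state tracking, ICMP and the illuria0 rule; the sample host addresses are made up within the page's subnets.

```python
"""Model of how pf evaluates the guest-isolation rules from the router's pf.conf.

Added example (not the author's code). It implements only the subset of pf
semantics the ruleset relies on: rules are checked top to bottom, the LAST
matching rule decides, unless a matching rule carries 'quick', which stops
evaluation at once. Only inbound packets are modelled; the NAT, 'set skip',
ICMP, 'illuria0' and 'pass out' lines are left out, as is state tracking.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, Optional, Tuple

# Interface macros from the pf.conf on the page.
INT_IF, GUEST_IF, MGMT_IF, SW_IF = "igb2.100", "igb2.69", "igb2.42", "igb2.99"

# What pf expands "$if:network" to, taken from the router's rc.conf.
NET: Dict[str, IPv4Network] = {
    INT_IF: ip_network("172.16.100.0/24"),
    GUEST_IF: ip_network("192.168.69.0/24"),
    MGMT_IF: ip_network("172.31.42.0/24"),
    SW_IF: ip_network("172.16.99.0/24"),
}
ILL_NET = ip_network("172.16.0.0/16")
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                     # "pass" or "block"
    iface: Optional[str]            # None matches any interface ("block in all")
    src: IPv4Network
    dsts: Tuple[IPv4Network, ...]   # matches if the destination is in any of these
    quick: bool = False


# The filtering rules from the page, in pf.conf order.
RULES = (
    Rule("block", None, ANY, (ANY,)),                         # block in all
    Rule("pass", INT_IF, NET[INT_IF], (ANY,)),
    Rule("pass", MGMT_IF, NET[MGMT_IF], (ANY,)),
    Rule("pass", SW_IF, NET[SW_IF], (ANY,)),
    Rule("pass", GUEST_IF, NET[GUEST_IF], (ANY,)),
    Rule("block", GUEST_IF, ANY,                              # block quick on $guest_if
         (NET[INT_IF], NET[MGMT_IF], ILL_NET, NET[SW_IF]), quick=True),
)


def evaluate(iface: str, src: str, dst: str, rules=RULES) -> str:
    """Return pf's verdict ("pass" or "block") for a packet arriving on iface."""
    s, d = ip_address(src), ip_address(dst)
    verdict = "block"  # pf's implicit default when no rule matches
    for r in rules:
        if r.iface is not None and r.iface != iface:
            continue
        if s not in r.src or not any(d in n for n in r.dsts):
            continue
        verdict = r.action   # last match wins ...
        if r.quick:
            break            # ... unless the match is 'quick'
    return verdict


def isolation_report() -> Dict[str, str]:
    """Verdicts for constructed sample packets (host addresses are made up)."""
    cases = {
        "guest -> internet": (GUEST_IF, "192.168.69.120", "1.1.1.1"),
        "guest -> home LAN": (GUEST_IF, "192.168.69.120", "172.16.100.7"),
        "guest -> mgmt (unifi0)": (GUEST_IF, "192.168.69.120", "172.31.42.42"),
        "guest -> switch mgmt": (GUEST_IF, "192.168.69.120", "172.16.99.1"),
        "LAN -> guest": (INT_IF, "172.16.100.7", "192.168.69.120"),
        # Spoofed source on the guest port: the pass rule needs a guest-net
        # source, and the quick block says 'from any', so both stay blocked.
        "spoofed LAN src on guest -> LAN": (GUEST_IF, "172.16.100.5", "172.16.100.7"),
        "spoofed LAN src on guest -> internet": (GUEST_IF, "172.16.100.5", "1.1.1.1"),
    }
    return {name: evaluate(*pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, verdict in isolation_report().items():
        print(f"{name:40} {verdict}")
```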
Here’s rtadvd.conf, for my IPv6 folks:

igb2.100:\
	:addr="2001:470:7914:6a76::":prefixlen#64:\
	:rdnss="2001:470:7914:6a76::1":\
	:dnssl="evn0.loc.illuriasecurity.com,loc.illuriasecurity.com":

igb2.69:\
	:addr="2001:470:7914:6969::":prefixlen#64:\
	:rdnss="2001:470:7914:6969::1":
For DNS, I’m running BIND; here are the important parts:

listen-on { 127.0.0.1; 172.16.100.1; 172.16.99.1; 172.31.42.1; 192.168.69.1; };
listen-on-v6 { 2001:470:7914:6a76::1; 2001:470:7914:6969::1; };
allow-query { 127.0.0.1; 172.16.100.0/24; 172.31.42.0/24; 192.168.69.0/24; 2001:470:7914:6a76::/64; 2001:470:7914:6969::/64; };

And for DHCP, here’s what it looks like:

subnet 172.16.100.0 netmask 255.255.255.0 {
  range 172.16.100.100 172.16.100.150;
  option domain-name-servers 172.16.100.1;
  option subnet-mask 255.255.255.0;
  option routers 172.16.100.1;
  option domain-name "evn0.loc.illuriasecurity.com";
  option domain-search "loc.illuriasecurity.com evn0.loc.illuriasecurity.com";
}

host zvartnots {
  hardware ethernet d4:57:63:f1:5a:36;
  fixed-address 172.16.100.7;
}

host unifi0 {
  hardware ethernet 58:9c:fc:93:d1:0b;
  fixed-address 172.31.42.42;
}

[…]

subnet 172.31.42.0 netmask 255.255.255.0 {
  range 172.31.42.100 172.31.42.150;
  option domain-name-servers 172.31.42.1;
  option subnet-mask 255.255.255.0;
  option routers 172.31.42.1;
}

subnet 192.168.69.0 netmask 255.255.255.0 {
  range 192.168.69.100 192.168.69.150;
  option domain-name-servers 192.168.69.1;
  option subnet-mask 255.255.255.0;
  option routers 192.168.69.1;
}

So you’re wondering, what’s this unifi0? Well, that brings us to

T480s
This laptop has been gifted to me by [REDACTED] for my contributions to the Armenian government (which means when a server goes down and no one knows how to fix it, they called me and I showed up)
Here’s the hardware:

root@t480s:~ # dmidecode -s system-version
ThinkPad T480s
root@t480s:~ # sysctl hw.model
hw.model: Intel(R) Core(TM) i5-8350U CPU @ 1.70GHz
root@t480s:~ # sysctl hw.physmem
hw.physmem: 25602347008
root@t480s:~ # zpool list
NAME    SIZE  ALLOC   FREE  CKPOINT  EXPANDSZ   FRAG    CAP  DEDUP  HEALTH  ALTROOT
zroot   224G   109G   115G        -         -    44%    48%  1.00x  ONLINE  -
The T480s has access to VLANs 100, 42 and 69, but the host itself has an address only on VLAN 100 (LAN), while the jails can exist on the other VLANs.

So I have a Jail named unifi0 that runs the Unifi Management thingie.

Here’s what the rc.conf of the host looks like:

clear_tmp_enable="YES"
syslogd_flags="-ss"
sendmail_enable="NONE"
sshd_enable="YES"
ntpd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
zfs_enable="YES"
hostname="t480s.evn0.loc.illuriasecurity.com"

ifconfig_em0="up -rxcsum -txcsum"
vlans_em0="100 42 69"
ifconfig_em0_100="up"
ifconfig_em0_42="up"
ifconfig_em0_69="up"

cloned_interfaces="bridge0 bridge100 bridge42 bridge69"
create_args_bridge100="ether 8c:16:45:82:b4:10"
ifconfig_bridge100="addm em0.100 SYNCDHCP"
ifconfig_bridge100_ipv6="inet6 auto_linklocal"
rtsold_flags="-i -F -m bridge100"
rtsold_enable="YES"
create_args_bridge42=" ether 8c:16:45:82:b4:42"
create_args_bridge69=" ether 8c:16:45:82:b4:69"
ifconfig_bridge42="addm em0.42"
ifconfig_bridge69="addm em0.69"

jail_enable="YES"
jailer_dir="zfs:zroot/jailer"
ifconfig_bridge0="inet 10.1.0.1/24 up"
ngbuddy_enable="YES"
ngbuddy_private_if="nghost0"
dhcpd_enable="YES"
lldpd_enable="YES"
I used Jailer to create the unifi0 jail; here’s what the jail.conf looks like:

# vim: set syntax=sh:
exec.clean;
allow.raw_sockets;
mount.devfs;

unifi0 {
  $id = "6";
  devfs_ruleset = 10;
  $bridge = "bridge42";
  $domain = "evn0.loc.illuriasecurity.com";
  vnet;
  vnet.interface = "epair${id}b";
  exec.prestart = "ifconfig epair${id} create up";
  exec.prestart += "ifconfig epair${id}a up descr vnet-${name}";
  exec.prestart += "ifconfig ${bridge} addm epair${id}a up";
  exec.start = "/sbin/ifconfig lo0 127.0.0.1 up";
  exec.start += "/bin/sh /etc/rc";
  exec.stop = "/bin/sh /etc/rc.shutdown jail";
  exec.poststop = "ifconfig ${bridge} deletem epair${id}a";
  exec.poststop += "ifconfig epair${id}a destroy";
  host.hostname = "${name}.${domain}";
  path = "/usr/local/jailer/unifi0";
  exec.consolelog = "/var/log/jail/${name}.log";
  persist;
  mount.fdescfs;
  mount.procfs;
}

Here are the important parts inside the jail:

root@t480s:~ # cat /usr/local/jailer/unifi0/etc/rc.conf
ifconfig_epair6b="SYNCDHCP"
sendmail_enable="NONE"
syslogd_flags="-ss"
mongod_enable="YES"
unifi_enable="YES"
root@t480s:~ # cat /usr/local/jailer/unifi0/etc/start_if.epair6b
ifconfig epair6b ether 58:9c:fc:93:d1:0b
Don’t you love it that you can see what’s inside the jail from the host? God I love FreeBSD!
Did I miss anything? I hope not.
Oh, for the homelabbers out there, the T480s is the one that runs things like Jellyfin if needed.
Finally, the tiny
Raspberry Pi 4, Model B
I found this in a closet, so I decided to run it for Time Machine.
I guess all you care about is rc.conf:

hostname="tm0.evn0.loc.illuriasecurity.com"
ifconfig_DEFAULT="DHCP inet6 accept_rtadv"
sshd_enable="YES"
sendmail_enable="NONE"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
growfs_enable="YES"
powerd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
zfs_enable="YES"
rtsold_enable="YES"
samba_server_enable="YES"
And the Samba configuration:

[global]
# Network settings
workgroup = WORKGROUP
server string = Samba Server %v
netbios name = RPi4

# Logging
log file = /var/log/samba4/log.%m
max log size = 50
log level = 0

# Authentication
security = user
encrypt passwords = yes
passdb backend = tdbsam
map to guest = Bad User
min protocol = SMB2
max protocol = SMB3

# Apple Time Machine settings
vfs objects = catia fruit streams_xattr
fruit:metadata = stream
fruit:resource = stream
fruit:encoding = native
fruit:locking = none
fruit:time machine = yes

# File System support
ea support = yes
kernel oplocks = no
kernel share modes = no
posix locking = no
mangled names = no
smbd max xattr size = 2097152

# Performance tuning
read raw = yes
write raw = yes
getwd cache = yes
strict locking = no

# Miscellaneous
local master = no
preferred master = no
domain master = no
wins support = no

[tm]
comment = Time Machine RPi4
path = /usr/local/timemachine/%U
browseable = yes
read only = no
valid users = antranigv
vfs objects = catia fruit streams_xattr
fruit:time machine = yes
fruit:advertise_fullsync = true
fruit:time machine max size = 800G # Adjust the size according to your needs
create mask = 0600
directory mask = 0700
That’s pretty much it.
Conclusion
I love running homebrew servers, home networks and home labs. I love that (almost) everything is FreeBSD. The switch itself runs Linux, and the Unifi Access Point also runs Linux, both of which I’m pretty happy with.
While most homelabbers used ESXi in the past, I’m happy to see that most people are moving to open source solutions like Proxmox and Xen, but I think that FreeBSD Jails and bhyve are much better. I still don’t have a need for bhyve at the moment, but I would use it if I needed hardware virtualization.
Most homelabbers would consider the lack of Web/GUI interfaces as a con, but I think that it’s a pro. If I need to “replicate” this network, all I need to do is to copy some text files and modify some IP addresses / Interface names.
I hope this was informative and that it will be useful for someone in the future.
That’s all folks…
https://antranigv.am/posts/2024/06/freebsd-server-network-homelab/
#Containers #Dell #DellLatitudeE5470 #FreeBSD #homeServer #HowTo #Jailer #Jails #macOS #Networking #pf #Samba #Unifi #Unix #VNET
The
gif0interface is a IPv6-over-IPv4 tunnel. I have static routes to my home network, so I don’t go to my server over the ISP every time. This also gives me the ability to get IPv6 in my home network that is routed via my home server.As you have guessed from this config file, I do have VLANs setup. So let’s get into that.
The Home Network
First of all, here’s a very cheap diagram
I have the following VLANs setup on the switch.
VLAN IDPurpose1Switch Management1000pingvinashen (home server) WAN1001evn0 (home router) WAN37pingvinashen ↔ evn042Internal Management100Home LAN69Home GuestHere are the active ports
PortVLANsPurpose24untagged: 1Switch management, connects to Port 222untagged: 1000pingvinashen WAN, from ISP21untagged: 1001Home WAN, from ISP20tagged: 1000, 37To pingvinashen, portem019untagged: 1001To home router, portigb118tagged: 42, 100, 69, 99To home router, portigb217untagged: 37To home router, portigb016tagged: 42, 100, 69To Lenovo T480s15untagged: 100To Raspberri Pi 42untagged: 99From Port 24, for switch management1untagged: 42; tagged: 100, 69; PoETo UAP AC ProThe home router, hostnamed
evn0(named after the IATA code of Yerevan’s Zvartnots International Airport) runs FreeBSD as well, the hardware is the followingroot@evn0:~ # dmidecode -s system-product-nameAPU2root@evn0:~ # sysctl hw.modelhw.model: AMD GX-412TC SOC root@evn0:~ # sysctl hw.physmemhw.physmem: 4234399744root@evn0:~ # zpool listNAME SIZE ALLOC FREE CKPOINT EXPANDSZ FRAG CAP DEDUP HEALTH ALTROOTzroot 12.5G 9.47G 3.03G - - 67% 75% 1.00x ONLINE -
The home router does… well, routing. It also does DHCP, DNS, SLAAC, and can act as a syslog server.
Here’s what the
rc.conflooks likeclear_tmp_enable="YES"sendmail_enable="NONE"syslogd_flags="-a '172.16.100.0/24:*' -H"zfs_enable="YES"dumpdev="AUTO"hostname="evn0.illuriasecurity.com"pf_enable="YES"gateway_enable="YES"ipv6_gateway_enable="YES"sshd_enable="YES"# Get an IP address from the ISP's GPONifconfig_igb1="DHCP"# Internal routes with pingvinashenifconfig_igb0="inet 192.168.255.1 netmask 255.255.255.0"ifconfig_igb0_ipv6="inet6 2001:470:7914:7065::1 prefixlen 64"static_routes="pingvinashen"route_pingvinashen="-net 37.157.221.130/32 -gateway 192.168.255.2"ipv6_defaultrouter="2001:470:7914:7065::2"# Home Mgmt, Switch Mgmt, Home LAN, Home Guestifconfig_igb2="up"vlans_igb2="42 99 100 69"ifconfig_igb2_42="inet 172.31.42.1 netmask 255.255.255.0"ifconfig_igb2_99="inet 172.16.99.1 netmask 255.255.255.0"ifconfig_igb2_100="inet 172.16.100.1 netmask 255.255.255.0"ifconfig_igb2_100_ipv6="inet6 2001:470:7914:6a76::1 prefixlen 64"ifconfig_igb2_69="inet 192.168.69.1 netmask 255.255.255.0"ifconfig_igb2_69_ipv6="inet6 2001:470:7914:6969::1 prefixlen 64"# DNS and DHCPnamed_enable="YES"dhcpd_enable="YES"named_flags=""# NTPntpd_enable="YES"# Router Advertisement and LLDPrtadvd_enable="YES"lldpd_enable="YES"lldpd_flags=""
Here’s
pf.conf, because security is important.ext_if="igb1"bsd_if="igb0"int_if="igb2.100"guest_if="igb2.69"mgmt_if="igb2.42"sw_if="igb2.99"ill_net="172.16.0.0/16"nat pass on $ext_if from $int_if:network to any -> ($ext_if)nat pass on $ext_if from $mgmt_if:network to any -> ($ext_if)nat pass on $ext_if from $guest_if:network to any -> ($ext_if)set skip on { lo0 }block in allpass on $int_if from $int_if:network to anypass on $mgmt_if from $mgmt_if:network to anypass on $sw_if from $sw_if:network to anypass on $guest_if from $guest_if:network to anyblock quick on $guest_if from any to { $int_if:network, $mgmt_if:network, $ill_net, $sw_if:network }pass in on illuria0 from $ill_net to { $ill_net, $mgmt_if:network }pass inet proto icmppass inet6 proto icmp6pass out all keep stateI’m sure there are places to improve, but it gets the job done and keeps the guest network isolated.
Here’s
rtadvd.conf, for my IPv6 folksigb2.100:\ :addr="2001:470:7914:6a76::":prefixlen#64:\ :rdnss="2001:470:7914:6a76::1":\ :dnssl="evn0.loc.illuriasecurity.com,loc.illuriasecurity.com":igb2.69:\ :addr="2001:470:7914:6969::":prefixlen#64:\ :rdnss="2001:470:7914:6969::1":
For DNS, I’m running BIND, here’s the important parts
listen-on { 127.0.0.1; 172.16.100.1; 172.16.99.1; 172.31.42.1; 192.168.69.1; };listen-on-v6 { 2001:470:7914:6a76::1; 2001:470:7914:6969::1; };allow-query { 127.0.0.1; 172.16.100.0/24; 172.31.42.0/24; 192.168.69.0/24; 2001:470:7914:6a76::/64; 2001:470:7914:6969::/64;};And for DHCP, here’s what it looks like
subnet 172.16.100.0 netmask 255.255.255.0 { range 172.16.100.100 172.16.100.150; option domain-name-servers 172.16.100.1; option subnet-mask 255.255.255.0; option routers 172.16.100.1; option domain-name "evn0.loc.illuriasecurity.com"; option domain-search "loc.illuriasecurity.com evn0.loc.illuriasecurity.com";}host zvartnots { hardware ethernet d4:57:63:f1:5a:36; fixed-address 172.16.100.7;}host unifi0 { hardware ethernet 58:9c:fc:93:d1:0b; fixed-address 172.31.42.42;}
[…]subnet 172.31.42.0 netmask 255.255.255.0 { range 172.31.42.100 172.31.42.150; option domain-name-servers 172.31.42.1; option subnet-mask 255.255.255.0; option routers 172.31.42.1;}subnet 192.168.69.0 netmask 255.255.255.0 { range 192.168.69.100 192.168.69.150; option domain-name-servers 192.168.69.1; option subnet-mask 255.255.255.0; option routers 192.168.69.1;}So you’re wondering, what’s this
unifi0? Well, that brings us toT480s
This laptop has been gifted to me by [REDACTED] for my contributions to the Armenian government (which means when a server goes down and no one knows how to fix it, they called me and I showed up)
Here’s the hardware
root@t480s:~ # dmidecode -s system-versionThinkPad T480sroot@t480s:~ # sysctl hw.modelhw.model: Intel(R) Core(TM) i5-8350U CPU @ 1.70GHzroot@t480s:~ # sysctl hw.physmemhw.physmem: 25602347008root@t480s:~ # zpool listNAME SIZE ALLOC FREE CKPOINT EXPANDSZ FRAG CAP DEDUP HEALTH ALTROOTzroot 224G 109G 115G - - 44% 48% 1.00x ONLINE -
The T480s has access to VLAN 100, 42, 69, but the host itself has access only to VLAN 100 (LAN), while the jails can exist on other VLANs.
So I have a Jail named
unifi0that runs the Unifi Management thingie.Here’s what
rc.confof the host looks likeclear_tmp_enable="YES"syslogd_flags="-ss"sendmail_enable="NONE"sshd_enable="YES"ntpd_enable="YES"# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disabledumpdev="AUTO"zfs_enable="YES"hostname="t480s.evn0.loc.illuriasecurity.com"ifconfig_em0="up -rxcsum -txcsum"vlans_em0="100 42 69"ifconfig_em0_100="up"ifconfig_em0_42="up"ifconfig_em0_69="up"cloned_interfaces="bridge0 bridge100 bridge42 bridge69"create_args_bridge100="ether 8c:16:45:82:b4:10"ifconfig_bridge100="addm em0.100 SYNCDHCP"ifconfig_bridge100_ipv6="inet6 auto_linklocal"rtsold_flags="-i -F -m bridge100"rtsold_enable="YES"create_args_bridge42=" ether 8c:16:45:82:b4:42"create_args_bridge69=" ether 8c:16:45:82:b4:69"ifconfig_bridge42="addm em0.42"ifconfig_bridge69="addm em0.69"jail_enable="YES"jailer_dir="zfs:zroot/jailer"ifconfig_bridge0="inet 10.1.0.1/24 up"ngbuddy_enable="YES"ngbuddy_private_if="nghost0"dhcpd_enable="YES"lldpd_enable="YES"
I used Jailer to create the
unifi0jail, here’s what thejail.conflooks like# vim: set syntax=sh:exec.clean;allow.raw_sockets;mount.devfs;unifi0 { $id = "6"; devfs_ruleset = 10; $bridge = "bridge42"; $domain = "evn0.loc.illuriasecurity.com"; vnet; vnet.interface = "epair${id}b"; exec.prestart = "ifconfig epair${id} create up"; exec.prestart += "ifconfig epair${id}a up descr vnet-${name}"; exec.prestart += "ifconfig ${bridge} addm epair${id}a up"; exec.start = "/sbin/ifconfig lo0 127.0.0.1 up"; exec.start += "/bin/sh /etc/rc"; exec.stop = "/bin/sh /etc/rc.shutdown jail"; exec.poststop = "ifconfig ${bridge} deletem epair${id}a"; exec.poststop += "ifconfig epair${id}a destroy"; host.hostname = "${name}.${domain}"; path = "/usr/local/jailer/unifi0"; exec.consolelog = "/var/log/jail/${name}.log"; persist; mount.fdescfs; mount.procfs;}Here are the important parts inside the jail
root@t480s:~ # cat /usr/local/jailer/unifi0/etc/rc.confifconfig_epair6b="SYNCDHCP"sendmail_enable="NONE"syslogd_flags="-ss"mongod_enable="YES"unifi_enable="YES"root@t480s:~ # cat /usr/local/jailer/unifi0/etc/start_if.epair6b ifconfig epair6b ether 58:9c:fc:93:d1:0b
Don’t you love it that you can see what’s inside the jail from the host? God I love FreeBSD!
Did I miss anything? I hope not.
Oh, for the homelabbers out there, the T480s is the one that runs things like Jellyfin if needed.
Finally, the tiny
Raspberry Pi 4, Model B
I found this in a closed, so I decided to run it for TimeMachine.
I guess all you care about is
rc.confhostname="tm0.evn0.loc.illuriasecurity.com"ifconfig_DEFAULT="DHCP inet6 accept_rtadv"sshd_enable="YES"sendmail_enable="NONE"sendmail_submit_enable="NO"sendmail_outbound_enable="NO"sendmail_msp_queue_enable="NO"growfs_enable="YES"powerd_enable="YES"# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disabledumpdev="AUTO"zfs_enable="YES"rtsold_enable="YES"samba_server_enable="YES"
And the Samba Configuration
[global]# Network settingsworkgroup = WORKGROUPserver string = Samba Server %vnetbios name = RPi4# Logginglog file = /var/log/samba4/log.%mmax log size = 50log level = 0# Authenticationsecurity = userencrypt passwords = yespassdb backend = tdbsammap to guest = Bad Usermin protocol = SMB2max protocol = SMB3# Apple Time Machine settingsvfs objects = catia fruit streams_xattrfruit:metadata = streamfruit:resource = streamfruit:encoding = nativefruit:locking = nonefruit:time machine = yes# File System supportea support = yeskernel oplocks = nokernel share modes = noposix locking = nomangled names = nosmbd max xattr size = 2097152# Performance tuningread raw = yeswrite raw = yesgetwd cache = yesstrict locking = no# Miscellaneouslocal master = nopreferred master = nodomain master = nowins support = no[tm]comment = Time Machine RPi4path = /usr/local/timemachine/%Ubrowseable = yesread only = novalid users = antranigvvfs objects = catia fruit streams_xattrfruit:time machine = yesfruit:advertise_fullsync = truefruit:time machine max size = 800G # Adjust the size according to your needscreate mask = 0600directory mask = 0700
That’s pretty much it.
Conclusion
I love running homebrew servers, home networks and home labs. I love that (almost) everything is FreeBSD. The switch itself runs Linux, and the Unifi Access Point also runs Linux, both of which I’m pretty happy with.
While most homelabbers used ESXi in the past, I’m happy to see that most people are moving to open source solutions like Proxmox and Xen, but I think that FreeBSD Jails and bhyve is much better. I still don’t have a need for bhyve at the moment, but I would use it if I needed hardware virtualization.
Most homelabbers would consider the lack of Web/GUI interfaces as a con, but I think that it’s a pro. If I need to “replicate” this network, all I need to do is to copy some text files and modify some IP addresses / Interface names.
I hope this was informative and that it would be useful for anyone in the future.
That’s all folks…
Reply via email.
https://antranigv.am/posts/2024/06/freebsd-server-network-homelab/
#Containers #Dell #DellLatitudeE5470 #FreeBSD #homeServer #HowTo #Jailer #Jails #macOS #Networking #pf #Samba #Unifi #Unix #VNET
-
The FreeBSD-native-ish home lab and network
For many years my setup was pretty simple: a FreeBSD home server running on my old laptop. It runs everything I need to be present on the internet: an email server, a web server (like the one you’ve accessed right now to see this blog post) and a public chat server (XMPP/Jabber) so I can be in touch with friends.
For my home network, I had a basic Access Point and a basic Router.
Lately, my setup has become more… intense. I have IPv6 thanks to Hurricane Electric, which is passed on to my home network (which we’ll talk about in a bit), and the home network has multiple VLANs, since friends who come over also need WiFi.
I decided to blog about the details, hoping it would help someone in the future.
I’ll start with the simplest one.
The Home Server
I’ve been running home servers for a long time. I believe that every person/family needs a home server. Forget about buying your kids iPads and Smartphones. Their first devices should be a real computer (sorry Apple, iOS devices are still just a toy) like a desktop/laptop and a home server. The home server doesn’t need to be on the public internet, but mine is, for a variety of reasons. This blog being one of them.
I get a static IP address from my ISP, Ucom. After the management change that happened a couple of years ago, Ucom has become a very typical ISP (think shitty), but they are the only ones that provide a static IP address, instead of setting it on your router, where you have to do port forwarding.
My home server, hostnamed pingvinashen (meaning the town of the penguins, named after the Armenian cartoon), runs FreeBSD. Historically this machine has run Debian, Funtoo, Gentoo and finally FreeBSD.
Hardware wise, here’s what it is:
root@pingvinashen:~ # dmidecode -s system-product-name
Latitude E5470
root@pingvinashen:~ # sysctl hw.model
hw.model: Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz
root@pingvinashen:~ # sysctl hw.physmem
hw.physmem: 17016950784
root@pingvinashen:~ # zpool list
NAME    SIZE  ALLOC   FREE  CKPOINT  EXPANDSZ   FRAG    CAP  DEDUP  HEALTH  ALTROOT
zroot   420G   178G   242G        -         -    64%    42%  1.00x  ONLINE  -
While most homelabbers use hardware virtualization, I think that resources are a tight thing, and should be managed properly. Any company that markets itself as “green/eco-friendly” and uses hardware virtualization should do calculations using a pen and paper and prove if going native would save power/resources or not. (sometimes it doesn’t, usually it does)
I use containers, the old-school ones, Jails to be more specific.
I manage jails using Jailer, my own tool, which tries to stay out of your way when working with Jails.
Here are my current jails:
root@pingvinashen:~ # jailer list
NAME        STATE    JID  HOSTNAME              IPv4               GW
antranig    Active   1    antranig.bsd.am       192.168.10.42/24   192.168.10.1
antranigv   Active   2    antranigv.bsd.am      192.168.10.52/24   192.168.10.1
git         Stopped
huginn0     Active   4    huginn0.bsd.am        192.168.10.34/24   192.168.10.1
ifconfig    Active   5    ifconfig.bsd.am       192.168.10.33/24   192.168.10.1
lucy        Active   6    lucy.vartanian.am     192.168.10.37/24   192.168.10.1
mysql       Active   7    mysql.antranigv.am    192.168.10.50/24   192.168.10.1
newsletter  Active   8    newsletter.bsd.am     192.168.10.65/24   192.168.10.1
oragir      Active   9    oragir.am             192.168.10.30/24   192.168.10.1
psql        Active   10   psql.pingvinashen.am  192.168.10.3/24    192.168.10.1
rss         Active   11   rss.bsd.am            192.168.10.5/24    192.168.10.1
sarian      Active   12   sarian.am             192.168.10.53/24   192.168.10.1
syuneci     Active   13   syuneci.am            192.168.10.60/24   192.168.10.1
znc         Active   14   znc.bsd.am            192.168.10.152/24  192.168.10.1
You already get a basic idea of how things are. Each of my blogs (Armenian and English) has its own Jail. Since I’m using WordPress, I need a database, so I have a MySQL jail (which, ironically, runs MariaDB).
I also have a Git server, running Gitea, which is down at the moment as I’m doing maintenance. The Git server (and many other services) requires PostgreSQL, hence the existence of a PostgreSQL jail. I run Huginn for automation (RSS to Telegram, RSS to XMPP). My sister has her own blog, using WordPress, so that’s a Jail of its own. Same goes for my fiancée.
Other Jails are Newsletter using Listmonk, Sarian (the Armenian instance of lobste.rs) and a personal ZNC server.
As an avid RSS advocate, I also have an RSS Jail, which runs Miniflux. Many of my friends use this service.
Oragir is an instance of WriteFreely, as I advocate public blogging and ActivityPub. Our community uses that too.
The web server that forwards all this traffic from the public to the Jails is nginx. All it does is proxy_pass as needed. It runs on the host.
Other services that run on the host are DNS (BIND9), an email service running OpenSMTPD (which will be moved to a Jail soon), the chat service running prosody (which will be moved to a Jail soon) and finally WireGuard, because I love VPNs. Finally, there’s an IPv6-over-IPv4 tunnel that I use to obtain IPv6 thanks to Hurricane Electric.
Yes, I have a firewall, I use pf(4).
For the techies in the room, here’s what my rc.conf looks like.
# cat /etc/rc.conf
# Defaults
clear_tmp_enable="YES"
syslogd_flags="-ss"
sendmail_enable="NONE"
#local_unbound_enable="YES"
sshd_enable="YES"
moused_enable="YES"
ntpd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
zfs_enable="YES"
hostname="pingvinashen.am"

# Networking
defaultrouter="37.157.221.1"
gateway_enable="YES"
ifconfig_em0="up"
vlans_em0="37 1000" # 1000 -> WAN; 37 -> Home Router
ifconfig_em0_1000="inet 37.157.221.130 netmask 255.255.255.0"
ifconfig_em0_37="inet 192.168.255.2 netmask 255.255.255.0"
static_routes="home"
route_home="-net 172.16.100.0/24 -gateway 192.168.255.1"
cloned_interfaces="bridge0 bridge6 bridge10"
ifconfig_bridge10="inet 192.168.10.1 netmask 255.255.255.0"

## IPv6
ipv6_gateway_enable="YES"
gif_interfaces="gif0"
gifconfig_gif0="37.157.221.130 216.66.84.46"
ifconfig_gif0="inet6 2001:470:1f14:ef::2 2001:470:1f14:ef::1 prefixlen 128"
ipv6_defaultrouter="2001:470:1f14:ef::1"
ifconfig_em0_37_ipv6="inet6 2001:470:7914:7065::2 prefixlen 64"
ipv6_static_routes="home guest"
ipv6_route_home="-net 2001:470:7914:6a76::/64 -gateway 2001:470:7914:7065::1"
ipv6_route_guest="-net 2001:470:7914:6969::/64 -gateway 2001:470:7914:7065::1"
ifconfig_bridge6_ipv6="inet6 2001:470:1f15:e4::1 prefixlen 64"
ifconfig_bridge6_aliases="inet6 2001:470:1f15:e4::25 prefixlen 64 \
inet6 2001:470:1f15:e4::80 prefixlen 64 \
inet6 2001:470:1f15:e4::5222 prefixlen 64 \
inet6 2001:470:1f15:e4:c0fe::53 prefixlen 64 \
"

# VPN
wireguard_enable="YES"
wireguard_interfaces="wg0"

# Firewall
pf_enable="YES"

# Jails
jail_enable="YES"
jailer_dir="zfs:zroot/jails"

# DNS
named_enable="YES"

# Mail
smtpd_enable="YES"
smtpd_config="/usr/local/etc/smtpd.conf"

# XMPP
prosody_enable="YES"
turnserver_enable="YES"

# Web
nginx_enable="YES"
tor_enable="YES"
The gif0 interface is an IPv6-over-IPv4 tunnel. I have static routes to my home network, so I don’t go to my server over the ISP every time. This also gives me the ability to get IPv6 in my home network, routed via my home server.
As you have guessed from this config file, I do have VLANs set up. So let’s get into that.
The Home Network
First of all, here’s a very cheap diagram
I have the following VLANs set up on the switch.
VLAN ID  Purpose
1        Switch Management
1000     pingvinashen (home server) WAN
1001     evn0 (home router) WAN
37       pingvinashen ↔ evn0
42       Internal Management
100      Home LAN
69       Home Guest
Here are the active ports
Port  VLANs                               Purpose
24    untagged: 1                         Switch management, connects to Port 2
22    untagged: 1000                      pingvinashen WAN, from ISP
21    untagged: 1001                      Home WAN, from ISP
20    tagged: 1000, 37                    To pingvinashen, port em0
19    untagged: 1001                      To home router, port igb1
18    tagged: 42, 100, 69, 99             To home router, port igb2
17    untagged: 37                        To home router, port igb0
16    tagged: 42, 100, 69                 To Lenovo T480s
15    untagged: 100                       To Raspberry Pi 4
2     untagged: 99                        From Port 24, for switch management
1     untagged: 42; tagged: 100, 69; PoE  To UAP AC Pro
The home router, hostnamed evn0 (named after the IATA code of Yerevan’s Zvartnots International Airport), runs FreeBSD as well. The hardware is the following:
root@evn0:~ # dmidecode -s system-product-name
APU2
root@evn0:~ # sysctl hw.model
hw.model: AMD GX-412TC SOC
root@evn0:~ # sysctl hw.physmem
hw.physmem: 4234399744
root@evn0:~ # zpool list
NAME    SIZE  ALLOC   FREE  CKPOINT  EXPANDSZ   FRAG    CAP  DEDUP  HEALTH  ALTROOT
zroot  12.5G  9.47G  3.03G        -         -    67%    75%  1.00x  ONLINE  -
The home router does… well, routing. It also does DHCP, DNS, SLAAC, and can act as a syslog server.
Here’s what the rc.conf looks like:
clear_tmp_enable="YES"
sendmail_enable="NONE"
syslogd_flags="-a '172.16.100.0/24:*' -H"
zfs_enable="YES"
dumpdev="AUTO"
hostname="evn0.illuriasecurity.com"
pf_enable="YES"
gateway_enable="YES"
ipv6_gateway_enable="YES"
sshd_enable="YES"

# Get an IP address from the ISP's GPON
ifconfig_igb1="DHCP"

# Internal routes with pingvinashen
ifconfig_igb0="inet 192.168.255.1 netmask 255.255.255.0"
ifconfig_igb0_ipv6="inet6 2001:470:7914:7065::1 prefixlen 64"
static_routes="pingvinashen"
route_pingvinashen="-net 37.157.221.130/32 -gateway 192.168.255.2"
ipv6_defaultrouter="2001:470:7914:7065::2"

# Home Mgmt, Switch Mgmt, Home LAN, Home Guest
ifconfig_igb2="up"
vlans_igb2="42 99 100 69"
ifconfig_igb2_42="inet 172.31.42.1 netmask 255.255.255.0"
ifconfig_igb2_99="inet 172.16.99.1 netmask 255.255.255.0"
ifconfig_igb2_100="inet 172.16.100.1 netmask 255.255.255.0"
ifconfig_igb2_100_ipv6="inet6 2001:470:7914:6a76::1 prefixlen 64"
ifconfig_igb2_69="inet 192.168.69.1 netmask 255.255.255.0"
ifconfig_igb2_69_ipv6="inet6 2001:470:7914:6969::1 prefixlen 64"

# DNS and DHCP
named_enable="YES"
dhcpd_enable="YES"
named_flags=""

# NTP
ntpd_enable="YES"

# Router Advertisement and LLDP
rtadvd_enable="YES"
lldpd_enable="YES"
lldpd_flags=""
Here’s pf.conf, because security is important.
ext_if="igb1"
bsd_if="igb0"
int_if="igb2.100"
guest_if="igb2.69"
mgmt_if="igb2.42"
sw_if="igb2.99"
ill_net="172.16.0.0/16"

nat pass on $ext_if from $int_if:network to any -> ($ext_if)
nat pass on $ext_if from $mgmt_if:network to any -> ($ext_if)
nat pass on $ext_if from $guest_if:network to any -> ($ext_if)

set skip on { lo0 }

block in all
pass on $int_if from $int_if:network to any
pass on $mgmt_if from $mgmt_if:network to any
pass on $sw_if from $sw_if:network to any
pass on $guest_if from $guest_if:network to any
block quick on $guest_if from any to { $int_if:network, $mgmt_if:network, $ill_net, $sw_if:network }
pass in on illuria0 from $ill_net to { $ill_net, $mgmt_if:network }
pass inet proto icmp
pass inet6 proto icmp6
pass out all keep state
I’m sure there are places to improve, but it gets the job done and keeps the guest network isolated.
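To check that isolation claim against the rules themselves rather than by eyeballing them, here is an added example that is not part of the post: a small Python model of pf's filtering semantics (rules are tried in order, the last match wins, and a matching `quick` rule ends evaluation at once) loaded with the filtering rules above. The `$x_if:network` macros are expanded from evn0's rc.conf (IPv4 only); nat, state tracking and `set skip on lo0` are deliberately left out. The test addresses are assumptions: 192.168.69.120 is a guest lease, 172.16.100.7 is the `zvartnots` host from dhcpd.conf, 203.0.113.9 an Internet host, and 198.51.100.1 stands in for igb1's DHCP-assigned WAN address.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Macros from evn0's pf.conf; $x_if:network expanded from its rc.conf addresses.
IF = {"ext_if": "igb1", "bsd_if": "igb0", "int_if": "igb2.100",
      "guest_if": "igb2.69", "mgmt_if": "igb2.42", "sw_if": "igb2.99"}
NET = {"int_if": "172.16.100.0/24", "mgmt_if": "172.31.42.0/24",
       "guest_if": "192.168.69.0/24", "sw_if": "172.16.99.0/24",
       "ill_net": "172.16.0.0/16"}

def nets(*keys):
    return [ipaddress.ip_network(NET[k]) for k in keys]

@dataclass
class Rule:
    action: str                      # "pass" or "block"
    quick: bool = False              # stop evaluating once this rule matches
    direction: Optional[str] = None  # "in", "out", or None for both
    iface: Optional[str] = None      # None matches every interface
    af: Optional[int] = None         # 4 for inet, 6 for inet6, None for any
    proto: Optional[str] = None      # None matches any protocol
    src: Optional[list] = None       # list of networks; None means "any"
    dst: Optional[list] = None

@dataclass
class Packet:
    iface: str
    direction: str
    src: str
    dst: str
    proto: str = "tcp"

def matches(r, p):
    s, d = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
    return ((r.direction is None or r.direction == p.direction)
            and (r.iface is None or r.iface == p.iface)
            and (r.af is None or r.af == s.version)
            and (r.proto is None or r.proto == p.proto)
            and (r.src is None or any(s in n for n in r.src))
            and (r.dst is None or any(d in n for n in r.dst)))

def verdict(rules, p):
    """pf filtering semantics: rules are tried in order and the LAST match
    wins, except that a matching 'quick' rule ends evaluation immediately.
    A packet that no rule matches is passed (pf's default)."""
    last = "pass"
    for r in rules:
        if matches(r, p):
            last = r.action
            if r.quick:
                break
    return last

# The filtering rules from the page, in the order they appear.
RULES = [
    Rule("block", direction="in"),
    Rule("pass", iface=IF["int_if"], src=nets("int_if")),
    Rule("pass", iface=IF["mgmt_if"], src=nets("mgmt_if")),
    Rule("pass", iface=IF["sw_if"], src=nets("sw_if")),
    Rule("pass", iface=IF["guest_if"], src=nets("guest_if")),
    Rule("block", quick=True, iface=IF["guest_if"],
         dst=nets("int_if", "mgmt_if", "ill_net", "sw_if")),
    Rule("pass", direction="in", iface="illuria0", src=nets("ill_net"),
         dst=nets("ill_net", "mgmt_if")),
    Rule("pass", af=4, proto="icmp"),
    Rule("pass", af=6, proto="icmp6"),
    Rule("pass", direction="out"),
]

# Assumed addresses for the checks (see lead-in); 192.168.255.2 is the
# pingvinashen end of the igb0 link, taken from the page.
GUEST, LAN_HOST = "192.168.69.120", "172.16.100.7"
INET, WAN, SERVER_LINK = "203.0.113.9", "198.51.100.1", "192.168.255.2"

def guest_to_lan():
    return verdict(RULES, Packet(IF["guest_if"], "in", GUEST, LAN_HOST))

def guest_ping_lan():
    return verdict(RULES, Packet(IF["guest_if"], "in", GUEST, LAN_HOST, "icmp"))

def guest_to_internet():
    return verdict(RULES, Packet(IF["guest_if"], "in", GUEST, INET))

def guest_to_server_link():
    return verdict(RULES, Packet(IF["guest_if"], "in", GUEST, SERVER_LINK))

def internet_ping_router():
    return verdict(RULES, Packet(IF["ext_if"], "in", INET, WAN, "icmp"))

def internet_ssh_router():
    return verdict(RULES, Packet(IF["ext_if"], "in", INET, WAN, "tcp"))

if __name__ == "__main__":
    for f in (guest_to_lan, guest_ping_lan, guest_to_internet,
              guest_to_server_link, internet_ping_router, internet_ssh_router):
        print(f"{f.__name__:22} {f()}")
```

Running it confirms the guest isolation: guest to LAN is blocked even for ICMP, because the `block quick` rule fires before the later `pass inet proto icmp` is ever reached, and the order matters (a `block` without `quick` would be overridden by that later `pass`). It also shows two things the ruleset does not restrict: ICMP from the Internet to igb1 is passed by the unqualified `pass inet proto icmp` rule, and a guest can reach 192.168.255.0/24, the link toward pingvinashen, since that network is not in the `block quick` list.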
Here’s rtadvd.conf, for my IPv6 folks:
igb2.100:\
	:addr="2001:470:7914:6a76::":prefixlen#64:\
	:rdnss="2001:470:7914:6a76::1":\
	:dnssl="evn0.loc.illuriasecurity.com,loc.illuriasecurity.com":
igb2.69:\
	:addr="2001:470:7914:6969::":prefixlen#64:\
	:rdnss="2001:470:7914:6969::1":
For DNS, I’m running BIND, here are the important parts:
listen-on { 127.0.0.1; 172.16.100.1; 172.16.99.1; 172.31.42.1; 192.168.69.1; };
listen-on-v6 { 2001:470:7914:6a76::1; 2001:470:7914:6969::1; };
allow-query { 127.0.0.1; 172.16.100.0/24; 172.31.42.0/24; 192.168.69.0/24; 2001:470:7914:6a76::/64; 2001:470:7914:6969::/64; };
And for DHCP, here’s what it looks like:
subnet 172.16.100.0 netmask 255.255.255.0 {
  range 172.16.100.100 172.16.100.150;
  option domain-name-servers 172.16.100.1;
  option subnet-mask 255.255.255.0;
  option routers 172.16.100.1;
  option domain-name "evn0.loc.illuriasecurity.com";
  option domain-search "loc.illuriasecurity.com", "evn0.loc.illuriasecurity.com";
}
host zvartnots {
  hardware ethernet d4:57:63:f1:5a:36;
  fixed-address 172.16.100.7;
}
host unifi0 {
  hardware ethernet 58:9c:fc:93:d1:0b;
  fixed-address 172.31.42.42;
}
[…]
subnet 172.31.42.0 netmask 255.255.255.0 {
  range 172.31.42.100 172.31.42.150;
  option domain-name-servers 172.31.42.1;
  option subnet-mask 255.255.255.0;
  option routers 172.31.42.1;
}
subnet 192.168.69.0 netmask 255.255.255.0 {
  range 192.168.69.100 192.168.69.150;
  option domain-name-servers 192.168.69.1;
  option subnet-mask 255.255.255.0;
  option routers 192.168.69.1;
}
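The BIND access lists and the DHCP subnets above have to agree with each other, and that is easy to get wrong as VLANs are added. As an added check that is not part of the post, the following Python cross-checks them: an address BIND listens on whose network is missing from `allow-query` answers REFUSED to every client on that interface, and a DHCP subnet that hands out a resolver BIND does not listen on leaves its clients without DNS. The two configs are embedded as constructed, abridged strings so it runs offline; the heuristic of using the listening address as a stand-in for the network it serves (BIND does not say which subnet an interface faces) is an assumption of the script.

```python
import ipaddress
import re

# Constructed, abridged copies of evn0's BIND options and dhcpd.conf as shown
# on the page; a real audit would read named.conf and dhcpd.conf instead.
BIND_OPTIONS = """
listen-on { 127.0.0.1; 172.16.100.1; 172.16.99.1; 172.31.42.1; 192.168.69.1; };
listen-on-v6 { 2001:470:7914:6a76::1; 2001:470:7914:6969::1; };
allow-query { 127.0.0.1; 172.16.100.0/24; 172.31.42.0/24; 192.168.69.0/24;
              2001:470:7914:6a76::/64; 2001:470:7914:6969::/64; };
"""

DHCPD_CONF = """
subnet 172.16.100.0 netmask 255.255.255.0 {
  range 172.16.100.100 172.16.100.150;
  option domain-name-servers 172.16.100.1;
  option routers 172.16.100.1;
}
subnet 172.31.42.0 netmask 255.255.255.0 {
  range 172.31.42.100 172.31.42.150;
  option domain-name-servers 172.31.42.1;
  option routers 172.31.42.1;
}
subnet 192.168.69.0 netmask 255.255.255.0 {
  range 192.168.69.100 192.168.69.150;
  option domain-name-servers 192.168.69.1;
  option routers 192.168.69.1;
}
"""

def bind_list(text, key):
    """Entries of a BIND address match list `key { a; b; };` as ip_network objects."""
    m = re.search(r"\b" + re.escape(key) + r"\s*\{([^}]*)\}", text)
    if not m:
        return []
    return [ipaddress.ip_network(e.strip(), strict=False)
            for e in m.group(1).split(";") if e.strip()]

def dhcp_subnets(text):
    """Yield (network, [dns servers]) for each `subnet ... netmask ... { }` stanza."""
    stanza = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{([^}]*)\}")
    for net, mask, body in stanza.findall(text):
        dns = re.search(r"option\s+domain-name-servers\s+([^;]+);", body)
        servers = ([ipaddress.ip_address(s.strip(",")) for s in dns.group(1).split()]
                   if dns else [])
        yield ipaddress.ip_network(f"{net}/{mask}", strict=False), servers

def audit(bind_text, dhcpd_text):
    """Cross-check listen-on / allow-query against what DHCP tells clients."""
    listen = {n.network_address for n in
              bind_list(bind_text, "listen-on") + bind_list(bind_text, "listen-on-v6")}
    allow = bind_list(bind_text, "allow-query")
    findings = []

    # 1. Listening on an interface address whose network is absent from
    #    allow-query means every client on that VLAN gets REFUSED.
    #    Heuristic (assumption): the listening address stands for its network.
    for addr in sorted(listen, key=str):
        if not addr.is_loopback and not any(addr in n for n in allow):
            findings.append(f"listen-on {addr} has no matching allow-query entry")

    # 2. Every resolver handed out by DHCP must be an address BIND listens on,
    #    and the DHCP subnet itself must be allowed to query.
    for net, servers in dhcp_subnets(dhcpd_text):
        for s in servers:
            if s not in listen:
                findings.append(f"{net} hands out DNS {s}, which BIND does not listen on")
        if not any(a.version == net.version and net.subnet_of(a) for a in allow):
            findings.append(f"{net} is not in allow-query")
    return findings

if __name__ == "__main__":
    for line in audit(BIND_OPTIONS, DHCPD_CONF) or ["no findings"]:
        print(line)
```

On the fragments above it reports exactly one finding: 172.16.99.1 (the switch-management VLAN) is in `listen-on`, but 172.16.99.0/24 is not in `allow-query`, so anything on VLAN 99 that asks evn0 for DNS is refused. That may well be intended for a management VLAN, but it is the kind of mismatch that is worth knowing about before a switch firmware update tries to resolve a hostname.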
So you’re wondering, what’s this unifi0? Well, that brings us to

T480s
This laptop has been gifted to me by [REDACTED] for my contributions to the Armenian government (which means when a server goes down and no one knows how to fix it, they called me and I showed up)
Here’s the hardware
root@t480s:~ # dmidecode -s system-version
ThinkPad T480s
root@t480s:~ # sysctl hw.model
hw.model: Intel(R) Core(TM) i5-8350U CPU @ 1.70GHz
root@t480s:~ # sysctl hw.physmem
hw.physmem: 25602347008
root@t480s:~ # zpool list
NAME    SIZE  ALLOC   FREE  CKPOINT  EXPANDSZ   FRAG    CAP  DEDUP  HEALTH  ALTROOT
zroot   224G   109G   115G        -         -    44%    48%  1.00x  ONLINE  -
The T480s has access to VLANs 100, 42 and 69, but the host itself has an address only on VLAN 100 (LAN), while the jails can live on the other VLANs.
So I have a Jail named unifi0 that runs the Unifi Management thingie.
Here’s what the rc.conf of the host looks like:
clear_tmp_enable="YES"
syslogd_flags="-ss"
sendmail_enable="NONE"
sshd_enable="YES"
ntpd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
zfs_enable="YES"
hostname="t480s.evn0.loc.illuriasecurity.com"

ifconfig_em0="up -rxcsum -txcsum"
vlans_em0="100 42 69"
ifconfig_em0_100="up"
ifconfig_em0_42="up"
ifconfig_em0_69="up"

cloned_interfaces="bridge0 bridge100 bridge42 bridge69"
create_args_bridge100="ether 8c:16:45:82:b4:10"
ifconfig_bridge100="addm em0.100 SYNCDHCP"
ifconfig_bridge100_ipv6="inet6 auto_linklocal"
rtsold_flags="-i -F -m bridge100"
rtsold_enable="YES"
create_args_bridge42=" ether 8c:16:45:82:b4:42"
create_args_bridge69=" ether 8c:16:45:82:b4:69"
ifconfig_bridge42="addm em0.42"
ifconfig_bridge69="addm em0.69"

jail_enable="YES"
jailer_dir="zfs:zroot/jailer"
ifconfig_bridge0="inet 10.1.0.1/24 up"
ngbuddy_enable="YES"
ngbuddy_private_if="nghost0"
dhcpd_enable="YES"
lldpd_enable="YES"
I used Jailer to create the unifi0 jail, here’s what the jail.conf looks like:
# vim: set syntax=sh:
exec.clean;
allow.raw_sockets;
mount.devfs;

unifi0 {
  $id = "6";
  devfs_ruleset = 10;
  $bridge = "bridge42";
  $domain = "evn0.loc.illuriasecurity.com";
  vnet;
  vnet.interface = "epair${id}b";
  exec.prestart = "ifconfig epair${id} create up";
  exec.prestart += "ifconfig epair${id}a up descr vnet-${name}";
  exec.prestart += "ifconfig ${bridge} addm epair${id}a up";
  exec.start = "/sbin/ifconfig lo0 127.0.0.1 up";
  exec.start += "/bin/sh /etc/rc";
  exec.stop = "/bin/sh /etc/rc.shutdown jail";
  exec.poststop = "ifconfig ${bridge} deletem epair${id}a";
  exec.poststop += "ifconfig epair${id}a destroy";
  host.hostname = "${name}.${domain}";
  path = "/usr/local/jailer/unifi0";
  exec.consolelog = "/var/log/jail/${name}.log";
  persist;
  mount.fdescfs;
  mount.procfs;
}
Here are the important parts inside the jail:
root@t480s:~ # cat /usr/local/jailer/unifi0/etc/rc.conf
ifconfig_epair6b="SYNCDHCP"
sendmail_enable="NONE"
syslogd_flags="-ss"
mongod_enable="YES"
unifi_enable="YES"
root@t480s:~ # cat /usr/local/jailer/unifi0/etc/start_if.epair6b
ifconfig epair6b ether 58:9c:fc:93:d1:0b
Don’t you love it that you can see what’s inside the jail from the host? God I love FreeBSD!
Did I miss anything? I hope not.
Oh, for the homelabbers out there, the T480s is the one that runs things like Jellyfin if needed.
Finally, the tiny
Raspberry Pi 4, Model B
I found this in a closet, so I decided to run it for Time Machine.
I guess all you care about is rc.conf:
hostname="tm0.evn0.loc.illuriasecurity.com"
ifconfig_DEFAULT="DHCP inet6 accept_rtadv"
sshd_enable="YES"
sendmail_enable="NONE"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
growfs_enable="YES"
powerd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
zfs_enable="YES"
rtsold_enable="YES"
samba_server_enable="YES"
And the Samba Configuration
[global]
# Network settings
workgroup = WORKGROUP
server string = Samba Server %v
netbios name = RPi4

# Logging
log file = /var/log/samba4/log.%m
max log size = 50
log level = 0

# Authentication
security = user
encrypt passwords = yes
passdb backend = tdbsam
map to guest = Bad User
min protocol = SMB2
max protocol = SMB3

# Apple Time Machine settings
vfs objects = catia fruit streams_xattr
fruit:metadata = stream
fruit:resource = stream
fruit:encoding = native
fruit:locking = none
fruit:time machine = yes

# File System support
ea support = yes
kernel oplocks = no
kernel share modes = no
posix locking = no
mangled names = no
smbd max xattr size = 2097152

# Performance tuning
read raw = yes
write raw = yes
getwd cache = yes
strict locking = no

# Miscellaneous
local master = no
preferred master = no
domain master = no
wins support = no

[tm]
comment = Time Machine RPi4
path = /usr/local/timemachine/%U
browseable = yes
read only = no
valid users = antranigv
vfs objects = catia fruit streams_xattr
fruit:time machine = yes
fruit:advertise_fullsync = true
# Adjust the size according to your needs (smb.conf does not support
# trailing comments on a parameter line, so the note lives here)
fruit:time machine max size = 800G
create mask = 0600
directory mask = 0700
Note that map to guest = Bad User maps unknown usernames to the guest account; the [tm] share is still restricted by valid users, so only antranigv can reach the backups.
That’s pretty much it.
Conclusion
I love running homebrew servers, home networks and home labs. I love that (almost) everything is FreeBSD. The switch itself runs Linux, and the Unifi Access Point also runs Linux, both of which I’m pretty happy with.
While most homelabbers used ESXi in the past, I’m happy to see that most people are moving to open source solutions like Proxmox and Xen, but I think that FreeBSD Jails and bhyve are much better. I still don’t have a need for bhyve at the moment, but I would use it if I needed hardware virtualization.
Most homelabbers would consider the lack of Web/GUI interfaces as a con, but I think that it’s a pro. If I need to “replicate” this network, all I need to do is to copy some text files and modify some IP addresses / Interface names.
I hope this was informative and that it will be useful for anyone in the future.
That’s all folks…
https://antranigv.am/posts/2024/06/freebsd-server-network-homelab/
#Containers #Dell #DellLatitudeE5470 #FreeBSD #homeServer #HowTo #Jailer #Jails #macOS #Networking #pf #Samba #Unifi #Unix #VNET
-
GardensTale Goes to Roadburn 2024
By GardensTale
Roadburn is a unique festival. Many have no idea what it is, but those who know it often revere it. Starting in 1999 as a traveling stoner festival, it has grown into one of the most adventurous, envelope-pushing celebrations of music worldwide. The line-ups have grown increasingly experimental, and a few years ago the festival adopted the slogan Redefining Heaviness. It’s a mission statement that indicates the wide scope of the festival, exploring other forms of heaviness through the inclusion of genres beyond metal.
My partner and I have visited every Roadburn since 2017, when I last wrote a report on the experience. At the time, we had a sweet arrangement allowing free entry by playing host to a performing artist. Unfortunately, this option no longer exists since the pandemic, so instead we have been inviting random festival goers, which has netted us a steadily growing slew of festival buddies from across Europe. This year was no different, with a few old friends and a few new ones taking up residence in our living room. With the fires of friendship thus stoked, we set off on our sixth voyage into the depths of the heavy underground.
Day 1 (Thursday, 18th of April)
2:34 PM — Got to Hexvessel’s set playing Polar Veil a little late, because one of our guests needed a bracelet still. Good doom, played well, but doesn’t blow me away. Room is crammed, but it’s the first show of the festival.
2:44 PM — Watched a few songs, then went to grab merch. Hoodies were already sold out in several colors.
3:11 PM — Sunrise Patriot Motion is like “what if Ashenspire swallowed a synthwave band” and I like it. It’s a strange contrast but it works.
4:03 PM — Wiegedood were doing a live soundtrack to a Japanese experimental silent film from 1926 and it was as odd as that sounds.
5:44 PM — Grabbed some food during a gap in the schedule and afterward watched a few songs of Sean Mulrooney’s set (from Tau and the Drones of Praise). Dark folk with sparse vocals doesn’t really work unless the vocals are good, and these weren’t.
5:47 PM — Now sitting outside the venue where UBOA is doing her thing and it sounds like two supercomputers on train tracks colliding head-on. Bit above my maximum noise-to-music ratio.
7:16 PM — Inter Arma is pretty dang massive. Sound in the venue isn’t great so the guitars aren’t getting their due but faces are caving in.
8:26 PM — WHITE WARD IS FUCKING AMAZING
8:35 PM — Their saxophone player is in the army so they had to make do with samples, but after 4 canceled appearances due to Covid and the war, it was worth the wait.
9:46 PM — Everyone and the family dog wants to see Chelsea Wolfe, so being 20 minutes early still meant nosebleed spots in the balcony. Wolfe fills the room anyway. I don’t always click with her albums that much, but man she is a force to behold on stage.
10:54 PM — Shows hadn’t left much time for food today, so a big fat doner wrap will have to do. A fellow with too little blood in his alcohol walked into the door and cracked his head on the tiles. Walked away 10 minutes later. Hope he survived.
11:37 PM — Goddamn, Backxwash is heavier with her hip-hop than most bands are playing metal. No one on stage but a black woman in a poofy dress laying down the law over raw industrial beats. Fucking awesome set.
Day 2 (Friday, 19th of April)
3:14 PM — Started off crammed into the room like sardines to hear Fluisteraars do an experimental set: the droniest of drone with birdsong on top. Handled about 10 minutes of that before bailing. Not my jam and way overcrowded.
3:39 PM — Mat McNerney (aka Kvohst of Hexvessel and others) doing a commissioned piece called Music For Gloaming: A Nocturne. Very gothic doom/black mixture, pretty cool set with loads of atmosphere.
6:33 PM — After a meal we went to check out Lucy Kruger + The Lost Boys in the Hall of Fame venue. Very nice weighty dream pop, not unlike Emma Ruth Rundle.
8:31 PM — Good thing we were there because Inter Arma was drafted for a second performance, a secret set of material from their classic albums. Also in the Hall of Fame, the smallest venue of the festival. Absolutely brainscramblingly colossal. Easily the heaviest thing on the festival so far.
9:52 PM — Another secret set, this one by Couch Slut in the skate park. Harsh music under the harsh glare of the tubes. Great performance and the venue brought out their punky DIY spirit, looking forward to seeing them again early tomorrow for their new album playthrough.
Day 3 (Saturday, 20th of April)
1:24 PM — Knoll for breakfast is kind of terrifying and overwhelming but also kind of awesome in a “my skull is now 2D” kind of way.
1:26 PM — Suddenly a wild trumpet appears!
2:25 PM — Couch Slut playing their new album. Raw as all fucking get out. Great show! Excellent live band both performances, visceral as fuck. The frontwoman confessed to only sleeping 90 minutes that night, and occasionally it showed, but by and large, she killed it.
2:50 PM — Oneiroporeia is a super young band and it shows, but their blackened prog-goth sound is solid and promising.
5:04 PM — Roadburn has a queue problem this year, especially today, and primarily at the Spoorzone venues. It’s always unclear when a venue opens and the queues have gotten gigantic. After wasting some time in a queue in an attempt to see Agriculture, we decided to settle in at the Main stage and wait for The Keening.
5:52 PM — The Keening is as beautiful and fragile as the titular Little Bird, but could use a few more dynamic stanzas to balance out the mid-weight atmodoomfolk a little. Still quite pretty though.
8:37 PM — Between rain and queues we settled on Ni in the Paradox jazz club. Super skronky instrumental jazzmathcore is healing my soul right now.
10:44 PM — Ni turned out one of the best things I’ve seen at the festival this year. Cult Leader’s acidic sludgy hardcore made a run for the podium, but their gothic-doom passages just aren’t as captivating. When these guys go full blast though, they’re absolutely vicious.
11:32 PM — In the spirit of trying new things, we ended the day with a few Frail Body tracks. Safe to say that screamo is not my new passion.
Day 4 (Sunday, 21st of April)
3:05 PM — We dragged our exhausted husks to the Terminal for the final day. Kicking off with Laster is a good start. The weird psych black band with ghoulish masks are pretty much studio-tight. It does feel a little clinical or impersonal as a live show but it’s a very solid performance.
4:47 PM — Today really is black metal day at the Terminal. No complaints from me! Verwoed tears down the place with their ritualistic and reasonably melodic take. Good sound and a spirited performance. The Dutch black metal scene proves to be thriving once more.
6:27 PM — After all the doom and gloom, a little black thrash that’s all riffs and no brakes is just the ticket, and Devil Master hits the spot. Doing the second half of the set sitting on the floor by the wall because my feet are withered stumps at this point.
6:31 PM — I’m also surprised by the amount of delighted surprised faces I get from bartenders when I show them my order on my phone screen. Is it really that uncommon? It’s so much simpler than shouting!
8:32 PM — Biological necessities (aka food) and a queue meant missing the first half of Fluisteraars’ full black metal set. This is a shame because fuck me this is one of the best performances of the whole festival. It’s apparently only the second time the band performs live and they put most of their peers to shame.
10:18 PM — Dödsrit led a 50-minute war band to raid and pillage the Terminal. Baller set, tons of energy and extremely fun! Sound was a bit off, as is tradition in this venue, but it didn’t spoil a good time. Thought this would be the last show for us, but in the interest of a last drink with a few friends we went to…
11:29 PM — …the main stage for Cloakroom. Not a terribly engaging band even by shoegaze standards, but a nice lullaby to sing the festival to sleep.
Between collaborations, commissioned pieces, secret sets, and integral album presentations, not to mention a lot of bands that would not fit in at many other festivals, Roadburn’s line-up is always unique. I’d never have found bands like Ni or Lucy Kruger without the concerted efforts of Walter Hoeijmakers and Becky Laverty to keep Roadburn one of the most forward-thinking festivals out there. I found some new favorites and checked out some bands I knew only by reputation. But best of all is experiencing it all with an ever-expanding gaggle of friends. We’ve rarely watched a show with just the two of us; nearly every time we had the company of friends, and come rain or queues, that is the best way to experience this festival.
#Agriculture #Ashenspire #Backxwash #ChelseaWolfe #Cloakroom #CouchSlut #CultLeader #DevilMaster #Dödsrit #EmmaRuthRundle #Fluisteraars #FrailBody #Hexvessel #InterArma #Knoll #Laster #LucyKrugerTheLostBoys #ni #Oneiroporeia #SunrisePatriotMotion #TauAndTheDronesOfPraise #TheKeening #UBOA #Verwoed #WhiteWard #Wiegedood
-
6:27 PM — After all the doom and gloom, a little black thrash that’s all riffs and no brakes is just the ticket, and Devil Master hits the spot. Doing the second half of the set sitting on the floor by the wall because my feet are withered stumps at this point.
6:31 PM — I’m also surprised by the amount of delighted surprised faces I get from bartenders when I show them my order on my phone screen. Is it really that uncommon? It’s so much simpler than shouting!
8:32 PM — Biological necessities (aka food) and a queue meant missing the first half of Fluisteraars’ full black metal set. This is a shame because fuck me this is one of the best performances of the whole festival. It’s apparently only the second time the band performs live and they put most of their peers to shame.
10:18 PM — Dödsrit led a 50-minute war band to raid and pillage the Terminal. Baller set, tons of energy and extremely fun! Sound was a bit off, as is tradition in this venue, but it didn’t spoil a good time. Thought this would be the last show for us, but in the interest of a last drink with a few friends we went to…
11:29 PM — …the main stage for Cloakroom. Not a terribly engaging band even by shoegaze standards, but a nice lullaby to sing the festival to sleep.
Between collaborations, commissioned pieces, secret sets, and integral album presentations, not to mention a lot of bands that would not fit in at many other festivals, Roadburn’s line-up is always unique. I’d never have found bands like Ni or Lucy Kruger without the concerted efforts of Walter Hoeijmakers and Becky Laverty to keep Roadburn one of the most forward-thinking festivals out there. I found some new favorites and checked out some bands I knew only by reputation. But best of all is experiencing it all with an ever-expanding gaggle of friends. We’ve rarely watched a show with just the two of us; nearly every time we had the company of friends, and come rain or queues, that is the best way to experience this festival.
#Agriculture #Ashenspire #Backxwash #ChelseaWolfe #Cloakroom #CouchSlut #CultLeader #DevilMaster #Dödsrit #EmmaRuthRundle #Fluisteraars #FrailBody #Hexvessel #InterArma #Knoll #Laster #LucyKrugerTheLostBoys #ni #Oneiroporeia #SunrisePatriotMotion #TauAndTheDronesOfPraise #TheKeening #UBOA #Verwoed #WhiteWard #Wiegedood
-
GardensTale Goes to Roadburn 2024
By GardensTale
Roadburn is a unique festival. Many have no idea what it is, but those who know it often revere it. Starting in 1999 as a traveling stoner festival, it has grown into one of the most adventurous, envelope-pushing celebrations of music worldwide. The line-ups have grown increasingly experimental, and a few years ago the festival adopted the slogan Redefining Heaviness. It’s a mission statement that indicates the wide scope of the festival, exploring other forms of heaviness through the inclusion of genres beyond metal.
My partner and I have visited every Roadburn since 2017, when I last wrote a report on the experience. At the time, we had a sweet arrangement allowing free entry by playing host to a performing artist. Unfortunately, this option no longer exists since the pandemic, so instead we have been inviting random festival goers, which has netted us a steadily growing slew of festival buddies from across Europe. This year was no different, with a few old friends and a few new ones taking up residence in our living room. With the fires of friendship thus stoked, we set off on our sixth voyage into the depths of the heavy underground.
Day 1 (Thursday, 18th of April)
2:34 PM — Got to Hexvessel’s set playing Polar Veil a little late, because one of our guests needed a bracelet still. Good doom, played well, but doesn’t blow me away. Room is crammed, but it’s the first show of the festival.
2:44 PM — Watched a few songs, then went to grab merch. Hoodies were already sold out in several colors.
3:11 PM — Sunrise Patriot Motion is like “what if Ashenspire swallowed a synthwave band” and I like it. It’s a strange contrast but it works.
4:03 PM — Wiegedood were doing a live soundtrack to a Japanese experimental silent film from 1926 and it was as odd as that sounds.
5:44 PM — Grabbed some food during a gap in the schedule and afterward watched a few songs of Sean Mulrooney’s set (from Tau and the Drones of Praise). Dark folk with sparse vocals doesn’t really work unless the vocals are good, and these weren’t.
5:47 PM — Now sitting outside the venue where UBOA is doing her thing and it sounds like two supercomputers on train tracks colliding head-on. Bit above my maximum noise-to-music ratio.
7:16 PM — Inter Arma is pretty dang massive. Sound in the venue isn’t great so the guitars aren’t getting their due but faces are caving in.
8:26 PM — WHITE WARD IS FUCKING AMAZING
8:35 PM — Their saxophone player is in the army so they had to make do with samples, but after 4 canceled appearances due to Covid and the war, it was worth the wait.
9:46 PM — Everyone and the family dog wants to see Chelsea Wolfe, so being 20 minutes early still meant nosebleed spots in the balcony. Wolfe fills the room anyway. I don’t always click with her albums that much, but man she is a force to behold on stage.
10:54 PM — Shows hadn’t left much time for food today, so a big fat doner wrap will have to do. A fellow with too little blood in his alcohol walked into the door and cracked his head on the tiles. Walked away 10 minutes later. Hope he survived.
11:37 PM — Goddamn, Backxwash is heavier with her hip-hop than most bands are playing metal. No one on stage but a black woman in a poofy dress laying down the law over raw industrial beats. Fucking awesome set.
Day 2 (Friday, 19th of April)
3:14 PM — Started off crammed into the room like sardines to hear Fluisteraars do an experimental set: the droniest of drone with birdsong on top. Handled about 10 minutes of that before bailing. Not my jam and way overcrowded.
3:39 PM — Mat McNerney (aka Kvohst of Hexvessel and others) doing a commissioned piece called Music For Gloaming: A Nocturne. Very gothic doom/black mixture, pretty cool set with loads of atmosphere.
6:33 PM — After a meal we went to check out Lucy Kruger + The Lost Boys in the Hall of Fame venue. Very nice weighty dream pop, not unlike Emma Ruth Rundle.
8:31 PM — Good thing we were there because Inter Arma was drafted for a second performance, a secret set of material from their classic albums. Also in the Hall of Fame, the smallest venue of the festival. Absolutely brainscramblingly colossal. Easily the heaviest thing on the festival so far.
9:52 PM — Another secret set, this one by Couch Slut in the skate park. Harsh music under the harsh glare of the tubes. Great performance and the venue brought out their punky DIY spirit, looking forward to seeing them again early tomorrow for their new album playthrough.
Day 3 (Saturday, 20th of April)
1:24 PM — Knoll for breakfast is kind of terrifying and overwhelming but also kind of awesome in a “my skull is now 2D” kind of way.
1:26 PM — Suddenly a wild trumpet appears!
2:25 PM — Couch Slut playing their new album. Raw as all fucking get out. Great show! Excellent live band both performances, visceral as fuck. The frontwoman confessed to only sleeping 90 minutes that night, and occasionally it showed, but by and large, she killed it.
2:50 PM — Oneiroporeia is a super young band and it shows, but their blackened prog-goth sound is solid and promising.
5:04 PM — Roadburn has a queue problem this year, especially today, and primarily at the Spoorzone venues. It’s always unclear when a venue opens and the queues have gotten gigantic. After wasting some time in a queue in an attempt to see Agriculture, we decided to settle in at the Main stage and wait for The Keening.
5:52 PM — The Keening is as beautiful and fragile as the titular Little Bird, but could use a few more dynamic stanzas to balance out the mid-weight atmodoomfolk a little. Still quite pretty though.
8:37 PM — Between rain and queues we settled on Ni in the Paradox jazz club. Super skronky instrumental jazzmathcore is healing my soul right now.
10:44 PM — Ni turned out one of the best things I’ve seen at the festival this year. Cult Leader’s acidic sludgy hardcore made a run for the podium, but their gothic-doom passages just aren’t as captivating. When these guys go full blast though, they’re absolutely vicious.
11:32 PM — In the spirit of trying new things, we ended the day with a few Frail Body tracks. Safe to say that screamo is not my new passion.
Day 4 (Sunday, 21st of April)
3:05 PM — We dragged our exhausted husks to the Terminal for the final day. Kicking off with Laster is a good start. The weird psych black band with ghoulish masks are pretty much studio-tight. It does feel a little clinical or impersonal as a live show but it’s a very solid performance.
4:47 PM — Today really is black metal day at the Terminal. No complaints from me! Verwoed tears down the place with their ritualistic and reasonably melodic take. Good sound and a spirited performance. The Dutch black metal scene proves to be thriving once more.
6:27 PM — After all the doom and gloom, a little black thrash that’s all riffs and no brakes is just the ticket, and Devil Master hits the spot. Doing the second half of the set sitting on the floor by the wall because my feet are withered stumps at this point.
6:31 PM — I’m also surprised by the number of delighted, surprised faces I get from bartenders when I show them my order on my phone screen. Is it really that uncommon? It’s so much simpler than shouting!
8:32 PM — Biological necessities (aka food) and a queue meant missing the first half of Fluisteraars’ full black metal set. This is a shame because fuck me this is one of the best performances of the whole festival. It’s apparently only the second time the band performs live and they put most of their peers to shame.
10:18 PM — Dödsrit led a 50-minute war band to raid and pillage the Terminal. Baller set, tons of energy and extremely fun! Sound was a bit off, as is tradition in this venue, but it didn’t spoil a good time. Thought this would be the last show for us, but in the interest of a last drink with a few friends we went to…
11:29 PM — …the main stage for Cloakroom. Not a terribly engaging band even by shoegaze standards, but a nice lullaby to sing the festival to sleep.
Between collaborations, commissioned pieces, secret sets, and integral album presentations, not to mention a lot of bands that would not fit in at many other festivals, Roadburn’s line-up is always unique. I’d never have found bands like Ni or Lucy Kruger without the concerted efforts of Walter Hoeijmakers and Becky Laverty to keep Roadburn one of the most forward-thinking festivals out there. I found some new favorites and checked out some bands I knew only by reputation. But best of all is experiencing it all with an ever-expanding gaggle of friends. We’ve rarely watched a show with just the two of us; nearly every time we had the company of friends, and come rain or queues, that is the best way to experience this festival.
#Agriculture #Ashenspire #Backxwash #ChelseaWolfe #Cloakroom #CouchSlut #CultLeader #DevilMaster #Dödsrit #EmmaRuthRundle #Fluisteraars #FrailBody #Hexvessel #InterArma #Knoll #Laster #LucyKrugerTheLostBoys #ni #Oneiroporeia #SunrisePatriotMotion #TauAndTheDronesOfPraise #TheKeening #UBOA #Verwoed #WhiteWard #Wiegedood
-
August 2023 - Seascape: the state of our oceans
Endless fallout: the Pacific idyll still facing nuclear blight 77 years on
The film Oppenheimer has shone a global spotlight on the dawn of US nuclear weapons tests. In the #MarshallIslands, where 23 of those earth-shattering blasts happened, people have never been able to forget
by Lucy Sherriff
Fri 25 Aug 2023 03.00 EDT
"At first glance, the aquamarine waters that surround the Marshall Islands seem like paradise. But this idyllic #Pacific scene hides a dark secret: it was the location of 67 #nuclear detonations as part of US military tests during the #ColdWar between 1946 and 1958.
"The bombs were exploded above ground and underwater on Bikini and Enewetak Atolls, including one device 1,100 times larger than the Hiroshima atom bomb. Chernobyl-like levels of radiation forced hundreds from their homes. #BikiniAtoll remains deserted. At the US government’s urging, residents have begun returning slowly to #Enewetak.
"Today, there is little visible evidence of the tests on the islands except for a 115-metre (377ft)-wide cement dome that locals nickname the Tomb – for good reason.
"Built in the late 1970s and now aged and cracking, the huge concrete lid on #RunitIsland covers more than 90,000 cubic metres (3.1m cubic ft) – or roughly 35 Olympic-sized swimming pools – of radioactive soil and nuclear waste. Unbeknown to the #Marshallese people, the US shipped the waste from #Nevada, where it was testing nuclear weapons on #NativeAmerican land.
"The legacy of America’s nuclear testing on #IndigenousCommunities both on the US mainland and its territories has come under renewed scrutiny with the release of Oppenheimer, the blockbuster film about the physicist who led development of the atomic bomb.
"Although his team tested the nuclear weapons on Native American land – there were 928 large-scale nuclear weapons tests in #Nevada, #Utah and #Arizona during the cold war, dispersing huge clouds of radioactive material – the film never mentions the impact of the testing on the local Native Americans.
"'The film completely ignores the experiences of our people,' says #IanZabarte, principal man of the Western Bands of the #ShoshoneNation – who have been described as 'the most bombed nation on earth'.
"Zabarte is attempting to forge connections with those Pacific Islanders who were similarly affected by #NuclearTesting. Earlier this year, he met representatives from the Marshall Islands when they visited Nevada to discuss the effects on their health from nuclear weapons testing.
"'The health impacts on our people have never been investigated,' Zabarte says. 'We have never received an apology, let alone any kind of compensation.'
"Separately, a band of Marshallese activists are now sailing around the country’s 29 atolls, along with #Artists and #ClimateScientists, on a 12-day tour that aims to raise awareness of nuclear testing on the archipelago.
"The 520-mile ocean voyage is being operated by Cape Farewell, a cultural programme founded by the British artist David Buckland and funded by the Waverley Street Foundation, Laurene Powell Jobs’s climate charity.
"'Cancers continue from generation to generation,' says Alson Kelen, a master navigator and community elder who grew up on Bikini Atoll and is joining the expedition.
"'If you ask anyone here if there’s a legacy of nuclear impact on their health, the answer would be yes. The Marshall Islands Nuclear Claim Tribunal has a list of #cancers that are related to nuclear throughout our people. These cancers are hereditary.'
"The US maintains that the Marshall Islands are safe. It seized them from #Japan in 1944, and eventually granted the islands independence in 1979, but the fledgling nation remained in 'free association' with the US. Under this system, along with #Micronesia and #Palau, the Marshall Islands are self-governing but economically remain largely dependent on Washington, which also retains a military presence. Today it continues to use the US dollar, and American aid still represents a large percentage of its GDP.
"In 1988, an independent international tribunal was established to adjudicate between the two countries, and it later ordered the US to pay $2.3bn (£1.8bn) to the Marshall Islands in healthcare and resettlement costs.
"The US government has refused, arguing that its liabilities ended when it paid $600m in the 1990s. In 1998, the US stopped providing medical care for cancer-stricken islanders, leaving many in financial hardship."
#NuclearWasteDome #ClimateChange #SeaLevelRise #WaterIsLife #EnvironmentalRacism