• Hello world: our family update

    Jeeyun and I are new parents to this sweet baby girl. Kaylee Nari was born in June. We are excited, a bit tired, and hopeful for what God will do in our family.

  • Securely store SSH keys with Secretive

    Secretive is an app by Max Goedjen for storing and managing SSH keys in the Secure Enclave on macOS.

    Most of us keep our private SSH keys on disk at ~/.ssh/id_* with restrictive file permissions to keep them secret. Those permissions only stop other users, though: malware running under your own account can read and copy the key files as easily as you can.

    Secretive stores SSH private keys in the Secure Enclave[efn_note]The Secure Enclave is a part of modern Mac systems on chip (SoCs) which is “designed to keep sensitive user data secure even when the Application Processor kernel becomes compromised.” If you have a recent Mac with a T series chip or M series chip, you have a Secure Enclave.[/efn_note] where they cannot be exported by design. This makes it much more difficult for a malicious program to use them.

    When you create a key you can also choose stronger access control, such as requiring authentication before every use.

    Accessing such a key requires authentication with your Apple Watch, Touch ID, or password.

    In any case, whenever your keys are accessed, you get a notification. This keeps you aware of anything which uses your key — including by SSH agent forwarding. This works great for cloning from private Git repositories when deploying WordPress on a remote server.

    Since the private keys cannot be exported, you cannot back them up or use the same private keys on multiple computers. You can create different keys on every computer you use which keeps the private keys safe. I have another computer with Secretive which I use as a backup, but you may consider a cold storage strategy for backup keys which are not stored on your main computer’s disk.

    Secretive is available on GitHub. The binaries are created in an auditable build process which allows you to verify the source code for a given build corresponds to the release binary.

    You can install Secretive with Homebrew:

    brew install --cask secretive

    Once you have Secretive and its SecretAgent running, a simple configuration change to your ~/.ssh/config gets you going:

    Host *
      IdentityAgent "~/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/socket.ssh"

    Secretive exclusively uses ecdsa-sha2-nistp256 public keys[efn_note]Why this type? The NIST P-256 elliptic curve digital signature algorithm is used for signing because it’s what the Secure Enclave hardware supports. As a bit of an aside, some folks are cautious about this algorithm because they believe it is rigged due to an unexplained seed. This is difficult to prove or disprove. I am more likely to experience the threat of malware than a possible curve weakness.[/efn_note] which some services do not support, e.g. Azure DevOps which only supports ssh-rsa. For these keys, I use 1Password for SSH and include its IdentityAgent and Host settings for ssh.dev.azure.com earlier in my config file. The order matters: ssh uses the first value it finds for each option, so the host-specific block has to come before Host *:

    Host ssh.dev.azure.com
      IdentityAgent "~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"
    Host *
      IdentityAgent "~/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/socket.ssh"

    Since I am using identity agents like this, I no longer have any problems which require me to mess with running ssh-agent and ssh-add — access to servers and GitHub works well and seamlessly.
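    Because ssh takes the first value it finds for each option, a misordered config silently sends a host to the wrong agent, and the failure only shows up as a rejected key. The script below is an added example, not code from Secretive, 1Password or the original post: it reproduces OpenSSH's first-match rule for Host blocks over the config above (embedded as a constructed sample) and reports which agent socket a given host would be routed to. REVERSED_CONFIG is a hypothetical misordering included for comparison. On a real machine the authoritative check is `ssh -G ssh.dev.azure.com | grep -i identityagent`, which prints the option values ssh would actually use.

```python
"""Resolve which IdentityAgent socket ssh would use for a host.

Added example; not part of Secretive or the original post. It models
OpenSSH's first-match rule for ssh_config: for each option, the first
matching Host block that sets it wins and later blocks cannot override it.
"""
import fnmatch
import os

# Constructed sample: the two-agent config from the post, in the correct order.
SAMPLE_CONFIG = """\
Host ssh.dev.azure.com
  IdentityAgent "~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"
Host *
  IdentityAgent "~/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/socket.ssh"
"""

# Hypothetical misordering: Host * first, so it shadows the Azure block.
REVERSED_CONFIG = """\
Host *
  IdentityAgent "~/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/socket.ssh"
Host ssh.dev.azure.com
  IdentityAgent "~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"
"""


def parse_config(text):
    """Return a list of (patterns, options) blocks in file order.

    Options that appear before any Host line apply to every host, which is
    why the initial block uses the pattern '*'.
    """
    blocks = []
    patterns, options = ["*"], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        if "=" in key:                      # ssh_config also accepts Key=Value
            key, _, value = line.partition("=")
        key = key.strip().lower()
        value = value.strip().strip('"')    # quoted values may contain spaces
        if key == "host":
            if options:
                blocks.append((patterns, options))
            patterns, options = value.split(), {}
        else:
            options.setdefault(key, value)  # first value inside a block wins too
    if options:
        blocks.append((patterns, options))
    return blocks


def host_matches(host, patterns):
    """OpenSSH semantics: any listed pattern may match; a pattern prefixed
    with '!' excludes the host from the block even if another pattern hit."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched


def resolve(host, option, config_text=SAMPLE_CONFIG):
    """Value ssh would use for `option` when connecting to `host`: the one
    from the first matching block that sets it, or None if nothing does."""
    for patterns, options in parse_config(config_text):
        if host_matches(host, patterns) and option.lower() in options:
            return options[option.lower()]
    return None


def agent_for(host, config_text=SAMPLE_CONFIG):
    """IdentityAgent path with '~' expanded, as ssh does before connecting."""
    value = resolve(host, "IdentityAgent", config_text)
    return os.path.expanduser(value) if value else None


if __name__ == "__main__":
    for name, cfg in (("correct order", SAMPLE_CONFIG), ("reversed", REVERSED_CONFIG)):
        print(name)
        for host in ("github.com", "ssh.dev.azure.com"):
            print(f"  {host}: {agent_for(host, cfg)}")
```

    With the correct order, github.com resolves to the Secretive socket and ssh.dev.azure.com to the 1Password socket; with the reversed order both hosts go to Secretive and the Azure login fails, because the Host * block already supplied IdentityAgent before the Azure block was consulted.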

    Many large companies have been using hardware tokens like YubiKeys to store keys and secure important systems. I am glad to bring this kind of technology home for my own servers.

    One more thing: If you have an older Mac without a Secure Enclave, you can use Secretive with smart cards like a YubiKey.

  • Uncommon Observations about the VESA Studio Display

    I have used a Studio Display with a VESA mount and nano-texture glass for a bit over a week. Here are some uncommon observations about this particular model coming from an LG UltraFine 5K and two Intel MacBook Pros.

    macOS rotates the screen for you when the display is rotated into portrait. This works perfectly and automatically. In addition, the built-in camera will also rotate the image at the same time, which allows you to rotate the screen mid-call if you wish.

    The screen is much faster to wake the computer than the LG UltraFine 5K. I normally use my computers in clamshell mode. I used to have to pop open the lid on my computer every so often because I could not wake the computer from the keyboard. This never happens with the Studio Display.

    I use wired Ethernet using a Belkin USB-C adapter sold by Apple (an older black one) and have a gigabit connection to the internet. This adapter technically did work when connected to an LG UltraFine 5K; however, the speed would be limited to a max of under 400 Mbps due to LG weirdness. When this same adapter is connected to the Studio Display, I get the full speed of my connection at around 940 Mbps. This means I can truly use a single cable from my computer to the display for everything.

    I ordered this display sight unseen and opted for the nano-texture without looking at an example of the texture in person. I dislike the texture.

    I work in a room with a lot of natural light; however, the texture is less desirable than any minor glare I had with the UltraFine. I miss the image quality of the UltraFine; however, I have grown to dislike the texture a bit less after several days of use. Given it takes 8-10 weeks to get a replacement display, I’ll keep this one, especially since my wife is now using the UltraFine 5K for her work.

    The polishing cloth is a perfect fit inside a Ziploc snack sized bag.

    You cannot clean the screen with anything except this cloth. We have the best cleaning lady who helps us keep our home clean, so I made a note which I printed out, put inside a sheet protector, and tape to the top of the screen while cleaning since it’s such an unusual requirement to remember.

    I have yet to get “Hey Siri” to work correctly. This might be an Intel thing. Setting up “Hey, Siri” when my computer is in clamshell mode does not work — the computer prompts me to open the lid because macOS probably doesn’t understand the Studio Display’s capability during setup of “Hey, Siri.”

    Many other parts of the experience are well documented elsewhere: image quality, so-so webcam, weird Center Stage framing, superb speakers and microphones, excellent build quality compared with LG, and so on.

    Overall, I believe the Studio Display solves some quality of life issues for a true single-cable “dock” for those who want wired Ethernet and a display on a single cable. The perfect sleep wake, perfect wired Ethernet, and the automatic screen and camera rotation on the VESA model make it the model to get.

  • Hosting a nonprofit website for free with WordPress, Azure, Trellis, and Terraform

    I open sourced the WordPress stack and Azure web server infrastructure used for awakeningchurch.com.

    Azure can host WordPress at no cost because Microsoft offers $3,500 a year in Azure credits for nonprofits. You only need about $360 of these credits to serve a simple website with staging and production servers.

    WordPress stack

    The WordPress repo is a combination of Trellis and Bedrock which provide server provisioning and dependency management powered by Ansible and Composer. You can manage it all with the simple Trellis CLI.

    Inside you will find:

    We are using Composer to install and update WordPress plugins like these:

    Some custom plugins we developed for custom post types like teaching and events are not yet open source. We are moving from Azure DevOps to GitHub for hosting repositories and these plugins will make the move soon.

    Infrastructure with Terraform

    The infrastructure repo contains a Terraform configuration to set up a blue-green deployment of staging and production servers.

    You can get a lot of performance out of a small server with Trellis when using FastCGI caching.

    The setup is simple: a single Standard B1s server and a Premium SSD P4 32 GB for each environment. This costs about $30/month for two servers with one per environment. We only use about $360 of our $3,500 credits so the hosting is free.

    Other infrastructure

    We also use Azure storage for storing WordPress uploads and the Azure CDN for delivering uploaded assets. Uploads and CDN URLs are handled by the Azure Storage Plugin. Costs are minimal and there are plenty of left over credits to spend.

    This storage infrastructure is not included in our web Terraform infrastructure because it was created long ago.

    What’s next

    As I need to recreate servers to upgrade them, I plan to extend the Terraform repo to include a wrapper stack to switch Cloudflare DNS to new servers. I do DNS changes manually for now.

    Self-hosting is great

    I hope this example of hosting a WordPress website will help you in creating websites of your own.

    Nonprofits with nerds on staff (or volunteering) can make use of the $3,500 in Azure credit to make their website hosting free.

    I believe owning your web presence is important. Most folks can grab a domain and pay a provider to host WordPress. Since you control your site’s data, you can easily grow your site later and have hundreds of hosting options, plugins, and themes to build your site.

    And if you are comfortable on the command line, you can use the Trellis CLI to create a new WordPress installation and start a $5 DigitalOcean droplet which is more than powerful enough to host most websites. You can locally develop your changes and deploy them to your production site with little effort.

    Getting started looks something like this:

    brew install roots/tap/trellis-cli vagrant virtualbox
    trellis new example.com
    trellis up

    This very site uses Trellis. I host several more websites using similar tools which makes self-hosting WordPress much easier.

    WordPress block editing has made WordPress into a very flexible tool for content. I recommend you try WordPress out if you haven’t used it in a while — it’s good.

  • Robust Portable Live Streaming on a Budget

    In 2019, I built a new live streaming PC for Awakening Church. I am excited to share the details of our live studio PC and how you can build your own to have high-quality live production switching and streaming without the typical high cost.

    A few months ago we shifted to recording our weekly broadcast in advance using DSLRs, but we’ll soon be returning to a live workflow and we will be using this equipment at the core.

    Background

    Back in 2016, Awakening Church used a single Blackmagic Pocket Cinema Camera with a Teradek VidiU to stream to our own self-hosted live video server. Times have changed. We now have a multi-camera production with live switching to make it easier to produce live streams.

    Before our latest 2019 build, we used a custom computer built in 2017. This computer worked well but each camera required a lot of cables: power, SDI, and VISCA in/out. This made cabling heavy and cumbersome to set up. Additionally, the PC was in a standard case, which means we had to set up all cabling from scratch every week.

    This computer was stolen in late 2019. We thankfully had insurance which covered the cost of building a replacement.

    Awakening has been and still is a mobile church which needs to set up and tear down every week. When building the replacement, we kept setup and teardown issues in mind.

    Requirements

    • Entire system easy to assemble and store
    • Operation by a single volunteer — this means remotely controlled cameras
    • Save money over commercial systems costing $8K+
    • Reduce cable needs

    Our 2019 build

    We used Vimeo Premium and its bundled Livestream Studio switcher for video production, so the entire computer is built to run this program.

    The software requires hardware acceleration for best performance, so we chose a processor with an integrated GPU which supports Intel Quick Sync video to offload some H.264 encoding and decoding tasks.

    We adopted NDI|HX cameras which can handle power, network control, and H.264 video all in a single Ethernet cable.

    We no longer need a capture card for every camera, but we still need one for capturing ProPresenter slides.

    We use a rackmount design to allow the computer to remain in a portable rack alongside a PoE switch and PDU. This lets us easily set up and tear down the system every week.

    Here’s a picture of the portable PC rack:

    The EdgeSwitch is for the camera network. The switch provides power to the cameras and a PTZ controller which makes it easy to move the cameras. You could also just use the PTZ controls within Livestream Studio to save more on costs.

    Here’s the part list, including the switch, PDU, and Gator rack:

    We already had a donated 150W EdgeSwitch, so the cost isn’t included in the above list.

    Here’s the interior:

    Recent additions in the above photo not included in the part list are an internal hardware license USB dongle and onboard Wi-Fi. And yes, that’s a Fry’s receipt for Rip-Ties. So long, Fry’s.

    Studio

    In March 2020 we set up this equipment semi-permanently in our church’s studio. Here’s a photo of the early setup. We now have large 4K monitors instead of a single small one, but this small monitor worked well for easy storage in a Pelican 1650 case.

    Performance

    This system performs well for a fraction of the cost of typical commercial live streaming systems. The Intel i7-9700 includes an integrated GPU with Intel Quick Sync video which hardware accelerates H.264 encoding and decoding in Livestream Studio.

    However, this setup did not perform well when adding a third camera.

    After adding a third NDI|HX camera, we’re starting to hit the limits of performance of this system when also used with a computer HDMI input which requires conversion.

    My friend Douglas suspected thermal issues with the CPU, so we looked into that as well, but the real issue appeared to be the need for a dedicated GPU to keep the CPU workload down.

    Adding a GPU

    We added a Quadro P1000 graphics card from B&H after running into performance issues. Livestream Studio appears to work much better with this card in place. Our previous CPU usage was very high — often over 85% during recording and streaming. We’re now back down to about 50% according to the operator who ran cameras today.

    This added $317.99 to the cost of the above build.

    I’d bet you could save some money and get a Quadro P400 to do the same job. It’s the same card used in Livestream’s own high-end HD51 4K edition which costs $8,999. (See Livestream product datasheet.) The P400 card is only $118.74 from B&H.

    The integrated GPU is disabled in firmware by default because we added a dedicated GPU. I was curious if running both the iGPU and Quadro would be beneficial, but I didn’t bother turning it back on after the tests went well.

    If your build is not constrained to low-profile cards due to a 2U rackmount design, you have a lot more options for hardware encoding and decoding with NVIDIA than the Quadro series, but this card does quite well and includes a regular-sized bracket for use in traditional PC cases. Since the P400 contains the same hardware H.264 decoding and encoding engines and stream limits as the P1000, consider the P400 before needing to add on more cost with a more expensive card.

    Summary

    The rackmount setup in a portable case is ideal for setup and teardown. Using NDI|HX takes more compute resources but really reduces the amount of cabling. And the machine is very easy to build with commonly available parts.

    We are preparing to use this equipment again for live streaming in an outdoor setting under a tent. In the future, I look forward to sharing what we learn from adapting this equipment to our new environment.