Category: Wordpress

Everything posted after the migration to Wordpress

More fun with Yubikey: Signed Git commits and GPG agent forwarding

virtualwolfWordpressLeave a comment

I’ve been on a “What other neat things can I do with my Yubikey” kick after my last post, and it turns out one of those neat things is to cryptographically sign Git commits. This allows you to prove that the owner of a particular GPG key is actually the person who committed the code. 

Setting up signed Git commits locally is very easy, run git config --global user.signingkey "<ID of your GPG signing subkey>" (mine is C65E91ED24C34F59 as shown in the screenshot below), then run your Git commit normally but with the added flag -S to sign it.

Bitbucket Cloud doesn’t currently support displaying signed Git commits in the UI, but you can do it on GitHub and you get a shiny little “Verified” badge next to each one and this message when you click on it:

You can also show it locally with git log --show-signature.

This is all well and good, but what if you want to sign something on a remote server that you’re connected to via SSH? Enter GPG agent forwarding!

Just like you can do SSH agent forwarding to have your private SSH key securely forwarded to a machine you’re connecting to, you can do the same with the GPG agent that stores your GPG keys and allow it to access your signing subkey. Setting up GPG agent forwarding is broadly straightforward, but make a note of which versions of GNUPG you’re running at each end. The “modern” version is 2.1 and higher, I’m running 2.2.x on my Macs but my Linode runs CentOS 7 which only comes with GPUPG 2.0.x and I wasn’t able to fully get agent forwarding working between it and 2.2.x on my Macs. I tested the latest Debian with 2.1 and that worked.

I followed this guide, but one extremely important note is that you can’t use a relative path for the local or remote sockets, they have to be the full absolute path. This becomes a pain when you’re connecting to and from different OSes or machines where your username differs. Thankfully, SSH has a Match exec option where you can run a command to match different hosts and use different host definitions (and thus put in different paths for the sockets) depending on your local and remote machines.

Mine looks like this :

# Source machine is a personal Mac, connecting to another personal Mac on my local network; the local network all uses the .core domain internally
Match exec "hostname | grep -F .core" Host *.core
    RemoteForward /Users/virtualwolf/.gnupg/S.gpg-agent /Users/virtualwolf/.gnupg/S.gpg-agent.extra

# Source machine is a personal Mac, connecting to my Linux box
Match exec "hostname | grep -F .core" Host {name of the Host block for my Linode}
    RemoteForward /home/virtualwolf/.gnupg/S.gpg-agent /Users/virtualwolf/.gnupg/S.gpg-agent.extra

# Source machine is my work Mac, connecting to my Linux box
Match exec "hostname | grep -F {work machine hostname}" Host {name of the Host block for my Linode}
    RemoteForward /home/virtualwolf/.gnupg/S.gpg-agent /Users/{work username}/.gnupg/S.gpg-agent.extra

(Yes, technically this doesn’t work as I mentioned at the start due to my Linode being on CentOS 7 and having GNUPG 2.0, but the socket forwarding bit works, just not when I actually want to do anything with it. :P)

Nginx, PHP-FPM, and Cloudflare, oh my!

virtualwolfWordpressLeave a comment

I use my Linode to host a number of things (this blog and Kristina’s, my website and Kristina’s, an IRC session via tmux and irssi for a friend and me, and probably another thing or two I’m forgetting). Kristina started up a travel blog a few months ago which I’m also hosting on it, and shortly after that point I found that maybe once every two weeks or so my website and our blogs weren’t running anymore. I looked into it and it was being caused by Linux’s Out-Of-Memory Killer, which kicks in when the system is critically low on memory and needs to free some up, killing the Docker container that my website runs in as well as MariaDB.

The main cause was Apache and MariaDB using up entirely too much memory for my little 1GB Linode, it was evidently just sitting on this side of stable with two WordPress blogs but adding a third seems like it tipped it over the edge. The reason MariaDB and my website’s Docker container were being killed is because although Apache was using up a heap of memory it was spread over a number of worker threads, so individually none of those were high, and MariaDB and my website were the largest on the list. There’s lots of tweaks you can do, several of which I tried, but all that happened was that it delayed the inevitable rather than entirely resolving it. Apache is powerful but low-resource-usage it ain’t. The primary low-resource-usage alternative to Apache is Nginx, so I figured this weekend I’d have a crack at moving over to that.

Overall it was pretty straightforward, this guide from Digital Ocean was a good starting point, the bits where it fell short was mostly just a case of looking up all of the equivalent directives for SSL, mapping to filesystem locations, etc. (I have ~15 years of history of hosted images I’ve posted on the Ars Technica  forums and my old LiveJournal—which is now this blog—and wanted to make sure those links all kept working). 

One difference is with getting WordPress going… WordPress is all PHP, and Apache by default runs PHP code inside the Apache process itself via mod_php, whereas when you’re using Nginx you have to be using PHP-FPM or similar which is an entirely separate process that runs on the server and that Nginx talks to to process the PHP code. I mostly followed this guide, also from Digital Ocean though there were a couple of extra gotchas I ran into when getting it fully going with Nginx for WordPress:

  • Edit /etc/nginx/fastcgi_params and add a new line with this content or you’ll end up with nothing but an empty blank page: fastcgi_param PATH_TRANSLATED $document_root$fastcgi_script_name;
  • Remember to change the ownership of the WordPress installation directory to the nginx user instead of  apache
  • The default settings for PHP-FPM assume it’s running on a box with significantly more than 2GB of RAM; edit /etc/php-fpm.d/www.conf and change the line that says pm = dynamic to be pm = ondemand; with ondemand PHP-FPM will spin up worker processes as needed but will kill off idle ones after ten seconds rather than leaving them around indefinitely.

Additionally, Nginx doesn’t support .htaccess files so if you’ve got WordPress set up to use any of the “pretty”-type links, you’ll end up with 404s when you try to view an individual post instead. The fix is to put the following into the server block at the bottom:

location / {
    try_files $uri $uri/ /index.php?$args;
}

So it’ll pass the correct arguments to WordPress’ index.php file. You’ll also want to block access to any existing .htaccess files as well:

location ~ /\.ht {
    deny all;
}

The last thing I did with this setup was to put the entirety of my website, Kristina’s, and our respective blogs behind Cloudflare. I had great success with their DNS over HTTPS service, and their original product is essentially a reverse proxy that caches static content (CSS, Javascript, images) at each of their points of presence around the world so you’ll load those from whichever server is geographically closest to you. For basic use it’s free, and includes SSL, you just need to point your domain’s nameservers at the ones they provide. The only thing I needed to do was to set up another DNS record so I could actually SSH into my Linode, because now the host virtualwolf.org resolves to Cloudflare’s servers which obviously don’t have any SSH running!

Overall, the combination of Nginx + PHP-FPM + Cloudflare has resulted in remarkably faster page loads for our blogs, and thus far significantly reduced memory usage as well.

GPG and hardware-based two-factor authentication with YubiKey

virtualwolfWordpress2 Comments

As part of having an Ars Technica Pro++ subscription, they sent me a free YubiKey 4, which is a small hardware token that plugs into your USB port and allows for a bunch of extra security on your various accounts because you need the token physically plugged into your computer in order to authenticate. It does a number of neat things:

  • Generating one-time passwords (TOTP) as a second-factor when logging in to websites;
  • Storing GPG keys;
  • Use as a second-factor with Duo;

And a bunch of other stuff as well, none of which I’m using (yet).

My password manager of choice is 1Password, and although it allows saving one-time passwords for websites itself, I wanted to lock access to the 1Password account itself down even further. Their cloud-based subscription already has strong protection by using a secret key in addition to your strong master password, but you can also set it up to require a one-time password the first time you log into it from a new device or browser so I’m using the YubiKey for that.

I also generated myself GPG keys and saved them to the YubiKey. It was not the most user-friendly process in the world, though that’s a common complaint that’s levelled at GPG. I found this guide that runs you through it all and, while long, it’s pretty straightforward. It’s all set up now, though, my public key is here and I can send and receive encrypted messages and cryptographically sign documents, and the master key is saved only on an encrypted USB stick. You can also use the GPG agent that runs on your machine and reads the keys from the YubiKey to also be used for SSH, so I’ve got that set up with my Linode.

The last thing I’ve done is to set the YubiKey up as a hardware token with Duo and put my Linode’s SSH and this blog (and soon Kristina’s, though hers not with the YubiKey) behind that. With the Duo Unix module, even sudo access requires the YubiKey, and the way that’s set up is that you touch the button on the YubiKey itself and it generates a code and enters it for you.

It’s all pretty sweet and definitely adds a bunch of extra security around everything. I’m busily seeing what else I can lock down now!

Setting up DNS over HTTPS on macOS

virtualwolfWordpress6 Comments

Back in April, Cloudflare announced a privacy-focused DNS server running at 1.1.1.1 (and 1.0.0.1), and that it supported DNS over HTTPS. A lot of regular traffic goes over HTTPS these days, but DNS queries to look up the IP address of a domain are still unencrypted, so your ISP can still snoop on which servers you’re visiting even if they can’t see the actual content. We have a Mac mini that runs macOS Server and does DHCP and DNS for our home network, among other things, and with the impending removal of those functions and their suggested replacements with regular non-UI tools with a upcoming version of it, I figured now would be a good time to look into moving us over to use Cloudflare’s shiny new DNS server at the same time.

Turns out it wasn’t that difficult!

Overview

  1. Install Homebrew.
  2. Install cloudflared and dnsmasq: brew install cloudflare/cloudflare/cloudflared dnsmasq
  3. Configure dnsmasq to point to cloudflared as its own DNS resolver.
  4. Configure cloudflared to use DNS over HTTPS and run on port 54.
  5. Install both as services to run at system boot.

Configuring dnsmasq

Edit the configuration file located at /usr/local/etc/dnsmasq.conf and uncomment line 66 and change it from server=/localnet/192.168.0.1 to server=127.0.0.1#54 to tell it to pass DNS requests onto localhost on port 54, which is where cloudflared will be set up.

Configuring cloudflared

Create the directory /usr/local/etc/cloudflared and create a file inside that called config.yml with the following contents:

no-autoupdate: true
proxy-dns: true
proxy-dns-port: 54
proxy-dns-upstream:
  - https://1.1.1.1/dns-query
  - https://1.0.0.1/dns-query

Auto-update is disabled because that seems to break things when the update occurs, and the service doesn’t start back up correctly.

Configuring dnsmasq and cloudflared to start on system boot

dnsmasq: sudo brew services start dnsmasq will both start it immediately and also set it to start at system boot.

cloudflared: sudo cloudflared service install, which installs it for launchctl at /Library/LaunchDaemons/com.cloudflare.cloudflared.plist.

Updating your DNS servers

Now that dnsmasq and cloudflared are running, you need to actually tell your machines to use them as their DNS servers! Open up System Preferences > Network, hit Advanced, and in the DNS tab click the + button and put your computer’s local IP address in. (You’ll want to make sure your machine has a static IP address, of course). Repeat the process for everything else on your local network to have them all send their DNS traffic to 1.1.1.1 as well.

You can confirm that all your DNS traffic is going where it should be with dnsleaktest.

And done!

I was surprised at how straightforward this was. I also didn’t realise until I was doing all of this that dnsmasq also does DHCP, so with the assistance of this blog post I’ve also replaced the built-in DHCP server on the Mac mini and continue to have full local hostname resolution as well!

Knights Ridge “eco retreat”

virtualwolfTravel / Wordpress
Knights Ridge “eco retreat”

We went for a weekend away up to a place in the Hunter Valley billing itself as an “eco retreat” and it was pretty great! We were able to bring Beanie along too, which he loved. Kristina had the great idea to get one of those extendo-leads so he was able to roam up to five metres away and smell all the smells while still remaining technically on his lead.

The whole place is entirely off-grid: electricity comes from solar plus battery storage (though they also included instructions for how to start up the backup generator in case anything happened), the toilet is a composting one, and water is all captured from the rain and stored. They did have a somewhat anaemic ADSL2 connection though, so I don’t know if you count that as still being entirely off-grid. 😛 There was zero mobile phone signal though, the whole time we were there our phones said “No service”.

The place was decorated in quite the rustic style, with all sorts of old bits and bobs around, but it was all totally clean and dust-free.

Sitting
Untitled
Untitled

There was no electric kettle, only an old stovetop one, and you don’t realise  how spoiled you are until you remember just how damn long it takes for a kettle to come to a boil on a gas stovetop!

Putting a cuppa on

The whole place was completely and totally silent in terms of any sort of human noise, the only sounds were from the trees and birds, and it was absolutely delightful. Sunset down the shallow valley that we were in was quite nice too.

Spotlight
Sunset

At dusk we saw a couple of wombats, though Beanie had to bark at them probably because they were low and had four legs and so looked somewhat dog-shaped, but we also saw some kangaroos! Beanie was absolutely fascinated by the kangaroos, we were watching from a goodly distance and he was sitting there absolutely laser-focused on them.

A distant kangaroo!
The kangaroo is the little tiny spec right in the middle where the field starts turning into the side of the valley.
Intently watching the distant kangaroo

My only complaint with the place is the number of bugs that manage to come in at night! Only about half the windows have flyscreens on them, so we had to run around and mostly close the place up once dusk arrived. All in all it was extremely relaxing, though. A++ would relax again.

The full album of photos is on Flickr.

Book recommendations, 2018 edition

virtualwolfWordpress

Fair warning, I’m rubbish at writing reviews so I’m just going to copy and paste the summary from Booktopia. 😛 But I’ve read all of these books and they’re all fantastic and highly recommended!

Vigil by Angela Slatter (Book 1 of the Verity Fassbinder series)

Urban fantasy set in Brisbane.

Verity Fassbinder has her feet in two worlds.

The daughter of one human and one Weyrd parent, she has very little power herself, but does claim unusual strength — and the ability to walk between us and the other — as a couple of her talents. As such a rarity, she is charged with keeping the peace between both races, and ensuring the Weyrd remain hidden from us.

But now Sirens are dying, illegal wine made from the tears of human children is for sale — and in the hands of those Weyrd who hold with the old ways — and someone has released an unknown and terrifyingly destructive force on the streets of Brisbane.

And Verity must investigate, or risk ancient forces carving our world apart. 

The Stars are Legion by Kameron Hurley

Science fiction, a review on Amazon described it as “biopunk” which I think is perfect. It’s one of those books where very little is explicitly spelled out and you gather more and more little nuggets about the world as the book goes on.

Somewhere on the outer rim of the universe, a mass of decaying worldships known as the Legion is traveling in the seams between the stars. For generations, a war for control of the Legion has been waged, with no clear resolution. As worlds continue to die, a desperate plan is put into motion.

Zan wakes with no memory, prisoner of a people who say they are her family. She is told she is their salvation — the only person capable of boarding the Mokshi, a world-ship with the power to leave the Legion. But Zan’s new family is not the only one desperate to gain control of the prized ship. Zan must choose sides in a genocidal campaign that will take her from the edges of the Legion’s gravity well to the very belly of the world. Zan will soon learn that she carries the seeds of the Legion’s destruction — and its possible salvation. 

The Collapsing Empire by John Scalzi (Book 1 of the Interdependency series)

Science fiction.

In the far future, humanity has left Earth to create a glorious empire. Now this interstellar network of worlds faces disaster — but can three individuals save their people?

The empire’s outposts are utterly dependent on each other for resources, a safeguard against war, and a way its rulers can exert control. This relies on extra-dimensional pathways between the stars, connecting worlds. But “The Flow” is changing course, which could plunge every colony into fatal isolation.

A scientist will risk his life to inform the empire’s ruler. A scion of a Merchant House stumbles upon conspirators seeking power. And the new Empress of the Interdependency must battle lies, rebellion and treason. Yet as they work to save a civilization on the brink of collapse, others have very different plans…

The Fifth Season by N.K. Jemisin (Book 1 of the Broken Earth trilogy)

Science-fiction/fantasy, it’s kind of hard to nail it down to a single genre.

Three terrible things happen in a single day.

Essun, masquerading as an ordinary schoolteacher in a quiet small town, comes home to find that her husband has brutally murdered their son and kidnapped their daughter. Mighty Sanze, the empire whose innovations have been civilization’s bedrock for a thousand years, collapses as its greatest city is destroyed by a madman’s vengeance. And worst of all, across the heartland of the world’s sole continent, a great red rift has been torn which spews ash enough to darken the sky for years. Or centuries.

But this is the Stillness, a land long familiar with struggle, and where orogenes — those who wield the power of the earth as a weapon — are feared far more than the long cold night. Essun has remembered herself, and she will have her daughter back.

She does not care if the world falls apart around her. Essun will break it herself, if she must, to save her daughter.

Leviathan Wakes (Book 1 of The Expanse series)

Gritty science fiction. (It should be noted that there are currently seven books in this series so far, and they are all brilliant.)

Humanity has colonised the planets — interstellar travel is still beyond our reach, but the solar system has become a dense network of colonies. But there are tensions — the mineral-rich outer planets resent their dependence on Earth and Mars and the political and military clout they wield over the Belt and beyond.

Now, when Captain Jim Holden’s ice miner stumbles across a derelict, abandoned ship, he uncovers a secret that threatens to throw the entire system into war. Attacked by a stealth ship belonging to the Mars fleet, Holden must find a way to uncover the motives behind the attack, stop a war and find the truth behind a vast conspiracy that threatens the entire human race.

Bound by Alan Baxter (Book 1 of the Alex Caine trilogy)

Urban fantasy set (at least initially) in Sydney.

Alex Caine is a martial artist fighting in illegal cage matches. His powerful secret weapon is an unnatural vision that allows him to see his opponents’ moves before they know their intentions themselves.

After a fight one night, an enigmatic Englishman, Patrick Welby, claims to know Alex’s secret. Welby shows Alex how to unleash a breathtaking realm of magic and power, drawing him into a mind-bending adventure beyond his control. And control is something Alex values above all else. 

Changer by Matt Gemmell (Book 1 of the Kestrel series)

Urban fantasy-slash-science-fiction, set in the Edinburgh, Scotland.

Jutland, Denmark: a billionaire industrialist seizes control of a top-secret project that the European Defence Agency calls Destiny, manipulating it for his own ends.

Edinburgh, Scotland: physicist Neil Aldridge’s life is saved by an elite EU special forces team, codenamed KESTREL, drawing him into a race against time to prevent a disaster that will claim millions of lives.

As the chase leads to London, Amsterdam and beyond, Aldridge and his allies must battle a ruthless adversary: a trained killer with an unnatural ability, who seeks to hasten the cataclysm.

With time running out, Aldridge discovers that he and his enemy share an astonishing secret, which may be the key to salvation — or cause death on an unprecedented scale…

The spiritual successor to SimCity, Cities: Skylines

virtualwolfWordpressLeave a comment

I first played the original SimCity Classic back in the early 1990s on our old Macintosh LC II, and absolutely loved it. Laying out a city and watching it grow was extremely satisfying, and the sequel, SimCity 2000 was even more detailed. I played a bit of SimCity 4, which came out in 2003, but the latest entry in the series, titled just “SimCity“, by all accounts sucked. The maps were significantly smaller in size, and it required an internet connection and was multiplayer to boot.

It’s actually possible to play SimCity 2000 on modern machines and I definitely got stuck into it a few years ago. This is a screenshot of my most recent city!

Screenshot of SimCity 2000, zoomed out and showing as much of my city as possible.

If you’re wanting a proper modern SimCity 2000-esque experience though, Cities: Skylines is what you’re after. It came out in March of 2015 on desktop, and was ported to Xbox One in April of 2017 and they did a damned good job of it, the controls are all perfectly suited to playing on a controller as opposed to with a mouse and keyboard.

The level of detail of the simulation is fantastic, you can zoom all the way in and follow individual people (called “cims”, as opposed to SimCity’s “sims”) or vehicles and see where they’re going. There’s a robust public transport system and you can put in train lines (and buses, and trams, and a subway, and in the most recent expansion called Mass Transit, even monorails, blimps, and ferries!) and see the cims going to and from work, and how many are waiting at each station and so on.

We recently upgraded to the Xbox One X and a shiny new OLED 4K TV (quite the upgrade from our nine year-old 37″ giant-bezeled LCD TV!), and it makes for some very nice screenshots. These are from my largest city called Springdale, currently home to ~140k people!

Nostalgia and the Classic Mac OS

virtualwolfWordpress2 Comments

I’ve been a Mac user my entire life, originally just because my dad used them at his work and so bought them for home as well. My earliest memories are of him bringing his SE/30 home and playing around in MacPaint. We also had an Apple IIe that we got second-hand from my uncle that lived in my bedroom for a few years, though that doesn’t count as a Mac.

The first Mac my dad bought for us at home was the LC II in 1992 (I was 9!), and I can remember spending hours trawling through Microsoft Encarta being blown away at just how much information I could look up immediately. I also remember playing Shufflepuck Café and Battle Chess, and I’m sure plenty of others too that didn’t leave as large an impression. There was also an application that came with the computer called Mouse Practice that showed you how to use a mouse, and we had At Ease installed for a while as well until I outgrew it.

After the LC II we upgraded to the Power Macintosh 6200 in 1995, which among other things came with a disc full of demos on it including the original Star Wars: Dark Forces (which I absolutely begged my parents to get the full version of for Christmas, including promising to entirely delete Doom II which they were a bit disapproving of due to the high levels of gore), and Bungie’s Marathon 2: Durandal (which I originally didn’t even bother looking at for the first few months because I thought it was something to do with running!). Marathon 2 was where I first became a fan of Bungie’s games, and I spent many many hours playing it and the subsequent Marathon Infinity as well as a number of fan-made total conversions too (most notably Marathon:EVIL and Tempus Irae).

The period we owned the 6200 also marked the first time we had an internet connection as well (a whopping 28.8Kbps modem, no less!). The World Wide Web was just starting to take off around this time, I remember dialing into a couple of the local Mac BBSes but at that point they were already dying out anyway and the WWW quickly took over. The community that sprang up around the Marathon trilogy was the first online community I was really a member of, and Hotline was used quite extensively for chatting. Marathon Infinity came with map-making tools which I eagerly jumped into and made a whole bunch of maps and put them online. I was even able to dig up the vast majority of them, there’s only a couple of them that I’ve not been able to find. I have a vivid memory of when Marathon:EVIL first came out, it was an absolutely massive 20MB and I can recall leaving the download going at a blazing-fast 2.7KB/s for a good two or three hours, and constantly coming back to it to make sure it hadn’t dropped out or otherwise stopped.

After the Marathon trilogy, Bungie developed the realtime strategy games Myth: The Fallen Lords and its sequel Myth II: Soulblighter, both of which I also played the hell out of and was a pretty active member of the community in.

After the 6200 we then had a second-gen iMac G3 then a “Sawtooth” Power Mac G4 just for me as my sister and I kept arguing about who should have time on the computer and the Internet. 😛 The G4 was quite a bit of money as you’d imagine, so I promised to pay it back to dad as soon as I got a job and started working.

macOS (formerly Mac OS X then OS X) is obviously a far more solid operating system, but I’ve always had a soft spot for the Classic Mac OS even with its cooperative multitasking and general fragility. We got rid of the old Power Mac G4 probably eight years ago now (which I regret doing), and I wanted to have some machine capable of running Mac OS 9 just for nostalgia’s sake. Mum and dad still had mum’s old PowerBook G3 and I was able to get a power adapter for it and boot it up to noodle around in, but it was a bit awkwardly-sized to fit on my desk and the battery was so dead that if the power cord wasn’t plugged in it wouldn’t boot at all.

There was a thread on Ars Technica a few months ago about old computers, and someone mentioned that if you were looking at something capable of running Mac OS 9 your best bet was to get the very last of the Power Mac G4s that could boot to it natively, the Mirrored Drive Doors model. I poked around on eBay and found a guy selling one in mint condition, and so bought it as a present to myself for my birthday.

Behold!

Power Mac G4 MDD

Dual 1.25GHz G4 processors, 1GB of RAM, 80GB of hard disk space, and a 64MB ATI Radeon 8500 graphics card. What a powerhouse. 😛

There’s a website, Macintosh Repository, where a bunch of enthusiasts are collecting old Mac software from yesteryear, so that’s been my main place to download all the old software and games that I remember from growing up. It’s been such a trip down memory lane, I love it!

A trip to Queenstown

virtualwolfTravel / WordpressLeave a comment

Last week we finally got around to visiting New Zealand! We’d been meaning to go for a good couple of years now, but never actually did it. We started small and visited just Queenstown and surrounds, and were only there for three full days.

We flew in at night on Saturday night, and the descent in was rather long and bumpy which I guess is to be somewhat expected when it’s surrounded by mountains. We went into Queenstown for dinner first, and had one of the best burgers I’ve ever had at The World Bar.

The place we were staying was about 15 minutes drive from Queenstown, but because it was night time all we could see was brilliant yellow leaves on the trees at the side of the road where the headlights were lighting them up. We woke up the next morning, and holy crap, the view!

The Remarkables, morning light

Untitled

We went up the Skyline Gondola which has a hell of a view over Queenstown itself.

The view from Skyline Queenstown

Next we drive up to Glenorchy, which is about an hour away. Lunch was surprisingly delicious beef noodle soup from a Chinese restaurant there (there are a lot of Chinese tourists around).

On the road to Glenorchy

Kristina

Orange

Glenorchy Wharf

We spent the afternoon wandering around Queenstown Gardens and Queenstown itself. This was definitely a fantastic time to visit, the air was cool and crisp and all the leaves were changing and everything was bright yellow.

Sitting

Untitled

Secluded

Smokey

Dinner was whole baked flounder with shaved fennel and orange from Public Kitchen and it was absolutely magnificent, cooked to total perfection. The “whole fish” bit was slightly off-putting because it’s literally that, a entire fish, eyeballs and all, sitting on your plate staring up at you but I pretty quickly got over it. 😛

The morning view the next morning was even better than before.

The Remarkables, morning light 2

We paid a brief visit to Arrowtown, though there wasn’t a whole lot there and it was mostly tourist shops.

Untitled

Untitled

We then drove up to Wanaka and took the obligatory photo of the tree there.

That Wanaka Tree

The drive itself had some great scenery along the way too.

Untitled

Winding road

Untitled

Dinner was at the Pig & Whistle pub, I got the dry-rubbed steak with veggies and red wine jus and Kristina had chicken and mushroom pasta, and they were both absolutely incredible.

The final full day we were there, we drove two and a half hours up to Lake Pukaki. As before, the drive itself was quite scenic too.

Stopping at Tarras

Lindis Pass

The lake itself is amazing, it’s this crazy neon-blue colour. The first two photos don’t really do it justice, but the third one is exactly how it looked even in person.

Lake Pukaki

Lake Pukaki

Lake Pukaki

We drove a little further north along the western edge of the lake to get a bit closer to Looking towards Aoraki / Mount Cook, which was looking very dramatic with its peaks covered in clouds.

Looking towards Aoraki / Mount Cook

Overall it was a fantastic trip, we definitely want to go back again but we’re thinking we’ll fly into Christchurch next time and drive around further in the north of the South Island.

The full photosets are here:

More miniatures: Warhammer 40,000 edition

virtualwolfWordpress2 Comments

Warhammer 40,000 used to be quite the complicated affair, lots of rules and looking things up on different tables to check what dice roll you needed for different effects, and needing many hours to finish a game. The 8th Edition of the game came out last year, and was apparently extremely streamlined and simplified and seems to have been received very well. Since I’d been doing well with Shadespire, I decided to get the 8th Edition core box set as well, and had almost exactly enough in Amazon gift card balance for it! It comes with Space Marines, as always, but the opposing side is Chaos this time. 7 Plague Marines, a few characters, a big vehicle, and about 20 undead daemon things. I decided to alternate between painting a handful of each side at once, so as not to get bored, and have gone with Space Wolves (big surprise, I know) as the paint scheme for the Imperial side.

Space Wolves Intercessor

There’s another five of these Space Marines but they’re all identical apart from the poses so I didn’t take photos of all of them.

The Plague Marines are all unique though, so I’ve been taking photos of each of them, my first batch was four of them.

Plague Marine 1

Plague Marine 2

Plague Marine 3

Plague Marine 4

My mobile painting table has been a great success, but after the first batch of Space Marines I realised I was getting a sore neck and back from hunching over towards the miniatures as I was painting them because everything was too low. Another trip to Bunnings, and lo and behold…

Painting table from the side, showing the two vertical blanks to give it some hight

Problem solved!

I also realised the other day why I was enjoying painting my miniatures a lot more now than I used to… it’s thanks to being able to combine my hobbies of painting and also photography. 😛 I can paint the miniatures and be happy with my work, but then also take professional-looking photos of them and share them with the world!