Kristina and I have been married for ten years (!) come June, and we had a very small wedding and no honeymoon because we were completely broke at the time. We decided we’d do a big trip for our ten-year anniversary to make up for it, and decided on Switzerland. Kristina had been there about fifteen years ago and loved it, and was really keen to show me around and also to take photos with a proper camera and better eye for composition.
See full post (and LOTS of photos)
I’ve been using Linode to host myself a Linux virtual machine since 2011, originally so I could run Jira on it (now long since moved to a cloud-hosted instance), since my entire job was supporting it back then, and also just generally to dabble with Linux and the command line. I started out with CentOS 5 as that’s what we were using at work at the time, and slowly installed more and more random things on it.
When I decided it was time to upgrade to CentOS 7 in 2015, I put together a page in Confluence noting down each thing I was doing, as I was starting with a fresh new virtual machine and migrating only the bits and pieces I needed to it. That was better, but still ended up with a bit of a sprawling page and me forgetting to update it after I’d completed the initial migration. I eventually shut down my whole Dreamhost account and moved solely to having my website and blog and various miscellany (15 years worth of images from LiveJournal entries and posts on Ars Technica, as two examples) hosted on the Linode. Unfortunately I wrote down absolutely none of how I configured it all!
As part of playing around with my YubiKey and setting up GPG agent forwarding, I discovered that the version of GnuPG that CentOS 7 ships with is too old to support agent forwarding from newer versions, so I decided to spin up a new Linode but with Debian 9 instead (since thatdoes support agent forwarding), and migrate everything to it. This time, however, I would do it programatically!
Linode have a thing called StackScripts that let you start up a fresh VM and run a bunch of commands on boot to configure it how you need. Over the course of probably two months, I built up a Bash script to install and configure all my various software packages at boot to a fresh Debian 9 machine to configure it how I needed, and with everything stored in a Git repository. That included also adding Git repositories with my Nginx and systemd configurations as well as running a script on my existing CentOS 7 VM to grab database dumps of my website and our respective blogs, as well as the aforementioned 15 years’ worth of images and other files.
The end result is a ~500 line Bash script that’s version-controlled so I can see exactly what I did, with any new changes I’m making since I cut over to the Debian VM being saved in that as well, and the same with my systemd/Nginx/everything-else configuration! As long as I’m disciplined about remembering to update my StackScript when I make software changes, whenever the next big move to a new VM is should be a hell of a lot simpler.
As previously mentioned, I’ve been enjoying the hell out of my iPad Pro and Apple Pencil, and have been doing a whole lot more drawing/sketching/painting since then. I moved my Mastodon account over to a much smaller instance, mastodon.art, which as you’d expect is very focused on art and has a lot of extremely creative people on it, and I’ve been getting a daily dose of inspiration. (As a side-note, I can’t recommend enough moving to a smaller Mastodon instance as opposed to one of the huge ones like mastodon.social… it really does feel much more like a community, and the local timeline is something you actually can keep up with and interact with).
I found a really good series of tutorials on drawing people and facial expressions, and drew this!
After that were a bunch more extremely munted-looking people which I’m not going to post, but then I eventually got my proportions better.
One of the artist-types I follow on Mastodon is Noah Bradley, he’s done paintings for all sorts of places including for Magic: The Gathering! He said he biggest piece of advice was “Use more reference!”, i.e. have an actual picture/photo/whatever next to the thing you’re drawing so you can get the proportions and such correct. I took that advice to heart, and painted this picture of what ended up as a queen!
She looks nothing like the original photo, of course, but it really helped to get the angles of everything correct. I also really started getting the hang of lighting, I’m so pleased with the light from the runes that’s reflecting off her hair, especially on the right.
Lily’s Christmas present was the first-gen Apple Pencil for her own iPad and she’s been absolutely drawing her heart out as well. One of the things she likes drawing are My Little Pony characters… she’s never watched the show but enjoys making up her own characters. She set me a challenge of making a character myself, with the theme of “neon”, and I took that opportunity to do some more practice with lighting (see the linked image for the full effect). I found an outline online and traced over that for the shape, but the colour is all me!
We also took my old teddy bear Neddy out, who I’ve had since I was a year old, and used him for some lighting practice.
Then my latest work was Maria Franz from the band Heilung! They do epic pagan/folk music and it’s absolutely fantastic (see the video of their live show). I introduced Lily to them and she’s now completely obsessed. She sent me a picture of Maria Franz that she’d traced over and coloured in, and I realised that’d be a perfect bit of subject matter.
I had a picture of her open in Safari in split-screen view so I could get the outline and proportions right, and Procreate tells me this was nearly 10 hours all up! I’m absolutely stoked with how it ended up, and just seeing the difference between my earliest stuff and now is great, even though it’s only been two months. The “Use reference” mantra is one that I’m definitely taking to heart.
As of today, we’ve had Beanie for five years!
We got him as a rescue dog when he was a year old, he’d already had three previous owners before us, and the house he was living in when we got him had two other much larger dogs that apparently were taking most of the food and generally bullied him. The idiot woman who owned him also had him on some “raw chicken” diet where he’d have basically just raw chicken pieces, and his hair was all short and his tail was permanently very tightly curled — which is how he gets when he’s nervous or anxious — and didn’t wag at all for the first three or so weeks that he was living at ours.
He had quite bad separation anxiety, we eventually went to the vet and got some anti-anxiety medicine because he would scratch at the door repeatedly when we’d leave the house, to the point that he was scratching the paint off it. The medicine combined with giving him a marrowbone treat whenever we leave for a period of more than an hour or two has definitely helped, he now gets excited we’re we’re getting ready to leave because he often gets a treat. 😛
He’s never liked other dogs, and generally still doesn’t, but we were able to take him to puppy training session where he at least got some exposure to dogs around his size, and that led to our now-regular visits with Leo!
Because Kristina and I are out of the house for a good 10-11 hours a day, we have a dog walker to comes every day after lunch to let him out and give him a walk. We have her come around anyway if one of us is working from home or sick, and he gets so excited when she arrives.
Beanie is a good boy, he never gets into any trouble whatsoever: he doesn’t chew things, he goes to bed at night when we do and doesn’t get out of bed in the morning until we’re up (or even after we’re up on occasion), if one of us is sick he’ll happily snuggle up on the lounge with us. One of his favourite things to do is to “up” at us, which he frequently does after we’re lying in bed and getting ready to go to sleep!
The only irritation is his bark… there is ZERO wind-up or warning, and it’s an extremely loud and sharp bark that gives you a heart-attack! If he’s bored he’ll find things to bark at which can be super-annoying, but usually a quick walk around the block will tire him out and he calms down afterwards. Given how destructive other dogs can be though, I think we have it pretty good with Beanie. 🙂
(Update December 2022: As suggested in the latest comments, this entire blog post is pretty much redundant now! Linux Mint 21.1 installs without a hitch, even using Cinnamon, and I have fully-functional brightness and sound keys straight out of the box.)
(Update December 2020: I successfully upgraded from Linux Mint 19.3 to Linux Mint 20 by following the official Linux Mint instructions. The only additional post-upgrade work I had to do was re-adding the Section "Device" bit to /usr/share/X11/xorg.conf.d/nvidia-drm-outputclass-ubuntu.conf as described below to get the brightness keys working again.)
(Update May 2020: I’ve re-run through this whole process using Linux Mint 19.3 and have updated this blog post with new details. Notably, no need to install pommed, and including the specific voodoo needed for the 2010 MacBook Air from Ask Ubuntu regarding PCI-E bus identifiers.)
We have a still perfectly usable Late-2010 MacBook Air (“MacBookAir3,2”, model number A1369), but with macOS 10.14 Mojave dropping support for Macs older than 2012 (it’s possible to extremely-hackily install it on older machines but I’d rather not go down that route), I decided I’d try installing Linux on it. The MacBook Air still works fine, if a bit slow, on macOS 10.13 but I felt like a bit of nerding!
My distribution of choice was Linux Mint, which is Ubuntu-based but less with the constant changes that Canonical keep making. The first hurdle right out of the gate was which “edition” to choose: Cinnamon, MATE, or xfce. There was zero info on the website about which to choose, I started with Cinnamon but that kept crashing when booting from the installation ISO and giving me a message about being in fallback mode. It turns out Cinnamon is the one with all the graphical bells and whistles, and it appears that an eight-year ultralight laptop’s video card isn’t up to snuff, so I ended up on “MATE” edition, which looks pretty much identical but works fine.
My installation method was using Raspberry Pi Imager to write the installation ISO to a spare SD card (despite the name, it can be used to write any ISO: scroll all the way down in the “Choose OS” dialog and select “Use custom”). Installing Linux requires you to partition the SSD using Disk Utility, I added a 2GB partition for the /boot partition, and another 100GB to install Linux itself onto. It doesn’t matter which format you choose as it’ll be reformatted as part of the installation process.
After partitioning, reboot with the SD card in and the Option key held down, and choose the “EFI Boot” option. The installer is quite straightforward, but I chose the custom option when it asked how to format the drive, formatted both the 2GB and 100GB partitions as ext4, with the 2GB one mounted at /boot and the 100GB at /. The other part is to install the bootloader onto that /boot partition, to make it easy to get rid of everything if you want to go back to single-partition macOS and no Linux.
The next hurdle was video card drivers. Mint comes with an open-source video card driver called “Nouveau” which works but isn’t very performant, and there was lots of screen tearing as I’d scroll or move windows around. This being Linux, it was naturally not as simple as just installing the official Nvidia one and being done with, because that resulted in a black screen at boot. 😛 I did a massive amount of searching and eventually stumbled across this answer on AskUbuntu which worked where nothing else did: I followed those instructions and was able to successfully install the official Nvidia drivers without getting a black screen on boot!
(Update May 2020: I honestly don’t remember whether I had to go through Step 1 of Andreas’ instructions, “Install Ubuntu in UEFI mode with the Nvidia drivers”, but check for the existence of the directory /sys/firmware before running the rest of this. That directory is only created if you’ve booted in EFI mode. If it doesn’t exist, follow the link in Step 1).
I’m copying the details here for posterity, in case something happens to that answer, but all credit goes to Andreas there. These details are specifically for the Late 2010 MacBook Air with a GeForce 320M video card, so using this on something else might very well break things.
Create the file /etc/grub.d/01_enable_vga.conf and paste the following contents into it:
cat << EOF
setpci -s "00:17.0" 3e.b=8
setpci -s "02:00.0" 04.b=7
EOFThen make the new file executable and update the grub config files:
$ sudo chmod 755 /etc/grub.d/01_enable_vga.conf
$ sudo update-grubAnd then restart. Double-check that the register values have been set to 8 for the bridge device and 7 for the display device:
$ sudo setpci -s "00:17.0" 3e.b
08
$ sudo setpci -s "02:00.0" 04.b
07Next, load up the “Driver Manager” control panel and set the machine to use the Nvidia drivers, once it’s finished doing its thing — which took a couple of minutes — restart once more, and you’ll be running with the much-more-performant Nvidia drivers!
At this point I realised that the brightness keys on the keyboard didn’t work. Cue a whole bunch more searching, with fix being to add the following snippet to the bottom of /usr/share/X11/xorg.conf.d/nvidia-drm-outputclass-ubuntu.conf:
Section "Device"
Identifier "Device0"
Driver "nvidia"
VendorName "NVIDIA Corporation"
BoardName "GeForce 320M"
Option "RegistryDwords" "EnableBrightnessControl=1"
EndSectionAnd now I have a fully-functioning Linux installation, with working sleep+wake, audio, wifi, and brightness!
I’m certainly not going to be switching to it full-time, and it feels like a lot more fragile than macOS, but it’s fun to muck around with a new operating system. And with 1Password X, I’m able to use 1Password within Firefox under Linux too!
I bought an iPad mini 2 back in April of 2014, which was the first mini with a retina display. It got fairly slow with the upgrade to iOS 11, and even though iOS 12 gave it a bit of a shot in the arm, it still ultimately struggled to do much beyond very basic web browsing and social media things — not entirely surprising given it’s five years old at this point. Apple announced the latest version of the iPad Pro at the end of October last year, along with an updated Apple Pencil, and all the reviews said the iPad was absolutely gobsmackingly fast (to the point where it beats all but the highest-end Core i9 15″ MacBook Pro in a number of CPU benchmarks), so I decided to finally retire the iPad mini and upgrade.
Holy. Crap.
It’s honestly one of the most impressive pieces of technology I’ve used in recent years; almost the entire thing is screen, there’s only enough bezel to comfortably hold the edges and no more, and it’s about as thin as I recall the iPhone 4/4S being, with the same industrial design. I’m still on the iPhone 7 so haven’t used Face ID before, and it works like magic. The screen has a 120Hz refresh rate as opposed to the standard 60Hz of most displays, and it means that everything feels just subtly more fluid and responsive. Everything I do on it is just totally effortless, it responds immediately without any hint of lag or hesitation.
However, I think my favourite part so far is the Apple Pencil. It’s much the same as the original in terms of usage, but magnetically pairs and charges on the right side of the iPad, and has an option to double-tap the Pencil itself to switch between your current drawing tool and the eraser tool. It has pressure and angle sensitivity, so can behave exactly like an actual pencil. Turn it sideways and use the edge and you can do subtle shading, and the harder you press the darker the shade.
The built-in Notes app has basic Pencil support, but I’ve been using Procreate — which I actually originally bought on my iPad mini but didn’t use very much due to it being a pain trying to do any sort of detail with a finger — and it’s so awesome. It’s absolutely not going to win any sort of awards, but I’ve done two things so far and am really happy with both of them.
The first was done with the drawing assist turned on and an isometric grid, followed by a whole bunch of layers to get the lighting looking right.
And the second is just a pencil sketch. Like I said, objectively it’s not very good, but not having done anything like this before, I’m still very pleased.
I had a photo open in Safari in split-screen view beside Procreate, the woman in my sketch looks absolutely nothing like the photo but it was more just generally to get the angles right. 😛 My having done photography definitely helped with the shading because I could easily visualise in my head how the shadows would fall.
I need to make sure I keep up the practise so I can improve!
I also remembered that GarageBand on iOS is a thing, and goddamn, it’s also impressive. It’s the same idea as in GarageBand on the Mac with adding preset loops of instruments and combining them together — or recording your own — but they’ve done an amazing job of translating that to something that’s usable with a touch interface. I’d made a couple of songs in GarageBand for Mac previously (nearly twelve years ago now, jesus), but not really anything since.
I bought a USB-C to 3.5mm headphone adapter for the iPad so I could use my big Audio Technica headphones — doing audio work requires very low latency, and Bluetooth has way too much latency, to the point where if you try to use Bluetooth headphones with GarageBand on iOS it’ll give you a big warning to that effect — and did a bunch of dabbling the other day, and made another new song!
I’m very interested to see what Apple does with iOS 13 this year, because the iPad Pro’s hardware is astonishingly capable, but it feels like the software could be doing more. I’ve hooked up our spare Bluetooth keyboard and dabbled around in that and it’s neat, but there’s not enough support for keyboard shortcuts even in Apple’s own applications . In Messages, for instance, you can use Cmd-↑ and Cmd-↓ to switch between conversations, but there’s no way to get the focus back to the input field once you’ve done so… you have to reach for the screen. There’s an official Apple keyboard cover that turns your iPad into something resembling a laptop, but I don’t know how well it would work remaining steady on a lap on a train.
All that said, I’m absolutely stoked with the new iPad, and am seriously keen to see the software catch up to the capabilities of the hardware!
I’ve been on a “What other neat things can I do with my Yubikey” kick after my last post, and it turns out one of those neat things is to cryptographically sign Git commits. This allows you to prove that the owner of a particular GPG key is actually the person who committed the code.
Setting up signed Git commits locally is very easy, run git config --global user.signingkey "<ID of your GPG signing subkey>" (mine is C65E91ED24C34F59 as shown in the screenshot below), then run your Git commit normally but with the added flag -S to sign it.
Bitbucket Cloud doesn’t currently support displaying signed Git commits in the UI, but you can do it on GitHub and you get a shiny little “Verified” badge next to each one and this message when you click on it:
You can also show it locally with git log --show-signature.
This is all well and good, but what if you want to sign something on a remote server that you’re connected to via SSH? Enter GPG agent forwarding!
Just like you can do SSH agent forwarding to have your private SSH key securely forwarded to a machine you’re connecting to, you can do the same with the GPG agent that stores your GPG keys and allow it to access your signing subkey. Setting up GPG agent forwarding is broadly straightforward, but make a note of which versions of GNUPG you’re running at each end. The “modern” version is 2.1 and higher, I’m running 2.2.x on my Macs but my Linode runs CentOS 7 which only comes with GPUPG 2.0.x and I wasn’t able to fully get agent forwarding working between it and 2.2.x on my Macs. I tested the latest Debian with 2.1 and that worked.
I followed this guide, but one extremely important note is that you can’t use a relative path for the local or remote sockets, they have to be the full absolute path. This becomes a pain when you’re connecting to and from different OSes or machines where your username differs. Thankfully, SSH has a Match exec option where you can run a command to match different hosts and use different host definitions (and thus put in different paths for the sockets) depending on your local and remote machines.
Mine looks like this :
# Source machine is a personal Mac, connecting to another personal Mac on my local network; the local network all uses the .core domain internally
Match exec "hostname | grep -F .core" Host *.core
RemoteForward /Users/virtualwolf/.gnupg/S.gpg-agent /Users/virtualwolf/.gnupg/S.gpg-agent.extra
# Source machine is a personal Mac, connecting to my Linux box
Match exec "hostname | grep -F .core" Host {name of the Host block for my Linode}
RemoteForward /home/virtualwolf/.gnupg/S.gpg-agent /Users/virtualwolf/.gnupg/S.gpg-agent.extra
# Source machine is my work Mac, connecting to my Linux box
Match exec "hostname | grep -F {work machine hostname}" Host {name of the Host block for my Linode}
RemoteForward /home/virtualwolf/.gnupg/S.gpg-agent /Users/{work username}/.gnupg/S.gpg-agent.extra
(Yes, technically this doesn’t work as I mentioned at the start due to my Linode being on CentOS 7 and having GNUPG 2.0, but the socket forwarding bit works, just not when I actually want to do anything with it. :P)
I use my Linode to host a number of things (this blog and Kristina’s, my website and Kristina’s, an IRC session via tmux and irssi for a friend and me, and probably another thing or two I’m forgetting). Kristina started up a travel blog a few months ago which I’m also hosting on it, and shortly after that point I found that maybe once every two weeks or so my website and our blogs weren’t running anymore. I looked into it and it was being caused by Linux’s Out-Of-Memory Killer, which kicks in when the system is critically low on memory and needs to free some up, killing the Docker container that my website runs in as well as MariaDB.
The main cause was Apache and MariaDB using up entirely too much memory for my little 1GB Linode, it was evidently just sitting on this side of stable with two WordPress blogs but adding a third seems like it tipped it over the edge. The reason MariaDB and my website’s Docker container were being killed is because although Apache was using up a heap of memory it was spread over a number of worker threads, so individually none of those were high, and MariaDB and my website were the largest on the list. There’s lots of tweaks you can do, several of which I tried, but all that happened was that it delayed the inevitable rather than entirely resolving it. Apache is powerful but low-resource-usage it ain’t. The primary low-resource-usage alternative to Apache is Nginx, so I figured this weekend I’d have a crack at moving over to that.
Overall it was pretty straightforward, this guide from Digital Ocean was a good starting point, the bits where it fell short was mostly just a case of looking up all of the equivalent directives for SSL, mapping to filesystem locations, etc. (I have ~15 years of history of hosted images I’ve posted on the Ars Technica forums and my old LiveJournal—which is now this blog—and wanted to make sure those links all kept working).
One difference is with getting WordPress going… WordPress is all PHP, and Apache by default runs PHP code inside the Apache process itself via mod_php, whereas when you’re using Nginx you have to be using PHP-FPM or similar which is an entirely separate process that runs on the server and that Nginx talks to to process the PHP code. I mostly followed this guide, also from Digital Ocean though there were a couple of extra gotchas I ran into when getting it fully going with Nginx for WordPress:
/etc/nginx/fastcgi_params and add a new line with this content or you’ll end up with nothing but an empty blank page: fastcgi_param PATH_TRANSLATED $document_root$fastcgi_script_name;nginx user instead of apache/etc/php-fpm.d/www.conf and change the line that says pm = dynamic to be pm = ondemand; with ondemand PHP-FPM will spin up worker processes as needed but will kill off idle ones after ten seconds rather than leaving them around indefinitely.Additionally, Nginx doesn’t support .htaccess files so if you’ve got WordPress set up to use any of the “pretty”-type links, you’ll end up with 404s when you try to view an individual post instead. The fix is to put the following into the server block at the bottom:
location / {try_files $uri $uri/ /index.php?$args;}
So it’ll pass the correct arguments to WordPress’ index.php file. You’ll also want to block access to any existing .htaccess files as well:
location ~ /\.ht {deny all;}
The last thing I did with this setup was to put the entirety of my website, Kristina’s, and our respective blogs behind Cloudflare. I had great success with their DNS over HTTPS service, and their original product is essentially a reverse proxy that caches static content (CSS, Javascript, images) at each of their points of presence around the world so you’ll load those from whichever server is geographically closest to you. For basic use it’s free, and includes SSL, you just need to point your domain’s nameservers at the ones they provide. The only thing I needed to do was to set up another DNS record so I could actually SSH into my Linode, because now the host virtualwolf.org resolves to Cloudflare’s servers which obviously don’t have any SSH running!
Overall, the combination of Nginx + PHP-FPM + Cloudflare has resulted in remarkably faster page loads for our blogs, and thus far significantly reduced memory usage as well.
As part of having an Ars Technica Pro++ subscription, they sent me a free YubiKey 4, which is a small hardware token that plugs into your USB port and allows for a bunch of extra security on your various accounts because you need the token physically plugged into your computer in order to authenticate. It does a number of neat things:
And a bunch of other stuff as well, none of which I’m using (yet).
My password manager of choice is 1Password, and although it allows saving one-time passwords for websites itself, I wanted to lock access to the 1Password account itself down even further. Their cloud-based subscription already has strong protection by using a secret key in addition to your strong master password, but you can also set it up to require a one-time password the first time you log into it from a new device or browser so I’m using the YubiKey for that.
I also generated myself GPG keys and saved them to the YubiKey. It was not the most user-friendly process in the world, though that’s a common complaint that’s levelled at GPG. I found this guide that runs you through it all and, while long, it’s pretty straightforward. It’s all set up now, though, my public key is here and I can send and receive encrypted messages and cryptographically sign documents, and the master key is saved only on an encrypted USB stick. You can also use the GPG agent that runs on your machine and reads the keys from the YubiKey to also be used for SSH, so I’ve got that set up with my Linode.
The last thing I’ve done is to set the YubiKey up as a hardware token with Duo and put my Linode’s SSH and this blog (and soon Kristina’s, though hers not with the YubiKey) behind that. With the Duo Unix module, even sudo access requires the YubiKey, and the way that’s set up is that you touch the button on the YubiKey itself and it generates a code and enters it for you.
It’s all pretty sweet and definitely adds a bunch of extra security around everything. I’m busily seeing what else I can lock down now!
Back in April, Cloudflare announced a privacy-focused DNS server running at 1.1.1.1 (and 1.0.0.1), and that it supported DNS over HTTPS. A lot of regular traffic goes over HTTPS these days, but DNS queries to look up the IP address of a domain are still unencrypted, so your ISP can still snoop on which servers you’re visiting even if they can’t see the actual content. We have a Mac mini that runs macOS Server and does DHCP and DNS for our home network, among other things, and with the impending removal of those functions and their suggested replacements with regular non-UI tools with a upcoming version of it, I figured now would be a good time to look into moving us over to use Cloudflare’s shiny new DNS server at the same time.
Turns out it wasn’t that difficult!
cloudflared and dnsmasq: brew install cloudflare/cloudflare/cloudflared dnsmasqdnsmasq to point to cloudflared as its own DNS resolver.cloudflared to use DNS over HTTPS and run on port 54.Edit the configuration file located at /usr/local/etc/dnsmasq.conf and uncomment line 66 and change it from server=/localnet/192.168.0.1 to server=127.0.0.1#54 to tell it to pass DNS requests onto localhost on port 54, which is where cloudflared will be set up.
Create the directory /usr/local/etc/cloudflared and create a file inside that called config.yml with the following contents:
no-autoupdate: true proxy-dns: true proxy-dns-port: 54 proxy-dns-upstream: - https://1.1.1.1/dns-query - https://1.0.0.1/dns-query
Auto-update is disabled because that seems to break things when the update occurs, and the service doesn’t start back up correctly.
dnsmasq: sudo brew services start dnsmasq will both start it immediately and also set it to start at system boot.
cloudflared: sudo cloudflared service install, which installs it for launchctl at /Library/LaunchDaemons/com.cloudflare.cloudflared.plist.
Now that dnsmasq and cloudflared are running, you need to actually tell your machines to use them as their DNS servers! Open up System Preferences > Network, hit Advanced, and in the DNS tab click the + button and put your computer’s local IP address in. (You’ll want to make sure your machine has a static IP address, of course). Repeat the process for everything else on your local network to have them all send their DNS traffic to 1.1.1.1 as well.
You can confirm that all your DNS traffic is going where it should be with dnsleaktest.
I was surprised at how straightforward this was. I also didn’t realise until I was doing all of this that dnsmasq also does DHCP, so with the assistance of this blog post I’ve also replaced the built-in DHCP server on the Mac mini and continue to have full local hostname resolution as well!