Igor Bubelov

August 2020

Notes · Aug 30, 2020

Nextcloud News

I’ve been using Nextcloud for a while now and I really enjoy it. It’s an ambitious platform that can host and manage a lot of different services in a plug and play fashion. The core service of Nextcloud is file syncing. It can be used as an alternative to Dropbox or Google Drive, but it goes far beyond storing your files and it doesn’t expose your private data to all of those shady companies that don’t deserve our trust.

It’s easy to extend Nextcloud by installing additional apps from its official app store. One of my favorite Nextcloud apps is News and it allows me to keep an auto-updating list of RSS feeds on my Nextcloud server which I can always access from an official Android app. Having a single place to store all of my news and podcasts along with their state (new/seen, starred/unstarred) allows me to read my news feed from any platform. Another benefit of having a server for my RSS feeds is that the changes I make via any of my client apps get propagated to all of the other apps automatically.

I tried to use the official Nextcloud News app for a few months, and it didn’t align with my usage patterns very well. I’ve been thinking about it for a few days, and I decided to solve this issue in a pretty radical way: by creating my own Nextcloud News Android app. I have no illusions about how much time it will take but reading RSS feeds is an important part of my daily routine, and I feel that it’s worth the effort. I’ll probably finish it by the next month, so I’ll write more about this project in my later posts.

IP Forwarding With Nftables

I have a Digital Ocean server which I use as a proxy for my self-hosted home server. I’ve been using some hacky solution based on iptables but it was a pain in the ass, so I’ve decided to get rid of this piece of technical debt. The first thing that I noticed was the deprecation of the iptables utility itself.

It certainly looks like nftables is the future, so I played with it for a while and I settled on the following config for my proxy:

#!/usr/sbin/nft -f

define wan = eth0
define wg = wg0
define wg_net =

# TODO Since Linux kernel 5.2, there is support for performing stateful NAT in inet family chains.
table ip wg {
  chain prerouting {
    # Priority = NF_IP_PRI_NAT_DST (-100, destination NAT)
    type nat hook prerouting priority -100;
    iif $wan tcp dport { http, https } dnat
  }

  chain postrouting {
    # Priority = NF_IP_PRI_NAT_SRC (100, source NAT)
    type nat hook postrouting priority 100;
    # Mask WireGuard packets as if they come from this server
    oif $wan ip saddr $wg_net masquerade
  }

  chain input {
    type nat hook input priority 100;
  }

  chain output {
    type nat hook output priority -100;
  }
}
It looks way cleaner than the iptables equivalent and it can certainly be refactored to look even more readable. I really like its declarative way of describing the traffic rules.

The prerouting chain just redirects all of the TCP traffic coming to the ports 80 or 443 to my home-based Raspberry Pi 4. Both the DO droplet and the RPi share the same WireGuard network between them. The RPi IP address is, that’s why dnat points there in the config above. I should probably convert this magic number into a variable; thankfully, nftables supports that.

The postrouting chain is pretty interesting. It allows me to use that DO droplet as a VPN server. It “masks” all of the outgoing traffic with this server’s IP address but that traffic can originate from any node in my WireGuard network. Such a VPN won’t give you a lot of privacy since most of the mainstream hosting providers know your name, email and even your credit card info but it can certainly be used to circumvent certain kinds of Internet censorship in your real location.
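An added example, not part of the author's config: the same two NAT chains with the DNAT target moved into a variable, plus a forward filter chain so the droplet only forwards the traffic the two paragraphs above describe. This goes beyond the original config; the `pi` variable name, the `forward` chain, and the addresses `10.0.0.0/24` and `10.0.0.2` are assumptions, constructed because the page's real values are not shown.

```nftables
#!/usr/sbin/nft -f

# Constructed placeholder values, not the author's real addresses
define wan = eth0
define wg = wg0
define wg_net = 10.0.0.0/24   # assumed WireGuard subnet
define pi = 10.0.0.2          # assumed Raspberry Pi address on the WireGuard network

table ip wg {
  chain prerouting {
    type nat hook prerouting priority -100;
    # The DNAT target is now a variable instead of a magic number
    iif $wan tcp dport { http, https } dnat to $pi
  }

  chain postrouting {
    type nat hook postrouting priority 100;
    # Mask WireGuard packets as if they come from this server
    oif $wan ip saddr $wg_net masquerade
  }

  chain forward {
    # The forward hook runs after prerouting DNAT, so daddr is already $pi here
    type filter hook forward priority 0; policy drop;

    # Replies for connections that were already allowed
    ct state established,related accept
    ct state invalid drop

    # Inbound: only the DNATed web traffic, and only to the Pi
    iif $wan oif $wg ip daddr $pi tcp dport { http, https } ct state new accept

    # Outbound: WireGuard peers using this server as their VPN exit
    iif $wg oif $wan ip saddr $wg_net ct state new accept
  }
}
```

The file can be syntax-checked with `nft -c -f <file>` before loading. With `policy drop` on the forward hook, anything not listed is no longer forwarded, including traffic between two WireGuard peers that passes through the droplet.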

Software Engineering Interviews

I had an odd job this month which was in essence an attempt to find a good Android developer for a company I know very little about. It still amazes me that there is almost no correlation between what people write about in their CVs and what they really know.

I’m not a big fan of “preparing” for interviews, it sounds artificial and it really is. Needless to say, it doesn’t show anything useful. Most of the time, it’s fine not to know something. We can’t have expert knowledge in every possible domain and no one should expect that from someone else. It seems pretty obvious, and that’s what CVs help us to solve: people can see what we worked with, which technologies we explored and it makes total sense to discuss it during the tech interview.

It turns out, it’s still OK to brag about your expertise in networks and know nothing about network timeouts or to be a math major and understand nothing about the basic math concepts. How can a “Kotlin Expert” with many years of experience believe that Kotlin has its own VM? People keep putting stuff they’re unable to reason about in their CVs. It seems like by “knowledge” they mean “knowledge of a basic and most typical setup”. Anyone can use most of the modern tools and libraries, it doesn’t show expertise and it’s not relevant.

In my opinion, a real expert in a certain set of technologies should understand how they work and should be able to explain their choice. I’m not sure if it’s too much to ask nowadays.


There is a growing demand for privacy and many people see a problem with the duopoly of Google and Apple in the smartphone market. Smartphones in general are perfect privacy-invading devices and both Google and Apple put their own closed-source code into their phones and they are pretty open about what this code does: it collects your personal data, every piece it can find.

While you can’t install an alternative OS on an iPhone, you can do it with your Android smartphone. LineageOS is a brave attempt to free the Android OS from the Google surveillance empire. I use it and it works great but having a “clean” operating system doesn’t solve the whole problem.

The main issue with LineageOS is that you can’t install it on “any” Android smartphone. Even worse, they won’t even recommend you any particular smartphone. Choosing hardware for LineageOS is tough and you shouldn’t expect any serious guarantees on how long they will support your device of choice. It’s not a critique of LineageOS. I use it and I love it, but this model has some pretty obvious limitations.

I believe that LineageOS is still relevant and important but it’s also important to explore some alternative ways to protect our data from malicious big tech companies, ISPs and other parties that are able to leverage the weaknesses and “gray areas” in our smartphones for profit.

One of those ways is to focus on hardware. Having an OS that can run on many smartphones is great, but it is also important to have a smartphone that can last for years and that can run many operating systems. Here are three smartphone hardware projects I find interesting:

Purism hardware seems to be pretty expensive and also the least open. PinePhone is both open hardware and open software. It can run many Linux distributions and it can also run Android but full compatibility is not guaranteed if you choose that option.

Fairphone seems to be a good option for people who aren’t ready to move from Android to a Linux distro. Both Android and iOS have many polished apps and games and it would be naive to think that mobile Linux distributions will be able to match all of that any time soon. I don’t like the fact that Fairphone has Google apps and services by default. Of course, you can install LineageOS on your Fairphone but it doesn’t support its newest model, at least officially.

I’m still not sure if Fairphone is better than any usual Android smartphone. It’s expensive and it does not really respect user privacy. Even their website has an annoying cookie dialog that won’t let you use it unless you surrender your data. Yes, modular smartphones seem like a good idea and I would really like to be able to use a smartphone for a decade or more and just buy some spare parts when something breaks. But with Fairphone prices, it feels like a rather expensive toy.

I’m not blind and I see many problems with PinePhones but I think that it’s the most promising smartphone hardware project out there.

Game: XCOM 2

That’s what you would see if you try to launch this game:

Adorable, isn’t it? “Agree” by default, but hey, you can disagree, right? You can, but 2K Games will keep showing you this nonsense after every launch. Probably those bastards have been forced by law to ask for your permission before doing their shady stuff and that pisses them off. They think it’s their data and they will keep annoying you with this blocking dialog until you surrender it. Modern games are so much fun.

The game itself is pretty good, I like it. It’s not as hardcore as “Terror From the Deep” but I didn’t expect it to be similar to its legendary ancestor which was made almost three decades ago. I expected something similar to “XCOM: Enemy Unknown” (2012) and I got what I expected. The “old” XCOM (1994-1995) and the new XCOM (2012+) are just different games. They don’t have to be similar and I’m sure that their audience is pretty different too.

As you can see, this game isn’t about good graphics. It’s mostly about making the right tactical and strategic decisions. Good tactics can compensate for bad strategy and vice versa. It also does a good job at creating an emotional attachment between the players and their squads so any danger of losing one of your favorite soldiers can feel pretty terrifying. That’s an interesting way to make the game much darker and scarier and it’s the unifying feature of all tactical XCOM games no matter new or old.