• Bazzite desktop impressions

    I’ve had the nicest time using a Linux desktop OS the last few days, so good I may make this my daily driver. For the first time this OS feels like it works better than Windows. Faster, cleaner. Also it feels like a coherent product in a way previous Linux desktops haven’t.

    I tried Bazzite 43, a Fedora variant intended for gaming. The GUI I’m using is KDE Plasma 6. Most of what I like about it seems to be the KDE + Fedora stuff. Bazzite adds on top of that a bunch of gaming apps pre-installed, working NVidia graphics drivers, and an atomic OS release system suitable for civilian use.

    I’m running this on an AMD desktop system with an NVidia 5060.

    First Impressions

    I was thrilled that stuff just worked out of the box. I installed it on an external USB drive. Key thing: my NVidia 5060 with a 6K HDR display just worked, first try! Even Windows can’t manage that. I could launch Steam and be playing games full speed in minutes.

    I also got an immediate impression that stuff Just Works in this Linux distribution. Windows 11 feels the weight of its history, lots of crufty hacks and weird brokenness. Bazzite felt fresh and new in a nice way. That honeymoon broke down once I got deeper into it but at least there’s a new set of bugs and there’s some hope of hacking your way around them.

    Graphics

    Linux desktop has come a long way. This is the first time I’ve used Wayland and it’s nice that stuff like font scaling, HDR, etc work correctly. And KDE Plasma is a remarkably coherent system.

    One particularly neat trick: I have two screens set at different scaling. If I drag a window across both it scales correctly, one side at 200% and one side at 250%. Windows can’t manage that.

    I did run into rough edges eventually. The Nvidia-open driver that’s the default works great on my 5060, but not on my old 1080 card. The proprietary Nvidia driver does work on the 1080 but isn’t identifying all the display modes it should find. I went deep down a rabbit hole of video mode hacking complete with programming video card dot clocks, like it was 1995. Ugh! I never did get it working. To be fair, the 1080 is nine years old now.

    Atomic Linux

    Fedora is a pretty solid Linux. I’ve never really used it, I went down the Debian / Ubuntu road instead. But it’s solid.

    What’s unusual about Bazzite is it is an atomic distribution. Instead of upgrading individual packages piecemeal you install one giant 5GB release that bundles kernel, important packages, graphics drivers, apps... everything you’d want. Then you can reboot to this new release, or roll back. There are tools for layering custom stuff on top of these releases but you are discouraged from doing that.

    If you want to add an application, Bazzite suggests you get a Flatpak from some online app store. These work great right until they don’t! You also have the option of running AppImages using GearLever, I use this for LM Studio.

    If you want Linux CLI tools or other low level stuff, Bazzite suggests using Homebrew and installing it just in your home directory. UGH! Homebrew is awful and is the main reason I switched away from MacOS all these years ago. Another option is distrobox, which gives you a nice container for Linux shell work.

    The problem I’ve run into with this model is some stuff just doesn’t work. The most pernicious is 1Password. It wants to run a persistent process storing state securely, then a browser extension talks to it. But this won’t work if 1Password is in one Flatpak container and the browser extension is in another container. I tried various hacks to get around it and it got really complicated. I can imagine someone adding a specific integration for this just for Bazzite, a bridge between containers, but no one has yet.

    Update: someone made the integration! This worked for me but 😬 at using something so hacky for something as important as my 1Password data store.

    Rollbacks are awfully nice though! I experienced this today. Bazzite 44 just came out so I tried it out only to find the graphics driver isn’t working right. Just one button to go back to yesterday’s 43 release, no drama.

    Customization

    A lot of personalization is nice on Bazzite but not everything is great.

    Changing hostname is surprisingly clunky! The default I got was computer. There’s no GUI for changing it!

    The keyboard function keys didn’t work as F keys out of the box. On my Apple keyboard they act like “media keys” and do things like screen brightness. There are various hack fixes for this, all involving the command line: there really should be a GUI for this.

    I’ve done a bunch of other customization: Input Remapper to remap Caps Lock to a script that opens clipboard content as web pages, tweaking the desktop to look just so, etc. It’s always fun for me to re-do this kind of setup, or at least every few years, and in general KDE Plasma is providing a good experience.

    Signal

    Shame on Signal, WTF is this warning? I tried using their instructions for the experimental “use kwallet6 to store secrets” and it seems to be working but I can’t be sure.

    Gaming

    It’s funny: I set up Bazzite and pretty much haven’t run any games. But they run great!

    One problem I’ve run into is the OS seems to use more GPU RAM. Some of it is wasted, like a virtual keyboard I’ve never used wants 400MB. Some of it is legit, Chrome has 600MB or more even with few tabs open, Discord wants another 250MB, Wayland itself needs a bunch. I’m using a bunch of Factorio mods that want 13GB of GPU RAM and I only have 16. This works fine on Windows but I’m having to close stuff to get it to run in Linux.

    The underlying problem is Windows is better at evicting apps from VRAM when a game wants the memory than Linux is. There’s some brand new work about a dmemcg-booster patch to the kernel to allow prioritizing certain processes for GPU memory. This sounds like a good thing. And necessary in the world of Electron bloat.

    Conclusion

    I like Bazzite enough it makes me want to use Linux as my daily OS. Windows has never been easy to love and seems worse lately. This KDE Plasma environment is good enough that there’s pleasure in making it work for me, not just frustration.

    I think I don’t want the Atomic OS though. It’s causing too many problems. And it makes perfect sense for a computer appliance, something like a SteamDeck or a gaming PC where you don’t want to tinker with the OS. But I’m tinkering with Linux all the time and am OK with the instability that comes from manually upgrading things myself. Well, I’m sorta OK with it. At least I prefer it to this set of jails that Bazzite is shoehorning everything into.

    So now I’m looking for some other distribution. Lead contenders are Kubuntu or else Fedora 44. Something that’s not atomic. I think I’d rather try a stock general Linux distro and then add a little bit of gaming stuff (graphics drivers, Steam app). Nobara is also interesting, another Fedora customized for gaming but this one isn’t packaged as an atomic distribution.

    Bazzite is a very nice product. And they have a lot of momentum. I’m very glad I tried it out and would definitely recommend it to someone who’s less of a tinkerer.

    Update: an Update

    Since writing this Bazzite 44 was released. And it was silently pushed to everyone running Bazzite 43. It’s been a confusing update and I think they need to rethink their update notification or policy. Some problems:

    • A serious NVidia driver bug that broke displays. Fixed in one day.
    • They removed the Sunshine that was installed and expect you to install it via Homebrew instead. Folks on Reddit are confused.
    • A MakeMKV flatpak was installed. Again folks on Reddit are confused / alarmed.

    I think it’s good that the Bazzite team is making new releases and changing features. But I’m not sure how to do that without confusing all the civilians who are just expecting their TV gaming box to work the same every day.

  • Secure Boot’s ongoing pain

    Microsoft invented this thing called “secure boot” whose ostensible purpose was to stop malware from installing in your boot loader, but whose actual function is to make it very difficult to use other operating systems on Wintel hardware. Here it is 2026 and I’m still struggling with it.

    First, to clear any illusions: secure boot, as deployed for the last 15 years, is a total sham. Every device had a security exploit that made it easy to defeat. Even better, pretty much every device trusted a key named DO NOT TRUST, right there on the whitelist in the BIOS. This key was compromised. Whatever apocalypse Secure Boot was supposed to protect us from didn’t happen, and a good thing too, since the tech didn’t happen either.

    What does happen is about once a year I try to do something with Secure Boot and Linux and get flummoxed. For a long time it was Proxmox VMs, I finally just gave up on secure boot in the VM BIOS. But I also have a problem with my old ASUS Z270-P BIOS, it doesn’t make it easy to disable secure boot. I’m not sure I even can, I’m supposed to do something scary about erasing boot keys and I’m scared I’ll leave it in a state where Windows won’t boot.

    So now I’m playing with Bazzite Linux, a Fedora variant, and it has some complicated crap involving MOK keys which aren’t real secure boot keys but some subsidiary of a Microsoft key. And it’s not working.

    Look at that! Turns out, old BIOS had like 64kb of static storage for secure keys. And Microsoft has put so many entries into it over the years that there’s no room left for operating systems from competing companies. Gosh, I wonder how that was allowed to happen?

    The “fix” is to go in the BIOS and either delete all the keys (scary)… or delete the DBX keys, which are a blacklist of all the compromised keys that Microsoft has revoked over the years. Well, however many will fit in 64kb. Anyway none of these are necessary so you can delete them. That leaves enough room for a legitimate operating system to enable itself to boot. Well, sorta…
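    Before deleting anything from the firmware's variable store it is worth knowing how big the dbx actually is. The following is an added example, not code from the post: it parses the EFI_SIGNATURE_LIST chain that db and dbx are made of (a type GUID, three UINT32 sizes, then fixed-size EFI_SIGNATURE_DATA entries) and reports the entry count and the share of a 64 KB store it consumes. On a Linux box it reads `/sys/firmware/efi/efivars/dbx-<GUID>`, stripping the 4-byte attribute prefix efivarfs adds; the sample dbx blob and its three digests are constructed so the script also runs offline.

```python
"""Size up a UEFI dbx (forbidden signatures) variable by parsing its
EFI_SIGNATURE_LIST structures. Added example, not from the post."""
import hashlib
import os
import struct
import uuid

# GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"
EFIVARS_DIR = "/sys/firmware/efi/efivars"
HEADER_LEN = 28  # 16-byte SignatureType GUID + three UINT32 size fields


def parse_signature_lists(blob):
    """Walk a chain of EFI_SIGNATURE_LISTs and return one dict per list."""
    lists, off = [], 0
    while off < len(blob):
        if len(blob) - off < HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < HEADER_LEN + hdr_size or off + list_size > len(blob) or sig_size <= 16:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        body = blob[off + HEADER_LEN + hdr_size: off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature body is not a multiple of SignatureSize")
        # Each entry is a 16-byte SignatureOwner GUID followed by the signature data.
        entries = [(uuid.UUID(bytes_le=body[i:i + 16]), body[i + 16:i + sig_size])
                   for i in range(0, len(body), sig_size)]
        lists.append({"type": sig_type, "size": list_size, "entries": entries})
        off += list_size
    return lists


def summarize(blob, store_bytes=64 * 1024):
    """Entry counts plus the fraction of a (default 64 KB) variable store used."""
    lists = parse_signature_lists(blob)
    sha256 = sum(len(l["entries"]) for l in lists if l["type"] == EFI_CERT_SHA256_GUID)
    x509 = sum(len(l["entries"]) for l in lists if l["type"] == EFI_CERT_X509_GUID)
    return {"lists": len(lists), "sha256_hashes": sha256, "x509_certs": x509,
            "bytes": len(blob), "store_fraction": round(len(blob) / store_bytes, 3)}


def read_efivar(name, guid=EFI_IMAGE_SECURITY_DATABASE_GUID, efivars=EFIVARS_DIR):
    """efivarfs prefixes every variable with 4 bytes of attribute flags; drop them."""
    with open(os.path.join(efivars, f"{name}-{guid}"), "rb") as f:
        return f.read()[4:]


def build_sha256_list(hashes, owner=uuid.UUID(int=0)):
    """Build one EFI_SIGNATURE_LIST of SHA-256 entries (only used for the sample)."""
    sig_size = 16 + 32
    list_size = HEADER_LEN + len(hashes) * sig_size
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", list_size, 0, sig_size)
    return header + b"".join(owner.bytes_le + h for h in hashes)


# Constructed sample: a dbx holding three revoked-binary hashes (fake digests).
SAMPLE_DBX = build_sha256_list([hashlib.sha256(b"revoked-%d" % i).digest() for i in range(3)])

if __name__ == "__main__":
    try:
        blob = read_efivar("dbx")      # real firmware variable when available
    except OSError:
        blob = SAMPLE_DBX              # offline fallback
    print(summarize(blob))
```

    The same parser applied to `db` (pass `"db"` to `read_efivar`) shows what remains trusted after a cleanup, which is the check to make before rebooting into a state you cannot easily undo.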

    I think this error means “you need to install our key to boot”. So now I’m off to boot a Linux system that is signed with an existing key and that has the tool to add this other key I need for Bazzite.

    What a complete farce.

  • Outgoing SMTP relay services

    Fiddlesticks. I had my somebits.com email all set up right. DKIM and SPF were working, I had a DMARC policy of rejecting unsigned email for three weeks with no problems. And then I broke my setup by cancelling Google Workspace.

    Now I’m back but sending email via SMTP2Go. Details below.

    I broke it

    Last year I set up somebits.com to be on Google Workspace for incoming and outgoing email. And then promptly forgot what I did. Last month I stopped using somebits.com for incoming email because it was not working right. Cloudflare’s email relaying seemed better. So I figured I could stop paying $8/mo for Google Workspace since I wasn’t receiving email.

    I forgot about sending email. Without Workspace, there’s no way to DKIM sign outgoing emails I send through Gmail. Gmail will still send email from @somebits.com but it won’t even try to sign them. That’s sort of OK, at least once I turned off my p=reject DMARC policy. But I like the idea of DKIM signed emails.

    The easy thing would have been to re-enable Google Workspace. But when you do that you get a notice about how things might not work right for 24 hours. Google’s stupid eventual consistency designs still biting me in the ass, 20 years later. Also I just don’t like Google Workspace, it’s a messy product and does way more than I want. Time for an alternative SMTP sender.

    SMTP relay services

    The trick is finding a reliable sending service that caters to small legitimate users. Clearly all the business is in helping spammers and marketers deliver bulk email. Not me!

    I asked several AIs what I should use. My main concerns are correctness of DKIM and SPF and a good reputation so I don’t get blocked along with a bunch of spam customers. Here’s a quick summary of what the AIs suggested:

    • SMTP2Go. Generous free tier of 1000 emails / month, supposedly forever. Good reputation, good service.
    • Brevo. Very generous free tier (9000 emails / month). But some question about reputation.
    • Postmark. The leader for correct + good reputation, in part because they segregate marketing email. But the free tier is only 100 messages a month. If I get to the point of needing to pay $15/mo to deliver email I’ll look at them again.
    • Forward Email. They came up as a relay for receiving mail too. The free tier doesn’t allow sending mail via the relay so I didn’t look further. OTOH $3/mo may cover me, worth a look again maybe.
    • MailerSend. Generous free tier (3000 emails/month). Didn’t look further.
    • Amazon SES. Not interested in the mire of AWS.
    • SendGrid / Twilio. Nah.
    • Mailgun. Seemed good but no real free plan.

    I wanted to use Cloudflare since I already use them for receiving email. They did finally launch their email sending service in public beta. But near as I can tell they don’t have an SMTP relay suitable for pointing Gmail at to deliver mail. It’s not really their goal, the purpose of their service is more backend stuff.

    Sorry for the half-ass evaluation, I was losing patience. I picked SMTP2Go based on what I saw.

    SMTP2Go

    So far so good with SMTP2Go. It’s pretty simple. You set up an account, tell them what domain you want to send mail as, then they give you three DNS records and you’re off to the races. One neat trick is the DNS records are all CNAMEs to their servers, no need to configure complex TXT records with nonces in them.

    I like their dashboard UI. You can set up different users, manage passwords, etc. It’s all overkill for my small use case but easy enough to work with. I appreciate the rapid view into sent email with logs and reporting and the like.

    One weird thing: smtp2go explicitly says you don’t need to set up an SPF record. Instead they are using something called VERP that involves a CNAME, see here for more detail. One of the test tools I tried complained about an SPF failure so I went ahead and added smtp2go as an authorized sender for my whole domain, which shut up that error.

  • Email receivers for testing

    I keep tinkering with my email setup. It’s very helpful to have an email address you can send messages to that gets you some diagnostics. Here are a few.

    Technical tools

    dmarctester aka learndmarc. A very cute interactive tool. A little cumbersome for quick testing but there’s a fast forward button. It shows results for SPF, DKIM, and DMARC. It does not show spam score nor the exact message it received.

    dkimvalidator: very barebones but good for basics of SPF, DKIM, DMARC. Shows original message front and center. A little hard to read but then again quite complete. I’ll note this flagged an SPF error where others didn’t. I’m not sure whether this tool doesn’t support the VERP that SMTP2Go uses or whether there’s a real problem. (The problem went away when I added a supposedly unnecessary SPF entry.)

    mxtoolbox has a responder on ping@tools.mxtoolbox.com. The email reply gives you basics (SPF, DKIM, DMARC) and you can click through for a nicely formatted detailed report. Not much marketing / reputation info. Does show you the exact message received.

    Marketing tools

    mail-tester.com. Nice mix of technical stuff (SPF/DKIM/DMARC) and content / marketing stuff. Shows your spamassassin score. Tells you if you’re on any major blocklists. Will show you original message. I like the way this tool looks.

    aboutmy.email. Marketing-oriented tool. Does tell you about SPF and DKIM, also Yahoo/Google requirements (like an unsubscribe link).

    Not useful

    check-auth@verifier.port25.com: this tool was great but recently stopped working (April 2026).

  • Another Twitter archive

    Since Twitter was destroyed it’s been frustrating losing access to all the stuff I wrote. X still allows you to download an archive of your own tweets, but then there’s the challenge of making the data useful.

    For a while now I’ve been using Julia’s tweet-archive. It works great but I never loved the styling. (I never tried to improve it, either.) You can see my archive in Julia’s thing here.

    Matt Haughey just vibe-coded up an alternative. I like the way it looks. It’s also got a couple of extra tricks. The code works with various old formats of Twitter exports. The Javascript has some nice functions like filtering by year. And it displays reply tweets, albeit not linked to what you’re replying to. You can see my archive in Matt’s thing here.

    Matt’s code worked out of the box for me but some of the path management and permissions are a little fiddly. Here’s what I did to get it working, from a Twitter archive I pulled just yesterday.

    # Download and prepare the files
    mkdir /tmp/t; cd /tmp/t
    unzip twitter-dump.zip
    git clone https://github.com/mathowie/tweet-search-archive
    # Clean up the repo a bit and link in the data
    cd tweet-search-archive
    rm -r tweets_media
    ln -s ../data/tweets.js .
    ln -s ../data/tweets_media .
    sed -i 's/Your Name/Nelson Minar/; s/yourhandle/nelson/' build.py
    # Build the archive
    python build.py
    # Copy the output to a web server and fix permissions
    cp -a tweet_search.html ../data/tweets_media ~/public_html/tmp/tweets/
    find ~/public_html/tmp/tweets/ -type d -exec chmod 0755 {} + -o -type f -exec chmod 0444 {} +

  • restic cheatsheet notes for myself

    I use Restic for backups. It’s great! But I forget how to use it, the usability for what I’m doing is not great. I’m using resticprofile as a CLI frontend. Last I looked backrest was a good option for a Web GUI: I should reconsider and switch.

    Anyway, some notes on the current setup on my personal Linux box with all my important files. (This is the host tt.)

    Configuration

    Important stuff is in /usr/local/etc/restic, including passwords (also in 1Password) and profiles.toml.

    / and /home/nelson are backed up locally to /mnt/backup/restic (another disk). /home/nelson is also backed up to BackBlaze emulating an S3 datastore in a bucket named “restic2”.

    (There are also backups for other hosts in Backblaze in other buckets and honestly I’ve forgotten what they are for! See below for the update.)

    Shell setup

    alias rp='/usr/local/bin/resticprofile --config /usr/local/etc/restic/profiles.toml'

    Look around

    rp profiles
    rp home.show
    rp home.snapshots
    rp home.mount /tmp/m

    Check metadata integrity

    rp home.check
    rp root.check
    rp bbhome.check

    Check local home backups are working by verifying 5% of the data

    rp home.check --read-data-subset=5%

    Check backblaze backups with read (note: slow)

    rp bbhome.check --read-data-subset=1%

    Maintenance (slow!)

    rp home.prune
    rp root.prune
    # rp bbhome.prune # may be expensive!

    Somebits.com backups (2026-05-11)

    My public server somebits.com backs up all of / to BackBlaze via Restic. The details are described in a 1Password note “Restic backup password for somebits.com”, which contains a TOML file for resticprofile and the necessary passwords and keys. I tested it today (May 11 2026) and the backup seems to be working.

    I also have rsnapshot backups of just /home configured. That doesn’t include /var/www or the important stuff in /etc.

  • Starlink handoff latency

    Starlink has a core design of changing to new satellites potentially every 15 seconds, exactly at 12, 27, 42, 57 seconds into the minute. Globally. Weird, huh?

    That pattern shows up in this ping tool. The yellow smears occur every 15 seconds and indicate brief periods of higher latency, like 200ms instead of 30ms. I’m surprised this is every 15 seconds, I thought the dish mostly stayed locked on one satellite for a few minutes at a time.
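    A 15-second periodicity pinned to fixed seconds of the minute is easy to confirm from a plain `ping -D` log rather than by eyeballing a heatmap. The script below is an added example, not the post's ping tool: it parses `ping -D` reply lines (epoch timestamp in brackets, `time=… ms`), buckets each RTT by second-of-minute modulo a 15-second period, and reports the phases whose median RTT is several times the baseline. The log lines are constructed to mimic the :12/:27/:42/:57 pattern described above; on a real capture you would feed in the output of `ping -D`.

```python
"""Find a periodic latency spike in `ping -D` output. Added example, not the
post's tool; the sample lines are constructed."""
import re
import statistics

# `ping -D` prints "[epoch.micros] 64 bytes from ...: icmp_seq=N ttl=T time=R ms"
PING_RE = re.compile(r"^\[(\d+(?:\.\d+)?)\].*\btime=([\d.]+) ms")


def parse_ping(lines):
    """Return (epoch_seconds, rtt_ms) tuples; lines that are not replies are skipped."""
    samples = []
    for line in lines:
        m = PING_RE.match(line)
        if m:
            samples.append((float(m.group(1)), float(m.group(2))))
    return samples


def phase_medians(samples, period=15):
    """Median RTT per phase, where phase = (second-of-minute) mod period."""
    buckets = {}
    for ts, rtt in samples:
        # epoch seconds mod 60 is the second within the minute, the same in every time zone
        buckets.setdefault(int(ts) % 60 % period, []).append(rtt)
    return {p: statistics.median(v) for p, v in sorted(buckets.items())}


def find_spike_phases(samples, period=15, ratio=3.0):
    """Phases whose median RTT is at least `ratio` times the median of all phases."""
    med = phase_medians(samples, period)
    baseline = statistics.median(med.values())
    return [p for p, m in med.items() if m >= ratio * baseline], baseline, med


def make_sample(start=1712345600, seconds=120, base=30.0, spike=200.0):
    """Constructed log: one reply per second, slow at :12/:27/:42/:57 like the post describes."""
    lines = []
    for i in range(seconds):
        ts = start + i
        rtt = spike if ts % 60 % 15 == 12 else base + (ts % 5) * 0.5
        lines.append(f"[{ts}.000] 64 bytes from 1.1.1.1: icmp_seq={i + 1} ttl=117 time={rtt:.1f} ms")
    lines.append("Request timeout for icmp_seq 999")  # a non-reply line, ignored by the parser
    return lines


SAMPLE_LINES = make_sample()

if __name__ == "__main__":
    spikes, baseline, med = find_spike_phases(parse_ping(SAMPLE_LINES))
    print(f"baseline {baseline:.1f} ms; slow phases (second-of-minute mod 15): {spikes}")
```

    Because the handoffs are aligned to wall-clock seconds, the phase number the script reports is the same on every dish, which is what makes the pattern recognisable as a Starlink schedule rather than local congestion.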

  • Gemini vs Google Keep

    I’m using Gemini 3 for all my AI queries. One thing that makes it better than ChatGPT for me is it has good integration with other Google products. The Gmail tool is particularly good, I am regularly using it now to ask complex queries about emails going back months.

    The Google Keep tool though is a total mess. It just doesn’t work and fails in exactly the way LLMs so often fail. It’ll say it can do something, then try to do it and fail, then tell you it succeeded. It’s too bad: Google Keep would be the perfect tool as a sort of external memory for my chats. In particular having Gemini write output notes to something I can then easily consult on my phone.

    The one thing the Keep integration seems to do reliably is append to a note. It can add content.

    Gemini thinks it is also capable of editing notes, and updating them, and deleting them.

    This is AI lies. The tool doesn’t seem able to do some of these things, particularly “Add & Update Content”. And it will say it updated something when in fact it hasn’t.

    Also other stuff just doesn’t work. I tried “delete all notes in Google Keep”. It then deleted 2 of the 3 notes I had and confidently told me it deleted all of them. Ugh.

    It’s too bad: I really like the idea of a notepad for Gemini to manage.

  • Slow network: rebooted switches

    Boring post for my own notes. My Internet got slow about 3 days ago, from the usual 100-400Mbps down to an average of 10-80Mbps. There was no increase in packet loss or latency. Rebooting the switches fixed it.

    No idea what went wrong. The problem started 2026-04-03 11:00Z, or about 3 in the morning here when Starlink sometimes reboots itself for a firmware update. So that was my first guess for the problem. I rebooted my router and Starlink and the problem persisted.

    Then I rebooted the simple unmanaged switches in my network. That fixed it. Real mystery, that. If I was stuck at 100Mbps I’d understand it was a link speed problem. If I had a lot of packet loss I’d blame a flaky switch or cable. But 40Mbps? No packet loss? No idea.

    Well one guess. My original round Starlink dish has some weird behavior about its ethernet port. I have it plugged into a switch rather than directly to my router because that helped stabilize it. So maybe Starlink rebooted itself and something went wrong with the link and only rebooting that switch fixed it? Total guess here.

    My real concern was Starlink throttling. They’ve added various cheaper metered plans lately. I’m on Residential Max so that shouldn’t apply to me.

  • Schwab vs. Cloudflare

    I have accounts at Schwab. Some of their email isn’t getting forwarded to me via Cloudflare, mail sent from @schwab.com. Some is, mail sent from @mail.schwab.com.

    The problem seems to be that schwab.com has an SPF record dictating strict rules about who can send mail as them and Cloudflare is obeying them.

    $ whois 205.220.171.227 | grep Organization
    Organization: Proofpoint, Inc. (PROOF)
    $ dig schwab.com TXT | grep -i spf
    schwab.com. 0 IN TXT "v=spf1 include:%{ir}.%{v}.%{d}.spf.has.pphosted.com -all"
    $ dig mail.schwab.com TXT | grep -i spf
    mail.schwab.com. 0 IN TXT "v=spf1 include:cust-spf.exacttarget.com -all"
    mail.schwab.com. 0 IN TXT "spf2.0/pra include:cust-senderid.exacttarget.com -all"

    It looks like the problem is at Proofpoint, their secure email system. schwab.com has an SPF record that says only Proofpoint is allowed to send mail as schwab.com and receivers should reject anything from a server not in Proofpoint’s list. But the IP address that sent the mail isn’t on that list, despite whois data saying it belongs to Proofpoint. Sure seems like their error but it’s not transient.

    The Schwab mail that is getting through is being sent from mail.schwab.com. That has a different SPF record for ExactTarget (Salesforce). They seem to be doing SPF correctly.
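    The schwab.com record above is the kind of SPF that surprises people: the include target is built from macros, so the receiver looks up a different hostname for every sending IP (`%{ir}` is the IP reversed, `%{v}` is `in-addr` or `ip6`, `%{d}` is the domain). The evaluator below is an added example, not code from the post or from Cloudflare: it expands RFC 7208 macros and walks `include:`, `ip4:`/`ip6:` and `all` against a stub DNS table so it runs offline. The schwab.com and mail.schwab.com records are the ones the dig output above shows; the Proofpoint and ExactTarget answers in the table are constructed stand-ins, with the 205.220.171.227 lookup deliberately returning nothing listed to reproduce the rejection described above. The same machinery is what the SPF testers in the email-receivers post above run, which is why a sender that relies on a CNAME-based scheme instead of a plain TXT record can show up as an SPF failure there.

```python
"""Offline SPF check with RFC 7208 macro expansion. Added example, not from the
post. schwab.com / mail.schwab.com records are from the post's dig output;
every other FAKE_DNS entry is constructed for the demo."""
import ipaddress
import re

FAKE_DNS = {
    # from the post
    "schwab.com": "v=spf1 include:%{ir}.%{v}.%{d}.spf.has.pphosted.com -all",
    "mail.schwab.com": "v=spf1 include:cust-spf.exacttarget.com -all",
    # constructed: the IP the post saw is NOT listed at Proofpoint ...
    "227.171.220.205.in-addr.schwab.com.spf.has.pphosted.com": "v=spf1 -all",
    # ... while a documentation-range IP is, and ExactTarget lists a /24
    "9.113.0.203.in-addr.schwab.com.spf.has.pphosted.com": "v=spf1 ip4:203.0.113.9 -all",
    "cust-spf.exacttarget.com": "v=spf1 ip4:198.51.100.0/24 -all",
}

MACRO_RE = re.compile(r"%\{([slodiv])(\d*)(r?)([.\-+,/_=]*)\}", re.IGNORECASE)
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def expand_macros(text, ip, domain, sender):
    """RFC 7208 section 7: %{s} sender, %{l} local part, %{o} sender domain,
    %{d} domain, %{i} IP (dotted nibbles for IPv6), %{v} in-addr/ip6;
    a digit limits to the rightmost N labels and 'r' reverses them."""
    addr = ipaddress.ip_address(ip)
    values = {
        "s": sender, "l": sender.rpartition("@")[0], "o": sender.rpartition("@")[2],
        "d": domain, "v": "in-addr" if addr.version == 4 else "ip6",
        "i": str(addr) if addr.version == 4 else ".".join(addr.exploded.replace(":", "")),
    }

    def repl(m):
        letter, digits, reverse, delims = m.groups()
        parts = re.split("[" + re.escape(delims or ".") + "]", values[letter.lower()])
        if reverse:
            parts.reverse()
        if digits:
            parts = parts[-int(digits):]
        return ".".join(parts)

    return MACRO_RE.sub(repl, text).replace("%_", " ").replace("%-", "%20").replace("%%", "%")


def check_host(ip, domain, sender, dns=FAKE_DNS, depth=0):
    """Evaluate ip against domain's SPF record: pass/fail/softfail/neutral/none/permerror."""
    if depth > 10:                      # simplified stand-in for the RFC's lookup limit
        return "permerror"
    record = dns.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            target = expand_macros(arg, ip, domain, sender)
            inner = check_host(ip, target, sender, dns, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"      # including a domain with no record is a permanent error
            matched = inner == "pass"
        else:
            return "permerror"          # a/mx/ptr/exists/redirect are not implemented here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # record exhausted without a match


if __name__ == "__main__":
    print(expand_macros("%{ir}.%{v}.%{d}.spf.has.pphosted.com",
                        "205.220.171.227", "schwab.com", "alerts@schwab.com"))
    for ip, dom in [("205.220.171.227", "schwab.com"), ("203.0.113.9", "schwab.com"),
                    ("198.51.100.7", "mail.schwab.com")]:
        print(ip, dom, check_host(ip, dom, f"alerts@{dom}"))
```

    Running the live check needs only the resolver swapped for real TXT lookups; the useful part for debugging a case like Schwab's is printing the expanded include name, since that is the exact hostname whose answer decides the verdict.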