I use Hugo, it’s not super complicated.
You basically just define templates in pseudo html for common content (header, nav panel, footer, etc), and then you write your articles in markdown and Hugo combines the two and outputs actual html files.
You also have a content folder for js, css, and images which get output as is.
That’s about all there is to it, it’s a pretty minimalist static site generator.
Hosting wise you can just put it on github pages for free.
Dunno why ppl are down voting you, this is 100% the way.
Architecture as code is amazing, being able to completely wipe your server, re-install fresh, and turn it on and it goes right back to how it was is awesome.
GitOps version controlled architecture is easy to maintain, easy to rollback, and easy to modify.
I use k8s for my entire homelab, it has some initial learning curve but once you “get it” and have working configs on github, it becomes so trivial to add more stuff to it, scale it up, etc.
Yup, I usually have it set to the slowest setting when typing.
I find I work much better and can think clearer while walking, as it keeps the blood flowing and makes me feel more awake and engaged.
If I have a tough problem I’m trying to work through I turn the speed up to a faster pace and sorta just work through it in my head while speed walking, often this helps a lot!
During meetings when I’m bored I also turn the speed up a bit.
I often get around 10k to 12k steps in a day now.
Note I don’t stay on the treadmill all day long, I usually clock a good 4 hours on it though.
Then I take a break and chill on the couch with my work laptop, usually I leave my more “chill” tasks like writing my tests for this part, and throw on some Netflix while I churn all my tests out.
Highly recommend it, I’ve lost a good 15ish lbs now in the past year since I started doing it, and I just generally feel a lot better, less depressed, less anxious :)
I have heard of jupyter but am not familiar with its nuances.
But doing python dev with neovim is very doable, it uses the same LSP I think.
I personally have a dedicated dev machine running debian that has everything on it, including nvim configured.
I SSH into my dev box from other machines to do work, because neovim is a TUI it “just works” over SSH inside the terminal itself, which is what I like about it.
It feels good to just tmuxinator my-project-name
And boom, 4 tmux tabs pop open ready to go in the terminal:
And I can just deep dive into working asap in just those 2 steps, it feels very smooth.
I often can even just do tmux a (short for attach) to just straight re-open whatever session I last had open in tmux, instantly jumping right back into where I left off.
I try and start using it for basic tasks, like note taking, to get used to its interface and basic commands like :w and :q, as well as switching between insert and cmd mode.
Once you are familiar with switching between modes, copying, pasting, etc, then you probably will wanna start learning its lua api and how to load in some QoL plugins. Basic stuff like treesitter, telescope, and nvim-tree are good places to start.
Once you feel comfortable with swapping between files with telescope and configuring plugins, I’d deep dive into getting an LSP up and running for your language of choice so you can actually code.
In the interim I’d recommend getting comfy with using tmux in your terminal, try and open new tmux tabs to do units of work instead of constantly cd-ing around.
I like to keep 4 tmux tabs open for a project:
From my experience the only big changes I’d say I made over time are:
1. Font size bumped up
2. Switched to neovim from visual studio, which took like a year to relearn my entire workflow (100% worth it though)
3. Switched from multiscreen setup to one single big screen (largely due to #2 above no longer needing a second screen, tmux+harpoon+telescope+fzf goes brrrr)
4. Switched to a standing desk with a treadmill, because I became able to afford a larger living space where I can fit such a setup.
If I were to do this meme though it’d mostly be #1, there just came a day when I had to pop open my settings and ++ the font size a couple times, that’s how I knew I was getting old.
Oh, Jesus, this is from January.
Yeah, we got issued an emergency alert to drop unnecessary power usage in Edmonton and there was a cool graph that EPCOR I believe posted later showing how Edmonton’s power usage dropped a shit tonne as people got the alert.
I think only a couple specific areas had brown outs, we definitely didn’t get them in my area.
As a senior dev, I’ve found “can the junior devs grok wtf I did/made” to be an excellent “did I overengineer?” litmus test.
A good implementation should be not too hard to explain to the juniors, and they should be able to “get it” in a single short 20-30 minute meeting at most.
If they are curious/interested and ask questions, that’s a good sign I made something useful and worthwhile.
If I get a lot of “I’m not sure I get it” and blank stares, I probably have overcomplicated the solution.
If that “ooooh, okay!” comes quickly, then we are good!
The automobile didn’t put cabbies out of jobs, it put horses out of work.
If anything it actually made demand for cabbies skyrocket, because now they could do the same job but way faster, so now they were more affordable and not just a service reserved for the wealthy.
In other words, expect that AI will increase demand for programmers exceptionally, as the bar for entry lowers.
An LLM still needs a “pilot” to “drive” it, and you need to still know code well enough to interpret the output and catch mistakes or hallucinations.
But typically when a field becomes more affordable, it goes up in demand, not down, because the target audience that can afford the service grows exponentially.
“But if it’s so easy to become a programmer now, what’s to stop people from just using ChatGPT and never hiring a programmer?”
Same reason people still, today, hire cabs even if they can drive themselves.
Convenience. Time is money and just because 1 person can do all the jobs of a company, doesn’t mean they physically have the time to do it.
I think the reason experienced devs tend to have minimalist websites that look like they are from the 90s, is because software devs aren’t UX experts.
At a senior level at large companies, someone else designs the look and figmas to make the site be pretty. I don’t do that shit.
I can do some basic stuff as a front end dev, but react has nothing to do with css animations and all the stuff you typically associate with a “pretty” website.
Reactive frameworks are just handy for updating the dom on a mutable website (ie forms, web socket stuff, data in out, pulling data from a db)
Blogs tend to be statically generated so there should be zero reason to use reactive frameworks anyways, unless you add something dynamic like perhaps a comment box folks can login to and leave comments/likes/shares etc. Loading those comments will prolly want a framework.
Aside from that, it’s mostly css to do fancy stuff.
You can’t “invoke logic via HTML attributes,”
Oh boy a semantic argument
Proceeds to describe how you can use HTMX to invoke logic via HTML attributes
Whatever you want to call it, trigger, invoke, whatever.
You can leverage HTML attributes to automatically cause arbitrary Javascript ajax calls to happen by extension of those attributes being present.
Trying to argue the semantics of this is stupid.
You put HTML attributes on shit, and the presence of those attributes in turn causes arbitrary Javascript client side logic to fire off purely due to the presence of those attributes.
That’s like, literally its entire shtick.
And any web dev who remotely understands the point of CSP and why it was created, should instantly have alarm bells going off at the concept of triggering arbitrary ajax via html attributes.
“HTMX doesn’t bypass CSP! It just (proceeds to describe the exact mechanism by which it bypasses CSP)”
It’s bonkers how many people don’t grok this, SMH.
I see you don’t understand what the word “if” means, and you also don’t understand modern js practices.
That’s like saying you “serve React client side” and “transpile JavaScript into more JavaScript.” Jesus, I feel like I’m taking crazy pills.
You don’t serve react client side, any junior dev is familiar with transpiling framework code to produce their website. Yes, you 100% transpile react code before serving it, the fact you don’t understand what I am talking about speaks volumes. It’s clear this whole time I’ve been having a discussion with someone who doesn’t even know the absolute bare minimum of day 1 front end dev. If you don’t understand how literally normal and industry standard something as basic as transpiling js is, you have literally zero business spreading info about something far more serious as HTMX.
You are in zero way qualified to be recommending anyone expose their websites to the security nightmare that is HTMX, stop spreading misinfo, stop encouraging devs to do something stupid, and go learn the basics of FE dev practices.
If you don’t understand the tools of the trade, stop spreading terrible info about them online.
Everything you have written in this entire thread has made everyone who has read it stupider and you have actively made the internet a worse place. You are a prime example of the exact thing that is wrong with web devs nowadays.
Go back to the drawing board, you have a LOT to learn still it sounds like.
I prefer just writing my html, js, css, as is, and then transpiling to pack it down, treeshake, hash, cache bust, CSP, etc etc.
The amount of headache, overhead, inversion of control, mess, and bloat involved in frameworks tends to make me spend way too much time on writing boilerplate.
template and slot exist now, and modern js can do most of the shit fancy libs used to.
There’s very little need for frameworks unless you need a SUPER dynamic website that has tonnes of mutability.
The amount of times I see people load in like 3 frameworks and 10mb of bullshit and ten js files to make a fucking static form that doesn’t even do anything fancy is insane.
Just fucking write the like… 8 lines of normal code to populate the form, wtf? Why are we using routers at all, HTTP already exists and does that, why did we re-invent http?
Front-end devs need to spend less time installing npm packages to try and magically solve their issues and just learn how to actually write code, SMH.
Just to be clear, are you talking about some kind of templating library that literally transpiles all the htmx logic and instead packs it into individual ajax logic in js files “per element”, such that you don’t need to serve htmx client side and instead you pre-transpile all the ajax logic out to separate files?
Cause the very start of my statements was that if we had something like that then HTMX would be fine, as a templating lib that transpiled out to html+js.
That you can CSP lockdown, because now you no longer are able to invoke arbitrary logic with html attributes, only the explicitly transpiled ajax can and all concepts of htmx have been actually removed from the final html+js you actually serve to the client.
If that is what you are talking about above, then please link me because that sounds awesome and is what HTMX oughta be, and would remove all of its security issues.
If that’s not what you are talking about, and you truly don’t understand the fact that you can’t compare an html element that triggers logic (which you can’t CSP block), to a script chunk that performs logic (which you can CSP block), then I think you do indeed need to go read up on and understand what the point of CSP is and why it was implemented in browsers.
The two are apples and oranges. HTML elements should not be capable of invoking logic arbitrarily, that violates a core principle of html.
That’s not broad enough.
If you in any way have functionality that handles anything remotely requiring security, do not use HTMX.
This goes way beyond “parameterized endpoints”.
Listen extremely closely and pray to God any dev with more than 2 brain cells groks how serious this vulnerability is:
HTMX enables arbitrary invocation of ANY api endpoint with cookies included, through html attributes, which inherently can’t be covered by Content Security Policy
This is deeply important for any web dev worth their salt to understand.
Sanitizing User input should be your LAST layer of defence against attack vectors. Not, NOT, your first and only
It’s supposed to be your “break in case of emergency” system, not your primary (and only remaining) defense layer.
why you didn’t properly sanitize user input
This is like someone pointing out that blowing a giant hole in the hull of your ship causes it to take on water, and you respond by asking “well why aren’t you bailing out the water with a bucket?”
You do understand why Content Security Policy exists, and what it is for… right?
“We don’t need a watertight ship hull for the voyage, just reinvent and implement a bunch of strapping young lads that 24/7 bail water out of the ship as it sails, it’s faster and more efficient than doing something crazy like building your ship to be secure and water tight.”
CSP allows you to whitelist/blacklist arbitrary Javascript, and ideally you completely blacklist online js from being executed at all, such that only .js files of same domain can be invoked by your website.
This serves the role of locking down injection attacks, only your explicitly approved Javascript can be invoked.
HTMX enables invoking of logic via HTML attributes on HTML elements… which CSP can’t cover
Which means you re-open yourself to injection attacks via HTML. Attackers can inject an HTML element with HTMX attributes and no amount of CSP will stop HTMX from going “Okey doke!” and invoking whatever the attributes say to do.
This effectively shoots even a completely locked down CSP config square in the nuts, totally defeating the entire point of using it.
It’s a cute idea but what is needed is a way to pre-emptively treat HTMX as a template file that transpiles everything out so the ajax happens in a separate .js file
If we had that, then it’d be safe and secure, as the whole “htmx attributes on elements” thing would just be a templating syntax, but when transpiled it wouldn’t be supported anymore so attackers can no longer inject html as an attack vector
Unfortunately it also kicks Content Security Policy square in the nuts and shoots a giant hole right through your website security, so if anyone on my team brings up using it I inform them it’s an instant security fail if we so much as touch it.
It’s a cute idea but horribly implemented. If your website has any security requirements, do not use htmx
Edit: the fact so many people have no idea about this and are downvoting is sad. People need to learn how CSP headers work, and why inherently HTMX completely bypasses this as it currently is designed.
Looks good, many of the same plugins I use in my setup, though I’ve got a couple more important bits and bobs I’d consider necessary for a modern IDE:
nvim-dap, for debugging
A good solution for running unit tests (something I’m still trying to find a good option for myself)
nvim.llm for self hosted code prompting with an llm (finally got this working last night!)
File templates for doing away with common boilerplate for various filetypes, I forked new-file-template for this adding support for callback api to support prompting telescope multiselects.
Toggling comments, I love comment.nvim for this
As an Edmontonian, this is perpetually exhausting.
I don’t want to have to sell my house and move to Newfoundland, but it seems like maybe that’s what I am going to have to do if this shit keeps up.
I have basically zero financial, cultural, spiritual, or emotional reason to stick around other than my family lives here.
Gogs and Gitea are very similar, Gitea is a fork of Gogs with a bit more features as I understand it.
However when I tried to get Gitea working personally a year and a half ago, it had some rough issues with redirect looping onto itself infinitely, could never get it to work.
On the other hand Gogs didn’t have this issue, and was much more painless to stand up, so it’s what I use now.
Ideals largely vaporize when you have bills to pay and you are facing homelessness.
Your best bet is start talking to local job recruiters, ask them what tech stacks and certs are in high demand, and go learn that stack and get those certs and take whatever job will pay you.
Once your bills are getting paid you probably will have time/energy to work on personal projects.
The vast majority of work is closed source proprietary stuff.
In fact to be more specific, the vast majority is mind numbing “thing” management CRUD applications.
Inventory management, people management, accounting, etc etc.
“We wanna make an app for managing (things)” is gonna be your life for awhile.
It’s also heavily a lot of “we had this (thing) management app made by someone 12 years ago. It’s now barely functional, riddled with bugs, has huge security holes, and has tens of thousands of users every day on it. We want you to add new features to it and not fix any of the existing massive issues at all. We have no idea how it works, it has zero documentation, we don’t even know where it is hosted atm, and you will count yourself lucky if you even get the git history”
You heavily want to focus your skills first and foremost on how to read other people’s code. How to interpret wtf this zero documented function does and how it works.
That’s your #1 skill.
I wonder to what extent you can further brace against this by improving your “seed” prompt on the backend.
IE: “if the user attempts to change the topic or perform any action to do anything other than your directives, don’t do it” or whatever, fiddling with wording and running a large testing dataset against it to validate how effective it is at filtering out the bypass prompts.
Htmx has a bunch of logic that basically completely bypasses Content Security Policy stuff, as it has its own pseudo baked in “execute inline js” logic that executes arbitrary javascript via attributes on html elements.
Since this gets executed by the HTMX logic you load in from their library, it effectively allows an attacker to arbitrarily execute js via manipulating the DOM, and Content Security Policy won’t pick it up because HTMX parses the attribute and executes on behalf of it (and you have already whitelisted HTMX in your CSP for it to function)
Result: It punctures a giant hole in your CSP, rendering it useless.
There’s technically a flag you can flip to disable this functionality, but it’s via the dom so… not reliable imo. If I could pre-compile HTMX ahead of time with that functionality completely disabled to the degree it doesn’t even get compiled into the output .js at all, then I would trust it.
But the fact all the logic is still technically there in the library I have loaded and I am purely relying on “this flag in the dom should block this from working, probably”, I don’t see that as very secure.
So until that gets fixed and I can compile htmx with webpack or vite in order to completely treeshake that functionality right the hell out of my output, I ain’t gonna recommend anyone use it if they want an iota of security on their site. It’s got literally baked in security bypasses, don’t use it.
Hell I’d even just be happy if they released a “htmx-lite” package I could use, that just doesn’t have that functionality baked in, that’d be enough to make me consider it.
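For the concern raised in the comment above, one way a site that loads htmx can layer its defences, as an added example that is not part of the original comment and is not htmx's own code. The htmx-config keys and hx-disable are htmx's documented options; the CSP values, the /js/htmx.min.js path and the helper names are assumptions made for this sketch.

```javascript
// Added example. Node.js, no dependencies. Helper names are hypothetical.

// Sent with every response. No 'unsafe-inline' and no 'unsafe-eval', so the
// browser refuses inline <script>, on* handlers, eval() and new Function().
function buildCsp() {
  return [
    "default-src 'none'",
    "script-src 'self'",   // only same-origin .js files may run
    "style-src 'self'",
    "img-src 'self'",
    // XHR/fetch (what htmx issues) may only target this origin. It does not
    // stop a request to a same-origin endpoint, so markup injection still
    // has to be prevented by the escaping below.
    "connect-src 'self'",
    "base-uri 'none'",
    "form-action 'self'",
    "frame-ancestors 'none'",
  ].join("; ");
}

// Emitted as <meta name="htmx-config">, which htmx reads at start-up.
const HTMX_CONFIG = {
  allowEval: false,              // turn off htmx features that rely on eval
  allowScriptTags: false,        // do not run <script> tags found in swapped content
  selfRequestsOnly: true,        // htmx itself refuses cross-origin requests
  includeIndicatorStyles: false, // htmx would otherwise inject an inline <style>
};

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Output encoding: untrusted text can never become an element or attribute.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// hx-disable makes htmx skip this element and its children; the escaping is
// what guarantees no hx-* attribute can be created inside it at all.
function renderComment(userText) {
  return `<li hx-disable>${escapeHtml(userText)}</li>`;
}

function renderPage(comments) {
  const meta =
    `<meta name="htmx-config" content="${escapeHtml(JSON.stringify(HTMX_CONFIG))}">`;
  return {
    headers: {
      "Content-Security-Policy": buildCsp(),
      "Content-Type": "text/html; charset=utf-8",
    },
    body:
      `<!doctype html><html><head>${meta}` +
      `<script src="/js/htmx.min.js"></script></head>` +
      `<body><ul>${comments.map(renderComment).join("")}</ul></body></html>`,
  };
}

// Constructed sample input: one ordinary comment, one carrying htmx markup.
const SAMPLE_COMMENTS = ["nice post!", '<div hx-get="/example"></div>'];
```

Rendering SAMPLE_COMMENTS yields the second comment as inert text (`&lt;div hx-get=...`), so there is no element for htmx to process.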
I’m not liking htmx, I checked it out, it seemed promising, but it has giant gaping security holes in it so I can’t endorse it.
I have been sticking to using Ejs with html-bundler-webpack
The combo is lightning fast and gives me a solid usability of html partials so I can modularize my front end in re-useable chunks.
It compiles to the static site fast for iterative development, it has everything I need baked in for common needs (minification, bundling, transpiling, cache busting, integrity, crossorigin, tree shaking, etc etc)
I like how it lets me just focus on actually writing the html + js + css and not have to muck around with thirty boilerplate steps to just make the app run.
If I need a lot of reactivity I’ll use vue or angular but I so so rarely need that.
And now with the template element, half the time reactivity can just be done with those.
Only time I actually need react/vue is when I have to frequently mutate/delete in the DOM.
But if I purely am additive, adding things to the DOM, template elements are plenty.
It’s hard to justify using anything other than JS or if you wanna be fancy, WebAssembly, for the FE.
Any other front end language involves generating Javascript from your language, which inevitably ends up with you making a weird Frankenstein project that mixes the two.
I’d rather just use stuff like Webpack or Vite to compile my JS front-end out of JS (or TS) from the start. It always ends up being a cleaner result.
My backend though can be whatever the fuck I want it to be.
But if you ever think dynamically compiling/transpiling a JS front end on the fly on demand is a good idea, instead of simply just delivering static pre-compiled/transpiled pages, you’re part of the problem for why the web is so slow and bloated.
It’s wild how crazy of projects people will build that take 3 entire seconds to just deliver a 500kb static form that doesn’t even need angular to do anything. They turn a couple hundred kb into several mb for no useful reason, it’s wild.
I was able to connect to the DB with Cloudbeaver, but it straight up wasn’t providing the diagram tab in the way the picture said it oughta. The example pic even specifically is using a postgres DB as its example!
I pretty much had the exact same view, but no diagram tab. Unfortunately the wiki article doesn’t go into much detail, it just says:
“(if the tab is not presented then the object does not support the diagram presentation)”
With no information provided further listing off what is, and is not, supported for diagram presentation.
Lack of documentation it seems, which is unfortunate. It seemed like it has potential but I spent a good 20 minutes fiddling with it, trying different configurations and settings, nothing made it start working and it seems like (as is the case on a few of these tools) the ERD tooling is often a bit of an afterthought and poorly supported.
Many of the tools are sql first, ERD… third? fourth? forgotten and lacking most features :(
Trying it out, the wiki says it has an ERD editor, but its documentation is kind of lacking.
Its example image here: https://github.com/dbeaver/cloudbeaver/wiki/Entity-Diagrams
Shows it interacting with a postgres database, but when I try the same I am not getting a Diagram tab. It’s also proving to be pretty awkward to try and work with.
So far best I have found is Azimutt, which is pretty close to what I want but its interface is lacking atm, and I couldn’t get it to successfully connect to my postgres database in the end (kept giving NOT FOUND errors even though I tested inside the docker image to validate the connection and it could indeed TCP the postgres database’s port)
It just sounds like Tim was no longer a developer and should have a manager title, as he was training and teaching and on boarding all the time.
If his title was no longer developer, because he wasn’t doing any development on his own, said metrics wouldn’t apply to him anymore, and the issue would be resolved in a reasonable way.
I’ve been looking for this for awhile too.
Not a locally run tool, but a self hosted web app (that I wire up to my self hosted db) that has a web portal I login to, and then can manage my db with a nice slick UI to define tables, relations, etc.
There’s been some I’ve found but they vastly lacked basic features and were clearly in very early beta.