diff --git a/.gitignore b/.gitignore
index 8edcbd04..4cefb1cf 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,113 @@
.hugo_build.lock
.vscode
+
+### Node ###
+# Logs
+logs
+*.log
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+lerna-debug.log*
+.pnpm-debug.log*
+
+# Dependency directories
+node_modules/
+jspm_packages/
+
+# Snowpack dependency directory (https://snowpack.dev/)
+web_modules/
+
+# TypeScript cache
+*.tsbuildinfo
+
+# Optional npm cache directory
+.npm
+
+# Optional eslint cache
+.eslintcache
+
+# Optional stylelint cache
+.stylelintcache
+
+# Microbundle cache
+.rpt2_cache/
+.rts2_cache_cjs/
+.rts2_cache_es/
+.rts2_cache_umd/
+
+# Optional REPL history
+.node_repl_history
+
+# Output of 'npm pack'
+*.tgz
+
+# Yarn Integrity file
+.yarn-integrity
+
+# dotenv environment variable files
+.env
+.env.development.local
+.env.test.local
+.env.production.local
+.env.local
+
+# parcel-bundler cache (https://parceljs.org/)
+.cache
+.parcel-cache
+
+# Next.js build output
+.next
+out
+
+# Nuxt.js build / generate output
+.nuxt
+dist
+
+# Gatsby files
+.cache/
+# Comment in the public line in if your project uses Gatsby and not Next.js
+# https://nextjs.org/blog/next-9-1#public-directory-support
+# public
+
+# vuepress build output
+.vuepress/dist
+
+# vuepress v2.x temp and cache directory
+.temp
+
+# Docusaurus cache and generated files
+.docusaurus
+
+# Serverless directories
+.serverless/
+
+# FuseBox cache
+.fusebox/
+
+# DynamoDB Local files
+.dynamodb/
+
+# TernJS port file
+.tern-port
+
+# Stores VSCode versions used for testing VSCode extensions
+.vscode-test
+
+# yarn v2
+.yarn/cache
+.yarn/unplugged
+.yarn/build-state.yml
+.yarn/install-state.gz
+.pnp.*
+
+### Node Patch ###
+# Serverless Webpack directories
+.webpack/
+
+# Optional stylelint cache
+
+# SvelteKit build / generate output
+.svelte-kit
+
+# End of https://www.toptal.com/developers/gitignore/api/hugo,node
diff --git a/.gitmodules b/.gitmodules
deleted file mode 100644
index cbbc36bc..00000000
--- a/.gitmodules
+++ /dev/null
@@ -1,3 +0,0 @@
-[submodule "themes/hugo-video"]
- path = themes/hugo-video
- url = https://github.com/martignoni/hugo-video.git
diff --git a/Makefile b/Makefile
index f2624f6d..aabd39e1 100644
--- a/Makefile
+++ b/Makefile
@@ -10,7 +10,8 @@ endif
.RECIPEPREFIX = >
build: clean
-> hugo
+> npm ci
+> hugo --minify
clean:
> rm -rf public/
@@ -19,9 +20,6 @@ clean:
server:
> hugo server --buildDrafts
-## index-pagefind: Not yet implemented
-index-pagefind:
-> npx pagefind --source "public"
## help: Print this help message
help:
diff --git a/archetypes/default.md b/archetypes/default.md
index 21255a18..82b2c5e7 100644
--- a/archetypes/default.md
+++ b/archetypes/default.md
@@ -1,35 +1,9 @@
---
-title: "{{ replace .TranslationBaseName "-" " " | title }}"
-date: {{ .Date }}
-lastmod: {{ .Date }}
+title: "{{ humanize .Name | title }}"
+date: "{{ .Date }}"
draft: true
-keywords: []
-description: ""
-tags: []
-categories: []
-author: ""
-
-# You can also close(false) or open(true) something for this content.
-# P.S. comment can only be closed
-comment: false
+comments: true
toc: false
-autoCollapseToc: false
-postMetaInFooter: false
-hiddenFromHomePage: false
-# You can also define another contentCopyright. e.g. contentCopyright: "This is another copyright."
-contentCopyright: false
-reward: false
-mathjax: false
-mathjaxEnableSingleDollar: false
-
-flowchartDiagrams:
- enable: false
- options: ""
-
-sequenceDiagrams:
- enable: false
- options: ""
-
---
diff --git a/assets/css/custom.css b/assets/css/custom.css
deleted file mode 100644
index 5c8be984..00000000
--- a/assets/css/custom.css
+++ /dev/null
@@ -1,15 +0,0 @@
-.hanchor {
- visibility: hidden;
- color: silver;
- font-size: 100%;
- transition: 0.2s;
- padding-left: 8px;
- font-weight: 600;
-}
-
-h2:hover a,
-h3:hover a,
-h4:hover a {
- visibility: visible;
- text-decoration: none;
-}
diff --git a/assets/jsconfig.json b/assets/jsconfig.json
new file mode 100644
index 00000000..05c9d2e1
--- /dev/null
+++ b/assets/jsconfig.json
@@ -0,0 +1,10 @@
+{
+ "compilerOptions": {
+ "baseUrl": ".",
+ "paths": {
+ "*": [
+ "../node_modules/prismjs/*"
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/config.yaml b/config.yaml
index 565f21e0..c7ac718b 100644
--- a/config.yaml
+++ b/config.yaml
@@ -1,67 +1,54 @@
-baseurl: /
-staticDir: static
+baseurl: "https://davegallant.ca"
languageCode: en-us
googleAnalytics: G-V8WJDERTX9
copyright: Dave Gallant
-preserveTaxonomyNames: true
-pygmentsstyle: nord
-pygmentscodefences: true
-pygmentscodefencesguesssyntax: true
-theme:
- - archie
- - hugo-video
-title: davegallant
params:
- mode: toggle
- useCDN: true
- subtitle: "A personal blog"
- mathjax: true
- katex: true
+ author: Dave Gallant
+ subtitle: Software Engineer
+ favicon: https://davegallant.ca/favicon.ico
- favicon: https://davegallant.ca/favicon.ico
+ logo:
+ text: davegallant.ca
+ url: /
- kofi:
-
- customcss:
- - css/custom.css
-
- social:
- - name: Email
- icon: at-sign
- url: 'mailto:me@davegallant.ca'
- - name: LinkTree
- icon: compass
- url: 'https://linktr.ee/davegallant'
- - name: GitHub
- icon: github
- url: 'https://github.com/davegallant'
- - name: Mastodon
- icon: speaker
- url: https://mastodon.social/@davegallant
- - name: LinkedIn
- icon: linkedin
- url: https://www.linkedin.com/in/dave-gallant/
-
- comments:
- utterances:
- enable: true
- issueTerm: "pathname"
- github:
- username: davegallant
- repository: davegallant.github.io
+ comments:
+ utterances:
+ enable: true
+ issueTerm: "pathname"
+ github:
+ username: davegallant
+ repository: davegallant.github.io
menu:
main:
- - name: Posts
- url: /
- weight: 1
- - name: About
- url: /about
- weight: 2
- name: RSS
url: /index.xml
- weight: 3
+ weight: 1
permalinks:
- post: '/blog/:year/:month/:day/:slug/'
+ post: "/blog/:year/:month/:day/:slug/"
+
+module:
+ imports:
+ - path: github.com/davegallant/hugo-theme-gruvbox
+ - path: github.com/schnerring/hugo-mod-json-resume
+ mounts:
+ - source: node_modules/simple-icons/icons
+ target: assets/simple-icons
+ - source: assets
+ target: assets
+ - source: layouts
+ target: layouts
+ - source: static
+ target: static
+ - source: node_modules/prismjs
+ target: assets/prismjs
+ - source: node_modules/prism-themes/themes
+ target: assets/prism-themes
+ - source: node_modules/typeface-fira-code/files
+ target: static/fonts
+ - source: node_modules/typeface-roboto-slab/files
+ target: static/fonts
+ - source: node_modules/@tabler/icons/icons
+ target: assets/tabler-icons
diff --git a/content/about.md b/content/about.md
deleted file mode 100644
index ebc034f4..00000000
--- a/content/about.md
+++ /dev/null
@@ -1,10 +0,0 @@
----
-title: About
-weight: -210
-disable_comments: true
-hide_date: true
----
-
-I'm a software tinkerer with a passion for infrastructure, tooling, security, and coffee.
-
-Feel free to reach out at [me@davegallant.ca](mailto:me@davegallant.ca).
diff --git a/content/post/appgate-sdp-on-arch-linux/index.md b/content/post/appgate-sdp-on-arch-linux/index.md
index 963ded33..8f676232 100644
--- a/content/post/appgate-sdp-on-arch-linux/index.md
+++ b/content/post/appgate-sdp-on-arch-linux/index.md
@@ -2,8 +2,7 @@
title: "AppGate SDP on Arch Linux"
date: 2020-03-16T22:00:15-04:00
draft: false
-keywords: ['linux', 'vpn']
-description: ""
+comments: true
tags: ['linux', 'vpn', 'python']
author: "Dave Gallant"
---
diff --git a/content/post/automatically-rotating-aws-keys/index.md b/content/post/automatically-rotating-aws-keys/index.md
index 9b494af6..6dff3a95 100644
--- a/content/post/automatically-rotating-aws-keys/index.md
+++ b/content/post/automatically-rotating-aws-keys/index.md
@@ -3,37 +3,10 @@ title: "Automatically rotating AWS access keys"
date: 2021-09-17T12:48:33-04:00
lastmod: 2021-09-17T12:48:33-04:00
draft: false
-keywords: []
-description: ""
+comments: true
tags: ['aws', 'python', 'security', 'aws-vault']
-categories: []
-author: ""
-
-# You can also close(false) or open(true) something for this content.
-# P.S. comment can only be closed
-comment: false
-toc: false
-autoCollapseToc: false
-postMetaInFooter: false
-hiddenFromHomePage: false
-# You can also define another contentCopyright. e.g. contentCopyright: "This is another copyright."
-contentCopyright: false
-reward: false
-mathjax: false
-mathjaxEnableSingleDollar: false
-
-flowchartDiagrams:
- enable: false
- options: ""
-
-sequenceDiagrams:
- enable: false
- options: ""
-
---
-
-
Rotating credentials is a security best practice. This morning, I read a question about automatically rotating AWS Access Keys without having to go through the hassle of navigating the AWS console. There are some existing solutions already, but I decided to write a [script](https://gist.github.com/davegallant/2c042686a78684a657fe99e20fa7a924#file-aws_access_key_rotator-py) since it was incredibly simple. The script could be packed up as a systemd/launchd service to continually rotate access keys in the background.
In the longer term, migrating my local workflows to [aws-vault](https://github.com/99designs/aws-vault) seems like a more secure solution. This would mean that credentials (even temporary session credentials) never have to be written in plaintext to disk (i.e. where [AWS suggests](https://docs.aws.amazon.com/sdkref/latest/guide/file-location.html)). Any existing applications, such as terraform, could be have their credentials passed to them from aws-vault, which retrieves them from the OS's secure keystore. There is even a [rotate command](https://github.com/99designs/aws-vault/blob/master/USAGE.md#rotating-credentials) included.
diff --git a/content/post/backing-up-gmail-with-synology/index.md b/content/post/backing-up-gmail-with-synology/index.md
index 5ba68c64..21eb747c 100644
--- a/content/post/backing-up-gmail-with-synology/index.md
+++ b/content/post/backing-up-gmail-with-synology/index.md
@@ -2,39 +2,14 @@
title: "Backing up gmail with Synology"
date: 2022-03-13T18:49:10-04:00
lastmod: 2022-03-13T18:49:10-04:00
+comments: true
draft: false
-keywords: []
-description: ""
-tags: ['degoogle', 'synology', 'gmail', 'backup', 'ransomware']
-categories: []
-author: ""
-
-# You can also close(false) or open(true) something for this content.
-# P.S. comment can only be closed
-comment: false
-toc: false
-autoCollapseToc: false
-postMetaInFooter: false
-hiddenFromHomePage: false
-# You can also define another contentCopyright. e.g. contentCopyright: "This is another copyright."
-contentCopyright: false
-reward: false
-mathjax: false
-mathjaxEnableSingleDollar: false
-
-flowchartDiagrams:
- enable: false
- options: ""
-
-sequenceDiagrams:
- enable: false
- options: ""
-
+tags: ["degoogle", "synology", "gmail", "backup", "ransomware"]
---
-
+I've used gmail since the beta launched touting a whopping 1GB of storage. I thought this was a massive leap in email technology at the time. I was lucky enough to get an invite fairly quickly. Not suprisingly, I have many years of emails, attachments, and photos. I certainly do not want to lose the content of many of these emails. Despite the redundancy of the data that Google secures, I still feel better retaining a copy of this data on my own physical machines.
- I've used gmail since the beta launched touting a whopping 1GB of storage. I thought this was a massive leap in email technology at the time. I was lucky enough to get an invite fairly quickly. Not suprisingly, I have many years of emails, attachments, and photos. I certainly do not want to lose the content of many of these emails. Despite the redundancy of the data that Google secures, I still feel better retaining a copy of this data on my own physical machines.
+
The thought of completely de-googling has crossed my mind on occassion. Convenience, coupled with my admiration for Google engineering, has prevented me from doing so thus far. Though, I may end up doing so at some point in the future.
@@ -42,7 +17,7 @@ The thought of completely de-googling has crossed my mind on occassion. Convenie
Synology products are reasonably priced for what you get (essentially a cloud-in-a-box) and there is very little maintenance required. I've recently been in interested in syncing and snapshotting my personal data. I've setup [Synology's Cloud Sync](https://www.synology.com/en-ca/dsm/feature/cloud_sync) and keep copies of most of my cloud data.
- I've used tools such as [gmvault](http://www.gmvault.org) with success in the past. Setting this up on a cron seems like a viable option. However, I don't really need a lot of the features it offers and do not plan to restore this data to another account.
+I've used tools such as [gmvault](http://www.gmvault.org) with success in the past. Setting this up on a cron seems like a viable option. However, I don't really need a lot of the features it offers and do not plan to restore this data to another account.
Synology's MailPlus seems to be a good candidate for backing up this data. By enabling POP3 fetching, it's possible to fetch all existing emails, as well as periodically fetch all new emails. If a disaster ever did occur, having these emails would be beneficial, as they are an extension of my memory bank.
@@ -62,7 +37,7 @@ After this, mail started coming in.
- After fetching 19 years worth of emails, I tried searching for some emails. It only took a few seconds to search through ~50K emails, which is a relief if I ever did have to search for something important.
+After fetching 19 years worth of emails, I tried searching for some emails. It only took a few seconds to search through ~50K emails, which is a relief if I ever did have to search for something important.
## Securing Synology
diff --git a/content/post/replacing-docker-with-podman-on-macos/index.md b/content/post/replacing-docker-with-podman-on-macos/index.md
index 29bf8537..da36721e 100644
--- a/content/post/replacing-docker-with-podman-on-macos/index.md
+++ b/content/post/replacing-docker-with-podman-on-macos/index.md
@@ -3,39 +3,14 @@ title: "Replacing docker with podman on macOS (and Linux)"
date: 2021-10-11T10:43:35-04:00
lastmod: 2021-10-11T10:43:35-04:00
draft: false
-keywords: []
-description: ""
-tags: ['docker', 'podman', 'containers']
-author: ""
-
-# You can also close(false) or open(true) something for this content.
-# P.S. comment can only be closed
-comment: false
-toc: false
-autoCollapseToc: false
-postMetaInFooter: false
-hiddenFromHomePage: false
-# You can also define another contentCopyright. e.g. contentCopyright: "This is another copyright."
-contentCopyright: false
-reward: false
-mathjax: false
-mathjaxEnableSingleDollar: false
-
-flowchartDiagrams:
- enable: false
- options: ""
-
-sequenceDiagrams:
- enable: false
- options: ""
-
+comments: true
+tags: ["docker", "podman", "containers"]
---
-
-
-
There are a number of reasons why you might want to replace docker, especially on macOS. The following feature bundled in Docker Desktop might have motivated you enough to consider replacing docker:
+
+
{{< tweet 1388586550682861568 >}}
Docker has been one of the larger influencers in the container world, helping to standardize the [OCI Image Format Specification](https://github.com/opencontainers/image-spec/blob/main/spec.md). For many developers, containers have become synonymous with terms like `docker` and `Dockerfile` (a file containing build instructions for a container image). Docker has certainly made it very convenient to build and run containers, but it is not the only solution for doing so.
@@ -85,7 +60,7 @@ Copying config sha256:14119a10abf4669e8cdbdff324a9f9605d99697215a0d21c360fe8dfa8
Writing manifest to image destination
Storing signatures
14119a10abf4669e8cdbdff324a9f9605d99697215a0d21c360fe8dfa8471bab
-````
+```
> If you're having an issue pulling images, you may need to remove `~/.docker/config.json` or remove the set of auths in the configuration as mentioned [here](https://stackoverflow.com/a/69121873/1191286).
@@ -118,7 +93,7 @@ alias docker=podman
### podman-compose
-You may be wondering: what about docker-compose? Well, there *claims* to be a drop-in replacement for it: [podman-compose](https://github.com/containers/podman-compose).
+You may be wondering: what about docker-compose? Well, there _claims_ to be a drop-in replacement for it: [podman-compose](https://github.com/containers/podman-compose).
```sh
pip3 install --user podman-compose
@@ -168,5 +143,4 @@ One caveat to mention is that there isn't an official graphical user interface f
> Update: After further usage, bind mounts do not seem to work out of the box when the client and host are on different machines. A rather involved solution using [sshfs](https://en.wikipedia.org/wiki/SSHFS) was shared [here](https://github.com/containers/podman/issues/8016#issuecomment-920015800).
-
I had been experimenting with Podman on Linux before writing this, but after listening to this [podcast episode](https://kubernetespodcast.com/episode/164-podman/), I was inspired to give Podman a try on macOS.
diff --git a/content/post/running-k3s-in-lxc-on-proxmox/index.md b/content/post/running-k3s-in-lxc-on-proxmox/index.md
index bba432d6..afa0893b 100644
--- a/content/post/running-k3s-in-lxc-on-proxmox/index.md
+++ b/content/post/running-k3s-in-lxc-on-proxmox/index.md
@@ -3,29 +3,8 @@ title: "Running K3s in LXC on Proxmox"
date: 2021-11-14T10:07:03-05:00
lastmod: 2021-11-14T10:07:03-05:00
draft: false
-keywords: []
-description: ""
+comments: true
tags: ["k3s", "proxmox", "lxc", "self-hosted"]
-categories: []
-author: ""
-
-comment: false
-toc: false
-autoCollapseToc: false
-postMetaInFooter: false
-hiddenFromHomePage: false
-contentCopyright: false
-reward: false
-mathjax: false
-mathjaxEnableSingleDollar: false
-
-flowchartDiagrams:
- enable: false
- options: ""
-
-sequenceDiagrams:
- enable: false
- options: ""
---
It has been a while since I've actively used Kubernetes and wanted to explore the evolution of tools such as [Helm](https://helm.sh) and [Tekton](https://tekton.dev). I decided to deploy [K3s](https://k3s.io), since I've had success with deploying it on resource-contrained Raspberry Pis in the past. I thought that this time it'd be convenient to have K3s running in a LXC container on Proxmox. This would allow for easy snapshotting of the entire Kubernetes deployment. LXC containers also provide an efficient way to use a machine's resources.
diff --git a/content/post/setting-up-gitea-actions-with-tailscale/index.md b/content/post/setting-up-gitea-actions-with-tailscale/index.md
index 7948cfa3..91b72353 100644
--- a/content/post/setting-up-gitea-actions-with-tailscale/index.md
+++ b/content/post/setting-up-gitea-actions-with-tailscale/index.md
@@ -1,40 +1,17 @@
---
title: "Setting up Gitea Actions with Tailscale"
date: 2023-12-10T17:22:11-05:00
+comments: true
lastmod: 2023-12-10T17:22:11-05:00
draft: false
-keywords: []
description: ""
tags: ["gitea", "gitea actions", "github actions", "tailscale", "self-hosted"]
-categories: []
-author: ""
-
-# You can also close(false) or open(true) something for this content.
-# P.S. comment can only be closed
-comment: false
-toc: false
-autoCollapseToc: false
-postMetaInFooter: false
-hiddenFromHomePage: false
-# You can also define another contentCopyright. e.g. contentCopyright: "This is another copyright."
-contentCopyright: false
-reward: false
-mathjax: false
-mathjaxEnableSingleDollar: false
-
-flowchartDiagrams:
- enable: false
- options: ""
-
-sequenceDiagrams:
- enable: false
- options: ""
---
-
-
In this post I'll go through the process of setting up Gitea Actions and [Tailscale](https://tailscale.com/), unlocking a simple and secure way to automate workflows.
+
+
## What is Gitea?
[Gitea](https://about.gitea.com/) is a lightweight and fast git server that has much of the same look and feel as github. I have been using it in my homelab to mirror repositories hosted on other platforms such as github and gitlab. These mirrors take advantage of the decentralized nature of git by serving as "backups". One of the main reasons I hadn't been using it more often was due to the lack of integrated CI/CD. This is no longer the case.
@@ -209,7 +186,7 @@ jobs:
And voilà:
-{{< video src="gitea-workflow" >}}
+{{< video poster="gitea-workflow" >}}
You may be wondering how the gitea runner is allowed to connect to the other hosts using ansible? Well, the nodes are in the same tailnet and have [tailscale ssh](https://tailscale.com/tailscale-ssh) enabled.
diff --git a/content/post/using-aks-and-socks-to-connect-to-a-private-azure-db/index.md b/content/post/using-aks-and-socks-to-connect-to-a-private-azure-db/index.md
index 7b70feac..85e12c1b 100644
--- a/content/post/using-aks-and-socks-to-connect-to-a-private-azure-db/index.md
+++ b/content/post/using-aks-and-socks-to-connect-to-a-private-azure-db/index.md
@@ -3,8 +3,7 @@ title: "Using AKS and SOCKS to connect to a private Azure DB"
date: 2023-05-22T16:31:29-04:00
lastmod: 2023-05-22T16:31:29-04:00
draft: false
-keywords: []
-description: ""
+comments: true
tags:
[
"aks",
@@ -20,36 +19,12 @@ tags:
"socat",
"socks",
]
-categories: []
-author: ""
-
-# You can also close(false) or open(true) something for this content.
-# P.S. comment can only be closed
-comment: false
-toc: false
-autoCollapseToc: false
-postMetaInFooter: false
-hiddenFromHomePage: false
-# You can also define another contentCopyright. e.g. contentCopyright: "This is another copyright."
-contentCopyright: false
-reward: false
-mathjax: false
-mathjaxEnableSingleDollar: false
-
-flowchartDiagrams:
- enable: false
- options: ""
-
-sequenceDiagrams:
- enable: false
- options: ""
---
+I ran into a roadblock recently where I wanted to be able to conveniently connect to a managed postgres database within Azure that was not running on public subnets. And by conveniently, I mean that I'd rather not have to spin up an ephemeral virtual machine running in the same network and proxy the connection, and I'd like to use a local client (preferably with a GUI). After several web searches, it became evident that Azure does not readily provide much tooling to support this.
+
-## The Problem
-
-I ran into a roadblock recently where I wanted to be able to conveniently connect to a managed postgres database within Azure that was not running on public subnets. And by conveniently, I mean that I'd rather not have to spin up an ephemeral virtual machine running in the same network and proxy the connection, and I'd like to use a local client (preferably with a GUI). After several web searches, it became evident that Azure does not readily provide much tooling to support this.
## Go Public?
diff --git a/content/post/virtualizing-a-router-with-pfsense/index.md b/content/post/virtualizing-a-router-with-pfsense/index.md
index 008944f1..6e790fcf 100644
--- a/content/post/virtualizing-a-router-with-pfsense/index.md
+++ b/content/post/virtualizing-a-router-with-pfsense/index.md
@@ -3,8 +3,7 @@ title: "Virtualizing my router with pfSense"
date: 2022-04-02T18:50:09-04:00
lastmod: 2022-04-02T18:50:09-04:00
draft: false
-keywords: []
-description: ""
+comments: true
tags:
[
"pfsense",
@@ -15,37 +14,12 @@ tags:
"vlan",
"self-hosted",
]
-categories: []
-author: ""
-
-# You can also close(false) or open(true) something for this content.
-# P.S. comment can only be closed
-comment: false
-toc: false
-autoCollapseToc: false
-postMetaInFooter: false
-hiddenFromHomePage: false
-# You can also define another contentCopyright. e.g. contentCopyright: "This is another copyright."
-contentCopyright: false
-reward: false
-mathjax: false
-mathjaxEnableSingleDollar: false
-
-flowchartDiagrams:
- enable: false
- options: ""
-
-sequenceDiagrams:
- enable: false
- options: ""
---
-
-
-## The problem
-
My aging router has been running [OpenWrt](https://en.wikipedia.org/wiki/OpenWrt) for years and for the most part has been quite reliable. OpenWrt is an open-source project used on embedded devices to route network traffic. It supports many different configurations and there exists a [large index of packages](https://openwrt.org/packages/index/start). Ever since I've connected some standalone wireless access points, I've had less of a need for an off-the-shelf all-in-one wireless router combo. I've also recently been experiencing instability with my router (likely the result of a combination of configuration tweaking and firmware updating). OpenWrt has served me well, but it is time to move on!
+
+
## pfSense
I figured this would be a good opportunity to try [pfSense](https://en.wikipedia.org/wiki/PfSense). I've heard nothing but positive things about pfSense and the fact it's been around since 2004, based on FreeBSD, and written in PHP gave me the impression that it would be relatively stable (and I'd expect nothing less because it has an important job to do!). pfSense can be run on many different machines, and there are even some [officially supported appliances](https://www.netgate.com/appliances). Since I already have a machine running Proxmox, why not just run it in a VM? It'd allow for automatic snapshotting of the machine. There is a good [video](https://www.youtube.com/watch?v=hdoBQNI_Ab8) on this by Techno Tim. Tim has a lot of good videos, and this one is about virtualizing pfSense.
diff --git a/content/post/watching-youtube-in-private/index.md b/content/post/watching-youtube-in-private/index.md
index 95434e46..e47a7f32 100644
--- a/content/post/watching-youtube-in-private/index.md
+++ b/content/post/watching-youtube-in-private/index.md
@@ -3,8 +3,7 @@ title: "Watching YouTube in private"
date: 2022-12-10T21:46:55-05:00
lastmod: 2022-12-10T21:46:55-05:00
draft: false
-keywords: []
-description: ""
+comments: true
tags:
[
"invidious",
@@ -15,35 +14,12 @@ tags:
"privacy",
"self-hosted",
]
-categories: []
-author: ""
-
-# You can also close(false) or open(true) something for this content.
-# P.S. comment can only be closed
-comment: false
-toc: false
-autoCollapseToc: false
-postMetaInFooter: false
-hiddenFromHomePage: false
-# You can also define another contentCopyright. e.g. contentCopyright: "This is another copyright."
-contentCopyright: false
-reward: false
-mathjax: false
-mathjaxEnableSingleDollar: false
-
-flowchartDiagrams:
- enable: false
- options: ""
-
-sequenceDiagrams:
- enable: false
- options: ""
---
-
-
I recently stumbled upon [yewtu.be](https://yewtu.be) and found it intriguing. It not only allows you to watch YouTube without _being on YouTube_, but it also allows you to create an account and subscribe to channels without a Google account. What sort of wizardry is going on under the hood? It turns out that it's a hosted instance of [invidious](https://invidious.io/).
+
+
The layout is simple, and **JavaScript is not required**.
diff --git a/content/post/what-to-do-with-a-homelab/index.md b/content/post/what-to-do-with-a-homelab/index.md
index daede185..eff2b36a 100644
--- a/content/post/what-to-do-with-a-homelab/index.md
+++ b/content/post/what-to-do-with-a-homelab/index.md
@@ -3,21 +3,7 @@ title: "What to do with a homelab"
date: 2021-09-06T01:12:54-04:00
lastmod: 2021-09-06T01:12:54-04:00
draft: false
-keywords: []
-description: ""
-tags:
- [
- "tailscale",
- "homelab",
- "netdata",
- "jellyfin",
- "plex",
- "pihole",
- "virtualization",
- "adguard",
- "grafana",
- "self-hosted",
- ]
+comments: true
author: "Dave Gallant"
---
diff --git a/content/post/why-i-threw-out-my-dotfiles/index.md b/content/post/why-i-threw-out-my-dotfiles/index.md
index c78b6861..30211843 100644
--- a/content/post/why-i-threw-out-my-dotfiles/index.md
+++ b/content/post/why-i-threw-out-my-dotfiles/index.md
@@ -3,37 +3,12 @@ title: "Why I threw out my dotfiles"
date: 2021-09-08T00:42:33-04:00
lastmod: 2021-09-08T00:42:33-04:00
draft: false
-keywords: []
-description: ""
+comments: true
tags: ['nix', 'dotfiles', 'home-manager']
-categories: []
-author: ""
-
-# You can also close(false) or open(true) something for this content.
-# P.S. comment can only be closed
-comment: false
-toc: false
-autoCollapseToc: false
-postMetaInFooter: false
-hiddenFromHomePage: false
-# You can also define another contentCopyright. e.g. contentCopyright: "This is another copyright."
-contentCopyright: false
-reward: false
-mathjax: false
-mathjaxEnableSingleDollar: false
-
-flowchartDiagrams:
- enable: false
- options: ""
-
-sequenceDiagrams:
- enable: false
- options: ""
-
---
+Over the years I have collected a number of dotfiles that I have shared across both Linux and macOS machines (`~/.zshrc`, `~/.config/git/config`, `~/.config/tmux/tmux.conf`, etc). I have tried several different ways to manage them, including [bare git repos](https://www.atlassian.com/git/tutorials/dotfiles) and utilities such as [GNU Stow](https://www.gnu.org/software/stow/). These solutions work well enough, but I have since found what I would consider a much better solution for organizing user configuration: [home-manager](https://github.com/nix-community/home-manager).
-Over the years I have collected a number of dotfiles that I have shared across both Linux and macOS machines (`~/.zshrc`, `~/.config/git/config`, `~/.config/tmux/tmux.conf`, etc). I have tried several different ways to manage them, including [bare git repos](https://www.atlassian.com/git/tutorials/dotfiles) and utilities such as [GNU Stow](https://www.gnu.org/software/stow/). These solutions work well enough, but I have since found what I would consider a much better solution for organizing user configuration: [home-manager](https://github.com/nix-community/home-manager).
## What is home-manager?
diff --git a/data/json_resume/en.json b/data/json_resume/en.json
new file mode 100644
index 00000000..dce4ceac
--- /dev/null
+++ b/data/json_resume/en.json
@@ -0,0 +1,27 @@
+{
+ "basics": {
+ "name": "Dave Gallant",
+ "label": "Software Engineer",
+ "image": "",
+ "email": "me@davegallant.ca",
+ "summary": "I'm a software tinkerer passionate about infra, security and self-hosting 👋.",
+ "profiles": [
+ {
+ "network": "LinkTree",
+ "url": "https://linktr.ee/davegallant"
+ },
+ {
+ "network": "GitHub",
+ "url": "https://github.com/davegallant"
+ },
+ {
+ "network": "Mastodon",
+ "url": "https://mastodon.social/@davegallant"
+ },
+ {
+ "network": "LinkedIn",
+ "url": "https://www.linkedin.com/in/dave-gallant"
+ }
+ ]
+ }
+}
diff --git a/go.mod b/go.mod
new file mode 100644
index 00000000..ebccffcd
--- /dev/null
+++ b/go.mod
@@ -0,0 +1,9 @@
+module davegallant.github.io
+
+go 1.21.5
+
+require (
+ github.com/davegallant/hugo-theme-gruvbox v0.0.0-20240102030224-3e3d39381e83 // indirect
+ github.com/schnerring/hugo-mod-json-resume v0.0.0-20231224014047-e651a547c19a // indirect
+ github.com/schnerring/hugo-theme-gruvbox v0.0.0-20231222001142-c40bfccc26fe // indirect
+)
diff --git a/go.sum b/go.sum
new file mode 100644
index 00000000..c4cb3a71
--- /dev/null
+++ b/go.sum
@@ -0,0 +1,6 @@
+github.com/davegallant/hugo-theme-gruvbox v0.0.0-20240102030224-3e3d39381e83 h1:1K2zeS/GlzUztodRODqVdT0L53So3oKQl2W6xv3hk3k=
+github.com/davegallant/hugo-theme-gruvbox v0.0.0-20240102030224-3e3d39381e83/go.mod h1:BQehNdf/SB/+bCc031OVsLECIgB9ZaN1dfUFKTeOIuo=
+github.com/schnerring/hugo-mod-json-resume v0.0.0-20231224014047-e651a547c19a h1:EZRiOf0iW5k9lycVv3LngzSsGUxDRszYS4U7ea2r8RY=
+github.com/schnerring/hugo-mod-json-resume v0.0.0-20231224014047-e651a547c19a/go.mod h1:5dixHC0WHu0w2Aqb8hsOCrIU1OBYr1w5Q6HZAmTub7Q=
+github.com/schnerring/hugo-theme-gruvbox v0.0.0-20231222001142-c40bfccc26fe h1:YFCe/83618UT24IqSn7Ka0TSSZ54BNvDJ7n0WzxWgsg=
+github.com/schnerring/hugo-theme-gruvbox v0.0.0-20231222001142-c40bfccc26fe/go.mod h1:ZEP0AB4v1k845Jmx9XmOY39CuR7Zud/owFh8wRGgeZg=
diff --git a/themes/archie/layouts/partials/comments.html b/layouts/partials/comments.html
similarity index 56%
rename from themes/archie/layouts/partials/comments.html
rename to layouts/partials/comments.html
index 167dc4a1..885ba2be 100644
--- a/themes/archie/layouts/partials/comments.html
+++ b/layouts/partials/comments.html
@@ -1,8 +1,17 @@
+
+
+
{{- $config := .Site.Params.comments -}}
{{- $utterancesEnabled := $config.utterances.enable -}}
-{{- if and ( $utterancesEnabled ) ( not .Params.disable_comments) -}}
+{{- if and ( $utterancesEnabled ) -}}
404 Page not found
This is not the page you're looking for.
About
- -I’m a software tinkerer with a passion for infrastructure, tooling, security, and coffee.
-Feel free to reach out at me@davegallant.ca.
-AppGate SDP on Arch Linux
AppGate SDP provides a Zero Trust network. This post describes how to get AppGate SDP
4.3.2working on Arch Linux.Depending on the AppGate SDP Server that is running, you may require a client that is more recent than the latest package on AUR. +As of right now, the latest AUR is
4.2.2-1.These steps highlight how to get it working with
Python3.8by making a 1 line modification to AppGate source code.Packaging#
We already know the community package is currently out of date, so let’s clone it:
You’ll likely notice that the version is not what we want, so let’s modify the
PKGBUILDto the following:Let’s first make sure we have some dependencies. If you do not have yay, check it out.
Now, let’s install it:
Running the client#
Ok, let’s run the client by executing
appgate.It complains about not being able to connect.
Easy fix:
Now we should be connected… but DNS is not working?
Fixing the DNS#
Running
resolvectlshould display that something is not right.Why is the DNS not being set by appgate?
It seems like python3 is required for the DNS setting to happen. -Let’s try to run it.
-Ok, let’s install it:
-Will it work now? Not yet. There’s another issue:
-This is a breaking change in Python3.8.
-So what is calling
-platform.linux_distribution?Let’s search for it:
-Aha! So this is in the local AppGate source code. This should be an easy fix. Let’s just replace this line with:
-Wrapping up
-It turns out there are breaking changes in Python3.8.
-The docs say
-Deprecated since version 3.5, will be removed in version 3.8: See alternative like the distro package.I suppose this highlights one of the caveats of relying upon the system’s python, rather than having an isolated, dedicated environment for all dependencies.
- - - - - -Ok, let’s install it:
Will it work now? Not yet. There’s another issue:
This is a breaking change in Python3.8.
So what is calling
platform.linux_distribution?Let’s search for it:
Aha! So this is in the local AppGate source code. This should be an easy fix. Let’s just replace this line with:
Wrapping up#
It turns out there are breaking changes in Python3.8.
The docs say
Deprecated since version 3.5, will be removed in version 3.8: See alternative like the distro package.I suppose this highlights one of the caveats of relying upon the system’s python, rather than having an isolated, dedicated environment for all dependencies.
What to do with a homelab
A homelab can be an inexpensive way to host a multitude of internal/external services and learn a lot in the process.
Do you want host your own Media server? Ad blocker? Web server? Are you interested in learning more about Linux? Virtualization? Networking? Security? -Building a homelab can be an entertaining playground to enhance your computer skills.
-One of the best parts about building a homelab is that it doesn’t have to be a large investment in terms of hardware. One of the simplest ways to build a homelab is out of a refurbished computer. -Having multiple machines/nodes provides the advantage of increased redundancy, but starting out with a single node is enough to reap many of the benefits of having a homelab.
-Virtualization#
-Virtualizing your hardware is an organized way of dividing up your machine’s resources. This can be done with something such as a Virtual Machine or something lighter like a container using LXC or runC. -Containers have much less overhead in terms of boot time and storage allocation. This Stack Overflow answer sums it up nicely.
-
-A hypervisor such as Proxmox can be installed in minutes on a new machine. It provides a web interface and a straight-forward way to spin up new VMs and containers. Even if your plan is to run mostly docker containers, Proxmox can be a useful abstraction for managing VMs, disks and running scheduled backups. You can even run docker within an LXC container by enabling nested virtualization. You’ll want to ensure that VT-d and VT-x are enabled in the BIOS if you decide to install a hypervisor to manage your virtualization.
-Services#
-So what are some useful services to deploy?
--- Jellyfin or Plex - basically a self-hosted Netflix that can be used to stream from multiple devices, and the best part is that you manage the content! Unlike Plex, Jellyfin is open source and can be found here.
-- changedetection - is a self-hosted equivalent to something like visualping.io that will notify you when a webpage changes and keep track of the diffs
-- Adguard or Pihole - can block a list of known trackers for all clients on your local network. I’ve used pihole for a long time, but have recently switched to Adguard since the UI is more modern and it has the ability to toggle on/off a pre-defined list of services, including Netflix (this is useful if you have stealthy young kids). Either of these will speed up your internet experience, simply because you won’t need to download all of the extra tracking bloat.
-- Gitea - A lightweight git server. I use this to mirror git repos from GitHub, GitLab, etc.
-- Homer - A customizable landing page for services you need to access (including the ability to quickly search).
-- Uptime Kuma - A fancy tool for monitoring the uptime of services.
-
-There is a large number of services you can self-host, including your own applications that you might be developing. awesome-self-hosted provides a curated list of services that might be of interest to you.
-VPN#
-You could certainly setup and manage your own VPN by using something like OpenVPN, but there is also something else you can try: tailscale. It is a very quick way to create fully-encrypted connections between clients. With its MagicDNS, your can reference the names of machines like
-homerrather than using an IP address. By using this mesh-like VPN, you can easily create a secure tunnel to your homelab from anywhere.Monitoring#
-
-Monitoring can become an important aspect of your homelab after it starts to become something that is relied upon. One of the simplest ways to setup some monitoring is using netdata. It can be installed on individual containers, VMs, and also a hypervisor (such as Proxmox). All of the monitoring works out of the box by detecting disks, memory, network interfaces, etc.
-Additionally, agents installed on different machines can all be centrally viewed in netdata, and it can alert you when some of your infrastructure is down or in a degraded state. Adding additional nodes to netdata is as simple as a 1-line shell command.
-As mentioned above, Uptime Kuma is a convenient way to track uptime and monitor the availability of your services.
-
-In Summary#
-Building out a homelab can be a rewarding experience and it doesn’t require buying a rack full of expensive servers to get a significant amount of utility. There are many services that you can run that require very minimal setup, making it possible to get a server up and running in a short period of time, with monitoring, and that can be securely connected to remotely.
- - - - - -One of the best parts about building a homelab is that it doesn’t have to be a large investment in terms of hardware. One of the simplest ways to build a homelab is out of a refurbished computer. +Having multiple machines/nodes provides the advantage of increased redundancy, but starting out with a single node is enough to reap many of the benefits of having a homelab.
Virtualization#
Virtualizing your hardware is an organized way of dividing up your machine’s resources. This can be done with something such as a Virtual Machine or something lighter like a container using LXC or runC. +Containers have much less overhead in terms of boot time and storage allocation. This Stack Overflow answer sums it up nicely.
A hypervisor such as Proxmox can be installed in minutes on a new machine. It provides a web interface and a straight-forward way to spin up new VMs and containers. Even if your plan is to run mostly docker containers, Proxmox can be a useful abstraction for managing VMs, disks and running scheduled backups. You can even run docker within an LXC container by enabling nested virtualization. You’ll want to ensure that VT-d and VT-x are enabled in the BIOS if you decide to install a hypervisor to manage your virtualization.
Services#
So what are some useful services to deploy?
There is a large number of services you can self-host, including your own applications that you might be developing. awesome-self-hosted provides a curated list of services that might be of interest to you.
VPN#
You could certainly setup and manage your own VPN by using something like OpenVPN, but there is also something else you can try: tailscale. It is a very quick way to create fully-encrypted connections between clients. With its MagicDNS, your can reference the names of machines like
homerrather than using an IP address. By using this mesh-like VPN, you can easily create a secure tunnel to your homelab from anywhere.Monitoring#
Monitoring can become an important aspect of your homelab after it starts to become something that is relied upon. One of the simplest ways to setup some monitoring is using netdata. It can be installed on individual containers, VMs, and also a hypervisor (such as Proxmox). All of the monitoring works out of the box by detecting disks, memory, network interfaces, etc.
Additionally, agents installed on different machines can all be centrally viewed in netdata, and it can alert you when some of your infrastructure is down or in a degraded state. Adding additional nodes to netdata is as simple as a 1-line shell command.
As mentioned above, Uptime Kuma is a convenient way to track uptime and monitor the availability of your services.
In Summary#
Building out a homelab can be a rewarding experience and it doesn’t require buying a rack full of expensive servers to get a significant amount of utility. There are many services that you can run that require very minimal setup, making it possible to get a server up and running in a short period of time, with monitoring, and that can be securely connected to remotely.
Why I threw out my dotfiles
Over the years I have collected a number of dotfiles that I have shared across both Linux and macOS machines (
~/.zshrc,~/.config/git/config,~/.config/tmux/tmux.conf, etc). I have tried several different ways to manage them, including bare git repos and utilities such as GNU Stow. These solutions work well enough, but I have since found what I would consider a much better solution for organizing user configuration: home-manager.What is home-manager?#
Before understanding home-manager, it is worth briefly discussing what nix is. nix is a package manager that originally spawned from a PhD thesis. Unlike other package managers, it uses symbolic links to keep track of the currently installed packages, keeping around the old ones in case you may want to rollback.
For example, I have used nix to install the package bind which includes
dig. You can see that it is available on multiple platforms. The absolute path ofdigcan be found by running:Notice that there is a hash included in the file path? This is a nix store path and is computed by the nix package manager. This nix pill does a good job explaining how this hash is computed. All of the nix pills are worth a read, if you are interested in learning more about nix itself. However, using home-manager does not require extensive knowledge of nix.
Part of the nix ecosystem includes nixpkgs. Many popular tools can be found already packaged in this repository. As you can see with these stats, there is a large number of existing packages that are being maintained by the community. Contributing a new package is easy, and anyone can do it!
home-manager leverages the nix package manager (and nixpkgs), as well the nix language so that you can declaratively define your system configuration. I store my nix-config in git so that I can keep track of my packages and configurations, and retain a clean and informative git commit history so that I can understand what changed and why.
Setting up home-manager#
The first thing you should do is install nix:
It’s generally not a good idea to curl and execute files from the internet (without verifying integrity), so you might want to download the install script first and take a look before executing it!
Open up a new shell in your terminal and running
nixshould work. If not, run. ~/.nix-profile/etc/profile.d/nix.shNow, install home-manager:
You should see a wave of
/nix/store/*paths being displayed on your screen.Now, to start off with a basic configuration, open up
~/.config/nixpkgs/home.nixin the editor of your choice and paste this in (you will want to changeuserNameandhomeDirectory):Save the file and run:
You should see another wave of
/nix/store/*paths. The new configuration should now be active.If you run
zsh, you should see that you have starship and access to several other utils such asrg,fd, andexa.This basic configuration above is also defining your
~/.config/git/configand.zshrc. If you already have either of these files, home-manager will complain about them already existing.If you run
cat ~/.zshrc, you will see the way these configuration files are generated.You can extend this configuration for programs such as (neo)vim, emacs, alacritty, ssh, etc. To see other programs, take a look at home-manager/modules/programs.
Gateway To Nix#
In ways, home-manager can be seen as a gateway to the nix ecosystem. If you have enjoyed the way you can declare user configuration with home-manager, you may be interested in expanding your configuration to include other system dependencies and configuration. For example, in Linux you can define your entire system’s configuration (including the kernel, kernel modules, networking, filesystems, etc) in nix. For macOS, there is nix-darwin that includes nix modules for configuring launchd, dock, and other preferences and services. You may also want to check out Nix Flakes: a more recent feature that allows you declare dependencies, and have them automatically pinned and hashed in
flake.lock, similar to that of many modern package managers.Wrapping up#
The title of this post is slightly misleading, since it’s possible to retain some of your dotfiles and have them intermingle with home-manager by including them alongside nix. The idea of defining user configuration using nix can provide a clean way to maintain your configuration, and allow it to be portable across platforms. Is it worth the effort to migrate away from shell scripts and dotfiles? I’d say so.
Automatically rotating AWS access keys
Rotating credentials is a security best practice. This morning, I read a question about automatically rotating AWS Access Keys without having to go through the hassle of navigating the AWS console. There are some existing solutions already, but I decided to write a script since it was incredibly simple. The script could be packed up as a systemd/launchd service to continually rotate access keys in the background.
In the longer term, migrating my local workflows to aws-vault seems like a more secure solution. This would mean that credentials (even temporary session credentials) never have to be written in plaintext to disk (i.e. where AWS suggests). Any existing applications, such as terraform, could be have their credentials passed to them from aws-vault, which retrieves them from the OS’s secure keystore. There is even a rotate command included.
Replacing docker with podman on macOS (and Linux)
There are a number of reasons why you might want to replace docker, especially on macOS. The following feature bundled in Docker Desktop might have motivated you enough to consider replacing docker:
Docker has been one of the larger influencers in the container world, helping to standardize the OCI Image Format Specification. For many developers, containers have become synonymous with terms like
dockerandDockerfile(a file containing build instructions for a container image). Docker has certainly made it very convenient to build and run containers, but it is not the only solution for doing so.This post briefly describes my experience swapping out docker for podman on macOS.
What is a container?#
A container is a standard unit of software that packages up all application dependencies within it. Multiple containers can be run on a host machine all sharing the same kernel as the host. Linux namespaces help provide an isolated view of the system, including mnt, pid, net, ipc, uid, cgroup, and time. There is an in-depth video that discusses what containers are made from, and near the end there is a demonstration on how to build your own containers from the command line.
By easily allowing the necessary dependencies to live alongside the application code, containers make the “works on my machine” problem less of a problem.
Benefits of Podman#
One of the most interesting features of Podman is that it is daemonless. There isn’t a process running on your system managing your containers. In contrast, the docker client is reliant upon the docker daemon (often running as root) to be able to build and run containers.
Podman is rootless by default. It is now possible to run the docker daemon rootless as well, but it’s still not the default behaviour.
I’ve also observed that so far my 2019 16" Macbook Pro hasn’t sounded like a jet engine, although I haven’t performed any disk-intensive operations yet.
Installing Podman#
Running Podman on macOS is more involved than on Linux, because the podman-machine must run Linux inside of a virtual machine. Fortunately, the installation is made simple with brew (read this if you’re installing Podman on Linux):
The podman-machine must be started:
Running a container#
Let’s try to pull an image:
and then run and exec into the container:
What does this error mean? A bit of searching lead to this github issue.
Until the fix is released, a workaround is to just specify a port (even when it’s not needed):
If you’re reading this from the future, there is a good chance specifying a port won’t be needed.
Another example of running a container with Podman can be found in the Jellyfin Documentation.
Aliasing docker with podman#
Force of habit (or other scripts) may have you calling
docker. To work around this:podman-compose#
You may be wondering: what about docker-compose? Well, there claims to be a drop-in replacement for it: podman-compose.
Now let’s create a
docker-compose.ymlfile to test:Now run:
This should more or less provide the same results you would come to expect with docker. The README does clearly state that podman-compose is under development.
Summary#
Installing Podman on macOS was not seamless, but it was manageable well within 30 minutes. I would recommend giving Podman a try to anyone who is unhappy with experiencing forced docker updates, or who is interested in using a more modern technology for running containers.
One caveat to mention is that there isn’t an official graphical user interface for Podman, but there is an open issue considering one. If you rely heavily on Docker Desktop’s UI, you may not be as interested in using podman yet.
I had been experimenting with Podman on Linux before writing this, but after listening to this podcast episode, I was inspired to give Podman a try on macOS.
Running K3s in LXC on Proxmox
It has been a while since I’ve actively used Kubernetes and wanted to explore the evolution of tools such as Helm and Tekton. I decided to deploy K3s, since I’ve had success with deploying it on resource-contrained Raspberry Pis in the past. I thought that this time it’d be convenient to have K3s running in a LXC container on Proxmox. This would allow for easy snapshotting of the entire Kubernetes deployment. LXC containers also provide an efficient way to use a machine’s resources.
What is K3s?#
K3s is a Kubernetes distro that advertises itself as a lightweight binary with a much smaller memory-footprint than traditional k8s. K3s is not a fork of k8s as it seeks to remain as close to upstream as it possibly can.
Configure Proxmox#
This gist contains snippets and discussion on how to deploy K3s in LXC on Proxmox. It mentions that
bridge-nf-call-iptablesshould be loaded, but I did not understand the benefit of doing this.Disable swap#
There is an issue on Kubernetes regarding swap here. There claims to be support for swap in 1.22, but for now let’s disable it:
It might be worth experimenting with swap enabled in the future to see how that might affect performance.
Enable IP Forwarding#
To avoid IP Forwarding issues with Traefik, run the following on the host:
Create LXC container#
Create an LXC container in the Proxmox interface as you normally would. Remember to:
unprivileged containerModify container config#
Now back on the host run
pct listto determine what VMID it was given.Open
/etc/pve/lxc/$VMID.confand append:All of the above configurations are described in the manpages. +Notice that
cgroup2is used since Proxmox VE 7.0 has switched to a pure cgroupv2 environment.Thankfully cgroup v2 support has been supported in k3s with these contributions:
Enable shared host mounts#
From within the container, run:
Install K3s#
One of the simplest ways to install K3s on a remote host is to use k3sup. Ensure that you supply a valid
-CONTAINER_IPand choose thek3s-versionyou prefer. -As of 2021/11, it is still defaulting to the 1.19 channel, so I overrode it to 1.22 for cgroup v2 support. See the published releases here.If all goes well, you should see a path to the
-kubeconfiggenerated. I moved this into~/.kube/configso that kubectl would read this by default.Wrapping up#
-Installing K3s in LXC on Proxmox works with a few tweaks to the default configuration. I later followed the Tekton’s Getting Started guide and was able to deploy it in a few commands.
-I made sure to install Tailscale in the container so that I can easily access K3s from anywhere.
-If I’m feeling adventurous, I might experiment with K3s rootless.
- - - - - - -If all goes well, you should see a path to the
kubeconfiggenerated. I moved this into~/.kube/configso that kubectl would read this by default.Wrapping up#
Installing K3s in LXC on Proxmox works with a few tweaks to the default configuration. I later followed the Tekton’s Getting Started guide and was able to deploy it in a few commands.
I made sure to install Tailscale in the container so that I can easily access K3s from anywhere.
If I’m feeling adventurous, I might experiment with K3s rootless.
Backing up gmail with Synology
I’ve used gmail since the beta launched touting a whopping 1GB of storage. I thought this was a massive leap in email technology at the time. I was lucky enough to get an invite fairly quickly. Not suprisingly, I have many years of emails, attachments, and photos. I certainly do not want to lose the content of many of these emails. Despite the redundancy of the data that Google secures, I still feel better retaining a copy of this data on my own physical machines.
The thought of completely de-googling has crossed my mind on occassion. Convenience, coupled with my admiration for Google engineering, has prevented me from doing so thus far. Though, I may end up doing so at some point in the future.
Synology MailPlus Server#
Synology products are reasonably priced for what you get (essentially a cloud-in-a-box) and there is very little maintenance required. I’ve recently been in interested in syncing and snapshotting my personal data. I’ve setup Synology’s Cloud Sync and keep copies of most of my cloud data.
I’ve used tools such as gmvault with success in the past. Setting this up on a cron seems like a viable option. However, I don’t really need a lot of the features it offers and do not plan to restore this data to another account.
Synology’s MailPlus seems to be a good candidate for backing up this data. By enabling POP3 fetching, it’s possible to fetch all existing emails, as well as periodically fetch all new emails. If a disaster ever did occur, having these emails would be beneficial, as they are an extension of my memory bank.
Installing MailPlus can be done from the Package Center:
Next, I went into Synology MailPlus Server and on the left, clicked on Account and ensured my user was marked as active.
Afterwords, I followed these instructions in order to start backing up emails.
When entering the POP3 credentials, I created an app password solely for authenticating to POP3 from the Synology device. This is required because I have 2-Step verification enabled on my account. There doesn’t seem to be a more secure way to access POP3 at the moment. It does seem like app password access is limited in scope (when MFA is enabled). These app passwords can’t be used to login to the main Google account.
I made sure to set the
Fetch RangetoAllin order to get all emails from the beginning of time.After this, mail started coming in.
After fetching 19 years worth of emails, I tried searching for some emails. It only took a few seconds to search through ~50K emails, which is a relief if I ever did have to search for something important.
Securing Synology#
Since Synology devices are not hermetically sealed, it’s best to secure them by enabling MFA to help prevent being the victim of ransomware. It is also wise to backup your system settings and volumes to the cloud using a tool such as Hyper Backup. +Encrypting your shared volumes should also be done, since unfortunately DSM does not support full disk encryption.
Summary#
Having backups of various forms of cloud data is a good investment, especially in times of war. I certainly feel more at ease for having backed up my emails.
Virtualizing my router with pfSense
My aging router has been running OpenWrt for years and for the most part has been quite reliable. OpenWrt is an open-source project used on embedded devices to route network traffic. It supports many different configurations and there exists a large index of packages. Ever since I’ve connected some standalone wireless access points, I’ve had less of a need for an off-the-shelf all-in-one wireless router combo. I’ve also recently been experiencing instability with my router (likely the result of a combination of configuration tweaking and firmware updating). OpenWrt has served me well, but it is time to move on!
pfSense#
I figured this would be a good opportunity to try pfSense. I’ve heard nothing but positive things about pfSense and the fact it’s been around since 2004, based on FreeBSD, and written in PHP gave me the impression that it would be relatively stable (and I’d expect nothing less because it has an important job to do!). pfSense can be run on many different machines, and there are even some officially supported appliances. Since I already have a machine running Proxmox, why not just run it in a VM? It’d allow for automatic snapshotting of the machine. There is a good video on this by Techno Tim. Tim has a lot of good videos, and this one is about virtualizing pfSense.
Router on a stick#
I had initially made the assumption that in order to build a router, you would need more than a single NIC (or a dual-port NIC) in order to support both WAN and LAN. This is simply not the case, because VLANs are awesome! In order to create a router, all you need is a single port NIC and a network switch that supports VLANs (also marketed as a managed switch). I picked up the Netgear GS308E because it has both a sufficient amount of ports for my needs, and it supports VLANs. It also has a nice sturdy metal frame which was a pleasant surprise.
After setting up this Netgear switch, it shoud be possible to access the web interface at http://192.168.0.239. It may be at a different address. To find the address, try checking your DHCP leases in your router interface (if you plugged it into an existing router). I realized I was unable to access this interface because I was on a different subnet, so I set my machine’s address to
192.168.0.22in order to temporarily setup this switch. I assigned a static ip address to the switch (inSystem > Switch Information) so that it was in the same subnet as the rest of my network.The web interface is nothing spectactular, but it allows for managing VLANs.
The following configuration will:
In the switch’s web interface, I went to
VLANand then802.1Q, and then clicked onVLAN Configuration. I configured the ports to look like this:Note that the
VLAN Identifier Settinghas been setup already with two VLANs (1 and 10). More VLANs can be created (i.e. to isolate IoT devices), but 2 VLANs is all we need for the initial setup of a router.To replicate the above configuration, add a new VLAN ID 10 (1 should exist by default).
Next, go into
VLAN Membershipand configure VLAN 1’s port membership to be the following:and then configure VLAN 10’s port membership to be the following:
Now, go into
Port PVIDand ensure that port 8 is set to PVID 10.This above configuration will dedicate two of the eight ports to WAN and LAN. This will allow the internet to flow into the pfSense from the modem.
Setting up pfSense#
pfSense is fairly easy to setup. Just download the latest ISO and boot up the virtual machine. +When setting up the machine, I mostly went with all of the defaults. Configuration can be changed later in the web interface, which is quite a bit simpler.
Since VLANs are going to be leveraged, when you go to
Assign Interfaces, VLANs should be setup now like the following:WANshould bevtnet0.10LANshould bevtnet0After going through the rest of the installation, if everything is connected correctly it should display both WAN and LAN addresses.
If all goes well, the web interface should be running at https://192.168.1.1.
And this is where the fun begins. There are many tutorials and blogs about how to setup pfSense and various services and packages that can be installed. I’ve already installed pfBlocker-NG.
Summary#
It is fairly simple to setup a router with pfSense from within a virtual machine. A physical dedicated routing machine is not necessary and often does not perform as well as software running on faster and more reliable hardware. So far, pfSense has been running for over a week without a single hiccup. pfSense is a mature piece of software that is incredibly powerful and flexible. To avoid some of the instability I had experienced with OpenWrt, I enabled AutoConfigBackup, which is capable of automatically backing up configuration upon every change. I plan to explore and experiment with more services and configuration in the future, so the ability to track all of these changes gives me the peace of mind that experimentation is safe.
Watching YouTube in private
I recently stumbled upon yewtu.be and found it intriguing. It not only allows you to watch YouTube without being on YouTube, but it also allows you to create an account and subscribe to channels without a Google account. What sort of wizardry is going on under the hood? It turns out that it’s a hosted instance of invidious.
The layout is simple, and JavaScript is not required.
I started using yewtu.be as my primary client for watching videos. I subscribe to several YouTube channels and I prefer the interface invidiuous provides due to its simplicity. It’s also nice to be in control of my search and watch history.
A few days ago, yewtu.be went down briefly, and that motivated me enough to self-host invidious. There are several other hosted instances listed here, but being able to easily backup my own instance (including subscriptions and watch history) is more compelling in my case.
Hosting invidious#
The quickest way to get invidious up is with docker-compose as mentioned in the docs.
I made a few modifications, and ended up with:
After invidious was up and running, I installed Tailscale on it to leverage its MagicDNS, and I’m now able to access this instance from anywhere at http://invidious:3000/feed/subscriptions.
Redirecting YouTube links#
I figured it would be nice to redirect existing YouTube links that others send me, so that I could seamlessly watch the videos using invidious.
I went looking for a way to redirect paths at the browser level. I found the lightweight proxy requestly, which can be used to modify http requests in my browser. I created the following rules:
Now the link https://www.youtube.com/watch?v=-lz30by8-sU will redirect to http://invidious:3000/watch?v=-lz30by8-sU
I’m still looking for ways to improve this invidious setup. There doesn’t appear to be a way to stream in 4K yet.
Using AKS and SOCKS to connect to a private Azure DB
I ran into a roadblock recently where I wanted to be able to conveniently connect to a managed postgres database within Azure that was not running on public subnets. And by conveniently, I mean that I’d rather not have to spin up an ephemeral virtual machine running in the same network and proxy the connection, and I’d like to use a local client (preferably with a GUI). After several web searches, it became evident that Azure does not readily provide much tooling to support this.
Go Public?#
Should the database be migrated to public subnets? Ideally not, since it is good practice to host internal infrastructure in restricted subnets.
How do others handle this?#
With GCP, connecting to a private db instance from any machine can be achieved with cloud-sql-proxy. This works by proxying requests from your machine to the SQL database instance in the cloud, while the authentication is handled by GCP’s IAM.
So what about Azure? Is there any solution that is as elegant as cloud-sql-proxy?
A Bastion#
Similar to what AWS has recommended, perhaps a bastion is the way forward?
Azure has a fully-managed service called Azure Bastion that provides secure access to virtual machines that do not have public IPs. This looks interesting, but unfortunately it costs money and requires an additional virtual machine.
Because this adds cost (and complexity), it does not seem like a desirable option in its current state. If it provided a more seamless connection to the database, it would be more appealing.
SOCKS#
SOCKS is a protocol that enables a way to proxy connections by exchanging network packets between the client and the server. There are many implementations and many readily available container images that can run a SOCKS server.
It’s possible to use this sort of proxy to connect to a private DB, but is it any simpler than using a virtual machine as a jumphost? It wasn’t until I stumbled upon kubectl-plugin-socks5-proxy that I was convinced that using SOCKS could be made simple.
So how does it work? By installing the kubectl plugin and then running
kubectl socks5-proxy, a SOCKS proxy server is spun up in a pod and then opens up port-forwarding session using kubectl.As you can see below, this k8s plugin is wrapped up nicely:
With the above proxy connection open, it is possible to access both the DNS and private IPs accessible within the k8s cluster. In this case, I am able to access the private database, since there is network connectivity between the k8s cluster and the database.
Caveats and Conclusion#
The above outlined solution makes some assumptions:
If these stars align, than this solution might work as a stopgap for accessing a private Azure DB (and I’m assuming this could work similarly on AWS).
It would be nice if Azure provided tooling similar to cloud-sql-proxy, so that using private databases would be more of a convenient experience.
One other thing to note is that some clients (such as dbeaver) do not provide DNS resolution over SOCKS. So in this case, you won’t be able to use DNS as if you were inside the cluster, but instead have to rely on knowing private ip addresses.
Setting up Gitea Actions with Tailscale
In this post I’ll go through the process of setting up Gitea Actions and Tailscale, unlocking a simple and secure way to automate workflows.
What is Gitea?#
Gitea is a lightweight and fast git server that has much of the same look and feel as github. I have been using it in my homelab to mirror repositories hosted on other platforms such as github and gitlab. These mirrors take advantage of the decentralized nature of git by serving as “backups”. One of the main reasons I hadn’t been using it more often was due to the lack of integrated CI/CD. This is no longer the case.
Gitea Actions#
Gitea Actions have made it into the 1.19.0 release. This feature had been in an experimental state up until 1.21.0 and is now enabled by default 🎉.
So what are they? If you’ve ever used GitHub Actions (and if you’re reading this, I imagine you have), these will look familiar. Gitea Actions essentially enable the ability to run github workflows on gitea. Workflows between gitea and github are not completely interopable, but a lot of the same workflow syntax is already compatible on gitea. You can find a documented list of unsupported workflows syntax.
Actions work by using a custom fork of nekos/act. Workflows run in a new container for every job. If you specify an action such as ‘actions/checkout@v3’, it defaults to downloading the scripts from github.com. To avoid internet egress, you could always clone the required actions to your local gitea instance.
Actions (gitea’s implementation) has me excited because it makes spinning up a network-isolated environment for workflow automation incredibly simple.
Integration with Tailscale#
So how does Tailscale help here? Well, more recently I’ve been exposing my self-hosted services through a combination of traefik and the tailscale (through the tailscale-traefik proxy integration described here). This allows for a nice looking dns name (i.e. gitea.my-tailnet-name.ts.net) and automatic tls certificate management. I can also share this tailscale node securely with other tailscale users without configuring any firewall rules on my router.
Deploying Gitea, Traefik, and Tailscale#
In my case, the following is already set up:
My preferred approach to deploying code in a homelab environment is with docker compose. I have deployed this in a proxmox lxc container based on debian with a hostname
gitea. This could be deployed in any environment and with any hostname (as long you updated the tailscale machine name to your preferred subdomain for magic dns).The
docker-compose.yamlfile looks like:traefik/data/traefik.yaml:and finally
traefik/data/dynamic/dynamic.yaml:Something to consider is whether or not you want to use ssh with git. One method to get this to work with containers is to use ssh container passthrough. I decided to keep it simple and not use ssh, since communicating over https is perfectly fine for my use case.
After adding the above configuration, running
docker compose up -dshould be enough to get an instance up and running. It will be accessible at https://gitea.my-tailnet-name.ts.net from within the tailnet.Connecting a Runner#
I installed the runner by following the docs. I opted for installing it on a separate host (another lxc container) as recommended in the docs. I used the systemd unit file to ensure that the runner comes back online after system reboots. I installed tailscale on this gitea runner as well, so that it can have the same “networking privileges” as the main instance.
After registering this runner and starting the daemon, it appeared in
/admin/actions/runners:Running a workflow#
Now it’s time start running some automation. I used the demo workflow as a starting point to verify that the runner is executing workflows.
After this, I wanted to make sure that some of my existing workflows could be migrated over.
The following workflow uses a matrix to run a job for several of my hosts using ansible playbooks that will do various tasks such as patching os updates and updating container images.
And voilà:
You may be wondering how the gitea runner is allowed to connect to the other hosts using ansible? Well, the nodes are in the same tailnet and have tailscale ssh enabled.
Areas for improvement#
One enhancement that I would like to see is the ability to send notifications on workflow failures. Currently, this doesn’t seem possible without adding logic to each workflow.
Conclusion#
Gitea Actions are fast and the resource footprint is minimal. My gitea instance is currently using around 250mb of memory and a small fraction of a single cpu core (and the runner is using a similar amount of resources). This is impressive since many alternatives tend to require substantially more resources. It likely helps that the codebase is largely written in go.
By combining gitea with the networking marvel that is tailscale, running workflows becomes simple and fun. Whether you are working on a team or working alone, this setup ensures that your workflows are securely accessible from anywhere with an internet connection.
Categories
404 Page not found
This is not the page you're looking for.
Categories
Tags
Setting up Gitea Actions with Tailscale
In this post I’ll go through the process of setting up Gitea Actions and Tailscale, unlocking a simple and secure way to automate workflows.
Using AKS and SOCKS to connect to a private Azure DB
I ran into a roadblock recently where I wanted to be able to conveniently connect to a managed postgres database within Azure that was not running on public subnets. And by conveniently, I mean that I’d rather not have to spin up an ephemeral virtual machine running in the same network and proxy the connection, and I’d like to use a local client (preferably with a GUI). After several web searches, it became evident that Azure does not readily provide much tooling to support this.
Watching YouTube in private
I recently stumbled upon yewtu.be and found it intriguing. It not only allows you to watch YouTube without being on YouTube, but it also allows you to create an account and subscribe to channels without a Google account. What sort of wizardry is going on under the hood? It turns out that it’s a hosted instance of invidious.
Virtualizing my router with pfSense
My aging router has been running OpenWrt for years and for the most part has been quite reliable. OpenWrt is an open-source project used on embedded devices to route network traffic. It supports many different configurations and there exists a large index of packages. Ever since I’ve connected some standalone wireless access points, I’ve had less of a need for an off-the-shelf all-in-one wireless router combo. I’ve also recently been experiencing instability with my router (likely the result of a combination of configuration tweaking and firmware updating). OpenWrt has served me well, but it is time to move on!
Backing up gmail with Synology
I’ve used gmail since the beta launched touting a whopping 1GB of storage. I thought this was a massive leap in email technology at the time. I was lucky enough to get an invite fairly quickly. Not suprisingly, I have many years of emails, attachments, and photos. I certainly do not want to lose the content of many of these emails. Despite the redundancy of the data that Google secures, I still feel better retaining a copy of this data on my own physical machines.
Running K3s in LXC on Proxmox
Replacing docker with podman on macOS (and Linux)
There are a number of reasons why you might want to replace docker, especially on macOS. The following feature bundled in Docker Desktop might have motivated you enough to consider replacing docker:
Automatically rotating AWS access keys
Why I threw out my dotfiles
Over the years I have collected a number of dotfiles that I have shared across both Linux and macOS machines (
~/.zshrc,~/.config/git/config,~/.config/tmux/tmux.conf, etc). I have tried several different ways to manage them, including bare git repos and utilities such as GNU Stow. These solutions work well enough, but I have since found what I would consider a much better solution for organizing user configuration: home-manager.What to do with a homelab
A homelab can be an inexpensive way to host a multitude of internal/external services and learn a lot in the process.
A personal blog
AppGate SDP on Arch Linux
- -- - - ← Prev - - - - - -
- - -AppGate SDP on Arch Linux
AppGate SDP provides a Zero Trust network. This post describes how to get AppGate SDP
4.3.2working on Arch Linux.Posts
Setting up Gitea Actions with Tailscale
In this post I’ll go through the process of setting up Gitea Actions and Tailscale, unlocking a simple and secure way to automate workflows.
Using AKS and SOCKS to connect to a private Azure DB
I ran into a roadblock recently where I wanted to be able to conveniently connect to a managed postgres database within Azure that was not running on public subnets. And by conveniently, I mean that I’d rather not have to spin up an ephemeral virtual machine running in the same network and proxy the connection, and I’d like to use a local client (preferably with a GUI). After several web searches, it became evident that Azure does not readily provide much tooling to support this.
Watching YouTube in private
I recently stumbled upon yewtu.be and found it intriguing. It not only allows you to watch YouTube without being on YouTube, but it also allows you to create an account and subscribe to channels without a Google account. What sort of wizardry is going on under the hood? It turns out that it’s a hosted instance of invidious.
Virtualizing my router with pfSense
My aging router has been running OpenWrt for years and for the most part has been quite reliable. OpenWrt is an open-source project used on embedded devices to route network traffic. It supports many different configurations and there exists a large index of packages. Ever since I’ve connected some standalone wireless access points, I’ve had less of a need for an off-the-shelf all-in-one wireless router combo. I’ve also recently been experiencing instability with my router (likely the result of a combination of configuration tweaking and firmware updating). OpenWrt has served me well, but it is time to move on!
Backing up gmail with Synology
I’ve used gmail since the beta launched touting a whopping 1GB of storage. I thought this was a massive leap in email technology at the time. I was lucky enough to get an invite fairly quickly. Not suprisingly, I have many years of emails, attachments, and photos. I certainly do not want to lose the content of many of these emails. Despite the redundancy of the data that Google secures, I still feel better retaining a copy of this data on my own physical machines.
Running K3s in LXC on Proxmox
Replacing docker with podman on macOS (and Linux)
There are a number of reasons why you might want to replace docker, especially on macOS. The following feature bundled in Docker Desktop might have motivated you enough to consider replacing docker:
Automatically rotating AWS access keys
Why I threw out my dotfiles
Over the years I have collected a number of dotfiles that I have shared across both Linux and macOS machines (
~/.zshrc,~/.config/git/config,~/.config/tmux/tmux.conf, etc). I have tried several different ways to manage them, including bare git repos and utilities such as GNU Stow. These solutions work well enough, but I have since found what I would consider a much better solution for organizing user configuration: home-manager.What to do with a homelab
A homelab can be an inexpensive way to host a multitude of internal/external services and learn a lot in the process.
Posts
AppGate SDP on Arch Linux
AppGate SDP provides a Zero Trust network. This post describes how to get AppGate SDP
4.3.2working on Arch Linux.Entries tagged - "adguard"
- - --
- What to do with a homelab Sep 6, 2021
-
- -aks
Using AKS and SOCKS to connect to a private Azure DB
I ran into a roadblock recently where I wanted to be able to conveniently connect to a managed postgres database within Azure that was not running on public subnets. And by conveniently, I mean that I’d rather not have to spin up an ephemeral virtual machine running in the same network and proxy the connection, and I’d like to use a local client (preferably with a GUI). After several web searches, it became evident that Azure does not readily provide much tooling to support this.
aws-vault
Automatically rotating AWS access keys
aws
Using AKS and SOCKS to connect to a private Azure DB
I ran into a roadblock recently where I wanted to be able to conveniently connect to a managed postgres database within Azure that was not running on public subnets. And by conveniently, I mean that I’d rather not have to spin up an ephemeral virtual machine running in the same network and proxy the connection, and I’d like to use a local client (preferably with a GUI). After several web searches, it became evident that Azure does not readily provide much tooling to support this.
Automatically rotating AWS access keys
azure
Using AKS and SOCKS to connect to a private Azure DB
I ran into a roadblock recently where I wanted to be able to conveniently connect to a managed postgres database within Azure that was not running on public subnets. And by conveniently, I mean that I’d rather not have to spin up an ephemeral virtual machine running in the same network and proxy the connection, and I’d like to use a local client (preferably with a GUI). After several web searches, it became evident that Azure does not readily provide much tooling to support this.
backup
Backing up gmail with Synology
I’ve used gmail since the beta launched touting a whopping 1GB of storage. I thought this was a massive leap in email technology at the time. I was lucky enough to get an invite fairly quickly. Not suprisingly, I have many years of emails, attachments, and photos. I certainly do not want to lose the content of many of these emails. Despite the redundancy of the data that Google secures, I still feel better retaining a copy of this data on my own physical machines.
bastion
Using AKS and SOCKS to connect to a private Azure DB
I ran into a roadblock recently where I wanted to be able to conveniently connect to a managed postgres database within Azure that was not running on public subnets. And by conveniently, I mean that I’d rather not have to spin up an ephemeral virtual machine running in the same network and proxy the connection, and I’d like to use a local client (preferably with a GUI). After several web searches, it became evident that Azure does not readily provide much tooling to support this.
cloud-sql-proxy
Using AKS and SOCKS to connect to a private Azure DB
I ran into a roadblock recently where I wanted to be able to conveniently connect to a managed postgres database within Azure that was not running on public subnets. And by conveniently, I mean that I’d rather not have to spin up an ephemeral virtual machine running in the same network and proxy the connection, and I’d like to use a local client (preferably with a GUI). After several web searches, it became evident that Azure does not readily provide much tooling to support this.
containers
Replacing docker with podman on macOS (and Linux)
There are a number of reasons why you might want to replace docker, especially on macOS. The following feature bundled in Docker Desktop might have motivated you enough to consider replacing docker:
database
Using AKS and SOCKS to connect to a private Azure DB
I ran into a roadblock recently where I wanted to be able to conveniently connect to a managed postgres database within Azure that was not running on public subnets. And by conveniently, I mean that I’d rather not have to spin up an ephemeral virtual machine running in the same network and proxy the connection, and I’d like to use a local client (preferably with a GUI). After several web searches, it became evident that Azure does not readily provide much tooling to support this.
degoogle
Watching YouTube in private
I recently stumbled upon yewtu.be and found it intriguing. It not only allows you to watch YouTube without being on YouTube, but it also allows you to create an account and subscribe to channels without a Google account. What sort of wizardry is going on under the hood? It turns out that it’s a hosted instance of invidious.
Backing up gmail with Synology
I’ve used gmail since the beta launched touting a whopping 1GB of storage. I thought this was a massive leap in email technology at the time. I was lucky enough to get an invite fairly quickly. Not suprisingly, I have many years of emails, attachments, and photos. I certainly do not want to lose the content of many of these emails. Despite the redundancy of the data that Google secures, I still feel better retaining a copy of this data on my own physical machines.
docker
Replacing docker with podman on macOS (and Linux)
There are a number of reasons why you might want to replace docker, especially on macOS. The following feature bundled in Docker Desktop might have motivated you enough to consider replacing docker:
dotfiles
Why I threw out my dotfiles
Over the years I have collected a number of dotfiles that I have shared across both Linux and macOS machines (
~/.zshrc,~/.config/git/config,~/.config/tmux/tmux.conf, etc). I have tried several different ways to manage them, including bare git repos and utilities such as GNU Stow. These solutions work well enough, but I have since found what I would consider a much better solution for organizing user configuration: home-manager.eks
Using AKS and SOCKS to connect to a private Azure DB
I ran into a roadblock recently where I wanted to be able to conveniently connect to a managed postgres database within Azure that was not running on public subnets. And by conveniently, I mean that I’d rather not have to spin up an ephemeral virtual machine running in the same network and proxy the connection, and I’d like to use a local client (preferably with a GUI). After several web searches, it became evident that Azure does not readily provide much tooling to support this.
gitea actions
Setting up Gitea Actions with Tailscale
In this post I’ll go through the process of setting up Gitea Actions and Tailscale, unlocking a simple and secure way to automate workflows.
gitea
Setting up Gitea Actions with Tailscale
In this post I’ll go through the process of setting up Gitea Actions and Tailscale, unlocking a simple and secure way to automate workflows.
github actions
Setting up Gitea Actions with Tailscale
In this post I’ll go through the process of setting up Gitea Actions and Tailscale, unlocking a simple and secure way to automate workflows.
gmail
Backing up gmail with Synology
I’ve used gmail since the beta launched touting a whopping 1GB of storage. I thought this was a massive leap in email technology at the time. I was lucky enough to get an invite fairly quickly. Not suprisingly, I have many years of emails, attachments, and photos. I certainly do not want to lose the content of many of these emails. Despite the redundancy of the data that Google secures, I still feel better retaining a copy of this data on my own physical machines.
Entries tagged - "grafana"
- - --
- What to do with a homelab Sep 6, 2021
-
- -home-manager
Why I threw out my dotfiles
Over the years I have collected a number of dotfiles that I have shared across both Linux and macOS machines (
~/.zshrc,~/.config/git/config,~/.config/tmux/tmux.conf, etc). I have tried several different ways to manage them, including bare git repos and utilities such as GNU Stow. These solutions work well enough, but I have since found what I would consider a much better solution for organizing user configuration: home-manager.Entries tagged - "homelab"
- - --
- What to do with a homelab Sep 6, 2021
-
- -Tags
gitea
gitea actions
github actions
self-hosted
tailscale
aks
aws
azure
bastion
cloud-sql-proxy
invidious
Watching YouTube in private
I recently stumbled upon yewtu.be and found it intriguing. It not only allows you to watch YouTube without being on YouTube, but it also allows you to create an account and subscribe to channels without a Google account. What sort of wizardry is going on under the hood? It turns out that it’s a hosted instance of invidious.
Entries tagged - "jellyfin"
- - --
- What to do with a homelab Sep 6, 2021
-
- -k3s
Running K3s in LXC on Proxmox
k8s
Using AKS and SOCKS to connect to a private Azure DB
I ran into a roadblock recently where I wanted to be able to conveniently connect to a managed postgres database within Azure that was not running on public subnets. And by conveniently, I mean that I’d rather not have to spin up an ephemeral virtual machine running in the same network and proxy the connection, and I’d like to use a local client (preferably with a GUI). After several web searches, it became evident that Azure does not readily provide much tooling to support this.
kubectl-plugin-socks5-proxy
Using AKS and SOCKS to connect to a private Azure DB
I ran into a roadblock recently where I wanted to be able to conveniently connect to a managed postgres database within Azure that was not running on public subnets. And by conveniently, I mean that I’d rather not have to spin up an ephemeral virtual machine running in the same network and proxy the connection, and I’d like to use a local client (preferably with a GUI). After several web searches, it became evident that Azure does not readily provide much tooling to support this.
linux
AppGate SDP on Arch Linux
AppGate SDP provides a Zero Trust network. This post describes how to get AppGate SDP
4.3.2working on Arch Linux.lxc
Running K3s in LXC on Proxmox
Entries tagged - "netdata"
- - --
- What to do with a homelab Sep 6, 2021
-
- -nix
Why I threw out my dotfiles
Over the years I have collected a number of dotfiles that I have shared across both Linux and macOS machines (
~/.zshrc,~/.config/git/config,~/.config/tmux/tmux.conf, etc). I have tried several different ways to manage them, including bare git repos and utilities such as GNU Stow. These solutions work well enough, but I have since found what I would consider a much better solution for organizing user configuration: home-manager.openwrt
Virtualizing my router with pfSense
My aging router has been running OpenWrt for years and for the most part has been quite reliable. OpenWrt is an open-source project used on embedded devices to route network traffic. It supports many different configurations and there exists a large index of packages. Ever since I’ve connected some standalone wireless access points, I’ve had less of a need for an off-the-shelf all-in-one wireless router combo. I’ve also recently been experiencing instability with my router (likely the result of a combination of configuration tweaking and firmware updating). OpenWrt has served me well, but it is time to move on!
Tags
database
eks
k8s
kubectl-plugin-socks5-proxy
proxy
socat
socks
degoogle
invidious
privacy
Tags
yewtu.be
youtube
openwrt
pfsense
proxmox
router
router-on-a-stick
vlan
backup
gmail
Tags
ransomware
synology
k3s
lxc
containers
docker
podman
aws-vault
python
security
Tags
dotfiles
home-manager
nix
linux
vpn
pfsense
Virtualizing my router with pfSense
My aging router has been running OpenWrt for years and for the most part has been quite reliable. OpenWrt is an open-source project used on embedded devices to route network traffic. It supports many different configurations and there exists a large index of packages. Ever since I’ve connected some standalone wireless access points, I’ve had less of a need for an off-the-shelf all-in-one wireless router combo. I’ve also recently been experiencing instability with my router (likely the result of a combination of configuration tweaking and firmware updating). OpenWrt has served me well, but it is time to move on!
Entries tagged - "pihole"
- - --
- What to do with a homelab Sep 6, 2021
-
- -Entries tagged - "plex"
- - --
- What to do with a homelab Sep 6, 2021
-
- -podman
Replacing docker with podman on macOS (and Linux)
There are a number of reasons why you might want to replace docker, especially on macOS. The following feature bundled in Docker Desktop might have motivated you enough to consider replacing docker:
privacy
Watching YouTube in private
I recently stumbled upon yewtu.be and found it intriguing. It not only allows you to watch YouTube without being on YouTube, but it also allows you to create an account and subscribe to channels without a Google account. What sort of wizardry is going on under the hood? It turns out that it’s a hosted instance of invidious.
proxmox
Virtualizing my router with pfSense
My aging router has been running OpenWrt for years and for the most part has been quite reliable. OpenWrt is an open-source project used on embedded devices to route network traffic. It supports many different configurations and there exists a large index of packages. Ever since I’ve connected some standalone wireless access points, I’ve had less of a need for an off-the-shelf all-in-one wireless router combo. I’ve also recently been experiencing instability with my router (likely the result of a combination of configuration tweaking and firmware updating). OpenWrt has served me well, but it is time to move on!
Running K3s in LXC on Proxmox
proxy
Using AKS and SOCKS to connect to a private Azure DB
I ran into a roadblock recently where I wanted to be able to conveniently connect to a managed postgres database within Azure that was not running on public subnets. And by conveniently, I mean that I’d rather not have to spin up an ephemeral virtual machine running in the same network and proxy the connection, and I’d like to use a local client (preferably with a GUI). After several web searches, it became evident that Azure does not readily provide much tooling to support this.
python
Automatically rotating AWS access keys
AppGate SDP on Arch Linux
AppGate SDP provides a Zero Trust network. This post describes how to get AppGate SDP
4.3.2working on Arch Linux.ransomware
Backing up gmail with Synology
I’ve used gmail since the beta launched touting a whopping 1GB of storage. I thought this was a massive leap in email technology at the time. I was lucky enough to get an invite fairly quickly. Not suprisingly, I have many years of emails, attachments, and photos. I certainly do not want to lose the content of many of these emails. Despite the redundancy of the data that Google secures, I still feel better retaining a copy of this data on my own physical machines.
router-on-a-stick
Virtualizing my router with pfSense
My aging router has been running OpenWrt for years and for the most part has been quite reliable. OpenWrt is an open-source project used on embedded devices to route network traffic. It supports many different configurations and there exists a large index of packages. Ever since I’ve connected some standalone wireless access points, I’ve had less of a need for an off-the-shelf all-in-one wireless router combo. I’ve also recently been experiencing instability with my router (likely the result of a combination of configuration tweaking and firmware updating). OpenWrt has served me well, but it is time to move on!
router
Virtualizing my router with pfSense
My aging router has been running OpenWrt for years and for the most part has been quite reliable. OpenWrt is an open-source project used on embedded devices to route network traffic. It supports many different configurations and there exists a large index of packages. Ever since I’ve connected some standalone wireless access points, I’ve had less of a need for an off-the-shelf all-in-one wireless router combo. I’ve also recently been experiencing instability with my router (likely the result of a combination of configuration tweaking and firmware updating). OpenWrt has served me well, but it is time to move on!
security
Automatically rotating AWS access keys
self-hosted
Setting up Gitea Actions with Tailscale
In this post I’ll go through the process of setting up Gitea Actions and Tailscale, unlocking a simple and secure way to automate workflows.
Watching YouTube in private
I recently stumbled upon yewtu.be and found it intriguing. It not only allows you to watch YouTube without being on YouTube, but it also allows you to create an account and subscribe to channels without a Google account. What sort of wizardry is going on under the hood? It turns out that it’s a hosted instance of invidious.
Virtualizing my router with pfSense
My aging router has been running OpenWrt for years and for the most part has been quite reliable. OpenWrt is an open-source project used on embedded devices to route network traffic. It supports many different configurations and there exists a large index of packages. Ever since I’ve connected some standalone wireless access points, I’ve had less of a need for an off-the-shelf all-in-one wireless router combo. I’ve also recently been experiencing instability with my router (likely the result of a combination of configuration tweaking and firmware updating). OpenWrt has served me well, but it is time to move on!
Running K3s in LXC on Proxmox
socat
Using AKS and SOCKS to connect to a private Azure DB
I ran into a roadblock recently where I wanted to be able to conveniently connect to a managed postgres database within Azure that was not running on public subnets. And by conveniently, I mean that I’d rather not have to spin up an ephemeral virtual machine running in the same network and proxy the connection, and I’d like to use a local client (preferably with a GUI). After several web searches, it became evident that Azure does not readily provide much tooling to support this.
socks
Using AKS and SOCKS to connect to a private Azure DB
I ran into a roadblock recently where I wanted to be able to conveniently connect to a managed postgres database within Azure that was not running on public subnets. And by conveniently, I mean that I’d rather not have to spin up an ephemeral virtual machine running in the same network and proxy the connection, and I’d like to use a local client (preferably with a GUI). After several web searches, it became evident that Azure does not readily provide much tooling to support this.
synology
Backing up gmail with Synology
I’ve used gmail since the beta launched touting a whopping 1GB of storage. I thought this was a massive leap in email technology at the time. I was lucky enough to get an invite fairly quickly. Not suprisingly, I have many years of emails, attachments, and photos. I certainly do not want to lose the content of many of these emails. Despite the redundancy of the data that Google secures, I still feel better retaining a copy of this data on my own physical machines.
tailscale
Setting up Gitea Actions with Tailscale
In this post I’ll go through the process of setting up Gitea Actions and Tailscale, unlocking a simple and secure way to automate workflows.
Watching YouTube in private
I recently stumbled upon yewtu.be and found it intriguing. It not only allows you to watch YouTube without being on YouTube, but it also allows you to create an account and subscribe to channels without a Google account. What sort of wizardry is going on under the hood? It turns out that it’s a hosted instance of invidious.
Entries tagged - "virtualization"
- - --
- What to do with a homelab Sep 6, 2021
-
- -vlan
Virtualizing my router with pfSense
My aging router has been running OpenWrt for years and for the most part has been quite reliable. OpenWrt is an open-source project used on embedded devices to route network traffic. It supports many different configurations and there exists a large index of packages. Ever since I’ve connected some standalone wireless access points, I’ve had less of a need for an off-the-shelf all-in-one wireless router combo. I’ve also recently been experiencing instability with my router (likely the result of a combination of configuration tweaking and firmware updating). OpenWrt has served me well, but it is time to move on!
vpn
AppGate SDP on Arch Linux
AppGate SDP provides a Zero Trust network. This post describes how to get AppGate SDP
4.3.2working on Arch Linux.yewtu.be
Watching YouTube in private
I recently stumbled upon yewtu.be and found it intriguing. It not only allows you to watch YouTube without being on YouTube, but it also allows you to create an account and subscribe to channels without a Google account. What sort of wizardry is going on under the hood? It turns out that it’s a hosted instance of invidious.
youtube
Watching YouTube in private
I recently stumbled upon yewtu.be and found it intriguing. It not only allows you to watch YouTube without being on YouTube, but it also allows you to create an account and subscribe to channels without a Google account. What sort of wizardry is going on under the hood? It turns out that it’s a hosted instance of invidious.
-
Entries tagged - "{{ .Data.Term }}"
-{{ else }} -All articles
-{{ end }} - -- {{- range .Data.Pages -}} - {{- if (not (in (.Site.Params.excludedTypes | default (slice "page")) .Type)) -}} --
- {{.Title}} {{ dateFormat "Jan 2, 2006" .Date }}{{ if .Draft }} DRAFT {{ end }}
-
- {{- end -}}
- {{- end -}}
-
-{{ end }} diff --git a/themes/archie/layouts/_default/single.html b/themes/archie/layouts/_default/single.html deleted file mode 100644 index 2d2e12e7..00000000 --- a/themes/archie/layouts/_default/single.html +++ /dev/null @@ -1,47 +0,0 @@ -{{ define "main" }} -{{ .Title }}
- {{ if not .Params.hide_date }} -Entries tagged - "{{ .Data.Term }}"
-{{ else }} -All articles
-{{ end }} - -- {{- range .Data.Pages -}} - {{- if (not (in (.Site.Params.excludedTypes | default (slice "page")) .Type)) -}} --
- {{.Title}} {{ dateFormat "Jan 2, 2006" .Date }}{{ if .Draft }} DRAFT {{ end }}
-
- {{- end -}}
- {{- end -}}
-
-{{ end }} diff --git a/themes/archie/layouts/_default/terms.html b/themes/archie/layouts/_default/terms.html deleted file mode 100644 index fea9c2f7..00000000 --- a/themes/archie/layouts/_default/terms.html +++ /dev/null @@ -1,20 +0,0 @@ -{{ define "main" }} -All tags
- -{{ $biggest := 1 }} -{{ $smallest := 1 }} -{{ $max := 3 }} -{{ $min := 1 }} -{{ $size := $min }} - -{{ $data := .Data }} -- {{ range $key, $value := .Data.Terms.ByCount }} - {{ $size := (add (mul (div $value.Count $biggest) (sub $max $min)) $min) }} - {{ $size := (cond (eq $biggest $smallest) $min $size) }} -- {{ $value.Name }}
- {{ end }}
-
-{{ .Site.Params.Subtitle | markdownify }}
- {{- end -}} -{{.Title}}
- -{{ template "partials/pagedescription.html" . }} -
- - {{ if $pag.HasPrev }} - ← Prev - {{ end }} - - - {{ if $pag.HasNext }} - Next → - {{ end }} - -
-{{ end }} diff --git a/themes/archie/layouts/shortcodes/callout.html b/themes/archie/layouts/shortcodes/callout.html deleted file mode 100644 index 5557aad6..00000000 --- a/themes/archie/layouts/shortcodes/callout.html +++ /dev/null @@ -1,6 +0,0 @@ - -