dave/site
1
0
Fork 0
mirror of https://github.com/davegallant/davegallant.github.io.git synced 2025-08-06 08:43:40 +00:00
Code Issues Packages Projects Releases Wiki Activity

Switch to theme based on Archie

Browse Source
This commit is contained in:
Dave Gallant
2023-03-25 11:00:28 -04:00
parent f4f3f341c3
commit ade197054d
432 changed files with 14878 additions and 35404 deletions
Download Patch File Download Diff File Expand all files Collapse all files

545
public/blog/2021/09/06/what-to-do-with-a-homelab/index.html
View File

@@ -1,332 +1,105 @@
<!DOCTYPE html>
<html lang='en' dir='auto'><head>
<meta charset='utf-8'>
<meta name='viewport' content='width=device-width, initial-scale=1'>
<meta name='description' content='A homelab can be an inexpensive way to host a multitude of internal/external services and learn a lot in the process.'>
<meta name='theme-color' content='#8979b3'>
<html><head>
<meta charset="utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge"><title>What To Do With A Homelab - davegallant</title><link rel="icon" type="image/png" href=https://davegallant.ca/favicon.ico /><meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="A homelab can be an inexpensive way to host a multitude of internal/external services and learn a lot in the process." />
<meta property="og:image" content=""/>
<meta property="og:title" content="What To Do With A Homelab" />
<meta property="og:description" content="A homelab can be an inexpensive way to host a multitude of internal/external services and learn a lot in the process." />
<meta property="og:type" content="article" />
<meta property="og:url" content="/blog/2021/09/06/what-to-do-with-a-homelab/" /><meta property="article:section" content="post" />
<meta property="article:published_time" content="2021-09-06T01:12:54-04:00" />
<meta property="article:modified_time" content="2021-09-06T01:12:54-04:00" />
<meta name="twitter:card" content="summary"/>
<meta name="twitter:title" content="What To Do With A Homelab"/>
<meta name="twitter:description" content="A homelab can be an inexpensive way to host a multitude of internal/external services and learn a lot in the process."/>
<script src="https://cdn.jsdelivr.net/npm/feather-icons/dist/feather.min.js"></script>
<link href="https://fonts.googleapis.com/css2?family=IBM+Plex+Mono:ital,wght@1,500&display=swap" rel="stylesheet">
<link href="https://fonts.googleapis.com/css2?family=Fira+Sans&display=swap" rel="stylesheet">
<link href="https://fonts.googleapis.com/css?family=Roboto+Mono" rel="stylesheet">
<meta property='og:title' content='What To Do With A Homelab • davegallant'>
<meta property='og:description' content='A homelab can be an inexpensive way to host a multitude of internal/external services and learn a lot in the process.'>
<meta property='og:url' content='/blog/2021/09/06/what-to-do-with-a-homelab/'>
<meta property='og:site_name' content='davegallant'>
<meta property='og:type' content='article'><meta property='article:section' content='post'><meta property='article:tag' content='tailscale'><meta property='article:tag' content='homelab'><meta property='article:tag' content='netdata'><meta property='article:tag' content='jellyfin'><meta property='article:tag' content='plex'><meta property='article:tag' content='pihole'><meta property='article:tag' content='virtualization'><meta property='article:tag' content='adguard'><meta property='article:tag' content='grafana'><meta property='article:published_time' content='2021-09-06T01:12:54-04:00'/><meta property='article:modified_time' content='2021-09-06T01:12:54-04:00'/><meta name='twitter:card' content='summary'>
<meta name="generator" content="Hugo 0.108.0">
<title>What To Do With A Homelab • davegallant</title>
<link rel='canonical' href='/blog/2021/09/06/what-to-do-with-a-homelab/'>
<link rel='icon' href='/favicon.ico'>
<link rel='stylesheet' href='/assets/css/main.ab98e12b.css'><link rel='stylesheet' href='/css/custom.css'><style>
:root{--color-accent:#8979b3;}
</style>
<script type="application/javascript">
var doNotTrack = false;
if (!doNotTrack) {
window.ga=window.ga||function(){(ga.q=ga.q||[]).push(arguments)};ga.l=+new Date;
ga('create', 'UA-98710982-2', 'auto');
ga('send', 'pageview');
}
</script>
<script async src='https://www.google-analytics.com/analytics.js'></script>
<link rel="stylesheet" type="text/css" media="screen" href="/css/main.f7354ef8ed840429a37397307f3d9872782673d6b91d714b3f600b210d91fbaf.css" />
<link id="darkModeStyle" rel="stylesheet" type="text/css" href="/css/dark.726cd11ca6eb7c4f7d48eb420354f814e5c1b94281aaf8fd0511c1319f7f78a4.css" disabled />
<script type="text/javascript"
src="https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.1/MathJax.js?config=TeX-AMS-MML_HTMLorMML">
</script>
<script type="text/x-mathjax-config">
MathJax.Hub.Config({
tex2jax: {
inlineMath: [['$','$'], ['\\(','\\)']],
displayMath: [['$$','$$'], ['\[','\]']],
processEscapes: true,
processEnvironments: true,
skipTags: ['script', 'noscript', 'style', 'textarea', 'pre'],
TeX: { equationNumbers: { autoNumber: "AMS" },
extensions: ["AMSmath.js", "AMSsymbols.js"] }
}
});
</script>
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/katex@0.15.2/dist/katex.min.css">
<script defer src="https://cdn.jsdelivr.net/npm/katex@0.15.2/dist/katex.min.js"></script>
<script defer src="https://cdn.jsdelivr.net/npm/katex@0.15.2/dist/contrib/auto-render.min.js" onload="renderMathInElement(document.body);"></script>
<script>
document.addEventListener("DOMContentLoaded", function() {
renderMathInElement(document.body, {
delimiters: [
{left: "$$", right: "$$", display: true},
{left: "$", right: "$", display: false}
]
});
});
</script>
<link rel="stylesheet" type="text/css" href="/css/custom.2e59ff60a2d9c7e42e3c1af2aff0ba627da46f910a234867e98d178eb05c87dc.css">
</head>
<body class='page type-post has-sidebar'>
<div class='site'><div id='sidebar' class='sidebar'>
<a class='screen-reader-text' href='#main-menu'>Skip to Main Menu</a>
<div class='container'><section class='widget widget-about sep-after'>
<header>
<div class='logo'>
<a href='/'>
<img src='/images/logo.png'>
</a>
</div>
<h2 class='title site-title '>
<a href='/'>
davegallant
</a>
</h2>
<div class='desc'>
personal blog
</div>
</header>
</section>
<section class='widget widget-taxonomy_cloud sep-after'>
<header>
<h4 class='title widget-title'>Tags</h4>
</header>
<div class='container list-container'>
<ul class='list taxonomy-cloud'><li>
<a href='/tags/adguard/' style='font-size:1em'>adguard</a>
</li><li>
<a href='/tags/aws/' style='font-size:1em'>aws</a>
</li><li>
<a href='/tags/aws-vault/' style='font-size:1em'>aws-vault</a>
</li><li>
<a href='/tags/backup/' style='font-size:1em'>backup</a>
</li><li>
<a href='/tags/containers/' style='font-size:1em'>containers</a>
</li><li>
<a href='/tags/degoogle/' style='font-size:2em'>degoogle</a>
</li><li>
<a href='/tags/docker/' style='font-size:1em'>docker</a>
</li><li>
<a href='/tags/dotfiles/' style='font-size:1em'>dotfiles</a>
</li><li>
<a href='/tags/gmail/' style='font-size:1em'>gmail</a>
</li><li>
<a href='/tags/grafana/' style='font-size:1em'>grafana</a>
</li><li>
<a href='/tags/home-manager/' style='font-size:1em'>home-manager</a>
</li><li>
<a href='/tags/homelab/' style='font-size:1em'>homelab</a>
</li><li>
<a href='/tags/invidious/' style='font-size:1em'>invidious</a>
</li><li>
<a href='/tags/jellyfin/' style='font-size:1em'>jellyfin</a>
</li><li>
<a href='/tags/k3s/' style='font-size:1em'>k3s</a>
</li><li>
<a href='/tags/linux/' style='font-size:1em'>linux</a>
</li><li>
<a href='/tags/lxc/' style='font-size:1em'>lxc</a>
</li><li>
<a href='/tags/netdata/' style='font-size:1em'>netdata</a>
</li><li>
<a href='/tags/nix/' style='font-size:1em'>nix</a>
</li><li>
<a href='/tags/openwrt/' style='font-size:1em'>openwrt</a>
</li><li>
<a href='/tags/pfsense/' style='font-size:1em'>pfsense</a>
</li><li>
<a href='/tags/pihole/' style='font-size:1em'>pihole</a>
</li><li>
<a href='/tags/plex/' style='font-size:1em'>plex</a>
</li><li>
<a href='/tags/podman/' style='font-size:1em'>podman</a>
</li><li>
<a href='/tags/privacy/' style='font-size:1em'>privacy</a>
</li><li>
<a href='/tags/proxmox/' style='font-size:2em'>proxmox</a>
</li><li>
<a href='/tags/python/' style='font-size:2em'>python</a>
</li><li>
<a href='/tags/ransomware/' style='font-size:1em'>ransomware</a>
</li><li>
<a href='/tags/router/' style='font-size:1em'>router</a>
</li><li>
<a href='/tags/router-on-a-stick/' style='font-size:1em'>router-on-a-stick</a>
</li><li>
<a href='/tags/security/' style='font-size:1em'>security</a>
</li><li>
<a href='/tags/synology/' style='font-size:1em'>synology</a>
</li><li>
<a href='/tags/tailscale/' style='font-size:2em'>tailscale</a>
</li><li>
<a href='/tags/virtualization/' style='font-size:1em'>virtualization</a>
</li><li>
<a href='/tags/vlan/' style='font-size:1em'>vlan</a>
</li><li>
<a href='/tags/vpn/' style='font-size:1em'>vpn</a>
</li><li>
<a href='/tags/yewtu.be/' style='font-size:1em'>yewtu.be</a>
</li><li>
<a href='/tags/youtube/' style='font-size:1em'>youtube</a>
</li></ul>
</div>
</section>
<section class='widget widget-social_menu sep-after'><nav aria-label='Social Menu'>
<ul><li>
<a href='https://github.com/davegallant' target='_blank' rel='noopener me'>
<span class='screen-reader-text'>Open Github account in new tab</span><svg
class="icon"
xmlns="http://www.w3.org/2000/svg"
viewbox="0 0 24 24"
stroke-linecap="round"
stroke-linejoin="round"
stroke-width="2"
aria-hidden="true"
><path d="M9 19c-5 1.5-5-2.5-7-3m14 6v-3.87a3.37 3.37 0 0 0-.94-2.61c3.14-.35 6.44-1.54 6.44-7A5.44 5.44 0 0 0 20 4.77 5.07 5.07 0 0 0 19.91 1S18.73.65 16 2.48a13.38 13.38 0 0 0-7 0C6.27.65 5.09 1 5.09 1A5.07 5.07 0 0 0 5 4.77a5.44 5.44 0 0 0-1.5 3.78c0 5.42 3.3 6.61 6.44 7A3.37 3.37 0 0 0 9 18.13V22" />
</svg>
</a>
</li><li>
<a href='https://twitter.com/davega11ant' target='_blank' rel='noopener me'>
<span class='screen-reader-text'>Open Twitter account in new tab</span><svg
class="icon"
xmlns="http://www.w3.org/2000/svg"
viewbox="0 0 24 24"
stroke-linecap="round"
stroke-linejoin="round"
stroke-width="2"
aria-hidden="true"
><path d="M23 3a10.9 10.9 0 0 1-3.14 1.53 4.48 4.48 0 0 0-7.86 3v1A10.66 10.66 0 0 1 3 4s-4 9 5 13a11.64 11.64 0 0 1-7 2c9 5 20 0 20-11.5a4.5 4.5 0 0 0-.08-.83A7.72 7.72 0 0 0 23 3z" />
</svg>
</a>
</li><li>
<a href='https://fosstodon.org/@davegallant' target='_blank' rel='noopener me'>
<span class='screen-reader-text'>Open Mastodon account in new tab</span><svg
class="icon"
xmlns="http://www.w3.org/2000/svg"
viewbox="0 0 24 24"
stroke-linecap="round"
stroke-linejoin="round"
stroke-width="2"
aria-hidden="true"
><path fill="#ccc" d="M23.268 5.313c-.35-2.578-2.617-4.61-5.304-5.004C17.51.242 15.792 0 11.813 0h-.03c-3.98 0-4.835.242-5.288.309C3.882.692 1.496 2.518.917 5.127C.64 6.412.61 7.837.661 9.143c.074 1.874.088 3.745.26 5.611c.118 1.24.325 2.47.62 3.68c.55 2.237 2.777 4.098 4.96 4.857c2.336.792 4.849.923 7.256.38c.265-.061.527-.132.786-.213c.585-.184 1.27-.39 1.774-.753a.057.057 0 0 0 .023-.043v-1.809a.052.052 0 0 0-.02-.041a.053.053 0 0 0-.046-.01a20.282 20.282 0 0 1-4.709.545c-2.73 0-3.463-1.284-3.674-1.818a5.593 5.593 0 0 1-.319-1.433a.053.053 0 0 1 .066-.054c1.517.363 3.072.546 4.632.546c.376 0 .75 0 1.125-.01c1.57-.044 3.224-.124 4.768-.422c.038-.008.077-.015.11-.024c2.435-.464 4.753-1.92 4.989-5.604c.008-.145.03-1.52.03-1.67c.002-.512.167-3.63-.024-5.545zm-3.748 9.195h-2.561V8.29c0-1.309-.55-1.976-1.67-1.976c-1.23 0-1.846.79-1.846 2.35v3.403h-2.546V8.663c0-1.56-.617-2.35-1.848-2.35c-1.112 0-1.668.668-1.67 1.977v6.218H4.822V8.102c0-1.31.337-2.35 1.011-3.12c.696-.77 1.608-1.164 2.74-1.164c1.311 0 2.302.5 2.962 1.498l.638 1.06l.638-1.06c.66-.999 1.65-1.498 2.96-1.498c1.13 0 2.043.395 2.74 1.164c.675.77 1.012 1.81 1.012 3.12z"/>
</svg>
</a>
</li><li>
<a href='mailto:dave.gallant@gmail.com' target='_blank' rel='noopener me'>
<span class='screen-reader-text'>Contact via Email</span><svg
class="icon"
xmlns="http://www.w3.org/2000/svg"
viewbox="0 0 24 24"
stroke-linecap="round"
stroke-linejoin="round"
stroke-width="2"
aria-hidden="true"
><path d="M4 4h16c1.1 0 2 .9 2 2v12c0 1.1-.9 2-2 2H4c-1.1 0-2-.9-2-2V6c0-1.1.9-2 2-2z" />
<polyline points="22,6 12,13 2,6" />
</svg>
</a>
</li><li>
<a href='https://linkedin.com/in/dave-gallant' target='_blank' rel='noopener me'>
<span class='screen-reader-text'>Open Linkedin account in new tab</span><svg
class="icon"
xmlns="http://www.w3.org/2000/svg"
viewbox="0 0 24 24"
stroke-linecap="round"
stroke-linejoin="round"
stroke-width="2"
aria-hidden="true"
><path d="M16 8a6 6 0 0 1 6 6v7h-4v-7a2 2 0 0 0-2-2 2 2 0 0 0-2 2v7h-4v-7a6 6 0 0 1 6-6z" />
<rect x="2" y="9" width="4" height="12" />
<circle cx="4" cy="4" r="2" />
</svg>
</a>
</li></ul>
</nav>
</section></div>
<div class='sidebar-overlay'></div>
</div><div class='main'><nav id='main-menu' class='menu main-menu' aria-label='Main Menu'>
<div class='container'>
<a class='screen-reader-text' href='#content'>Skip to Content</a>
<button id='sidebar-toggler' class='sidebar-toggler' aria-controls='sidebar'>
<span class='screen-reader-text'>Toggle Sidebar</span>
<span class='open'><svg
class="icon"
xmlns="http://www.w3.org/2000/svg"
viewbox="0 0 24 24"
stroke-linecap="round"
stroke-linejoin="round"
stroke-width="2"
aria-hidden="true"
><line x1="3" y1="12" x2="21" y2="12" />
<line x1="3" y1="6" x2="21" y2="6" />
<line x1="3" y1="18" x2="21" y2="18" />
</svg>
</span>
<span class='close'><svg
class="icon"
xmlns="http://www.w3.org/2000/svg"
viewbox="0 0 24 24"
stroke-linecap="round"
stroke-linejoin="round"
stroke-width="2"
aria-hidden="true"
><line x1="18" y1="6" x2="6" y2="18" />
<line x1="6" y1="6" x2="18" y2="18" />
</svg>
</span>
</button>
<ul><li class='item'>
<a href='/'>Home</a>
</li><li class='item'>
<a href='/about/'>About</a>
</li><li class='item'>
<a href='/index.xml'>RSS</a>
</li></ul>
</div>
</nav><div class='header-widgets'>
<div class='container'></div>
</div>
<header id='header' class='header site-header'>
<div class='container sep-after'>
</div>
</header>
<main id='content'>
<article lang='en' class='entry'>
<header class='header entry-header'>
<div class='container sep-after'>
<div class='header-info'>
<h1 class='title'>What To Do With A Homelab</h1>
</div>
<div class='entry-meta'>
<span class='posted-on'><svg
class="icon"
xmlns="http://www.w3.org/2000/svg"
viewbox="0 0 24 24"
stroke-linecap="round"
stroke-linejoin="round"
stroke-width="2"
aria-hidden="true"
><rect x="3" y="4" width="18" height="18" rx="2" ry="2" />
<line x1="16" y1="2" x2="16" y2="6" />
<line x1="8" y1="2" x2="8" y2="6" />
<line x1="3" y1="10" x2="21" y2="10" />
</svg>
<span class='screen-reader-text'>Posted on </span>
<time class='entry-date' datetime='2021-09-06T01:12:54-04:00'>2021, Sep 06</time>
</span>
<span class='reading-time'><svg
class="icon"
xmlns="http://www.w3.org/2000/svg"
viewbox="0 0 24 24"
stroke-linecap="round"
stroke-linejoin="round"
stroke-width="2"
aria-hidden="true"
><circle cx="12" cy="12" r="10" />
<polyline points="12 6 12 12 15 15" />
</svg>
4 mins read
</span>
</div>
</div>
<body>
<div class="content"><header>
<div class="main">
<a href="/">davegallant</a>
</div>
<nav>
<a href="/">Home</a>
<a href="/post">All posts</a>
<a href="/about">About</a>
<a href="/tags">Tags</a>
| <span id="dark-mode-toggle" onclick="toggleTheme()"></span>
<script src="/js/themetoggle.js"></script>
</nav>
</header>
<main>
<article>
<div class="title">
<h1 class="title">What To Do With A Homelab</h1>
<div class="meta">Posted on Sep 6, 2021</div>
</div>
<div class='container entry-content'><p>A homelab can be an inexpensive way to host a multitude of internal/external services and learn <em>a lot</em> in the process.</p>
<section class="body"><p>A homelab can be an inexpensive way to host a multitude of internal/external services and learn <em>a lot</em> in the process.</p>
<p>Do you want host your own Media server? Ad blocker? Web server?
Are you interested in learning more about Linux? Virtualization? Networking? Security?
Building a homelab can be an entertaining playground to enhance your computer skills.</p>
@@ -357,65 +130,41 @@ Containers have much less overhead in terms of boot time and storage allocation.
<p>As mentioned above, <a href="https://github.com/louislam/uptime-kuma">Uptime Kuma</a> is a convenient way to track uptime and monitor the availability of your services.</p>
<p><img src="/images/uptime-kuma.png" alt="uptime-kuma"></p>
<h2 id="in-summary">In Summary<a href="#in-summary" class="hanchor" ariaLabel="Anchor">#</a></h2>
<p>Building out a homelab can be a rewarding experience and it doesn&rsquo;t require buying a rack full of expensive servers to get a significant amount of utility. There are many services that you can run that require very minimal setup, making it possible to get a server up and running in a short period of time, with monitoring, and that can be securely connected to remotely.</p></div>
<p>Building out a homelab can be a rewarding experience and it doesn&rsquo;t require buying a rack full of expensive servers to get a significant amount of utility. There are many services that you can run that require very minimal setup, making it possible to get a server up and running in a short period of time, with monitoring, and that can be securely connected to remotely.</p></section>
<footer class='entry-footer'>
<div class='container sep-before'><div class='tags'><svg
class="icon"
xmlns="http://www.w3.org/2000/svg"
viewbox="0 0 24 24"
stroke-linecap="round"
stroke-linejoin="round"
stroke-width="2"
aria-hidden="true"
><path d="M20.59,13.41l-7.17,7.17a2,2,0,0,1-2.83,0L2,12V2H12l8.59,8.59A2,2,0,0,1,20.59,13.41Z" />
<line x1="7" y1="7" x2="7" y2="7" />
</svg>
<span class='screen-reader-text'>Tags: </span><a class='tag' href='/tags/tailscale/'>tailscale</a>, <a class='tag' href='/tags/homelab/'>homelab</a>, <a class='tag' href='/tags/netdata/'>netdata</a>, <a class='tag' href='/tags/jellyfin/'>jellyfin</a>, <a class='tag' href='/tags/plex/'>plex</a>, <a class='tag' href='/tags/pihole/'>pihole</a>, <a class='tag' href='/tags/virtualization/'>virtualization</a>, <a class='tag' href='/tags/adguard/'>adguard</a>, <a class='tag' href='/tags/grafana/'>grafana</a></div>
<div class="post-tags">
<nav class="nav tags">
<ul class="tags">
<li><a href="/tags/tailscale">tailscale</a></li>
<li><a href="/tags/homelab">homelab</a></li>
<li><a href="/tags/netdata">netdata</a></li>
<li><a href="/tags/jellyfin">jellyfin</a></li>
<li><a href="/tags/plex">plex</a></li>
<li><a href="/tags/pihole">pihole</a></li>
<li><a href="/tags/virtualization">virtualization</a></li>
<li><a href="/tags/adguard">adguard</a></li>
<li><a href="/tags/grafana">grafana</a></li>
</ul>
</nav>
</div>
</article>
</main>
</div>
</footer>
</article>
<nav class='entry-nav'>
<div class='container'><div class='prev-entry sep-before'>
<a href='/blog/2020/03/16/appgate-sdp-on-arch-linux/'>
<span aria-hidden='true'><svg
class="icon"
xmlns="http://www.w3.org/2000/svg"
viewbox="0 0 24 24"
stroke-linecap="round"
stroke-linejoin="round"
stroke-width="2"
aria-hidden="true"
><line x1="20" y1="12" x2="4" y2="12" />
<polyline points="10 18 4 12 10 6" />
</svg>
Previous</span>
<span class='screen-reader-text'>Previous post: </span>AppGate SDP on Arch Linux</a>
</div><div class='next-entry sep-before'>
<a href='/blog/2021/09/08/why-i-threw-out-my-dotfiles/'>
<span class='screen-reader-text'>Next post: </span>Why I Threw Out My Dotfiles<span aria-hidden='true'>Next <svg
class="icon"
xmlns="http://www.w3.org/2000/svg"
viewbox="0 0 24 24"
stroke-linecap="round"
stroke-linejoin="round"
stroke-width="2"
aria-hidden="true"
><line x1="4" y1="12" x2="20" y2="12" />
<polyline points="14 6 20 12 14 18" />
</svg>
</span>
</a>
</div></div>
</nav>
<section id='comments' class='comments'>
<section id='comments' class='comments'>
<div class='container sep-before'>
<div class='comments-area'><script src='https://utteranc.es/client.js'
repo='davegallant/davegallant.github.io'
@@ -426,24 +175,32 @@ Containers have much less overhead in terms of boot time and storage allocation.
</script>
</div>
</div>
</section>
</section><footer>
<div style="display:flex"><a class="soc" href="https://github.com/davegallant" rel="me" title="GitHub"><i data-feather="github"></i></a>
<a class="border"></a><a class="soc" href="https://twitter.com/davega11ant/" rel="me" title="Twitter"><i data-feather="twitter"></i></a>
<a class="border"></a><a class="soc" href="https://fosstodon.org/@davegallant" rel="me" title="Mastodon"><i data-feather="speaker"></i></a>
<a class="border"></a><a class="soc" href="https://www.linkedin.com/in/dave-gallant/" rel="me" title="LinkedIn"><i data-feather="linkedin"></i></a>
<a class="border"></a></div>
<div class="footer-info">
2023 Dave Gallant | Theme based on <a
href="https://github.com/athul/archie">Archie</a> | Built with <a href="https://gohugo.io">Hugo</a>
</div>
</footer>
</main>
<footer id='footer' class='footer'>
<div class='container sep-before'><div class='copyright'>
<p> &copy; 2020-2022 Dave Gallant </p>
</div>
</div>
</footer>
</div>
</div><script>window.__assets_js_src="/assets/js/"</script>
<script src='/assets/js/main.c3bcf2df.js'></script>
</body>
<script type="application/javascript">
var doNotTrack = false;
if (!doNotTrack) {
window.ga=window.ga||function(){(ga.q=ga.q||[]).push(arguments)};ga.l=+new Date;
ga('create', 'UA-98710982-2', 'auto');
ga('send', 'pageview');
}
</script>
<script async src='https://www.google-analytics.com/analytics.js'></script>
<script>
feather.replace()
</script></div>
</body>
</html>

813
public/blog/2021/09/08/why-i-threw-out-my-dotfiles/index.html
View File

@@ -1,26 +1,283 @@
<!DOCTYPE html>
<html lang='en' dir='auto'><head>
<meta charset='utf-8'>
<meta name='viewport' content='width=device-width, initial-scale=1'>
<meta name='description' content=''>
<meta name='theme-color' content='#8979b3'>
<html><head>
<meta charset="utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge"><title>Why I Threw Out My Dotfiles - davegallant</title><link rel="icon" type="image/png" href=https://davegallant.ca/favicon.ico /><meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="" />
<meta property="og:image" content=""/>
<meta property="og:title" content="Why I Threw Out My Dotfiles" />
<meta property="og:description" content="" />
<meta property="og:type" content="article" />
<meta property="og:url" content="/blog/2021/09/08/why-i-threw-out-my-dotfiles/" /><meta property="article:section" content="post" />
<meta property="article:published_time" content="2021-09-08T00:42:33-04:00" />
<meta property="article:modified_time" content="2021-09-08T00:42:33-04:00" />
<meta name="twitter:card" content="summary"/>
<meta name="twitter:title" content="Why I Threw Out My Dotfiles"/>
<meta name="twitter:description" content=""/>
<script src="https://cdn.jsdelivr.net/npm/feather-icons/dist/feather.min.js"></script>
<link href="https://fonts.googleapis.com/css2?family=IBM+Plex+Mono:ital,wght@1,500&display=swap" rel="stylesheet">
<link href="https://fonts.googleapis.com/css2?family=Fira+Sans&display=swap" rel="stylesheet">
<link href="https://fonts.googleapis.com/css?family=Roboto+Mono" rel="stylesheet">
<meta property='og:title' content='Why I Threw Out My Dotfiles • davegallant'>
<meta property='og:description' content=''>
<meta property='og:url' content='/blog/2021/09/08/why-i-threw-out-my-dotfiles/'>
<meta property='og:site_name' content='davegallant'>
<meta property='og:type' content='article'><meta property='article:section' content='post'><meta property='article:tag' content='nix'><meta property='article:tag' content='dotfiles'><meta property='article:tag' content='home-manager'><meta property='article:published_time' content='2021-09-08T00:42:33-04:00'/><meta property='article:modified_time' content='2021-09-08T00:42:33-04:00'/><meta name='twitter:card' content='summary'>
<link rel="stylesheet" type="text/css" media="screen" href="/css/main.f7354ef8ed840429a37397307f3d9872782673d6b91d714b3f600b210d91fbaf.css" />
<link id="darkModeStyle" rel="stylesheet" type="text/css" href="/css/dark.726cd11ca6eb7c4f7d48eb420354f814e5c1b94281aaf8fd0511c1319f7f78a4.css" disabled />
<meta name="generator" content="Hugo 0.108.0">
<script type="text/javascript"
src="https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.1/MathJax.js?config=TeX-AMS-MML_HTMLorMML">
</script>
<script type="text/x-mathjax-config">
MathJax.Hub.Config({
tex2jax: {
inlineMath: [['$','$'], ['\\(','\\)']],
displayMath: [['$$','$$'], ['\[','\]']],
processEscapes: true,
processEnvironments: true,
skipTags: ['script', 'noscript', 'style', 'textarea', 'pre'],
TeX: { equationNumbers: { autoNumber: "AMS" },
extensions: ["AMSmath.js", "AMSsymbols.js"] }
}
});
</script>
<title>Why I Threw Out My Dotfiles • davegallant</title>
<link rel='canonical' href='/blog/2021/09/08/why-i-threw-out-my-dotfiles/'>
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/katex@0.15.2/dist/katex.min.css">
<script defer src="https://cdn.jsdelivr.net/npm/katex@0.15.2/dist/katex.min.js"></script>
<script defer src="https://cdn.jsdelivr.net/npm/katex@0.15.2/dist/contrib/auto-render.min.js" onload="renderMathInElement(document.body);"></script>
<script>
document.addEventListener("DOMContentLoaded", function() {
renderMathInElement(document.body, {
delimiters: [
{left: "$$", right: "$$", display: true},
{left: "$", right: "$", display: false}
]
});
});
</script>
<link rel="stylesheet" type="text/css" href="/css/custom.2e59ff60a2d9c7e42e3c1af2aff0ba627da46f910a234867e98d178eb05c87dc.css">
</head>
<body>
<div class="content"><header>
<div class="main">
<a href="/">davegallant</a>
</div>
<nav>
<a href="/">Home</a>
<a href="/post">All posts</a>
<a href="/about">About</a>
<a href="/tags">Tags</a>
| <span id="dark-mode-toggle" onclick="toggleTheme()"></span>
<script src="/js/themetoggle.js"></script>
</nav>
</header>
<main>
<article>
<div class="title">
<h1 class="title">Why I Threw Out My Dotfiles</h1>
<div class="meta">Posted on Sep 8, 2021</div>
</div>
<section class="body"><p>Over the years I have collected a number of dotfiles that I have shared across both Linux and macOS machines (<code>~/.zshrc</code>, <code>~/.config/git/config</code>, <code>~/.config/tmux/tmux.conf</code>, etc). I have tried several different ways to manage them, including <a href="https://www.atlassian.com/git/tutorials/dotfiles">bare git repos</a> and utilities such as <a href="https://www.gnu.org/software/stow/">GNU Stow</a>. These solutions work well enough, but I have since found what I would consider a much better solution for organizing user configuration: <a href="https://github.com/nix-community/home-manager">home-manager</a>.</p>
<h2 id="what-is-home-manager">What is home-manager?<a href="#what-is-home-manager" class="hanchor" ariaLabel="Anchor">#</a></h2>
<p>Before understanding home-manager, it is worth briefly discussing what nix is. <a href="https://nixos.org/">nix</a> is a package manager that originally spawned from a <a href="https://edolstra.github.io/pubs/phd-thesis.pdf">PhD thesis</a>. Unlike other package managers, it uses symbolic links to keep track of the currently installed packages, keeping around the old ones in case you may want to rollback.</p>
<p>For example, I have used nix to install the package <a href="https://search.nixos.org/packages?channel=unstable&amp;show=bind&amp;from=0&amp;size=50&amp;sort=relevance&amp;type=packages&amp;query=bind">bind</a> which includes <code>dig</code>. You can see that it is available on multiple platforms. The absolute path of <code>dig</code> can be found by running:</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-console" data-lang="console"><span style="display:flex;"><span>$ ls -lh <span style="color:#66d9ef">$(</span>which dig<span style="color:#66d9ef">)</span>
</span></span><span style="display:flex;"><span>lrwxr-xr-x 73 root 31 Dec 1969 /run/current-system/sw/bin/dig -&gt; /nix/store/0r4qdyprljd3dki57jn6c6a8dh2rbg9g-bind-9.16.16-dnsutils/bin/dig
</span></span></code></pre></div><p>Notice that there is a hash included in the file path? This is a nix store path and is computed by the nix package manager. This <a href="https://nixos.org/guides/nix-pills/nix-store-paths.html">nix pill</a> does a good job explaining how this hash is computed. All of the nix pills are worth a read, if you are interested in learning more about nix itself. However, using home-manager does not require extensive knowledge of nix.</p>
<p>Part of the nix ecosystem includes <a href="https://github.com/NixOS/nixpkgs">nixpkgs</a>. Many popular tools can be found already packaged in this repository. As you can see with these <a href="https://repology.org/repositories/statistics/total">stats</a>, there is a large number of existing packages that are being maintained by the community. Contributing a new package is easy, and anyone can do it!</p>
<p>home-manager leverages the nix package manager (and nixpkgs), as well the nix language so that you can declaratively define your system configuration. I store my <a href="https://github.com/davegallant/nix-config">nix-config</a> in git so that I can keep track of my packages and configurations, and retain a clean and informative git commit history so that I can understand what changed and why.</p>
<h2 id="setting-up-home-manager">Setting up home-manager<a href="#setting-up-home-manager" class="hanchor" ariaLabel="Anchor">#</a></h2>
<blockquote>
<p>⚠️ If you run this on your main machine, make sure you backup your configuration files first. home-manager is pretty good about not overwriting existing configuration, but it is better to have a backup! Alternatively, you could test this out on a VM or cloud instance.</p>
</blockquote>
<p>The first thing you should do is <a href="https://nixos.org/guides/install-nix.html">install nix</a>:</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>curl -L https://nixos.org/nix/install | sh
</span></span></code></pre></div><p>It&rsquo;s generally not a good idea to curl and execute files from the internet (without verifying integrity), so you might want to download the install script first and take a look before executing it!</p>
<p>Open up a new shell in your terminal and running <code>nix</code> <em>should</em> work. If not, run <code>. ~/.nix-profile/etc/profile.d/nix.sh</code></p>
<p>Now, <a href="https://github.com/nix-community/home-manager#installation">install home-manager</a>:</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>nix-channel --add https://github.com/nix-community/home-manager/archive/master.tar.gz home-manager
</span></span><span style="display:flex;"><span>nix-channel --update
</span></span><span style="display:flex;"><span>nix-shell <span style="color:#e6db74">&#39;&lt;home-manager&gt;&#39;</span> -A install
</span></span></code></pre></div><p>You should see a wave of <code>/nix/store/*</code> paths being displayed on your screen.</p>
<p>Now, to start off with a basic configuration, open up <code>~/.config/nixpkgs/home.nix</code> in the editor of your choice and paste this in (you will want to change <code>userName</code> and <code>homeDirectory</code>):</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-nix" data-lang="nix"><span style="display:flex;"><span>{ config<span style="color:#f92672">,</span> pkgs<span style="color:#f92672">,</span> <span style="color:#f92672">...</span> }:
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>{
</span></span><span style="display:flex;"><span> programs<span style="color:#f92672">.</span>home-manager<span style="color:#f92672">.</span>enable <span style="color:#f92672">=</span> <span style="color:#66d9ef">true</span>;
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> home <span style="color:#f92672">=</span> {
</span></span><span style="display:flex;"><span> username <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;dave&#34;</span>;
</span></span><span style="display:flex;"><span> homeDirectory <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;/home/dave&#34;</span>;
</span></span><span style="display:flex;"><span> stateVersion <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;21.11&#34;</span>;
</span></span><span style="display:flex;"><span> packages <span style="color:#f92672">=</span> <span style="color:#66d9ef">with</span> pkgs; [
</span></span><span style="display:flex;"><span> bind
</span></span><span style="display:flex;"><span> exa
</span></span><span style="display:flex;"><span> fd
</span></span><span style="display:flex;"><span> ripgrep
</span></span><span style="display:flex;"><span> ];
</span></span><span style="display:flex;"><span> };
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> programs <span style="color:#f92672">=</span> {
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> git <span style="color:#f92672">=</span> {
</span></span><span style="display:flex;"><span> enable <span style="color:#f92672">=</span> <span style="color:#66d9ef">true</span>;
</span></span><span style="display:flex;"><span> aliases <span style="color:#f92672">=</span> {
</span></span><span style="display:flex;"><span> aa <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;add -A .&#34;</span>;
</span></span><span style="display:flex;"><span> br <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;branch&#34;</span>;
</span></span><span style="display:flex;"><span> c <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;commit -S&#34;</span>;
</span></span><span style="display:flex;"><span> ca <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;commit -S --amend&#34;</span>;
</span></span><span style="display:flex;"><span> cb <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;checkout -b&#34;</span>;
</span></span><span style="display:flex;"><span> co <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;checkout&#34;</span>;
</span></span><span style="display:flex;"><span> d <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;diff&#34;</span>;
</span></span><span style="display:flex;"><span> l <span style="color:#f92672">=</span>
</span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;log --graph --pretty=format:&#39;%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)&lt;%an&gt;%Creset&#39; --abbrev-commit&#34;</span>;
</span></span><span style="display:flex;"><span> };
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> delta <span style="color:#f92672">=</span> {
</span></span><span style="display:flex;"><span> enable <span style="color:#f92672">=</span> <span style="color:#66d9ef">true</span>;
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> options <span style="color:#f92672">=</span> {
</span></span><span style="display:flex;"><span> features <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;line-numbers decorations&#34;</span>;
</span></span><span style="display:flex;"><span> whitespace-error-style <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;22 reverse&#34;</span>;
</span></span><span style="display:flex;"><span> plus-style <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;green bold ul &#39;#198214&#39;&#34;</span>;
</span></span><span style="display:flex;"><span> decorations <span style="color:#f92672">=</span> {
</span></span><span style="display:flex;"><span> commit-decoration-style <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;bold yellow box ul&#34;</span>;
</span></span><span style="display:flex;"><span> file-style <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;bold yellow ul&#34;</span>;
</span></span><span style="display:flex;"><span> file-decoration-style <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;none&#34;</span>;
</span></span><span style="display:flex;"><span> };
</span></span><span style="display:flex;"><span> };
</span></span><span style="display:flex;"><span> };
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> extraConfig <span style="color:#f92672">=</span> {
</span></span><span style="display:flex;"><span> push <span style="color:#f92672">=</span> { default <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;current&#34;</span>; };
</span></span><span style="display:flex;"><span> pull <span style="color:#f92672">=</span> { rebase <span style="color:#f92672">=</span> <span style="color:#66d9ef">true</span>; };
</span></span><span style="display:flex;"><span> };
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> };
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> starship <span style="color:#f92672">=</span> {
</span></span><span style="display:flex;"><span> enable <span style="color:#f92672">=</span> <span style="color:#66d9ef">true</span>;
</span></span><span style="display:flex;"><span> enableZshIntegration <span style="color:#f92672">=</span> <span style="color:#66d9ef">true</span>;
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> settings <span style="color:#f92672">=</span> {
</span></span><span style="display:flex;"><span> add_newline <span style="color:#f92672">=</span> <span style="color:#66d9ef">false</span>;
</span></span><span style="display:flex;"><span> scan_timeout <span style="color:#f92672">=</span> <span style="color:#ae81ff">10</span>;
</span></span><span style="display:flex;"><span> };
</span></span><span style="display:flex;"><span> };
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> zsh <span style="color:#f92672">=</span> {
</span></span><span style="display:flex;"><span> enable <span style="color:#f92672">=</span> <span style="color:#66d9ef">true</span>;
</span></span><span style="display:flex;"><span> enableAutosuggestions <span style="color:#f92672">=</span> <span style="color:#66d9ef">true</span>;
</span></span><span style="display:flex;"><span> enableSyntaxHighlighting <span style="color:#f92672">=</span> <span style="color:#66d9ef">true</span>;
</span></span><span style="display:flex;"><span> history<span style="color:#f92672">.</span>size <span style="color:#f92672">=</span> <span style="color:#ae81ff">1000000</span>;
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> localVariables <span style="color:#f92672">=</span> {
</span></span><span style="display:flex;"><span> CASE_SENSITIVE <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;true&#34;</span>;
</span></span><span style="display:flex;"><span> DISABLE_UNTRACKED_FILES_DIRTY <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;true&#34;</span>;
</span></span><span style="display:flex;"><span> RPROMPT <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;&#34;</span>; <span style="color:#75715e"># override because macOS defaults to filepath</span>
</span></span><span style="display:flex;"><span> ZSH_AUTOSUGGEST_HIGHLIGHT_STYLE <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;fg=#838383,underline&#34;</span>;
</span></span><span style="display:flex;"><span> ZSH_DISABLE_COMPFIX <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;true&#34;</span>;
</span></span><span style="display:flex;"><span> };
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> initExtra <span style="color:#f92672">=</span> <span style="color:#e6db74">&#39;&#39;
</span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> export PAGER=less
</span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> &#39;&#39;</span>;
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> shellAliases <span style="color:#f92672">=</span> {
</span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;..&#34;</span> <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;cd ..&#34;</span>;
</span></span><span style="display:flex;"><span> grep <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;rg --smart-case&#34;</span>;
</span></span><span style="display:flex;"><span> ls <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;exa -la --git&#34;</span>;
</span></span><span style="display:flex;"><span> };
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;oh-my-zsh&#34;</span> <span style="color:#f92672">=</span> {
</span></span><span style="display:flex;"><span> enable <span style="color:#f92672">=</span> <span style="color:#66d9ef">true</span>;
</span></span><span style="display:flex;"><span> plugins <span style="color:#f92672">=</span> [
</span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;gitfast&#34;</span>
</span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;last-working-dir&#34;</span>
</span></span><span style="display:flex;"><span> ];
</span></span><span style="display:flex;"><span> };
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> };
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> };
</span></span><span style="display:flex;"><span>}
</span></span></code></pre></div><p>Save the file and run:</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span>home-manager switch
</span></span></code></pre></div><p>You should see another wave of <code>/nix/store/*</code> paths. The new configuration should now be active.</p>
<p>If you run <code>zsh</code>, you should see that you have <a href="https://starship.rs/">starship</a> and access to several other utils such as <code>rg</code>, <code>fd</code>, and <code>exa</code>.</p>
<p>This basic configuration above is also defining your <code>~/.config/git/config</code> and <code>.zshrc</code>. If you already have either of these files, home-manager will complain about them already existing.</p>
<p>If you run <code>cat ~/.zshrc</code>, you will see the way these configuration files are generated.</p>
<p>You can extend this configuration for programs such as (neo)vim, emacs, alacritty, ssh, etc. To see other programs, take a look at <a href="https://github.com/nix-community/home-manager/tree/master/modules/programs">home-manager/modules/programs</a>.</p>
<h2 id="gateway-to-nix">Gateway To Nix<a href="#gateway-to-nix" class="hanchor" ariaLabel="Anchor">#</a></h2>
<p>In ways, home-manager can be seen as a gateway to the nix ecosystem. If you have enjoyed the way you can declare user configuration with home-manager, you may be interested in expanding your configuration to include other system dependencies and configuration. For example, in Linux you can define your entire system&rsquo;s configuration (including the kernel, kernel modules, networking, filesystems, etc) in nix. For macOS, there is <a href="https://github.com/LnL7/nix-darwin">nix-darwin</a> that includes nix modules for configuring launchd, dock, and other preferences and services. You may also want to check out <a href="https://nixos.wiki/wiki/Flakes">Nix Flakes</a>: a more recent feature that allows you declare dependencies, and have them automatically pinned and hashed in <code>flake.lock</code>, similar to that of many modern package managers.</p>
<h2 id="wrapping-up">Wrapping up<a href="#wrapping-up" class="hanchor" ariaLabel="Anchor">#</a></h2>
<p>The title of this post is slightly misleading, since it&rsquo;s possible to retain some of your dotfiles and have them intermingle with home-manager by including them alongside nix. The idea of defining user configuration using nix can provide a clean way to maintain your configuration, and allow it to be portable across platforms. Is it worth the effort to migrate away from shell scripts and dotfiles? I&rsquo;d say so.</p></section>
<div class="post-tags">
<nav class="nav tags">
<ul class="tags">
<li><a href="/tags/nix">nix</a></li>
<li><a href="/tags/dotfiles">dotfiles</a></li>
<li><a href="/tags/home-manager">home-manager</a></li>
</ul>
</nav>
</div>
</article>
</main>
<section id='comments' class='comments'>
<div class='container sep-before'>
<div class='comments-area'><script src='https://utteranc.es/client.js'
repo='davegallant/davegallant.github.io'
issue-term='pathname'
<link rel='icon' href='/favicon.ico'>
<link rel='stylesheet' href='/assets/css/main.ab98e12b.css'><link rel='stylesheet' href='/css/custom.css'><style>
:root{--color-accent:#8979b3;}
</style>
theme='github-light'
crossorigin='anonymous' async>
</script>
</div>
</div>
</section><footer>
<div style="display:flex"><a class="soc" href="https://github.com/davegallant" rel="me" title="GitHub"><i data-feather="github"></i></a>
<a class="border"></a><a class="soc" href="https://twitter.com/davega11ant/" rel="me" title="Twitter"><i data-feather="twitter"></i></a>
<a class="border"></a><a class="soc" href="https://fosstodon.org/@davegallant" rel="me" title="Mastodon"><i data-feather="speaker"></i></a>
<a class="border"></a><a class="soc" href="https://www.linkedin.com/in/dave-gallant/" rel="me" title="LinkedIn"><i data-feather="linkedin"></i></a>
<a class="border"></a></div>
<div class="footer-info">
2023 Dave Gallant | Theme based on <a
href="https://github.com/athul/archie">Archie</a> | Built with <a href="https://gohugo.io">Hugo</a>
</div>
</footer>
<script type="application/javascript">
var doNotTrack = false;
@@ -33,520 +290,8 @@ if (!doNotTrack) {
</script>
<script async src='https://www.google-analytics.com/analytics.js'></script>
</head>
<body class='page type-post has-sidebar'>
<div class='site'><div id='sidebar' class='sidebar'>
<a class='screen-reader-text' href='#main-menu'>Skip to Main Menu</a>
<div class='container'><section class='widget widget-about sep-after'>
<header>
<div class='logo'>
<a href='/'>
<img src='/images/logo.png'>
</a>
</div>
<h2 class='title site-title '>
<a href='/'>
davegallant
</a>
</h2>
<div class='desc'>
personal blog
</div>
</header>
</section>
<section class='widget widget-taxonomy_cloud sep-after'>
<header>
<h4 class='title widget-title'>Tags</h4>
</header>
<div class='container list-container'>
<ul class='list taxonomy-cloud'><li>
<a href='/tags/adguard/' style='font-size:1em'>adguard</a>
</li><li>
<a href='/tags/aws/' style='font-size:1em'>aws</a>
</li><li>
<a href='/tags/aws-vault/' style='font-size:1em'>aws-vault</a>
</li><li>
<a href='/tags/backup/' style='font-size:1em'>backup</a>
</li><li>
<a href='/tags/containers/' style='font-size:1em'>containers</a>
</li><li>
<a href='/tags/degoogle/' style='font-size:2em'>degoogle</a>
</li><li>
<a href='/tags/docker/' style='font-size:1em'>docker</a>
</li><li>
<a href='/tags/dotfiles/' style='font-size:1em'>dotfiles</a>
</li><li>
<a href='/tags/gmail/' style='font-size:1em'>gmail</a>
</li><li>
<a href='/tags/grafana/' style='font-size:1em'>grafana</a>
</li><li>
<a href='/tags/home-manager/' style='font-size:1em'>home-manager</a>
</li><li>
<a href='/tags/homelab/' style='font-size:1em'>homelab</a>
</li><li>
<a href='/tags/invidious/' style='font-size:1em'>invidious</a>
</li><li>
<a href='/tags/jellyfin/' style='font-size:1em'>jellyfin</a>
</li><li>
<a href='/tags/k3s/' style='font-size:1em'>k3s</a>
</li><li>
<a href='/tags/linux/' style='font-size:1em'>linux</a>
</li><li>
<a href='/tags/lxc/' style='font-size:1em'>lxc</a>
</li><li>
<a href='/tags/netdata/' style='font-size:1em'>netdata</a>
</li><li>
<a href='/tags/nix/' style='font-size:1em'>nix</a>
</li><li>
<a href='/tags/openwrt/' style='font-size:1em'>openwrt</a>
</li><li>
<a href='/tags/pfsense/' style='font-size:1em'>pfsense</a>
</li><li>
<a href='/tags/pihole/' style='font-size:1em'>pihole</a>
</li><li>
<a href='/tags/plex/' style='font-size:1em'>plex</a>
</li><li>
<a href='/tags/podman/' style='font-size:1em'>podman</a>
</li><li>
<a href='/tags/privacy/' style='font-size:1em'>privacy</a>
</li><li>
<a href='/tags/proxmox/' style='font-size:2em'>proxmox</a>
</li><li>
<a href='/tags/python/' style='font-size:2em'>python</a>
</li><li>
<a href='/tags/ransomware/' style='font-size:1em'>ransomware</a>
</li><li>
<a href='/tags/router/' style='font-size:1em'>router</a>
</li><li>
<a href='/tags/router-on-a-stick/' style='font-size:1em'>router-on-a-stick</a>
</li><li>
<a href='/tags/security/' style='font-size:1em'>security</a>
</li><li>
<a href='/tags/synology/' style='font-size:1em'>synology</a>
</li><li>
<a href='/tags/tailscale/' style='font-size:2em'>tailscale</a>
</li><li>
<a href='/tags/virtualization/' style='font-size:1em'>virtualization</a>
</li><li>
<a href='/tags/vlan/' style='font-size:1em'>vlan</a>
</li><li>
<a href='/tags/vpn/' style='font-size:1em'>vpn</a>
</li><li>
<a href='/tags/yewtu.be/' style='font-size:1em'>yewtu.be</a>
</li><li>
<a href='/tags/youtube/' style='font-size:1em'>youtube</a>
</li></ul>
</div>
</section>
<section class='widget widget-social_menu sep-after'><nav aria-label='Social Menu'>
<ul><li>
<a href='https://github.com/davegallant' target='_blank' rel='noopener me'>
<span class='screen-reader-text'>Open Github account in new tab</span><svg
class="icon"
xmlns="http://www.w3.org/2000/svg"
viewbox="0 0 24 24"
stroke-linecap="round"
stroke-linejoin="round"
stroke-width="2"
aria-hidden="true"
><path d="M9 19c-5 1.5-5-2.5-7-3m14 6v-3.87a3.37 3.37 0 0 0-.94-2.61c3.14-.35 6.44-1.54 6.44-7A5.44 5.44 0 0 0 20 4.77 5.07 5.07 0 0 0 19.91 1S18.73.65 16 2.48a13.38 13.38 0 0 0-7 0C6.27.65 5.09 1 5.09 1A5.07 5.07 0 0 0 5 4.77a5.44 5.44 0 0 0-1.5 3.78c0 5.42 3.3 6.61 6.44 7A3.37 3.37 0 0 0 9 18.13V22" />
</svg>
</a>
</li><li>
<a href='https://twitter.com/davega11ant' target='_blank' rel='noopener me'>
<span class='screen-reader-text'>Open Twitter account in new tab</span><svg
class="icon"
xmlns="http://www.w3.org/2000/svg"
viewbox="0 0 24 24"
stroke-linecap="round"
stroke-linejoin="round"
stroke-width="2"
aria-hidden="true"
><path d="M23 3a10.9 10.9 0 0 1-3.14 1.53 4.48 4.48 0 0 0-7.86 3v1A10.66 10.66 0 0 1 3 4s-4 9 5 13a11.64 11.64 0 0 1-7 2c9 5 20 0 20-11.5a4.5 4.5 0 0 0-.08-.83A7.72 7.72 0 0 0 23 3z" />
</svg>
</a>
</li><li>
<a href='https://fosstodon.org/@davegallant' target='_blank' rel='noopener me'>
<span class='screen-reader-text'>Open Mastodon account in new tab</span><svg
class="icon"
xmlns="http://www.w3.org/2000/svg"
viewbox="0 0 24 24"
stroke-linecap="round"
stroke-linejoin="round"
stroke-width="2"
aria-hidden="true"
><path fill="#ccc" d="M23.268 5.313c-.35-2.578-2.617-4.61-5.304-5.004C17.51.242 15.792 0 11.813 0h-.03c-3.98 0-4.835.242-5.288.309C3.882.692 1.496 2.518.917 5.127C.64 6.412.61 7.837.661 9.143c.074 1.874.088 3.745.26 5.611c.118 1.24.325 2.47.62 3.68c.55 2.237 2.777 4.098 4.96 4.857c2.336.792 4.849.923 7.256.38c.265-.061.527-.132.786-.213c.585-.184 1.27-.39 1.774-.753a.057.057 0 0 0 .023-.043v-1.809a.052.052 0 0 0-.02-.041a.053.053 0 0 0-.046-.01a20.282 20.282 0 0 1-4.709.545c-2.73 0-3.463-1.284-3.674-1.818a5.593 5.593 0 0 1-.319-1.433a.053.053 0 0 1 .066-.054c1.517.363 3.072.546 4.632.546c.376 0 .75 0 1.125-.01c1.57-.044 3.224-.124 4.768-.422c.038-.008.077-.015.11-.024c2.435-.464 4.753-1.92 4.989-5.604c.008-.145.03-1.52.03-1.67c.002-.512.167-3.63-.024-5.545zm-3.748 9.195h-2.561V8.29c0-1.309-.55-1.976-1.67-1.976c-1.23 0-1.846.79-1.846 2.35v3.403h-2.546V8.663c0-1.56-.617-2.35-1.848-2.35c-1.112 0-1.668.668-1.67 1.977v6.218H4.822V8.102c0-1.31.337-2.35 1.011-3.12c.696-.77 1.608-1.164 2.74-1.164c1.311 0 2.302.5 2.962 1.498l.638 1.06l.638-1.06c.66-.999 1.65-1.498 2.96-1.498c1.13 0 2.043.395 2.74 1.164c.675.77 1.012 1.81 1.012 3.12z"/>
</svg>
</a>
</li><li>
<a href='mailto:dave.gallant@gmail.com' target='_blank' rel='noopener me'>
<span class='screen-reader-text'>Contact via Email</span><svg
class="icon"
xmlns="http://www.w3.org/2000/svg"
viewbox="0 0 24 24"
stroke-linecap="round"
stroke-linejoin="round"
stroke-width="2"
aria-hidden="true"
><path d="M4 4h16c1.1 0 2 .9 2 2v12c0 1.1-.9 2-2 2H4c-1.1 0-2-.9-2-2V6c0-1.1.9-2 2-2z" />
<polyline points="22,6 12,13 2,6" />
</svg>
</a>
</li><li>
<a href='https://linkedin.com/in/dave-gallant' target='_blank' rel='noopener me'>
<span class='screen-reader-text'>Open Linkedin account in new tab</span><svg
class="icon"
xmlns="http://www.w3.org/2000/svg"
viewbox="0 0 24 24"
stroke-linecap="round"
stroke-linejoin="round"
stroke-width="2"
aria-hidden="true"
><path d="M16 8a6 6 0 0 1 6 6v7h-4v-7a2 2 0 0 0-2-2 2 2 0 0 0-2 2v7h-4v-7a6 6 0 0 1 6-6z" />
<rect x="2" y="9" width="4" height="12" />
<circle cx="4" cy="4" r="2" />
</svg>
</a>
</li></ul>
</nav>
</section></div>
<div class='sidebar-overlay'></div>
</div><div class='main'><nav id='main-menu' class='menu main-menu' aria-label='Main Menu'>
<div class='container'>
<a class='screen-reader-text' href='#content'>Skip to Content</a>
<button id='sidebar-toggler' class='sidebar-toggler' aria-controls='sidebar'>
<span class='screen-reader-text'>Toggle Sidebar</span>
<span class='open'><svg
class="icon"
xmlns="http://www.w3.org/2000/svg"
viewbox="0 0 24 24"
stroke-linecap="round"
stroke-linejoin="round"
stroke-width="2"
aria-hidden="true"
><line x1="3" y1="12" x2="21" y2="12" />
<line x1="3" y1="6" x2="21" y2="6" />
<line x1="3" y1="18" x2="21" y2="18" />
</svg>
</span>
<span class='close'><svg
class="icon"
xmlns="http://www.w3.org/2000/svg"
viewbox="0 0 24 24"
stroke-linecap="round"
stroke-linejoin="round"
stroke-width="2"
aria-hidden="true"
><line x1="18" y1="6" x2="6" y2="18" />
<line x1="6" y1="6" x2="18" y2="18" />
</svg>
</span>
</button>
<ul><li class='item'>
<a href='/'>Home</a>
</li><li class='item'>
<a href='/about/'>About</a>
</li><li class='item'>
<a href='/index.xml'>RSS</a>
</li></ul>
</div>
</nav><div class='header-widgets'>
<div class='container'></div>
</div>
<header id='header' class='header site-header'>
<div class='container sep-after'>
</div>
</header>
<main id='content'>
<article lang='en' class='entry'>
<header class='header entry-header'>
<div class='container sep-after'>
<div class='header-info'>
<h1 class='title'>Why I Threw Out My Dotfiles</h1>
</div>
<div class='entry-meta'>
<span class='posted-on'><svg
class="icon"
xmlns="http://www.w3.org/2000/svg"
viewbox="0 0 24 24"
stroke-linecap="round"
stroke-linejoin="round"
stroke-width="2"
aria-hidden="true"
><rect x="3" y="4" width="18" height="18" rx="2" ry="2" />
<line x1="16" y1="2" x2="16" y2="6" />
<line x1="8" y1="2" x2="8" y2="6" />
<line x1="3" y1="10" x2="21" y2="10" />
</svg>
<span class='screen-reader-text'>Posted on </span>
<time class='entry-date' datetime='2021-09-08T00:42:33-04:00'>2021, Sep 08</time>
</span>
<span class='reading-time'><svg
class="icon"
xmlns="http://www.w3.org/2000/svg"
viewbox="0 0 24 24"
stroke-linecap="round"
stroke-linejoin="round"
stroke-width="2"
aria-hidden="true"
><circle cx="12" cy="12" r="10" />
<polyline points="12 6 12 12 15 15" />
</svg>
5 mins read
</span>
</div>
</div>
</header>
<div class='container entry-content'><p>Over the years I have collected a number of dotfiles that I have shared across both Linux and macOS machines (<code>~/.zshrc</code>, <code>~/.config/git/config</code>, <code>~/.config/tmux/tmux.conf</code>, etc). I have tried several different ways to manage them, including <a href="https://www.atlassian.com/git/tutorials/dotfiles">bare git repos</a> and utilities such as <a href="https://www.gnu.org/software/stow/">GNU Stow</a>. These solutions work well enough, but I have since found what I would consider a much better solution for organizing user configuration: <a href="https://github.com/nix-community/home-manager">home-manager</a>.</p>
<h2 id="what-is-home-manager">What is home-manager?<a href="#what-is-home-manager" class="hanchor" ariaLabel="Anchor">#</a></h2>
<p>Before understanding home-manager, it is worth briefly discussing what nix is. <a href="https://nixos.org/">nix</a> is a package manager that originally spawned from a <a href="https://edolstra.github.io/pubs/phd-thesis.pdf">PhD thesis</a>. Unlike other package managers, it uses symbolic links to keep track of the currently installed packages, keeping around the old ones in case you may want to rollback.</p>
<p>For example, I have used nix to install the package <a href="https://search.nixos.org/packages?channel=unstable&amp;show=bind&amp;from=0&amp;size=50&amp;sort=relevance&amp;type=packages&amp;query=bind">bind</a> which includes <code>dig</code>. You can see that it is available on multiple platforms. The absolute path of <code>dig</code> can be found by running:</p>
<div class="highlight"><pre tabindex="0" style="background-color:#f0f3f3;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-console" data-lang="console"><span style="display:flex;"><span><span style="color:#009;font-weight:bold">$</span> ls -lh <span style="color:#069;font-weight:bold">$(</span>which dig<span style="color:#069;font-weight:bold">)</span>
</span></span><span style="display:flex;"><span><span style="color:#aaa">lrwxr-xr-x 73 root 31 Dec 1969 /run/current-system/sw/bin/dig -&gt; /nix/store/0r4qdyprljd3dki57jn6c6a8dh2rbg9g-bind-9.16.16-dnsutils/bin/dig
</span></span></span></code></pre></div><p>Notice that there is a hash included in the file path? This is a nix store path and is computed by the nix package manager. This <a href="https://nixos.org/guides/nix-pills/nix-store-paths.html">nix pill</a> does a good job explaining how this hash is computed. All of the nix pills are worth a read, if you are interested in learning more about nix itself. However, using home-manager does not require extensive knowledge of nix.</p>
<p>Part of the nix ecosystem includes <a href="https://github.com/NixOS/nixpkgs">nixpkgs</a>. Many popular tools can be found already packaged in this repository. As you can see with these <a href="https://repology.org/repositories/statistics/total">stats</a>, there is a large number of existing packages that are being maintained by the community. Contributing a new package is easy, and anyone can do it!</p>
<p>home-manager leverages the nix package manager (and nixpkgs), as well the nix language so that you can declaratively define your system configuration. I store my <a href="https://github.com/davegallant/nix-config">nix-config</a> in git so that I can keep track of my packages and configurations, and retain a clean and informative git commit history so that I can understand what changed and why.</p>
<h2 id="setting-up-home-manager">Setting up home-manager<a href="#setting-up-home-manager" class="hanchor" ariaLabel="Anchor">#</a></h2>
<blockquote>
<p>⚠️ If you run this on your main machine, make sure you backup your configuration files first. home-manager is pretty good about not overwriting existing configuration, but it is better to have a backup! Alternatively, you could test this out on a VM or cloud instance.</p>
</blockquote>
<p>The first thing you should do is <a href="https://nixos.org/guides/install-nix.html">install nix</a>:</p>
<div class="highlight"><pre tabindex="0" style="background-color:#f0f3f3;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>curl -L https://nixos.org/nix/install | sh
</span></span></code></pre></div><p>It&rsquo;s generally not a good idea to curl and execute files from the internet (without verifying integrity), so you might want to download the install script first and take a look before executing it!</p>
<p>Open up a new shell in your terminal and running <code>nix</code> <em>should</em> work. If not, run <code>. ~/.nix-profile/etc/profile.d/nix.sh</code></p>
<p>Now, <a href="https://github.com/nix-community/home-manager#installation">install home-manager</a>:</p>
<div class="highlight"><pre tabindex="0" style="background-color:#f0f3f3;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>nix-channel --add https://github.com/nix-community/home-manager/archive/master.tar.gz home-manager
</span></span><span style="display:flex;"><span>nix-channel --update
</span></span><span style="display:flex;"><span>nix-shell <span style="color:#c30">&#39;&lt;home-manager&gt;&#39;</span> -A install
</span></span></code></pre></div><p>You should see a wave of <code>/nix/store/*</code> paths being displayed on your screen.</p>
<p>Now, to start off with a basic configuration, open up <code>~/.config/nixpkgs/home.nix</code> in the editor of your choice and paste this in (you will want to change <code>userName</code> and <code>homeDirectory</code>):</p>
<div class="highlight"><pre tabindex="0" style="background-color:#f0f3f3;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-nix" data-lang="nix"><span style="display:flex;"><span>{ config<span style="color:#555">,</span> pkgs<span style="color:#555">,</span> <span style="color:#555">...</span> }:
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>{
</span></span><span style="display:flex;"><span> programs<span style="color:#555">.</span>home-manager<span style="color:#555">.</span>enable <span style="color:#555">=</span> <span style="color:#360">true</span>;
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> home <span style="color:#555">=</span> {
</span></span><span style="display:flex;"><span> username <span style="color:#555">=</span> <span style="color:#c30">&#34;dave&#34;</span>;
</span></span><span style="display:flex;"><span> homeDirectory <span style="color:#555">=</span> <span style="color:#c30">&#34;/home/dave&#34;</span>;
</span></span><span style="display:flex;"><span> stateVersion <span style="color:#555">=</span> <span style="color:#c30">&#34;21.11&#34;</span>;
</span></span><span style="display:flex;"><span> packages <span style="color:#555">=</span> <span style="color:#069;font-weight:bold">with</span> pkgs; [
</span></span><span style="display:flex;"><span> bind
</span></span><span style="display:flex;"><span> exa
</span></span><span style="display:flex;"><span> fd
</span></span><span style="display:flex;"><span> ripgrep
</span></span><span style="display:flex;"><span> ];
</span></span><span style="display:flex;"><span> };
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> programs <span style="color:#555">=</span> {
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> git <span style="color:#555">=</span> {
</span></span><span style="display:flex;"><span> enable <span style="color:#555">=</span> <span style="color:#360">true</span>;
</span></span><span style="display:flex;"><span> aliases <span style="color:#555">=</span> {
</span></span><span style="display:flex;"><span> aa <span style="color:#555">=</span> <span style="color:#c30">&#34;add -A .&#34;</span>;
</span></span><span style="display:flex;"><span> br <span style="color:#555">=</span> <span style="color:#c30">&#34;branch&#34;</span>;
</span></span><span style="display:flex;"><span> c <span style="color:#555">=</span> <span style="color:#c30">&#34;commit -S&#34;</span>;
</span></span><span style="display:flex;"><span> ca <span style="color:#555">=</span> <span style="color:#c30">&#34;commit -S --amend&#34;</span>;
</span></span><span style="display:flex;"><span> cb <span style="color:#555">=</span> <span style="color:#c30">&#34;checkout -b&#34;</span>;
</span></span><span style="display:flex;"><span> co <span style="color:#555">=</span> <span style="color:#c30">&#34;checkout&#34;</span>;
</span></span><span style="display:flex;"><span> d <span style="color:#555">=</span> <span style="color:#c30">&#34;diff&#34;</span>;
</span></span><span style="display:flex;"><span> l <span style="color:#555">=</span>
</span></span><span style="display:flex;"><span> <span style="color:#c30">&#34;log --graph --pretty=format:&#39;%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)&lt;%an&gt;%Creset&#39; --abbrev-commit&#34;</span>;
</span></span><span style="display:flex;"><span> };
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> delta <span style="color:#555">=</span> {
</span></span><span style="display:flex;"><span> enable <span style="color:#555">=</span> <span style="color:#360">true</span>;
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> options <span style="color:#555">=</span> {
</span></span><span style="display:flex;"><span> features <span style="color:#555">=</span> <span style="color:#c30">&#34;line-numbers decorations&#34;</span>;
</span></span><span style="display:flex;"><span> whitespace-error-style <span style="color:#555">=</span> <span style="color:#c30">&#34;22 reverse&#34;</span>;
</span></span><span style="display:flex;"><span> plus-style <span style="color:#555">=</span> <span style="color:#c30">&#34;green bold ul &#39;#198214&#39;&#34;</span>;
</span></span><span style="display:flex;"><span> decorations <span style="color:#555">=</span> {
</span></span><span style="display:flex;"><span> commit-decoration-style <span style="color:#555">=</span> <span style="color:#c30">&#34;bold yellow box ul&#34;</span>;
</span></span><span style="display:flex;"><span> file-style <span style="color:#555">=</span> <span style="color:#c30">&#34;bold yellow ul&#34;</span>;
</span></span><span style="display:flex;"><span> file-decoration-style <span style="color:#555">=</span> <span style="color:#c30">&#34;none&#34;</span>;
</span></span><span style="display:flex;"><span> };
</span></span><span style="display:flex;"><span> };
</span></span><span style="display:flex;"><span> };
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> extraConfig <span style="color:#555">=</span> {
</span></span><span style="display:flex;"><span> push <span style="color:#555">=</span> { default <span style="color:#555">=</span> <span style="color:#c30">&#34;current&#34;</span>; };
</span></span><span style="display:flex;"><span> pull <span style="color:#555">=</span> { rebase <span style="color:#555">=</span> <span style="color:#360">true</span>; };
</span></span><span style="display:flex;"><span> };
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> };
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> starship <span style="color:#555">=</span> {
</span></span><span style="display:flex;"><span> enable <span style="color:#555">=</span> <span style="color:#360">true</span>;
</span></span><span style="display:flex;"><span> enableZshIntegration <span style="color:#555">=</span> <span style="color:#360">true</span>;
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> settings <span style="color:#555">=</span> {
</span></span><span style="display:flex;"><span> add_newline <span style="color:#555">=</span> <span style="color:#360">false</span>;
</span></span><span style="display:flex;"><span> scan_timeout <span style="color:#555">=</span> <span style="color:#f60">10</span>;
</span></span><span style="display:flex;"><span> };
</span></span><span style="display:flex;"><span> };
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> zsh <span style="color:#555">=</span> {
</span></span><span style="display:flex;"><span> enable <span style="color:#555">=</span> <span style="color:#360">true</span>;
</span></span><span style="display:flex;"><span> enableAutosuggestions <span style="color:#555">=</span> <span style="color:#360">true</span>;
</span></span><span style="display:flex;"><span> enableSyntaxHighlighting <span style="color:#555">=</span> <span style="color:#360">true</span>;
</span></span><span style="display:flex;"><span> history<span style="color:#555">.</span>size <span style="color:#555">=</span> <span style="color:#f60">1000000</span>;
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> localVariables <span style="color:#555">=</span> {
</span></span><span style="display:flex;"><span> CASE_SENSITIVE <span style="color:#555">=</span> <span style="color:#c30">&#34;true&#34;</span>;
</span></span><span style="display:flex;"><span> DISABLE_UNTRACKED_FILES_DIRTY <span style="color:#555">=</span> <span style="color:#c30">&#34;true&#34;</span>;
</span></span><span style="display:flex;"><span> RPROMPT <span style="color:#555">=</span> <span style="color:#c30">&#34;&#34;</span>; <span style="color:#09f;font-style:italic"># override because macOS defaults to filepath</span>
</span></span><span style="display:flex;"><span> ZSH_AUTOSUGGEST_HIGHLIGHT_STYLE <span style="color:#555">=</span> <span style="color:#c30">&#34;fg=#838383,underline&#34;</span>;
</span></span><span style="display:flex;"><span> ZSH_DISABLE_COMPFIX <span style="color:#555">=</span> <span style="color:#c30">&#34;true&#34;</span>;
</span></span><span style="display:flex;"><span> };
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> initExtra <span style="color:#555">=</span> <span style="color:#c30">&#39;&#39;
</span></span></span><span style="display:flex;"><span><span style="color:#c30"> export PAGER=less
</span></span></span><span style="display:flex;"><span><span style="color:#c30"> &#39;&#39;</span>;
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> shellAliases <span style="color:#555">=</span> {
</span></span><span style="display:flex;"><span> <span style="color:#c30">&#34;..&#34;</span> <span style="color:#555">=</span> <span style="color:#c30">&#34;cd ..&#34;</span>;
</span></span><span style="display:flex;"><span> grep <span style="color:#555">=</span> <span style="color:#c30">&#34;rg --smart-case&#34;</span>;
</span></span><span style="display:flex;"><span> ls <span style="color:#555">=</span> <span style="color:#c30">&#34;exa -la --git&#34;</span>;
</span></span><span style="display:flex;"><span> };
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> <span style="color:#c30">&#34;oh-my-zsh&#34;</span> <span style="color:#555">=</span> {
</span></span><span style="display:flex;"><span> enable <span style="color:#555">=</span> <span style="color:#360">true</span>;
</span></span><span style="display:flex;"><span> plugins <span style="color:#555">=</span> [
</span></span><span style="display:flex;"><span> <span style="color:#c30">&#34;gitfast&#34;</span>
</span></span><span style="display:flex;"><span> <span style="color:#c30">&#34;last-working-dir&#34;</span>
</span></span><span style="display:flex;"><span> ];
</span></span><span style="display:flex;"><span> };
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> };
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> };
</span></span><span style="display:flex;"><span>}
</span></span></code></pre></div><p>Save the file and run:</p>
<pre tabindex="0"><code>home-manager switch
</code></pre><p>You should see another wave of <code>/nix/store/*</code> paths. The new configuration should now be active.</p>
<p>If you run <code>zsh</code>, you should see that you have <a href="https://starship.rs/">starship</a> and access to several other utils such as <code>rg</code>, <code>fd</code>, and <code>exa</code>.</p>
<p>This basic configuration above is also defining your <code>~/.config/git/config</code> and <code>.zshrc</code>. If you already have either of these files, home-manager will complain about them already existing.</p>
<p>If you run <code>cat ~/.zshrc</code>, you will see the way these configuration files are generated.</p>
<p>You can extend this configuration for programs such as (neo)vim, emacs, alacritty, ssh, etc. To see other programs, take a look at <a href="https://github.com/nix-community/home-manager/tree/master/modules/programs">home-manager/modules/programs</a>.</p>
<h2 id="gateway-to-nix">Gateway To Nix<a href="#gateway-to-nix" class="hanchor" ariaLabel="Anchor">#</a></h2>
<p>In ways, home-manager can be seen as a gateway to the nix ecosystem. If you have enjoyed the way you can declare user configuration with home-manager, you may be interested in expanding your configuration to include other system dependencies and configuration. For example, in Linux you can define your entire system&rsquo;s configuration (including the kernel, kernel modules, networking, filesystems, etc) in nix. For macOS, there is <a href="https://github.com/LnL7/nix-darwin">nix-darwin</a> that includes nix modules for configuring launchd, dock, and other preferences and services. You may also want to check out <a href="https://nixos.wiki/wiki/Flakes">Nix Flakes</a>: a more recent feature that allows you declare dependencies, and have them automatically pinned and hashed in <code>flake.lock</code>, similar to that of many modern package managers.</p>
<h2 id="wrapping-up">Wrapping up<a href="#wrapping-up" class="hanchor" ariaLabel="Anchor">#</a></h2>
<p>The title of this post is slightly misleading, since it&rsquo;s possible to retain some of your dotfiles and have them intermingle with home-manager by including them alongside nix. The idea of defining user configuration using nix can provide a clean way to maintain your configuration, and allow it to be portable across platforms. Is it worth the effort to migrate away from shell scripts and dotfiles? I&rsquo;d say so.</p></div>
<footer class='entry-footer'>
<div class='container sep-before'><div class='tags'><svg
class="icon"
xmlns="http://www.w3.org/2000/svg"
viewbox="0 0 24 24"
stroke-linecap="round"
stroke-linejoin="round"
stroke-width="2"
aria-hidden="true"
><path d="M20.59,13.41l-7.17,7.17a2,2,0,0,1-2.83,0L2,12V2H12l8.59,8.59A2,2,0,0,1,20.59,13.41Z" />
<line x1="7" y1="7" x2="7" y2="7" />
</svg>
<span class='screen-reader-text'>Tags: </span><a class='tag' href='/tags/nix/'>nix</a>, <a class='tag' href='/tags/dotfiles/'>dotfiles</a>, <a class='tag' href='/tags/home-manager/'>home-manager</a></div>
</div>
</footer>
</article>
<nav class='entry-nav'>
<div class='container'><div class='prev-entry sep-before'>
<a href='/blog/2021/09/06/what-to-do-with-a-homelab/'>
<span aria-hidden='true'><svg
class="icon"
xmlns="http://www.w3.org/2000/svg"
viewbox="0 0 24 24"
stroke-linecap="round"
stroke-linejoin="round"
stroke-width="2"
aria-hidden="true"
><line x1="20" y1="12" x2="4" y2="12" />
<polyline points="10 18 4 12 10 6" />
</svg>
Previous</span>
<span class='screen-reader-text'>Previous post: </span>What To Do With A Homelab</a>
</div><div class='next-entry sep-before'>
<a href='/blog/2021/09/17/automatically-rotating-aws-access-keys/'>
<span class='screen-reader-text'>Next post: </span>Automatically Rotating AWS Access Keys<span aria-hidden='true'>Next <svg
class="icon"
xmlns="http://www.w3.org/2000/svg"
viewbox="0 0 24 24"
stroke-linecap="round"
stroke-linejoin="round"
stroke-width="2"
aria-hidden="true"
><line x1="4" y1="12" x2="20" y2="12" />
<polyline points="14 6 20 12 14 18" />
</svg>
</span>
</a>
</div></div>
</nav>
<section id='comments' class='comments'>
<div class='container sep-before'>
<div class='comments-area'><script src='https://utteranc.es/client.js'
repo='davegallant/davegallant.github.io'
issue-term='pathname'
theme='github-light'
crossorigin='anonymous' async>
</script>
</div>
</div>
</section>
</main>
<footer id='footer' class='footer'>
<div class='container sep-before'><div class='copyright'>
<p> &copy; 2020-2022 Dave Gallant </p>
</div>
</div>
</footer>
</div>
</div><script>window.__assets_js_src="/assets/js/"</script>
<script src='/assets/js/main.c3bcf2df.js'></script>
</body>
<script>
feather.replace()
</script></div>
</body>
</html>

549
public/blog/2021/09/17/automatically-rotating-aws-access-keys/index.html
View File

@@ -1,26 +1,152 @@
<!DOCTYPE html>
<html lang='en' dir='auto'><head>
<meta charset='utf-8'>
<meta name='viewport' content='width=device-width, initial-scale=1'>
<meta name='description' content=''>
<meta name='theme-color' content='#8979b3'>
<html><head>
<meta charset="utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge"><title>Automatically Rotating AWS Access Keys - davegallant</title><link rel="icon" type="image/png" href=https://davegallant.ca/favicon.ico /><meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="" />
<meta property="og:image" content=""/>
<meta property="og:title" content="Automatically Rotating AWS Access Keys" />
<meta property="og:description" content="" />
<meta property="og:type" content="article" />
<meta property="og:url" content="/blog/2021/09/17/automatically-rotating-aws-access-keys/" /><meta property="article:section" content="post" />
<meta property="article:published_time" content="2021-09-17T12:48:33-04:00" />
<meta property="article:modified_time" content="2021-09-17T12:48:33-04:00" />
<meta name="twitter:card" content="summary"/>
<meta name="twitter:title" content="Automatically Rotating AWS Access Keys"/>
<meta name="twitter:description" content=""/>
<script src="https://cdn.jsdelivr.net/npm/feather-icons/dist/feather.min.js"></script>
<link href="https://fonts.googleapis.com/css2?family=IBM+Plex+Mono:ital,wght@1,500&display=swap" rel="stylesheet">
<link href="https://fonts.googleapis.com/css2?family=Fira+Sans&display=swap" rel="stylesheet">
<link href="https://fonts.googleapis.com/css?family=Roboto+Mono" rel="stylesheet">
<meta property='og:title' content='Automatically Rotating AWS Access Keys • davegallant'>
<meta property='og:description' content=''>
<meta property='og:url' content='/blog/2021/09/17/automatically-rotating-aws-access-keys/'>
<meta property='og:site_name' content='davegallant'>
<meta property='og:type' content='article'><meta property='article:section' content='post'><meta property='article:tag' content='aws'><meta property='article:tag' content='python'><meta property='article:tag' content='security'><meta property='article:tag' content='aws-vault'><meta property='article:published_time' content='2021-09-17T12:48:33-04:00'/><meta property='article:modified_time' content='2021-09-17T12:48:33-04:00'/><meta name='twitter:card' content='summary'>
<link rel="stylesheet" type="text/css" media="screen" href="/css/main.f7354ef8ed840429a37397307f3d9872782673d6b91d714b3f600b210d91fbaf.css" />
<link id="darkModeStyle" rel="stylesheet" type="text/css" href="/css/dark.726cd11ca6eb7c4f7d48eb420354f814e5c1b94281aaf8fd0511c1319f7f78a4.css" disabled />
<meta name="generator" content="Hugo 0.108.0">
<script type="text/javascript"
src="https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.1/MathJax.js?config=TeX-AMS-MML_HTMLorMML">
</script>
<script type="text/x-mathjax-config">
MathJax.Hub.Config({
tex2jax: {
inlineMath: [['$','$'], ['\\(','\\)']],
displayMath: [['$$','$$'], ['\[','\]']],
processEscapes: true,
processEnvironments: true,
skipTags: ['script', 'noscript', 'style', 'textarea', 'pre'],
TeX: { equationNumbers: { autoNumber: "AMS" },
extensions: ["AMSmath.js", "AMSsymbols.js"] }
}
});
</script>
<title>Automatically Rotating AWS Access Keys • davegallant</title>
<link rel='canonical' href='/blog/2021/09/17/automatically-rotating-aws-access-keys/'>
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/katex@0.15.2/dist/katex.min.css">
<script defer src="https://cdn.jsdelivr.net/npm/katex@0.15.2/dist/katex.min.js"></script>
<script defer src="https://cdn.jsdelivr.net/npm/katex@0.15.2/dist/contrib/auto-render.min.js" onload="renderMathInElement(document.body);"></script>
<script>
document.addEventListener("DOMContentLoaded", function() {
renderMathInElement(document.body, {
delimiters: [
{left: "$$", right: "$$", display: true},
{left: "$", right: "$", display: false}
]
});
});
</script>
<link rel="stylesheet" type="text/css" href="/css/custom.2e59ff60a2d9c7e42e3c1af2aff0ba627da46f910a234867e98d178eb05c87dc.css">
</head>
<body>
<div class="content"><header>
<div class="main">
<a href="/">davegallant</a>
</div>
<nav>
<a href="/">Home</a>
<a href="/post">All posts</a>
<a href="/about">About</a>
<a href="/tags">Tags</a>
| <span id="dark-mode-toggle" onclick="toggleTheme()"></span>
<script src="/js/themetoggle.js"></script>
</nav>
</header>
<main>
<article>
<div class="title">
<h1 class="title">Automatically Rotating AWS Access Keys</h1>
<div class="meta">Posted on Sep 17, 2021</div>
</div>
<section class="body"><p>Rotating credentials is a security best practice. This morning, I read a question about automatically rotating AWS Access Keys without having to go through the hassle of navigating the AWS console. There are some existing solutions already, but I decided to write a <a href="https://gist.github.com/davegallant/2c042686a78684a657fe99e20fa7a924#file-aws_access_key_rotator-py">script</a> since it was incredibly simple. The script could be packed up as a systemd/launchd service to continually rotate access keys in the background.</p>
<p>In the longer term, migrating my local workflows to <a href="https://github.com/99designs/aws-vault">aws-vault</a> seems like a more secure solution. This would mean that credentials (even temporary session credentials) never have to be written in plaintext to disk (i.e. where <a href="https://docs.aws.amazon.com/sdkref/latest/guide/file-location.html">AWS suggests</a>). Any existing applications, such as terraform, could be have their credentials passed to them from aws-vault, which retrieves them from the OS&rsquo;s secure keystore. There is even a <a href="https://github.com/99designs/aws-vault/blob/master/USAGE.md#rotating-credentials">rotate command</a> included.</p></section>
<div class="post-tags">
<nav class="nav tags">
<ul class="tags">
<li><a href="/tags/aws">aws</a></li>
<li><a href="/tags/python">python</a></li>
<li><a href="/tags/security">security</a></li>
<li><a href="/tags/aws-vault">aws-vault</a></li>
</ul>
</nav>
</div>
</article>
</main>
<section id='comments' class='comments'>
<div class='container sep-before'>
<div class='comments-area'><script src='https://utteranc.es/client.js'
repo='davegallant/davegallant.github.io'
issue-term='pathname'
<link rel='icon' href='/favicon.ico'>
<link rel='stylesheet' href='/assets/css/main.ab98e12b.css'><link rel='stylesheet' href='/css/custom.css'><style>
:root{--color-accent:#8979b3;}
</style>
theme='github-light'
crossorigin='anonymous' async>
</script>
</div>
</div>
</section><footer>
<div style="display:flex"><a class="soc" href="https://github.com/davegallant" rel="me" title="GitHub"><i data-feather="github"></i></a>
<a class="border"></a><a class="soc" href="https://twitter.com/davega11ant/" rel="me" title="Twitter"><i data-feather="twitter"></i></a>
<a class="border"></a><a class="soc" href="https://fosstodon.org/@davegallant" rel="me" title="Mastodon"><i data-feather="speaker"></i></a>
<a class="border"></a><a class="soc" href="https://www.linkedin.com/in/dave-gallant/" rel="me" title="LinkedIn"><i data-feather="linkedin"></i></a>
<a class="border"></a></div>
<div class="footer-info">
2023 Dave Gallant | Theme based on <a
href="https://github.com/athul/archie">Archie</a> | Built with <a href="https://gohugo.io">Hugo</a>
</div>
</footer>
<script type="application/javascript">
var doNotTrack = false;
@@ -33,387 +159,8 @@ if (!doNotTrack) {
</script>
<script async src='https://www.google-analytics.com/analytics.js'></script>
</head>
<body class='page type-post has-sidebar'>
<div class='site'><div id='sidebar' class='sidebar'>
<a class='screen-reader-text' href='#main-menu'>Skip to Main Menu</a>
<div class='container'><section class='widget widget-about sep-after'>
<header>
<div class='logo'>
<a href='/'>
<img src='/images/logo.png'>
</a>
</div>
<h2 class='title site-title '>
<a href='/'>
davegallant
</a>
</h2>
<div class='desc'>
personal blog
</div>
</header>
</section>
<section class='widget widget-taxonomy_cloud sep-after'>
<header>
<h4 class='title widget-title'>Tags</h4>
</header>
<div class='container list-container'>
<ul class='list taxonomy-cloud'><li>
<a href='/tags/adguard/' style='font-size:1em'>adguard</a>
</li><li>
<a href='/tags/aws/' style='font-size:1em'>aws</a>
</li><li>
<a href='/tags/aws-vault/' style='font-size:1em'>aws-vault</a>
</li><li>
<a href='/tags/backup/' style='font-size:1em'>backup</a>
</li><li>
<a href='/tags/containers/' style='font-size:1em'>containers</a>
</li><li>
<a href='/tags/degoogle/' style='font-size:2em'>degoogle</a>
</li><li>
<a href='/tags/docker/' style='font-size:1em'>docker</a>
</li><li>
<a href='/tags/dotfiles/' style='font-size:1em'>dotfiles</a>
</li><li>
<a href='/tags/gmail/' style='font-size:1em'>gmail</a>
</li><li>
<a href='/tags/grafana/' style='font-size:1em'>grafana</a>
</li><li>
<a href='/tags/home-manager/' style='font-size:1em'>home-manager</a>
</li><li>
<a href='/tags/homelab/' style='font-size:1em'>homelab</a>
</li><li>
<a href='/tags/invidious/' style='font-size:1em'>invidious</a>
</li><li>
<a href='/tags/jellyfin/' style='font-size:1em'>jellyfin</a>
</li><li>
<a href='/tags/k3s/' style='font-size:1em'>k3s</a>
</li><li>
<a href='/tags/linux/' style='font-size:1em'>linux</a>
</li><li>
<a href='/tags/lxc/' style='font-size:1em'>lxc</a>
</li><li>
<a href='/tags/netdata/' style='font-size:1em'>netdata</a>
</li><li>
<a href='/tags/nix/' style='font-size:1em'>nix</a>
</li><li>
<a href='/tags/openwrt/' style='font-size:1em'>openwrt</a>
</li><li>
<a href='/tags/pfsense/' style='font-size:1em'>pfsense</a>
</li><li>
<a href='/tags/pihole/' style='font-size:1em'>pihole</a>
</li><li>
<a href='/tags/plex/' style='font-size:1em'>plex</a>
</li><li>
<a href='/tags/podman/' style='font-size:1em'>podman</a>
</li><li>
<a href='/tags/privacy/' style='font-size:1em'>privacy</a>
</li><li>
<a href='/tags/proxmox/' style='font-size:2em'>proxmox</a>
</li><li>
<a href='/tags/python/' style='font-size:2em'>python</a>
</li><li>
<a href='/tags/ransomware/' style='font-size:1em'>ransomware</a>
</li><li>
<a href='/tags/router/' style='font-size:1em'>router</a>
</li><li>
<a href='/tags/router-on-a-stick/' style='font-size:1em'>router-on-a-stick</a>
</li><li>
<a href='/tags/security/' style='font-size:1em'>security</a>
</li><li>
<a href='/tags/synology/' style='font-size:1em'>synology</a>
</li><li>
<a href='/tags/tailscale/' style='font-size:2em'>tailscale</a>
</li><li>
<a href='/tags/virtualization/' style='font-size:1em'>virtualization</a>
</li><li>
<a href='/tags/vlan/' style='font-size:1em'>vlan</a>
</li><li>
<a href='/tags/vpn/' style='font-size:1em'>vpn</a>
</li><li>
<a href='/tags/yewtu.be/' style='font-size:1em'>yewtu.be</a>
</li><li>
<a href='/tags/youtube/' style='font-size:1em'>youtube</a>
</li></ul>
</div>
</section>
<section class='widget widget-social_menu sep-after'><nav aria-label='Social Menu'>
<ul><li>
<a href='https://github.com/davegallant' target='_blank' rel='noopener me'>
<span class='screen-reader-text'>Open Github account in new tab</span><svg
class="icon"
xmlns="http://www.w3.org/2000/svg"
viewbox="0 0 24 24"
stroke-linecap="round"
stroke-linejoin="round"
stroke-width="2"
aria-hidden="true"
><path d="M9 19c-5 1.5-5-2.5-7-3m14 6v-3.87a3.37 3.37 0 0 0-.94-2.61c3.14-.35 6.44-1.54 6.44-7A5.44 5.44 0 0 0 20 4.77 5.07 5.07 0 0 0 19.91 1S18.73.65 16 2.48a13.38 13.38 0 0 0-7 0C6.27.65 5.09 1 5.09 1A5.07 5.07 0 0 0 5 4.77a5.44 5.44 0 0 0-1.5 3.78c0 5.42 3.3 6.61 6.44 7A3.37 3.37 0 0 0 9 18.13V22" />
</svg>
</a>
</li><li>
<a href='https://twitter.com/davega11ant' target='_blank' rel='noopener me'>
<span class='screen-reader-text'>Open Twitter account in new tab</span><svg
class="icon"
xmlns="http://www.w3.org/2000/svg"
viewbox="0 0 24 24"
stroke-linecap="round"
stroke-linejoin="round"
stroke-width="2"
aria-hidden="true"
><path d="M23 3a10.9 10.9 0 0 1-3.14 1.53 4.48 4.48 0 0 0-7.86 3v1A10.66 10.66 0 0 1 3 4s-4 9 5 13a11.64 11.64 0 0 1-7 2c9 5 20 0 20-11.5a4.5 4.5 0 0 0-.08-.83A7.72 7.72 0 0 0 23 3z" />
</svg>
</a>
</li><li>
<a href='https://fosstodon.org/@davegallant' target='_blank' rel='noopener me'>
<span class='screen-reader-text'>Open Mastodon account in new tab</span><svg
class="icon"
xmlns="http://www.w3.org/2000/svg"
viewbox="0 0 24 24"
stroke-linecap="round"
stroke-linejoin="round"
stroke-width="2"
aria-hidden="true"
><path fill="#ccc" d="M23.268 5.313c-.35-2.578-2.617-4.61-5.304-5.004C17.51.242 15.792 0 11.813 0h-.03c-3.98 0-4.835.242-5.288.309C3.882.692 1.496 2.518.917 5.127C.64 6.412.61 7.837.661 9.143c.074 1.874.088 3.745.26 5.611c.118 1.24.325 2.47.62 3.68c.55 2.237 2.777 4.098 4.96 4.857c2.336.792 4.849.923 7.256.38c.265-.061.527-.132.786-.213c.585-.184 1.27-.39 1.774-.753a.057.057 0 0 0 .023-.043v-1.809a.052.052 0 0 0-.02-.041a.053.053 0 0 0-.046-.01a20.282 20.282 0 0 1-4.709.545c-2.73 0-3.463-1.284-3.674-1.818a5.593 5.593 0 0 1-.319-1.433a.053.053 0 0 1 .066-.054c1.517.363 3.072.546 4.632.546c.376 0 .75 0 1.125-.01c1.57-.044 3.224-.124 4.768-.422c.038-.008.077-.015.11-.024c2.435-.464 4.753-1.92 4.989-5.604c.008-.145.03-1.52.03-1.67c.002-.512.167-3.63-.024-5.545zm-3.748 9.195h-2.561V8.29c0-1.309-.55-1.976-1.67-1.976c-1.23 0-1.846.79-1.846 2.35v3.403h-2.546V8.663c0-1.56-.617-2.35-1.848-2.35c-1.112 0-1.668.668-1.67 1.977v6.218H4.822V8.102c0-1.31.337-2.35 1.011-3.12c.696-.77 1.608-1.164 2.74-1.164c1.311 0 2.302.5 2.962 1.498l.638 1.06l.638-1.06c.66-.999 1.65-1.498 2.96-1.498c1.13 0 2.043.395 2.74 1.164c.675.77 1.012 1.81 1.012 3.12z"/>
</svg>
</a>
</li><li>
<a href='mailto:dave.gallant@gmail.com' target='_blank' rel='noopener me'>
<span class='screen-reader-text'>Contact via Email</span><svg
class="icon"
xmlns="http://www.w3.org/2000/svg"
viewbox="0 0 24 24"
stroke-linecap="round"
stroke-linejoin="round"
stroke-width="2"
aria-hidden="true"
><path d="M4 4h16c1.1 0 2 .9 2 2v12c0 1.1-.9 2-2 2H4c-1.1 0-2-.9-2-2V6c0-1.1.9-2 2-2z" />
<polyline points="22,6 12,13 2,6" />
</svg>
</a>
</li><li>
<a href='https://linkedin.com/in/dave-gallant' target='_blank' rel='noopener me'>
<span class='screen-reader-text'>Open Linkedin account in new tab</span><svg
class="icon"
xmlns="http://www.w3.org/2000/svg"
viewbox="0 0 24 24"
stroke-linecap="round"
stroke-linejoin="round"
stroke-width="2"
aria-hidden="true"
><path d="M16 8a6 6 0 0 1 6 6v7h-4v-7a2 2 0 0 0-2-2 2 2 0 0 0-2 2v7h-4v-7a6 6 0 0 1 6-6z" />
<rect x="2" y="9" width="4" height="12" />
<circle cx="4" cy="4" r="2" />
</svg>
</a>
</li></ul>
</nav>
</section></div>
<div class='sidebar-overlay'></div>
</div><div class='main'><nav id='main-menu' class='menu main-menu' aria-label='Main Menu'>
<div class='container'>
<a class='screen-reader-text' href='#content'>Skip to Content</a>
<button id='sidebar-toggler' class='sidebar-toggler' aria-controls='sidebar'>
<span class='screen-reader-text'>Toggle Sidebar</span>
<span class='open'><svg
class="icon"
xmlns="http://www.w3.org/2000/svg"
viewbox="0 0 24 24"
stroke-linecap="round"
stroke-linejoin="round"
stroke-width="2"
aria-hidden="true"
><line x1="3" y1="12" x2="21" y2="12" />
<line x1="3" y1="6" x2="21" y2="6" />
<line x1="3" y1="18" x2="21" y2="18" />
</svg>
</span>
<span class='close'><svg
class="icon"
xmlns="http://www.w3.org/2000/svg"
viewbox="0 0 24 24"
stroke-linecap="round"
stroke-linejoin="round"
stroke-width="2"
aria-hidden="true"
><line x1="18" y1="6" x2="6" y2="18" />
<line x1="6" y1="6" x2="18" y2="18" />
</svg>
</span>
</button>
<ul><li class='item'>
<a href='/'>Home</a>
</li><li class='item'>
<a href='/about/'>About</a>
</li><li class='item'>
<a href='/index.xml'>RSS</a>
</li></ul>
</div>
</nav><div class='header-widgets'>
<div class='container'></div>
</div>
<header id='header' class='header site-header'>
<div class='container sep-after'>
</div>
</header>
<main id='content'>
<article lang='en' class='entry'>
<header class='header entry-header'>
<div class='container sep-after'>
<div class='header-info'>
<h1 class='title'>Automatically Rotating AWS Access Keys</h1>
</div>
<div class='entry-meta'>
<span class='posted-on'><svg
class="icon"
xmlns="http://www.w3.org/2000/svg"
viewbox="0 0 24 24"
stroke-linecap="round"
stroke-linejoin="round"
stroke-width="2"
aria-hidden="true"
><rect x="3" y="4" width="18" height="18" rx="2" ry="2" />
<line x1="16" y1="2" x2="16" y2="6" />
<line x1="8" y1="2" x2="8" y2="6" />
<line x1="3" y1="10" x2="21" y2="10" />
</svg>
<span class='screen-reader-text'>Posted on </span>
<time class='entry-date' datetime='2021-09-17T12:48:33-04:00'>2021, Sep 17</time>
</span>
<span class='reading-time'><svg
class="icon"
xmlns="http://www.w3.org/2000/svg"
viewbox="0 0 24 24"
stroke-linecap="round"
stroke-linejoin="round"
stroke-width="2"
aria-hidden="true"
><circle cx="12" cy="12" r="10" />
<polyline points="12 6 12 12 15 15" />
</svg>
One min read
</span>
</div>
</div>
</header>
<div class='container entry-content'><p>Rotating credentials is a security best practice. This morning, I read a question about automatically rotating AWS Access Keys without having to go through the hassle of navigating the AWS console. There are some existing solutions already, but I decided to write a <a href="https://gist.github.com/davegallant/2c042686a78684a657fe99e20fa7a924#file-aws_access_key_rotator-py">script</a> since it was incredibly simple. The script could be packed up as a systemd/launchd service to continually rotate access keys in the background.</p>
<p>In the longer term, migrating my local workflows to <a href="https://github.com/99designs/aws-vault">aws-vault</a> seems like a more secure solution. This would mean that credentials (even temporary session credentials) never have to be written in plaintext to disk (i.e. where <a href="https://docs.aws.amazon.com/sdkref/latest/guide/file-location.html">AWS suggests</a>). Any existing applications, such as terraform, could be have their credentials passed to them from aws-vault, which retrieves them from the OS&rsquo;s secure keystore. There is even a <a href="https://github.com/99designs/aws-vault/blob/master/USAGE.md#rotating-credentials">rotate command</a> included.</p></div>
<footer class='entry-footer'>
<div class='container sep-before'><div class='tags'><svg
class="icon"
xmlns="http://www.w3.org/2000/svg"
viewbox="0 0 24 24"
stroke-linecap="round"
stroke-linejoin="round"
stroke-width="2"
aria-hidden="true"
><path d="M20.59,13.41l-7.17,7.17a2,2,0,0,1-2.83,0L2,12V2H12l8.59,8.59A2,2,0,0,1,20.59,13.41Z" />
<line x1="7" y1="7" x2="7" y2="7" />
</svg>
<span class='screen-reader-text'>Tags: </span><a class='tag' href='/tags/aws/'>aws</a>, <a class='tag' href='/tags/python/'>python</a>, <a class='tag' href='/tags/security/'>security</a>, <a class='tag' href='/tags/aws-vault/'>aws-vault</a></div>
</div>
</footer>
</article>
<nav class='entry-nav'>
<div class='container'><div class='prev-entry sep-before'>
<a href='/blog/2021/09/08/why-i-threw-out-my-dotfiles/'>
<span aria-hidden='true'><svg
class="icon"
xmlns="http://www.w3.org/2000/svg"
viewbox="0 0 24 24"
stroke-linecap="round"
stroke-linejoin="round"
stroke-width="2"
aria-hidden="true"
><line x1="20" y1="12" x2="4" y2="12" />
<polyline points="10 18 4 12 10 6" />
</svg>
Previous</span>
<span class='screen-reader-text'>Previous post: </span>Why I Threw Out My Dotfiles</a>
</div><div class='next-entry sep-before'>
<a href='/blog/2021/10/11/replacing-docker-with-podman-on-macos-and-linux/'>
<span class='screen-reader-text'>Next post: </span>Replacing docker with podman on macOS (and Linux)<span aria-hidden='true'>Next <svg
class="icon"
xmlns="http://www.w3.org/2000/svg"
viewbox="0 0 24 24"
stroke-linecap="round"
stroke-linejoin="round"
stroke-width="2"
aria-hidden="true"
><line x1="4" y1="12" x2="20" y2="12" />
<polyline points="14 6 20 12 14 18" />
</svg>
</span>
</a>
</div></div>
</nav>
<section id='comments' class='comments'>
<div class='container sep-before'>
<div class='comments-area'><script src='https://utteranc.es/client.js'
repo='davegallant/davegallant.github.io'
issue-term='pathname'
theme='github-light'
crossorigin='anonymous' async>
</script>
</div>
</div>
</section>
</main>
<footer id='footer' class='footer'>
<div class='container sep-before'><div class='copyright'>
<p> &copy; 2020-2022 Dave Gallant </p>
</div>
</div>
</footer>
</div>
</div><script>window.__assets_js_src="/assets/js/"</script>
<script src='/assets/js/main.c3bcf2df.js'></script>
</body>
<script>
feather.replace()
</script></div>
</body>
</html>

617
public/blog/2021/10/11/replacing-docker-with-podman-on-macos-and-linux/index.html
View File

@@ -1,332 +1,105 @@
<!DOCTYPE html>
<html lang='en' dir='auto'><head>
<meta charset='utf-8'>
<meta name='viewport' content='width=device-width, initial-scale=1'>
<meta name='description' content=''>
<meta name='theme-color' content='#8979b3'>
<html><head>
<meta charset="utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge"><title>Replacing docker with podman on macOS (and Linux) - davegallant</title><link rel="icon" type="image/png" href=https://davegallant.ca/favicon.ico /><meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="" />
<meta property="og:image" content=""/>
<meta property="og:title" content="Replacing docker with podman on macOS (and Linux)" />
<meta property="og:description" content="" />
<meta property="og:type" content="article" />
<meta property="og:url" content="/blog/2021/10/11/replacing-docker-with-podman-on-macos-and-linux/" /><meta property="article:section" content="post" />
<meta property="article:published_time" content="2021-10-11T10:43:35-04:00" />
<meta property="article:modified_time" content="2021-10-11T10:43:35-04:00" />
<meta name="twitter:card" content="summary"/>
<meta name="twitter:title" content="Replacing docker with podman on macOS (and Linux)"/>
<meta name="twitter:description" content=""/>
<script src="https://cdn.jsdelivr.net/npm/feather-icons/dist/feather.min.js"></script>
<link href="https://fonts.googleapis.com/css2?family=IBM+Plex+Mono:ital,wght@1,500&display=swap" rel="stylesheet">
<link href="https://fonts.googleapis.com/css2?family=Fira+Sans&display=swap" rel="stylesheet">
<link href="https://fonts.googleapis.com/css?family=Roboto+Mono" rel="stylesheet">
<meta property='og:title' content='Replacing docker with podman on macOS (and Linux) • davegallant'>
<meta property='og:description' content=''>
<meta property='og:url' content='/blog/2021/10/11/replacing-docker-with-podman-on-macos-and-linux/'>
<meta property='og:site_name' content='davegallant'>
<meta property='og:type' content='article'><meta property='article:section' content='post'><meta property='article:tag' content='docker'><meta property='article:tag' content='podman'><meta property='article:tag' content='containers'><meta property='article:published_time' content='2021-10-11T10:43:35-04:00'/><meta property='article:modified_time' content='2021-10-11T10:43:35-04:00'/><meta name='twitter:card' content='summary'>
<meta name="generator" content="Hugo 0.108.0">
<title>Replacing docker with podman on macOS (and Linux) • davegallant</title>
<link rel='canonical' href='/blog/2021/10/11/replacing-docker-with-podman-on-macos-and-linux/'>
<link rel='icon' href='/favicon.ico'>
<link rel='stylesheet' href='/assets/css/main.ab98e12b.css'><link rel='stylesheet' href='/css/custom.css'><style>
:root{--color-accent:#8979b3;}
</style>
<script type="application/javascript">
var doNotTrack = false;
if (!doNotTrack) {
window.ga=window.ga||function(){(ga.q=ga.q||[]).push(arguments)};ga.l=+new Date;
ga('create', 'UA-98710982-2', 'auto');
ga('send', 'pageview');
}
</script>
<script async src='https://www.google-analytics.com/analytics.js'></script>
<link rel="stylesheet" type="text/css" media="screen" href="/css/main.f7354ef8ed840429a37397307f3d9872782673d6b91d714b3f600b210d91fbaf.css" />
<link id="darkModeStyle" rel="stylesheet" type="text/css" href="/css/dark.726cd11ca6eb7c4f7d48eb420354f814e5c1b94281aaf8fd0511c1319f7f78a4.css" disabled />
<script type="text/javascript"
src="https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.1/MathJax.js?config=TeX-AMS-MML_HTMLorMML">
</script>
<script type="text/x-mathjax-config">
MathJax.Hub.Config({
tex2jax: {
inlineMath: [['$','$'], ['\\(','\\)']],
displayMath: [['$$','$$'], ['\[','\]']],
processEscapes: true,
processEnvironments: true,
skipTags: ['script', 'noscript', 'style', 'textarea', 'pre'],
TeX: { equationNumbers: { autoNumber: "AMS" },
extensions: ["AMSmath.js", "AMSsymbols.js"] }
}
});
</script>
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/katex@0.15.2/dist/katex.min.css">
<script defer src="https://cdn.jsdelivr.net/npm/katex@0.15.2/dist/katex.min.js"></script>
<script defer src="https://cdn.jsdelivr.net/npm/katex@0.15.2/dist/contrib/auto-render.min.js" onload="renderMathInElement(document.body);"></script>
<script>
document.addEventListener("DOMContentLoaded", function() {
renderMathInElement(document.body, {
delimiters: [
{left: "$$", right: "$$", display: true},
{left: "$", right: "$", display: false}
]
});
});
</script>
<link rel="stylesheet" type="text/css" href="/css/custom.2e59ff60a2d9c7e42e3c1af2aff0ba627da46f910a234867e98d178eb05c87dc.css">
</head>
<body class='page type-post has-sidebar'>
<div class='site'><div id='sidebar' class='sidebar'>
<a class='screen-reader-text' href='#main-menu'>Skip to Main Menu</a>
<div class='container'><section class='widget widget-about sep-after'>
<header>
<div class='logo'>
<a href='/'>
<img src='/images/logo.png'>
</a>
</div>
<h2 class='title site-title '>
<a href='/'>
davegallant
</a>
</h2>
<div class='desc'>
personal blog
</div>
</header>
</section>
<section class='widget widget-taxonomy_cloud sep-after'>
<header>
<h4 class='title widget-title'>Tags</h4>
</header>
<div class='container list-container'>
<ul class='list taxonomy-cloud'><li>
<a href='/tags/adguard/' style='font-size:1em'>adguard</a>
</li><li>
<a href='/tags/aws/' style='font-size:1em'>aws</a>
</li><li>
<a href='/tags/aws-vault/' style='font-size:1em'>aws-vault</a>
</li><li>
<a href='/tags/backup/' style='font-size:1em'>backup</a>
</li><li>
<a href='/tags/containers/' style='font-size:1em'>containers</a>
</li><li>
<a href='/tags/degoogle/' style='font-size:2em'>degoogle</a>
</li><li>
<a href='/tags/docker/' style='font-size:1em'>docker</a>
</li><li>
<a href='/tags/dotfiles/' style='font-size:1em'>dotfiles</a>
</li><li>
<a href='/tags/gmail/' style='font-size:1em'>gmail</a>
</li><li>
<a href='/tags/grafana/' style='font-size:1em'>grafana</a>
</li><li>
<a href='/tags/home-manager/' style='font-size:1em'>home-manager</a>
</li><li>
<a href='/tags/homelab/' style='font-size:1em'>homelab</a>
</li><li>
<a href='/tags/invidious/' style='font-size:1em'>invidious</a>
</li><li>
<a href='/tags/jellyfin/' style='font-size:1em'>jellyfin</a>
</li><li>
<a href='/tags/k3s/' style='font-size:1em'>k3s</a>
</li><li>
<a href='/tags/linux/' style='font-size:1em'>linux</a>
</li><li>
<a href='/tags/lxc/' style='font-size:1em'>lxc</a>
</li><li>
<a href='/tags/netdata/' style='font-size:1em'>netdata</a>
</li><li>
<a href='/tags/nix/' style='font-size:1em'>nix</a>
</li><li>
<a href='/tags/openwrt/' style='font-size:1em'>openwrt</a>
</li><li>
<a href='/tags/pfsense/' style='font-size:1em'>pfsense</a>
</li><li>
<a href='/tags/pihole/' style='font-size:1em'>pihole</a>
</li><li>
<a href='/tags/plex/' style='font-size:1em'>plex</a>
</li><li>
<a href='/tags/podman/' style='font-size:1em'>podman</a>
</li><li>
<a href='/tags/privacy/' style='font-size:1em'>privacy</a>
</li><li>
<a href='/tags/proxmox/' style='font-size:2em'>proxmox</a>
</li><li>
<a href='/tags/python/' style='font-size:2em'>python</a>
</li><li>
<a href='/tags/ransomware/' style='font-size:1em'>ransomware</a>
</li><li>
<a href='/tags/router/' style='font-size:1em'>router</a>
</li><li>
<a href='/tags/router-on-a-stick/' style='font-size:1em'>router-on-a-stick</a>
</li><li>
<a href='/tags/security/' style='font-size:1em'>security</a>
</li><li>
<a href='/tags/synology/' style='font-size:1em'>synology</a>
</li><li>
<a href='/tags/tailscale/' style='font-size:2em'>tailscale</a>
</li><li>
<a href='/tags/virtualization/' style='font-size:1em'>virtualization</a>
</li><li>
<a href='/tags/vlan/' style='font-size:1em'>vlan</a>
</li><li>
<a href='/tags/vpn/' style='font-size:1em'>vpn</a>
</li><li>
<a href='/tags/yewtu.be/' style='font-size:1em'>yewtu.be</a>
</li><li>
<a href='/tags/youtube/' style='font-size:1em'>youtube</a>
</li></ul>
</div>
</section>
<section class='widget widget-social_menu sep-after'><nav aria-label='Social Menu'>
<ul><li>
<a href='https://github.com/davegallant' target='_blank' rel='noopener me'>
<span class='screen-reader-text'>Open Github account in new tab</span><svg
class="icon"
xmlns="http://www.w3.org/2000/svg"
viewbox="0 0 24 24"
stroke-linecap="round"
stroke-linejoin="round"
stroke-width="2"
aria-hidden="true"
><path d="M9 19c-5 1.5-5-2.5-7-3m14 6v-3.87a3.37 3.37 0 0 0-.94-2.61c3.14-.35 6.44-1.54 6.44-7A5.44 5.44 0 0 0 20 4.77 5.07 5.07 0 0 0 19.91 1S18.73.65 16 2.48a13.38 13.38 0 0 0-7 0C6.27.65 5.09 1 5.09 1A5.07 5.07 0 0 0 5 4.77a5.44 5.44 0 0 0-1.5 3.78c0 5.42 3.3 6.61 6.44 7A3.37 3.37 0 0 0 9 18.13V22" />
</svg>
</a>
</li><li>
<a href='https://twitter.com/davega11ant' target='_blank' rel='noopener me'>
<span class='screen-reader-text'>Open Twitter account in new tab</span><svg
class="icon"
xmlns="http://www.w3.org/2000/svg"
viewbox="0 0 24 24"
stroke-linecap="round"
stroke-linejoin="round"
stroke-width="2"
aria-hidden="true"
><path d="M23 3a10.9 10.9 0 0 1-3.14 1.53 4.48 4.48 0 0 0-7.86 3v1A10.66 10.66 0 0 1 3 4s-4 9 5 13a11.64 11.64 0 0 1-7 2c9 5 20 0 20-11.5a4.5 4.5 0 0 0-.08-.83A7.72 7.72 0 0 0 23 3z" />
</svg>
</a>
</li><li>
<a href='https://fosstodon.org/@davegallant' target='_blank' rel='noopener me'>
<span class='screen-reader-text'>Open Mastodon account in new tab</span><svg
class="icon"
xmlns="http://www.w3.org/2000/svg"
viewbox="0 0 24 24"
stroke-linecap="round"
stroke-linejoin="round"
stroke-width="2"
aria-hidden="true"
><path fill="#ccc" d="M23.268 5.313c-.35-2.578-2.617-4.61-5.304-5.004C17.51.242 15.792 0 11.813 0h-.03c-3.98 0-4.835.242-5.288.309C3.882.692 1.496 2.518.917 5.127C.64 6.412.61 7.837.661 9.143c.074 1.874.088 3.745.26 5.611c.118 1.24.325 2.47.62 3.68c.55 2.237 2.777 4.098 4.96 4.857c2.336.792 4.849.923 7.256.38c.265-.061.527-.132.786-.213c.585-.184 1.27-.39 1.774-.753a.057.057 0 0 0 .023-.043v-1.809a.052.052 0 0 0-.02-.041a.053.053 0 0 0-.046-.01a20.282 20.282 0 0 1-4.709.545c-2.73 0-3.463-1.284-3.674-1.818a5.593 5.593 0 0 1-.319-1.433a.053.053 0 0 1 .066-.054c1.517.363 3.072.546 4.632.546c.376 0 .75 0 1.125-.01c1.57-.044 3.224-.124 4.768-.422c.038-.008.077-.015.11-.024c2.435-.464 4.753-1.92 4.989-5.604c.008-.145.03-1.52.03-1.67c.002-.512.167-3.63-.024-5.545zm-3.748 9.195h-2.561V8.29c0-1.309-.55-1.976-1.67-1.976c-1.23 0-1.846.79-1.846 2.35v3.403h-2.546V8.663c0-1.56-.617-2.35-1.848-2.35c-1.112 0-1.668.668-1.67 1.977v6.218H4.822V8.102c0-1.31.337-2.35 1.011-3.12c.696-.77 1.608-1.164 2.74-1.164c1.311 0 2.302.5 2.962 1.498l.638 1.06l.638-1.06c.66-.999 1.65-1.498 2.96-1.498c1.13 0 2.043.395 2.74 1.164c.675.77 1.012 1.81 1.012 3.12z"/>
</svg>
</a>
</li><li>
<a href='mailto:dave.gallant@gmail.com' target='_blank' rel='noopener me'>
<span class='screen-reader-text'>Contact via Email</span><svg
class="icon"
xmlns="http://www.w3.org/2000/svg"
viewbox="0 0 24 24"
stroke-linecap="round"
stroke-linejoin="round"
stroke-width="2"
aria-hidden="true"
><path d="M4 4h16c1.1 0 2 .9 2 2v12c0 1.1-.9 2-2 2H4c-1.1 0-2-.9-2-2V6c0-1.1.9-2 2-2z" />
<polyline points="22,6 12,13 2,6" />
</svg>
</a>
</li><li>
<a href='https://linkedin.com/in/dave-gallant' target='_blank' rel='noopener me'>
<span class='screen-reader-text'>Open Linkedin account in new tab</span><svg
class="icon"
xmlns="http://www.w3.org/2000/svg"
viewbox="0 0 24 24"
stroke-linecap="round"
stroke-linejoin="round"
stroke-width="2"
aria-hidden="true"
><path d="M16 8a6 6 0 0 1 6 6v7h-4v-7a2 2 0 0 0-2-2 2 2 0 0 0-2 2v7h-4v-7a6 6 0 0 1 6-6z" />
<rect x="2" y="9" width="4" height="12" />
<circle cx="4" cy="4" r="2" />
</svg>
</a>
</li></ul>
</nav>
</section></div>
<div class='sidebar-overlay'></div>
</div><div class='main'><nav id='main-menu' class='menu main-menu' aria-label='Main Menu'>
<div class='container'>
<a class='screen-reader-text' href='#content'>Skip to Content</a>
<button id='sidebar-toggler' class='sidebar-toggler' aria-controls='sidebar'>
<span class='screen-reader-text'>Toggle Sidebar</span>
<span class='open'><svg
class="icon"
xmlns="http://www.w3.org/2000/svg"
viewbox="0 0 24 24"
stroke-linecap="round"
stroke-linejoin="round"
stroke-width="2"
aria-hidden="true"
><line x1="3" y1="12" x2="21" y2="12" />
<line x1="3" y1="6" x2="21" y2="6" />
<line x1="3" y1="18" x2="21" y2="18" />
</svg>
</span>
<span class='close'><svg
class="icon"
xmlns="http://www.w3.org/2000/svg"
viewbox="0 0 24 24"
stroke-linecap="round"
stroke-linejoin="round"
stroke-width="2"
aria-hidden="true"
><line x1="18" y1="6" x2="6" y2="18" />
<line x1="6" y1="6" x2="18" y2="18" />
</svg>
</span>
</button>
<ul><li class='item'>
<a href='/'>Home</a>
</li><li class='item'>
<a href='/about/'>About</a>
</li><li class='item'>
<a href='/index.xml'>RSS</a>
</li></ul>
</div>
</nav><div class='header-widgets'>
<div class='container'></div>
</div>
<header id='header' class='header site-header'>
<div class='container sep-after'>
</div>
</header>
<main id='content'>
<article lang='en' class='entry'>
<header class='header entry-header'>
<div class='container sep-after'>
<div class='header-info'>
<h1 class='title'>Replacing docker with podman on macOS (and Linux)</h1>
</div>
<div class='entry-meta'>
<span class='posted-on'><svg
class="icon"
xmlns="http://www.w3.org/2000/svg"
viewbox="0 0 24 24"
stroke-linecap="round"
stroke-linejoin="round"
stroke-width="2"
aria-hidden="true"
><rect x="3" y="4" width="18" height="18" rx="2" ry="2" />
<line x1="16" y1="2" x2="16" y2="6" />
<line x1="8" y1="2" x2="8" y2="6" />
<line x1="3" y1="10" x2="21" y2="10" />
</svg>
<span class='screen-reader-text'>Posted on </span>
<time class='entry-date' datetime='2021-10-11T10:43:35-04:00'>2021, Oct 11</time>
</span>
<span class='reading-time'><svg
class="icon"
xmlns="http://www.w3.org/2000/svg"
viewbox="0 0 24 24"
stroke-linecap="round"
stroke-linejoin="round"
stroke-width="2"
aria-hidden="true"
><circle cx="12" cy="12" r="10" />
<polyline points="12 6 12 12 15 15" />
</svg>
5 mins read
</span>
</div>
</div>
<body>
<div class="content"><header>
<div class="main">
<a href="/">davegallant</a>
</div>
<nav>
<a href="/">Home</a>
<a href="/post">All posts</a>
<a href="/about">About</a>
<a href="/tags">Tags</a>
| <span id="dark-mode-toggle" onclick="toggleTheme()"></span>
<script src="/js/themetoggle.js"></script>
</nav>
</header>
<main>
<article>
<div class="title">
<h1 class="title">Replacing docker with podman on macOS (and Linux)</h1>
<div class="meta">Posted on Oct 11, 2021</div>
</div>
<div class='container entry-content'><p>There are a number of reasons why you might want to replace docker, especially on macOS. The following feature bundled in Docker Desktop might have motivated you enough to consider replacing docker:</p>
<section class="body"><p>There are a number of reasons why you might want to replace docker, especially on macOS. The following feature bundled in Docker Desktop might have motivated you enough to consider replacing docker:</p>
<blockquote class="twitter-tweet"><p lang="en" dir="ltr">...ignoring Docker updates is a paid feature now?? <a href="https://t.co/ZxKW3b9LQM">pic.twitter.com/ZxKW3b9LQM</a></p>&mdash; Brendan Dolan-Gavitt (@moyix) <a href="https://twitter.com/moyix/status/1388586550682861568?ref_src=twsrc%5Etfw">May 1, 2021</a></blockquote>
<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
@@ -341,130 +114,94 @@ if (!doNotTrack) {
<p>I&rsquo;ve also observed that so far my 2019 16&quot; Macbook Pro hasn&rsquo;t sounded like a jet engine, although I haven&rsquo;t performed any disk-intensive operations yet.</p>
<h3 id="installing-podman">Installing Podman<a href="#installing-podman" class="hanchor" ariaLabel="Anchor">#</a></h3>
<p>Running Podman on macOS is more involved than on Linux, because the podman-machine must run Linux inside of a virtual machine. Fortunately, the installation is made simple with <a href="https://formulae.brew.sh/formula/podman">brew</a> (read <a href="https://podman.io/getting-started/installation#linux-distributions">this</a> if you&rsquo;re installing Podman on Linux):</p>
<div class="highlight"><pre tabindex="0" style="background-color:#f0f3f3;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>brew install podman
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>brew install podman
</span></span></code></pre></div><p>The podman-machine must be started:</p>
<div class="highlight"><pre tabindex="0" style="background-color:#f0f3f3;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span><span style="color:#09f;font-style:italic"># This is not necessary on Linux</span>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span><span style="color:#75715e"># This is not necessary on Linux</span>
</span></span><span style="display:flex;"><span>podman machine init
</span></span><span style="display:flex;"><span>podman machine start
</span></span></code></pre></div><h3 id="running-a-container">Running a container<a href="#running-a-container" class="hanchor" ariaLabel="Anchor">#</a></h3>
<p>Let&rsquo;s try to pull an image:</p>
<div class="highlight"><pre tabindex="0" style="background-color:#f0f3f3;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-console" data-lang="console"><span style="display:flex;"><span><span style="color:#009;font-weight:bold">$</span> podman pull alpine
</span></span><span style="display:flex;"><span><span style="color:#aaa">Trying to pull docker.io/library/alpine:latest...
</span></span></span><span style="display:flex;"><span><span style="color:#aaa">Getting image source signatures
</span></span></span><span style="display:flex;"><span><span style="color:#aaa">Copying blob sha256:a0d0a0d46f8b52473982a3c466318f479767577551a53ffc9074c9fa7035982e
</span></span></span><span style="display:flex;"><span><span style="color:#aaa">Copying config sha256:14119a10abf4669e8cdbdff324a9f9605d99697215a0d21c360fe8dfa8471bab
</span></span></span><span style="display:flex;"><span><span style="color:#aaa">Writing manifest to image destination
</span></span></span><span style="display:flex;"><span><span style="color:#aaa">Storing signatures
</span></span></span><span style="display:flex;"><span><span style="color:#aaa">14119a10abf4669e8cdbdff324a9f9605d99697215a0d21c360fe8dfa8471bab
</span></span></span></code></pre></div><blockquote>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-console" data-lang="console"><span style="display:flex;"><span>$ podman pull alpine
</span></span><span style="display:flex;"><span>Trying to pull docker.io/library/alpine:latest...
</span></span><span style="display:flex;"><span>Getting image source signatures
</span></span><span style="display:flex;"><span>Copying blob sha256:a0d0a0d46f8b52473982a3c466318f479767577551a53ffc9074c9fa7035982e
</span></span><span style="display:flex;"><span>Copying config sha256:14119a10abf4669e8cdbdff324a9f9605d99697215a0d21c360fe8dfa8471bab
</span></span><span style="display:flex;"><span>Writing manifest to image destination
</span></span><span style="display:flex;"><span>Storing signatures
</span></span><span style="display:flex;"><span>14119a10abf4669e8cdbdff324a9f9605d99697215a0d21c360fe8dfa8471bab
</span></span></code></pre></div><blockquote>
<p>If you&rsquo;re having an issue pulling images, you may need to remove <code>~/.docker/config.json</code> or remove the set of auths in the configuration as mentioned <a href="https://stackoverflow.com/a/69121873/1191286">here</a>.</p>
</blockquote>
<p>and then run and exec into the container:</p>
<div class="highlight"><pre tabindex="0" style="background-color:#f0f3f3;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-console" data-lang="console"><span style="display:flex;"><span><span style="color:#009;font-weight:bold">$</span> podman run --rm -ti alpine
</span></span><span style="display:flex;"><span><span style="color:#aaa">Error: error preparing container 99ace1ef8a78118e178372d91fd182e8166c399fbebe0f676af59fbf32ce205b for attach: error configuring network namespace for container 99ace1ef8a78118e178372d91fd182e8166c399fbebe0f676af59fbf32ce205b: error adding pod unruffled_bohr_unruffled_bohr to CNI network &#34;podman&#34;: unexpected end of JSON input
</span></span></span></code></pre></div><p>What does this error mean? A bit of searching lead to <a href="https://github.com/containers/podman/issues/11837">this github issue</a>.</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-console" data-lang="console"><span style="display:flex;"><span>$ podman run --rm -ti alpine
</span></span><span style="display:flex;"><span>Error: error preparing container 99ace1ef8a78118e178372d91fd182e8166c399fbebe0f676af59fbf32ce205b for attach: error configuring network namespace for container 99ace1ef8a78118e178372d91fd182e8166c399fbebe0f676af59fbf32ce205b: error adding pod unruffled_bohr_unruffled_bohr to CNI network &#34;podman&#34;: unexpected end of JSON input
</span></span></code></pre></div><p>What does this error mean? A bit of searching lead to <a href="https://github.com/containers/podman/issues/11837">this github issue</a>.</p>
<p>Until the fix is released, a workaround is to just specify a port (even when it&rsquo;s not needed):</p>
<div class="highlight"><pre tabindex="0" style="background-color:#f0f3f3;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>podman run -p <span style="color:#f60">4242</span> --rm -ti alpine
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>podman run -p <span style="color:#ae81ff">4242</span> --rm -ti alpine
</span></span></code></pre></div><p>If you&rsquo;re reading this from the future, there is a good chance specifying a port won&rsquo;t be needed.</p>
<p>Another example of running a container with Podman can be found in the <a href="https://jellyfin.org/docs/general/administration/installing.html#podman">Jellyfin Documentation</a>.</p>
<h3 id="aliasing-docker-with-podman">Aliasing docker with podman<a href="#aliasing-docker-with-podman" class="hanchor" ariaLabel="Anchor">#</a></h3>
<p>Force of habit (or other scripts) may have you calling <code>docker</code>. To work around this:</p>
<div class="highlight"><pre tabindex="0" style="background-color:#f0f3f3;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span><span style="color:#366">alias</span> <span style="color:#033">docker</span><span style="color:#555">=</span>podman
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>alias docker<span style="color:#f92672">=</span>podman
</span></span></code></pre></div><h3 id="podman-compose">podman-compose<a href="#podman-compose" class="hanchor" ariaLabel="Anchor">#</a></h3>
<p>You may be wondering: what about docker-compose? Well, there <em>claims</em> to be a drop-in replacement for it: <a href="https://github.com/containers/podman-compose">podman-compose</a>.</p>
<div class="highlight"><pre tabindex="0" style="background-color:#f0f3f3;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>pip3 install --user podman-compose
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>pip3 install --user podman-compose
</span></span></code></pre></div><p>Now let&rsquo;s create a <code>docker-compose.yml</code> file to test:</p>
<div class="highlight"><pre tabindex="0" style="background-color:#f0f3f3;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>cat <span style="color:#c30">&lt;&lt; EOF &gt;&gt; docker-compose.yml
</span></span></span><span style="display:flex;"><span><span style="color:#c30">version: &#39;2&#39;
</span></span></span><span style="display:flex;"><span><span style="color:#c30">services:
</span></span></span><span style="display:flex;"><span><span style="color:#c30"> hello_world:
</span></span></span><span style="display:flex;"><span><span style="color:#c30"> image: ubuntu
</span></span></span><span style="display:flex;"><span><span style="color:#c30"> command: [/bin/echo, &#39;Hello world&#39;]
</span></span></span><span style="display:flex;"><span><span style="color:#c30">EOF</span>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>cat <span style="color:#e6db74">&lt;&lt; EOF &gt;&gt; docker-compose.yml
</span></span></span><span style="display:flex;"><span><span style="color:#e6db74">version: &#39;2&#39;
</span></span></span><span style="display:flex;"><span><span style="color:#e6db74">services:
</span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> hello_world:
</span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> image: ubuntu
</span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> command: [/bin/echo, &#39;Hello world&#39;]
</span></span></span><span style="display:flex;"><span><span style="color:#e6db74">EOF</span>
</span></span></code></pre></div><p>Now run:</p>
<div class="highlight"><pre tabindex="0" style="background-color:#f0f3f3;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-console" data-lang="console"><span style="display:flex;"><span><span style="color:#009;font-weight:bold">$</span> podman-compose up
</span></span><span style="display:flex;"><span><span style="color:#aaa">podman pod create --name=davegallant.github.io --share net
</span></span></span><span style="display:flex;"><span><span style="color:#aaa">40d61dc6e95216c07d2b21cea6dcb30205bfcaf1260501fe652f05bddf7e595e
</span></span></span><span style="display:flex;"><span><span style="color:#aaa">0
</span></span></span><span style="display:flex;"><span><span style="color:#aaa">podman create --name=davegallant.github.io_hello_world_1 --pod=davegallant.github.io -l io.podman.compose.config-hash=123 -l io.podman.compose.project=davegallant.github.io -l io.podman.compose.version=0.0.1 -l com.docker.compose.container-number=1 -l com.docker.compose.service=hello_world --add-host hello_world:127.0.0.1 --add-host davegallant.github.io_hello_world_1:127.0.0.1 ubuntu /bin/echo Hello world
</span></span></span><span style="display:flex;"><span><span style="color:#aaa">Resolved &#34;ubuntu&#34; as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
</span></span></span><span style="display:flex;"><span><span style="color:#aaa">Trying to pull docker.io/library/ubuntu:latest...
</span></span></span><span style="display:flex;"><span><span style="color:#aaa">Getting image source signatures
</span></span></span><span style="display:flex;"><span><span style="color:#aaa">Copying blob sha256:f3ef4ff62e0da0ef761ec1c8a578f3035bef51043e53ae1b13a20b3e03726d17
</span></span></span><span style="display:flex;"><span><span style="color:#aaa">Copying blob sha256:f3ef4ff62e0da0ef761ec1c8a578f3035bef51043e53ae1b13a20b3e03726d17
</span></span></span><span style="display:flex;"><span><span style="color:#aaa">Copying config sha256:597ce1600cf4ac5f449b66e75e840657bb53864434d6bd82f00b172544c32ee2
</span></span></span><span style="display:flex;"><span><span style="color:#aaa">Writing manifest to image destination
</span></span></span><span style="display:flex;"><span><span style="color:#aaa">Storing signatures
</span></span></span><span style="display:flex;"><span><span style="color:#aaa">1a68b2fed3fdf2037b7aef16d770f22929eec1d799219ce30541df7876918576
</span></span></span><span style="display:flex;"><span><span style="color:#aaa">0
</span></span></span><span style="display:flex;"><span><span style="color:#aaa">podman start -a davegallant.github.io_hello_world_1
</span></span></span><span style="display:flex;"><span><span style="color:#aaa">Hello world
</span></span></span></code></pre></div><p>This should more or less provide the same results you would come to expect with docker. The README does clearly state that podman-compose is under development.</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-console" data-lang="console"><span style="display:flex;"><span>$ podman-compose up
</span></span><span style="display:flex;"><span>podman pod create --name=davegallant.github.io --share net
</span></span><span style="display:flex;"><span>40d61dc6e95216c07d2b21cea6dcb30205bfcaf1260501fe652f05bddf7e595e
</span></span><span style="display:flex;"><span>0
</span></span><span style="display:flex;"><span>podman create --name=davegallant.github.io_hello_world_1 --pod=davegallant.github.io -l io.podman.compose.config-hash=123 -l io.podman.compose.project=davegallant.github.io -l io.podman.compose.version=0.0.1 -l com.docker.compose.container-number=1 -l com.docker.compose.service=hello_world --add-host hello_world:127.0.0.1 --add-host davegallant.github.io_hello_world_1:127.0.0.1 ubuntu /bin/echo Hello world
</span></span><span style="display:flex;"><span>Resolved &#34;ubuntu&#34; as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
</span></span><span style="display:flex;"><span>Trying to pull docker.io/library/ubuntu:latest...
</span></span><span style="display:flex;"><span>Getting image source signatures
</span></span><span style="display:flex;"><span>Copying blob sha256:f3ef4ff62e0da0ef761ec1c8a578f3035bef51043e53ae1b13a20b3e03726d17
</span></span><span style="display:flex;"><span>Copying blob sha256:f3ef4ff62e0da0ef761ec1c8a578f3035bef51043e53ae1b13a20b3e03726d17
</span></span><span style="display:flex;"><span>Copying config sha256:597ce1600cf4ac5f449b66e75e840657bb53864434d6bd82f00b172544c32ee2
</span></span><span style="display:flex;"><span>Writing manifest to image destination
</span></span><span style="display:flex;"><span>Storing signatures
</span></span><span style="display:flex;"><span>1a68b2fed3fdf2037b7aef16d770f22929eec1d799219ce30541df7876918576
</span></span><span style="display:flex;"><span>0
</span></span><span style="display:flex;"><span>podman start -a davegallant.github.io_hello_world_1
</span></span><span style="display:flex;"><span>Hello world
</span></span></code></pre></div><p>This should more or less provide the same results you would come to expect with docker. The README does clearly state that podman-compose is under development.</p>
<h3 id="summary">Summary<a href="#summary" class="hanchor" ariaLabel="Anchor">#</a></h3>
<p>Installing Podman on macOS was not seamless, but it was manageable well within 30 minutes. I would recommend giving Podman a try to anyone who is unhappy with experiencing forced docker updates, or who is interested in using a more modern technology for running containers.</p>
<p>One caveat to mention is that there isn&rsquo;t an official graphical user interface for Podman, but there is an <a href="https://github.com/containers/podman/issues/11494">open issue</a> considering one. If you rely heavily on Docker Desktop&rsquo;s UI, you may not be as interested in using podman yet.</p>
<blockquote>
<p>Update: After further usage, bind mounts do not seem to work out of the box when the client and host are on different machines. A rather involved solution using <a href="https://en.wikipedia.org/wiki/SSHFS">sshfs</a> was shared <a href="https://github.com/containers/podman/issues/8016#issuecomment-920015800">here</a>.</p>
</blockquote>
<p>I had been experimenting with Podman on Linux before writing this, but after listening to this <a href="https://kubernetespodcast.com/episode/164-podman/">podcast episode</a>, I was inspired to give Podman a try on macOS.</p></div>
<p>I had been experimenting with Podman on Linux before writing this, but after listening to this <a href="https://kubernetespodcast.com/episode/164-podman/">podcast episode</a>, I was inspired to give Podman a try on macOS.</p></section>
<footer class='entry-footer'>
<div class='container sep-before'><div class='tags'><svg
class="icon"
xmlns="http://www.w3.org/2000/svg"
viewbox="0 0 24 24"
stroke-linecap="round"
stroke-linejoin="round"
stroke-width="2"
aria-hidden="true"
><path d="M20.59,13.41l-7.17,7.17a2,2,0,0,1-2.83,0L2,12V2H12l8.59,8.59A2,2,0,0,1,20.59,13.41Z" />
<line x1="7" y1="7" x2="7" y2="7" />
</svg>
<span class='screen-reader-text'>Tags: </span><a class='tag' href='/tags/docker/'>docker</a>, <a class='tag' href='/tags/podman/'>podman</a>, <a class='tag' href='/tags/containers/'>containers</a></div>
<div class="post-tags">
<nav class="nav tags">
<ul class="tags">
<li><a href="/tags/docker">docker</a></li>
<li><a href="/tags/podman">podman</a></li>
<li><a href="/tags/containers">containers</a></li>
</ul>
</nav>
</div>
</article>
</main>
</div>
</footer>
</article>
<nav class='entry-nav'>
<div class='container'><div class='prev-entry sep-before'>
<a href='/blog/2021/09/17/automatically-rotating-aws-access-keys/'>
<span aria-hidden='true'><svg
class="icon"
xmlns="http://www.w3.org/2000/svg"
viewbox="0 0 24 24"
stroke-linecap="round"
stroke-linejoin="round"
stroke-width="2"
aria-hidden="true"
><line x1="20" y1="12" x2="4" y2="12" />
<polyline points="10 18 4 12 10 6" />
</svg>
Previous</span>
<span class='screen-reader-text'>Previous post: </span>Automatically Rotating AWS Access Keys</a>
</div><div class='next-entry sep-before'>
<a href='/blog/2021/11/14/running-k3s-in-lxc-on-proxmox/'>
<span class='screen-reader-text'>Next post: </span>Running K3s in LXC on Proxmox<span aria-hidden='true'>Next <svg
class="icon"
xmlns="http://www.w3.org/2000/svg"
viewbox="0 0 24 24"
stroke-linecap="round"
stroke-linejoin="round"
stroke-width="2"
aria-hidden="true"
><line x1="4" y1="12" x2="20" y2="12" />
<polyline points="14 6 20 12 14 18" />
</svg>
</span>
</a>
</div></div>
</nav>
<section id='comments' class='comments'>
<section id='comments' class='comments'>
<div class='container sep-before'>
<div class='comments-area'><script src='https://utteranc.es/client.js'
repo='davegallant/davegallant.github.io'
@@ -475,24 +212,32 @@ if (!doNotTrack) {
</script>
</div>
</div>
</section>
</section><footer>
<div style="display:flex"><a class="soc" href="https://github.com/davegallant" rel="me" title="GitHub"><i data-feather="github"></i></a>
<a class="border"></a><a class="soc" href="https://twitter.com/davega11ant/" rel="me" title="Twitter"><i data-feather="twitter"></i></a>
<a class="border"></a><a class="soc" href="https://fosstodon.org/@davegallant" rel="me" title="Mastodon"><i data-feather="speaker"></i></a>
<a class="border"></a><a class="soc" href="https://www.linkedin.com/in/dave-gallant/" rel="me" title="LinkedIn"><i data-feather="linkedin"></i></a>
<a class="border"></a></div>
<div class="footer-info">
2023 Dave Gallant | Theme based on <a
href="https://github.com/athul/archie">Archie</a> | Built with <a href="https://gohugo.io">Hugo</a>
</div>
</footer>
</main>
<footer id='footer' class='footer'>
<div class='container sep-before'><div class='copyright'>
<p> &copy; 2020-2022 Dave Gallant </p>
</div>
</div>
</footer>
</div>
</div><script>window.__assets_js_src="/assets/js/"</script>
<script src='/assets/js/main.c3bcf2df.js'></script>
</body>
<script type="application/javascript">
var doNotTrack = false;
if (!doNotTrack) {
window.ga=window.ga||function(){(ga.q=ga.q||[]).push(arguments)};ga.l=+new Date;
ga('create', 'UA-98710982-2', 'auto');
ga('send', 'pageview');
}
</script>
<script async src='https://www.google-analytics.com/analytics.js'></script>
<script>
feather.replace()
</script></div>
</body>
</html>

701
public/blog/2021/11/14/running-k3s-in-lxc-on-proxmox/index.html
View File

@@ -1,26 +1,227 @@
<!DOCTYPE html>
<html lang='en' dir='auto'><head>
<meta charset='utf-8'>
<meta name='viewport' content='width=device-width, initial-scale=1'>
<meta name='description' content=''>
<meta name='theme-color' content='#8979b3'>
<html><head>
<meta charset="utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge"><title>Running K3s in LXC on Proxmox - davegallant</title><link rel="icon" type="image/png" href=https://davegallant.ca/favicon.ico /><meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="" />
<meta property="og:image" content=""/>
<meta property="og:title" content="Running K3s in LXC on Proxmox" />
<meta property="og:description" content="" />
<meta property="og:type" content="article" />
<meta property="og:url" content="/blog/2021/11/14/running-k3s-in-lxc-on-proxmox/" /><meta property="article:section" content="post" />
<meta property="article:published_time" content="2021-11-14T10:07:03-05:00" />
<meta property="article:modified_time" content="2021-11-14T10:07:03-05:00" />
<meta name="twitter:card" content="summary"/>
<meta name="twitter:title" content="Running K3s in LXC on Proxmox"/>
<meta name="twitter:description" content=""/>
<script src="https://cdn.jsdelivr.net/npm/feather-icons/dist/feather.min.js"></script>
<link href="https://fonts.googleapis.com/css2?family=IBM+Plex+Mono:ital,wght@1,500&display=swap" rel="stylesheet">
<link href="https://fonts.googleapis.com/css2?family=Fira+Sans&display=swap" rel="stylesheet">
<link href="https://fonts.googleapis.com/css?family=Roboto+Mono" rel="stylesheet">
<meta property='og:title' content='Running K3s in LXC on Proxmox • davegallant'>
<meta property='og:description' content=''>
<meta property='og:url' content='/blog/2021/11/14/running-k3s-in-lxc-on-proxmox/'>
<meta property='og:site_name' content='davegallant'>
<meta property='og:type' content='article'><meta property='article:section' content='post'><meta property='article:tag' content='k3s'><meta property='article:tag' content='proxmox'><meta property='article:tag' content='lxc'><meta property='article:published_time' content='2021-11-14T10:07:03-05:00'/><meta property='article:modified_time' content='2021-11-14T10:07:03-05:00'/><meta name='twitter:card' content='summary'>
<link rel="stylesheet" type="text/css" media="screen" href="/css/main.f7354ef8ed840429a37397307f3d9872782673d6b91d714b3f600b210d91fbaf.css" />
<link id="darkModeStyle" rel="stylesheet" type="text/css" href="/css/dark.726cd11ca6eb7c4f7d48eb420354f814e5c1b94281aaf8fd0511c1319f7f78a4.css" disabled />
<meta name="generator" content="Hugo 0.108.0">
<script type="text/javascript"
src="https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.1/MathJax.js?config=TeX-AMS-MML_HTMLorMML">
</script>
<script type="text/x-mathjax-config">
MathJax.Hub.Config({
tex2jax: {
inlineMath: [['$','$'], ['\\(','\\)']],
displayMath: [['$$','$$'], ['\[','\]']],
processEscapes: true,
processEnvironments: true,
skipTags: ['script', 'noscript', 'style', 'textarea', 'pre'],
TeX: { equationNumbers: { autoNumber: "AMS" },
extensions: ["AMSmath.js", "AMSsymbols.js"] }
}
});
</script>
<title>Running K3s in LXC on Proxmox • davegallant</title>
<link rel='canonical' href='/blog/2021/11/14/running-k3s-in-lxc-on-proxmox/'>
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/katex@0.15.2/dist/katex.min.css">
<script defer src="https://cdn.jsdelivr.net/npm/katex@0.15.2/dist/katex.min.js"></script>
<script defer src="https://cdn.jsdelivr.net/npm/katex@0.15.2/dist/contrib/auto-render.min.js" onload="renderMathInElement(document.body);"></script>
<script>
document.addEventListener("DOMContentLoaded", function() {
renderMathInElement(document.body, {
delimiters: [
{left: "$$", right: "$$", display: true},
{left: "$", right: "$", display: false}
]
});
});
</script>
<link rel="stylesheet" type="text/css" href="/css/custom.2e59ff60a2d9c7e42e3c1af2aff0ba627da46f910a234867e98d178eb05c87dc.css">
</head>
<body>
<div class="content"><header>
<div class="main">
<a href="/">davegallant</a>
</div>
<nav>
<a href="/">Home</a>
<a href="/post">All posts</a>
<a href="/about">About</a>
<a href="/tags">Tags</a>
| <span id="dark-mode-toggle" onclick="toggleTheme()"></span>
<script src="/js/themetoggle.js"></script>
</nav>
</header>
<main>
<article>
<div class="title">
<h1 class="title">Running K3s in LXC on Proxmox</h1>
<div class="meta">Posted on Nov 14, 2021</div>
</div>
<section class="body"><p>It has been a while since I&rsquo;ve actively used Kubernetes and wanted to explore the evolution of tools such as <a href="https://helm.sh">Helm</a> and <a href="https://tekton.dev">Tekton</a>. I decided to deploy <a href="https://k3s.io">K3s</a>, since I&rsquo;ve had success with deploying it on resource-contrained Raspberry Pis in the past. I thought that this time it&rsquo;d be convenient to have K3s running in a LXC container on Proxmox. This would allow for easy snapshotting of the entire Kubernetes deployment. LXC containers also provide an efficient way to use a machine&rsquo;s resources.</p>
<h2 id="what-is-k3s">What is K3s?<a href="#what-is-k3s" class="hanchor" ariaLabel="Anchor">#</a></h2>
<p>K3s is a Kubernetes distro that advertises itself as a lightweight binary with a much smaller memory-footprint than traditional k8s. K3s is not a fork of k8s as it seeks to remain as close to upstream as it possibly can.</p>
<h2 id="configure-proxmox">Configure Proxmox<a href="#configure-proxmox" class="hanchor" ariaLabel="Anchor">#</a></h2>
<p>This <a href="https://gist.github.com/triangletodd/02f595cd4c0dc9aac5f7763ca2264185">gist</a> contains snippets and discussion on how to deploy K3s in LXC on Proxmox. It mentions that <code>bridge-nf-call-iptables</code> should be loaded, but I did not understand the benefit of doing this.</p>
<h2 id="disable-swap">Disable swap<a href="#disable-swap" class="hanchor" ariaLabel="Anchor">#</a></h2>
<p>There is an issue on Kubernetes regarding swap <a href="https://github.com/kubernetes/kubernetes/issues/53533">here</a>. There claims to be support for swap in 1.22, but for now let&rsquo;s disable it:</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span>sysctl vm.swappiness=0
</span></span><span style="display:flex;"><span>swapoff -a
</span></span></code></pre></div><p>It might be worth experimenting with swap enabled in the future to see how that might affect performance.</p>
<h3 id="enable-ip-forwarding">Enable IP Forwarding<a href="#enable-ip-forwarding" class="hanchor" ariaLabel="Anchor">#</a></h3>
<p>To avoid IP Forwarding issues with Traefik, run the following on the host:</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>sudo sysctl net.ipv4.ip_forward<span style="color:#f92672">=</span><span style="color:#ae81ff">1</span>
</span></span><span style="display:flex;"><span>sudo sysctl net.ipv6.conf.all.forwarding<span style="color:#f92672">=</span><span style="color:#ae81ff">1</span>
</span></span><span style="display:flex;"><span>sudo sed -i <span style="color:#e6db74">&#39;s/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/g&#39;</span> /etc/sysctl.conf
</span></span><span style="display:flex;"><span>sudo sed -i <span style="color:#e6db74">&#39;s/#net.ipv6.conf.all.forwarding=1/net.ipv6.conf.all.forwarding=1/g&#39;</span> /etc/sysctl.conf
</span></span></code></pre></div><h2 id="create-lxc-container">Create LXC container<a href="#create-lxc-container" class="hanchor" ariaLabel="Anchor">#</a></h2>
<p>Create an LXC container in the Proxmox interface as you normally would. Remember to:</p>
<ul>
<li>Uncheck <code>unprivileged container</code></li>
<li>Use a LXC template (I chose a debian 11 template downloaded with <a href="https://pve.proxmox.com/wiki/Linux_Container#Create_container">pveam</a>)</li>
<li>In memory, set swap to 0</li>
<li>Create and start the container</li>
</ul>
<h3 id="modify-container-config">Modify container config<a href="#modify-container-config" class="hanchor" ariaLabel="Anchor">#</a></h3>
<p>Now back on the host run <code>pct list</code> to determine what VMID it was given.</p>
<p>Open <code>/etc/pve/lxc/$VMID.conf</code> and append:</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>lxc.apparmor.profile: unconfined
</span></span><span style="display:flex;"><span>lxc.cap.drop:
</span></span><span style="display:flex;"><span>lxc.mount.auto: <span style="color:#e6db74">&#34;proc:rw sys:rw&#34;</span>
</span></span><span style="display:flex;"><span>lxc.cgroup2.devices.allow: c 10:200 rwm
</span></span></code></pre></div><p>All of the above configurations are described in the <a href="https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html">manpages</a>.
Notice that <code>cgroup2</code> is used since Proxmox VE 7.0 has switched to a <a href="https://pve.proxmox.com/pve-docs/chapter-pct.html#pct_cgroup">pure cgroupv2 environment</a>.</p>
<p>Thankfully cgroup v2 support has been supported in k3s with these contributions:</p>
<ul>
<li><a href="https://github.com/k3s-io/k3s/pull/2584">https://github.com/k3s-io/k3s/pull/2584</a></li>
<li><a href="https://github.com/k3s-io/k3s/pull/2844">https://github.com/k3s-io/k3s/pull/2844</a></li>
</ul>
<h2 id="enable-shared-host-mounts">Enable shared host mounts<a href="#enable-shared-host-mounts" class="hanchor" ariaLabel="Anchor">#</a></h2>
<p>From within the container, run:</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>echo <span style="color:#e6db74">&#39;#!/bin/sh -e
</span></span></span><span style="display:flex;"><span><span style="color:#e6db74">ln -s /dev/console /dev/kmsg
</span></span></span><span style="display:flex;"><span><span style="color:#e6db74">mount --make-rshared /&#39;</span> &gt; /etc/rc.local
</span></span><span style="display:flex;"><span>chmod +x /etc/rc.local
</span></span><span style="display:flex;"><span>reboot
</span></span></code></pre></div><h2 id="install-k3s">Install K3s<a href="#install-k3s" class="hanchor" ariaLabel="Anchor">#</a></h2>
<p>One of the simplest ways to install K3s on a remote host is to use <a href="https://github.com/alexellis/k3sup">k3sup</a>.
Ensure that you supply a valid <code>CONTAINER_IP</code> and choose the <code>k3s-version</code> you prefer.
As of 2021/11, it is still defaulting to the 1.19 channel, so I overrode it to 1.22 for cgroup v2 support. See the published releases <a href="https://github.com/k3s-io/k3s/releases">here</a>.</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>ssh-copy-id root@$CONTAINER_IP
</span></span><span style="display:flex;"><span>k3sup install --ip $CONTAINER_IP --user root --k3s-version v1.22.3+k3s1
</span></span></code></pre></div><p>If all goes well, you should see a path to the <code>kubeconfig</code> generated. I moved this into <code>~/.kube/config</code> so that kubectl would read this by default.</p>
<h2 id="wrapping-up">Wrapping up<a href="#wrapping-up" class="hanchor" ariaLabel="Anchor">#</a></h2>
<p>Installing K3s in LXC on Proxmox works with a few tweaks to the default configuration. I later followed the Tekton&rsquo;s <a href="https://tekton.dev/docs/getting-started/">Getting Started</a> guide and was able to deploy it in a few commands.</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-console" data-lang="console"><span style="display:flex;"><span>$ kubectl get all --namespace tekton-pipelines
</span></span><span style="display:flex;"><span>NAME READY STATUS RESTARTS AGE
</span></span><span style="display:flex;"><span>pod/tekton-pipelines-webhook-8566ff9b6b-6rnh8 1/1 Running 1 (50m ago) 12h
</span></span><span style="display:flex;"><span>pod/tekton-dashboard-6bf858f977-qt4hr 1/1 Running 1 (50m ago) 11h
</span></span><span style="display:flex;"><span>pod/tekton-pipelines-controller-69fd7498d8-f57m4 1/1 Running 1 (50m ago) 12h
</span></span><span style="display:flex;"><span><span style="color:#960050;background-color:#1e0010">
</span></span></span><span style="display:flex;"><span><span style="color:#960050;background-color:#1e0010"></span>NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
</span></span><span style="display:flex;"><span>service/tekton-pipelines-controller ClusterIP 10.43.44.245 &lt;none&gt; 9090/TCP,8080/TCP 12h
</span></span><span style="display:flex;"><span>service/tekton-pipelines-webhook ClusterIP 10.43.183.242 &lt;none&gt; 9090/TCP,8008/TCP,443/TCP,8080/TCP 12h
</span></span><span style="display:flex;"><span>service/tekton-dashboard ClusterIP 10.43.87.97 &lt;none&gt; 9097/TCP 11h
</span></span><span style="display:flex;"><span><span style="color:#960050;background-color:#1e0010">
</span></span></span><span style="display:flex;"><span><span style="color:#960050;background-color:#1e0010"></span>NAME READY UP-TO-DATE AVAILABLE AGE
</span></span><span style="display:flex;"><span>deployment.apps/tekton-pipelines-webhook 1/1 1 1 12h
</span></span><span style="display:flex;"><span>deployment.apps/tekton-dashboard 1/1 1 1 11h
</span></span><span style="display:flex;"><span>deployment.apps/tekton-pipelines-controller 1/1 1 1 12h
</span></span><span style="display:flex;"><span><span style="color:#960050;background-color:#1e0010">
</span></span></span><span style="display:flex;"><span><span style="color:#960050;background-color:#1e0010"></span>NAME DESIRED CURRENT READY AGE
</span></span><span style="display:flex;"><span>replicaset.apps/tekton-pipelines-webhook-8566ff9b6b 1 1 1 12h
</span></span><span style="display:flex;"><span>replicaset.apps/tekton-dashboard-6bf858f977 1 1 1 11h
</span></span><span style="display:flex;"><span>replicaset.apps/tekton-pipelines-controller-69fd7498d8 1 1 1 12h
</span></span><span style="display:flex;"><span><span style="color:#960050;background-color:#1e0010">
</span></span></span><span style="display:flex;"><span><span style="color:#960050;background-color:#1e0010"></span>NAME REFERENCE TARGETS MINPODS MAXPODS REPLICAS AGE
</span></span><span style="display:flex;"><span>horizontalpodautoscaler.autoscaling/tekton-pipelines-webhook Deployment/tekton-pipelines-webhook 9%/100% 1 5 1 12h
</span></span></code></pre></div><p>I made sure to install Tailscale in the container so that I can easily access K3s from anywhere.</p>
<p>If I&rsquo;m feeling adventurous, I might experiment with <a href="https://rancher.com/docs/k3s/latest/en/advanced/#running-k3s-with-rootless-mode-experimental">K3s rootless</a>.</p></section>
<div class="post-tags">
<nav class="nav tags">
<ul class="tags">
<li><a href="/tags/k3s">k3s</a></li>
<li><a href="/tags/proxmox">proxmox</a></li>
<li><a href="/tags/lxc">lxc</a></li>
</ul>
</nav>
</div>
</article>
</main>
<section id='comments' class='comments'>
<div class='container sep-before'>
<div class='comments-area'><script src='https://utteranc.es/client.js'
repo='davegallant/davegallant.github.io'
issue-term='pathname'
<link rel='icon' href='/favicon.ico'>
<link rel='stylesheet' href='/assets/css/main.ab98e12b.css'><link rel='stylesheet' href='/css/custom.css'><style>
:root{--color-accent:#8979b3;}
</style>
theme='github-light'
crossorigin='anonymous' async>
</script>
</div>
</div>
</section><footer>
<div style="display:flex"><a class="soc" href="https://github.com/davegallant" rel="me" title="GitHub"><i data-feather="github"></i></a>
<a class="border"></a><a class="soc" href="https://twitter.com/davega11ant/" rel="me" title="Twitter"><i data-feather="twitter"></i></a>
<a class="border"></a><a class="soc" href="https://fosstodon.org/@davegallant" rel="me" title="Mastodon"><i data-feather="speaker"></i></a>
<a class="border"></a><a class="soc" href="https://www.linkedin.com/in/dave-gallant/" rel="me" title="LinkedIn"><i data-feather="linkedin"></i></a>
<a class="border"></a></div>
<div class="footer-info">
2023 Dave Gallant | Theme based on <a
href="https://github.com/athul/archie">Archie</a> | Built with <a href="https://gohugo.io">Hugo</a>
</div>
</footer>
<script type="application/javascript">
var doNotTrack = false;
@@ -33,464 +234,8 @@ if (!doNotTrack) {
</script>
<script async src='https://www.google-analytics.com/analytics.js'></script>
</head>
<body class='page type-post has-sidebar'>
<div class='site'><div id='sidebar' class='sidebar'>
<a class='screen-reader-text' href='#main-menu'>Skip to Main Menu</a>
<div class='container'><section class='widget widget-about sep-after'>
<header>
<div class='logo'>
<a href='/'>
<img src='/images/logo.png'>
</a>
</div>
<h2 class='title site-title '>
<a href='/'>
davegallant
</a>
</h2>
<div class='desc'>
personal blog
</div>
</header>
</section>
<section class='widget widget-taxonomy_cloud sep-after'>
<header>
<h4 class='title widget-title'>Tags</h4>
</header>
<div class='container list-container'>
<ul class='list taxonomy-cloud'><li>
<a href='/tags/adguard/' style='font-size:1em'>adguard</a>
</li><li>
<a href='/tags/aws/' style='font-size:1em'>aws</a>
</li><li>
<a href='/tags/aws-vault/' style='font-size:1em'>aws-vault</a>
</li><li>
<a href='/tags/backup/' style='font-size:1em'>backup</a>
</li><li>
<a href='/tags/containers/' style='font-size:1em'>containers</a>
</li><li>
<a href='/tags/degoogle/' style='font-size:2em'>degoogle</a>
</li><li>
<a href='/tags/docker/' style='font-size:1em'>docker</a>
</li><li>
<a href='/tags/dotfiles/' style='font-size:1em'>dotfiles</a>
</li><li>
<a href='/tags/gmail/' style='font-size:1em'>gmail</a>
</li><li>
<a href='/tags/grafana/' style='font-size:1em'>grafana</a>
</li><li>
<a href='/tags/home-manager/' style='font-size:1em'>home-manager</a>
</li><li>
<a href='/tags/homelab/' style='font-size:1em'>homelab</a>
</li><li>
<a href='/tags/invidious/' style='font-size:1em'>invidious</a>
</li><li>
<a href='/tags/jellyfin/' style='font-size:1em'>jellyfin</a>
</li><li>
<a href='/tags/k3s/' style='font-size:1em'>k3s</a>
</li><li>
<a href='/tags/linux/' style='font-size:1em'>linux</a>
</li><li>
<a href='/tags/lxc/' style='font-size:1em'>lxc</a>
</li><li>
<a href='/tags/netdata/' style='font-size:1em'>netdata</a>
</li><li>
<a href='/tags/nix/' style='font-size:1em'>nix</a>
</li><li>
<a href='/tags/openwrt/' style='font-size:1em'>openwrt</a>
</li><li>
<a href='/tags/pfsense/' style='font-size:1em'>pfsense</a>
</li><li>
<a href='/tags/pihole/' style='font-size:1em'>pihole</a>
</li><li>
<a href='/tags/plex/' style='font-size:1em'>plex</a>
</li><li>
<a href='/tags/podman/' style='font-size:1em'>podman</a>
</li><li>
<a href='/tags/privacy/' style='font-size:1em'>privacy</a>
</li><li>
<a href='/tags/proxmox/' style='font-size:2em'>proxmox</a>
</li><li>
<a href='/tags/python/' style='font-size:2em'>python</a>
</li><li>
<a href='/tags/ransomware/' style='font-size:1em'>ransomware</a>
</li><li>
<a href='/tags/router/' style='font-size:1em'>router</a>
</li><li>
<a href='/tags/router-on-a-stick/' style='font-size:1em'>router-on-a-stick</a>
</li><li>
<a href='/tags/security/' style='font-size:1em'>security</a>
</li><li>
<a href='/tags/synology/' style='font-size:1em'>synology</a>
</li><li>
<a href='/tags/tailscale/' style='font-size:2em'>tailscale</a>
</li><li>
<a href='/tags/virtualization/' style='font-size:1em'>virtualization</a>
</li><li>
<a href='/tags/vlan/' style='font-size:1em'>vlan</a>
</li><li>
<a href='/tags/vpn/' style='font-size:1em'>vpn</a>
</li><li>
<a href='/tags/yewtu.be/' style='font-size:1em'>yewtu.be</a>
</li><li>
<a href='/tags/youtube/' style='font-size:1em'>youtube</a>
</li></ul>
</div>
</section>
<section class='widget widget-social_menu sep-after'><nav aria-label='Social Menu'>
<ul><li>
<a href='https://github.com/davegallant' target='_blank' rel='noopener me'>
<span class='screen-reader-text'>Open Github account in new tab</span><svg
class="icon"
xmlns="http://www.w3.org/2000/svg"
viewbox="0 0 24 24"
stroke-linecap="round"
stroke-linejoin="round"
stroke-width="2"
aria-hidden="true"
><path d="M9 19c-5 1.5-5-2.5-7-3m14 6v-3.87a3.37 3.37 0 0 0-.94-2.61c3.14-.35 6.44-1.54 6.44-7A5.44 5.44 0 0 0 20 4.77 5.07 5.07 0 0 0 19.91 1S18.73.65 16 2.48a13.38 13.38 0 0 0-7 0C6.27.65 5.09 1 5.09 1A5.07 5.07 0 0 0 5 4.77a5.44 5.44 0 0 0-1.5 3.78c0 5.42 3.3 6.61 6.44 7A3.37 3.37 0 0 0 9 18.13V22" />
</svg>
</a>
</li><li>
<a href='https://twitter.com/davega11ant' target='_blank' rel='noopener me'>
<span class='screen-reader-text'>Open Twitter account in new tab</span><svg
class="icon"
xmlns="http://www.w3.org/2000/svg"
viewbox="0 0 24 24"
stroke-linecap="round"
stroke-linejoin="round"
stroke-width="2"
aria-hidden="true"
><path d="M23 3a10.9 10.9 0 0 1-3.14 1.53 4.48 4.48 0 0 0-7.86 3v1A10.66 10.66 0 0 1 3 4s-4 9 5 13a11.64 11.64 0 0 1-7 2c9 5 20 0 20-11.5a4.5 4.5 0 0 0-.08-.83A7.72 7.72 0 0 0 23 3z" />
</svg>
</a>
</li><li>
<a href='https://fosstodon.org/@davegallant' target='_blank' rel='noopener me'>
<span class='screen-reader-text'>Open Mastodon account in new tab</span><svg
class="icon"
xmlns="http://www.w3.org/2000/svg"
viewbox="0 0 24 24"
stroke-linecap="round"
stroke-linejoin="round"
stroke-width="2"
aria-hidden="true"
><path fill="#ccc" d="M23.268 5.313c-.35-2.578-2.617-4.61-5.304-5.004C17.51.242 15.792 0 11.813 0h-.03c-3.98 0-4.835.242-5.288.309C3.882.692 1.496 2.518.917 5.127C.64 6.412.61 7.837.661 9.143c.074 1.874.088 3.745.26 5.611c.118 1.24.325 2.47.62 3.68c.55 2.237 2.777 4.098 4.96 4.857c2.336.792 4.849.923 7.256.38c.265-.061.527-.132.786-.213c.585-.184 1.27-.39 1.774-.753a.057.057 0 0 0 .023-.043v-1.809a.052.052 0 0 0-.02-.041a.053.053 0 0 0-.046-.01a20.282 20.282 0 0 1-4.709.545c-2.73 0-3.463-1.284-3.674-1.818a5.593 5.593 0 0 1-.319-1.433a.053.053 0 0 1 .066-.054c1.517.363 3.072.546 4.632.546c.376 0 .75 0 1.125-.01c1.57-.044 3.224-.124 4.768-.422c.038-.008.077-.015.11-.024c2.435-.464 4.753-1.92 4.989-5.604c.008-.145.03-1.52.03-1.67c.002-.512.167-3.63-.024-5.545zm-3.748 9.195h-2.561V8.29c0-1.309-.55-1.976-1.67-1.976c-1.23 0-1.846.79-1.846 2.35v3.403h-2.546V8.663c0-1.56-.617-2.35-1.848-2.35c-1.112 0-1.668.668-1.67 1.977v6.218H4.822V8.102c0-1.31.337-2.35 1.011-3.12c.696-.77 1.608-1.164 2.74-1.164c1.311 0 2.302.5 2.962 1.498l.638 1.06l.638-1.06c.66-.999 1.65-1.498 2.96-1.498c1.13 0 2.043.395 2.74 1.164c.675.77 1.012 1.81 1.012 3.12z"/>
</svg>
</a>
</li><li>
<a href='mailto:dave.gallant@gmail.com' target='_blank' rel='noopener me'>
<span class='screen-reader-text'>Contact via Email</span><svg
class="icon"
xmlns="http://www.w3.org/2000/svg"
viewbox="0 0 24 24"
stroke-linecap="round"
stroke-linejoin="round"
stroke-width="2"
aria-hidden="true"
><path d="M4 4h16c1.1 0 2 .9 2 2v12c0 1.1-.9 2-2 2H4c-1.1 0-2-.9-2-2V6c0-1.1.9-2 2-2z" />
<polyline points="22,6 12,13 2,6" />
</svg>
</a>
</li><li>
<a href='https://linkedin.com/in/dave-gallant' target='_blank' rel='noopener me'>
<span class='screen-reader-text'>Open Linkedin account in new tab</span><svg
class="icon"
xmlns="http://www.w3.org/2000/svg"
viewbox="0 0 24 24"
stroke-linecap="round"
stroke-linejoin="round"
stroke-width="2"
aria-hidden="true"
><path d="M16 8a6 6 0 0 1 6 6v7h-4v-7a2 2 0 0 0-2-2 2 2 0 0 0-2 2v7h-4v-7a6 6 0 0 1 6-6z" />
<rect x="2" y="9" width="4" height="12" />
<circle cx="4" cy="4" r="2" />
</svg>
</a>
</li></ul>
</nav>
</section></div>
<div class='sidebar-overlay'></div>
</div><div class='main'><nav id='main-menu' class='menu main-menu' aria-label='Main Menu'>
<div class='container'>
<a class='screen-reader-text' href='#content'>Skip to Content</a>
<button id='sidebar-toggler' class='sidebar-toggler' aria-controls='sidebar'>
<span class='screen-reader-text'>Toggle Sidebar</span>
<span class='open'><svg
class="icon"
xmlns="http://www.w3.org/2000/svg"
viewbox="0 0 24 24"
stroke-linecap="round"
stroke-linejoin="round"
stroke-width="2"
aria-hidden="true"
><line x1="3" y1="12" x2="21" y2="12" />
<line x1="3" y1="6" x2="21" y2="6" />
<line x1="3" y1="18" x2="21" y2="18" />
</svg>
</span>
<span class='close'><svg
class="icon"
xmlns="http://www.w3.org/2000/svg"
viewbox="0 0 24 24"
stroke-linecap="round"
stroke-linejoin="round"
stroke-width="2"
aria-hidden="true"
><line x1="18" y1="6" x2="6" y2="18" />
<line x1="6" y1="6" x2="18" y2="18" />
</svg>
</span>
</button>
<ul><li class='item'>
<a href='/'>Home</a>
</li><li class='item'>
<a href='/about/'>About</a>
</li><li class='item'>
<a href='/index.xml'>RSS</a>
</li></ul>
</div>
</nav><div class='header-widgets'>
<div class='container'></div>
</div>
<header id='header' class='header site-header'>
<div class='container sep-after'>
</div>
</header>
<main id='content'>
<article lang='en' class='entry'>
<header class='header entry-header'>
<div class='container sep-after'>
<div class='header-info'>
<h1 class='title'>Running K3s in LXC on Proxmox</h1>
</div>
<div class='entry-meta'>
<span class='posted-on'><svg
class="icon"
xmlns="http://www.w3.org/2000/svg"
viewbox="0 0 24 24"
stroke-linecap="round"
stroke-linejoin="round"
stroke-width="2"
aria-hidden="true"
><rect x="3" y="4" width="18" height="18" rx="2" ry="2" />
<line x1="16" y1="2" x2="16" y2="6" />
<line x1="8" y1="2" x2="8" y2="6" />
<line x1="3" y1="10" x2="21" y2="10" />
</svg>
<span class='screen-reader-text'>Posted on </span>
<time class='entry-date' datetime='2021-11-14T10:07:03-05:00'>2021, Nov 14</time>
</span>
<span class='reading-time'><svg
class="icon"
xmlns="http://www.w3.org/2000/svg"
viewbox="0 0 24 24"
stroke-linecap="round"
stroke-linejoin="round"
stroke-width="2"
aria-hidden="true"
><circle cx="12" cy="12" r="10" />
<polyline points="12 6 12 12 15 15" />
</svg>
4 mins read
</span>
</div>
</div>
</header>
<div class='container entry-content'><p>It has been a while since I&rsquo;ve actively used Kubernetes and wanted to explore the evolution of tools such as <a href="https://helm.sh">Helm</a> and <a href="https://tekton.dev">Tekton</a>. I decided to deploy <a href="https://k3s.io">K3s</a>, since I&rsquo;ve had success with deploying it on resource-contrained Raspberry Pis in the past. I thought that this time it&rsquo;d be convenient to have K3s running in a LXC container on Proxmox. This would allow for easy snapshotting of the entire Kubernetes deployment. LXC containers also provide an efficient way to use a machine&rsquo;s resources.</p>
<h2 id="what-is-k3s">What is K3s?<a href="#what-is-k3s" class="hanchor" ariaLabel="Anchor">#</a></h2>
<p>K3s is a Kubernetes distro that advertises itself as a lightweight binary with a much smaller memory-footprint than traditional k8s. K3s is not a fork of k8s as it seeks to remain as close to upstream as it possibly can.</p>
<h2 id="configure-proxmox">Configure Proxmox<a href="#configure-proxmox" class="hanchor" ariaLabel="Anchor">#</a></h2>
<p>This <a href="https://gist.github.com/triangletodd/02f595cd4c0dc9aac5f7763ca2264185">gist</a> contains snippets and discussion on how to deploy K3s in LXC on Proxmox. It mentions that <code>bridge-nf-call-iptables</code> should be loaded, but I did not understand the benefit of doing this.</p>
<h2 id="disable-swap">Disable swap<a href="#disable-swap" class="hanchor" ariaLabel="Anchor">#</a></h2>
<p>There is an issue on Kubernetes regarding swap <a href="https://github.com/kubernetes/kubernetes/issues/53533">here</a>. There claims to be support for swap in 1.22, but for now let&rsquo;s disable it:</p>
<pre tabindex="0"><code>sysctl vm.swappiness=0
swapoff -a
</code></pre><p>It might be worth experimenting with swap enabled in the future to see how that might affect performance.</p>
<h3 id="enable-ip-forwarding">Enable IP Forwarding<a href="#enable-ip-forwarding" class="hanchor" ariaLabel="Anchor">#</a></h3>
<p>To avoid IP Forwarding issues with Traefik, run the following on the host:</p>
<div class="highlight"><pre tabindex="0" style="background-color:#f0f3f3;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>sudo sysctl net.ipv4.ip_forward<span style="color:#555">=</span><span style="color:#f60">1</span>
</span></span><span style="display:flex;"><span>sudo sysctl net.ipv6.conf.all.forwarding<span style="color:#555">=</span><span style="color:#f60">1</span>
</span></span><span style="display:flex;"><span>sudo sed -i <span style="color:#c30">&#39;s/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/g&#39;</span> /etc/sysctl.conf
</span></span><span style="display:flex;"><span>sudo sed -i <span style="color:#c30">&#39;s/#net.ipv6.conf.all.forwarding=1/net.ipv6.conf.all.forwarding=1/g&#39;</span> /etc/sysctl.conf
</span></span></code></pre></div><h2 id="create-lxc-container">Create LXC container<a href="#create-lxc-container" class="hanchor" ariaLabel="Anchor">#</a></h2>
<p>Create an LXC container in the Proxmox interface as you normally would. Remember to:</p>
<ul>
<li>Uncheck <code>unprivileged container</code></li>
<li>Use a LXC template (I chose a debian 11 template downloaded with <a href="https://pve.proxmox.com/wiki/Linux_Container#Create_container">pveam</a>)</li>
<li>In memory, set swap to 0</li>
<li>Create and start the container</li>
</ul>
<h3 id="modify-container-config">Modify container config<a href="#modify-container-config" class="hanchor" ariaLabel="Anchor">#</a></h3>
<p>Now back on the host run <code>pct list</code> to determine what VMID it was given.</p>
<p>Open <code>/etc/pve/lxc/$VMID.conf</code> and append:</p>
<div class="highlight"><pre tabindex="0" style="background-color:#f0f3f3;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>lxc.apparmor.profile: unconfined
</span></span><span style="display:flex;"><span>lxc.cap.drop:
</span></span><span style="display:flex;"><span>lxc.mount.auto: <span style="color:#c30">&#34;proc:rw sys:rw&#34;</span>
</span></span><span style="display:flex;"><span>lxc.cgroup2.devices.allow: c 10:200 rwm
</span></span></code></pre></div><p>All of the above configurations are described in the <a href="https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html">manpages</a>.
Notice that <code>cgroup2</code> is used since Proxmox VE 7.0 has switched to a <a href="https://pve.proxmox.com/pve-docs/chapter-pct.html#pct_cgroup">pure cgroupv2 environment</a>.</p>
<p>Thankfully cgroup v2 support has been supported in k3s with these contributions:</p>
<ul>
<li><a href="https://github.com/k3s-io/k3s/pull/2584">https://github.com/k3s-io/k3s/pull/2584</a></li>
<li><a href="https://github.com/k3s-io/k3s/pull/2844">https://github.com/k3s-io/k3s/pull/2844</a></li>
</ul>
<h2 id="enable-shared-host-mounts">Enable shared host mounts<a href="#enable-shared-host-mounts" class="hanchor" ariaLabel="Anchor">#</a></h2>
<p>From within the container, run:</p>
<div class="highlight"><pre tabindex="0" style="background-color:#f0f3f3;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span><span style="color:#366">echo</span> <span style="color:#c30">&#39;#!/bin/sh -e
</span></span></span><span style="display:flex;"><span><span style="color:#c30">ln -s /dev/console /dev/kmsg
</span></span></span><span style="display:flex;"><span><span style="color:#c30">mount --make-rshared /&#39;</span> &gt; /etc/rc.local
</span></span><span style="display:flex;"><span>chmod +x /etc/rc.local
</span></span><span style="display:flex;"><span>reboot
</span></span></code></pre></div><h2 id="install-k3s">Install K3s<a href="#install-k3s" class="hanchor" ariaLabel="Anchor">#</a></h2>
<p>One of the simplest ways to install K3s on a remote host is to use <a href="https://github.com/alexellis/k3sup">k3sup</a>.
Ensure that you supply a valid <code>CONTAINER_IP</code> and choose the <code>k3s-version</code> you prefer.
As of 2021/11, it is still defaulting to the 1.19 channel, so I overrode it to 1.22 for cgroup v2 support. See the published releases <a href="https://github.com/k3s-io/k3s/releases">here</a>.</p>
<div class="highlight"><pre tabindex="0" style="background-color:#f0f3f3;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>ssh-copy-id root@<span style="color:#033">$CONTAINER_IP</span>
</span></span><span style="display:flex;"><span>k3sup install --ip <span style="color:#033">$CONTAINER_IP</span> --user root --k3s-version v1.22.3+k3s1
</span></span></code></pre></div><p>If all goes well, you should see a path to the <code>kubeconfig</code> generated. I moved this into <code>~/.kube/config</code> so that kubectl would read this by default.</p>
<h2 id="wrapping-up">Wrapping up<a href="#wrapping-up" class="hanchor" ariaLabel="Anchor">#</a></h2>
<p>Installing K3s in LXC on Proxmox works with a few tweaks to the default configuration. I later followed the Tekton&rsquo;s <a href="https://tekton.dev/docs/getting-started/">Getting Started</a> guide and was able to deploy it in a few commands.</p>
<div class="highlight"><pre tabindex="0" style="background-color:#f0f3f3;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-console" data-lang="console"><span style="display:flex;"><span><span style="color:#009;font-weight:bold">$</span> kubectl get all --namespace tekton-pipelines
</span></span><span style="display:flex;"><span><span style="color:#aaa">NAME READY STATUS RESTARTS AGE
</span></span></span><span style="display:flex;"><span><span style="color:#aaa">pod/tekton-pipelines-webhook-8566ff9b6b-6rnh8 1/1 Running 1 (50m ago) 12h
</span></span></span><span style="display:flex;"><span><span style="color:#aaa">pod/tekton-dashboard-6bf858f977-qt4hr 1/1 Running 1 (50m ago) 11h
</span></span></span><span style="display:flex;"><span><span style="color:#aaa">pod/tekton-pipelines-controller-69fd7498d8-f57m4 1/1 Running 1 (50m ago) 12h
</span></span></span><span style="display:flex;"><span><span style="color:#aaa"></span><span style="color:#a00;background-color:#faa">
</span></span></span><span style="display:flex;"><span><span style="color:#a00;background-color:#faa"></span><span style="color:#aaa">NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
</span></span></span><span style="display:flex;"><span><span style="color:#aaa">service/tekton-pipelines-controller ClusterIP 10.43.44.245 &lt;none&gt; 9090/TCP,8080/TCP 12h
</span></span></span><span style="display:flex;"><span><span style="color:#aaa">service/tekton-pipelines-webhook ClusterIP 10.43.183.242 &lt;none&gt; 9090/TCP,8008/TCP,443/TCP,8080/TCP 12h
</span></span></span><span style="display:flex;"><span><span style="color:#aaa">service/tekton-dashboard ClusterIP 10.43.87.97 &lt;none&gt; 9097/TCP 11h
</span></span></span><span style="display:flex;"><span><span style="color:#aaa"></span><span style="color:#a00;background-color:#faa">
</span></span></span><span style="display:flex;"><span><span style="color:#a00;background-color:#faa"></span><span style="color:#aaa">NAME READY UP-TO-DATE AVAILABLE AGE
</span></span></span><span style="display:flex;"><span><span style="color:#aaa">deployment.apps/tekton-pipelines-webhook 1/1 1 1 12h
</span></span></span><span style="display:flex;"><span><span style="color:#aaa">deployment.apps/tekton-dashboard 1/1 1 1 11h
</span></span></span><span style="display:flex;"><span><span style="color:#aaa">deployment.apps/tekton-pipelines-controller 1/1 1 1 12h
</span></span></span><span style="display:flex;"><span><span style="color:#aaa"></span><span style="color:#a00;background-color:#faa">
</span></span></span><span style="display:flex;"><span><span style="color:#a00;background-color:#faa"></span><span style="color:#aaa">NAME DESIRED CURRENT READY AGE
</span></span></span><span style="display:flex;"><span><span style="color:#aaa">replicaset.apps/tekton-pipelines-webhook-8566ff9b6b 1 1 1 12h
</span></span></span><span style="display:flex;"><span><span style="color:#aaa">replicaset.apps/tekton-dashboard-6bf858f977 1 1 1 11h
</span></span></span><span style="display:flex;"><span><span style="color:#aaa">replicaset.apps/tekton-pipelines-controller-69fd7498d8 1 1 1 12h
</span></span></span><span style="display:flex;"><span><span style="color:#aaa"></span><span style="color:#a00;background-color:#faa">
</span></span></span><span style="display:flex;"><span><span style="color:#a00;background-color:#faa"></span><span style="color:#aaa">NAME REFERENCE TARGETS MINPODS MAXPODS REPLICAS AGE
</span></span></span><span style="display:flex;"><span><span style="color:#aaa">horizontalpodautoscaler.autoscaling/tekton-pipelines-webhook Deployment/tekton-pipelines-webhook 9%/100% 1 5 1 12h
</span></span></span></code></pre></div><p>I made sure to install Tailscale in the container so that I can easily access K3s from anywhere.</p>
<p>If I&rsquo;m feeling adventurous, I might experiment with <a href="https://rancher.com/docs/k3s/latest/en/advanced/#running-k3s-with-rootless-mode-experimental">K3s rootless</a>.</p></div>
<footer class='entry-footer'>
<div class='container sep-before'><div class='tags'><svg
class="icon"
xmlns="http://www.w3.org/2000/svg"
viewbox="0 0 24 24"
stroke-linecap="round"
stroke-linejoin="round"
stroke-width="2"
aria-hidden="true"
><path d="M20.59,13.41l-7.17,7.17a2,2,0,0,1-2.83,0L2,12V2H12l8.59,8.59A2,2,0,0,1,20.59,13.41Z" />
<line x1="7" y1="7" x2="7" y2="7" />
</svg>
<span class='screen-reader-text'>Tags: </span><a class='tag' href='/tags/k3s/'>k3s</a>, <a class='tag' href='/tags/proxmox/'>proxmox</a>, <a class='tag' href='/tags/lxc/'>lxc</a></div>
</div>
</footer>
</article>
<nav class='entry-nav'>
<div class='container'><div class='prev-entry sep-before'>
<a href='/blog/2021/10/11/replacing-docker-with-podman-on-macos-and-linux/'>
<span aria-hidden='true'><svg
class="icon"
xmlns="http://www.w3.org/2000/svg"
viewbox="0 0 24 24"
stroke-linecap="round"
stroke-linejoin="round"
stroke-width="2"
aria-hidden="true"
><line x1="20" y1="12" x2="4" y2="12" />
<polyline points="10 18 4 12 10 6" />
</svg>
Previous</span>
<span class='screen-reader-text'>Previous post: </span>Replacing docker with podman on macOS (and Linux)</a>
</div><div class='next-entry sep-before'>
<a href='/blog/2022/03/13/backing-up-gmail-with-synology/'>
<span class='screen-reader-text'>Next post: </span>Backing Up Gmail With Synology<span aria-hidden='true'>Next <svg
class="icon"
xmlns="http://www.w3.org/2000/svg"
viewbox="0 0 24 24"
stroke-linecap="round"
stroke-linejoin="round"
stroke-width="2"
aria-hidden="true"
><line x1="4" y1="12" x2="20" y2="12" />
<polyline points="14 6 20 12 14 18" />
</svg>
</span>
</a>
</div></div>
</nav>
<section id='comments' class='comments'>
<div class='container sep-before'>
<div class='comments-area'><script src='https://utteranc.es/client.js'
repo='davegallant/davegallant.github.io'
issue-term='pathname'
theme='github-light'
crossorigin='anonymous' async>
</script>
</div>
</div>
</section>
</main>
<footer id='footer' class='footer'>
<div class='container sep-before'><div class='copyright'>
<p> &copy; 2020-2022 Dave Gallant </p>
</div>
</div>
</footer>
</div>
</div><script>window.__assets_js_src="/assets/js/"</script>
<script src='/assets/js/main.c3bcf2df.js'></script>
</body>
<script>
feather.replace()
</script></div>
</body>
</html>