A common theme in my posts is to treat my homelab as if it has the same security requirements as a production environment, since, in theory, it is a production environment, and I wouldn’t want anything to happen to it. For protected access, I normally use something like Tailscale, since I don’t need to expose anything to the internet, but sometimes when I am accessing it via a remote network, that network may be locked down and prevent Tailscale/WireGuard connections, so I need a break-glass solution. ...
SSH into your Gitea Actions for debugging
While Gitea Actions allows for local debugging of workflows, sometimes you need to debug directly on the runner. This is especially challenging since the workflows only exist for the duration of the run. Even if you have access to the server and can docker exec into the container, it may terminate while you are debugging. Since Gitea Actions are compatible with GitHub Actions, you can use action-tmate to SSH directly into the runner environment, and debug your workflow in real-time. ...
Manage an entire fleet of macOS VMs with HashiCorp Nomad
As an experiment to familiarize myself with Nomad driver plugins, I created a driver plugin for Tart that allows you to manage macOS VMs using Nomad. It allows you to manage macOS VMs with Nomad in a similar way to how you would manage Docker containers. Disclaimer: This is a WIP and not yet ready for production use. It is a proof of concept and should be treated as such. Please do not use this in production environments. If you need production ready solutions, consider using Orchard which is built by the same developers behind Tart. ...
Trouble with Azure Functions, and Managed Identities
As a part of a project to automate TLS certificates for Azure Application Gateways, I ran into an unexpected issue with Azure Functions and managed identities. Specifically, the tool I was using was attempting to fetch a managed identity token, but wasn’t able to. I had to review the code of the tool, and many pages of documentation, to discover that Azure Functions provide environment variables that contain the correct endpoint information, which differs ever so slightly from the standard endpoint. ...
SSH Multi-Factor Authentication with SoloKey V2
In a bout of attempting to improve my operational security, I decided to review my current practices and see which areas I could improve. While I already use SSH keys for auth, having a file that is essentially a password to all my servers is a bit of a security risk if it is ever compromised. I already use my SoloKey for 2FA on various websites, so why not for SSH too? This way, even if someone gets my private key file, they can’t access my servers without physically having my SoloKey. Still a risk (see the XKCD comic about a $5 wrench), but less so. ...
Gitea Actions: Forget about YAML, let's use Nix
I maintain many repositories using Gitea Actions, and I’ve run into a lot of pipeline failures due to the smallest of issues. Most commonly it is whitespace differences in YAML files that cause unexpected parsing or complete failures. Recently, I was helping someone debug a workflow where a copy and paste from a different workflow brought in spaces for some lines instead of tabs, causing the pipeline to fail. ...
Streamlining My GCP SSH Workflow: Using SSH Configuration Tricks
In my use of Google Cloud Platform (GCP), I often recreate virtual machines (VMs), requiring frequent updates to connection information. This process becomes cumbersome, especially when dealing with stale entries in the known_hosts file and managing DNS entries for a growing number of servers. Additionally, using the Identity-Aware Proxy (IAP), which requires the gcloud CLI for secure access to these servers, adds another layer of complexity. What I ended up doing was to leverage my previous experience with SSH configuration files to streamline my workflow. ...
Use Drone plugins in Gitea Actions
Drone.IO is a CI/CD platform that uses Docker containers for each pipeline step. This makes it easy to use existing Docker containers as steps in your pipeline. You can go further and create special containers that are designed to be used as steps in your pipeline and that accept arguments from the pipeline to run pre-defined tasks. These plugins can be re-used in Gitea Actions so that you can run the same tasks there as you would in Drone. ...
Experimenting with Proxmox on Apple Silicon: Turning Your M1 MacBook Air into a Virtual Datacentre
In an effort to create an easy-to-manage VM environment that I can use on the go, even with spotty internet, I decided to try running Proxmox on my Apple Silicon MacBook Air. I could use Parallels or VMware Fusion, but I instead chose Proxmox to support open-source software. Should the need arise to run production-level workloads, I can always purchase a Proxmox license and deploy it on a dedicated server. The challenging part was that Proxmox doesn’t distribute itself for arm64/aarch64, so I needed to find a way to do that. ...
Bye-bye Docker Hub, time to self-host all of my Docker images
One of the great things about Gitea is that it comes with a built-in Docker registry. This means that you don’t need to be reliant on Docker Hub (or its rate limits) to host your Docker images, or any other OCI-compliant image for that matter. In this post, I’ll go over how I migrated some of my Docker images from Docker Hub to my own self-hosted registry in Gitea. I won’t go over the setup of the package registry in Gitea itself, as it’s enabled by default, and I’d rather focus on the migration of the images themselves. The approach I took also didn’t use any registry-specific tools, and so it can be generalized to most other registries. ...