Daenney's blog

Recent content on Daenney's blog
https://daenney.github.io/ (RSS)
A look at ActivityPub's foundation
14 Nov 2022 | original ↗

In this series of posts we’re going to explore ActivityPub, the protocol that powers microblogging across the Fediverse. This post is going to focus on the technologies ActivityPub is built upon. It doesn’t dive into how ActivityPub itself is used to provide interoperable microblogging. That will be the topic of a future entry. ⚠️ Caveat lector:...

Replacing Avahi: Exploring DNS-SD (part 2)
14 Nov 2021 | original ↗

I’m renaming the series to “Replacing Avahi” because after a bit of reflection “getting rid of” sounds a lot harsher than I ever intended. In part 1 we took a quick look at what DNS-SD is and why we use Avahi for it on Linux. We then came up with a plan on how to replace it by re-implementing its D-Bus API ourselves by in turn leveraging...

Getting rid of Avahi (part 1)
7 Nov 2021 | original ↗

Avahi is a daemon you can run on your system for the purpose of discovering or announcing services using DNS-SD. DNS-SD defines how to perform service discovery using DNS SRV and TXT records. Though it can use unicast DNS, its most typical usage is using multicast DNS over zeroconf, i.e. link-local IPv4/6. If you’ve heard of Apple Bonjour, this is...

systemd and depending on encrypted filesystems
11 Jan 2021 | original ↗

When running servers I want to encrypt the data stored on them. The problem you then pretty quickly run into is that it’s hard to actually boot with an encrypted root. I’ve solved this problem in the past by having a tinysshd in my initramfs which prompts me for a password to unlock the volumes. Though this works, it’s annoying in that the server...

Working remotely
22 Mar 2020 | original ↗

A lot has been written about working remotely. In light of the current COVID-19 pandemic, I decided to write down my own thoughts on this topic and the processes and tools I’ve developed to help me be effective at working remotely. I moved to being full-time remote in February of 2019. Before that every job I’ve had was office bound. Though I...

BeyondCorp @ Home: OpenID Connect Provider with Dex
6 Oct 2019 | original ↗

In a previous post I showed you how to set up Keycloak to provide you with OpenID Connect and SAML capabilities. The problem with Keycloak is that it’s a pretty big beast, whereas most of the time we don’t need all the functionality. It’s also tricky to run in a highly available fashion and is annoyingly slow to start up. In this post we’ll...

BeyondCorp @ Home: Authentication and authorization proxy with OpenResty
5 Oct 2019 | original ↗

In a previous post I showed you how to set up Gatekeeper as a proxy to enforce authorization on requests. The problem with Gatekeeper is that it required a lot of additional configuration, an additional proxy hop and is a separate component. What this post will do instead is use the OpenResty build of nginx with the OIDC plugin to avoid all of...

Arch Linux and the HP Envy x360
8 Jun 2019 | original ↗

Update 2019-06-09: Performing BIOS updates. I recently decided to get myself a new laptop. Though work provides me with one, I make a point out of never using it for personal use. It can get a bit complicated around intellectual property laws. I’m also perfectly fine with my employer enforcing certain policies on their device that I just don’t...

Emulating a Philips Hue bridge
9 Apr 2019 | original ↗

As part of my home automation I wanted to emulate a Philips Hue bridge. The reason for that is that a lot of things provide out-of-the-box integration with Philips Hue. Aside from that, there’s a ton of apps and other cool things in the Hue ecosystem I wanted to unlock. However, we use the IKEA Trådfri system at home, even though we do have a...

Home Automation
7 Apr 2019 | original ↗

I’m addicted to home automation. There. Said it. But it’s just such a tremendous amount of fun to play with. I’m pretty sure it’s the SRE in me. Why do anything by hand when you can have computers do things for you? Why turn on the lights when you get home when it can happen automatically? Turn on the lights when you enter the bathroom? Barbaric!...

BeyondCorp @ Home: Authorization
30 Oct 2018 | original ↗

NOTE: A much simpler solution is described in BeyondCorp @ Home: Authentication and authorization proxy with OpenResty. In a previous post I showed you how to set up a “Lite” version of a BeyondCorp style access layer for a home or startup environment. The reason I called it lite is because though it does do full authentication, it didn’t have...

Directory Services 101: Writing and testing ACLs
27 Oct 2018 | original ↗

This post is part of a series on directory services. Current available installments are: Introduction Terminology Basic concepts Designing the DIT Setting up an LDAP server Securing your LDAP server Writing and testing ACLs ACLs, access control lists, are an important aspect of running a directory service. ACLs are how you control who can access...

Directory Services 101: Setting up an LDAP server
27 Oct 2018 | original ↗

This post is part of a series on directory services. Current available installments are: Introduction Terminology Basic concepts Designing the DIT Setting up an LDAP server Securing your LDAP server Writing and testing ACLs I consider setting up a Directory Service a pretty big pain in the ass, especially OpenLDAP. Microsoft fares much better...

BeyondCorp @ Home
27 Oct 2018 | original ↗

Update 2019-10-06: If you don’t need SAML, consider swapping out Keycloak for Dex instead. You can read all about that in this follow-up post. BeyondCorp is a different approach to securing access to networked applications and services. Unlike the traditional perimeter security model, BeyondCorp dispels the notion of network segmentation as the...

Directory Services 101: Securing your LDAP server
27 Oct 2018 | original ↗

This post is part of a series on directory services. Current available installments are: Introduction Terminology Basic concepts Designing the DIT Setting up an LDAP server Securing your LDAP server Writing and testing ACLs Now that we have a directory service up and running it’s important we talk a bit about some security aspects. The...

Directory Services 101: Designing the DIT
26 Oct 2018 | original ↗

This post is part of a series on directory services. Current available installments are: Introduction Terminology Basic concepts Designing the DIT Setting up an LDAP server Securing your LDAP server Writing and testing ACLs I apologise for the long delay between posts. Life took over for a while and I never got around to writing the rest of it....

Setting up Prometheus Alertmanager
21 Apr 2018 | original ↗

I have a pretty standard Prometheus, bunch of exporters and Grafana setup at home. This is mostly used to monitor different aspects of my house, like the exporter I have for power usage. However, while trying to figure out the cause of a node exporter crash I found myself in need of an alerting system, so that it could tell me when the node...

Arch Linux and firmware/BIOS updates
7 Apr 2018 | original ↗

One area Linux has made quite a lot of progress in is the ability for people to get firmware and BIOS updates for their devices. This used to be a massive PITA but thanks largely to the Linux Vendor Firmware Service and its associated tooling (fwupd, fwupdmgr) this has become a lot simpler. Quite a few vendors support this nowadays and deliver...

Thunderbolt security modes and Linux
16 Nov 2017 | original ↗

With my XPS 13 up and running I ran into some issues with the Dell WD15 (USB 3) dock. It mainly caused my display manager to crash whenever I would plug it in (with my external screen attached), except after a fresh boot. This is of course wildly unhelpful but a colleague told me many folks had issues with the USB 3 version of the dock and...

Arch Linux and the XPS 13 9360
11 Nov 2017 | original ↗

After about 3 years it was time to refresh my hardware. Though I’ve long used MacBook Pros as my daily drivers the new MBP with touchbar wasn’t getting me excited and the new keyboard feels downright awful to me. So, I decided this was going to be the year of the Linux Desktop and I’ve switched to a Dell XPS 13 (9360, Kaby Lake) Developer...

Go's zero values and (de)serialising
27 Aug 2017 | original ↗

As you might’ve noticed from other blog post entries I’m suddenly all into directory services. This happens b/c that’s what I’m currently working on. As such I find myself needing to manipulate data in a DIT quite a bit and writing ldif’s by hand is not my idea of fun. Instead I set out to create a small library that would essentially allow me to...

Directory Services 101: The basics
26 Aug 2017 | original ↗

This post is part of a series on directory services. Current available installments are: Introduction Terminology Basic concepts Designing the DIT Setting up an LDAP server Securing your LDAP server Writing and testing ACLs Directory Services are fundamentally pretty simple. All information they contain is stored in a hierarchical tree structure,...

Directory Services 101: Terminology
2 Jul 2017 | original ↗

This post is part of a series on directory services. Current available installments are: Introduction Terminology Basic concepts Designing the DIT Setting up an LDAP server Securing your LDAP server Writing and testing ACLs Directory services come with a lot of terminology and part of that lingo is what makes things difficult to understand to...

Directory Services 101: Introduction
2 Jul 2017 | original ↗

In this series of posts I want to talk about directory services. The directory allow you to model things like people, computers, groups and their relationships in a central database. This service can then be used for authenticating users, managing group memberships and a whole lot more. In many small environments people avoid the perceived...

Monitoring my WiFi access point with Prometheus
22 Apr 2017 | original ↗

My home WiFi router is an ASUS RT-AC66U. It’s a great device with a tolerable manufacturer provided UI and quite a lot of advanced features. Though it’s marketed as a WiFi router I use it as a WiFi access point and switch; it doesn’t route. I have a Linux box that does that. Since a lot of my devices are wireless a lot of my traffic flows through...

GeoIP based filtering with iptables
7 Jan 2017 | original ↗

One of the issues I run into when running a server, at home or anywhere else, is the crazy amount of random attempts at SSH logins. My SSH configuration is strict enough that most of these attempts just die on the key exchange, they never even get past the handshake. Then there’s fail2ban ensuring you get temporarily blocked if you’re obviously...

Releasing sixrd
21 Nov 2016 | original ↗

My ISP (Telia) doesn’t do native IPv6 yet (like most ISPs unfortunately). However, they do support something called IPv6 Rapid Deployment, also known as 6rd. What it does is fairly simple: it encodes, in the information you get from your ISP during a DHCPv4 chat, the information needed to set up a 6to4 tunnel with an endpoint provided by your ISP....

My home monitoring setup
23 Oct 2016 | original ↗

Over the past few months I’ve started to reassemble a home server. I managed to get a great server board with 2 Xeon E5’s and 128GB of ECC RAM (b/c why not?) and spent Saturday breaking in the hard drives, setting everything up to be nice and encrypted and so on. One of the things I like to have at home is a decent monitoring system. I’ve toyed...

Goodbye, Puppet
17 Oct 2016 | original ↗

This has been a hard blog post to write, but to me it feels like it’s been a long time coming. For the better part of the past 5 years my job and open source contributions have revolved a lot around Puppet. I’ve been a member of the community for a long time, contributing to a range of different projects and giving a variety of talks at...

The right tools for the job
7 Aug 2016 | original ↗

Every now and then I find myself in discussions with people around which tools we should use for what job. This comes up especially often in the context of FOSS with regards to communication platforms. Do we use IRC, Slack, Gitter? Also, are mailing lists still a thing? Should we have a Discourse instead? Fairly often the reaction of people will...

whois on OS X
6 Jun 2016 | original ↗

One of the things I find myself doing from time to time is to execute the whois command. This allows me to figure out to whom an IP(range) or domain belongs. However, when doing this on OS X, especially with IPv6 addresses I’m greeted with: $ whois 2a00:1450:400f:805::200e No match for "2a00:1450:400f:805::200e". >>> Last update of whois...

IPv6 at home
5 Jun 2016 | original ↗

I recently moved to a new place (because the rental market is cray cray here). Despite how annoying it is to move around a benefit of the new place is that it has fiber so I wasted no time and got a connection from Telia. I plugged in the ISP shipped router and while browsing through the admin interface I noticed an IPv6 address showed up. All...

I'm going to FOSDEM and I'm bringing
25 Jan 2016 | original ↗

FOSDEM is a wonderful event. But as with any event with geeks people will try to sniff your traffic, mess with GSM, grab your credentials and what not. The best way to stay safe? Don’t bring electronics with you or have them in flight mode (laptop included). No Bluetooth, no WiFi, no GSM/3G/tethering, nothing. If that doesn’t sound all that...

PGP, one last try
9 Jan 2016 | original ↗

Update: I’ve long since given up on PGP. It’s just not worth it. Ignore this post. Over the years I’ve tried to use PGP multiple times. However, I’ve always failed miserably at managing keys and understanding the lifecycle involved. This is evident by searching the keyservers for my name, it’ll turn up a few rather idiotic and dubious keys....

In search of a new name for Puppet Community
16 Nov 2015 | original ↗

update: We’ve settled on the name Vox Pupuli. It’s a play on the Latin “vox populi”, voice of the people, but in our case ends up meaning “voice of the puppets”. As quite a few of you know at PuppetConf 2014 we started a community collaboration effort on the maintenance of modules and tooling in the Puppet ecosystem. In our enthusiasm we baptised...

Puppet and IntelliJ
21 Oct 2015 | original ↗

Part of the fun of Puppetconf is getting to talk to so many people and learning clever new tricks from each other. I knew IntelliJ had some support for writing Puppet code but as Travis showed me it’s been greatly improved. If you’re running IntelliJ you’ll need to install both the Ruby and the Puppet plugins. If you’re on RubyMine only the...

Saying "they"
11 Aug 2015 | original ↗

Based on a remark of a friend about preconceptions we have with regard to gender I started looking more carefully at how I use gender pronouns. Though I’m usually fairly diligent in writing I noticed I failed entirely in speech. This usually happens to me when I meet a new person because at that point I have no context to go on. My autopilot...

Why I care about Pride
6 Aug 2015 | original ↗

If you’re following me through social media it won’t have escaped your attention that my avatar turned rainbow and there was a distinct increase in rainbows throughout my feed as we were ramping up to Pride. Many people outside the LGBTQ community and even quite a few within don’t realise the importance of Pride and just see it as a shameless...

Pupa
23 Jul 2015 | original ↗

Bootstrapping a modern, r10k powered, masterless, Puppet 4 setup on Debian and Ubuntu. pupa is a toy project of mine. Essentially I decided to bring all my personal machines under full Puppet control. Inspired by how our Puppet setup works at my job I decided to go for a masterless setup. The problem really is to get Puppet on your machine. Once...

Eurovision 2015
24 May 2015 | original ↗

Last night Europe went to war. No the Germans didn’t start it, we were just having a huge music contest followed by some political voting to decide who should win. I adore the Eurovision Song Contest. It might not be a manly thing to admit to but it’s one of those things that just gets me ridiculously, over the rainbow to the moon, happy. It’s...

Open source identity and abandonment issues
20 Apr 2015 | original ↗

Today I made one of the hardest decisions I’ve made in a while. I decided to give up maintainership of two projects that I originally started. The projects are pypuppetdb, a library to talk to the PuppetDB API, and Puppetboard, a dashboard for PuppetDB that leverages pypuppetdb. Both projects started two years ago during my time at Nedap. The...

(In)visibility
19 Mar 2015 | original ↗

After my post on LGBTQ in tech a lot of people reached out to me, thanking me for the post, with a lot of kind words and some even with a resounding “yes that’s me too”. It’s been heartwarming to see the support this story gathered and how the Puppet community, which is the one I interact with the most, reacted to it. Interestingly though some...

LGBTQ in Tech
16 Mar 2015 | original ↗

Most people who know me know I’m gay, or that I identify as gay or queer or whichever way you’re more comfortable phrasing or thinking about it. To put it bluntly: I like men, I date men, I sleep with men, I happen to be a man and it’s all good. The thing that struck me about tech when I started getting more involved in online communities is that...

puppetlabs-apt/next
5 Mar 2015 | original ↗

As some of you know I’m the unofficial maintainer of the apt module from Puppetlabs. Together with Morgan from the Puppetlabs Module Team we try and keep that module up to date and in good shape. The apt module has not seen a significant revision since its inception in 2010. Over the past 4 years it has accumulated feature after feature without...

Puppet Module Triage
19 Feb 2015 | original ↗

Today we had our usual Puppet Module triage. It’s a time each week where module contributors and the Puppetlabs Module Team gather online to discuss, comment, merge or reject PRs against the different modules. This is the best time for you as a contributor to join if you have a PR pending and want feedback. For the first time we’ve kept minutes of...

Work standing up and meditation
18 Feb 2015 | original ↗

the Lotus positions but for a long time I wasn’t able to hold that position for extended periods of time. However, since I’ve switched to working standing up for about 3/4 of my day I’ve noticed a marked improvement in my capability to hold this pose. After just two weeks of doing this I can comfortably hold a pose for 15-20m whereas before at...

The start of 2015
17 Feb 2015 | original ↗

So as I said I would blog regularly, and then I didn’t. That’s because I’m a techy and while working and tweaking the blog I obviously broke it and until now haven’t really found the time to fix it. Just wasn’t at the top of my priority list because all solutions to blogging through Github kinda sucked. Now that it is fixed, let’s catch up....

My first week
25 Oct 2014 | original ↗

I expected to write a post much earlier than this but the first week was so busy all I wanted to do in the evenings was get home and relax, screw the computer. Monday was my first day and it was fun. I got thrown in at the deep end helping to form the squad I’m going to be a member of. Since I’d only been at the company 2.5hrs there was a lot to...

Out with the old, in with the new
17 Oct 2014 | original ↗

As some of you know, there’s a big change coming over here. Because of this I decided to throw out the old blog and the content that goes with it, much like I’m throwing out most of my possessions in preparation of what’s to come. The idea is that I’ll blog about the new experiences, perhaps sometimes even on a daily basis so that friends and...
