deadbaed

Self hosted Nix binary cache with Attic

2026-05-19T19:35:20+02:00

In nixpkgs, most of derivations are cached on cache.nixos.org. This is great when consuming derivations on a NixOS system or a home manager configuration, but when you start writing your own derivations which will not end up on nixpkgs, you might spend a lot of time waiting on those derivations to build, especially when automating stuff like CI/CD, servers, etc. The goal is to build everything only once, and reuse what was built on any machine.

Fortunately, you can spin up your own binary cache and every time you build a derivation, push it to the cache. Finally, configure nix to mark your cache as trusted to use those cached derivations.

Install the cache

You will need a NixOS machine. Additionally, attic can work with a S3 bucket and a PostgreSQL database. If you need to use S3 and want to self host it, I recommend Garage.

Credentials

A JWT secret is required for user authentication, you will need to generate one:

nix-shell -p openssl --run "openssl genrsa -traditional 4096 | base64 -w0"

Afterwards, put that secret as the value of the environment variable ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64. You can put it inside a file (so the file will contain ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64=foo where foo is the secret you just generated), but make sure only root can see it. Or you can encrypt it with something like agenix.

Configuration

Nothing special here.

{
  services.atticd = {
    enable = true;
    environmentFile = "/etc/atticd.env"; # Your file might be somewhere else
    settings = {
      listen = "127.0.0.1:8080";
    };
  };
}

Reverse proxy

If you intend to have your cache open to the internet, put it behind a reverse proxy with a TLS certicate. I personally use nginx, it works great and thanks to nix I can configure it without being an expert in the nginx configuration format.

One thing to note if you use a reverse proxy: you need to bump the clientMaxBodySize setting otherwise you will not be able to push derivations (the default is 10m for nginx on NixOS).

let
  fqdn = "attic.domain.example";
in
{
  services.atticd.settings.api-endpoint = "https://${fqdn}/"; # Must end with a trailing slash
  services.nginx = {
    virtualHosts."${fqdn}" = {
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        proxyPass = "http://127.0.0.1:8080";
        proxyWebsockets = true;
      };
    };
    clientMaxBodySize = "1024m";
  };
}

Configure the cache

Create a user token

If you point your web browser to the FQDN your provided earlier, you should see a happy computer prompting you to run attic push. That means the installation worked, you can close your browser. You are ready to create your first cache.

It took me a while to understand the authn/authz model, but there are 2 commands to use:

As the administrator, you run atticd-atticadm on the server running atticd to generate tokens which you give to users. When generating a token, you befine what are the token can do.
As a user, you run attic login with a name for the cache, the FQDN, and the token generated by the administrator.

On the server, let's create the first token which will give all the possible permissions to the user for one hour:

atticd-atticadm make-token \
    --sub root \
    --validity '1 hour' \
    --pull '*' \
    --push '*' \
    --delete '*' \
    --create-cache '*' \
    --configure-cache '*' \
    --configure-cache-retention '*' \
    --destroy-cache '*'

In this case, the '*' mean that the permission is given for all caches. For examaple, to create a token which can pull indefinitely only from cache hello, run:

atticd-atticadm make-token \
    --sub hello-user \
    --validity '99 years' \
    --pull 'hello'

Consume token

Our regular computer, let's connect to the cache:

nix-shell -p attic-client
attic login mycache https://attic.domain.example eyJh...
cat .config/attic/config.toml # The credentials will show up here

We can now create a cache:

attic cache create hello

If you get the message ✨ Created cache "hello" on "mycache" that means you are good, otherwise the error would be Error: Unauthorized: Unauthorized..

To show information about a cache such as the public key, run:

attic cache info hello

To make the cache publicly available (meaning, no token is required to pull data), run:

attic cache configure --public hello

Use the cache

Make sure you create a token which only allows to pull from the cache, to prevent unwanted pushes.

Now that you have the public key and the binary cache endopoint, you can tell nix to use your cache, for example on NixOS you can use this config:

{
  nix.settings = {
    substituters = [
      "https://attic.domain.example/hello"
    ];
    trusted-public-keys = [
      "hello:1aL6vcQ7mKF0oEXlHsV330qXTMfafsN2radupW8OSMM="
    ];
  };
}

Alternatively you can also use attic use hello, which will write into $HOME/.config/nix/nix.conf for you.

Push to the cache

If you have a token which can push, you can simply use attic push hello <path> to push to your hello cache, for example:

attic push hello /nix/store/...
attic push hello ./result
attic push hello $(nix-build)

CI

With GitHub actions compatible CI, the attic-action works great. You do not even need to specify what needs to be pushed, everything will be pushed at the end of the workflow run.

[If the formatting of this post looks odd in your feed reader, visit the original article]

Run Nix on Forgejo Actions on NixOS

2026-03-26T18:47:13+01:00

I will start by assuming that you have a Forgejo instance running, and you know what is Forgejo Actions. If that is not the case, I invite you to read the Forgejo User documentation and the Forgejo Admin documentation. They are a good read!

Please note that NixOS is not required to have a Forgejo Actions runner building nix code. I deploy my runner with NixOS because it is so damn simple to run and maintain.

Setup a runner

Registration token

Let's say that your forgejo instance is available at https://forgejo.example.net.

With an administrator account, go to https://forgejo.example.net/admin/actions/runners and get a registration token.

Get the token, and be ready to put it when needed.

If you put the registration token directly in your configuration file, it might end up in the nix store, which is publicly readable by any user on the machine. To prevent this you can encrypt it, I recommend using agenix for that. It uses SSH keys for the encryption and it works great.

OCI containers and Forgejo labels

The runner will need to have a label to know which jobs it can pick up. There are many labels from which you can choose from but for our usecase the docker label is enough.

I prefer to use Podman over Docker, but using Docker is just fine.

In the past I used the excellent guide from Robin Appelman which creates a container image with Nix pre-installed. But it required flakes, and every once in a while I had to update the flake's inputs, rebuild the image, and load it to the container tool.

I want something that is simpler, and requires less maintenance. Fortunately there are pre-built container images (which already work with existing GitHub workflows) for act (the Forgejo actions runner is based on act). A popular option is https://github.com/catthehacker/docker_images, and an alternative could be https://github.com/tcpipuk/act-runner.

I will name the images like they are GitHub Actions to keep things similar.

{ config, lib, pkgs, ... }:

{
  virtualisation.containers.enable = true;
  virtualisation.oci-containers.backend = "podman";
  virtualisation = {
    podman = {
      enable = true;
      dockerCompat = true;
    };
  };

  services.gitea-actions-runner = {
    package = pkgs.forgejo-runner;
    instances.forgejo-runner = {
      enable = true;
      name = "my-forgejo-runner"; # TODO: put a cute name for your runner
      token = "put-token-here"; # TODO: use agenix
      url = "https://forgejo.example.net/"; # TODO: put the link to your instance
      labels = [
        "node-24:docker://node:24-trixie"
        "ubuntu-24.04:docker://ghcr.io/catthehacker/ubuntu:runner-24.04"
        "ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:runner-latest"
      ];
      settings = {
        container.network = "host";
        log.level = "debug"; # have logs of the jobs appear in system logs
      };
    };
  };
}

You are done configuring the runner! Rebuild the NixOS machine and you should see the runner appear in https://forgejo.example.net/admin/actions/runners.

Write your workflow file

To make sure everything works, create a test git repo on Forgejo with a simple default.nix or shell.nix, and create a file in .forgejo/workflows/ci.yml.

To install Nix, simply use the install-nix-action from cachix. If you use npins, you can even set the path to nixpkgs directly to save time:

name: CI
on:
  push:
jobs:
  my_nix_job:
    runs-on: ubuntu-latest
    steps:
      - uses: https://data.forgejo.org/actions/checkout@v6
      - uses: https://github.com/cachix/install-nix-action@v31
      - name: Get Nixpkgs path
        run: |
          nixpkgs_path=$(nix eval --raw -f npins/default.nix nixpkgs)
          echo "NIX_PATH=nixpkgs=$nixpkgs_path" >> "$FORGEJO_ENV"
      - run: nix-build ./default.nix

Commit and push the file, and you should have the job being picked on https://forgejo.example.net/user/repo/actions!

[If the formatting of this post looks odd in your feed reader, visit the original article]

2025 Retrospective

2025-12-31T22:53:07+01:00

Every year people set their new year's resolutions for the upcoming year, but I always forget mine. I'd like to do the opposite instead: look back on what I accomplished the year that going to close in a couple of hours.

Starting with a failure

The year opened with a project started early 2024, which is a cool concept of a mobile multi player game without an internet connection. I had the plan of the technical details, and was spending a lot of time on the infrastructure and auxiliary details, but not on the application itself.

My involvement in this project ended early march, pretty disappointed in the communication with the other party involved.

But I learned a lot of nix, and I ported a GitHub action launching self-hosted Forgejo Actions runners on Hetzner Cloud! It worked pretty well, here's a link to my fork if people using Forgejo are interested. It was useful for me to build for a aarch64 target while owning only x86-64 workers; cross-compilation did not work when I tried it.

Try something else

Took some time off "big projects" to experiment a bit with encryption. I tried age and PASETO, it was fun!

Neovim 0.11 got released, and I care a lot (too much?) about my tools, I wanted to simplify my configuration because I was adding more and more plugins. I took the time to re-work my config, and learn more about neovim and its features!

I also migrated most of my dotfiles to nix with home-manager and nix-darwin. I discovered this website listing home-manager options and it's pretty neat! Wished nix-darwin has the same.

Back to the old school

When I was in high school, I got to work on a project (a connected trash can) which involved an ESP32 with sensors. On this project I was working on the software: get data from the sensors, connect to a Wi-Fi network and send data over HTTP, drive a SSD1306 display to show some information. I was bad at it (first real coding experience), but I loved it.

My first paid internship was to work with a ESP8266, I was tasked to write the software to connect and manage Wi-Fi networks for a IoT product. Loved it as well, I love seeing the end result and knowing what a physical device can do to enhance people's lives.

I feel there is something special about embedded devices: you can create something (from the firmware to the PCB, passing by the buttons and the LEDs and the screens!), and a human being can physically interract with it! Compared to a website or an app where you can only click, type and touch -- it's still wonderful all the things we can make with software and the web, but I feel there is something special when you can actually hold it in your hand.

I've been following Scott Mabin's work on getting rust programs run on ESP32s, and I am happy to see the progress made!

There's a Rust library to make rust apps with a nice TUI (Terminal User Interface) called ratatui. You might use it if you use some apps such as bottom.

I had an idea of a GPS project, and I discovered mousefood: a backend of ratatui but for embedded devices! This is the perfect tool to display data on the embedded device itself.

The GPS project did not go anywhere, but I contributed a bit to mousefood! It's a really cool project, it's a library I wish I had in high school when working on the connected trash can.

Blog

I wrote my own blog engine this summer! I need to improve the tooling around it (add more nix), but I am very happy with the result.

Rest of the year

I wanted to rewrite a project I did in the past, and fix design decisions I was not happy about. At the moment I only worked on tooling, infrastructure, and project scaffolding, but I spent a bunch of time on the architecture with diagrams and did some writing, let's see how this will go.

I created nix-supervisord as an outcome of doing the tooling of that project. Pretty happy of the result! It's my first nix library, did not think I was going to write one someday!

I also did maintenance on the gen_passphprase crate I maintain.

Lookback

I am overall happy with what I did this year, even though I learned some lessons the hard way: when working with someone else or for someone else, make sure to have your back covered in case something goes wrong.

I enjoy working on my tools to improve them, I just need to be careful of not spending too much time on them. I like nix a lot, I think it's a wonderful tool to build and to maintain software in the long run!

Embedded devices are cool, I'd like to spend more time with them, maybe create something useful!

Happy 2026!

[If the formatting of this post looks odd in your feed reader, visit the original article]

Neovim LSP config for TypeScript (vtsls) with Yarn Plug'N'Play

2025-09-07T01:15:38+02:00

I am starting a new project with Yarn. The last time I used it new projects defaulted to use v1, which uses the old way of installing packages in node_modules, like npm does.

When I created my project and upgraded to use the latest version of Yarn (v4 as I am writing this), I was surpised to see that neovim could not find TypeScript types in my code! VSCodium was not able to find types either. I started to research what was going on.

Plug And Play

Yarn has multiple modes to install packages, the latest and default one is called Plug'N'Play (PNP). Instead of installing packages inside a node_modules folder, it will instead download them in a cache, and create a special file named .pnp.cjs, defining what packages are resolved.

From what I understand, you give this file to the node runtime, and it will know where to load packages from its cache.

Ghost dependencies

The main issue I had so far is the ghost dependencies protection which requires packages to precisely define all their dependencies, something which can be tricky to do correctly.

If a package does not declare their dependencies correctly and it breaks at runtime, you have multiple options:

Declare in your project which packages need some extra information with a .yarnrc.yml file, see the Yarn documentation
Fix the packages upstream directly, but you need to be ready to spend some time doing that (which can be hard to do in some cases)
Disable the PNP mode entirely, by using another linker like pnpm or going back to the node_modules way.

PNP is still recommended to use, because it has an optimized way of managing installed packages across projects, and a good protection against unaccounted dependencies at runtime (at the cost of having all your packages declaring their dependencies correctly).

Editor support for TypeScript and others

By default, tools like LSPs and text editors will look for packages in the node_modules folder, because it is the way node always worked so far.

In PNP mode however, since the .pnp.cjs file tells where to go instead of node_modules, many tools have no idea how to load that file out of the box.

Yarn has a concept of editor SDKs which will help your editor find your packages. I will cover neovim, since it requires a bit of work to get it working.

Neovim setup

Zip files

Yarn seems to heavily use zip files to store packages, and stores zip files inside other zip files. There is a plugin named vim-rzip which brings this capability to neovim. Simply install it with your favorite package manager, with lazy.nvim I installed it like this:

require("lazy").setup({
  spec = {
    { "lbrayner/vim-rzip" }
  }
})

Editor SDK generation

To generate the Yarn editor SDK, a CLI tool is provided: Install it in inside your project with yarn add -D @yarnpkg/sdks, and run yarn sdks base to generate the base SDKs. For neovim this is enough, if you need some integrations can be additionally generated.

The location of the editor SDK is in .yarn/sdks. From what I understand this folder should be committed in version control.

Integration with the `vtsls` LSP

I use the vtsls LSP wrapper over ts_ls, because it seems to be the only one working with the VueJS LSP.

vtsls allows to provide the location of the TypeScript library and compiler (config reference), required to use Yarn with PNP.

I found a config snippet doing exactly what I wanted. When using neovim 0.11, the lua code will look like this to configure vtsls:

vim.lsp.config("vtsls", {
  settings = {
    vtsls = {},
    typescript = {},
  },
  before_init = function(_, config)
    local yarnPnpFile = vim.fs.find({ ".pnp.cjs" }, { upward = true })[1]
    if yarnPnpFile then
      config.settings.typescript.tsdk = vim.fs.dirname(yarnPnpFile) .. "/.yarn/sdks/typescript/lib"
      config.settings.vtsls.autoUseWorkspaceTsdk = true
    end
  end,
})

Thank you very much Simon Park for sharing your dotfiles! It saved me a lot of time.

Now when opening a TypeScript file, the LSP should find your packages and do its work normally.

Future

Hopefully the Go port of TypeScript will implement the automatic detection of packages with Yarn PNP, so that in the future no additional setup will be required when working with projects using Yarn and its PNP mode.

[If the formatting of this post looks odd in your feed reader, visit the original article]

Migrating my blog to my own engine

2025-08-05T02:48:36+02:00

Begginings

I created my blog in 2016 with a very popular blog engine at the time: Jekyll. Combined with hosting provided by GitHub Pages, it is a quick way to start publishing content. I did not write a lot when I started my blog, so it was not a big deal. That worked fine for a couple of years, until I was tired of managing Ruby dependencies and warnings, and I remember getting a bit of trouble when I was running Windows.

At some point I switched to Zola, and I liked it a lot: instead of managing many dependencies, there is a single binary to run to create/preview/build websites, and a good feature set out of the box.

But so far the look of my blog was pretty generic, for a simple reason: I disliked writting CSS. In fact, I prefered searching for a theme that I could use rather than spending time making my own. Fortunately, there is a big pool of Zola and Jekyll themes ready to be used, so it was prefect for me!

I started by blog when I did not know how to make web applications, but now I can! And now I can write some CSS, thanks to a wonderful tool named TailwindCSS. Tailwind made me tolereate writting CSS, it helps me a lot to understand what I do, now it is making me enjoy writting CSS!

A couple of years ago I redesigned my website, and started to use Leptos for the templating / components part. It turns out I like Leptos a lot to make reusable components.

I wanted to give a fresh look to my blog, but I did not want to write HTML templates by hand or deal with raw CSS, I wanted to do it with Leptos and Tailwind! While browsing the web I found someone building their blog with Leptos and TailwindCSS as well!

Feature set

In my opinion, static sites generators are awesome for blogs -- You write a piece a content, give it to a tool, and it will emit files that are ready to be viewed in a web browser. That is pretty powerful, and makes the website portable, no lock-in to a specific tool! So my new blog had to be statically generated.

I want to have an Web feed, it is non negociable. Web feeds are awesome, Zola and Jekyll generate an Atom feed by default, so my blog will have an Atom feed.

It has to look nice, whether on desktop or mobile. Tailwind makes this easy: simply write the CSS for a mobile screen, and make some adjustements when making the screen bigger.

Something I wanted to have is nice code blocks, I used highlight.js for this, it's a pretty nice library! If JavaScript is completely blocked on the reader's browser this is not a problem, there is a fallback option which shows the code block without any syntax highlighting. Currently highlight.js is being pulled from a CDN, it could be vendored at some point, the JavaScript files would be need to be downloaded during build time.

Content

All content is written in Markdown, the excellent crate pulldown-cmark is used to parse the content.

A tiny bit of metadata is required in every piece of content:

title: The Tagline of the content. Used on the homepage and on the Web feed.
date: Moment of publication. I started to use the crate jiff in all my projects, I like its API. An example moment is 2025-07-01T12:56:42+02:00[Europe/Paris], I discovered RFC 9657 extends RFC 3339, it allows the IANA Time Zone to be in the date/time string!
uuid: The unique identifier of the content, it is only used for the Web feed.

Filename

To be considered for inclusion, the filename of every piece of content must either be:

YYYY-MM-DD-slug.md when there is no additional assets
YYYY-MM-DD-slug/index.md when assets will be put next to the index.md file.

The slug will appear in the URL of the content. It can be anything, but it must not change after publication, otherwise it will be published as a new content.

The YYYY-MM-DD part is not used on the final website anywhere, it is simply there to make the files sort naturally by name on the filesystem. It also checked against the date tag in the metadata in case a typo was made.

Custom components

During markdown parsing, when an HTML block is detected, HTML tags are scanned against a list of custom HTML tags in leptos_ssg to see if they match (they must not clash with HTML tags from the W3C).

If there is a match, a Leptos view is rendered on the HTML page, but not on the Web feed (to keep things simple, since all Web feed readers might not display it correctly). The content author should put a paragraph above or below the custom component to explain what is happening, for Web browsers without JavaScript (if the component requires it), or for Web feed readers.

The first custom component is ImageGrid, which will render a grid of images from a folder. It can be used like this:

&lt;ImageGrid src="path-to-images/" /&gt;

And it will look like this (for Web feed readers, here is the folder with sample images):

Web feed

An Atom feed is generated, and not an RSS feed, because the tools I used previously generated Atom feeds, and because it is standardized. It seems a bit simpler to understand compared to RSS 1.0 and RSS 2.0, at a first glance.

Every piece of content requires to have its own UUID, to make sure there will never be any conflicts. I would like to thank those sites:

https://www.alanwsmith.com/en/2a/ne/cw/if/ For a quick "getting started" guide
https://peterbabic.dev/blog/using-uuid-in-atom-feed/ For explaining why UUIDs are needed

In the Web feed, the UUID of every piece of content is a UUIDv5 composed of:

The UUIDv4 of the site, which is deadbaed-dead-4444-baed-dddeadbaeddd (very random huh?)
The UUIDv4 of the piece of content

That way, every single piece of content is guaranteed to always have the same UUID since the moment of publication.

The only downside to this approach is to remember to generate an UUIDv4 when writting new content, but it should be fine.

It will never be finished

I am aware that a blogging engine will never be finished and it will never have all the features big engines have, and it will have some bugs.

But I am very happy to make my own tools, and use them in production!

The name of the engine is leptos_ssg, the source code is available here, and there is an instance to showcase the engine!

Write more

I hope re-building my blog (and accidentally writting my own blog engine) will encourage me to write more!

And the writting better be about projects I am working on, and not about the blog engine itself 😁

[If the formatting of this post looks odd in your feed reader, visit the original article]

Automount a Hetzner Storage Box with sshfs on NixOS

2024-08-10T00:00:00+00:00

I had my eyes on some nice arm64 servers from Hetzner, and I finally pulled the trigger, I got the CAX21.

It is also the opportunity to reduce time of maintaining my infrastructure, I will use NixOS to setup my server. By having a couple of configuration files, it will be easier to review, edit and update the system.

But time will tell if it is the good decision, and not sticking to a imperative distribution such as Debian.

Not a lot of storage

The only downside with these servers is the storage -- I only have 80 gigabytes of storage on mine. Fortunately, Hetzner has their Storage Box offerings, I picked up a BX11 which has 1 terabyte of storage!

The plan is to mount the storage box as a regular drive and have applications use it normally. The main applications will be documents, media, backups -- not speed critical data such as databases or logs.

Storage Box ordering and setup

Start by ordering your Storage Box, I think mine took less than an hour to be provisioned and delivered to me.

On the configuration panel, I only ticked SSH support and the disabled the rest. If you will use the storage box outside of the Hetzner network, enable External reachability.

Finally, you cannot set the password yourself, you will have to reset it.

SSH keys

On the server, generate a new ssh key with ssh-keygen which will be used to connect to the storage box.

Since I want the storage box to be mounted automatically on startup, so I did not set a passphrase on the key.

Copy the ssh to the storage box with:

ssh-copy-id -p 23 -s user@storagebox.example.org

More documentation on ssh keys with storage box: https://docs.hetzner.com/robot/storage-box/backup-space-ssh-keys

NixOS configuration

The easy part, and the reason why I think I will like to use NixOS on my server:

You can put it inside your configuration.nix directly, I placed it inside its own file.

{ ... }:

{
  fileSystems."/mnt/storagebox" = {
    device = "user@storagebox.example.org:/some/path";
    fsType = "fuse.sshfs";
    options = [
      "identityfile=/place/to/ssh/key/somewhere"
      "idmap=user"
      "x-systemd.automount" # mount the filesystem automatically on first access
      "allow_other" # don't restrict access to only the user which `mount`s it (because that's probably systemd who mounts it, not you)
      "user" # allow manual `mount`ing, as ordinary user.
      "_netdev"
    ];
  };
  boot.supportedFilesystems."fuse.sshfs" = true;
}

Thank you so much to this Discourse post for the configuration snippet!

Run

nixos-rebuild switch && cd /mnt/storagebox

and you are able to read and write files!

[If the formatting of this post looks odd in your feed reader, visit the original article]

First setup of Archivebox

2024-03-02T00:00:00+00:00

I discovered Archivebox and decided to install it on my server using containers.

I just had to make a couple of adjustements, because all the content on the instance is publically available. I do not want that, I want to restrict access with user accounts.

To do so, start by finding out the container name, and open a shell:

docker exec --user=archivebox -it container-name-goes-here bash

Go into the directory where Archivebox data is stored, and you will be able to run command to manage the instance.

Hide everything from the public

archivebox config --set SAVE_ARCHIVE_DOT_ORG=False
archivebox config --set PUBLIC_INDEX=False
archivebox config --set PUBLIC_SNAPSHOTS=False
archivebox config --set PUBLIC_ADD_VIEW=False

Create first user account

Now that you cut outside world access to your instance, create an admin user to access and add new content:

archivebox manage createsuperuser

Once finished, exit the shell and restart Archivebox.

[If the formatting of this post looks odd in your feed reader, visit the original article]

Setup a private Docker registry

2023-07-15T00:00:00+00:00

My internal infrastructure is complete. I can now work on my projects, but at some point they need to go out to the world!

The platform for most of my projects is the web, and the best tool I found so far to deploy them is Docker.

I want to keep the code on the private infrastructure, but I also want to be in control of where the docker images will be stored.

The perfect solution is a private Docker registry! But it will not be on the internal infrastructure, it will be publicly available on a regular server.

That way, projects can be deployed in their final form whenever and wherever, while the source remaining private.

Get started locally

To start, I will launch a test registry on my machine to make sure everything works.

I will use these docker images:

registry: The official registry made by Docker themselves
docker-registry-ui: A nice webui to view and manage images on the registry

Here's the docker-compose file I used to get started:

services:

  registry-server:
    image: registry:2.8.2
    ports:
      - 5000:5000
    volumes:
      - ./registry-data:/var/lib/registry
      - ./passwords:/auth/htpasswd
    environment:
      REGISTRY_AUTH: 'htpasswd'
      REGISTRY_AUTH_HTPASSWD_REALM: 'Registry Realm'
      REGISTRY_AUTH_HTPASSWD_PATH: '/auth/htpasswd'
      REGISTRY_HTTP_HEADERS_Access-Control-Origin: '[http://registry.example.com]'
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Methods: '[HEAD,GET,OPTIONS,DELETE]'
      REGISTRY_HTTP_HEADERS_Access-Control-Credentials: '[true]'
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Headers: '[Authorization,Accept,Cache-Control]'
      REGISTRY_HTTP_HEADERS_Access-Control-Expose-Headers: '[Docker-Content-Digest]'
      REGISTRY_STORAGE_DELETE_ENABLED: 'true'
    container_name: registry-server

  registry-ui:
    image: joxit/docker-registry-ui:2.5.0
    ports:
      - 8001:80
    environment:
      SINGLE_REGISTRY: true
      REGISTRY_TITLE: Docker Registry UI
      DELETE_IMAGES: true
      SHOW_CONTENT_DIGEST: true
      NGINX_PROXY_PASS_URL: http://registry-server:5000
      SHOW_CATALOG_NB_TAGS: true
      CATALOG_MIN_BRANCHES: 1
      CATALOG_MAX_BRANCHES: 1
      TAGLIST_PAGE_SIZE: 100
      REGISTRY_SECURED: false
      CATALOG_ELEMENTS_LIMIT: 1000
    container_name: registry-ui

But don't start the services right away.

Authentication

I don't want the registry being open to everyone though, let's add some authentication.

To keep things simple, I will use HTTP basic auth. If you want, there's a possibility to have a more complex setup.

Here's a quick script to get passwords in a format that Docker will accept:

#!/bin/sh
#
# new-password.sh

if [ -z "$1" ]
then
echo "usage: $0 username"
exit 1
fi

echo "creating password for user \"$1\""
htpasswd -nB $1

How to use it:

$ ./new-password.sh phil
creating password for user "phil"
New password: phil
Re-type new password: phil
phil:$2y$05$asxsqfmEQJpg8zuKGyieMOmTirok.Gd/noliF.y48DJXe.97ufGHG

Copy the last line in the passwords file (see the docker-compose file).

Repeat the process for every user you want to give authentication to your registry.

Keep in mind I only cover AUTHENTICATION (who can access the registry), and not AUTHORIZATION (who can do what on the registry). With this setup, if you have access to the registry, you can do anything on it.

Use the registry

Start the services with

docker compose up

Now, you can access the webui by going to

http://localhost:8001

in a web browser and sign-in with your credentials. You should see an empty list. Let's add some images!

Naming images

Pick an image you want on the registry.

If it's an existing image:

docker tag name-of-existing-image localhost:5000/existing-image-name

If you build the image directly:

docker build -t localhost:5000/new-image-name

The name of the image must have the domain of the registry, in our case it's localhost:5000.

Login to registry

To sign in to the registry, use

docker login localhost:5000

and enter your credentials.

Push / Pull

Simply run the usual docker command to push or pull images. Docker will know which registry to use based of the image's name.

docker push localhost:5000/new-image-name
docker pull localhost:5000/existing-image-name

That's pretty much it!

Deploy to production

I use Caprover to deploy my docker images easily, it comes with a reverse proxy and automatic TLS certificates with Let's encrypt.

Here's the one-click-app config I created for the registry:

captainVersion: 4

services:
  $$cap_appname-registry:
    image: registry:$$cap_registry_version
    volumes:
      - $$cap_appname-data:/var/lib/registry
      - $$cap_appname-auth:/auth/
    environment:
      REGISTRY_AUTH: 'htpasswd'
      REGISTRY_AUTH_HTPASSWD_REALM: 'Registry Realm'
      REGISTRY_AUTH_HTPASSWD_PATH: '/auth/htpasswd'
      REGISTRY_HTTP_HEADERS_Access-Control-Origin: '[https://$$cap_appname-registry.$$cap_root_domain, https://$$cap_appname-ui.$$cap_root_domain]'
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Methods: '[HEAD,GET,OPTIONS,DELETE]'
      REGISTRY_HTTP_HEADERS_Access-Control-Credentials: '[true]'
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Headers: '[Authorization,Accept,Cache-Control]'
      REGISTRY_HTTP_HEADERS_Access-Control-Expose-Headers: '[Docker-Content-Digest]'
      REGISTRY_STORAGE_DELETE_ENABLED: 'true'
    caproverExtra:
        containerHttpPort: '5000'

  $$cap_appname-ui:
    image: joxit/docker-registry-ui:$$cap_ui_version
    environment:
      SINGLE_REGISTRY: true
      REGISTRY_TITLE: Docker Registry UI
      DELETE_IMAGES: true
      SHOW_CONTENT_DIGEST: true
      NGINX_PROXY_PASS_URL: http://srv-captain--$$cap_appname-registry:5000
      SHOW_CATALOG_NB_TAGS: true
      CATALOG_MIN_BRANCHES: 1
      CATALOG_MAX_BRANCHES: 1
      TAGLIST_PAGE_SIZE: 100
      REGISTRY_SECURED: false
      CATALOG_ELEMENTS_LIMIT: 1000

caproverOneClickApp:
    variables:
        - id: '$$cap_registry_version'
          label: Registry Version
          defaultValue: '2.8.2'
          description: Check out the Docker page for the valid tags https://hub.docker.com/_/registry/tags
          validRegex: "/.{1,}/"
        - id: '$$cap_ui_version'
          label: UI Version
          defaultValue: '2.5.0'
          description: Check out the Docker page for the valid tags https://hub.docker.com/r/joxit/docker-registry-ui/tags
          validRegex: "/.{1,}/"
    instructions:
        start: |-
            A private docker registry, with a webui to see images
        end: |-
            The registry has been deployed! Look in the "auth" volume to update credentials
    displayName: docker-registry-with-ui
    isOfficial: false
    description: A private docker registry, with a webui to see images
    documentation: https://docs.docker.com/registry/

[If the formatting of this post looks odd in your feed reader, visit the original article]

Setup a service on our internal infrastructure on Alpine Linux

2023-07-02T00:00:00+00:00

Now we have a basic internal infrastructure with:

Everything hidden and encrypted through the network (WireGuard)
Pretty internal domain names instead of raw ip addresses (CoreDNS)
A basic http server just in case (Caddy)
Our own TLS certificates that are easy to get (Step CA)

But everything is on the same machine. While it could be okay, I will host the services I want on other machines.

I will run them on the same Proxmox cluster, but the possibilities are endless (as long you can get WireGuard running).

Get started

Install Alpine. Setup ssh and repositories.

WireGuard

We will set up WireGuard, but not a server, a regular peer that will connect to the WireGuard server.

Create a new peer on the WireGuard server, and get the config file ready.

Install

Install WireGuard:

apk add wireguard-tools

To load the WireGuard module on startup, edit

/etc/modules

and simply add

wireguard

and reboot.

Configure

Put the WireGuard config to

/etc/wireguard/wg0.conf

Start

Copy the init.d script for WireGuard like we did for the original server.

And ask it to start on boot.

Reboot and make sure everything works, you should see WireGuard logs when the machine is starting.

And the DNS should be working! Try to ping an internal DNS name.

Sometimes the DNS will go back to the system's default (probably your DHCP server's), so force the DNS as seen in the post about CoreDNS.

DNS entry

In the main server, edit CoreDNS to add a new DNS entry for the newly added peer.

Save and restart CoreDNS.

MOTD

Add the dynamic MOTD if you feel like it. I did.

Reverse proxy

Before installing and starting services, let's add a reverse proxy for security + some sweet TLS certs.

I'll be using caddy. You will need to enable the community repo first.

apk add caddy

Let's get a hello world:

/etc/caddy/Caddyfile

## global
{
        # step-ca ACME server
        acme_ca https://10.131.111.1:444/acme/acme/directory
}

docker.philt3r docker.philt3r:80 {
    respond "Hello, world!"
}

I start the service on ports 80 and 443 to get the initial TLS certificate, I will remove access on port 80 afterward.

Don't start caddy yet.

TLS certificates

On our new server, we need to trust the root ca. Download the root ca, and ask the system to trust it:

apk add ca-certificates ca-certificates-bundle
wget --no-check-certificate https://10.131.111.1:444/roots.pem -O /usr/local/share/ca-certificates/philt3r.crt
update-ca-certificates

Now we can start caddy and enable it on boot:

rc-service caddy start
rc-update add caddy

You should get a Hello World on port 443. If you do, you can disable access from port 80 in the Caddyfile and restart caddy.

Install the service

Now we can install the service we want to host, start it, and configure caddy to be a reverse proxy for it.

Repeat the process for the other services you want to host.

Protip: serve the services on 127.0.0.1 and use caddy to restrict access only from the WireGuard peers (since there is the DNS restriction).

Sample Caddyfile:

## global
{
        # step-ca ACME server
        acme_ca https://10.131.111.1:444/acme/acme/directory
}

docker.philt3r {
        reverse_proxy 127.0.0.1:3000
}

Docker

Since I'll be using Docker to host most services, I'll install it:

apk add docker docker-compose
rc-update add docker
rc-service docker start

Then spin up your docker containers and route them with caddy.

[If the formatting of this post looks odd in your feed reader, visit the original article]

Dynamic MOTD on Alpine Linux

2023-06-30T00:00:00+00:00

When we sign in to our server, the message of the day (MOTD) is pretty lame. Let's get something better!

This is the default MOTD of alpine:

Welcome to Alpine!

The Alpine Wiki contains a large amount of how-to guides and general
information about administrating Alpine systems.
See &lt;http://wiki.alpinelinux.org&gt;.

You can setup the system with the command: setup-alpine

You may change this message by editing /etc/motd.

And here's my new MOTD. I even show the WireGuard ip address:



  Name: intra.philt3r
  Kernel: 6.1.35-0-lts
  Distro: Alpine Linux v3.18
  Version 3.18.2

  Uptime: 0 days, 0 hours, 22 minutes
  CPU Load: 0.00, 0.00, 0.00

  Memory: 468M
  Free Memory: 217M

  Disk: 6.6G
  Free Disk: 6.6G

  eth0 Address: 192.168.1.71
  wg0 Address: 10.131.111.1

Start and enable cron at startup (it should be installed by default):

rc-service crond start
rc-update add crond

Let's run a script every 15 minutes to update the /etc/motd file:

/etc/periodic/15min/motd

Here's the content of my MOTD:

#!/bin/sh
#. /etc/os-release
PRETTY_NAME=`awk -F= '$1=="PRETTY_NAME" { print $2 ;}' /etc/os-release | tr -d '"'`
VERSION_ID=`awk -F= '$1=="VERSION_ID" { print $2 ;}' /etc/os-release`
UPTIME_DAYS=$(expr `cat /proc/uptime | cut -d '.' -f1` % 31556926 / 86400)
UPTIME_HOURS=$(expr `cat /proc/uptime | cut -d '.' -f1` % 31556926 % 86400 / 3600)
UPTIME_MINUTES=$(expr `cat /proc/uptime | cut -d '.' -f1` % 31556926 % 86400 % 3600 / 60)
cat > /etc/motd << EOF


  Name: `hostname`
  Kernel: `uname -r`
  Distro: $PRETTY_NAME
  Version $VERSION_ID

  Uptime: $UPTIME_DAYS days, $UPTIME_HOURS hours, $UPTIME_MINUTES minutes
  CPU Load: `cat /proc/loadavg | awk '{print $1 ", " $2 ", " $3}'`

  Memory: `free -m | head -n 2 | tail -n 1 | awk {'print  $2'}`M
  Free Memory: `free -m | head -n 2 | tail -n 1 | awk {'print $4'}`M

  Disk: `df -h / | awk  '{ a = $2 } END { print a }'`
  Free Disk: `df -h / | awk '{ a =  $2 } END { print a }'`

  eth0 Address: `ifconfig eth0 | grep "inet addr" |  awk -F: '{print $2}' | awk '{print $1}'`
  wg0 Address: `ifconfig wg0 | grep "inet addr" |  awk -F: '{print $2}' | awk '{print $1}'`


EOF

Make the script executable, and check if it's good:

chmod a+x /etc/periodic/15min/motd
run-parts --test /etc/periodic/15min

If you're lazy and don't want to wait 15 minutes, run the script directly:

/etc/periodic/15min/motd

Log out and log back in, you should see the new MOTD!

Resources

https://kingtam.win/archives/apline-custom.html

I just copy/pasted and changed the MOTD.

[If the formatting of this post looks odd in your feed reader, visit the original article]

Setup Caddy with a CA and ACME server on Alpine Linux

2023-06-28T00:00:00+00:00

Now that we have a WireGuard VPN with an awesome internal DNS server, let's get a web server with HTTPS!

Caddy

Install

You will need to enable the community repo first.

doas apk add caddy

Configuration

Create a folder to serve stuff from, I placed it in

/srv/www

Create the config in

/etc/caddy/Caddyfile

Here's the config, it's very simple to get started:

intra.philt3r:80
root * /srv/www
file_server browse

This config will only launch an HTTP server, the HTTPS will come later.

It should work only from the WireGuard peers, since they can resolve the DNS name intra.philt3r.

If there is no index.html in the folder, it will serve static files directly.

Script to launch

Caddy already has a service!

Start: rc-service caddy start
Stop: rc-service caddy stop
Reload configuration without downtime: rc-service caddy reload

Generate keys and certificates

We will generate the Root CA, the Intermediate CA.

Generate these with openssl installed on a computer, preferabbly offline.

Make sure the keys are stored in a safe place, I will store mine inside of a KeePassXC keystore.

OpenSSL Configuration

inside a folder, create a file

config.conf

In [CA_root], make sure to put your folder dir

# OpenSSL root CA configuration file.

[ ca ]
# `man ca`
default_ca = CA_root

[ CA_root ]
# Directory and file locations.
dir               = /home/phil/ca
certs             = $dir/certs
crl_dir           = $dir/crl
new_certs_dir     = $dir/newcerts
database          = $dir/index.txt
serial            = $dir/serial
RANDFILE          = $dir/private/.rand

# The root key and root certificate.
# Match names with Smallstep naming convention
private_key       = $dir/root_ca_key
certificate       = $dir/root_ca.crt

# For certificate revocation lists.
crlnumber         = $dir/crlnumber
crl               = $dir/crl/ca.crl.pem
crl_extensions    = crl_ext
default_crl_days  = 30

# SHA-1 is deprecated, so use SHA-2 instead.
default_md        = sha256

name_opt          = ca_default
cert_opt          = ca_default
default_days      = 25202
preserve          = no
policy            = policy_strict

[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName             = match
stateOrProvinceName 	= supplied
localityName	    	= supplied
organizationName        = match
commonName              = supplied

[ req ]
# Options for the `req` tool (`man req`).
default_bits        = 4096
distinguished_name  = req_distinguished_name
string_mask         = utf8only

# SHA-1 is deprecated, so use SHA-2 instead.
default_md          = sha256

# Extension to add when the -x509 option is used.
x509_extensions     = v3_ca

[ req_distinguished_name ]
# See &lt;https://en.wikipedia.org/wiki/Certificate_signing_request>&gt;.
countryName          = Country (2 letter code)
stateOrProvinceName  = State or Region
localityName         = City
commonName           = Common Name
0.organizationName   = Organization Name

[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

After, run

mkdir newcerts
touch index.txt
echo 1420 > serial

We are now ready to generate keys and certificates.

Root key and certificate

Generate key:

openssl genrsa -aes256 -out root_ca_key 4096

It will ask for a passphrase, I generated mine with my KeePassXC.

Generate root certificate:

openssl req -config config.conf -key root_ca_key -days 3650 -new -x509 -sha256 -extensions v3_ca -out root_ca.crt

My root CA will last for 3650 days (10 years).

Here's the info I provided:

Country (2 letter code) []:FR
State or Region []:Bretagne
City []:Rennes
Common Name []:philt3r CA
Organization Name []:philt3r

I saved the root_ca_key and root_ca.crt inside my KeePassXC.

Intermediate key and certificate

Generate key:

openssl genrsa -aes256 -out intermediate_ca_key 4096

It will ask for a passphrase, I generated mine with my KeePassXC.

Generate certificate request:

openssl req -config config.conf -new -sha256 -key intermediate_ca_key -out intermediate_ca.csr.pem

Here's the info I provided:

Country (2 letter code) []:FR
State or Region []:Bretagne
City []:Rennes
Common Name []:philt3r Intermediate CA 
Organization Name []:philt3r

Sign certificate request with Root key:

openssl ca -config config.conf -keyfile root_ca_key -cert root_ca.crt -extensions v3_intermediate_ca -days 1825 -notext -md sha256 -in intermediate_ca.csr.pem -out intermediate_ca.crt

My Intermediate certificate will last for 1825 days (5 years).

Save these files, I saved them in my KeePassXC:

intermediate_ca_key
intermediate_ca.csr.pem
intermediate_ca.crt

Once everything is saved and backed up, delete everything from your computer securely.

CA and ACME server

I discovered Smallstep, which allows to become your own ACME server.

Install

They provide packages for Alpine!

Install the packages with

apk add step-cli step-certificates

Configuration

Start by creating the folder where step will save all the configs:

mkdir /etc/step-ca -p

Let's configure step-ca!

STEPPATH=/etc/step-ca step ca init --name="philt3r" --acme --address="10.131.111.1:444" --provisioner="philt3r" --deployment-type standalone

I ask it to run on the address 10.131.111.1 (the WireGuard ip) and on the port 444. The port 443 will be used for a https server, so I picked 443 + 1.

Since I want an ACME server, I asked to get one.

Step will ask what IP address the clients will use to reach your ca, reply with 10.131.111.1, because only WireGuard peers and the server should be allowed.

This will prompt a password, put one.

Step will generate a root and intermediate key, as well as an intermediate certificate. We don't want that, since we already generated our own.

Copy these files in /etc/step-ca/certs:

root_ca.crt
intermediate_ca.crt

Copy intermediate_ca_key in /etc/step-ca/secrets folder. I use the key directly, but in a safe environment use a Yubikey, but I don't have one.

Start the CA/ACME server

Run

step-ca /etc/step-ca/config/ca.json

to start the server. It will ask your password to decrypt the intermediate_ca_key. Provide the password.

The server should start, stop it.

We will now create a file containing the password of the intermediate_ca_key, since we want to have the ACME server starting when Alpine will boot.

Why put the password inside a file? Well, simply because we can't type the password at boot. Again, in an ideal environment, use a Yubikey.

Create a file at

/etc/step-ca/password.txt

and place the password inside that file.

step should run as the user step-ca, so update the permissions on the config folder:

chown step-ca:step-ca -Rv /etc/step-ca/

To verify that everything worked, run:

step-ca /etc/step-ca/config/ca.json --password-file=/etc/step-ca/password.txt

Stop the server again.

Script to launch

Step already has a service!

Start: rc-service step-ca start
Stop: rc-service step-ca stop

Use ACME with Caddy

Now let's tell Caddy to get TLS certificates with our ACME server.

Edit the /etc/caddy/Caddyfile:

# global
{
        # step-ca ACME server
        acme_ca https://10.131.111.1:444/acme/acme/directory
}

intra.philt3r intra.philt3r:80 {
        root * /srv/www
        file_server browse
}

Make sure step-ca is started, and restart Caddy to make sure everything is good:

rc-service caddy restart

Now we need to tell our system to trust the certificates.

Download the file containing the certificates. It is available at this URL:

https://10.131.111.1:444/roots.pem

On every device you want to trust your certificates, you will need to download the file on the device, then you will need to tell your operating system to trust it.

OSX: Trust the certificate
iOS: Download the certificate from the device and trust it
Firefox: Install the certificate on your system and tell firefox to trust it
Linux distros: Ubuntu, Fedora

Start on boot

Start caddy and step-ca on startup with:

rc-update add step-ca
rc-update add caddy

Reboot to make sure everything works.

Resources

https://wiki.alpinelinux.org/wiki/Repositories
Awesome guide that helped me a lot: https://www.apalrd.net/posts/2023/network_acme/

[If the formatting of this post looks odd in your feed reader, visit the original article]

Setup CoreDNS on Alpine Linux

2023-06-25T00:00:00+00:00

Now that we have a WireGuard VPN, let's add a DNS server, to type letters instead of numbers!

Install CoreDNS

You will need to enable the community repo first.

doas apk add coredns

Configuration

Create the config in

/etc/coredns/Corefile

# snippets
(common) {
    cache 60
    acl {
        allow net 127.0.0.1 10.131.110.0/24 10.131.111.0/24
        block
    }
}

# intranet
philt3r {
    import common
    log . {combined} {
        class denial error success
    }

    hosts {
        10.131.111.1 intra.philt3r
        falltrough
    }
}

# extranet
. {
    import common

    # Free DNS
    forward . 212.27.40.240 212.27.40.241
}

My DNS service of choice comes from free.fr. Feel free to put your own favorite DNS service!

Script to launch on server startup

CoreDNS already has a service!

Add at startup: rc-update add coredns
Remove from startup: rc-update del coredns
Show services at startup: rc-status

The logs of CoreDNS should be available at

/var/log/coredns/coredns.log

Use CoreDNS on the system

Now that we have our DNS server, let's use it on our server!

If you use DHCP to get the ip address of your server, the DNS will always be used from the DHCP.

We want to use our own DHCP server.

Create the file (and the folder associated with it)

/etc/udhcpc/udhcpc.conf

and put

RESOLV_CONF="NO"

Then, edit the

/etc/resolv.conf

and put

nameserver 127.0.0.1

Restart the server.

[If the formatting of this post looks odd in your feed reader, visit the original article]

Setup WireGuard server on Alpine Linux

2023-06-24T00:00:00+00:00

Let's do this baremetal, no Docker!

I will do this inside a Proxmox virtual machine.

Get started

Start by installing Alpine Linux: Run the installer, next, next, next, and boot the os once it's done.

Setup ssh

Copy ssh key (run this on your local machine):

ssh-copy-id -i ~/.ssh/id_rsa.pub user@ip

doas apk add vim

Edit ssh config to force ssh key use:

doas vim /etc/ssh/sshd_config

Find and update these statements:

PermitRootLogin no
PubkeyAuthentication yes

Restart ssh service, logout, and log back in

doas rc-service sshd restart

Setup alpine package manager

I use mirrors.ircam.fr as my mirror

Open

/etc/apk/repositories

add the community repo, and run updates:

doas apk -U upgrade

WireGuard basics

Install WireGuard:

doas apk add wireguard-tools

Kernel module

Load the module

doas modprobe wireguard

To launch the module on startup, edit

/etc/modules

and simply add

wireguard

at the bottom, and save the file.

IP forwarding

Edit

/etc/sysctl.conf

and add

net.ipv4.ip_forward = 1

at the bottom of the file, and save

Launch sysctl on startup with

doas rc-update add sysctl

and reboot.

IP Addresses

Pick a range if ip addresses to use: RFC 1918

I'll pick 10.131.111.x for the WireGuard peers.

Calculate your CIDR: https://www.ipaddressguide.com/cidr

Here's my network layout:

CIDR: 10.131.110.0/23
Start: 10.131.110.0
End: 10.131.111.255

Network services:

Start: 10.131.110.0/24
End: 10.131.110.255/24

WireGuard:

Start: 10.131.111.0/24
End: 10.131.111.255/24

Generate keys for WireGuard

Do everything as root (doas is the equivalent of sudo):

doas su

Move to the wireguard configuration, I'll store everything there for easy access:

cd /etc/wireguard/

Generate the private and public key, store them in files (we'll use them later):

wg genkey | tee philt3r-privatekey | wg pubkey > philt3r-publickey

Configure server interface

All the server configuration will happen in

/etc/wireguard/wg0.conf

Protip for vim users: To add content of a file in current buffer directly: StackOverflow answer

[Interface]
# Name = wg0
Address = 10.131.111.1/24
ListenPort = 51820
PrivateKey = &lt;server-private-key&gt;
PostUp = iptables -t nat -A POSTROUTING -s 10.131.111.0/24 -o %i -j MASQUERADE;
PostUp = iptables -t nat -A POSTROUTING -s 10.131.110.0/24 -o %i -j MASQUERADE;
PostUp = iptables -A INPUT -p udp -m udp --dport 51820 -j ACCEPT;
PostUp = iptables -A FORWARD -i %i -j ACCEPT;
PostUp = iptables -A FORWARD -o %i -j ACCEPT;
PostDown = iptables -t nat -D POSTROUTING -s 10.131.111.0/24 -o %i -j MASQUERADE;
PostDown = iptables -t nat -D POSTROUTING -s 10.131.110.0/24 -o %i -j MASQUERADE;
PostDown = iptables -D INPUT -p udp -m udp --dport 51820 -j ACCEPT;
PostDown = iptables -D FORWARD -i %i -j ACCEPT;
PostDown = iptables -D FORWARD -o %i -j ACCEPT;

Once it's good, make sure only root can read and write to the files:

chmod 600 /etc/wireguard/*

Add new peer

You will need to repeat this for each new peer

cd /etc/wireguard/

Generate keys

Starting now, name is a placeholder for the name of the peer.

I typically use the format name-of-person followed by device-name. For example, the peer for my phone will be phil-iphone.

Create folder to store keys for the peer:

mkdir -p peers/name

Generate preshared key (not required):

wg genpsk | tee peers/name/preshared.psk

Generate private and public keys for the peer:

wg genkey | tee peers/name/private.key | wg pubkey > peers/name/public.key

Update server configuration

Edit your wg0.conf, add at the bottom:

[Peer]
# Name = name
PublicKey = peers/name/public.key
PresharedKey = peers/name/preshared.psk
AllowedIPs = 10.131.111.2/32
AllowedIPs = 10.131.110.0/24
AllowedIPs = 10.131.111.0/24

Peer configuration

Now let's create the configuration to give to the peer:

Create the file

peers/name/philt3r-name.wg.conf

And put the following

[Interface]
PrivateKey = peers/name/private.key
Address = 10.131.111.2/24
#DNS = 10.131.111.1

[Peer]
PublicKey = &lt;server-public-key&gt;
PresharedKey = peers/name/preshared.psk
Endpoint = server-ip:51820
AllowedIPs = 10.131.110.0/24
AllowedIPS = 10.131.111.0/24
PersistentKeepalive = 25

DNS info is not used yet, it's normal, I will enable it once my DNS server will be created (not in this blog post though).

Distribute config

Either give the configuration file we just created, or you can have multiple choices.

QR Code

Start by installing

apk add libqrencode-tools

And run

qrencode -t ansiutf8 < peers/name/philt3r-name.wg.conf

Base64

Note: I'm using base64 on Alpine, which comes from BusyBox, the CLI may be different depending on the operating system you're using.

Encode the configuration file to a base64 string:

cat philt3r-name.wg.conf | base64 -w 0

And on the other device, decode the string and save to a file:

base64 -d > philt3r-name.wg.conf

Put the base64 encoded string, and send a EOF (usually ctrl + d).

Restart WireGuard

If you already have WireGuard running, simply run

rc-service wg restart

to restart the server with your new peer.

Start WireGuard manually

Make sure to open the port on your router in UDP mode! I spent a lot of time debugging to realize that my port was in TCP, double check!

Make sure to be root before, don't use doas or sudo!

wg-quick up wg0

On the peer, start the tunnel.

On the server, run

wg

to check the status of WireGuard. You should see the peer and some stats it is connected.

If you do not see info about the peer even if it is not connected, that means you did something wrong in the configuration!

From your peer, you should be able to ping the WireGuard internal IP:

10.131.111.1

iOS: Ping
OSX / Linux: ping

If you can ping the ip, you're good!

You may not be able to go on the internet, or even make DNS requests, it's normal.

We are just testing if the tunnel works. You can stop the tunnel.

Stop WireGuard manually

wg-quick down wg0

Script to launch on server startup

To start WireGuard on startup, we will write an OpenRC script. It will be located in

/etc/init.d/wg

Put the following:

#!/sbin/openrc-run
#

description="WireGuard"

depend() {
    need localmount net sysctl
    after bootmisc
}

start() {
    ebegin "Starting WireGuard"
    wg-quick up wg0
    eend $?
}

stop() {
    ebegin "Stopping WireGuard"
    wg-quick down wg0
    eend $?
}

status() {
    wg show wg0
}

Give it executable access

chmod +x /etc/init.d/wg

Manual

Start: rc-service wg start
Stop: rc-service wg stop
Restart: rc-service wg restart
Status: rc-service wg status

Startup

Add at startup: rc-update add wg
Remove from startup: rc-update del wg
Show services at startup: rc-status

Reboot and make sure everything works, you should see WireGuard logs when your server is starting.

Resources

These resources helped me when setting up my WireGuard server. Thanks!

[If the formatting of this post looks odd in your feed reader, visit the original article]

how to use the docker of the epitech moulinette

2020-01-19T00:00:00+00:00

this guide will show you how to install docker, download the epitech moulinette container and learn how to use it for your projects.

install

ubuntu:

sudo apt install docker.io

arch:

sudo pacman -S docker

setup docker before first use

to use docker without root privileges run

sudo usermod -aG docker $USER

and REBOOT your computer afterwards for changes to take effect.

to start docker on every boot

sudo systemctl enable docker

get the epitech container

docker pull epitechcontent/epitest-docker

will download the epitech moulinette environement. make sure to have fast internet, because the container is about 5 gigabytes.

start the container and get a shell

go into the directory you want to get a shell in the epitech container.

docker run -it --rm -v $(pwd):/home/project -w /home/project epitechcontent/epitest-docker /bin/bash

will get you a bash prompt: you are now in the container. run the commands you want, and exit the shell when you are done.

if you are using docker on windows (inside powershell), run

docker run -it --rm -v ${pwd}:/home/project -w /home/project epitechcontent/epitest-docker /bin/bash

[If the formatting of this post looks odd in your feed reader, visit the original article]

archlinux how old is your installation

2019-04-18T00:00:00+00:00

on archlinux, to see when you installed arch on your computer, run this command

sed -n "/ installed $1/{s/].*/]/p;q}" /var/log/pacman.log

it will display the date and the time when you ran pacstrap on the live cd to install your system.

on my laptop, i get [2018-10-21 21:05], which is when i switched from fedora back to arch because my school required fedora.

[If the formatting of this post looks odd in your feed reader, visit the original article]

openbsd first setup after install

2019-03-01T00:00:00+00:00

just installed openbsd on my chromebook, seems to be working fine!

since it's my first time using openbsd, here are some stuff that i will start to do on my machines after installing openbsd:

enable `doas`

doas is kinda the equivalent of sudo. to enable it, run cp /etc/examples/doas.conf /etc to copy the doas config file.

disable root account

now that doas is ready, we dont need to root account anymore. to disable it, run usermod -p'*' root to set the root password to *. this will prevent root from log on directly to the machine (with su as an example), but with doas we can run doas sh to get a shell.

install missing firmware for your hardware

maybe your wifi card isn't working? or maybe you can't display any graphical interface? maybe that's because you don't have the firmware for it: here's how to install it:

run doas fw_update -i to see the missing firmwares.

so grab a flash drive, format it in fat filesystem format, go to firmware.openbsd.org, download the missing firmwares, along with the SHA256.sig and index.txt files, and put them on the usb key.

mount the flash drive on openbsd, and run doas fw_update -p *path of flash drive* to install the firmwares from the flash drive.

your missing firmware should not be anymore.

[If the formatting of this post looks odd in your feed reader, visit the original article]

how to put a custom boot logo on a thinkpad

2019-02-24T00:00:00+00:00

disclaimer

i need to warn you that you are on your own. even though it works fine, i'm not responsible of what you do.

introduction

you have a thinkpad. it's beautiful, it's fast, it's perfect, it doesn't run windows; there's just one thing that could be perfect: the boot logo.

by default on new models, your boot logo look like this:

to get a custom boot logo, you need:

an internet connection
a compatible model
a usb flash drive
a gif image (you can also use a bmp or a jpg image, but i've found that with gif images it works better)

get the BIOS update

to install your custom boot logo, you need to flash a BIOS update.

to download the BIOS update, go on lenovo's support website, choose drivers and updates and find your model.

next, go in the section BIOS/UEFI and download the BIOS Update (Bootable CD). it will download a iso image.

if you can't find the update image, that means that you're out of luck, and you can't get a custom boot logo. sorry.

convert the iso image

now that you have the iso image, you need to convert it to a img file. to do so, run the following command in a terminal:

geteltorito -o bios-image.img bios-image-downloaded.iso

if you don't have geteltorito, look online to install it.

flash the image on your usb drive

now it's time to flash the image on your usb drive. get the name of your flash drive using lsblk, plug your usb drive, and run lsblk again to see your drive.

go into the folder where the img file is located, and run in a terminal:

sudo dd if=bios-image.img of=/dev/sdX bs=1M status=progress oflag=sync

where X is your drive letter that you know thanks to lsblk.

get the gif file to use

if you want, i already have this selection of images ready to be used, or you can make your own!

Here is a folder with images ready to be used

you can see the requirements, go in your usb drive, open the readme.txt in the flash folder.

put the gif image in the flash folder, and name it LOGO1.JPG. copy that image, and name that one LOGO2.JPG.

check the readme.txt file to see the filenames, they might differ on different models.

flash the BIOS update

reboot your computer, and boot on the usb flash drive. if you don't know how, the internet should help you with that.

now that the flash utility has booted, choose the second option, and follow the instructions.

the computer will reboot, flash the update, and when it will reboot, you should get your custom boot logo!

if you want to go back to the default logo, simply reflash the bios update, when when asked if you want to use your custom logo, say no, and the default logo will be put back.

[If the formatting of this post looks odd in your feed reader, visit the original article]

my contributions to the linux kernel

2018-04-10T00:00:00+00:00

you read it right! i am a contributor to the linux kernel!

... but you are going to be dissapointed: my contributions are not going to change the world, just comments, alignments and documentation and stuff...

i submited something like 10 patches (as of april 10, 2018) and 3 patches have been accepted and are now into the kernel!

if you wanna check them out, you can read them on kernel.org.

yes, i am aware that Linus has a copy of the repo on github, but when i try to see my commits on github, i can't get them because there is too many commits and github can't get me the list.

so, here are my kernel contributions, listed by date:

[If the formatting of this post looks odd in your feed reader, visit the original article]

restart chrome with a url

2018-04-09T00:00:00+00:00

did you know that you can restart chrome/chromium with a simple url?

here is it: about://restart !

but this trick does not work with the <a> html tag, which seems logical, copy the link and paste it in a new tab to get it to work

it'd be annoying as fuck if you could click on links that restart your browser, imagine if an extension could replace every clickable link with this one! 😊

i think its usage is for chrome developers, the end user doesn't really care to type a url to restart their browser, they click on the x and they reopen it (duh).

[If the formatting of this post looks odd in your feed reader, visit the original article]

error on zsh when using vim and autocomplete

2018-03-13T00:00:00+00:00

do you use zsh and ohmyzsh ?

do you run into an issue when you are about to edit a file with vim, and you use the Tab key to autocomplete the filename, but instead you get something like this:

$ vim ~/filena&lt;TAB&gt;
_arguments:448: _vim_files: function definition file not found

annoying af, right ?

how to fix it

here's how to fix it: delete the zcompdump directory off your personal directory, and reload your zsh config file (or close and open a new shell).

rm -rf ~/.zcompdump*; source ~/.zshrc;

it took me at least 15 mins to find that .... hopefully i save some time for you .

sources

stackoverflow and github

[If the formatting of this post looks odd in your feed reader, visit the original article]

how to link your vimrc file on windows

2018-02-17T00:00:00+00:00

i code on my linux machine, and i use vim as my text editor.
i've been using vim for almost 4 years, and i started to make my config file.
i store it with git, along all my config files for my linux setup (aka my dot files).

here's the thing, i also use windows to code, and i also use vim.
i also want to use the same config that i store in git.

to do so i need to do a symbolink link to my vimrc file. i dunno how to do that on windows.

here's how to do it:

cmd

if you use the old school, black boxed cmd.exe, you need to run these commands:

cd c:\users\_username_
mklink .vimrc _path-to-vimrc_

and you should be good to go.
just make sure it has been linked correctly with vim ~/.vimrc

powershell

if you use the new, blue boxed powershell.exe, it's a bit different:
you can make it with powershell's language (or whatever they call the stuff they're using), but some require admin privileges, some require custom functions or something like that...

or you can keep it simple and use the cmd command to use cmd.exe to run the mklink program to make the symlink:

cd c:\users\_username_
cmd /c mklink .vimrc _path-to-vimrc_

sources

i found this blog post to find out how to do symlinks on cmd,
and i used this wikipedia article and this stackoverflow thread to learn how to do it on powershell.

[If the formatting of this post looks odd in your feed reader, visit the original article]

dd status

2016-07-14T00:00:00+00:00

Here's a cool tip if you use dd to copy disk images to a disk, or if you want to clone drives.

As we all know (or should know), dd is a powerful tool; but it can be dangerous if not manipulated correctly.

By default, dd doesn't give any information on what is it doing; which can be very boring, because you don't know when you'll be able to test that new Linux distro you just discovered!

Well, good news! You can get some status from dd! This tip works on Linux and OS X.

Linux

When you enter your dd command, add this little snippet at the end:

status=progress

When dd will be busy doing its thing, you should get some info about its progress.

OS X

Run your dd command normally without status=progress, after that open a new terminal and enter this command:

while pgrep ^dd; do sudo pkill -INFO dd; sleep 30; done;

And come back into the dd command. When the dd task will be done, the second command we ran will exit as well and you can close that other terminal safely.

30 is the number of seconds that will update the counter every X seconds.

[If the formatting of this post looks odd in your feed reader, visit the original article]

deadbaed

Self hosted Nix binary cache with Attic

Install the cache

Credentials

Configuration

Reverse proxy

Configure the cache

Create a user token

Consume token

Use the cache

Push to the cache

CI

Run Nix on Forgejo Actions on NixOS

Setup a runner

Registration token

OCI containers and Forgejo labels

Write your workflow file

2025 Retrospective

Starting with a failure

Try something else

Back to the old school

Blog

Rest of the year

Lookback

Neovim LSP config for TypeScript (vtsls) with Yarn Plug'N'Play

Plug And Play

Ghost dependencies

Editor support for TypeScript and others

Neovim setup

Zip files

Editor SDK generation

Integration with the vtsls LSP

Future

Migrating my blog to my own engine

Begginings

Feature set

Content

Filename

Custom components

Web feed

It will never be finished

Write more

Automount a Hetzner Storage Box with sshfs on NixOS

Not a lot of storage

Storage Box ordering and setup

SSH keys

NixOS configuration

First setup of Archivebox

Hide everything from the public

Create first user account

Setup a private Docker registry

Get started locally

Authentication

Use the registry

Naming images

Login to registry

Push / Pull

Deploy to production

Setup a service on our internal infrastructure on Alpine Linux

Get started

WireGuard

Install

Configure

Start

DNS entry

MOTD

Reverse proxy

TLS certificates

Install the service

Docker

Dynamic MOTD on Alpine Linux

Resources

Setup Caddy with a CA and ACME server on Alpine Linux

Caddy

Install

Configuration

Script to launch

Generate keys and certificates

OpenSSL Configuration

Root key and certificate

Integration with the `vtsls` LSP

enable `doas`