Posts

This blog post was initially intended to explain how to migrate from iptables to nftables — there are plenty of similar posts all over the internet. However, I soon realised that I was also running Docker on my laptop, which still does not natively support nftables at the time of writing. I therefore decided to write a dual-aim article: switching to nftables and allowing Docker containers to access the network. Disable iptables To fully transition to nftables and prevent conflicts, it’s important to stop and disable the legacy iptables services. You can do this with the following commands: ...

Why I Did It At first, this was a learning project. I wanted to understand the real nuts and bolts of Kubernetes — not just on paper, but on actual, bare-metal hardware in my home. But over time, it became something more. It became my platform — the place where I host the things I care about, where I experiment, where I break things and fix them again. What I Wanted To learn how things really work under the hood To automate everything — no clicking, no guesswork To host my own services with security and flexibility in mind To power things down when I don’t need them, and boot them up instantly when I do What I Built The stack is simple but powerful: ...

Having worked out how to handle TLS traffic on my K3S setup, it is time to achieve the same goal on Docker. In this guide, I’ll show you how to set up a Raspberry Pi running Docker Swarm, SWAG (Secure Web Application Gateway), and Let’s Encrypt to secure your containerized applications with free TLS certificates. While I’ll use Jellyfin as an example, this approach works for most containerized applications. Getting started Prerequisites A Raspberry Pi with Docker and Docker Swarm. A public domain managed, for example, by Cloudflare. Containerized applications, such as Jellyfin, running on Docker. SWAG to handle reverse proxy and TLS certificates. Folder structure All my Docker containers data is stored on BTRFS volume under /opt/my_pool where I have created a folder for each container and the nas-stack.yml file with all the Docker instructions. ...

In this article, we’ll look at using Traefik in K3S alongside cert-manager to act as an ACME (Automatic Certificate Management Environment) client for acquiring certificates from Let’s Encrypt. In order to obtain certificates, it is necessary to prove domain ownership to a Certificate Authority (CA). One method of verifying ownership is through a DNS-01 challenge. For this guide, we will use Cloudflare as our DNS provider, but the principles outlined can easily be adapted for use with other DNS providers. ...

This is the first part of my MikroTik and Terraform series, where I will explain my old and current setup and answer a lot of questions about why. Old setup Many, many years ago I decided to abandon the traditional two-pair wiring hDSL (most widespread, at least in Switzerland) because I was bored of paying the electrician at each house change due to the required changes on the building telephone panel. To cut a long story short, I chose the LTE modem for its versatility, I have no need for high performance and therefore did not choose fibre optics. ...

I recently bought a MikroTik router and I’m spending a lot of time configuring it and trying to understand/learn as much as I can (some posts coming in the near future). With the new router I would like to go a step further and set up some static DNS entries within my home for my devices and for my lab. In this post we will: Prevent dhcpd and NetworkManager to overwrite /etc/resolv.conf Configure Dnscrypt-proxy to use Quad9 with DoH Use Dnscrypt-proxy forwarding feature to resolve hostnames of home devices Manually configure /etc/resolv.conf Configure dhcpd By default, dhcpd obtains nameservers from the DHCP server and configures them in /etc/resolv.conf. If you are a frequent traveller, this means that you will use whatever name servers are configured on the networks you connect to, with some potential security threads (MiTM, DNS Spoofing/Hijacking and privacy risks). To avoid this, we will configure dhcpd to ignore the DNS servers received from the dhcp server and always use Dnscrypt-proxy listening on localhost:53. ...

Nowadays, the browser is always open on my computer and I spend most of my time there. If there is a problem or I need to look up the parameters of a command, the first thing I do is look it up on the web. Now I want to go back to using man pages and rediscover the romance and essence that they convey. Why Man Pages? Always there when you need them: Unlike the internet, which requires connectivity, man pages are always right there on your system. Whether you’re on a plane, in a remote area, or just want to avoid the distractions of the web, man pages are a reliable companion. ...

I would like to build a simple NAS using my Raspberry Pi 5, equipped with the Geekworm X1011 and an M.2 NVMe drives. This project will also provide me with the opportunity to use BTRFS for the first time. Getting started To install BTRFS excecute the following commnad: sudo apt install btrfs-progs Uses lsblk to get the current partitions status $ lsblk NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS mmcblk0 179:0 0 14.9G 0 disk ├─mmcblk0p1 179:1 0 512M 0 part /boot/firmware └─mmcblk0p2 179:2 0 14.4G 0 part / nvme0n1 259:0 0 476.9G 0 disk └─nvme0n1p1 259:1 0 476.9G 0 part nvme1n1 259:2 0 238.5G 0 disk nvme2n1 259:7 0 238.5G 0 disk If necessary, use one of the many tools, such as wipefs, fdisk, cfdisk, or parted, to remove the old partitions, for example: ...

In Debian installation process, the preseed.cfg file allows for automated installations by pre-configuring various installation parameters. In this article I will focus on the d-i preseed/late_command string parameter, which is used to run custom commands at the end of the installation process. Here is an example that I recently used in my packer-vbox-debian-latest project: d-i preseed/late_command string \ mkdir --mode=700 /target/home/testuser/.ssh; \ wget -q http://10.0.2.2:8081/key.pub -O /target/home/testuser/.ssh/authorized_keys; \ in-target chown testuser:testuser /home/testuser/.ssh; \ in-target chown testuser:testuser /home/testuser/.ssh/authorized_keys; \ in-target chmod 0600 /home/testuser/.ssh/authorized_keys As you can see, sometimes /target is used, other times in-target, I must admit I struggled a bit to understand the difference and when to use one instead of the other. ...

My current Arch Linux installation has many years and I’d like to reinstall it using other technologies like LVM and BTRFS, but before reinstalling my laptop, I’m testing the installation process inside a VirtualBox VM. This morning I got bored of typing all the commands and in my head popped up Powershell Direct with Hyper-V. Basically you can attach a Powershell session directly to the Hyper-V VM. I found a similar approach by configuring port forwarding in VirtualBox and connecting via SSH. ...