-
Securing Kubernetes access using OIDC and Keycloak
Yesterday I finally implemented proper SSO for my Kubernetes clusters and since I noticed some bad patterns in other tutorials along the way, I decided to write my own. Hoping to make different mistakes.
-
Fighting phishing for everyone's good
Today I spent a few minutes to report phishing mails and domains that I collected with my various email addresses. Since I think many people will face a similar problem at some point, the question “What do I do with this information?”
-
Please use official example and test domains
Every now and then, you want to make an example. Suddenly you end up with the wildest domain names in these examples. A popular misuse of an IP that suddenly became a real address was 1.1.1.1, but there is a solution for this.
-
Kubernetes native delete protection using Validation Admission Policies
In Kubernetes 1.30 Validation Admission Policies became stable and generally available. Validation Admission Policies are a lightweight, built-in policy engine for the Kubernetes API server that allows you to use the “Common Expression Language” (CEL) to express policies for single objects and warn, log or deny them.
-
Helpful resources about the polyfill supply-chain attack
Today sansec.io published an article about a supply-chain attack against the popular polyfill.io library. polyfill.io is a JavaScript library that provides modern browser features for legacy browsers by implementing backwards compatible versions of the required APIs if possible.
-
CVEs, Exponential Growth and the next Log4shell
I think many will remember Log4Shell as a security event. It has become a scale for the badness of a security event. “It’s an issue, but not the next Log4Shell” is a sentence I throw around from time to time.
-
Using Kubernetes spare capacity for Pods
In Kubernetes you can do a lot of fun little things. One of them is playing with the cluster-autoscaler and creating workloads that only run when there is spare capacity left in your cluster.
-
How to screw up your Raspberry Pi
I bought a Raspberry Pi 5 with an NVMe base from Pimoroni and decided to play around with it. I should mention that it has been quite a while since my last Raspberry Pi endeavours. 4 years to be exact, so I’m a little rusty.
-
Growing home infrastructure
I’ve been running IT infrastructure at home for a while now, and I’ve seen people come in and out of self-hosting. So here are some lessons I’ve learned about running my home infrastructure with complex setups like Kubernetes.
-
Helpful resources for the xz situation
Collection of useful resources to bring people up to speed with the situation.
-
Post mortem: oauth2-proxy security incident
The use of the trusted-ip-flag for oauth2-proxy resulted in skipped authentication steps for various services in the Shivering-Isles infrastructure.
-
Energy Saving Fallacy
As mentioned in a previous article about CO2 emission monitoring I’m using Shelly Plugs to monitor the energy usage of devices.
-
Fedora Silverblue LUKS Keyboard Layout
When installing Fedora Silverblue and encrypting the disk using LUKS, I always run into the problem that my keyboard layout is German during the installation, but once rebooted and entering the boot environment where I am entering my LUKS password, the layout is the US layout. This is a known limitation...
-
Managing End of Life dates
Recently I’ve been talking a lot to people about End of Life (EOL) dates. It seems like it is common to struggle a bit with keeping on top of EOL dates for software and products. Therefore let me introduce you to this nifty website called endoflife.date.
-
Power efficiency problems with AMD CPUs on Linux 6.5.5
An unusually noticeable humming was coming from my home infrastructure machines during the past day. Usually these machines are basically silent since I disabled CPU boosting as part of noise and power optimisation. But not today.
-
About Read-Only Containers, Ruby and EmptyDir
I’m running the majority of my workloads on Kubernetes these days, including my Mastodon instance. For many years I’ve been running Mastodon in read-only mode for the container filesystem. However, I somehow missed the Sidekiq container.
-
Owning Music, Saving Money, Support Artists
The other week I decided to get some new music from a band I enjoyed. Looking at the options to download their music on a platform seemed limited and often poisoned with Digital Rights Management (DRM).
-
Install Netbird on Unifi UDM
Just a quick documentation for myself that might come in handy for other people as well.
-
Fixing HedgeDoc failing to fetch profileinfo with Keycloak 20
Today I was surprised that my HedgeDoc refused to let me in using my SI-Auth SSO based on Keycloak.
-
Unmountable EBS volumes
Today I investigated an interesting phenomenon: AWS EBS volumes decided to not get mounted for some workload in a Kubernetes cluster. There was no clear reason why given that the volumes had tried to be attached and the error message didn’t indicate that something was fundamentally broken. Also after a...
-
How to program FlexiSpot E7
Since I always forget where I put the paperwork to my desk and I considered the FlexiSpot web page hard to read, I decided to just document this piece of information here.
-
CO2 monitoring using Prometheus, Shelly plugs and co2signal
This week I got my new Shelly plugs. This was the missing piece to properly monitoring the amount of CO2 produced by my devices’ electricity usage. In order to do this, I take the CO2 produced by the German power grid, that the co2signal API provides, normalise this data and...
-
Backup internet connection
Setting up a backup internet connection is trivial nowadays. All you need is an Ethernet to USB adapter and, if this Ethernet adapter happens to not be USB-C, a USB-A to USB-C adapter (which you probably already own, thanks to notebooks dropping Ethernet ports).
-
Mirroring your cluster images
When you run a Kubernetes cluster in production and you happen to misconfigure a deployment, it can quickly happen that you hit the Docker Hub rate limits. But it can also happen that an upstream registry is just unavailable or an image has been deleted. In order to counter this,...
-
Postgres-Operator with Metrics
When running PostgreSQL in Kubernetes, operators quickly become a topic. Operators are a concept of application-specific Kubernetes controllers. Or to put it more simply: operators are programs that configure and manage other software.
-
Extend your recovery plan
Today is “world backup day”, a day where everyone is reminded to have a backup of all their important data. And since everyone is reminded to take their regular backup today, let’s talk about what your backup should include, and what you might want to add to be even better...
-
Store Kubernetes Credentials in pass
Kubernetes is a powerful orchestration software that puts a lot of power into its CLI interface kubectl. However, when it comes to credential storage, it’s rather mediocre. While it provides all you need, by default it’ll store your access tokens, certificates or alike in your home directory in plaintext. This...
-
F-Droid as an IPFS repository
In the past few days I looked into a proof of concept for an IPFS-hosted F-Droid repository. The background for this experiment was the idea to get rid of more manual upgrades that my phone is currently plagued with, for example for Signal, where one has to manually approve updates,...
-
How FLoC incentivises more, not less tracking
Google recently published a new standard called “Federated Learning of Cohorts”, short FLoC. Google would like to see this standard adopted by the wider internet to keep its ad/tracking business floating after basically every browser nowadays, soon including Google’s own Chrome and Chromium browser, blocks 3rd-party cookies. At least according...
-
FSF - Stop riding a dead horse
Today the FSF published two statements, one by their board and one by Richard Stallman (RMS) himself, both trying to explain the currently rather awkward situation, where by some sort of back-room meetings RMS somehow made it back onto the board of the FSF and wasn’t welcomed as much as...
-
Carving little helper scripts
Over the past few weeks I’ve been writing some scripts and bash commands to generate version numbers as well as to automate compliance around repositories. Since I usually just throw them into the Snippets section on SI-GitLab or even more often some repository there, let me share them here, so...
-
Print what you enjoy
Today I went ahead and handed out a copy of my University thesis to the professor who mentored me while writing it. And I recalled why I recently spent more than 100€ to print multiple copies.
-
Zero downtime LUKS + LVM volume resize
On my server backends, all volumes are encrypted. The raw block storage is provided by my hosting provider. Therefore, on top of the block storage, a LUKS volume is created to ensure secrecy of all data stored there. To keep management easy and allow easy filesystem snapshots for backups...
-
Debug your DNS traffic with systemd-resolved
It happens from time to time that you wonder why DNS is not working, where things are breaking and, especially in case of proprietary software, what DNS requests applications are making.
-
Configure DoT on systemd-resolved
I have been running my own DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH) servers at dns.shivering-isles.com for quite a while now. Finally I managed to configure my Fedora system to use these DNS servers for all DNS queries, not just the ones from the browser.
-
CentOS Stream and what the fuss is about
For those active in the Linux world, you might have heard of CentOS. Long known as the “RHEL clone”. There was a bit more to it, but I want to dive into the details here. Note, this article is a complete opinion piece, so feel free to disagree and don’t expect your...
-
Odd lurker bots on Matrix
Over the past months I’ve been monitoring a situation across my matrix rooms that makes me a bit uncomfortable. A growing number of bots that join those smaller communities and do nothing but lurking, resulting in higher server loads and unnecessary message distribution.
-
Growing a community
I’ve been building (free software) communities for quite a while now. With HedgeDoc (formerly CodiMD) being probably the most successful project. How can one tell? Well, I was able to step back a bit and let better people for the job handle it. However, there is also MadIRC which is...
-
Improve your mobile browser experience
As I just set up my phone’s browser, I thought it might be nice to make some notes and share them with the world. This article aims at people who currently just use their default browser on Android. If you are using the Tor browser or have your own browser...
-
Self-sufficient commits
When I look at commit histories I’m often scared. Scared by what happens if people ever move their source code to another platform to collaborate. A well written git history can help to prevent a lot of reverse engineering of your future self or other developers. How? By providing useful...
-
Why I use multiple password managers
You might have seen my previous take on password managers where I mentioned that I used all four of the compared password managers. These days I reduced the number of password managers that I use a bit, but I still use two different password managers on a daily basis. Those password...
-
Self-isolate your website with a CSP
Of course the headline is a little wordplay talking about the current situation, but also correct nonetheless. In order to harden your website and prevent unexpected leaking of your user’s IP addresses and browser fingerprints to third-parties, a CSP, Content-Security-Policy, is a great tool.
-
Why web feeds are better than email newsletters
When I look in my mailbox and registration forms around the web one thing is essential: Everyone wants to get back to me. And everyone wants to do that by email. From web shops where I buy a single item explicitly without creating an account, to blogs and even portfolio...
-
Using duplicity and Backblaze B2 storage for backup
Making regular backups of your data is important. I hope no one is trying to debate on that. Of course, some data is more important than other data, but given that you want to keep things around, I recommend you to store your data in a good place and then make...
-
Shivering-Isles GitLab in 2020
As you may know, I run a GitLab instance for my private projects on one of my servers. In order to make it easy to identify I usually refer to it as SI-GitLab. And to say the least, GitLab is an amazing piece of software.
-
Using the Matrix room directory
Everyone who follows me around will have noticed that I’m an advocate for the matrix protocol. The main argument is of course the federation, but also the growing ecosystem and strong standardization of the protocol. Since I’m an advocate for the protocol, I of course provide various channels on this wonderful, federated...
-
Fedora, where are you?
Looking at the most recent wiki changes by the Debian project, I love to say: Welcome to the Fediverse, Debian! I’m looking forward to wonderful people to exchange about tech and social topics!
-
Home is where SSO works
Some people might have already noticed, but during last year I set up Keycloak for SSO to all services on my private setup. And to tell things as they are: It’s awesome. You open your browser, as always it deleted all cookies. I open my Mastodon instance, click on login, enter my...
-
Privacy for SSH
SSH is probably one of the most used protocols world-wide and daily used by developers and administrators. But have you ever thought about what your SSH connection might tell about you?
-
Manage Firefox on Fedora
When you run Firefox in an enterprise environment, you are for sure interested in deploying your settings and not relying on the defaults. This whole topic got even more important with the deployment of DNS over HTTPS (DoH) in Firefox.
-
Why for Matrix TOFU is not an option yet
When you stay around the support channels of Matrix, you’ll come across a lot of people asking why end-to-end-encryption (E2EE) is so complicated in Matrix or more explicit in Riot and why you have to verify each and every device of each and every member of a room. In order...
-
Updating the UEFI/BIOS of a Lenovo t450s using Fedora
A year ago, my Lenovo X1 Carbon running Fedora was greeting me with firmware updates for the first time, using fwupd, an awesome service for integrated firmware updates on Linux. A service that the Linux community was lacking for way too long and probably due to its absence causes millions...
-
How to create a LUKS-encrypted external device on Linux
Nowadays you shouldn’t leave any data on a disk unencrypted. Therefore creating an encrypted external hard drive is considered good practice to store your data, system backups and more.
-
Atom plugin "gitlab-integration" leaks your tokens
After waiting 90 days for the developer to answer or fix it, it’s time to inform the public.
-
Shivering-Isles Onion Service
Remember Cloudflare announcing their “Cloudflare Onion Service” a few months ago? This was a huge step for them towards becoming more Tor-friendly and an experiment to reduce the number of CAPTCHAs TorBrowser users have to solve. Besides that, it introduced a quite interesting concept of handling Tor traffic.
-
Using web feeds
In recent months, I reorganized my news flow. As I don’t use those regular news apps like Google News or similar, my main source of News was Twitter and a public media news app. Somehow it wasn’t really organized and I simply missed some news, while getting a lot of...
-
Let's discover OpenPGP keys
I don’t know how familiar you are with OpenPGP as a standard or GnuPG as one of the providers for OpenPGP, but it’s one of the two big standards for email encryption. Besides that it’s also used for signing software packages in almost all Linux distributions, signing ISO files to...
-
First impression on /e/
This weekend I did something I planned to do for more than a year already. I got rid of the stock ROM on my smartphone and I highly recommend everyone else to do this as well, and a lot earlier than me.
-
Forget your passwords!
In this blog you can find 3 different articles about passwords and password safes. Starting with one about KeePass, one about LastPass and finally one comparing both of them with Bitwarden and pass. So let’s talk about how using them changes your daily life.
-
New Design
As you may notice my blog looks a bit different. In the past week I started to re-design the blog in various ways.
-
Mastodon and Amazon S3
Back on 21st of August I ran into a conversation between Gargron, the founder and main developer of Mastodon, and a user about the security of images uploaded for the purpose of direct messages.
-
Publish your work while keeping a private fork
-
Password safes - LastPass vs. Bitwarden vs. Keepass vs. Pass
-
Why IRC is not dead
Today we have various “replacements” for IRC that solve a lot of IRC’s problems. There are closed source solutions like Slack and Hipchat, as well as open-source solutions like Let’s chat, Rocket.Chat, and Mattermost, that call themselves a replacement for IRC.
-
TravisCI - Build a CI pipeline for Docker images
The last few days I spent creating Docker images and improving their automated testing. I was using Jenkins as a self-hosted solution a few months ago but as it is written in Java and has an ugly UI, I wasn’t really in love with it. Is now resolved by...
-
Helpful shell snippets for Docker, Testing and Bootstrapping
Today, I won’t provide a real article but some helpful shell snippets for working with bootstrap scripts, docker images or other minimal setups.
-
Docker - Minimize your containers with alpine linux
-
Make better software with Docker
Under the premise “containerize all the things” I’m working a lot with Docker building more and more container images. A few days ago I had a conversation about the need for Docker. Well, actually it was more about why Docker doesn’t make anything better.
-
Config management at MadIRC
A week ago I talked about configuration management of an InspIRCd instance in the #InspIRCd support channel. So today I’ll provide you a little insight into the configuration management I built for MadIRC.
-
Scalability - Why most web applications cannot scale horizontally
Last week one of the greatest cloud computing events in the world was going on: The DockerCon2016. And one of the things Docker wants to bring to people is scalability for their applications. Especially horizontal scalability.
-
HTTP/2 - Getting ready on Debian with Apache2
HTTP/2 is the newest version of the HTTP protocol and has a lot of improvements including binary headers. I’m currently thrilled by “state of the art”-web-applications, but still running an apache2 web server. Most people agree that nginx is more “state of the art” than apache2 and may be right....
-
JavaScript performance optimization
After explaining in my previous article how to optimize the load time of JavaScript let’s talk about how to improve the runtime of JavaScript.
-
KeePass - The place for all your keys and passwords
Secure passwords are needed these days. Using passwords only once improves security a lot. It’s also important to use long passwords. More than 16 characters are recommended. Complex passwords also improve the security significantly.
-
The science of loading JavaScript
The current web without JavaScript? Sounds impossible. JavaScript allows web designers to create everything. From a simple form which validates data before sending, over cool element effects, to full programs and games written in JavaScript running in nearly every browser and every platform.
-
Ansible on Windows using HyperV and Debian
Ansible is a nice tool to manage your servers simply by using ssh. I’m working on scripts to deploy all my services via Ansible but I ran into a problem: Ansible isn’t really well supported on Windows.
-
Let's encrypt: Free, trusted certificates for postfix and dovecot
After explaining how to get certificates for generic services, which you can read in my recent blog posts, I’ll explain how to set up dovecot and postfix working with Let’s encrypt certificates.
-
Let's encrypt: Renew all your certificates using systemd
In my previous blog entry I said I have to handle the renew process for let’s encrypt in its own article. So here it is.
-
Let's encrypt: Get certificates for reverse proxied services
Let’s encrypt is a lovely solution for the big problem of expensive certificates. It allows you to get free certificates by running their clients. To prove that you are the owner of the domain they just use a challenge which is placed on your webserver.
-
Welcome
Welcome to my ‘new’ blog.