DevOps von UCLAB

Containers From Scratch

Wed, 15 Apr 2026 08:02:44 +0000

Liz Rice’s containers-from-scratch talk is one of the best explanations of how containers work under the hood. You build a container runtime from ~100 lines of Go, and by the end you understand what Docker is actually doing.

The problem: the code was written when cgroups v1 was standard. Ubuntu 24.04 (Noble) ships with cgroups v2 only, and a few other things have changed since Go 1.16. This post walks through the fixes.

AI Devcontainer — Architecture & Setup

Tue, 07 Apr 2026 07:46:04 +0000

Overview

This devcontainer provides a self-contained, GPU-accelerated AI development environment running inside a DevPod workspace. It serves a full local LLM stack accessible publicly via a Cloudflare tunnel at https://ai.uclab.dev.

Internet
   │
   ▼
Cloudflare (ai.uclab.dev)
   │  Zero Trust Tunnel
   ▼
cloudflared (container)
   │  http://localhost:8080
   ▼
Open WebUI  ──────────────────►  Ollama API (localhost:11434)
(port 8080)                           │
                                       ▼
                                 GPU: RTX 5060 (8 GB VRAM)
                                 Models: llama3.1:8b, qwen2.5:7b,
                                         deepseek-coder-v2:16b-lite-instruct-q4_K_M,
                                         mistral-nemo

Host Requirements

Requirement	Details
Container runtime	Docker with nvidia-container-toolkit
GPU passthrough	CDI (`nvidia.com/gpu=all`)
DevPod workspace	Workspace ID: `ai`
Host directories	`~/.ollama` (model storage), `~/.cloudflared` (tunnel credentials)

File Structure

.devcontainer/
├── Dockerfile              # Image definition
├── devcontainer.json       # DevPod/VS Code container config
├── pull-models             # Script to pull Ollama models (idempotent)
├── supervisord.conf        # Reference config (not active — see note below)
├── supervisord/
│   ├── ollama.conf         # Supervisor program: Ollama
│   ├── open-webui.conf     # Supervisor program: Open WebUI
│   └── cloudflared.conf    # Supervisor program: Cloudflare tunnel
└── scripts/
    ├── setup               # Trusts and installs mise tools for workspace
    └── setup_project       # One-time project setup (commitizen, pre-commit)

Docker Image

Base: nvidia/cuda:12.8.0-runtime-ubuntu24.04

Vault on a Synology NAS and Migrating Secrets

Sat, 04 Apr 2026 11:24:04 +0000

I recently needed to migrate my HashiCorp Vault instance from a dedicated Ubuntu VM to a Docker container running on my Synology DS918+ NAS. This post covers the entire process: setting up Vault on Synology, configuring it behind the built-in reverse proxy, creating a proper policy and user structure, and finally migrating all secrets from the old instance — including re-connecting everything to an External Secrets Operator running in a k3s cluster.

Tmux Multiple Panes

Mon, 30 Mar 2026 09:01:36 +0000

Sending the Same Command to Multiple Panes/Windows in tmux

Ctrl+b  :set-window-option synchronize-panes on

Now anything you type goes to all panes simultaneously. Turn it off with:

Ctrl+b  :set-window-option synchronize-panes off

Building a Virtual Cisco Network Lab with Containerlab

Sat, 28 Mar 2026 20:10:52 +0000

So you want a real Cisco lab running on your laptop or a small Linux box — no physical hardware, no expensive CML server license, just containers. This post walks through exactly that: installing Containerlab, building Docker images from Cisco IOL binaries using vrnetlab, defining a multi-node topology, and finally pushing configuration to every device automatically from AWX.

By the end you will have two routers and two switches wired up, OSPF converged, VLANs pushed, and L2/L3 interfaces configured — all from Ansible playbooks running in AWX.

Deploying NetBox on k3s

Sat, 28 Mar 2026 07:41:10 +0000

NetBox is the source of truth for network and infrastructure documentation. If you run a homelab or a small datacenter and want to know what IP belongs where, what VLANs exist, and which rack holds which server — NetBox is the tool for the job. This post walks through deploying it on a k3s cluster using the official Helm chart, FluxCD for GitOps, and HashiCorp Vault via ExternalSecrets for secret management.

AWX in Practice

Thu, 26 Mar 2026 08:53:02 +0000

In my previous post, I got AWX running on k3s with a custom Execution Environment for Cisco collections. Time to actually use it for something practical: a self-service VLAN provisioning job that lets anyone on the team provision a VLAN on specific switches by filling in a form — no CLI, no SSH, no risk of typos in config mode.

This post covers building it end to end, including the surprising number of gotchas I hit with surveys, host targeting, and variable scoping.

Deploying AWX on kubernetes

Wed, 25 Mar 2026 18:11:08 +0000

After running Ansible playbooks directly from my workstation for a while, I decided it was time to get a proper AWX instance running in my homelab k3s cluster. This post covers the full journey — from Flux manifests to a custom Execution Environment with Cisco collections — including every gotcha I hit along the way.

The Stack

k3s multi-node cluster (aarch64 NUC nodes)
Flux v2.8.1 for GitOps
Cilium CNI with Gateway API
cert-manager for TLS
Forgejo self-hosted git and container registry
AWX 24.6.1 via the awx-operator Helm chart

Repository Structure

I use a base/overlay pattern in my GitOps repo. AWX lives under apps/:

Kubectl Kustomize

Wed, 25 Mar 2026 09:03:31 +0000

Managing a homelab Kubernetes cluster with Flux GitOps means I rarely kubectl apply raw YAML anymore. Everything lives in Git and Flux reconciles it. But there’s still one pair of commands I reach for constantly when developing or debugging an app:

k kustomize      # inspect the rendered output
k apply -k .     # apply it manually when I need to

This post walks through what these commands actually do, how they fit into a Flux-based workflow, and a real example from my n8n deployment on a Raspberry Pi 5 k3s cluster.

Hello World in Python

Sun, 22 Mar 2026 07:37:44 +0000

fabric is an open-source framework for augmenting humans using AI.

echo "write hello world in python and describe what everything does" | f-coding_master

The Code

print("Hello, World!")

What Everything Does

# Breaking down each component:

print("Hello, World!")
#  ^      ^         ^
#  |      |         |
#  |      |         └── Closing parenthesis ends the function call
#  |      └── The string argument passed to the print function
#  └── Built-in Python function that outputs text to the console

Detailed Breakdown

# COMPONENT 1: print()
# print is a built-in Python FUNCTION
# Functions perform specific tasks when called
print()

# COMPONENT 2: Parentheses ()
# Parentheses CALL the function and wrap arguments
print()

# COMPONENT 3: "Hello, World!" - This is a STRING
# Strings are text wrapped in quotation marks
print("Hello, World!")

# COMPONENT 4: Quotation Marks ""
# These define the beginning and end of your string
my_string = "Hello, World!"

# COMPONENT 5: Running the complete statement
print("Hello, World!")  # Output: Hello, World!

Extended Example

# You can also use single quotes
print('Hello, World!')

# You can store the message in a variable first
message = "Hello, World!"
print(message)

# You can print multiple things
print("Hello", "World")

# You can use an f-string for dynamic output
name = "World"
print(f"Hello, {name}!")

IDEAS

Python’s print() function is the most fundamental building block every beginner learns first.
Strings in Python can be wrapped using either single or double quotation marks interchangeably.
Functions in Python always require parentheses to actually execute and perform their task.
Hello World programs traditionally serve as a programmer’s very first introduction to any language.
Python is designed to be readable, making it perfect for absolute beginners starting their journey.
Built-in functions like print() come pre-installed with Python requiring no additional imports whatsoever.
Variables can store strings allowing reusable and dynamic text output throughout your entire program.
F-strings allow you to embed variables directly inside strings using curly brace syntax elegantly.
Python does not require semicolons at the end of statements unlike many other languages.
The console or terminal is where print() sends its output for the user to see.
Comments in Python start with a hashtag symbol and are completely ignored during execution.
Python code executes line by line from top to bottom in a sequential logical order.
Strings are considered a data type in Python representing sequences of individual characters.
NetworkChuck emphasizes that Python’s simplicity makes it the best first language for absolute beginners.
Codecademy teaches Hello World as lesson one because it immediately shows satisfying visible results.
Arguments are values passed inside function parentheses telling the function exactly what to process.
Python 3 requires parentheses with print unlike Python 2 which treated print as a statement.
The comma inside “Hello, World!” is simply part of the string and not Python syntax.
Indentation matters deeply in Python but Hello World requires none making it perfectly simple.
Every Python program can be saved with a .py file extension for proper execution later.
Running Python files through terminal teaches beginners the connection between code and real execution.
Understanding output functions early helps beginners debug their code by printing variable values constantly.
Hello World is universally recognized across every programming language as the starting point tradition.
Python’s interpreter reads your code and translates it into machine-readable instructions automatically for you.
String concatenation allows combining multiple strings together inside a single print statement very easily.

INSIGHTS

Simplicity of Hello World masks the deep complexity of what computers actually do underneath.
Learning print first teaches beginners that programming is fundamentally about communication between human and machine.
Python’s readable syntax reduces cognitive load allowing beginners to focus on logic not memorization.
Built-in functions represent years of developer work abstracted into simple callable one-word commands for everyone.
The tradition of Hello World unifies all programmers globally regardless of language or experience level.
F-strings represent Python’s evolution toward more intuitive human-readable dynamic string formatting over time.
Variables teach the core concept that computers can remember and recall information on demand.
Understanding arguments prepares beginners for the deeper concept of passing data between functions later.
Console output is the simplest form of human-computer interaction forming the foundation of all programming.
Python’s design philosophy prioritizes human readability proving that powerful code does not require complexity.

RECOMMENDATIONS

Start every Python learning journey by typing Hello World manually never copying and pasting it.
Practice modifying the string inside print to build confidence with changing and experimenting with code.
Use Codecademy’s free Python course to get immediate browser-based feedback without installing anything locally first.
Watch NetworkChuck’s Python beginner videos for entertaining real-world context around foundational programming concepts today.
Always save your Python files with the .py extension to ensure proper syntax highlighting works.
Experiment with single and double quotes to understand that both produce identical string results always.
Try storing your Hello World message in a variable to learn about memory and storage.
Use comments liberally while learning to annotate what each line does for future reference.
Progress from print to f-strings early to understand how dynamic output makes programs more powerful.
Run your Python code from the terminal as NetworkChuck recommends to build real command-line confidence.
Break your code intentionally to understand error messages which are Python’s way of teaching you.
Combine multiple words in one print statement using commas to explore how output formatting works.
Install Python locally after mastering browser-based environments to experience real development workflow properly.
Join coding communities on Discord or Reddit where beginners share their first Hello World proudly.
Read Python’s official documentation early to build the habit of consulting authoritative sources for answers.
Practice daily even if only for ten minutes because consistency beats intensity in learning programming.
Challenge yourself to print Hello World five different ways to deeply understand Python’s flexible syntax.
Teach Hello World to someone else immediately after learning it because teaching solidifies understanding permanently.
Use VS Code as your editor since NetworkChuck and most professionals recommend it for Python development.
Track your progress by saving every version of your Hello World experiments in organized folders.

HABITS

Type code manually every single day instead of copying to build genuine muscle memory quickly.
Read error messages carefully every time because Python’s errors are actually helpful instructional feedback always.
Comment your code consistently so future you understands exactly what past you was thinking clearly.
Experiment fearlessly with modifications because breaking code in a safe environment accelerates real learning dramatically.
Review previously written code weekly to notice how much your understanding has genuinely improved over time.
Use the terminal daily to run Python files building comfort with command-line interfaces progressively.
Watch one coding tutorial video daily from creators like NetworkChuck to stay motivated and inspired.
Practice explaining code concepts aloud because verbalization reveals gaps in your understanding very quickly.
Save all your practice files organized by date to track your complete programming learning journey.
Write at least one new Python program daily even if it only contains a single line.
Search Codecademy forums whenever stuck before asking others to build independent problem-solving skills effectively.
Test every code example you encounter by actually running it rather than just reading passively.
Celebrate small wins like your first Hello World because positive reinforcement sustains long-term learning motivation.
Set a consistent coding time each day making programming a non-negotiable daily habit permanently.
Review Python documentation regularly even as a beginner to normalize consulting official sources for answers.
Share your code with beginner communities regularly to receive feedback and build accountability over time.
Refactor your Hello World code in new ways weekly to continuously deepen your foundational Python understanding.
Keep a coding journal documenting what you learned each session to reinforce retention significantly.
Challenge yourself to write code without looking at references to measure your true comprehension level.
Build a portfolio from day one saving even simple Hello World scripts as documented learning artifacts.

FACTS

Python was created by Guido van Rossum and first released publicly in the year 1991.
The traditional Hello World program was first popularized in Brian Kernighan’s 1972 C programming tutorial.
Python consistently ranks as the world’s most popular programming language according to multiple annual surveys.
The print() function in Python 3 differs from Python 2 where print was a statement.
Codecademy was founded in 2011 and has taught over 50 million people to code worldwide.
Python files use the .py extension which tells the operating system how to execute them.
F-strings were officially introduced in Python version 3.6 released in December of the year 2016.
Python’s name was inspired by Monty Python’s Flying Circus not the snake species as assumed.
The Python interpreter processes code line by line making debugging easier than compiled languages generally.
Strings are immutable in Python meaning once created their individual characters cannot be directly changed.
NetworkChuck has over 3 million YouTube subscribers teaching networking and programming to beginners worldwide enthusiastically.
Python does not use curly braces for code blocks unlike JavaScript C and Java programming languages.
The print() function can accept multiple arguments separated by commas outputting them with spaces automatically.
Python’s official style guide PEP 8 recommends using four spaces for indentation throughout all code.
Hello World requires zero imports zero classes and zero functions making it Python’s most minimal program.
Single and double quotes are completely interchangeable for defining strings in Python with identical results.
Python runs on Windows Mac and Linux making it the most cross-platform beginner language available.
The # symbol creates single-line comments in Python and these lines are never executed by Python.
Python’s print() function automatically adds a newline character after output unless you specify end="" explicitly.
Stack Overflow’s 2023 survey confirmed Python as the most wanted programming language for eleven consecutive years.

Adding Avatar to my Hugo blog

Thu, 19 Mar 2026 18:56:24 +0000

When I set up this blog using the risotto Hugo theme, I wanted to add a profile picture to the left sidebar, right below the site title. Sounds simple — and it is, once you know where to look. Here’s exactly what I did.

The Goal

Add a circular avatar image below the blog title in the sidebar, without touching the theme files directly (so updates don’t break anything).

Step 1 — Place the Image

Drop your image into the static/ directory at the root of your Hugo site:

Building a Microservice for my Hugo Blog on k3s

Thu, 19 Mar 2026 16:54:39 +0000

A self-hosted view counter for a static Hugo blog — built from scratch in Python, containerized, signed, deployed to k3s via GitOps, and integrated into the Hugo frontend. No third-party services. Every piece runs in the cluster.

Architecture

Visitor loads post
    ↓
Hugo frontend JS → POST /views/{slug} → view-counter API
                → GET  /views/{slug} → display count
                         ↓
                   FastAPI (Python)
                         ↓
                   PostgreSQL (CNPG)
                   2 instances, WAL archiving to MinIO

CI/CD flow:

Kubernetes Port Configuration

Thu, 19 Mar 2026 14:55:05 +0000

Key Insight: The Full Traffic Chain

Internet
   ↓
Ingress  (routes by hostname/path → service name + service port)
   ↓
Service  (port → targetPort)
   ↓
Pod/Container  (containerPort / what the process actually binds)

Each arrow is where a port number must match its neighbour. A mismatch at any link causes traffic to silently fail to route.

`containerPort` is Documentation Only

spec:
  containers:
    ports:
      - containerPort: 3005  # ← has NO effect on actual network behaviour

This is purely informational — a hint for humans and tooling.
Kubernetes does not use it to expose or map any port.
The container listens on whatever port its process actually binds to.
The container will still listen on its default port (e.g. 80) regardless of what containerPort says.

[!note] Edge case Some tools (e.g. kubectl port-forward) can use named ports defined here, but the field has zero effect on actual network routing.

Self-Hosting Meilisearch Search for a Hugo Blog on k3s

Sun, 15 Mar 2026 19:58:08 +0000

Adding search to a static Hugo blog without relying on Algolia or any third-party service. Everything runs in the cluster — Meilisearch as a pod, secrets managed via HashiCorp Vault and External Secrets Operator, the index populated by the CI pipeline on every deploy, and the search endpoint exposed through Cloudflare Tunnel.

Why Meilisearch

Hugo is a static site generator — there is no server-side logic, no database, no search. The common solutions are either paying for Algolia or embedding a client-side library like Lunr.js that downloads the entire index to the browser.

Bash Scripting Logical Operators

Fri, 13 Mar 2026 14:32:22 +0000

AND: &&

Run the second command only if the first succeeds:

mkdir mydir && cd mydir
git pull && echo "Pull successful"

OR: ||

Run the second command only if the first fails:

cd mydir || mkdir mydir
command -v docker &>/dev/null || sudo apt install docker

Chaining

&& and || are your bread and butter. They check exit codes.

This is why exit codes matter - they drive conditional execution.

cd project || mkdir project && cd project
./run-tests && ./deploy || echo "Tests failed!"

The [[]] Test command - Security Critical

“Single brackets are a security vulnerability. Double brackets. Always. No exceptions.”*

Bash Scripting - Handling Defaults

Fri, 13 Mar 2026 07:44:42 +0000

Persistent vs. Temporary

${var:=default} — The Persistent Assignment

Logic: If $var is empty or unset, set $var to default and then return that value.

Example:

ubuntu in 🌐 cato in ~
❯ echo $name


ubuntu in 🌐 cato in ~
❯ echo "${name:=User}"
User

ubuntu in 🌐 cato in ~
❯ echo $name
User

name="" (name is empty)
echo “${name:=User}”
- Bash sees name is empty.
- It assigns “User” to the variable name
- It then prints “User”.
echo $name now prints “User” because the variable was actually changed.Bash

Note: The = stands for equal, as in “Make the variable equal to this from now on.

Pandoc Instant Markdown-to-HTML

Wed, 11 Mar 2026 19:13:39 +0000

If you write HTML by hand, you already know the pain of typing <ul><li> over and over. Here’s a trick that lets you write plain Markdown inline and convert it on the spot using pandoc as a Vim filter.

The Basic Idea

Vim’s ! command pipes a range of lines through an external program and replaces them with the output. Pandoc reads Markdown on stdin and writes HTML to stdout — a perfect match.

Markdown

Wed, 11 Mar 2026 17:29:33 +0000

What Is Markdown?

Markdown is a lightweight markup language — a way of adding formatting to plain text using simple punctuation. The idea is that the source file should be readable as-is, without rendering, and that converting it to HTML (or PDF, or DOCX, or anything else) should be trivial.

You write this:

**This is bold** and *this is italic*.

And a renderer turns it into: This is bold and this is italic.

Latex KaTex MathJax

Wed, 11 Mar 2026 11:38:41 +0000

LaTeX, KaTeX, and MathJax solve different parts of the same problem: representing and rendering mathematical notation with precision.

What is Latex?

LaTeX (pronounced “lah-tech” or “lay-tech”) is a document preparation system used for typesetting high-quality documents, especially those with complex mathematical notation.

Key points:

Not a word processor — you write plain text with markup commands, then compile it to PDF
Built on TeX, a typesetting engine created by Donald Knuth in the 1970s
LaTeX itself was created by Leslie Lamport in the 1980s as a higher-level layer on top of TeX

What it’s used for:

AKS Cluster: Flux GitOps

Tue, 10 Mar 2026 08:53:21 +0000

Overview

In the previous post, I walked through the foundational Terraform config for an AKS cluster with Azure Key Vault integration. That was a minimal dev setup — one node, no GitOps, no application secrets.

This post covers the staging evolution of that config. The new additions are:

A 2-node AKS cluster with a proper staging DNS prefix
Flux v2 installed as a cluster extension and wired to a private GitHub repo via SSH
A structured Kustomization hierarchy — controllers → configs → apps — with garbage collection
Auto-generated DB credentials stored directly in Key Vault at provision time
Terraform outputs that expose Key Vault details and the secrets provider client ID for use in SecretProviderClass manifests

What Changed from Dev

The resource group and cluster names now reflect the staging environment (rg-n8n-uclabdev-aks, n8n-uclabdev-staging), the node count is bumped to 2, and the DNS prefix is staging. Everything else — Cilium networking, system-assigned identity, Key Vault secrets provider — carries over unchanged.

AKS with Azure Key Vault Using Terraform

Tue, 10 Mar 2026 07:58:46 +0000

Overview

In this post I’ll walk through the Terraform configuration I used to spin up an AKS cluster for my uclabdev environment as part of an n8n self-hosted setup on Azure. The config covers:

An AKS cluster with Cilium as both the CNI and network policy engine
The Azure Key Vault Secrets Provider add-on enabled on the cluster
An Azure Key Vault instance with RBAC-based access control
Proper role assignments for both the operator and the AKS managed identity

Authenticating with Azure CLI

Before running Terraform, you need an active Azure CLI session. Since this setup runs inside a dev container, browser-based login isn’t always available — device code flow is the reliable fallback:

Cloudflare Tunnels to Securely Expose Kubernetes Services

Fri, 06 Mar 2026 08:03:36 +0000

If you’re running a homelab Kubernetes cluster — like my Raspberry Pi 5 cluster — you’ve probably hit the same wall: you want to expose a service to the internet, but you don’t want to poke holes in your firewall or deal with dynamic IP headaches. Cloudflare Tunnels solve this elegantly. Here’s how I wired it all up with cloudflared, HashiCorp Vault, ExternalSecrets, and FluxCD.

How It Works

Cloudflare Tunnels work by running a lightweight daemon (cloudflared) inside your cluster. This daemon opens an outbound connection to Cloudflare’s edge — so no inbound ports need to be opened. Traffic hits yourdomain.com, Cloudflare routes it through the tunnel, and cloudflared forwards it to your internal service.

Conventional Commits

Thu, 05 Mar 2026 08:57:10 +0000

If you’re running a DevPod-based development environment and want to enforce Conventional Commits across your team, this post walks through how to wire up Commitizen and pre-commit automatically — so every developer gets the right hooks installed the moment they enter the container, with zero manual setup.

Why Conventional Commits?

Conventional Commits give your Git history a consistent, machine-readable structure:

feat(auth): add OAuth2 login support
fix(api): handle null response from upstream
chore(deps): bump helm to 3.14.0

This unlocks automated changelogs, semantic versioning, and better collaboration signals in pull requests. Commitizen adds a CLI wizard to guide you through writing them; pre-commit enforces the format at commit time so nothing slips through.

Enforcing Image Signing in k3s

Wed, 04 Mar 2026 19:15:15 +0000

One of the things I wanted to get right in my Pi5 cluster was ensuring that only images I’ve actually built and signed can run — no surprises, no unsigned images sneaking into my workloads. This post walks through how I set up Sigstore’s Policy Controller with Flux to enforce Cosign image signatures in my uclab namespace.

The Goal

Every image I deploy to the uclab namespace is built in my own CI pipeline, pushed to my self-hosted Forgejo registry, and signed with Cosign using a key pair I control. The Policy Controller’s job is to sit as an admission webhook and reject any pod that tries to run an image without a valid signature.

Hugo Blog — Hardening the Pipeline

Wed, 04 Mar 2026 19:06:41 +0000

Securing the CI/CD Chain

In the previous post we built a full GitOps pipeline: push to Forgejo, build a Hugo image, ship it to k3s via Flux. It worked. But it was naive in a few ways — running nginx as root, no image scanning, no signing, and deploying by mutable tag.

This post covers the fixes. Three independent improvements, each worth doing on its own:

Unprivileged nginx — drop root from the container entirely
Trivy — scan the image for HIGH/CRITICAL CVEs before it ever touches the registry
Cosign — sign the image so the cluster can verify it came from CI

The full updated files are at the bottom. Here is the reasoning behind each change.

Kubernetes Architecture

Wed, 04 Mar 2026 09:13:32 +0000

If you’ve ever stared at a Kubernetes diagram and felt your eyes glaze over, you’re not alone. Let’s break it down simply.

The Two Big Pieces: Control Plane & Worker Nodes

Kubernetes splits its responsibilities cleanly into two halves.

The Control Plane (the master) is the brain of the cluster. It’s made up of four key components:

API Server — every request goes through here, no exceptions
etcd — a key-value store that holds all cluster state and data
Scheduler — decides which node a new Pod should run on
Controller Manager — constantly watches the cluster and reconciles the actual state with the desired state (think Replica, Node, and Job controllers)

The Worker Nodes (minions) are where your actual workloads run. Each node runs:

Self-hosting Umami Analytics

Tue, 03 Mar 2026 11:04:08 +0000

I wanted to add visitor analytics to this blog without relying on Google Analytics or any third-party cloud service. Umami is a great fit — it’s open source, privacy-friendly, GDPR-compliant, and self-hostable. This post covers how I deployed it on my k3s cluster using Cilium Gateway API and Cloudflare Tunnels, and the one gotcha that had me debugging for longer than I’d like to admit.

Stack

k3s — lightweight Kubernetes running on a Raspberry Pi 5 cluster
CloudNative PG (CNPG) — Postgres operator for the Umami database
Cloudflare Tunnels — for exposing services to the internet without opening ports
Umami 3.0.3 — the analytics server itself

Database

I use CloudNative PG to manage the Postgres cluster. Two instances for HA, with WAL archiving to an object store via the barman-cloud plugin.

Automating Renovate PR Reviews with n8n

Mon, 02 Mar 2026 17:16:08 +0000

The Problem: Renovate Bot is Prolific

If you run a Kubernetes homelab with Renovate Bot, you know the drill. Every morning you wake up to a flood of open pull requests — patch updates, minor bumps, the occasional major version change. Each one needs a decision: safe to merge, needs a closer look, or definitely hands-off.

Doing this manually gets old fast. But blindly auto-merging everything is a bad idea too — you really don’t want Renovate silently bumping your CloudNativePG major version at 2am.

Forgejo on K3S

Sun, 01 Mar 2026 19:30:11 +0000

Forgejo is a lightweight, self-hosted Git service — a community fork of Gitea. In this post I’ll walk through how I deployed it on my home k3s cluster backed by a CloudNativePG (CNPG) PostgreSQL database, MinIO S3-compatible object storage for backups, and exposed it via Cilium’s Gateway API with automatic TLS through cert-manager.

Architecture Overview

The setup involves three main layers:

App layer — the Forgejo deployment, services, and ingress (Gateway + HTTPRoute)
Database layer — a CloudNativePG PostgreSQL cluster with WAL archiving to MinIO
Secrets layer — External Secrets Operator pulling credentials from Vault

Here’s the directory structure I’m using in my GitOps repo:

How to Safely Upgrade a k3s Cluster

Sun, 01 Mar 2026 19:14:12 +0000

I’ve been running a small home k3s cluster for a while now — one Raspberry Pi 5 as the control plane and two Intel NUC8i7s as workers. It’s a fun setup, but upgrading Kubernetes always feels like it deserves a bit of care. This post documents how I think about and execute k3s upgrades for this specific setup.

My Cluster Layout

NAME     ROLE            IP             OS              ARCH
athena   control-plane   10.10.10.244   Ubuntu 24.04    arm64 (Pi 5)
nuc242   worker          10.10.10.242   Ubuntu 24.04    amd64
nuc243   worker          10.10.10.243   Ubuntu 24.04    amd64

A few things worth noting about this setup:

Hugo End-to-End Security

Sun, 01 Mar 2026 17:12:37 +0000

🔐 Hardened Hugo + NGINX Static Site on Kubernetes (PSS Restricted)

This guide provides a production-grade, defense-in-depth setup for deploying a Hugo static site using NGINX inside Kubernetes with:

Non-root container
Read-only root filesystem
Dropped Linux capabilities
Seccomp RuntimeDefault
No privilege escalation
Secure NGINX configuration
Writable ephemeral mounts only where required
NetworkPolicy isolation
Image scanning & signing
GitOps-ready deployment

Secure Dockerfile

# ---------- Stage 1: Build Hugo site ----------
FROM hugomods/hugo:0.157.0 AS builder

WORKDIR /site
COPY . .
RUN hugo --minify

# ---------- Stage 2: Hardened NGINX ----------
FROM nginx:1.28-alpine

# Remove default config
RUN rm /etc/nginx/conf.d/default.conf

# Create writable directories required by nginx
RUN mkdir -p /var/cache/nginx \
    && mkdir -p /var/run \
    && chown -R nginx:nginx /var/cache/nginx /var/run /usr/share/nginx/html

# Copy static site
COPY --from=builder /site/public /usr/share/nginx/html

# Copy hardened nginx config
COPY nginx.conf /etc/nginx/conf.d/default.conf

# Fix ownership and permissions
RUN chown -R nginx:nginx /usr/share/nginx/html \
    && chmod -R 755 /usr/share/nginx/html

# Run as non-root
USER nginx

EXPOSE 8080

CMD ["nginx", "-g", "daemon off;"]

Hardened nginx.conf

server {
    listen 8080 default_server;
    server_name _;

    root /usr/share/nginx/html;
    index index.html;

    server_tokens off;

    access_log /dev/stdout;
    error_log  /dev/stderr warn;

    gzip_static on;

    # Security headers
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "DENY" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        try_files $uri $uri/ $uri.html =404;
    }

    location ~* \.(css|js|png|jpg|jpeg|gif|ico|svg|woff|woff2)$ {
        expires 1y;
        add_header Cache-Control "public, immutable";
        access_log off;
    }

    location ~* \.html$ {
        add_header Cache-Control "no-cache";
    }

    location ~ /\.(?!well-known).* {
        deny all;
    }
}

Hardened Kubernetes Deployment

apiVersion: v1
kind: Namespace
metadata:
  name: uclab
  labels:
    pod-security.kubernetes.io/enforce: restricted

apiVersion: apps/v1
kind: Deployment
metadata:
  name: uclab
  namespace: uclab
spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: uclab
  template:
    metadata:
      labels:
        app: uclab
    spec:
      automountServiceAccountToken: false

      imagePullSecrets:
        - name: forgejo-registry

      securityContext:
        runAsNonRoot: true
        runAsUser: 101
        runAsGroup: 101
        fsGroup: 101
        seccompProfile:
          type: RuntimeDefault

      containers:
        - name: nginx
          image: forgejo.uclab.dev/affragak/uclab:338e164

          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL

          ports:
            - containerPort: 8080
              protocol: TCP

          resources:
            requests:
              cpu: 50m
              memory: 32Mi
            limits:
              cpu: 200m
              memory: 64Mi

          readinessProbe:
            httpGet:
              path: /
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 10

          livenessProbe:
            httpGet:
              path: /
              port: 8080
            initialDelaySeconds: 10
            periodSeconds: 30

          volumeMounts:
            - name: tmp
              mountPath: /tmp
            - name: nginx-cache
              mountPath: /var/cache/nginx
            - name: nginx-run
              mountPath: /var/run

      restartPolicy: Always

      volumes:
        - name: tmp
          emptyDir: {}
        - name: nginx-cache
          emptyDir: {}
        - name: nginx-run
          emptyDir: {}

NetworkPolicy (Zero Trust Model)

Allow ingress only from cloudflared pods:

Hugo Blog — Full CI/CD GitOps

Sun, 01 Mar 2026 07:39:04 +0000

Forgejo → k3s with Flux

Overview

Stack: Hugo + Risotto theme (git submodule) → Forgejo Actions → Forgejo Container Registry → k3s → Flux

Flow:

git push 
→ Forgejo Actions builds Hugo image 
→ pushes to Forgejo registry
→ updates image tag in k8s manifest 
→ commits back to repo
→ Flux detects commit 
→ applies Deployment 
→ k3s rolls out new image

No Bitnami charts. No Flux image automation controllers. No runtime git cloning. Just a plain nginx Deployment running your pre-built static site.

Self-Hosting n8n on k3s

Fri, 27 Feb 2026 12:02:07 +0000

This post walks through deploying n8n on a local k3s cluster with production-grade practices: a CloudNativePG-managed PostgreSQL cluster, continuous backups to MinIO via Barman, GitOps with Flux, secrets from Vault via External Secrets Operator, and a hardened pod security posture.

Stack

k3s — lightweight Kubernetes for bare-metal/homelab
CloudNativePG (CNPG) — Postgres operator with built-in HA and backup
Barman Cloud Plugin — WAL archiving and point-in-time recovery to S3/MinIO
MinIO — self-hosted S3-compatible object storage
Flux — GitOps continuous delivery
External Secrets Operator + Vault — secret management
Cloudflare Tunnel — secure ingress without exposing ports

1. Namespace

kubectl create namespace n8n

2. PostgreSQL Cluster with CloudNativePG

CNPG handles HA, replication, and automated failover. We use 2 instances (primary + async standby) spread across nodes.

The Linux File Descriptor

Thu, 26 Feb 2026 09:45:25 +0000

What Does `echo "Hello" > /proc/1/fd/1` Actually Do?

If you’ve spent time debugging containers or reading shell scripts, you may have stumbled across a curious one-liner:

echo "Hello" > /proc/1/fd/1

At first glance it looks like magic. Let’s break it down piece by piece.

The `/proc` Filesystem

/proc is a virtual filesystem built into the Linux kernel. It doesn’t exist on disk — it’s generated on the fly by the kernel to expose information about running processes, system resources, and hardware.

Audiocodes SBC Webex Calling & Twilio Pstn

Sun, 22 Feb 2026 13:04:26 +0000

Overview

Running a full end-to-end SIP trunk lab that bridges Webex Calling to the PSTN via Twilio is a great way to understand how a Session Border Controller (SBC) sits in the middle of modern cloud telephony. In this post I’ll walk through my home lab setup where an AudioCodes Mediant SW SBC — deployed on VMware ESXi — interconnects a Webex Calling sandbox and a Twilio free-tier PSTN account.

BGP Redistribute-Internal

Fri, 20 Feb 2026 08:47:34 +0000

Introduction

Throughout this BGP series, I’ve covered attributes, policies, and mechanisms that control BGP behavior within the BGP domain – how routes are selected, advertised, and propagated through BGP. But what happens when you need to move routes out of BGP and into an IGP like OSPF or EIGRP?

Redistribution from BGP to IGP is common in enterprise networks:

BGP handles external connectivity (Internet, MPLS, partners)
IGP handles internal routing (OSPF, EIGRP within the AS)
Redistribution bridges the two domains

But there’s a critical default behavior most engineers discover the hard way:

BGP Multipath

Fri, 20 Feb 2026 08:20:21 +0000

Introduction

Throughout this BGP series, I’ve covered numerous attributes that influence which single path BGP selects as best:

Weight, Local Preference: Control outbound path selection
AS-Path, MED: Influence path decisions
Communities: Signal routing policies

But all of these mechanisms follow the same fundamental principle: BGP selects one best path per prefix. Even if you have multiple equal-cost paths to a destination, by default, BGP picks one and discards the rest.

That’s where BGP Multipath comes in.

BGP Conditional Advertisement

Fri, 20 Feb 2026 07:35:27 +0000

Introduction

In all the previous BGP posts, route advertisements have been static – you configure a network statement or redistribution, and the route is advertised continuously to configured neighbors. But what if you need advertisements to be dynamic, appearing and disappearing based on network conditions?

That’s what BGP Conditional Advertisement solves.

Conditional advertisement allows you to say: “Only advertise route X to neighbor Y if route Z exists in the BGP table” (or conversely, “if route Z does NOT exist”). This enables sophisticated scenarios like:

BGP Attributes: Standard Community

Thu, 19 Feb 2026 10:21:11 +0000

Introduction

In the previous posts, I’ve covered BGP attributes that control traffic flow:

Weight, Local Preference, AS-Path: Control which path traffic takes
MED: Influence inbound traffic selection

Now it’s time for a different kind of BGP attribute: BGP Communities. Instead of influencing which path to take, communities control how far routes propagate through the network.

BGP Communities are tags attached to routes that signal routing policy information. Think of them as labels that say “hey, treat this route specially.” The two most fundamental standard communities are:

BGP Attributes: AS-Path

Wed, 18 Feb 2026 12:48:18 +0000

Introduction

So far in the BGP Attributes series, I’ve covered three traffic control mechanisms:

Weight: Router-local outbound control (Cisco proprietary, never propagates)
Local Preference: AS-wide outbound control (propagates via iBGP)
MED: Inbound influence to neighboring AS (limited scope)

Now it’s time for the most versatile BGP traffic engineering tool: AS-Path manipulation, specifically AS-Path prepending.

AS-Path prepending is unique because it:

Controls both inbound AND outbound traffic
Works across multiple AS hops (not just directly connected neighbors)
Is universally recognized (part of BGP standard, works on all vendors)
Uses BGP’s core loop-prevention mechanism (AS-Path length) for traffic engineering

The concept is deceptively simple: make a path look artificially longer by repeating AS numbers, and BGP will naturally avoid it in favor of shorter paths.

BGP Attributes: Weight

Wed, 18 Feb 2026 11:38:14 +0000

Introduction

In the previous posts, I’ve covered Local Preference for AS-wide outbound traffic control and MED for influencing inbound traffic from neighbors. Both attributes affect routing decisions across multiple routers – Local Preference coordinates exit point selection throughout your entire AS, while MED suggests entry points to neighboring ASes.

But what if you need to make a routing decision that affects only one specific router without changing anyone else’s behavior?

That’s where Weight comes in. It’s Cisco’s proprietary attribute that sits at the very top of the BGP best-path algorithm, overriding even Local Preference. Weight is completely local to a single router – it’s never advertised to any neighbor, iBGP or eBGP. This makes it perfect for router-specific policy without the coordination overhead.

BGP Attributes: MED

Wed, 18 Feb 2026 10:45:04 +0000

Introduction

In the previous post, I covered Local Preference – BGP’s tool for controlling outbound traffic from your AS. Now it’s time for the flip side: MED (Multi-Exit Discriminator), which influences inbound traffic into your AS.

While Local Preference tells your routers “use this exit,” MED tells your neighbors “use this entry.” It’s your way of saying to external autonomous systems: “Hey, if you want to reach my networks, I prefer you use this link over that one.”

BGP Attributes: Local Preference

Wed, 18 Feb 2026 10:07:21 +0000

Introduction

Welcome to a new series on BGP Path Attributes – the mechanisms that control how BGP makes routing decisions. While my previous posts focused on route filtering and aggregation, this series dives into how BGP actually chooses the best path when multiple routes to the same destination exist.

We’re starting with one of the most powerful and commonly used attributes: Local Preference.

Local Preference is your primary tool for controlling outbound traffic from your autonomous system. When you have multiple exit points to reach external destinations, Local Preference determines which exit your entire AS will prefer. Set it once on the edge router receiving the routes, and every router in your AS will make consistent forwarding decisions.

BGP Route Aggregation: Unsuppress-Maps

Tue, 17 Feb 2026 08:50:06 +0000

Introduction

The previous post on suppress-map showed how to selectively suppress specific component routes when creating a BGP aggregate. But there’s a complementary scenario that comes up just as often in practice: you have a global suppression policy (like summary-only) applied to an aggregate, and you need to restore one or more suppressed routes to a specific neighbor only.

That’s what unsuppress-map does. It operates at the neighbor level and overrides the global suppression for that peer, re-advertising chosen routes that would otherwise stay hidden behind the aggregate.

BGP Route Aggregation: Suppress-Maps

Tue, 17 Feb 2026 08:33:47 +0000

Introduction

The previous two posts in this series covered the two ends of the BGP aggregation spectrum:

Default aggregate-address: advertises both the aggregate AND all component routes to everyone
summary-only: advertises only the aggregate, suppresses ALL component routes to everyone

But real networks rarely fit neatly into either extreme. What if you want to advertise the aggregate alongside some of the component routes, but suppress others? That’s exactly what suppress-map solves.

BGP Route Aggregation: Summary-Only Mode

Tue, 17 Feb 2026 08:09:23 +0000

Introduction

In my previous post on BGP Route Aggregation, I demonstrated how the aggregate-address command creates a summary route while continuing to advertise the more-specific component routes alongside it. I also showed how to use prefix lists to selectively control which neighbors see the aggregate versus the specifics.

But there’s a simpler, more direct approach when you want only the summary route advertised to everyone: the summary-only keyword.

This post focuses specifically on this option, what it does under the hood, and how it compares to IGP summarization behavior.

BGP Route Aggregation

Sun, 15 Feb 2026 18:09:07 +0000

Introduction

In my previous posts on BGP filtering, I’ve covered Access Control Lists, Prefix Lists, and AS-Path filters – all focused on controlling which routes are accepted or advertised. But there’s another critical BGP capability that every network engineer needs to master: route aggregation (also called route summarization).

Route aggregation is the practice of combining multiple specific routes into a single, less-specific summary route. This technique serves multiple purposes:

Reduces routing table size across the internet
Improves routing stability by hiding network flapping
Simplifies routing policies with fewer routes to manage
Conserves bandwidth by reducing BGP update traffic
Enhances security by hiding internal network details

In this post, I’ll demonstrate BGP route aggregation using the same lab topology from my previous BGP posts, showing you how to create aggregate routes and implement sophisticated policies that advertise different levels of detail to different neighbors.

BGP AS-Path Filtering

Sun, 15 Feb 2026 12:30:20 +0000

Introduction

In my previous posts, I explored BGP route filtering using Access Control Lists and Prefix Lists. Both methods filter routes based on network prefixes and subnet masks. But what if you need to filter routes based on where they originated or which autonomous systems they’ve traversed?

Enter AS-Path filtering – a powerful BGP route manipulation technique that allows you to make routing decisions based on the autonomous system path. Combined with regular expressions, AS-Path filters provide surgical precision in controlling route propagation across complex multi-AS topologies.

BGP Route Filtering with Prefix Lists

Sun, 15 Feb 2026 11:17:22 +0000

Introduction

In my previous post, I explored BGP route filtering using standard Access Control Lists (ACLs). While ACLs are powerful, they have limitations when it comes to matching based on prefix length. Enter prefix lists – a purpose-built tool for route filtering that offers superior control and readability for BGP route manipulation.

Prefix lists provide functionality that ACLs simply cannot match: the ability to filter routes based on both network address AND prefix length. This makes them the preferred choice for BGP route filtering in production networks.

BGP Route Filtering in Practice

Sun, 15 Feb 2026 10:19:48 +0000

Introduction

Access Control Lists (ACLs) are one of the most fundamental tools in a network engineer’s toolkit. While they’re commonly associated with security and packet filtering, ACLs play an equally critical role in route filtering and manipulation. In this post, I’ll walk through three real-world scenarios from my lab environment where I used standard access lists with BGP distribute-lists to control route propagation between autonomous systems.

Lab Topology

My lab consists of six routers spanning multiple autonomous systems:

Bibata Modern Ice Cursor Theme

Sat, 14 Feb 2026 10:22:24 +0000

If you’re running Hyprland on Arch Linux and want to improve your desktop aesthetics, installing a modern cursor theme is a great place to start. The Bibata Modern Ice cursor theme is sleek, professional, and pairs beautifully with modern desktop environments.

In this guide, I’ll walk you through two methods of installing Bibata Modern Ice: the manual method and using the graphical tool nwg-look.

What is Bibata Modern Ice?

Bibata is a popular cursor theme that offers several variants. The “Modern Ice” variant features a clean, light blue accent that looks fantastic on dark themes. It’s widely used in the Linux community and is the default cursor in many Hyprland configurations, including the popular ML4W dotfiles.

Fixing PGP Signature Errors During Arch Linux Installation

Sat, 14 Feb 2026 09:19:15 +0000

If you’re installing Arch Linux and encounter PGP signature errors during the pacstrap command, you’re not alone.
This is one of the most common issues faced during Arch installation, but fortunately, it’s usually straightforward to fix.

The Error

The error typically looks something like this:

error: linux: signature from "..." is invalid
error: failed to commit transaction (invalid or corrupted package)

Why This Happens

PGP (Pretty Good Privacy) signatures are used to verify that packages haven’t been tampered with. The errors occur when:

Fixing Time Synchronization

Thu, 12 Feb 2026 07:55:03 +0000

I recently noticed my Arch Linux system time was consistently 1 hour behind, despite having the correct timezone configured. Here’s how I fixed it using systemd’s built-in NTP client.

The Problem

My system showed the wrong time even though the timezone was correctly set to Europe/Berlin:

❯ date
Thu Feb 12 09:45:36 AM CET 2026

❯ stat /etc/localtime
File: /etc/localtime -> /usr/share/zoneinfo/Europe/Berlin

Checking the time sync status revealed the issue:

❯ timedatectl status
               Local time: Thu 2026-02-12 09:48:17 CET
           Universal time: Thu 2026-02-12 08:48:17 UTC
                 RTC time: Thu 2026-02-12 08:48:17
                Time zone: Europe/Berlin (CET, +0100)
System clock synchronized: no
              NTP service: inactive
          RTC in local TZ: no

The NTP service was inactive, meaning the system wasn’t synchronizing with any time servers.

Cat9000v_baseline

Wed, 11 Feb 2026 08:57:31 +0000

ip domain name automation.local
hostname iosxe-switch-1
crypto key generate rsa mod 2048
aaa new-model
aaa authentication login local
aaa authorization exec default local if-authenticated
ip ssh version 2
username admin privilege 15 secret automation
enable secret automation
int gi0/0
ip add 10.3.19.107 255.255.255.0
no cdp enable
no shut
ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 10.3.19.254
!
no ip http server
no ip http secure-server
 no crypto pki trustpoint SLA-TrustPoint
ip http secure-server
restconf
end

Network Automation with RESTCONF

Mon, 09 Feb 2026 12:46:52 +0000

Network automation has become essential for modern infrastructure management, and RESTCONF provides a standardized, programmable interface for configuring and managing network devices. In this guide, I’ll walk you through practical examples of using RESTCONF with Cisco IOS-XE devices.

What is RESTCONF?

RESTCONF is a protocol defined in RFC 8040 that provides a RESTful API for accessing data defined in YANG models. It combines the simplicity of REST APIs with the power of YANG data modeling, making network automation more accessible to developers and network engineers alike.

Nvidia Hyprland

Sun, 08 Feb 2026 15:22:24 +0000

If you’re running Arch Linux with an NVIDIA GPU and want to experience the modern, tiling Wayland compositor Hyprland, you’re in for a treat. However, getting NVIDIA to play nicely with Wayland compositors requires some specific configuration. This guide will walk you through the entire setup process.

Why This Matters

NVIDIA’s proprietary drivers have historically been challenging with Wayland compositors. Thanks to recent improvements in the NVIDIA driver stack (especially with the open-source kernel modules), running Hyprland on NVIDIA hardware is now not only possible but performs quite well. The key is proper configuration.

Hugo Git Submodules: Do Not Forget Your Theme!

Sun, 08 Feb 2026 15:12:39 +0000

The Problem

After cloning my Hugo blog from GitLab and adding a new post, I ran into a frustrating issue: hugo server would start successfully, but the site wouldn’t render any pages. Instead, I got a blank page with only the livereload script.

The build output showed warnings about missing layout files:

WARN  found no layout file for "html" for kind "term"
WARN  found no layout file for "html" for kind "section"
WARN  found no layout file for "html" for kind "taxonomy"

The Root Cause

When I cloned the repository, the theme directory was empty. Hugo themes are typically added as Git submodules, and by default, git clone doesn’t automatically download submodule content.

Dual Booting Arch Linux and Windows 11

Sun, 08 Feb 2026 15:03:24 +0000

Introduction

Setting up a dual boot system with Arch Linux and Windows 11 can be challenging, especially when you want to maintain full disk encryption on both operating systems while keeping Secure Boot enabled. This guide documents my journey and the solutions I found to create a secure, encrypted dual boot setup on two separate NVMe drives.

Hardware Configuration

My system consists of:

nvme0n1 (953.9GB): Windows 11 drive
nvme1n1 (1.8TB): Arch Linux drive
UEFI firmware with Secure Boot enabled

Initial Setup

Both operating systems were already installed:

Setting Up SSH Keys for GitHub on Arch Linux

Sun, 08 Feb 2026 11:38:40 +0000

If you’re running Arch Linux and want to set up SSH authentication for GitHub, here’s a quick guide to get you started. This process allows you to push and pull from GitHub repositories without entering your password every time.

Prerequisites

First, you’ll need to install OpenSSH if it’s not already on your system:

sudo pacman -S openssh

Generate Your SSH Key

Create a new ED25519 SSH key pair with this command:

Cilium LoadBalancer IPAM and BGP Service Advertisement

Wed, 04 Feb 2026 20:09:50 +0100

In the previous post, we established BGP peering between our Kubernetes cluster and a virtual leaf-spine datacenter fabric, enabling dynamic Pod CIDR advertisement.

But Pod connectivity is only half the story.

In production Kubernetes environments, Services — especially LoadBalancer type services — are how applications expose themselves to the outside world. Traditionally, this requires external load balancers like MetalLB or cloud provider integrations.

With Cilium’s LoadBalancer IPAM and BGP Service Advertisement, we can eliminate that dependency entirely.

BGP on Cilium

Wed, 04 Feb 2026 13:58:29 +0100

BGP on Cilium: Peering Kubernetes with a Leaf‑Spine Datacenter

BGP is not just the routing protocol that powers the Internet — it has become the standard control plane inside modern data centers.

Today’s data centers are typically built using a leaf–spine architecture, where BGP is responsible for distributing reachability information between racks, spines, and endpoints. And when your endpoints are Kubernetes Pods, it makes perfect sense for Kubernetes networking to speak BGP as well.

Path bash script

Tue, 03 Feb 2026 09:35:19 +0100

A simple one-liner to display your PATH variable with each directory on its own line, demonstrating bash parameter expansion for string manipulation.

The Script

#!/bin/bash
# Description: current path
echo "${PATH//:/$'\n'}"

Output:

/usr/local/sbin
/usr/local/bin
/usr/sbin
/usr/bin
/sbin
/bin
/usr/games
/usr/local/games
/snap/bin

How It Works

${PATH//:/$'\n'}
  │    ││ └─────── Replacement: $'\n' (newline)
  │    │└───────── Pattern: : (colon)
  │    └────────── // means "replace ALL occurrences"
  └─────────────── Variable: PATH

Breakdown

PATH - Environment variable containing colon-separated directories
//: - Replace all colons (:) globally
$'\n' - ANSI-C quoting for actual newline character
Result - Each directory appears on its own line

Single vs Double Slash

# Single / - replaces FIRST occurrence only
echo "${PATH/:/$'\n'}"
# Output:
# /usr/local/sbin
# /usr/local/bin:/usr/sbin:/usr/bin...
#                ↑ remaining colons unchanged

# Double // - replaces ALL occurrences
echo "${PATH//:/$'\n'}"
# Output: each directory on separate line ✓

Parameter Expansion Basics

The pattern ${variable//pattern/replacement} is called parameter expansion - a built-in bash feature for string manipulation without external commands.

Building a Simple System Information Script in Bash

Mon, 02 Feb 2026 18:43:54 +0100

Ever needed a quick way to check your system’s vital stats without memorizing a dozen different commands?
I created a simple bash script that displays all the essential system information in one clean output.

What It Does

The script displays:

Hostname and current date
System uptime
Linux distribution and kernel version
CPU model and core count
Memory usage (total, used, free)
Disk space utilization
Network information (IPv4, MAC address, gateway, DNS)

The Script

Here’s the complete script:

Shebang bash security

Mon, 02 Feb 2026 17:59:04 +0100

If you’ve written bash scripts, you’ve probably used a shebang line at the top.
But which one should you use: #!/bin/bash or #!/usr/bin/env bash?
And is there really a security risk with the latter?

The Two Approaches

Hardcoded Path: `#!/bin/bash`

This shebang assumes bash is installed at /bin/bash. It’s direct and predictable—you know exactly which interpreter will run your script.

Pros:

Predictable execution path
Works consistently on most Linux distributions
Slightly faster (no PATH lookup needed)

Cons:

Ansible_vlans_playbook

Sat, 29 Nov 2025 17:21:16 +0000

Playbook

#vlans.yaml
- hosts: switches
  tasks:
    - name: Create VLANs
      ios_vlans:
        config:
          - vlan_id: 10
            name: Printers
          - vlan_id: 20
            name: Cameras
          - vlan_id: 30
            name: Guest
        state: merged
    - name: Save to startup-config
      ios_config:
        save_when: modified

Inventory

#site-a.ini
[ios]
10.3.19.101
10.3.19.102
10.3.19.103
10.3.19.104

[ios:vars]
ansible_connection=network_cli
ansible_network_os=ios
ansible_user=admin
ansible_password=automation

[routers]
10.3.19.101
10.3.19.102

[switches]
10.3.19.103
10.3.19.104

Run Playbook

ansible-playbook vlans.yaml -i site-a.ini

Ansible_install

Sat, 29 Nov 2025 17:07:42 +0000

Install

curl -LsSf https://astral.sh/uv/install.sh | sh
# Source the shell according to the installation output
uv venv
source .venv/bin/activate
uv pip install ansible-core==2.18 ansible-pylibssh

Module collection installation

ansible-galaxy collection install cisco.ios cisco.nxos cisco.iosxr

ansible-galaxy collection list | grep cisco

Clipboard_devcontainer

Sun, 23 Nov 2025 11:53:56 +0100

✂️ Enable Clipboard Copy/Paste in a DevContainer (Neovim + OSC52 + tmux)

Clipboard support inside a DevContainer is not available by default, because the container cannot directly access the host clipboard.
This guide enables seamless yank/copy/paste in Neovim, tmux, and VS Code DevContainers using:

xclip / wl-clipboard (fallback tools)
Neovim’s built-in OSC52 clipboard provider
tmux OSC52 forwarding

Dockerfile

#Dockerfile
FROM mcr.microsoft.com/devcontainers/base:ubuntu-24.04

COPY --from=jdxcode/mise /usr/local/bin/mise /usr/local/bin/

# Install clipboard utilities
RUN apt-get update && apt-get install -y xclip wl-clipboard && rm -rf /var/lib/apt/lists/*

# make sure mise is activated in both zsh and bash
RUN echo 'eval "$(mise activate bash)"' >> /home/vscode/.bashrc && \
    echo 'eval "$(mise activate zsh)"' >> /home/vscode/.zshrc

OSC52 Clipboard Support in Neovim

#options.lua
vim.g.snacks_animate = false
vim.g.lazyvim_check_order = false

vim.opt.ignorecase = true

vim.opt.number = false
vim.opt.relativenumber = false
vim.opt.scrolloff = 8

-- Explicitly use OSC 52 for clipboard (best for remote/container environments)
vim.g.clipboard = {
  name = "OSC 52",
  copy = {
    ["+"] = require("vim.ui.clipboard.osc52").copy("+"),
    ["*"] = require("vim.ui.clipboard.osc52").copy("*"),
  },
  paste = {
    ["+"] = require("vim.ui.clipboard.osc52").paste("+"),
    ["*"] = require("vim.ui.clipboard.osc52").paste("*"),
  },
}

-- Use system clipboard for all yank/paste operations
vim.opt.clipboard = "unnamedplus"

Tmux

Add to ~/.tmux.conf

Botkube

Sun, 23 Nov 2025 10:14:23 +0100

Botkube Installation Guide

Overview

This guide covers the installation of Botkube on a K3s Raspberry Pi 5 cluster with Slack integration, using HashiCorp Vault for secret management and FluxCD for GitOps deployment.

Architecture

Cluster: K3s on Raspberry Pi 5
GitOps: FluxCD
Secret Management: HashiCorp Vault + External Secrets Operator
Communication: Slack (Socket Mode)
Storage: Persistent volume for plugin caching

Prerequisites

K3s cluster running
FluxCD installed and configured
HashiCorp Vault deployed with KV secrets engine
External Secrets Operator installed with ClusterSecretStore configured
Slack workspace with admin access

Directory Structure

infrastructure/
├── controllers/base/botkube/
│   ├── kustomization.yaml
│   ├── kustomizeconfig.yaml
│   ├── namespace.yaml
│   ├── pvc.yaml
│   ├── release.yaml
│   ├── repository.yaml
│   └── values.yaml
└── configs/base/botkube/
    ├── botkube-slack-secrets.yaml
    └── kustomization.yaml

Step 1: Create Slack App

1.1 Create the App

Go to https://api.slack.com/apps
Click “Create New App” → “From scratch”
Name it “Botkube” (or your preferred name)
Select your workspace

1.2 Configure OAuth Scopes

Navigate to OAuth & Permissions and add these Bot Token Scopes:

Custom Root Ca Arch Linux

Sun, 16 Nov 2025 10:00:52 +0100

This is my personal guide for installing the UCLab root CA certificate on Arch Linux, ensuring it’s trusted by the system and all major browsers including Microsoft Edge.

Prerequisites

Root/sudo access
The uclab-root-ca.cer certificate file
The certificate is already in PEM format (no conversion needed)

Step 1: Install Certificate System-Wide

Copy the UCLab certificate to the system trust store:

sudo cp uclab-root-ca.cer /etc/ca-certificates/trust-source/anchors/

Update the system trust store:

sudo trust extract-compat

Verify the certificate was added:

Archiving Files

Wed, 12 Nov 2025 10:38:48 +0100

tar is the Tape Archiver, a utility that was created long ago for backing up data to tape drives. Despite its age, it remains one of the most widely used archiving tools in Unix-like systems today.

Key Characteristics

By default, tar does not compress data—it simply bundles multiple files and directories into a single archive file. Compression can be added as an optional step using various compression algorithms.

Basic Operations

The three fundamental operations you’ll perform with tar are:

Cloudnativepg Plugin

Sun, 09 Nov 2025 21:19:44 +0100

CloudNativePG provides a plugin for kubectl to manage a cluster in Kubernetes.

Install

curl -sSfL \
  https://github.com/cloudnative-pg/cloudnative-pg/raw/main/hack/install-cnpg-plugin.sh | \
  sudo sh -s -- -b /usr/local/bin

Auto-completion

cat > kubectl_complete-cnpg <<EOF
#!/usr/bin/env sh

# Call the __complete command passing it all arguments
kubectl cnpg __complete "\$@"
EOF

chmod +x kubectl_complete-cnpg

# Important: the following command may require superuser permission
sudo mv kubectl_complete-cnpg /usr/local/bin

Use

kubectl cnpg COMMAND [ARGS...]

Onedrive Rclone

Sun, 09 Nov 2025 19:30:09 +0100

This guide walks you through setting up Microsoft OneDrive on Linux using rclone.

Prerequisites

rclone installed on your Linux system
A Microsoft OneDrive account
A web browser for authentication

Installation

sudo pacman -S rclone

Configuration Steps

1. Start rclone Configuration

rclone config

2. Create a New Remote

When prompted, select:

n for New remote
Enter a name for your remote (e.g., OneDrive)

3. Select Storage Type

Choose option 38 for Microsoft OneDrive
Or type onedrive

4. OAuth Configuration

Leave the following blank (press Enter):

Pass Store

Sat, 08 Nov 2025 14:13:56 +0100

Complete Guide to pass: The Standard Unix Password Manager.

pass is a simple, Unix-philosophy-based password manager that stores each password in a GPG-encrypted file. It uses standard Unix tools and can be version-controlled with Git, making it perfect for developers and anyone who appreciates simple, transparent tools.

Why pass?

Simple: Just encrypted files in ~/.password-store/
Transparent: No proprietary formats, everything is GPG-encrypted text
Version Controlled: Built-in Git support for tracking changes
Flexible: Organize passwords however you want with folders
Portable: Sync across multiple machines using Git
Scriptable: Easy to integrate with other tools

Installation

Arch:

Mount NFS Systemd

Sat, 08 Nov 2025 14:00:24 +0100

This guide demonstrates how to mount an NFS share using systemd mount units instead of traditional /etc/fstab entries. Systemd mount units provide better integration with the system’s dependency management and offer more control over mount behavior.

Prerequisites

NFS utilities installed on your system
Access to an NFS server
Root or sudo privileges

Step 1: Create the Mount Point

First, create the directory where the NFS share will be mounted:

sudo mkdir /mnt/vmnfs

Step 2: Generate the Systemd Unit Name

Use systemd-escape to generate the correct systemd unit name from your mount path:

Arch-Linux Fingerprint

Sat, 08 Nov 2025 13:34:27 +0100

Fingerprint Authentication Setup for Arch Linux

Complete guide for setting up fingerprint authentication on Arch Linux with SDDM and Hyprland.

Prerequisites

Arch Linux with SDDM display manager
Hyprland window manager
A working fingerprint reader

Installation

1. Install Required Package

sudo pacman -S fprintd

2. Enroll Your Fingerprint

# Enroll your fingerprint (follow the prompts - scan multiple times)
fprintd-enroll antonis

# Verify it works
fprintd-verify antonis

Replace antonis with your actual username.

Arch-Linux Webex

Sat, 08 Nov 2025 12:16:41 +0100

How to Get Cisco Webex Working on Arch Linux (Wayland / Hyprland).

yay -S webex-bin

– Start the app via command line:

env QT_QPA_PLATFORM=xcb /opt/Webex/bin/CiscoCollabHost

[Desktop Entry]
Version=45.10.0.33234
Name=Webex
Comment=Webex
Exec=env QT_QPA_PLATFORM=xcb /opt/Webex/bin/CiscoCollabHost
Icon=/opt/Webex/bin/sparklogosmall.png
Terminal=false
Type=Application
Categories=Utility;Application;
MimeType=x-scheme-handler/webexteams;x-scheme-handler/ciscospark;x-scheme-handler/webex

It seems to fix the problem under Wayland, but doesn’t allow to share screen.

Arch-Linux Secureboot

Thu, 06 Nov 2025 14:12:28 +0100

Complete guide for setting up Arch Linux with Secure Boot using Ubuntu’s signed shim and systemd-boot on systems with locked BIOS (cannot disable Secure Boot or enroll custom keys).

Prerequisites

Ventoy USB with Secure Boot support enabled
Official Arch Linux ISO
System with Secure Boot enabled (locked BIOS)
Internet connection for AUR packages

Overview

This setup uses:

Ventoy to boot the official Arch ISO with Secure Boot enabled
Ubuntu’s signed shim (trusted by Microsoft) as first-stage bootloader
systemd-boot as second-stage bootloader (renamed to grubx64.efi)
Personal MOK keys to sign kernel and bootloader
Pacman hooks for automatic signing on updates

Step 1: Install Arch Linux

Boot from Ventoy, select the Arch Linux ISO, and perform a standard Arch installation with systemd-boot as your bootloader.

KEDA Autoscaling with Nginx

Tue, 04 Nov 2025 15:24:21 +0100

A demonstration of Kubernetes Event-Driven Autoscaling (KEDA) with Nginx deployment, featuring automated load testing and real-time scaling monitoring.

📋 Overview

This project demonstrates horizontal pod autoscaling using KEDA based on CPU utilization. The setup automatically scales an Nginx deployment between 3-10 replicas when CPU usage exceeds 40%.

🚀 Features

CPU-Based Autoscaling: Scales based on 40% CPU utilization threshold
Configurable Replica Range: 3 minimum, 10 maximum pods
Intelligent Cooldown: 30-second cooldown period between scaling events
Load Testing Script: Python-based concurrent load generator
Real-Time Monitoring: Live pod count and request distribution tracking
Even Load Distribution: Kubernetes service ensures balanced traffic across pods

📁 Configuration

KEDA ScaledObject (`nginx-scaler.yaml`)

apiVersion: keda.sh/v1alpha1
kind: ScaledObject
metadata:
  name: nginx-scaler
spec:
  scaleTargetRef:
    name: nginx
  minReplicaCount: 3
  maxReplicaCount: 10
  cooldownPeriod: 30
  pollingInterval: 10
  triggers:
    - type: cpu
      metricType: Utilization
      metadata:
        value: "40"

Key Parameters

Parameter	Value	Description
`minReplicaCount`	3	Minimum number of pods
`maxReplicaCount`	10	Maximum number of pods
`cooldownPeriod`	30s	Wait time before scaling down
`pollingInterval`	10s	Frequency of metric checks
`cpu.value`	40%	CPU threshold for scaling

📦 Baseline Setup

Initial Deployment State

Before load testing, the environment was configured with:

Webex Twilio

Mon, 03 Nov 2025 21:32:36 +0100

🚀 Homelab Project: Certificate-based Local Gateway (CUBE) integration between Webex Calling and Twilio.

I recently built a full voice integration lab combining:

🔹 Cisco Catalyst 8000V as CUBE (Local Gateway)
🔹 Webex Calling (sandbox trial)
🔹 Twilio Elastic SIP Trunk (free account)

The setup uses SIP/TLS and SRTP to ensure secure end-to-end communication between Webex Calling and Twilio.

cube-config.md

##  Baseline configuration
hostname cube1

ip name-server 1.1.1.1
ip domain name example.com

interface GigabitEthernet1
 ip address 10.10.10.5 255.255.255.0

ip route 0.0.0.0 0.0.0.0 10.10.10.1

line vty 0 4
 exec-timeout 30 0
 logging synchronous
 login local
 transport input ssh

ntp server de.pool.ntp.org

## License Configuration

license boot level network-premier addon dna-premier
platform hardware throughput level MB 1000


## Protect STUN Credentials

key config-key password-encrypt PASSWORD
password encryption aes


## Certificate Configuration

!! Create an RSA key pair
crypto key generate rsa general-keys exportable label lgw-key modulus 4096

!! Create a trustpoint for the certificate
crypto pki trustpoint LGW_CERT
 enrollment terminal pem
 fqdn none
 subject-name cn=cube1.example.com
 subject-alt-name cube1.example.com
 revocation-check none
 rsakeypair lgw-key
 hash sha256 

!! Generate CSR
crypto pki enroll LGW_CERT

!! Paste Intermediate X.509 base64 certificate here
crypto pki authenticate LGW_CERT

!! Paste CUBE host certificate here
crypto pki import LGW_CERT certificate

!! Enable TLS 1.2
sip-ua
 crypto signaling default trustpoint LGW_CERT
 transport tcp tls v1.2

!! Install Cisco root CA bundle
ip http client source-interface GigabitEthernet1
crypto pki trustpool import clean url http://www.cisco.com/security/pki/trs/ios_core.p7b

!! Install Digicert global root CA (for Twilio SIP trunk)
crypto pki trustpoint twilio
 enrollment terminal
 revocation-check none

crypto pki authenticate twilio
<paste Digicert global root CA certificate here>


## Global SIP Configuration

voice service voip
 ip address trusted list
  ipv4 23.89.0.0 255.255.0.0  !Webex Calling IPs
  ipv4 62.109.192.0 255.255.192.0
  ipv4 85.119.56.0 255.255.254.0
  ipv4 128.177.14.0 255.255.255.0
  ipv4 128.177.36.0 255.255.255.0
  ipv4 135.84.168.0 255.255.248.0
  ipv4 139.177.64.0 255.255.248.0
  ipv4 139.177.72.0 255.255.254.0
  ipv4 144.196.0.0 255.255.0.0
  ipv4 150.253.128.0 255.255.128.0
  ipv4 163.129.0.0 255.255.128.0
  ipv4 170.72.0.0 255.255.0.0
  ipv4 170.133.128.0 255.255.192.0
  ipv4 185.115.196.0 255.255.252.0
  ipv4 199.19.196.0 255.255.254.0
  ipv4 199.19.199.0 255.255.255.0
  ipv4 199.59.64.0 255.255.248.0
 
  ipv4 54.171.127.192 255.255.255.192 !Twilio Service Provider IPs
  ipv4 54.171.127.192 255.255.255.192
  ipv4 54.244.51.0 255.255.255.0
  ipv4 54.172.60.0 255.255.254.0
  ipv4 54.172.60.0 255.255.255.252
  ipv4 54.244.51.0 255.255.255.252
  ipv4 54.171.127.192 255.255.255.252
  ipv4 35.156.191.128 255.255.255.252
  ipv4 54.65.63.192 255.255.255.252
  ipv4 54.169.127.128 255.255.255.252
  ipv4 54.252.254.64 255.255.255.252
  ipv4 177.71.206.192 255.255.255.252
  exit
 exit

## SIP Global Commands

voice service voip
 address-hiding
 mode border-element
 allow-connections sip to sip
 no supplementary-service sip refer
 trace
 media statistics
 stun
  stun flowdata agent-id 1 boot-count 4
  stun flowdata shared-secret 0 Password123$
  exit
 sip
  asymmetric payload full
  early-offer forced
  sip-profiles inbound
  exit


## SIP Profiles

### Webex Calling (Outbound)

!! SIP profiles for outbound messages to Webex Calling; vCube behind NAT, internal ipv4 10.10.10.5 , NAT public ipv4 192.65.79.20
voice class sip-profiles 100
 rule 10 request ANY sip-header Contact modify "@.*:" "@cube1.example.com:"
 rule 20 response ANY sip-header Contact modify "@.*:" "@cube1.example.com:"
 rule 30 response ANY sdp-header Audio-Attribute modify "(a=candidate:1 1.*) 10.10.10.5" "\1 192.65.79.20"
 rule 31 response ANY sdp-header Audio-Attribute modify "(a=candidate:1 2.*) 10.10.10.5" "\1 192.65.79.20"
 rule 40 response ANY sdp-header Audio-Connection-Info modify "IN IP4 10.10.10.5" "IN IP4 192.65.79.20"
 rule 41 request ANY sdp-header Audio-Connection-Info modify "IN IP4 10.10.10.5" "IN IP4 192.65.79.20"
 rule 50 request ANY sdp-header Connection-Info modify "IN IP4 10.10.10.5" "IN IP4 192.65.79.20"
 rule 51 response ANY sdp-header Connection-Info modify "IN IP4 10.10.10.5" "IN IP4 192.65.79.20"
 rule 60 response ANY sdp-header Session-Owner modify "IN IP4 10.10.10.5" "IN IP4 192.65.79.20"
 rule 61 request ANY sdp-header Session-Owner modify "IN IP4 10.10.10.5" "IN IP4 192.65.79.20"
 rule 70 request ANY sdp-header Audio-Attribute modify "(a=rtcp:.*) 10.10.10.5" "\1 192.65.79.20"
 rule 71 response ANY sdp-header Audio-Attribute modify "(a=rtcp:.*) 10.10.10.5" "\1 192.65.79.20"
 rule 80 request ANY sdp-header Audio-Attribute modify "(a=candidate:1 1.*) 10.10.10.5" "\1 192.65.79.20"
 rule 81 request ANY sdp-header Audio-Attribute modify "(a=candidate:1 2.*) 10.10.10.5" "\1 192.65.79.20"
!

### Webex Calling (Inbound)

voice class sip-profiles 110
 rule 10 response ANY sdp-header Video-Connection-Info modify "192.65.79.20" "10.10.10.5"
 rule 20 response ANY sip-header Contact modify "@.*:" "@cube1.example.com:"
 rule 30 response ANY sdp-header Connection-Info modify "192.65.79.20" "10.10.10.5"
 rule 40 response ANY sdp-header Audio-Connection-Info modify "192.65.79.20" "10.10.10.5"
 rule 50 response ANY sdp-header Session-Owner modify "192.65.79.20" "10.10.10.5"
 rule 60 response ANY sdp-header Audio-Attribute modify "(a=candidate:1 1.*) 192.65.79.20" "\1 10.10.10.5"
 rule 70 response ANY sdp-header Audio-Attribute modify "(a=candidate:1 2.*) 192.65.79.20" "\1 10.10.10.5"
 rule 80 response ANY sdp-header Audio-Attribute modify "(a=rtcp:.*) 192.65.79.20" "\1 10.10.10.5"
!

### SIP Options Keepalive

voice class sip-profiles 115
 rule 10 request OPTIONS sip-header Contact modify "<sip:.*:" "<sip:cube1.example.com:"
 rule 30 request ANY sip-header Via modify "(SIP.*) 10.10.10.5" "\1 192.65.79.20"
 rule 40 response ANY sdp-header Connection-Info modify "10.10.10.5" "192.65.79.20"
 rule 50 response ANY sdp-header Audio-Connection-Info modify "10.10.10.5" "192.65.79.20"
!

### Twilio

voice class sip-profiles 200
 request REINVITE sip-header From modify "(<.*:.*)(@.*>)" "\1@example.pstn.twilio.com>"
 request CANCEL sip-header From modify "(<.*:.*)(@.*>)" "\1@example.pstn.twilio.com>"
 request INVITE sip-header To modify "(<.*:.*)(@.*>)" "\1@example.pstn.twilio.com>"
 request REINVITE sip-header To modify "(<.*:.*)(@.*>)" "\1@example.pstn.twilio.com>"
 request INVITE sip-header From modify "(<.*:.*)(@.*>)" "\1@example.pstn.twilio.com;user=phone>"
 request INVITE sip-header P-Asserted-Identity modify "(<.*:.*)(@.*>)" "\1@example.pstn.twilio.com;user=phone>"
 request ANY sip-header Contact modify "@.*:" "@192.65.79.20:"
 response ANY sip-header Contact modify "@.*:" "@192.65.79.20:"
!


## SIP config

!
voice class uri 100 sip
 pattern cube1.example.com:5062
!
voice class uri 200 sip
 pattern cube1.example.com:5061
!
voice class codec 100
 codec preference 1 g711ulaw
 codec preference 2 g711alaw
!
voice class codec 200
 codec preference 1 g711ulaw
 codec preference 2 g711alaw
!
voice class stun-usage 100
 stun usage firewall-traversal flowdata
 stun usage ice lite
!
voice class dpg 100
 description TWILIO PSTN to Webex Calling
 dial-peer 100
!
voice class dpg 200
 description Webex Calling to TWILIO PSTN
 dial-peer 200
!
voice class sip-options-keepalive 100
 description Keepalive for Webex Calling
 up-interval 5
 transport tcp tls
 sip-profiles 115
!
voice class sip-options-keepalive 200
 description Keepalive for Twilio Calling
 up-interval 5
 transport tcp tls
 sip-profiles 115
!
!
voice class srtp-crypto 100
 crypto 1 AES_CM_128_HMAC_SHA1_80
!
voice class srtp-crypto 200
 crypto 1 AES_CM_128_HMAC_SHA1_80
!

## Local Gateway Tenant (Webex Calling)

voice class tenant 100
  listen-port secure 5062
  no remote-party-id
  sip-server dns:eun01.sipconnect.bcld.webex.com
  srtp-crypto 100
  localhost dns:cube1.example.com
  session transport tcp tls
  no session refresh
  error-passthru
  rel1xx disable
  asserted-id pai
  bind control source-interface GigabitEthernet1
  bind media source-interface GigabitEthernet1
  no pass-thru content custom-sdp
  sip-profiles 100
  sip-profiles 110 inbound
  privacy-policy passthru
!

## Twilio PSTN Tenant

voice class tenant 200
  sip-server dns:example.pstn.twilio.com
  srtp-crypto 200
  localhost dns:cube1.example.com
  session transport tcp tls
  asserted-id pai
  bind control source-interface GigabitEthernet1
  bind media source-interface GigabitEthernet1
  sip-profiles 200
  early-offer forced
!

## Dial-Peers

!
dial-peer voice 100 voip
 description Inbound/Outbound Webex Calling
 destination-pattern BAD.BAD
 session protocol sipv2
 session target sip-server
 session transport tcp tls
 destination dpg 200
 incoming uri request 100
 voice-class codec 100
 voice-class stun-usage 100
 voice-class sip tenant 100
 voice-class sip options-keepalive profile 100
 dtmf-relay rtp-nte
 srtp
 no vad
!
dial-peer voice 200 voip  
 description Inbound/Outbound TWILIO PSTN
 destination-pattern BAD.BAD
 session protocol sipv2
 session target sip-server
 session transport tcp tls
 destination dpg 100
 incoming uri request 200
 voice-class codec 200
 voice-class sip tenant 200
 voice-class sip options-keepalive profile 200
 dtmf-relay rtp-nte
 srtp
 no vad

Arch-Linux Install

Mon, 03 Nov 2025 20:07:53 +0100

Environment Details

Boot Image: archlinux-2025.10.01-x86_64.iso

Virtualization Platform:  VMware ESXi
Virtual Machine Configuration:
CPU: 2 cores
RAM: 4 GB
Storage: 16 GB HDD

Boot the live environment

Arch Linux installation images do not support Secure Boot. You will need to disable Secure Boot to boot the installation medium.

Console fonts are located in /usr/share/kbd/consolefonts/ and can likewise be set with setfont(8) omitting the path and file extension. 
For example, to use one of the largest fonts suitable for HiDPI screens, run:

root@archiso ~ # setfont ter-132b

Verify the boot mode

Arch-Linux Chroot

Sun, 02 Nov 2025 13:25:46 +0100

There’s a significant difference between arch-chroot and chroot that’s important to understand when working with Arch Linux installations.

`arch-chroot /mnt`

This is a wrapper script provided by the Arch installation ISO that does much more than just chroot. It’s the preferred method during Arch Linux installation.

What it does automatically:

Mounts important filesystems (/proc, /sys, /dev, /dev/pts, /run)
Copies DNS configuration (/etc/resolv.conf) so networking works
Sets up the chroot environment properly
Uses bash by default (ignoring the shell specified in /etc/passwd)

Usage:

arch-chroot /mnt

Use this during Arch installation - it’s designed specifically for this purpose and handles all the tedious setup work for you.

Vault Install

Sun, 02 Nov 2025 12:21:27 +0100

This guide documents the process of installing and configuring vault to safely manage secrets/sensitive data.

System

# System version
ubuntu@vault:~$ uname -a
Linux vault 6.8.0-86-generic #87-Ubuntu SMP PREEMPT_DYNAMIC Mon Sep 22 18:03:36 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
ubuntu@vault:~$
ubuntu@vault:~$ cat /etc/os-release
PRETTY_NAME="Ubuntu 24.04.3 LTS"
NAME="Ubuntu"
VERSION_ID="24.04"
VERSION="24.04.3 LTS (Noble Numbat)"
VERSION_CODENAME=noble
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=noble
LOGO=ubuntu-logo
ubuntu@vault:~$

Install

# Install Vault
sudo apt update && sudo apt upgrade -y
wget -O - https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(grep -oP '(?<=UBUNTU_CODENAME=).*' /etc/os-release || lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
sudo apt update && sudo apt install vault

# verify version
ubuntu@vault:~$ vault --version
Vault v1.21.0 (818ca8b3575ea937ca48b640baf35e1b2ede1833), built 2025-10-21T19:33:18Z
ubuntu@vault:~$

Configuration

# vault configuration file
cat /etc/vault.d/vault.hcl
# Copyright IBM Corp. 2016, 2025
# SPDX-License-Identifier: BUSL-1.1

# Full configuration options can be found at https://developer.hashicorp.com/vault/docs/configuration

ui = true

#mlock = true
#disable_mlock = true

storage "file" {
  path = "/opt/vault/data"
}

#storage "consul" {
#  address = "127.0.0.1:8500"
#  path    = "vault"
#}

# HTTP listener
#listener "tcp" {
#  address = "127.0.0.1:8200"
#  tls_disable = 1
#}

# HTTPS listener
listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/opt/vault/tls/tls.crt"
  tls_key_file  = "/opt/vault/tls/tls.key"
}

# API address for cluster communication
api_addr = "https://vault.uclab8.net:8200"

# Enterprise license_path
# This will be required for enterprise as of v1.8
#license_path = "/etc/vault.d/vault.hclic"

# Example AWS KMS auto unseal
#seal "awskms" {
#  region = "us-east-1"
#  kms_key_id = "REPLACE-ME"
#}

# Example HSM auto unseal
#seal "pkcs11" {
#  lib            = "/usr/vault/lib/libCryptoki2_64.so"
#  slot           = "0"
#  pin            = "AAAA-BBBB-CCCC-DDDD"
#  key_label      = "vault-hsm-key"
#  hmac_key_label = "vault-hsm-hmac-key"
#}

# enable vault service
systemctl enable --now vault.service

Status

# verify service status
ubuntu@vault:~$ systemctl status vault.service
● vault.service - "HashiCorp Vault - A tool for managing secrets"
     Loaded: loaded (/usr/lib/systemd/system/vault.service; enabled; preset: enabled)
     Active: active (running) since Sat 2025-10-25 11:01:03 UTC; 1 week 1 day ago
       Docs: https://developer.hashicorp.com/vault/docs
   Main PID: 2142 (vault)
      Tasks: 9 (limit: 7065)
     Memory: 98.5M (peak: 99.2M)
        CPU: 1h 56min 41.603s
     CGroup: /system.slice/vault.service
             └─2142 /usr/bin/vault server -config=/etc/vault.d/vault.hcl

Certificates

# generate certificates
certbot certonly --preferred-challenges=dns --manual -d vault.uclab8.net

# set new certificates
cp /etc/letsencrypt/live/vault.uclab8.net/fullchain.pem /opt/vault/tls/tls.crt
cp /etc/letsencrypt/live/vault.uclab8.net/privkey.pem /opt/vault/tls/tls.key

# set permissions
chown vault:vault /opt/vault/tls/tls.crt /opt/vault/tls/tls.key
chmod 600 /opt/vault/tls/tls.crt /opt/vault/tls/tls.key

# export vault url
echo 'export VAULT_ADDR="https://vault.uclab8.net:8200"' >> ~/.bashrc

# restart service
systemctl restart vault

Initialize vault

# initialize and setup vault
vault operator init
vault operator unseal
vault login
vault secrets enable -path=apps kv-v2
vault auth enable userpass
cat <<EOF | vault policy write apps-manager -
# Allow full access to apps/ path (KV v2)
path "apps/data/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
path "apps/metadata/*" {
capabilities = ["list", "read", "delete"]
}
path "apps/*" {
capabilities = ["list"]
}
EOF
vault write auth/userpass/users/affragak   password=supersecretpassword   policies=apps-manager
vault write auth/userpass/users/affragak   password=supersecretpassword   policies=apps-manager

# vault login
vault login -method=userpass \
username=affragak  \
password=supersecretpassword

Vault

Sun, 02 Nov 2025 12:10:33 +0100

Steps to use vault; login , add and retrieve a secret.

Vault Environment

export VAULT_ADDR='https://vault.uclab8.net:8200'

Authentication

vault login -method=userpass \
    username=<username> \
    password=<password>

Status

❯ vault status
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    5
Threshold       3
Version         1.18.4
Build Date      2025-01-29T13:57:54Z
Storage Type    file
Cluster Name    vault-cluster-5c71a2e8
Cluster ID      1cdb3cce-a97a-c3ef-dc33-9385e1eae1b3
HA Enabled      false

Store a secret

# Put the kubeconfig from a file
vault kv put apps/k3s kubeconfig=@/path/to/your/kubeconfig

Retrieve a secret

# Retrieve the kubeconfig from a file
vault kv get -field=kubeconfig apps/k3s > kubeconfig

Arch-Linux Font installation

Sun, 02 Nov 2025 10:34:22 +0100

This guide covers user-level installation of Departure Mono fonts on Arch Linux.

Prerequisites

wget and unzip packages installed
Internet connection

Installation Steps

Download the Font

wget https://departuremono.com/assets/DepartureMono-1.422.zip

Create Fonts Directory

Create the local fonts directory if it doesn’t already exist:

mkdir -p ~/.local/share/fonts

Extract the Fonts

Unzip the font files to your local fonts directory:

unzip DepartureMono-1.422.zip -d ~/.local/share/fonts/

Update Font Cache

Refresh the font cache so your system recognizes the new fonts:

Migrating /home to a new encrypted drive

Sun, 02 Nov 2025 09:11:25 +0100

System: Arch Linux with LUKS + LVM

Overview

This guide documents the process of migrating /home from an existing LUKS+LVM setup to a new encrypted drive while maintaining the same security architecture (LVM on LUKS).

System Configuration:

Arch Linux
LUKS encryption
LVM for volume management
Existing setup: /dev/sda2 → LUKS → LVM (root, swap, home)
Goal: Move home to new /dev/sdb1 → LUKS → LVM

Prerequisites

Root access (SSH as root enabled)
New disk added to VM/system
Existing data backed up (recommended)

Step 1: Prepare the New Disk

1.1 Verify New Disk

lsblk

Expected output shows new disk (e.g., /dev/sdb).

External Dns

Tue, 28 Oct 2025 10:41:42 +0100

Gateway API Support

Gateways labeled with external-dns: enabled, creates DNS records for hostnames in HTTPRoutes.

provider:
  name: pihole
policy: sync

env:
  - name: EXTERNAL_DNS_PIHOLE_PASSWORD
    valueFrom:
      secretKeyRef:
        name: pihole-password
        key: EXTERNAL_DNS_PIHOLE_PASSWORD

extraArgs:
  - --pihole-server=http://pihole.pihole.svc.cluster.local
  - --pihole-api-version=6
  - --gateway-label-filter=external-dns==enabled

sources:
  - gateway-httproute

ingressClassFilters:
  - cilium

Gateway Example

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: blog
  namespace: blog
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-production # Specify the name of your issuer resource
  labels:
    external-dns: enabled
spec:
  gatewayClassName: cilium
  listeners:
    - hostname: blog.uclab8.net # Specify a valid domain to reach your application
      name: blog-uclab8-net-http
      port: 80
      protocol: HTTP
    - hostname: blog.uclab8.net # Specify a valid domain to reach your application
      name: blog-uclab8-net-https
      port: 443
      protocol: HTTPS
      tls:
        mode: Terminate
        certificateRefs:
          - kind: Secret
            name: blog-uclab8-tls # Specify the secret name to be used with your application
      allowedRoutes:
        namespaces:
          from: All

Mikrotik Logs

Sun, 29 Jun 2025 16:59:03 +0200

Complementary to MKTXP, this project also adds some extra capabilities such an centralized Mikrotik log processing based on a syslog-ng / promtail / Loki stack.

Syslog-ng

deployment.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: syslog-ng
spec:
  replicas: 1
  selector:
    matchLabels:
      app: syslog-ng
  template:
    metadata:
      labels:
        app: syslog-ng
    spec:
      containers:
        - name: syslog-ng
          image: balabit/syslog-ng:4.8.0
          ports:
            - containerPort: 601
              protocol: TCP
            - containerPort: 514
              protocol: UDP
          volumeMounts:
            - name: config-volume
              mountPath: /etc/syslog-ng/syslog-ng.conf
              subPath: syslog-ng.conf
            - name: syslog-ng-logs
              mountPath: /var/log # Syslog-NG will write logs here
      volumes:
        - name: config-volume
          configMap:
            name: syslog-ng-config
        - name: syslog-ng-logs
          persistentVolumeClaim:
            claimName: syslog-ng-logs-pvc

Mikrotik Monitoring

Sun, 29 Jun 2025 16:38:17 +0200

Mikrotik Router Monitoring with Grafana/Prometheus.

MKTXP Exporter

source: https://github.com/akpw/mktxp

MKTXP is a Prometheus Exporter for Mikrotik RouterOS devices.
It gathers and exports a rich set of metrics across multiple routers, all easily configurable via built-in CLI interface.

Grafana Dashboard: https://grafana.com/grafana/dashboards/13679-mikrotik-mktxp-exporter/

Deployment

deployment.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: mktxp-exporter
spec:
  selector:
    matchLabels:
      app: mktxp-exporter
  template:
    metadata:
      labels:
        app: mktxp-exporter
    spec:
      containers:
        - name: mktxp-exporter
          image: ghcr.io/akpw/mktxp:1.2.10
          args:
            - --cfg-dir
            - /mktxp_config
            - export
          resources:
            limits:
              memory: "256Mi"
              cpu: "200m"
          volumeMounts:
            - name: mktxp-credentials
              mountPath: /mktxp_config
          ports:
            - containerPort: 49090
      volumes:
        - name: mktxp-credentials
          secret:
            secretName: mktxp-credentials

Devcontainer Build

Sat, 14 Jun 2025 19:44:51 +0200

A streamlined approach to building development containers with Mise for tool version management and chezmoi for dotfiles synchronization, featuring automated setup and DevPod integration for portable development environments.

Prerequisites

Docker installed and running
DevPod CLI installed

  # Configure DevPod for terminal-based workflow (Neovim)
  devpod ide use none
  devpod provider add docker

Directory Structure

.devcontainer/
├── devcontainer.json
├── Dockerfile
└── scripts
    └── setup

Dockerfile

# Dockerfile
FROM mcr.microsoft.com/devcontainers/base:ubuntu-24.04

COPY --from=jdxcode/mise /usr/local/bin/mise /usr/local/bin/

# make sure mise is activated in both zsh and bash. Might be overridden by a user's dotfiles.
RUN echo 'eval "$(mise activate bash)"' >> /home/vscode/.bashrc && \
    echo 'eval "$(mise activate zsh)"' >> /home/vscode/.zshrc

Devcontainer

# devcontainer.json
{
  "build": {
    "context": "..",
    "dockerfile": "Dockerfile"
  },
  "remoteEnv": {
    "MISE_GITHUB_TOKEN": "${localEnv:MISE_GITHUB_TOKEN}"
  },
  "postCreateCommand": ".devcontainer/scripts/setup",
  "forwardPorts": [8000]
}

Script/setup

#!/bin/bash
/usr/local/bin/mise trust /workspaces/"$DEVPOD_WORKSPACE_ID"/mise.toml && /usr/local/bin/mise install

Build

devpod up . --dotfiles git@github.com:affragak/dotfiles-devpod.git

Connect

devpod ssh .

Flux Upgrade

Mon, 07 Apr 2025 14:24:59 +0200

Create a new workflow in GitHub repo under Actions.
Generate a classic PAT and create a secret.
Then use the below code.
That will create a pull-request in GitHub.

Flux Upgrade with with GitHub Actions.

# flux-upgrade.yaml
name: update-flux

on:
  workflow_dispatch:
  schedule:
    - cron: "0 0 1 * *"

permissions:
  contents: write
  pull-requests: write

jobs:
  components:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
        uses: actions/checkout@v4
      - name: Setup Flux CLI
        uses: fluxcd/flux2/action@main
      - name: Check for updates
        id: update
        run: |
          flux install \
            --export > ./clusters/athena/flux-system/gotk-components.yaml

          VERSION="$(flux -v)"
          echo "flux_version=$VERSION" >> $GITHUB_OUTPUT
      - name: Create Pull Request
        uses: peter-evans/create-pull-request@v7
        with:
            token: ${{ secrets.FLUX_UPDATE_PAT }}
            branch: update-flux
            commit-message: Update to ${{ steps.update.outputs.flux_version }}
            title: Update to ${{ steps.update.outputs.flux_version }}
            body: |
              ${{ steps.update.outputs.flux_version }}

K3s Home Lab

Sun, 12 Jan 2025 16:41:31 +0100

my kubernetes homelab

this is a post for my home lab kubernetes cluster.
main purpose of lab is to learn and have fun.

Cluster provisioning

K3s: Lightweight Kubernetes distribution running on mixed ARM/x86 architecture.

Hardware

i use one Raspberry Pi 5 control plane and two Intel NUC8i7 worker nodes.

❯ k get nodes
NAME     STATUS   ROLES                  AGE     VERSION
athena   Ready    control-plane,master   8d      v1.33.4+k3s1
nuc242   Ready    <none>                 7d23h   v1.33.4+k3s1
nuc243   Ready    <none>                 7d18h   v1.33.4+k3s1

Features

Advanced networking - Cilium CNI with eBPF for high-performance networking
GitOps workflow - All configurations managed through Git
Encrypted secrets - External Secrets Operator with HashiCorp Vault for secure secret management
Database management - PostgreSQL clusters via CloudNative-PG operator
Complete observability - Grafana dashboards with Prometheus metrics
Automated TLS - Let’s Encrypt certificates via cert-manager
Zero-config internet access - Cloudflare Tunnels without firewall changes
Automatic dependency updates - Renovate bot for keeping applications current
Development ready - Preconfigured dev container for immediate productivity

No pods are allowed to be scheduled on the control plane.

Hugo on K3s

Sun, 12 Jan 2025 11:10:25 +0100

i decided to make a website. a static one. this one. with Hugo.
the main reason i have for needing a website is as a learning project, so i have some stuff to host in a Kubernetes cluster i’m running. the k3s cluster is also a learning project.
k3s running in Raspberry Pi 5 control plane and two Intel NUC8i7 worker nodes.
Cilium as cni. Flux as continuous delivery.
gitlab runs as selfhosted in a separate vm.
my repo structure according to fluxcd best practices.

Search

Mon, 01 Jan 0001 00:00:00 +0000

DevOps von UCLAB

Containers From Scratch

AI Devcontainer — Architecture & Setup

Overview

Host Requirements

File Structure

Docker Image

Vault on a Synology NAS and Migrating Secrets

Tmux Multiple Panes

Sending the Same Command to Multiple Panes/Windows in tmux

Building a Virtual Cisco Network Lab with Containerlab

Deploying NetBox on k3s

AWX in Practice

Deploying AWX on kubernetes

The Stack

Repository Structure

Kubectl Kustomize

Hello World in Python

The Code

What Everything Does

Detailed Breakdown

Extended Example

IDEAS

INSIGHTS

RECOMMENDATIONS

HABITS

FACTS

Adding Avatar to my Hugo blog

The Goal

Step 1 — Place the Image

Building a Microservice for my Hugo Blog on k3s

Architecture

Kubernetes Port Configuration

Key Insight: The Full Traffic Chain

containerPort is Documentation Only

Self-Hosting Meilisearch Search for a Hugo Blog on k3s

Why Meilisearch

Bash Scripting Logical Operators

Bash Scripting - Handling Defaults

Persistent vs. Temporary

${var:=default} — The Persistent Assignment

Pandoc Instant Markdown-to-HTML

The Basic Idea

Markdown

What Is Markdown?

Latex KaTex MathJax

What is Latex?

AKS Cluster: Flux GitOps

Overview

What Changed from Dev

AKS with Azure Key Vault Using Terraform

Overview

Authenticating with Azure CLI

Cloudflare Tunnels to Securely Expose Kubernetes Services

How It Works

Conventional Commits

Why Conventional Commits?

Enforcing Image Signing in k3s

The Goal

Hugo Blog — Hardening the Pipeline

Securing the CI/CD Chain

Kubernetes Architecture

The Two Big Pieces: Control Plane & Worker Nodes

Self-hosting Umami Analytics

Stack

Database

Automating Renovate PR Reviews with n8n

The Problem: Renovate Bot is Prolific

Forgejo on K3S

Architecture Overview

How to Safely Upgrade a k3s Cluster

My Cluster Layout

Hugo End-to-End Security

🔐 Hardened Hugo + NGINX Static Site on Kubernetes (PSS Restricted)

Secure Dockerfile

Hardened nginx.conf

Hardened Kubernetes Deployment

NetworkPolicy (Zero Trust Model)

Hugo Blog — Full CI/CD GitOps

Forgejo → k3s with Flux

`containerPort` is Documentation Only

What Does `echo "Hello" > /proc/1/fd/1` Actually Do?

The `/proc` Filesystem