Posts
Too many passwords
Just documenting my current password strategy. Phasing out LastPass in favor of 1Password (I’ve already imported everything into 1Password, but haven’t pulled the “delete” trigger yet). Both are set up with MFA at Authy (with cloud backup and password) and a YubiKey; it’s kind of nice that they have a desktop application. I try to keep Authy as only a “top-level” 2FA, and put the rest of the 2FAs into 1Password. Authy is tied to a phone number, so I have to hang on to that. It’d be nice if multiple physical tokens could be added to 1Password (to physically vault one).
Just 1Password things
It took me a while to get Connect server going with Kubernetes, here are my notes. I haven’t gone very deep on this, I’m just starting with 1Password in earnest (beyond the simple use cases).
CI and SSH (and passphrases)
Took me a while to figure out SSH keys (with passphrases) in CI. I do much of my work (in operations) with Ansible. Typically, secrets in CI are handled with environment variables. Suppose you need to SSH from within CI to do some work; the following should do the trick (in a Linux or Linux-like runtime):
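The shape of that trick, as an added example rather than the post’s own snippet: the key and its passphrase are assumed to arrive in two hypothetical environment variables (SSH_PRIVATE_KEY and SSH_KEY_PASSPHRASE) exported by the CI runner from its secret store, the key is written to a mode-0600 file without ever touching a command line, and ssh-add is fed the passphrase through SSH_ASKPASS, since it refuses to read one from a pipe.

```shell
# Added example, not the post's code: load a passphrase-protected SSH key into
# an agent inside a CI job. Assumes the CI runner exports the hypothetical
# variables SSH_PRIVATE_KEY (the private key, newlines intact) and
# SSH_KEY_PASSPHRASE (its passphrase).
set -eu

# Materialise the key with mode 0600 in a directory created with mode 0700.
# The key goes through printf's stdout, never argv, so it is not visible in
# /proc/*/cmdline to other processes on the runner.
write_key_file() {
  keydir="$1"
  keyfile="$keydir/id_ci"
  (
    umask 077
    mkdir -p "$keydir"
    printf '%s\n' "$SSH_PRIVATE_KEY" > "$keyfile"
  )
  echo "$keyfile"
}

# ssh-add will not read a passphrase from a pipe; with no tty it runs the
# program named in SSH_ASKPASS instead. The throwaway helper reads the
# variable itself, so the passphrase is never written into the script.
load_key() {
  keyfile="$1"
  eval "$(ssh-agent -s)" >/dev/null
  askpass="$(mktemp)"
  printf '#!/bin/sh\nprintf "%%s" "$SSH_KEY_PASSPHRASE"\n' > "$askpass"
  chmod 700 "$askpass"
  # DISPLAY must be set or ssh-add ignores SSH_ASKPASS; SSH_ASKPASS_REQUIRE=force
  # (OpenSSH 8.4+) makes it use the helper even if a tty happens to exist.
  DISPLAY=:0 SSH_ASKPASS="$askpass" SSH_ASKPASS_REQUIRE=force \
    ssh-add "$keyfile" </dev/null
  rm -f "$askpass"
}

# Run end to end only when invoked as `sh ci-ssh.sh --run`, so the functions
# can be sourced elsewhere without side effects.
if [ "${1:-}" = "--run" ]; then
  kf="$(write_key_file "$HOME/.ssh")"
  load_key "$kf"
  ssh-add -l
  # ansible-playbook, git, scp, ... now authenticate through the agent.
  ssh-agent -k >/dev/null
fi
```

Kill the agent at the end of the job (as the `--run` branch does); on shared runners a lingering agent holding a decrypted key outlives the secrets that unlocked it.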
UniFi policy-based routing (PBR)
My home is powered by Ubiquiti’s UniFi product line. I’ve been using the kit for, oh, probably 3 or 4 years now, and it’s been fine (there’s much to be said for things that just work). I don’t jump on the latest-and-greatest firmware; typically, I’m probably months behind what’s current. At the time of writing, I’m at 6.0.45 and the blurb says that 6.4.54 is out.
Local dev environment for Concourse CI
Over the last couple of days, I’ve been writing a custom Concourse resource, and I thought I’d take a few to walk through how I set up my local development environment. If you’re not familiar with Concourse CI, and you’re doing some sort of CI/CD, give it a look. For me, it’s been quite refreshing. At $lastjob, we were a Jenkins shop, and, I’m not sure I miss it all that much :smile:. When it comes down to usage, I’ll take declarative YAML over imperative Groovy every day of the week, including Sunday.
PostgreSQL 10 and Patroni on Ubuntu 18.04
The following article continues on the previous one by introducing Patroni. The project source is located here. Patroni adds a layer on top of our Postgres cluster enabling high availability (automatic failover, failback, etc.). I’ll be using the same three nodes that I used in the last article. In order to do its work, Patroni needs what it refers to as a DCS (dynamic configuration store). Choices for the DCS are Consul, etcd, etcd3, Zookeeper, or my personal favorite, Raft. The reason I’m fond of Raft (not that I don’t like the others) is that it works “out of the box”: we don’t need an existing deployment, or to set up a new one, as we would with the other DCSs.
PostgreSQL 10 Streaming Replication on Ubuntu 18.04
The following article will walk through setting up PostgreSQL 10 on Ubuntu 18.04. We’ll set up three nodes: one leader and a pair of followers (replicas). For the nodes, I’ll just spin up some Droplets on DigitalOcean. For the purposes of this article, I’ll leave configuration management out and we’ll do it by hand.
Ubiquiti UniFi's Cloud Key, Let's Encrypt and Namecheap
Just a quick writeup on doing real TLS on a Ubiquiti UniFi Cloud Key with Let’s Encrypt and Namecheap. Last night, my Cloud Key was acting up, so I took the time to do what I’ve been putting off for years out of sheer laziness. Not that doing TLS is overly complicated, but, it’s one of those “do I really care about this” situations. Since I was already spending time rescuing the Cloud Key, I thought, might as well do the crypto as well. You’ll have to have an API key for Namecheap, as I’m doing dns-01 ACME validation in these steps.
GitHub Deploy Keys
Just dropping a quick entry about GitHub and deploy keys. In particular, working around the “you can’t reuse them” limitation:
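One common workaround for that limitation, added here as an example (it is not the post’s own steps, which are not reproduced on this page): give each repository its own key and an ssh_config Host alias pointing at github.com, then clone through the alias. All names (gh-app, myorg/app, the deploy_* key files) are hypothetical.

```shell
# Added example, not the post's code: a deploy key can only be attached to one
# GitHub repository, so mint one key per repo and route each through its own
# ssh_config Host alias. Names are hypothetical.
set -eu

# Append a Host alias for one repo. IdentitiesOnly matters: without it ssh
# offers every loaded agent key first, GitHub authenticates whichever key it
# recognises first, and a key belonging to a different repo is then denied
# access to this one. The config is written under umask 077 because ssh
# refuses a config file that is writable by others.
# Arguments: <ssh dir> <alias> <owner/repo> <key file>
write_host_alias() {
  sshdir="$1"; host_alias="$2"; repo="$3"; keyfile="$4"
  (
    umask 077
    mkdir -p "$sshdir"
    cat >> "$sshdir/config" <<EOF
# deploy key for $repo
Host $host_alias
  HostName github.com
  User git
  IdentityFile $keyfile
  IdentitiesOnly yes
EOF
  )
}

# The clone URL that resolves through the alias, and hence the right key.
clone_url() {
  echo "git@$1:$2.git"
}

# Generate a dedicated ed25519 key and wire it up. <key file>.pub is what gets
# pasted into the repo's Deploy keys page. -N '' leaves the key unencrypted,
# the usual trade-off for unattended automation; protect the file instead.
add_deploy_key() {
  sshdir="$1"; host_alias="$2"; repo="$3"
  keyfile="$sshdir/deploy_$host_alias"
  ( umask 077; mkdir -p "$sshdir" )
  ssh-keygen -q -t ed25519 -N '' -C "deploy:$repo" -f "$keyfile"
  write_host_alias "$sshdir" "$host_alias" "$repo" "$keyfile"
  echo "add $keyfile.pub to $repo as a deploy key, then: git clone $(clone_url "$host_alias" "$repo")"
}

# Run only when invoked as `sh deploy-keys.sh --run`.
if [ "${1:-}" = "--run" ]; then
  add_deploy_key "$HOME/.ssh" gh-app myorg/app
  add_deploy_key "$HOME/.ssh" gh-infra myorg/infra
fi
```

Leave the deploy key read-only on the GitHub side unless the job genuinely has to push; a read-only key that leaks from a CI runner exposes source, a read-write one exposes the supply chain.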
Pi-hole on KVM/QEMU
I’m going to write about this, not because it’s overly complicated, but mostly because I always end up (re)Googling all of these things, regularly. The older you get, the less you tend to waste time with rote memorization, seemingly. Most, if not all, of the math profs I had reinforced this – know the concepts, you can always look up the details. Frankly, I’m tired of looking these things up, so, here goes. If you haven’t heard of Pi-hole, take a look.
Some Prometheus Exporters
Just dropping a quick entry here to make mention of a couple of Prometheus exporters I’ve hacked together recently. Firstly, there’s a Speedtest exporter here. Next, there’s an Ambient Weather exporter here. They should both have enough in the README.md to get going. If not, raise an issue please.
SSH Keys and LastPass
I’m regularly finding myself working towards minimalism, in particular when it comes to tooling. It’s quite a common problem nowadays to have many hundreds of secrets to use and manage (cough, rotate, cough!) on a regular basis. Arguably, the best tools we have for the job right now are commonly referred to as “password managers” or “secret vaults”. There are lots of them out there: LastPass, 1Password, pass, and more. Right now, for better or worse, I happen to use LastPass.