Håvards page

Securely Sending Systemd Credentials to Podman Containers

Also posted on medium. Systemd got the ability to securely pass credentials to services a while ago, as I have previously written about. Podman has long had the ability to run Kubernetes pod and deployment manifests, and with podman-systemd.unit it’s easy to automatically generate systemd services to run these. With these two building blocks, we have the tools to pass credentials to container applications, but the question is how to do so easily and securely.

Christmas beer blind tasting 2024

This year we were a bit early and Vinmonopolet had not yet released the Christmas beers, so there were not many of this year's beers available and we had to get out more of the stored beer instead. The results are available; the winner this year is Amundsen Sticky Little Fingers Toffee from 2023.

Using systemd credentials to pass secrets from Hashicorp Vault to systemd services

Also posted on medium. When running services on a Linux system, there is the issue of how to pass in secrets that the service needs in a secure way. Usually this is done by creating a config file with credentials and then protecting it with file system permissions and possibly a Linux security module such as AppArmor or SELinux. This still leaves the issue that the credentials are stored in a plain text file, which can be compromised.

Baconday 2021

This year was our 10 year anniversary, so we had re-runs of some of the dishes from the last 10 years (with some twists). For the canapes, we this year did a contest.

Running cec-client with Raspberry PI on Debian or Ubuntu 64-bit

Using cec-client with a Raspberry Pi on Debian or Ubuntu does not work out of the box, as the cec-client in the Debian and Ubuntu repositories has not been compiled with support for the proprietary Raspberry Pi libraries. In addition, these libraries are 32-bit only. This is a guide on how to get this working. First you need to set up a 32-bit chroot environment. Install debootstrap and then run debootstrap --variant=buildd --arch=armhf bullseye /opt/cec-client/. You will then need to download the Raspberry Pi libraries.

Letsencrypt using DNS verification with CFEngine

To use this bundle, you will need to set up dynamic DNS, for instance as I explained in https://haavard.name/2016/03/15/setting-up-key-based-dynamic-dns-updates-with-cfengine/. I’m using a file repository in $(def.dir_files), where you will need to download letsencrypt.sh into $(def.dir_files)/usr/local/bin. You also need to set up config.sh in $(def.dir_files)/etc/letsencrypt.sh/config.sh. Use the default config.sh and modify it as you see fit; the important settings are CHALLENGETYPE="dns-01", BASEDIR=/etc/letsencrypt.sh and HOOK=/etc/letsencrypt.sh/hook-dns.sh. Then install this hook script for updating DNS when needed to verify ownership

Setting up key based dynamic DNS updates with CFEngine

In order to set up key-based dynamic DNS updates, you need to generate a public/private key pair using dnssec-keygen and add the public key as a KEY record on the name you want to be able to update using the key pair. In addition, you need to allow updates using cryptographic verification in the zone config in bind: zone "example.com" { type master; file "/etc/bind/zones/db.example.com"; update-policy { grant local-ddns zonesub any; grant * selfsub * A AAAA TXT SSHFP; }; }; If you use selfsub, the matching KEY record will also be allowed to update subrecords, which is very useful for using DNS verification in letsencrypt, for instance.

jolla owncloud uploader

I created a small Perl script to automatically upload photos from the Jolla phone and uploaded it as a project on GitHub, https://github.com/umglurf/owncloud-uploader.

Christmas beer blind tasting 2013

As usual we did a Christmas beer blind tasting this year as well (double blind, mind you) and you can check out the results. The results from previous years are also included. The winner this year was Aass Premium 2011, followed by the newcomer Ægir Ymir.

This year we also included a small blind test of Christmas soda, which is the last three entries.

Building a Debian GNU/Linux IPv6 home router

Introduction. This short post describes how I configured my own IPv6 home router using Debian GNU/Linux. I used a Dreamplug, but any device with at least 2 NICs should be usable. Although this guide describes the setup using Debian, it should be no problem using another distribution or one of the BSD variants. I will not go into too many details about the configuration; for more information you should read the man pages and/or documentation.

Connecting to a Checkpoint Endpoint VPN using radius or SecureID with racoon

Introduction. At work we use a Checkpoint Endpoint VPN, and although SNX works, it is not ideal and I would much rather have native IPsec. Thus the quest began. I found this page which helped me get on the right track. I also found Andrew de Quincey’s patch. I then had all the components required to set this up. Setting it up: patching ipsec-tools. You need to patch ipsec-tools with the patch from Andrew de Quincey to add support for Checkpoint's xauth to ipsec-tools.

Factorization for j2me phones

I don’t know about the rest of you, but I sometimes find it useful to factor numbers or find prime numbers, for instance when paying restaurant bills 🙂 To address this and also to learn a little J2ME programming, I created a small midlet. You can install the midlet or download the source. The program uses simple trial division. I thought about using a more advanced method, but for the numbers a J2ME phone is able to handle, trial division is quick enough.