I’ve started using podman on my new laptop. It has worked well so far, even with the rootless configuration. However, I’ve never got it to save my credentials to Docker Hub, which has been annoying. I’ve had to do a podman login after every reboot. Not very convenient. The man page gave a way to store the credentials in clear text on disk, but that didn’t feel very nice from a security perspective.
On most laptops I use wg-quick to setup my WireGuard tunnels, but recently I got a bit curious about using systemd-networkd to the the same. In particular I want the same split-tunnel setup that I’ve used before to work also with systemd-networkd. Worth noticing is that the setup I describe here will automatically start the tunnel when launching the computer. I haven’t really investigated if it is possible to do it on demand.
You have probably all seen the shebang at top of shell scripts, the first line starting with #!/bin/sh. The initial characters #! tells the OS that this isn’t a regular binary, but rather something that needs to run through an interpreter, namely the interpreter after #!. Therefore you can see lines like #!/usr/bin/perl, #!/usr/bin/awk, or #!/usr/bin/python. Executing a file like ./test.sh, having the shebang #!/bin/sh, is similar to calling this command: /bin/sh .
I recently wanted to rewrite parts of an existing Node.js application in Rust. A complete rewrite would take a lot of time, so I was browsing through ways to rewrite some parts in Rust. While it seems possible to call Rust from Node by compiling Rust into a Node js module using FFI, it felt a bit messy. Instead I opted to look into gRPC, which I’ve been wanting to look into anyway.
In this post I’ll use a Yubikey, running the PIV application, to store a keypair and certificate to be used for mutual TLS. The Yubikey will generate the private key on the device, and the private key will never leave the device. Nice for security! I’ll also configure Firefox to discover the certificate stored on the device, so it can be used when browsing to a site requiring a client certificate.
I’ve traditionally used only SSH to connect to my home network while being away, but recently I got tired of using only SSH tunnels and SOCKS proxies, and decided to actually fix a working Wireguard configuration. My router is running OpenBSD, and I want Wireguard clients to be able to reach several different internal subnets. However, I don’t want to route all traffic through the VPN tunnel, only traffic to my internal network.
My goal here is to automatically launch a script when a certain USB stick is connected to the system. When plugging in the stick, the partition should be automatically mounted, a script should be executed, and some notifications should be shown on the screen. Identifying and automounting the drive My USB stick is a simple FAT32 drive, so to identify it I set a filesystem label. This allows me to distinguish this drive from other ones.
I recently got a new laptop, and wanted to setup a dual-boot solution. To do this, most guides simply tell you to disable Secure Boot and then leave it that way. I wanted to keep Secure Boot enabled. Secure Boot basics I will construct a PKI according to the image below. There are three types of keys in a Secure Boot PKI. Platform Key (PK): A single root key, used to sign the Key Exchange Keys below it.
This is a continuation of my previous article regarding FreeRADIUS with SQlite as storage backend. I recently came to think that it sometimes would be nice to be able to temporarily disable (or enable) accounts. For example, consider a scenario where you have some friends who does not come and visit you very often. Why keep their accounts activated all the time? Wouldn’t it be convenient (and more secure) just to enable their accounts when they are visiting, and then disable the accounts again?
I recently bought a UniFI AP AC Pro  access point to replace my old useless AP. For obvious geeky reasons I wanted to use WPA2 Enterprise instead of WPA2 Personal. In that way, I can have different accounts for accessing my wireless network, which means I can easily revoke access to someone using my WiFi. Using WPA2 Enterprise requires the use of a RADIUS server, so I have written down the steps I used to configure this together with RADIUS assigned VLANs, so that different accounts gets different VLANs.