    • RE: Terraform Discussion

      @wirestyle22 said in Terraform Discussion:

      I'm looking into tools that could be useful to us and a friend of mine recommended Terraform. I saw an old install guide from @scottalanmiller in which @stacksofplates commented that it is used for configuration management and provisioning. Initially I thought that Terraform would compete with Ansible/Saltstack.

      Is anyone using Terraform and if so, what are you doing with it? Are you using it in conjunction with Ansible/Saltstack?

      Terraform complements tools like Ansible, not competes with them. Terraform is just for infrastructure provisioning. It has limited config management abilities but that's not its focus.

      Ansible also has infrastructure provisioning but Terraform keeps track of your infrastructure state where Ansible does not.

      I have a pipeline I use to bring up nodes in VMware with Terraform and then Ansible joins them together into a k8s cluster.

      Terraform also integrates with a lot of other things like Cloudflare, MySQL, and others. Here's their provider list: https://www.terraform.io/docs/providers/. There are also a lot of providers written by the community.

      posted in IT Discussion
      stacksofplatesS
      stacksofplates
    • RE: How to copy linux user from server to server.

      I know you were just explaining how to do it but this is a simple task with Ansible.

      - name: Ensure user exists
        user:
          name: Joe
          state: present
          password: "password_hash"
          groups: wheel, libvirt
      

      Instead of needing the hash up front you can do things like:

      {{ 'Password1234' | password_hash('sha512') }}
      
      posted in IT Discussion
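      The task from the post above, reworked as an added example (not part of the original post) so that the password comes from a vaulted variable, the Jinja expression is quoted, and neither the plaintext nor the hash appears in task output. The names `joe_password`, `joe_password_salt` and `vault.yml` are assumptions.

```yaml
# Added example, not from the original post.
# joe_password and joe_password_salt are assumed variables, expected to live
# in vault.yml, an assumed vars file encrypted with `ansible-vault encrypt`.
- name: Ensure user exists without exposing the password
  hosts: all
  become: true
  vars_files:
    - vault.yml
  tasks:
    - name: Ensure user exists
      ansible.builtin.user:
        name: Joe
        state: present
        # password_hash() picks a random salt when none is given, so the hash
        # differs on every run. A fixed salt (up to 16 characters from
        # [./A-Za-z0-9] for sha512) keeps the value stable between runs.
        password: "{{ joe_password | password_hash('sha512', joe_password_salt) }}"
        groups: wheel,libvirt
        append: true                 # add these groups, keep existing ones
        update_password: on_create   # do not reset a password changed later
      no_log: true                   # keep plaintext and hash out of output and logs
```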
    • RE: Why Let’s Encrypt is a really, really, really bad idea…

      @Obsolesce said in Why Let’s Encrypt is a really, really, really bad idea…:

      @stacksofplates said in Why Let’s Encrypt is a really, really, really bad idea…:

      @Obsolesce said in Why Let’s Encrypt is a really, really, really bad idea…:

      @stacksofplates said in Why Let’s Encrypt is a really, really, really bad idea…:

      So I finally read this trash. How is this goon a CISSP? The CA doesn't have access to the private key on your server. That's not how CAs work. So if someone "steals the CA's key" they can't just MITM your traffic with an existing key. It's amazing that this was even published....

      Regardless of the context,
      If someone steals the CA's key, they can impersonate the CA. Then at that point... well I'm sure you know what's next.

      Right but that doesn't give you access to existing keys. Only newly generated keys. You can't just steal someone's traffic because you got the CA key. And there are a ton of other security measures in place for that scenario.

      Right, existing certs are fine. But then you have to question which are from the real CA and which are from the impersonating CA. The impersonating CA would hand out certs with known keys so mitm attacks can occur.

      I wasn't arguing that, and he never made that argument. It was solely about it being free and the hackers can get your data now.

      It's not like LE isn't monitoring their FIPS140-3 HSM with the non-exportable keys stored on it. And in the event someone somehow got in, they can immediately revoke and renew and everyone will get the new key on the next check in. Vs manual certs where you would have to log in to every server and remove the certs manually and add the new ones.

      posted in IT Discussion
    • RE: Scripting partioning on AWS

      @IRJ said in Scripting partioning on AWS:

      @stacksofplates said in Scripting partioning on AWS:

      @IRJ said in Scripting partioning on AWS:

      Found this chart on somebody's project on GitHub. Seems like a reasonable place to start?

      ce0c63ba-39ea-47f3-8720-370ff5d73ff6-image.png

      Ours would have been more like:

      mount size
      / 12GB
      /home 1GB
      /var 10GB
      /var/log 5GB
      /var/log/audit 5GB
      /tmp 1GB

      That's a little too liberal for EC2 instances. I could definitely see that working for on prem though.

      Yeah. The numbers you had looked fine. Especially if they aren't going to be long living servers.

      posted in IT Discussion
    • RE: Application Virtualization in Linux Environment

      So how we did it the last place I worked. We used a mix of X2Go, X-11 forwarding/MobaXTerm, and RDP. It depended on the user as to how they wanted to do it.

      RDP gave them a full desktop since X2Go couldn't any longer on GNOME 3. X2Go gave them just applications from a menu to pick. People who were used to the cli used X-11 forwarding because it's what they were used to.

      posted in IT Discussion
    • GitLab Feature Flags

      It looks like GitLab now has feature flags available for the free users (at least on the hosted version). This is a pretty awesome free feature. Here's an example of how to leverage it.

      First create your feature flag:
      feature-flag1.png

      I opted to leave the bottom section of user specific flags alone.

      Then make sure to get your config:

      feature-flag-config.png

      Then all you need to do is enable it in your application:

      package main
      
      import (
      	"fmt"
      	"os"
      
      	"github.com/Unleash/unleash-client-go"
      )
      
      type metricsInterface struct {
      }
      
      func init() {
      	environment := os.Getenv("APP_ENVIRONMENT")
      	unleash.Initialize(
      		unleash.WithUrl("https://gitlab.com/api/v4/feature_flags/unleash/14019607"),
      		unleash.WithInstanceId("y_XXx-C3w2JjpHxxx19L"),
      		unleash.WithAppName(environment),
      		unleash.WithListener(&metricsInterface{}),
      	)
      }
      
      func main() {
      	if unleash.IsEnabled("test") {
      		fmt.Println("This is the app with the feature flag on.")
      	} else {
      		fmt.Println("This is the app with the feature flag off.")
      	}
      
      }
      

      So that's fairly self-explanatory. We import the unleash library and then initialize unleash with the URL, instance ID, and environment. I opted to use an environment variable to define the app's environment. If the environment was "Production" the flag wouldn't even be used and would default to off. Then in your code, just include the name of the specific flag where you want to enable or disable a feature. Then when you enable or disable the flag in GitLab it will enable or disable the feature in your app. It goes without saying that your app will need internet access for this to work unless you're self-hosting. Then you would just need LAN access. You can have multiple flags for one app, so just use the correct flag name in your code at the appropriate areas.

      posted in IT Discussion feature flags gitlab golang
    • RE: Containers on Bare Metal

      @Emad-R said in Containers on Bare Metal:

      Does anyone have experience running the above? If so, are you doing it in Prod/Dev?

      Please don't start a rant against certain technology; there is more stuff than Docker out there, like LXD, OpenVZ, etc.

      It depends on how you're using them. If you're just treating them like systemd services (podman makes this easy) then it's just as easy as running normal services on a VM. I wouldn't worry about the extra abstraction if you don't want to until you are using orchestration tools like k8s, Nomad, OpenShift, etc. and you need to squeeze every bit of performance out of the application. But it's fine either way.

      posted in IT Discussion
    • Building A Hugo Site From a Theme
      1. First choose a theme from here: https://themes.gohugo.io/
        For this example I'm just going to use this theme: https://themes.gohugo.io/meghna-hugo/#installation

      2. Click download to go to their GitHub.

      3. Make a themes directory

      4. Clone the repo into your themes directory

      5. Copy the contents of the exampleSite directory in the theme 3 levels up in your top level site directory.

      6. Run hugo serve -D

      7. Modify the content and watch it change live.

      Here's what you get at localhost:1313

      hugo.png

      posted in IT Discussion hugo
    • RE: Buttercup Password Manager

      @Dashrender said in Buttercup Password Manager:

      Ultimately the project owners want to turn it into a company like LastPass, generating their revenue from SaaS, but they are starting out as an open source project.

      This is what Bitwarden does too. They are open source but have their free SaaS and their paid enterprise features.

      posted in IT Discussion
    • RE: Catalogic vProtect for KVM

      For reference it's here: https://mangolassi.it/topic/12537/kvm-snapshot-backup-script

      posted in IT Discussion
    • RE: Securing SSH

      I used Duo for MFA with push on my phone and YubiKeys.

      posted in IT Discussion
    • RE: Nodeweaver

      So for 3 hosts, that's $4,800. If you make $25 that's 24 days. You will have more time (money) learning how to do that, setting it up, and tuning it and fewer features than you would just buying this and using it out of the box.

      You CAN do everything SCALE does too, but you're dumb if you don't just buy it.

      posted in IT Discussion
    • RE: Trying to use docker but have no idea what I'm doing...

      If you don't want the Docker daemon running all of the time and you don't need the Docker socket, Podman is a nice alternative. The commands are identical (on purpose) and you can create pods like in K8s. You can even export your Pod configurations into a K8s deployment if you want.

      posted in IT Discussion
    • RE: Password manager for ordinary users?

      @Obsolesce said in Password manager for ordinary users?:

      and it also works on all devices including phones.

      Except Linux?

      chredge.png

      posted in IT Discussion
    • RE: Printer keeps reinstalling?

      Wow Doc, fire up the flux capacitor. Windows 7 and KVMs. I don't envy what you're working on.

      posted in IT Discussion
    • Piggy Bank

      So I'm writing this as a side project, mostly to learn. It sucks I know, but if you're a Go developer you can give me pointers.

      It's called Piggy Bank because it's a poor man's version of Vault.

      https://github.com/hooksie1/piggybank

      posted in IT Discussion go passwords
    • Functional Options In Go

      I wrote a thing if you care:

      https://hooks.technology/2020/08/functional-options/

      posted in IT Discussion golang development
    • RE: How to let only customers download files with wget/curl?

      @Obsolesce said in How to let only customers download files with wget/curl?:

      Some sort of authentication is the only way if the app doesn't support built in updating of some kind.

      Yeah as @Obsolesce said auth is prob best. Basic auth would be the easiest.

      Just curl -u 'user:pass' https://mything.com/files

      Wget is --user and --password

      posted in IT Discussion
    • RE: The future of the CentOS Project is CentOS Stream

      @JaredBusch said in The future of the CentOS Project is CentOS Stream:

      @coliver said in The future of the CentOS Project is CentOS Stream:

      It's built from RHEL sources but it's not a clone

      Correct. And it is not trivial.

      It's def not trivial.

      https://wiki.centos.org/About/Building_8

      That's why when there is a new major RHEL release it takes months to get the CentOS release.

      posted in IT Discussion
    • RE: FreePBX Ring over Paging System

      Put one of these on the wall and attach it to the phone:

      b9b99259-f80e-4a60-9a6e-a4b6ad534a1f-image.png

      posted in IT Discussion