In-Cluster Prometheus

2022-07-27 | #k8s #prometheus

Up until recently, I was running two separate Prometheus instances – one on a Raspberry Pi, and the other in my k3s cluster using kube-prometheus-stack. I wanted to unify them, ideally to simplify management and version control. The challenge here is in how to manage the scrape targets for out-of-cluster resources. Thanks to my friend Justin, I was able to use a much more elegant solution.

Options

The basic way

When deploying kube-prometheus-stack, define additionalScrapeConfigs.
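The "basic way" in concrete form, as an added example (not the post's own values file, and not the more elegant approach the post goes on to describe): a kube-prometheus-stack values.yaml fragment that adds an out-of-cluster node_exporter as a static target. The job name, the hostname pi.example.com, the Secret name pi-scrape-tls and the key names inside it are assumptions, and the target is assumed to serve its metrics over TLS (node_exporter's own web-config, or a TLS proxy in front of it), because a plain-HTTP node_exporter answers anyone on the network.

```yaml
# values.yaml fragment for the kube-prometheus-stack Helm chart.
# Names (job, host, Secret, file keys) are assumptions for illustration.
prometheus:
  prometheusSpec:
    # The operator mounts each listed Secret at /etc/prometheus/secrets/<name>/
    secrets:
      - pi-scrape-tls
    additionalScrapeConfigs:
      - job_name: raspberry-pi
        # Scrape over TLS with a client certificate, so the exporter is not
        # reachable by anything that can merely route to the Pi.
        scheme: https
        tls_config:
          ca_file: /etc/prometheus/secrets/pi-scrape-tls/ca.crt
          cert_file: /etc/prometheus/secrets/pi-scrape-tls/tls.crt
          key_file: /etc/prometheus/secrets/pi-scrape-tls/tls.key
        static_configs:
          - targets: ['pi.example.com:9100']
            labels:
              location: out-of-cluster
        relabel_configs:
          # Strip the port so "instance" matches how in-cluster targets are labelled
          - source_labels: [__address__]
            regex: '([^:]+):\d+'
            target_label: instance
            replacement: '$1'
```

Because additionalScrapeConfigs is passed through to Prometheus verbatim, the operator does not validate it; a typo here shows up only as a reload failure in the prometheus container logs, so check `kubectl -n monitoring logs prometheus-…-0 -c prometheus` after `helm upgrade`. If the scrape config must contain secrets itself (a bearer token, a basic_auth password), use additionalScrapeConfigsSecret instead so the credentials are not committed with the values file.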



K3S, split-horizon DNS, DNSSEC, and PowerDNS

2022-05-30 | #dns #k8s

On my home K3S cluster, I was running into a string of weird DNS issues. Here’s how I ended up fixing it.

Architecture Overview

- 6-node K3S cluster (3x worker, 3x control plane)
- In-cluster DNS using standard off-the-shelf CoreDNS
- Intranet DNS provided by PowerDNS
  - 2 DNS servers
  - Each runs PDNS Authoritative (for internal zone example.com and reverse)
  - Each runs PDNS Recursor (for all other queries; forwards to auth for example.com)
- Internet DNS for example.
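One way to express the split-horizon half of that architecture inside the cluster, as an added illustration rather than the fix the post describes: a coredns-custom ConfigMap that sends the internal zone and its reverse zone straight to the PDNS Authoritative servers and leaves everything else on the stock forward-to-resolv.conf path (which, on these nodes, is the PDNS Recursor). It assumes k3s's behaviour of merging `*.server` keys from a kube-system ConfigMap named coredns-custom into the Corefile; the 10.0.0.53 / 10.0.0.54 addresses and the 10.0.0.0/24 reverse zone are constructed for the example.

```yaml
# Constructed example: extra CoreDNS server blocks for k3s.
# Assumes k3s picks up keys ending in ".server" from this ConfigMap.
apiVersion: v1
kind: ConfigMap
metadata:
  name: coredns-custom
  namespace: kube-system
data:
  example.server: |
    # Internal zone and its reverse: ask PDNS Authoritative directly,
    # bypassing the recursor for names it is authoritative for anyway.
    example.com 0.0.10.in-addr.arpa {
      errors
      cache 30
      forward . 10.0.0.53 10.0.0.54 {
        policy sequential
        health_check 5s
      }
    }
```

The check that matters after applying it is `kubectl -n kube-system rollout restart deploy/coredns` followed by `dig @<coredns-svc-ip> host.example.com` from a pod and from a node: a split-horizon answer that differs between the two places is exactly the class of "weird DNS issue" that shows up as intermittent failures, because pods and hostNetwork workloads resolve through different paths.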



ALL the Zeldas (pt. 1)

2022-05-18 | #games #zelda

Last week, I completed a longtime personal goal. I can now say I’ve beaten all the mainline Zelda games! How do I define “mainline Zelda”? More or less, anything in the Hyrule Historia, plus BotW which wasn’t released when the book came out. This doesn’t include the CD-i games, nor any of the spinoff games such as Hyrule Warriors or Link’s Crossbow Training. It also doesn’t include the games that require you to have friends to play…



In Search of Organization

2020-11-17 | #blog #organization #rfc #taskmanagement

I’ve long struggled with finding an organizational, note taking, and task management system that works for me. I feel like I’ve tried dang near everything out there, but nothing really “sticks”. In this blog post, I focus mostly on technological solutions. While not a hard requirement in my mind, the convenience of not having to keep a physical thing on my person. Plus, my handwriting is atrocious! A further problem I have is the divide between work and personal.



Anatomy of a Phishing Email

2020-10-27 | #infosec #malware #reversing

Intro We all get spam. Most of it is devoured by our mail providers’ spam catcher, and we never see it. Every now and then, one slips through the cracks. In this case, I received an email earlier this week with a subject of “Re: Notification your test results COVID-19 [ note-7893 ]”. Classic, making me think it’s in reply to one of my email…that I sent about their test results?



Configuring multiple routers & services with Traefik

2020-06-28 | #docker #traefik

Quick note on configuring a single Docker container that needs to expose multiple ports using Traefik. For this example, I’m using Ubooquity as it uses a separate port for admin that I wanted to just route on the same domain.

version: "3.7"
services:
  ubooquity:
    image: linuxserver/ubooquity
    container_name: ubooquity
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=America/Chicago
      - MAXMEM=1024 # MB
    labels:
      - traefik.http.routers.ubooquity.rule=Host(`ubooquity.example.com`)
      - traefik.http.routers.ubooquity.service=ubooquity
      - traefik.http.services.ubooquity.loadbalancer.server.port=2202
      - traefik.http.services.ubooquity.loadbalancer.server.scheme=http
      - traefik.http.routers.ubooquity.tls=true
      - traefik.
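The complete pattern the excerpt is building toward, as an added example written for this page (not the post's own compose file): two Traefik v2 routers on one container, each pointing at its own service and therefore its own backend port, with the admin router additionally restricted to LAN source addresses. Assumptions: Ubooquity's admin UI listens on 2203 under /admin (the library UI on 2202), the TLS entrypoint is named websecure, Traefik shares a Docker network called proxy, and the allowed source ranges are constructed.

```yaml
# Added example; port 2203, the /admin path, "websecure", "proxy" and the
# source ranges are assumptions for illustration.
version: "3.7"
services:
  ubooquity:
    image: linuxserver/ubooquity
    container_name: ubooquity
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=America/Chicago
      - MAXMEM=1024 # MB
    networks:
      - proxy
    labels:
      - traefik.enable=true   # harmless if exposedByDefault is true

      # Router 1: the library UI, backed by port 2202
      - traefik.http.routers.ubooquity.rule=Host(`ubooquity.example.com`)
      - traefik.http.routers.ubooquity.entrypoints=websecure
      - traefik.http.routers.ubooquity.tls=true
      - traefik.http.routers.ubooquity.service=ubooquity
      - traefik.http.services.ubooquity.loadbalancer.server.port=2202
      - traefik.http.services.ubooquity.loadbalancer.server.scheme=http

      # Router 2: the admin UI on the same host name, backed by port 2203.
      # Traefik v2 derives default priority from rule length, so this longer
      # rule wins over the plain Host() rule for /admin requests.
      - traefik.http.routers.ubooquity-admin.rule=Host(`ubooquity.example.com`) && PathPrefix(`/admin`)
      - traefik.http.routers.ubooquity-admin.entrypoints=websecure
      - traefik.http.routers.ubooquity-admin.tls=true
      - traefik.http.routers.ubooquity-admin.service=ubooquity-admin
      - traefik.http.routers.ubooquity-admin.middlewares=ubooquity-admin-lan
      - traefik.http.services.ubooquity-admin.loadbalancer.server.port=2203
      - traefik.http.services.ubooquity-admin.loadbalancer.server.scheme=http

      # Only LAN clients may reach the admin router. (Traefik v2 spelling;
      # v3 renamed the middleware to ipAllowList.)
      - traefik.http.middlewares.ubooquity-admin-lan.ipwhitelist.sourcerange=10.0.0.0/8,192.168.0.0/16

networks:
  proxy:
    external: true
```

Two things to check. First, without the second service the labels silently route both routers to the same port, so confirm in the Traefik dashboard (or `docker logs traefik`) that ubooquity-admin@docker shows port 2203. Second, when another reverse proxy sits in front of Traefik, the source address Traefik sees is that proxy's, not the client's; the allow-list then needs `ipwhitelist.ipstrategy.depth=1` together with an entrypoint that trusts X-Forwarded-For only from the front proxy's address, otherwise it either blocks everyone or, worse, trusts a client-supplied header.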



Running certbot behind nginx

2020-04-27 | #letsencrypt #nginx

I’ve talked about my bizarre double-reverse-proxy approach before. Today I ran into an issue getting a real letsencrypt cert on a backend host. I just wanted to share the config – this goes on the frontend nginx host. Assuming you’re using the certbot-nginx plugin, no special config is needed on the backend.

rewrite ^(/.well-known/acme-challenge/.*) $1 break;
location ^~ /.well-known/acme-challenge {
    proxy_pass http://backend-host;
}

This will get around the sane default http -> https redirects you’ve probably set up.



Migrating from vSphere to KVM

2020-04-20 | #kvm #networking #vmware

I recently acquired a new server to upgrade my aging HP Gen6 boxes. Since I was consolidating down from 2 to 1 host (but going up to 32 logical threads and 384GB memory), I figured the “HA” portion of VMware/vSphere/vCenter (I’ve entirely forgotten to mind my spheres & centers!) was less necessary. I could have switched to Proxmox, but where’s the challenge in that!? Instead, I switched to plain Ubuntu 20.



Configuring LDAP auth for Traefik (and more!)

2020-02-17 | #ldap #nginx #traefik

As it stands now, my setup for web-accessible Docker-hosted sites is a bit convoluted. Traffic from the gateway flows into a bastion host in my DMZ. This is a tiny box running Nginx acting as a reverse proxy. There’s a hole in the firewall poked in from this bastion host to the Docker host running on my internal network. Traefik runs in Docker and provides SSL termination among other things.
