Skip to content

Instantly share code, notes, and snippets.

View Jip-Hop's full-sized avatar

Jip-Hop

29 followers · 4 following
View GitHub Profile
@Jip-Hop
Jip-Hop / Dockerfile
Created February 4, 2026 19:19
Create /tmp dir (root owned, 1777 mode with sticky bit) inside FROM scratch image using only Dockerfile. No .tar file hack or running any command as root user during build. This is an elegant workaround as it's not possible to set the 1777 mode with COPY directly and permissions are not preserved when copying the tmp directory directly.
FROM alpine AS builder
# Run as non-root user
USER 64646:64646
WORKDIR /app
# NOTE: build your app here
# Create a new empty image directory, used as our scratch root dir
# Create the tmp dir with required sticky bit mode as a subdirectory
@Jip-Hop
Jip-Hop / README.md
Last active February 1, 2026 16:16
Ansible Vault + Docker Compose

Before developing ojster I decrypted my environment variables with ansible-vault and injected them when running docker compose up. While this worked I found it had several downsides.

  • You can't see which environment variables (keys) are present in the vault, unless you decrypt the entire vault
  • You need the private key to add new environment variables
  • This approach requires wrapping around the docker compose up command
  • The decrypted environment variable values end up in the container spec and may leak (visible via docker inspect, Portainer, logs etc.)

So I tried to migrate my secrets to native file based Docker secrets, but this has 2 issues:

  1. You can't safely manage Docker secrets through Git
  2. Many images expect secrets as environment variables instead of files
@Jip-Hop
Jip-Hop / README.md
Last active January 14, 2026 19:32
Simple but Effective Outbound "Firewall" using Vanilla Docker-Compose

Domain‑Based Egress Control in Docker Using Internal Networks and a Unified TCP Proxy

Modern Kubernetes clusters offer powerful primitives like FQDN‑based network policies (e.g., via Cilium, Calico, or Gatekeeper). These let you express rules such as “this workload may only talk to github.com and example.com” without worrying about IP churn, TLS hostname validation, or container‑level DNS quirks.

Docker, however, does not provide anything comparable out of the box.

This article documents a practical approach to implementing domain‑based egress control in plain Docker Compose, without modifying application containers, without terminating TLS, and without introducing heavyweight service meshes. It also covers the pitfalls we encountered—especially around QUIC/HTTP‑3—and compares our approach with the pattern suggested in the [Creating a Simple but Effective Outbound "Firewall" using Vanilla Docker-Compose](sequentialread.com/creating-a-simple-but-effective-firewall-using-vanilla-docker-co

@Jip-Hop
Jip-Hop / truenas_scale_sysext_example.sh
Last active January 29, 2025 02:07
Temporarily extend available packages in TrueNAS SCALE using systemd-sysext. For educational purposes. Use at your own risk!
#!/usr/bin/env bash
# Specify destination for extension rootfs
ROOTFS_PATH=/mnt/tank/some/dataset/ext/rootfs
# List of packages to install
PACKAGES="usbutils"
# Download minimal debian base rootfs
mkdir -p "$ROOTFS_PATH"
curl -L https://github.com/debuerreotype/docker-debian-artifacts/raw/dist-amd64/bookworm/slim/rootfs.tar.xz | tar -xJ -C "$ROOTFS_PATH" --numeric-owner
@Jip-Hop
Jip-Hop / install_and_run.py
Created June 18, 2024 13:03
Python script which installs packages it requires with pip inside a venv that's created on the fly.
#!/usr/bin/env python3
import os
import sys
__requirements__ = {"docker==7.1.0"}
def _setup_env():
venv = os.path.join(os.path.dirname(__file__), ".venv")
@Jip-Hop
Jip-Hop / README.md
Last active July 6, 2025 02:44
Simple comment preserving ConfigParser class to read/update/write INI files WITHOUT indented sections/keys/comments.

See the example usage inside configparser.py. Output when running the configparser.py file:

# Comments may appear before the first section

[Simple Values]
key = value
spaces in keys = allowed
spaces in values = allowed as well
spaces around the delimiter = obviously
@Jip-Hop
Jip-Hop / Dockerfile
Created March 26, 2023 07:15
Distroless alpine docker image: no shell, no package manager, no busybox. Only the specified packages + dependencies.
FROM alpine as bootstrap
# Optionally add e.g. coreutils (if you don't want to remove the shell)
ARG PACKAGES_TO_INSTALL="openjdk11-jre"
ARG REMOVE_SHELL=1
# Create rootfs folder and enable apk repo
RUN mkdir -p /rootfs/etc/apk && \
cp -a /etc/apk/repositories /rootfs/etc/apk/repositories && \
cp -a /etc/apk/keys /rootfs/etc/apk/keys
@Jip-Hop
Jip-Hop / README.md
Last active May 14, 2025 03:04
Persistent Debian 'jail' on TrueNAS SCALE to install software (docker-compose, portainer, podman, etc.) with full access to all files via bind mounts. Without modifying the host OS at all thanks to systemd-nspawn!
@Jip-Hop
Jip-Hop / pop-up-videos.js
Created October 3, 2021 10:18
Open all videos in a tab as pop-up windows. Basic (non-extension) version of https://github.com/Jip-Hop/pop-up-videos. To be copy-pasted in the browser console.
(function enable() {
var titleSuffixCounter = 0;
var popupWidth = 480;
var popupHeight = 270;
var xOffset = screen.availLeft,
yOffset = screen.availTop;
const data = {
windows: [],
@Jip-Hop
Jip-Hop / boot.sh
Last active December 25, 2025 11:27
Using Docker on TrueNAS SCALE (no Kubernetes)
#!/usr/bin/env bash
#
# Enable docker and docker-compose on TrueNAS SCALE (no Kubernetes)
#
# This script is a hack! Use it at your own risk!!
# Using this script to enable Docker is NOT SUPPORTED by ix-systems!
# You CANNOT use SCALE Apps while using this script!
#
# 1 Create a dedicated Docker zvol on one of your zpools: zfs create -V 100G data/_docker