@hivelogic2018
hivelogic2018 / qna.md
Created August 6, 2025 17:50
Teleport, WireGuard and Tailscale

Explain the difference of Teleport, WireGuard and Tailscale. Explain also in layman terms the difference of Teleport, WireGuard and Tailscale.

Explain if in my infra setup, I would need an nginx container spun up, given that Teleport has already taken ports 40 and 443. Explain why one would need them and in what order. How do they interact and in which flow/order?

Teleport, WireGuard, and Tailscale are all tools for securing network access, but they serve different purposes. WireGuard is a low-level, high-performance VPN protocol. Tailscale is a service that uses WireGuard to create a user-friendly, zero-configuration VPN, and Teleport is an identity-aware access platform that provides secure, auditable access to infrastructure.

Technical Differences

Regarding access perimeter, I have a small company with myself and my partner being the managers (manager role), 2 devops personnel (devops role), a few devs (dev role), 2 product owners / scrum masters (product role), 2 qa personnel (qa role), a few interested individuals / prospective investors (shareholder role)

Review my files and the fact, for your reference, that I already got Portainer working through this setup with dokploy-traefik, meaning that I can access Portainer in the browser at docker.zingastay.com

to help me update these files to achieve the following requirements:

  • Strictly adhere to dnschallenge (DNS-01) through dokploy-traefik to serve 80/443 for public access to teleport.zingastay.com for Teleport connect, tsh and teleport web ui to work.

Hence, other services: Forgejo (git.infra.zingastay.com), dokploy-traefik UI (dashboard), Dokploy UI, to be guarded post-Teleport successful auth. After a successful auth with Teleport, users can view and launch infra services through Teleport dashboar

@hivelogic2018
hivelogic2018 / qna.md
Created August 17, 2025 13:43
how to make and force Teleport using the trusted certificates from Traefik ?

To make and force Teleport to use the trusted certificates from Traefik, you need to configure it to use the certificates that Traefik's ACME resolver has obtained from Let's Encrypt. This is the correct, secure way to solve the 500 Internal Server Error without using insecureSkipVerify.

This process involves four main steps:

  1. Extract the Certificates: The certificates obtained by Traefik are stored in the /var/traefik/certs/cloudflare-acme.json file inside your Traefik container. You will need to access this file and extract the certificate and private key. This is a manual step you must perform.
  2. Create a Shared Volume: You will need to create a shared volume or a host mount that allows both Traefik and Teleport containers to access the same directory where the certificates will be stored.
  3. Update Teleport's Configuration: You must modify your Teleport container's teleport.yaml file to tell it to use the new, trusted certificates instead of its self-signed ones.
  4. **Restart
@hivelogic2018
hivelogic2018 / qna.md
Created August 17, 2025 16:19
teleport Certificate Extraction
  1. then why do I have to bother worrying about the extraction for the pair of cert & key files? clearly elaborate and outline benefits

  2. in Teleport Dashboard, When I click on Traefik to launch, it prompts me to a new tab with this url https://traefik.infra.zingastay.com/x-teleport-auth?cluster=zingastay.com&addr=traefik.infra.zingastay.com

I want to be able to access the non-public, Teleport-guarded traefik dashboard

1) The Purpose of Certificate Extraction

The certificate extraction was a crucial step that did not defeat the purpose of security. It was the correct and necessary step to fix a different problem: the public-facing connection between your browser and Teleport.

@hivelogic2018
hivelogic2018 / debloat-ubuntu.sh
Last active August 21, 2025 10:01
Ubuntu vps
#!/bin/bash
# ======================================================
# ✅ Ubuntu 24.04 Debloat Script
# Goal: Remove bloat to behave more like Debian
# Tested on: Ubuntu 24.04 LTS
# Run as: root or sudo-enabled user (e.g., devops2)
# ======================================================
echo "[+] Starting Ubuntu debloat..."
@hivelogic2018
hivelogic2018 / traefik-vs-caddy.md
Created August 21, 2025 17:47
Traefik advantage

explain traefik dynamic service discovery ? meaning working with docker services, I don't need to restart traefik container? fair to say, essentially, changes of labels for portainer, forgejo services, don't require a restart on traefik? any other benefits traefik dynamic service discovery offers besides that?

Yes, it is fair to say that with Traefik's dynamic service discovery, you don't need to restart the Traefik container when you add, remove, or change labels on other Docker services like Portainer or Forgejo. This is a core feature that makes it a "cloud-native" reverse proxy.

How It Works

Traefik works by acting as a proxy and a watcher. 🧐 It connects to the Docker API and constantly monitors for changes in the container's state. When you start, stop, or update a container with the appropriate Traefik labels, Docker emits an event. Traefik listens for these events and instantly reconfigures itself in memory without needing a restart. It reads the labels from the new or changed container

@hivelogic2018
hivelogic2018 / q&a.md
Last active August 23, 2025 07:10
MongoDBConnection

I have my db connection object for instantiation like this. Looks like a factory design for db connection pool establishing. Going through my code files, analyze, explain to me about them and its implementation. How to use db connection class and use it together with DTO/? Also, analyze and explain how effective/redundant it is. Also, in Mongodb, is it necessary and required to perform dbConnection.close() often? how often? Advise me on best practices to streamline my development


Let’s dive into your codebase, analyzing the provided files, explaining their implementation, and addressing your questions about the MongoDBConnection class, its integration with DTOs, its effectiveness, the necessity of closing MongoDB connections, and best practices for streamlining development. I’ll also evaluate the design patterns and suggest improvements for efficiency and clarity.


Analysis of Provided Files

is traefik_dynamic.yaml usually needed? while I already have command: --trusted-origins docker.infra.zingastay.com

traefik_dynamic.yaml

http:
  serversTransports:

@hivelogic2018
hivelogic2018 / SSH TCP Ports.md
Last active September 5, 2025 11:24
Wireguard (WG-Easy)

I thought the port 3024 is simply enough

sudo ufw allow 3024/tcp # the ssh tunnel for Forgejo users' code commits

sudo ufw allow 2222/tcp # for Forgejo:Git SSH access via port 2222

The reason you need to open both port 3024 and 2222 is that they serve two distinct purposes in your Teleport and Forgejo setup.

Port 3024: The Reverse Tunnel 🚇

@hivelogic2018
hivelogic2018 / compose.yaml
Created August 30, 2025 03:38
Alpine-admin-box
# Alpine Admin/Tools Box
services:
  alpine-admin-box:
    image: debian:stable-slim # A small image with git and basic tools
    container_name: alpine-admin-box
    env_file:
      - /etc/infra.env
    networks:
      - infra_net
    # You might want to keep it running for interactive use
    restart: unless-stopped # Or 'unless-stopped' if you want it persistent