Anthony Scalisi scalp42

Ivacy IKEv2 on Debian

Install strongSwan

sudo apt-get -y update
sudo apt-get -y install strongswan strongswan-libcharon libcharon-extra-plugins

Download Trusted CA

How to setup a practically free CDN using Backblaze B2 and Cloudflare

⚠️ Note 2023-01-21
Some things have changed since I originally wrote this in 2016. I have updated a few minor details, and the advice is still broadly the same, but there are some new Cloudflare features you can (and should) take advantage of. In particular, pay attention to Trevor Stevens' comment here from 22 January 2022, and Matt Stenson's useful caching advice. In addition, Backblaze, with whom Cloudflare are a Bandwidth Alliance partner, have published their own guide detailing how to use Cloudflare's Web Workers to cache content from B2 private buckets. That is worth reading,

How to disable systemd-resolved in Ubuntu

Stages

Disable and stop the systemd-resolved service:

  sudo systemctl disable systemd-resolved.service
  sudo systemctl stop systemd-resolved

Then put the following line in the [main] section of your /etc/NetworkManager/NetworkManager.conf:

NB: This document describles a 'Old-School' way of using Yubikey with SSH

Modern OpenSSH has native support for FIDO Authentication. Its much simpler and should also be more stable with less moving parts. OpenSSH also now has support for signing arbitary files witch can be used as replacement of gnupg. Git also supports signing commits/tags with ssh keys.

Pros of FIDO

Simpler stack / less moving parts
Works directly with ssh, ssh-add and ssh-keygen on most computers
Simpler
Private key can never leave the FIDO device

Cons of FIDO

Gem Install Dockerfile Hack

If you're hacking on your Gemfile and using Docker, you know the pain of having the bundle install command run after you've added or removed a gem. Using docker-compose you could mount a volume and stage your gems there, but this adds additional complexity and doesn't always really solve the problem.

Enter this imperfect solution:

What if we installed every gem into it's own Docker layer which would be happily cached for us?

gem-inject-docker does just that. It takes the list of gems used by your app via bundle list and transforms it into a list of RUN gem install <your gem> -v <gem version> statements and injects them into the Dockerfile at a point of your choosing.

I've done a bit of a deep dive into how we produce our env. The flow is slightly complicated as some environment comes from the shell that the agent runs in and some comes from buildkite.com and then some is generated each job.

For context, the code that generates the job environment is here: https://github.com/buildkite/agent/blob/2f3d6935996d45877071c01f7b19ae07db302d69/agent/job_runner.go#L307-L426

Paraphrased, the process is:

A build is triggered on buildkite.com, with user-provided environment (step or pipeline level) and bk specific env
Write out base job environment to an env file for future reference and set BUILDKITE_ENV_FILE
The agent job runner merges in it's env (overwriting anything set above, creating "protected" env)

This document outlines the steps to set up a one tunnel IPSec Site to site VPN on AWS and a VM on another cloud provider (Packet) running Strongswan.

(References:

https://docs.aws.amazon.com/vpn/latest/s2svpn/SetUpVPNConnections.html

https://openvpn.net/vpn-server-resources/extending-vpn-connectivity-to-amazon-aws-vpc-using-aws-vpc-vpn-gateway-service/)

Spin up packet VM and install strongswan

(This can be any cloud provider. It does not have to be Packet)

	{
	"Version": "2012-10-17",
	"Statement": [
	{
	"Effect": "Allow",
	"Action": [
	"iam:CreateInstanceProfile",
	"iam:DeleteInstanceProfile",
	"iam:GetRole",
	"iam:GetInstanceProfile",

	func CopyFile(src, dst string) error {
	r, err := os.Open(src)
	if err != nil {
	return err
	}
	defer r.Close()

	w, err := os.Create(dst)
	if err != nil {
	return err