update workflow

.conf/nginx/nginx.conf

@@ -1,5 +1,5 @@
 worker_processes 4;
-pid /run/nginx.pid;
+pid /tmp/nginx.pid;
 
 
 error_log /dev/stderr info;

.conf/supervisor/supervisord.conf

@@ -2,7 +2,7 @@
 nodaemon=true
 logfile=/dev/null
 logfile_maxbytes=0
-pidfile=/run/supervisord.pid
+pidfile=/tmp/supervisord.pid
 
 
 [program:nginx]

.gitea/workflows/production/build-deploy-docs.yml

@@ -1,9 +1,9 @@
 on:
   push:
-    paths:
-      - "content/**"
-      - "static/**"
-      - "templates/**"
+    # paths:
+    #   - "content/**"
+    #   - "static/**"
+    #   - "templates/**"
     branches:
       - "main"
 
@@ -19,17 +19,17 @@ jobs:
         run: echo "::set-output name=date::$(date +'%Y%m%d%H%M%S')"
       -
         name: Checkout the git repo...
-        uses: actions/checkout@v3
+        uses: https://github.com/actions/checkout@v3
       -
         name: Set up docker buildx...
-        uses: docker/setup-buildx-action@v3
+        uses: https://github.com/docker/setup-buildx-action@v3
       -
         name: Login to gitea registry
-        uses: docker/login-action@v3
+        uses: https://github.com/docker/login-action@v3
         with:
           registry: gitea.raer.me
-          username: ${{ secrets.PRODUCTION_REGISTRY_USERNAME }}
-          password: ${{ secrets.PRODUCTION_REGISTRY_TOKEN }}
+          username: ${{ secrets.REGISTRY_USERNAME }}
+          password: ${{ secrets.REGISTRY_TOKEN }}
       -
         name: Install required system packages...
         run: |
@@ -40,8 +40,8 @@ jobs:
       -
         name: Install pipenv, build blog...
         env:
-          PIPENV_USER: ${{ secrets.PRODUCTION_REGISTRY_USERNAME }}
-          PIPENV_PASS: ${{ secrets.PRODUCTION_REGISTRY_TOKEN }}
+          PIPENV_USER: ${{ secrets.REGISTRY_USERNAME }}
+          PIPENV_PASS: ${{ secrets.REGISTRY_TOKEN }}
         run: |
           pip install pipenv
           pipenv install
@@ -51,37 +51,30 @@ jobs:
         run: 7z a -mx=9 ./artifact.7z build
       -
         name: Upload artifact...
-        uses: actions/upload-artifact@v3
+        uses: https://github.com/actions/upload-artifact@v3
         with:
           name: artifact_${{ steps.date.outputs.date }}
           path: ./artifact.7z
           retention-days: 7
       -
         name: Build and push docker image to gitea package store
-        uses: docker/build-push-action@v5
+        uses: https://github.com/docker/build-push-action@v5
         with:
           context: .
           push: true
-          platforms: linux/amd64
+          platforms: linux/arm64
           tags: gitea.raer.me/${{ gitea.repository }}:${{ gitea.ref_name }}
   job2:
     needs: job1
     name: Connect to deployment host, update, and redeploy docs website.
     runs-on: ubuntu-latest
     steps:
-      -
-        name: Install required system packages...
-        run: |
-          export DEBIAN_FRONTEND=noninteractive
-          apt update
-          apt upgrade -y
-          apt install -y iputils-ping
       -
         name: Configure SSH...
         env:
-          SSH_USER: ${{ secrets.PRODUCTION_SSH_USER }}
-          SSH_KEY: ${{ secrets.PRODUCTION_SSH_KEY }}
-          SSH_HOST: ${{ secrets.PRODUCTION_SSH_HOST }}
+          SSH_USER: ${{ secrets.DEPLOYMENT_USER }}
+          SSH_KEY: ${{ secrets.DEPLOYMENT_KEY }}
+          SSH_HOST: ${{ secrets.DEPLOYMENT_HOST }}
         run: |
           mkdir -p ~/.ssh/
           echo "$SSH_KEY" > ~/.ssh/staging.key
@@ -95,38 +88,5 @@ jobs:
           END
           cat ~/.ssh/config
       -
-        name: Test SSH Host...
-        env:
-          SSH_HOST: ${{ secrets.PRODUCTION_SSH_HOST }}
-        run: |
-          ping -c 3 $SSH_HOST
-          ssh staging 'ls'
-      -
-        name: Safety check (ensure dirs exist and repo has been cloned)...
-        run: |
-          echo "Adding ci dir if it doesn't exist..."
-          ssh staging 'bash -c "[ -d ci ] || mkdir ci"'
-          echo "Cloning git repo if it isn't already cloned..."
-          ssh staging 'cd ci; bash -c "[ -d ${{ gitea.event.repository.name }} ] || git clone https://${{ secrets.PRODUCTION_API_TOKEN }}@gitea.raer.me/${{ gitea.repository }}.git"'
-      -
-        name: Deploy testing script on remote...
-        run: |
-          ssh staging '\
-            cd ci/${{ gitea.event.repository.name }}; \
-            git remote remove origin; \
-            git remote add origin https://${{ secrets.PRODUCTION_API_TOKEN }}@gitea.raer.me/${{ gitea.repository} }.git; \
-            git checkout ${{ gitea.ref_name }}; \
-            git reset --hard HEAD; \
-            git pull origin ${{ gitea.ref_name }}; \
-            git remote remove origin;'
-      -
-        name: Pull new image and redeploy...
-        run: |
-          ssh staging '\
-            echo "${{ secrets.PRODUCTION_REGISTRY_TOKEN }}" | docker login --password-stdin --username ${{ secrets.PRODUCTION_REGISTRY_USERNAME }} gitea.raer.me; \
-            docker stop blog.raer.me-prod; \
-            docker rm blog.raer.me-prod; \
-            docker pull gitea.raer.me/${{ gitea.repository }}:${{ gitea.ref_name }}; \
-            docker run -d --name blog.raer.me-prod -p ${{ secrets.PRODUCTION_DEPLOYMENT_HOST }}:4020:80 gitea.raer.me/${{ gitea.repository }}:${{ gitea.ref_name }}; \
-            docker logout gitea.raer.me;'
-
+        name: Run deploy script.
+        run: ssh staging

Dockerfile

@@ -4,12 +4,17 @@
 ##      Used by automation. Can be built manually for testing.
 ##
 ####
-FROM alpine:3.17
+FROM alpine:3.20
 RUN apk add nginx supervisor
 RUN mkdir -p /var/www
 RUN rm -rf /etc/nginx
 COPY build /var/www/build
 COPY .conf/nginx /etc/nginx
 COPY .conf/supervisor/supervisord.conf /etc/supervisor/conf.d/supervisord.conf
+RUN chown -R nobody /var/www
+RUN chown -R nobody /etc/nginx
+RUN chown -R nobody /var/www/build
+RUN chown -R nobody /etc/supervisor/conf.d/
+USER nobody
 CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/conf.d/supervisord.conf"]
 EXPOSE 80

Pipfile

@@ -9,7 +9,8 @@ verify_ssl = true
 name = "gitea"
 
 [packages]
-blag = {version = "==2.3.0", index = "gitea"}
+blag = {version = "==2.4.0", index = "gitea"}
+pymdown-extensions = {version = "==10.9", index = "pypi"}
 
 [dev-packages]
 

content/2024/01/18/baja-tacos.md

@@ -0,0 +1,58 @@
+title: Baja-style tacos
+description: Some seafood tacos.
+tags: cooking, recipes
+date: 2024-01-19 05:59
+
+# Baja Tacos
+
+## Ingredients
+
+- Street taco size tortillas
+- Mayo
+- Sour Cream
+
+### Fresh
+
+- 12x limes (some for juicing, some for serving)
+- shredded coleslaw mix (or cabbage for shredding)
+
+### Spices
+
+- chili powder
+- kosher salt
+- black pepper
+- garlic powder
+- cumin
+
+### Protein
+
+- 1lb large prawns, shrimp, or fish filets
+
+## Directions
+
+### Prep
+
+- Butterfly the protein.
+- Mix spices in order most to least: Chili powder, cumin, garlic powder, salt, black pepper
+- Preheat and oil a large skillet
+- halve some limes. Cut some halves into quarters, save some for juicing.
+
+### Slaw
+
+Toss shredded slaw veggie mix with the juice of 1-2 lime halves, season lightly with salt and pepper
+
+### Sauce
+
+Mix 60:40 sour cream to mayo. Make about 2 cups worth. Give generous pinch of salt. few generous shakes of coarse black pepper and garlic powder. Mix juice of 2-4 lime halves. Sauce should be tangy with a hint of garlic.
+
+### Rub
+
+Rub the protein liberally with the spice mixture. Cook in hot oil until tender. (Butterflied shrimp/fish cook very fast this way)
+
+## Assemble
+
+1. Taco shell
+2. Dallop and smear of sauce
+3. generous helping of slaw
+4. 2x prawns/shrimp OR 1x fish filet
+5. Drizzle with sauce, serve with lime slice

content/2024/01/18/cheesecake-recipe.md

@@ -0,0 +1,77 @@
+title: Cheesecake
+description: My birthday is soon, here's a cheesecake recipe.
+tags: baking, cooking, cheesecake, recipes
+date: 2024-01-18 12:05
+
+# New York style cheesecake
+
+Shamelessly stolen from [martha stewart dot com](https://www.marthastewart.com/865202/new-york-style-cheesecake). Thanks `Lucinda Scala Quinn` for a great recipe!
+
+Converted to markdown and posted here to preserve for my own purposes.
+
+## Ingredients
+
+### For the Crust
+
+- 4 ounces graham crackers, broken into pieces
+- ¼ teaspoon coarse salt
+- ⅓ cup sugar
+- 4 tablespoons unsalted butter, melted
+
+### For the Filling
+
+- 2 ½ pounds cream cheese (five 8-ounce packages), room temperature
+- 4 ounces unsalted butter, room temperature
+- 8 ounces sour cream, room temperature
+- 1 ¾ cups granulated sugar
+- 5 large eggs, plus 2 egg yolks
+- Zest of 1 lemon
+- 1 teaspoon vanilla extract
+
+## Directions
+
+1. **Preheat oven and prepare pan:**
+   - Preheat oven to 375°F with rack in the lower third of the oven.
+   - Butter bottom and sides of a 9-inch springform pan.
+   - Line sides of the pan with 4-inch-high strips of parchment and butter parchment.
+
+2. **Combine graham crackers and sugar for crust:**
+   - In a food processor, pulse graham crackers with salt and sugar to fine crumbs.
+   - Add butter and pulse until fully incorporated.
+
+3. **Bake and cool crust:**
+   - Press evenly into the bottom of the prepared springform pan and bake until the crust is golden brown and set (15 minutes).
+   - Remove from oven and transfer to a wire rack to cool for 10 minutes.
+   - Use the bottom of a measuring cup or the flat side of a drinking glass to press the crumbs into a compact layer.
+
+   > Other cookies, like chocolate disks, gingersnaps, or Biscoff wafers, can be used instead of graham crackers.
+
+4. **Mix cheesecake filling:**
+   - In a large stand mixer fitted with the paddle attachment, beat cream cheese, butter, and sour cream with sugar until light and smooth.
+   - Add eggs, yolks, zest, and vanilla:
+     - Beat in eggs one at a time until fully incorporated.
+     - Beat in remaining egg yolks, zest, and vanilla extract.
+
+5. **Line pan with foil and parchment:**
+   - Crisscross two long pieces of foil and place a piece of parchment on top.
+
+6. **Wrap exterior of pan in foil:**
+   - Place the springform in the center of the foil and wrap the foil tightly around the bottom and sides of the pan.
+
+   > Lining the pan with foil helps keep water from seeping into the cheesecake, which causes the crust to become soggy.
+
+7. **Place pan in water bath; transfer to oven and bake:**
+   - Transfer to a roasting pan, pour filling into the springform pan, and smooth the top.
+   - Pour boiling water into the roasting pan to come halfway up the sides of the springform pan and carefully transfer to the oven.
+   - Bake for 1 hour until the top of the cheesecake is golden brown, edges are set, and the center jiggles slightly.
+
+8. **Remove from water bath and foil; chill:**
+   - Lift cheesecake from the water bath, remove foil and parchment from outside of springform, and chill cheesecake in the refrigerator for at least 8 hours.
+
+9. **Slice the cheesecake and serve:**
+   - To serve, remove the side of the springform pan and parchment strips.
+   - Cut the cheesecake with a long, thin-bladed knife.
+
+### How to Slice Cheesecake
+
+For perfect slices every time, run a long thin-bladed knife under hot tap water, wiping it clean between cuts.

content/2024/01/31/mediterranean-rice.md

@@ -0,0 +1,37 @@
+title: Mediterranean-style rice
+description: A very tasty rice and veggies recipe.
+tags: cooking
+date: 2024-01-31 18:45
+
+# Mediterranean style rice
+
+This recipe is inspired by a rice dish served by a mediterranean restaurant I used to go to in my hometown.
+
+## Ingredeints
+
+- 2 cups cooked basmati rice
+- 1x medium to large sweet onion, diced
+- 2x roma tomatoes, cut into 1cm thick slices and then strips.
+- 1x green bell pepper, diced
+- 2-3 cloves minced garlic
+- 1 cup pickled banana peppers, diced.
+- 0.5-1.0 cups banana pepper brine.
+
+### Spices
+
+- kosher salt
+- black pepper
+- turmeric
+- oregano
+- dill
+- nutmeg
+
+### Cooking fat
+
+- olive oil
+
+## Cooking instructions
+
+In a hot cast iron skillet with near smoking olive oil, sweat the onions and bell peppers until all are soft and starting to brown/darken. Add minced garlic and stir into still sizzling onions/pepper until fragrent. Add generous pinch of kosher salt and coarse black pepper. A tablespoon or two of oregano. A teaspoon or two of dill. A teaspoon of turmeric. And half a teaspoon of nutmeg. Add roma tomato and banana peppers and a glug of olive oil and mix until tomatoes are soft. Add the brine and bring to a boil.
+
+Serve heaping spoonful of vegetables over rice, with a splash of banana pepper brine on top.

content/2024/05/01/20240512.md

@@ -0,0 +1,36 @@
+title: Using passwords in script, securely!
+description: Keeping passwords inside of scripts safe from prying eyes.
+tags: security, scripting, unix, linux
+date: 2024-05-12 21:35
+
+# Storing passwords in plaintext (sorta)
+
+I came across an issue recently wherein I wanted to automate a backup process that requires three different passwords. I had just discovered [borg backup](https://borgbackup.readthedocs.io/en/stable/) and wanted to use it in place of the periodic `rsync -azvh --delete` that I was doing. The rsync method would just sync my home folder to a USB ssd, and one of my two fileservers. This worked, but didn't have the deduplication or archiving benefits of borg. It also required me to mount my fileservers vis nfs which is another manual step in the backup process.
+
+Borg backup works by copying data in blocks. Its much smarter than rsync, and you can encrypt the backups on the fly. For remote backups, they recommend using ssh. They allow you to put the encryption passphrase in an environment variable for automation. I wanted to use borg to backup to three different locations at the push of a button, without storing the backup encryption passphrases in plaintext or entering them every time I run a backup.
+
+Through some trial and error, I settled upon writing my script - passhprases and all - then writing *another* script that encrypts it with my gpg key, and sticks it into *yet another* script that will first decrypt the encrypted script then pipe it directly to bash. That looks like this:
+
+```bash
+
+#!/bin/bash
+
+## This will stop the script if there's no script.sh file in the root dir.
+set -e
+mv script.sh script.sh
+
+
+GPG_ID='ENTER_YOUR_GPG_ID'
+
+cat script.sh | gpg --encrypt --armor -r $GPG_ID | base64 --wrap 0 > script.gpg.b64
+
+printf "#!/bin/bash\n\nSCRIPT=\"$(cat script.gpg.b64)\"\n\necho \$SCRIPT | base64 -d | gpg --decrypt --quiet | bash\n\n" > script.obf
+
+chmod +x script.obf
+
+rm script.gpg.b64
+
+
+```
+
+Now I can take *any* script with passwords in it, and obfuscate it behind a gpg passphrase! How neat!

content/2024/09/06/2024090601.md

@@ -0,0 +1,30 @@
+title: Some changes have ocurred
+tags: servers, server layout, gitops, devops
+date: 2024-09-06 03:27
+
+# Some changes have ocurred
+
+Server layout has undergone some changes, most notably:
+
+- the OS on my pi
+- how i do gitops
+- how the deployment works
+
+
+## Pi os
+
+I needed docker on my pi, so i abandoned freebsd. It was a good run and taught me a lot about unix. But implementing a custom freebsd server is just. not my thing anymore. Docker is so much easier for versioning. And if i want to compile from scratch? I have that option, too, with docker.
+
+The pi now runs openSUSE Leap 15.6.
+
+## How I do gitops
+
+I've more or less solidified how I do gitops. When I need to version control files on a remote server, I make a local git repo with those files that also contains a script which is used to deploy any of said files on the remote server. This is achieved over SSH. A bare git repo is initialized on the remote server, and added as a remote in the gitops repo. Then, that remote is pushed to in a way that it is always synced perfectly with the local copy. Then, a script in the git repo can SSH into the remote, clone the repo from the local copy, and do stuff with the files.
+
+## How the deployment server works.
+
+Before, i used rootless docker and usernames to sort of namespace things in an ineffective way. I was also using gitea actions configs to do things on the deployment server with an ssh key that had unlimited access to the user account. This provided a false sense of security.
+
+Now, I'm just running a single rootful docker instance. I'm mindful of network segregation, ensuring no unsafe directories are given to containers, and I'm also not allowing any privileged containers.
+
+I'm also doing CI a different way. An SSH keypair is made for each CI repository on gitea. Then, the private key is stored as a secret in the repo's actions settings. Then, a script is written and pushed to the deployment server that is called by the SSH public key. This ensures that no rogue activity happens, essentially locking each SSH key to a specific deployment script.

content/2024/09/26/configuration-management.md

@@ -0,0 +1,35 @@
+title: Managing configs on my homeservers.
+description: Managing configuration files - some lessons I've learned over the years.
+tags: post, git, gitops, devops, ci/cd, tech, scripting
+date: 2024-09-26 05:21
+
+# Managing homeserver configs
+
+I've run my home services a number of different ways over the years. I've split things between multiple virtual machines, I've set up a 'bare metal ' kubernetes cluster distributed between multiple VMs and hardware devices on my home network. I've used FreeBSD and its Jails to run things I compiled by scratch in an effort to lower attack surface. I ran (and run) VMs and containers on proxmox, truenas core and truenas scale. Each method brings its pros & cons, security tradeoffs, and configuration complexity. Though I've practiced more complex enterprise-level user & permission management (ldap/active directory) techniques, I've settled on "good enough" security practices for my uses/needs (I don't have multiple people accessing things over ssh, for example, so I do the unthinkable and - gasp - ssh directly into root with an ed25519 keypair to administer servers). No SSH ports are exposed directly to the internet anyway - well, except for gitea. But that's also protected with keypairs.
+
+Similarly, I seek to reduce complexity of my configuration management. I like to do as much work as possible, in my text editor of choice (that's VScode. I know, I know. I use the microsoft text editor. Controversial opinion: its good. Shoot me, emacs and vim nerds). That means using things like webuis to enter configs is out the window (looking at you, truenas scale kubernetes bullshit). Doing things in the text editor means I'm using git to version manage. I also like to use a combination of custom shell scripts and gitea actions config files to automate workflows. Any commands I run frequently get stuck into a shell script, no matter how mundane. I spent a long time manually deploying configs for docker - I know how that tool works. Hell, I know how *all* my tools work. I want to spend less time entering `ssh host "docker compose down;docker compose up -d;"` and more time doing a `./sripts/docker-down-up`. I don't want to enter an ever-changing esoteric webui for some haphazard k3s deployment to look for/edit a hacky series of docker-compose configs rearranged into different parts of said webui. That stuff just annoys me when I have to change things.
+
+> __Speaking of k3s/k8s - Fuck that noise entirely in a home environment. Unless you're doing it to learn, I recommend staying away from kubernetes. Its just docker with extra steps and its far more trouble than its worth for the home - in my very strong opinion.__
+
+## So how do I do things?
+
+Well, as I alluded to earlier - I work in my text editor, out of git repositories. All of my services are deployed with docker - its just... easier, this way. I've run services so many different ways over the years and docker is simply the easiest to deal with. I can grab premade containers. Or I can make my own, push them to my gitea deployment, and pull them for use later. Its great. And its distro agnostic. Sure there are some security issues associated with it. But there are also well documented methods to nullify them. I can also use docker volumes to store everything in `/opt/{container_name}` which is super handy when it comes time to archive/back up the host since all I need to do to grab any important data is backup `/opt`!
+
+Most things get pushed directly to my gitea server. If there are actions that need to be run (such as building and pushing docker containers or other packages), I write a gitea actions config to handle that - its for all intents and puposes exactly the same as github actions. Which is nice. It simply uses a privilaged docker container to spin up other docker containers to do stuff that I would normally do by hand or with a script called `build` or `deploy`.
+
+Though, there are some things that have to be managed manually. one of them is the repo for all the config files for services run on the deployment host. The other, is the repo for my nginx reverse proxy - because if I use gitea to deploy that docker container, it will... turn off the reverse proxy. Which is a link between gitea and the act runner. So... Yeah... can't do that. Cus it causes issues.
+
+These manually managed repos are pushed directly to a bare repo on the deployment host. Then, a script is run that SSHs into the host and runs some commands.
+
+In the case of the main config repo, there also resides an ssh authorized_keys file, some scripts in a folder called `ci`, docker configs, and a big folder of scripts to deploy the thing, manually run actions on the docker configs, and more. The authorized_keys file and `ci` folder allow me to use gitea actions to deploy docker images on the host. I generate an ssh keypair, I store the private key as a secret in each individual repo that deploys to the host, then i put the public key in the authorized_keys file with a command that points to a script in `ci` that pulls and redeploys docker images.
+
+
+## conclusion
+
+This is more or less some rambling about how I manage configs in git. I hope any amount of this made sense.
+
+
+
+
+
+

templates/article.html

@@ -19,8 +19,8 @@
         <a href="/tags/{{ tag }}.html">#{{ tag }}</a>
       {%- endfor %}
     {% endif %}
-    </p>
-    <p>published on {{ date.date() }} </p>
+  </p>
+  <p>published on {{ date.date() }} at {{ date.time() }}</p>
     <p>{%- if edited %} edited on {{ edited }}{% endif -%}</p>
   </aside>