Deploy Docker Container from Gitlab CI

Containers are all the rage nowadays and for a good reason. They help in unifying development and production environments. They also provide application encapsulation and isolation, among other things. But to get the most out of them, you should build and deploy them automatically. This post will show you how to do it using Gitlab CI and docker-compose.

Read more…

Run Nikola Blog in Docker

A lot of you might have a blog or a personal website created by static generator. Thanks to their simple requirements (just a webserver, really), they are an ideal starting point for your dockerization journey. In this post, I will explain how to run a Nikola website in a container. Nikola powers this website and is my static generator of choice. But the steps should be fairly similar for other generators out there.


The dockerfile I am using looks like this:

FROM python:latest AS builder

# Copy the whole repository into Docker container
COPY . . 

# Build the blog
RUN pip install nikola \
    && run nikola build

FROM nginx:alpine

# Copy output to the default nginx directory
COPY --from=builder output /usr/share/nginx/html

# Copy nginx host configuration
COPY nginx/default.conf /etc/nginx/conf.d/

Read more…

Modify All Items in Ansible List

Ansible lets you easily interpolate list items within values (like interpolated_{{ item }}_value). However, sometimes you need a more powerful transformation. This is where the map filter comes to rescue again. You can use it to perform regular expression replace on each item in a list. As you can see, the syntax is relatively simple:

map('regex_replace', REGEX_PATTERN, OUTPUT)

For a concrete example, let us say you want to extract network mask from a list of IP addresses ( for example). Assuming this list is stored in the ip_addresses variable, the regex replace would look like this:

{{ ip_addresses | map('regex_replace', '.*/([0-9]{1,2})', '\\1') | list }}

Of course, you can easily use it as a part of longer jinja2 pipelines. If you also want to learn how to loop over dictionary attribute, or see other Ansible tips, take a look here.

Loop Over Dictionary Attribute in Ansible

Working with variables can sometimes get tricky in Ansible. Say, you have a dictionary where you want loop over a certain attribute, not all values. For example, when your variables are declared like this:

    mask: 16
    mask: 24

How do you just loop over all the IP addresses? This is where the map filter comes in:

  ip_addresses: "{{ interfaces.values() | map(attribute='container') | list }}"

The snippet takes all values from the interfaces dictionary (eth0, eth1) and then extracts the ip attribute from them. Finally, it casts the result into list.

Ansible filters are a very powerful tool, so I would recommend you take some time to read it thoroughly. If you are looking for more Ansible tips, such as how to make a playbook distribution agnostic or setup your laptop with Ansible, look here.

One-liner to Download Latest PHPMyAdmin

Even though the PHPMyAdmin’s heyday is long gone by, it still remains quite popular. However, unless you are running it as a Docker container or similar, it is difficult to maintain updated. The reason being, that the creators do not offer any direct link to get the latest version. And the version in system repositories is usually few releases behind.

Luckily, their website design has remained fairly stale, so you can scrape the download link from there. The bash one-liner below (split into three lines for readability :)) will achieve just that:

curl 2>/dev/null \
  | grep -oP '(?<=href=")[^"]*(?=")' \
  | head -n 1

It uses the nifty look-ahead feature ((?<=)) of the Perl-like expression matching. But that is specific to GNU Grep, so you might need to install it, if you are on BSD or MacOS.

Use Caddy Reverse Proxy for Kibana

Nginx is probably the most widely used reverse proxy software out there. But when it comes to Docker, I have started to favor Caddy over it. Caddy is a lightweight web server written in Go. Among its advantages are extremely simple configuration and support for automatic Let’s Encrypt certificates. Certainly the automatic HTTPS simplifies any Docker setup. While it is not yet included in repositories and therefore lacks automatic updates, Docker nullifies this drawback. So, I will show you how to setup Caddy reverse proxy for Kibana.

Read more…

The Glimpse Controversy

The first version of Glimpse photo editor, a fork of Gimp, just came out. Unfortunately, an avalanche of criticism by some community members has promptly followed. The reactions range from claiming the Glimpse team are not bringing any value, to accusing them of stealing the Gimp code. To be honest, I found the overall tone quite unreasonable. So, I will try to refute the claims and explain why forking Gimp into Glimpse is a positive development.

The authors are over-sensitive SJWs”

The most common critique is, that the project was started because of personal sensitivities. More specifically, because the team found “gimp” to be an offensive term. However, if you see their motivation behind the rebranding, you will learn, that it was not the case. Rather, the reason was, that the name hampered Gimp’s adoption in professional and education settings. Therefore, to further spread open-source software, a change was necessary. Since the Gimp team had no intention of rebranding it, they encouraged forking the project to rename it themselves.

Read more…

Did not find mosh server startup message

If you have just installed Mosh server and tried to connect to it, you might have run into the following error:

$ mosh user@server
/usr/bin/mosh: Did not find mosh server startup message.

This happens when your SSH session sends a locale that Mosh does not support. The fix is fairly easy, just configure your SSH not to send the LANG variable. To do that, open your /etc/ssh/ssh_config and comment out the following line:

# SendEnv LANG LC_*

That’s it, now you can use your Mosh without any hiccups.

Set up a Wireguard VPN in 15 minutes

Wireguard is the new kid on the block when it comes to VPNs. It offers significant advantages compared to the traditional choices of OpenVPN and IPSec. It is very lean with about 5,000 lines of code. Thanks to that, the codebase has already gone through a security. More importantly, it is extremely easy to set up (especially compared to IPSec). On top of that, it is also much faster (mainly in comparison to OpenVPN). Currently, Wireguard is in the process of being implemented in the Linux kernel. However, it is already available as a Linux kernel module. In this post, you will learn how to set up a simple VPN consisting of a server with public a IP address and two other machines running behind a NAT. First, some theory. Wireguard uses a peer to peer architecture, where each peer has their own private and public key pair. So, the peers authenticate each other by exchanging public keys. And this creates a bidirectional tunnel. As you can see, the key exchange is almost as easy as with SSH. The communication itself uses standard Linux network interface.

Configure a Debian server

Above, I have said that Wireguard is peer to peer. So, where does server suddenly come from? Well, since directly connecting machines behind a NAT is not an easy affair (you would need to use Dynamic DNS or a similar technique), you will need a peer with a public IP address, that the peers behind NAT will connect to. For the sake of clarity, I am just going to go ahead and call this peer a server and the rest clients. Before you start, enable packet forwarding on the server. In order to do that, you need to edit /etc/sysctl.conf and uncomment this line:


Then run:

$ sysctl -p

In Debian, Wireguard is available in the unstable repository. You enable this way:

$ echo "deb unstable main" > /etc/apt/sources.list.d/unstable.list
$ printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable

After that, you can install the wireguard package. To build the module, you also need to install kernel headers:

$ apt update
$ apt install linux-headers-amd64 wireguard

Afterwards, enable the kernel module:

$ modprobe wireguard

Next, you need to generate the private and public keys:

$ cd /etc/wireguard
$ umask 077
$ wg genkey | tee privkey | wg pubkey > pubkey

The above commands create two files - /etc/wireguard/privkey and /etc/wireguard/pubkey. Now you just need to add configuration for the interface in /etc/wireguard/wg0.conf. It should look similar to this:

PrivateKey = PrivkeyOfServer
Address =

Later on, you will need to add peers. But for now, we are done. The default port for Wireguard is 51820, so make sure it’s open.

Read more…

Use passphrases instead of passwords

The other day I wanted to buy a concert ticket from a website I haven’t visited before. That meant creating a new account (even though that shouldn’t really be necessary). I went through the ordeal of filling in my details, clicked “Confirm” and bam… the password was not good enough. As is usual, the password needed to contain an uppercase letter, a numeral, a symbol, a Chinese character and 10 emojis (couldn’t you have told me earlier?). At this point, most people would just say screw it and use a variation of one their few passwords. Perhaps adding their birthdate or something along the lines. I draw that conclusion from publicly available lists of breached passwords. To be honest, I don’t blame them. Remembering tens of passwords is hard, even without all the weird characters. But even if you don’t feel like setting up a password manager, there is a better and safer alternative. Passphrases.

What are passphrases?

As you might have guessed, passphrases use several words, or a sentence, instead of a single word. Nowadays, you can readily use spaces in password. That’s why I would recommend using whole sentences. That typically makes your password much longer. And as a bonus, using commas etc., you will easily fulfill the special character criteria. However, it is important to choose a unique phrase, not something you would easily find on the Internet. While it might be tempting to just use “Winter is coming to Winterfell”, that’s about as good as “12345”. I recommend using something based on a memory.

Read more…