2023-09-19 // 4 min read // #buildkite #hashicorp-vault
Earlier this year, Buildkite announced support for OpenID Connect tokens. Briefly, a Buildkite agent can request a signed JWT (JSON Web Token) from Buildkite representing details (claims) about its current job. This JWT can then be used to authenticate with systems that accept it.
For Hashicorp Vault, services typically authenticate using the AppRole method with a sensitive set of credentials. It’s fine to use this flow on a Buildkite agent to access Vault secrets, but the credentials for this are long-lived.
The new OIDC flow removes the need to manage these long-lived credentials, and also makes it possible to craft fine-grained policies for a Buildkite agent without requiring multiple sets of login credentials!
Read more →
2023-07-17 // 4 min read // #buildkite
For a while now, I’ve built and published my own Terraform provider for retrieving secrets from a pass store. One of the requirements to publish a Terraform provider is that every release must be signed with a GPG key.
I have a Buildkite pipeline to build and publish these releases to GitHub. A step in this pipeline has access to a private key for signing, but it’s a different key from the one I use on my own machine. I consider the latter too sensitive to expose freely to my Buildkite agents.
With that said, managing a second key just to publish my Terraform provider is quite irksome when it has no other use for me. However, it’s unfortunately necessary if I don’t want to expose my regular key to my CI environment.
But if the worry is around exposing a secret to Buildkite agents running outside my machine, why not introduce an agent that runs specifically on my machine?
Read more →
2023-07-16 // 7 min read
Since late September, I’ve been working to establish an exercise routine as I improve my fitness. One of my decisions in that journey has been to buy a smart watch, and having just ticked over six months since purchase I thought it would be an opportune time to reflect on some of my highlights.
Read more →
Discovering a tradeoff Tailscale makes for convenience
2022-09-25 // 4 min read // #tailscale
I’ve been trying out Tailscale recently to simplify networking between my devices. With the beta launch of Tailscale SSH offering the ability to connect to my DigitalOcean droplet without SSH keypairs, I was eager to incorporate it into my setup.
Said setup is a matter for another time, but with Tailscale SSH enabled for my droplet I was able to remote in with a plain ssh nicholas@gandra-dee!
However, there was a visible half-second delay when entering commands. While not a dealbreaker, it made each session a frustrating experience!
Read more →
2022-03-14 // 2 min read // #gaming
As I’ve just learned, today is the anniversary of Journey’s release ten years ago. It’s a video game from thatgamecompany where you guide a mysterious wanderer in robes on a pilgrimage to climb a distant mountain.
Journey is one of the games that’s stuck with me a lot since I’ve played it.
Read more →
2021-10-01 // 3 min read // #music
Somehow, we’re now into the final quarter of the year. Here’s a few things that interest me, and may interest you!
Read more →
2021-09-23 // 2 min read
I received an email from Cloudflare today about an account that had been created with my email address. Going by the details and the headers, it certainly seemed to have originated from Cloudflare. It looked like someone else had signed up with my details.
Read more →
2021-08-14 // 3 min read // #docker
I’ve been using Plausible Analytics on this website for a few months now and I’m a fan for three key reasons.
Being able to self-host Plausible gives me ownership of the data it collects, but it also makes me responsible for storing this data and backing it up. I manage backups for my instance with several Ansible playbooks, but the same can be done with plain shell commands.
Read more →
2021-07-24 // 2 min read // #ios-shortcuts
If you’ve snooped the MX records for this site recently, you might have noticed that I’ve moved to Fastmail. In addition to email hosting, Fastmail also offers CalDAV accounts for users, so I’m trying it out for my calendar and reminders.
Read more →
2021-07-15 // 3 min read // #nginx
When Nginx is serving this website, it’s usually serving static files from the local machine. One method to accomplish this is with the alias directive, which substitutes the request location for a filepath. I use it to map requests to nicholas.cloud/files/ to a directory for public file-sharing.
Read more →