nicholas.cloud

Pets have names, livestock is tagged

2025-07-12 // 2 min read // #ansible #devops #tailscale

There’s an oft-quoted phrase in the cloud/DevOps space.

Treat infrastructure as cattle, not pets.

To me, the advice is broad and emblematic for a lot of modern practices. Prefer disposable containers over long-lived hosts. Build infrastructure that scales horizontally to accomodate demand. Design architectures where components can be swapped out on the fly.

I thought I’d recap some recent changes to how I provision and manage this blog - addressing a few places where hostnames were hardcoded for convenience.

Read more →

Committing XML horrors to style my blogroll

2025-05-10 // 3 min read

For a while, I’ve provided a list of suggested blog/feeds on my website in a blogroll.

This blogroll takes the form of an OPML file that RSS readers can import. It’s pretty neat, but making it browser-friendly has always been on my wishlist.

So it was pretty cool to stumble across XSLT - a means for transforming XML documents.

Read more →

Using Buildkite OIDC with Hashicorp Vault

2023-09-19 // 4 min read // #buildkite #hashicorp-vault

Earlier this year, Buildkite announced support for OpenID Connect tokens. Briefly, a Buildkite agent can request a signed JWT (JSON Web Token) from Buildkite representing details (claims) about its current job. This JWT can then be used to authenticate with systems that accept it.

For Hashicorp Vault, services typically authenticate using the AppRole method with a senstive set of credentials. It’s fine to use this flow on a Buildkite agent to access Vault secrets, but the credentials for this are long-lived.

The new OIDC flow removes to need to manage these long-lived credentials, and also makes it possible to craft fine-grained policies for a Buildkite agent without requiring multiple sets of login credentials!

Read more →

Signing Terraform provider releases with a local Buildkite agent

2023-07-17 // 4 min read // #buildkite

For a while now, I’ve built and published my own Terraform provider for retrieving secrets from a pass store. One of the requirements to publish a Terraform provider is that every release must be signed with a GPG key.

I have a Buildkite pipeline to build and publish these releases to GitHub. A step in this pipeline has access to a private key for signing, but it’s a different key from the one I use on my own machine. I consider the latter too sensitive to expose freely to my Buildkite agents.

With that said, managing a second key just to publish my Terraform provider is quite irksome when it has no other use for me. However, it’s unfortunately necessary if I don’t want to expose my regular key to my CI environment.

But if the worry is around exposing a secret to Buildkite agents running outside my machine, why not introduce an agent that runs specifically on my machine?

Read more →

My Apple Watch, six months in

2023-07-16 // 7 min read

Since late September, I’ve been working to establish an exercise routine as I improve my fitness. One of my decisions in that journey has been to buy a smart watch, and having just ticked over six months since purchase I thought it would be an opportune time to reflect on some of my highlights.

Read more →

Fixing a slow Tailscale SSH connection

Discovering a tradeoff Tailscale makes for convenience

2022-09-25 // 4 min read // #tailscale

I’ve been trying out Tailscale recently to simplify networking between my devices. With the beta launch of Tailscale SSH offering the ability to connect to my DigitalOcean droplet without SSH keypairs, I was eager to incorporate it into my setup.

Said setup is a matter for another time, but with Tailscale SSH enabled for my droplet I was able to remote in with a plain ssh nicholas@gandra-dee!

However, there was a visible half-second delay when entering commands. While not a dealbreaker, it made each session a frustrating experience!

Read more →

Happy anniversary to Journey!

2022-03-14 // 2 min read // #gaming

As I’ve just found learned, today is the anniversary of Journey’s release ten years ago. It’s a video game from thatgamecompany where you guide a mysterious wanderer in robes on a pilgrimage to climb a distant mountain.

Journey is one of the games that’s stuck with me a lot since I’ve played it.

Read more →

A suspicious email from Cloudflare

2021-09-23 // 2 min read

I received an email from Cloudflare today about an account that had been created with my email address. Going by the details and the headers, it certainly seemed to have originated from Cloudflare. It looked like someone else had signed up with my details.

Read more →

Older posts