SleepMap (Posts about admin)

New PGP key ID 1793DAD5D803A8FFD7451697BB992F9864FAD168

David Runge — Sat, 30 Apr 2022 08:35:57 GMT

As my current PGP key 91BD8815FE0040FA7FF5D68754C28F4FF5A1A949 will be expired soon, I have created a new one to replace it.

You can get my new key 1793DAD5D803A8FFD7451697BB992F9864FAD168 as well as the old one and the cross-signatures required to establish the chain of trust between the two via Web Key Directory (WKD) (which should be used automatically by gpg >= 2.1.23).

To not deal with the rather convoluted gnupg tooling I have created a deployment method for this using sequoia-pgp's sq, about which you can read in the rest of this article.

Securely serving webapps using uWSGI

David Runge — Sat, 08 Oct 2016 07:00:00 GMT

Ever since I have been running my own Arch Linux box to serve my services, I used nginx in conjunction with uWSGI.
So instead of using php-fpm and be limited to just PHP, I can use a single application server to do all of them (CGI, Python, PHP and even the stuff I don't use, such as Ruby Rack, Mono, Java, Lua, Perl, WebDAV). They are all separately installable as plugins.
Static sites, such as this, default to being served by nginx directly of course.
Over time I found uWSGI to be a very versatile and powerful piece of software that has many advantages (over e.g. Apache):

socket activation
webapp encapsulation and jailing
self-healing
being able to separetely manage services
exit after idle

I'll explain the services I use (MantisBT, roundcube, ownCloud, Mailman, Stikked, Wordpress, Postfixadmin, phpMyAdmin, cgit, MediaWiki, Etherpad ) along with configuration examples and their possible pitfalls.

In my last post about Let's Encrypt I already showed some examples on how to configure nginx for the use with uWSGI. Let's jump right in.

Let's encrypt it all

David Runge — Thu, 29 Sep 2016 18:00:00 GMT

For a couple of months now I have been using Let's Encrypt to generate free and valid certificates for all the services I run.
In many places the free Certificate Authority (short CA) has spread like wild-fire. From small to large scale services, many adopted it and the amount of issued certificates has grown over 1 million in just four months.
As a visitor to this website you have probably noticed the small green lock sign next to the address bar. The certificate used for this website is accepted to be valid by your browser (and also by your operating system).
If you're up for some background knowledge, just read on. If you're up for some hands-on technical stuff, jump right on to the howto.
Just note: This is a veeeeeeery long article in any case.

SSH tunnel with single hop, using systemd-networkd and autossh

David Runge — Sun, 01 Feb 2015 18:00:00 GMT

Recently I had the pleasure of setting up a SSH tunnel between two virtual machines that share no route and are located in two different subnets.
They can however reach each other via SSH, hopping their host.
Let's assume the following setup:

client1 (Arch Linux) has 10.0.5.2/24
client2 (Arch Linux) has 10.0.6.2/24
host (Debian) is 10.0.5.1/24 to client1 and 10.0.6.1/24 to client2

As I needed the two clients to be able to send mail to each other and reach each others' services, I did some digging and opted for a SSH connection using TUN devices (aka. "poor man's VPN").

The following is needed to set this up:

root access on both virtual machines (client1 & client2)
a user account on the host system
SSH (OpenSSH assumed) installed on all three machines