Locking down Traefik systemd service

On one of my servers I’m running two bare instances of Traefik and Minio. Traefik is used as the HTTP reverse proxy, mainly because of its ability to automatically retrieve certificates from Let’s Encrypt for any domain it is hosting. Minio is a self-hosted, S3-compatible object storage. The usual approach to deploy these two applications is Docker (especially since Traefik has the awesome ability to configure itself automatically through Docker), but for this setup I decided to go down a different path: plain, old system services.

Project Idea: XMPP Message Transfer Adapter

XMPP, the Extensible Messaging and Presence Protocol, should be preferred over any other centralized and/or proprietary messaging protocol. Unfortunately, sometimes it can be cumbersome to use XMPP, at least compared to other solutions. One reason may be that certain port ranges are simply blocked by the network operator (restrictive firewalls). At work, for example, I cannot connect to various XMPP ports through the internal network. Another reason might be that the integration overhead is too high, or the integration simply has not been done (yet).

Modify process credentials in Linux kernel

Linux uses a massive, singular structure to manage information about each running process, referred to as task_struct and defined in include/linux/sched.h. It contains the current status of the process (runnable, stopped, etc.), the process identifier (PID), scheduling information, its parent, siblings and children, and many, many others. Below is a short snippet of the struct, but if you’re curious you should really scroll through the entire structure; maybe something will pique your interest: task_struct

Query CPUID with Inline Assembly

As part of my bachelor thesis on Intel PT Hooking I had to determine the availability of different processor features. Since the usage details were not as well documented as I thought they could be, I will share my findings, explanations and examples here. On all x86 processors (the feature was introduced in 1993) retrieving information about the processor’s features and capabilities is done by calling the CPUID machine instruction. Depending on the values in the registers EAX, EBX, ECX and EDX, different information can be queried.

Boot encrypted Linux from GRUB

So I just had a very unpleasant system hang during a kernel upgrade which led me to being dumped into the GRUB shell - on Sunday evening at 10 pm. And I need my laptop tomorrow… Well, let’s do this! I have three partitions on my (single) drive: /dev/sda1: MBR; /dev/sda2: /boot partition; /dev/sda3: /root partition, encrypted, mounted as /dev/mapper/sda3_crypt. First we need to tell GRUB which Linux image (vmlinuz) we’ll be using and which partition the kernel mounts as its root partition.

Sequential Unit Startup in Systemd

At work we are running some (new) nodes in Puppet Masterless mode. This means instead of querying a Puppet server, they collect the resource and compile the code themselves before applying it. That requires having the Puppet and Hiera code present on the machine, for which we use g10k (a blazing fast reimplementation of r10k in Go) and a custom postrun for linking the appropriate modules in each environment. To run and regularly execute these tasks, we deployed systemd services and timers.

Xiaomi Mi A1 LineageOS with microG

After getting my Xiaomi Mi A1 Global (tissot) I immediately wanted to install LineageOS 15.1 with microG on the device. After a few hours of research, I found the necessary steps for a successful installation. Special thanks go to heinhuiz for the complete instructions and abhishek987 for the TWRP port! https://forum.xda-developers.com/mi-a1/development/rom-lineageos-15-1-t3757938 If you have installed a custom ROM before, I recommend flashing the stock ROM again before starting this guide.

Synology NAS: Samba, NFS and Kerberos with FreeIPA LDAP

This work is a collaboration with my colleague Markus Opolka (@martialblog). Since we migrated our old, hacky LDAP server to a completely new FreeIPA instance, authenticating Samba and NFS users with the new LDAP server (provided by FreeIPA) was no longer possible. As we don’t have that many users, the short-term fix was to locally create the required accounts on the Synology NAS. This has the disadvantage of splitting the password management, so we wanted to fix it.


Sometimes you just need some motivation - in the morning, during the day or in the evening. Here, take this poster: Motivation Poster SVG, Motivation Poster PDF, licensed under CC-0 (Public Domain). These are the quotes used:
Discipline is Greater than Motivation. – Elliot Hulse
No pain, no gain. – Arnold Schwarzenegger
Success is not about the money, the fame or the big house. It’s about becoming THE BEST VERSION OF YOURSELF.

Real Life

Judge: When was the first time you met in real life?
Peter Sunde: We don’t use that expression. We say AFK - we think the internet is for real.
My blog mostly deals with software and hardware, i.e. the stuff computers are made of. And though one of my favorite quotes addresses how real the internet (the construct a network of computers forms) is, sometimes you really have to do something in “real life”.