systemd-tmpfiles

Systemd-tmpfiles is a systemd utility that automatically manages the creation, deletion, and clean-up of volatile and temporary files and directories using conf files. Systemd-tmpfiles is critical to the functioning of your Linux system and supports many tasks that require the creation and deletion of ephemeral files. I use systemd-tmpfiles to keep my systems clean and as a hard nudge to steer me towards automation and use of git. On my Linux servers I use systemd-tmpfiles to delete all files (excluding dot files) in user home directories when they reach 1 week in age. Having a hard deadline discourages me from making changes and leaving backup files and notes in my home directory and encourages me to push changes into git quickly. ...

July 29, 2025

SOPS Secret Management with PGP

Mozilla SOPS (Secrets OPerationS) is a simple and flexible tool for managing secrets. SOPS provides the scaffolding to enable the use of various encryption solutions to encrypt and decrypt select values in files whilst leaving the keys in plain-text. SOPS supports yaml, json, env, ini and binary formats and can integrate with Amazon Web Services Key Management Service, Google Cloud Platform Key Management Service, Azure Key Vault, age and Pretty Good Privacy (PGP). When looking at options for secret management I was searching for a solution that would have minimal overhead and enable me to keep my secrets in git along with the code. With SOPS, I can use my existing hardware-backed PGP key that I use to sign my git commits as well as a secondary PGP key stored in the git repository, the private half of which only exists in GitLab for CI/CD operations. ...

July 27, 2025

Cloud Init Nocloud

Cloud-init is an open source initialisation tool to get your systems configured and operational during the provisioning stage of the system's life cycle. Cloud-init can handle a range of tasks including configuring the hostname and network interfaces, creating user accounts, installing packages and running scripts. Cloud-init can also hand off to external configuration management platforms such as Chef, Ansible and SaltStack to enrol the system into the through-life configuration management platform. Cloud-init has become the de facto standard for system initialisation and is used by most if not all commercial cloud providers. The explanation below will refer to commercial cloud providers for ease of understanding; however, cloud-init is also used by platforms including VMware, OpenStack, Proxmox, KVM and others. ...

July 26, 2025

Just Command Runner

I have never been someone who takes the time to customise their shell environment; perhaps I am missing out on all the hype around fish shell and atuin. Generally speaking, my preference is to invest the time upfront to automate, implement health checks and recovery scripts so my time on the shell once the system is set up is minimal. Whilst I have been very pleased with how low maintenance my systems are, I have found that when I do need to work on a system interactively, I am often searching through my history trying to recall some command I rarely use. This has been further complicated by my security enhancements made to bash history, which exclude specific sensitive commands that require secrets, as well as commands prepended with a space, from being written to history. ...

May 11, 2024

Let's Encrypt, Certbot & BIND

I run various services that require TLS and use Let's Encrypt to obtain certificates. The web host that registers my domains provides DNS services but there is no API, meaning that all of my Let's Encrypt certificate requests and renewals require that I manually create the _acme-challenge DNS TXT record. Looking for opportunities to reduce maintenance and improve my homelab, DNS resolution and TLS are so fundamental that it makes sense to invest the time to implement a robust solution. The solution I ended up implementing is BIND9 hosting multiple zones, with an internal view for zones that I only want resolvable by internal hosts and an external view for the zones that are required to be resolvable by the Internet. ...

May 1, 2024

Principles for Securing Infrastructure

I was listening to the Late Night Linux podcast and a question was asked of the viewers: how do you keep your Linux systems secure? As someone who works in information security, what stuck out to me was that most people took a very passive approach to security; they either trusted the distribution to provide packages with secure defaults or they isolated the system assuming it is not secure. There were some great answers like using the Center for Internet Security (CIS) Benchmarks, but benchmarks alone may provide a false sense of security in that they may not mitigate the risks that are most important for the specific system and its use case. ...

April 17, 2024

OnlyKey Hardware Password Manager

If you have ever taken an interest in password security and data breaches you have no doubt come across Troy Hunt's Have I Been Pwned website. Have I Been Pwned provides a free resource to quickly assess if you have been put at risk due to an online account having been compromised. As of April 2024 Have I Been Pwned has indexed over 13 billion passwords from 770 separate data breaches. ...

April 12, 2024

Performing Actions at Logon in Linux

I recently upgraded my Fedora Silverblue installation from 39 to 40 and sought to resolve two longstanding quality of life issues: the OnlyKey client application autostarts at every logon, and the Bluetooth soundbar requires reconnection at every logon. Solving the first issue paved the pathway to solving the second issue. Preventing the OnlyKey Application from Autostarting at Logon: a quick Google search turned up the Gnome Help page which specifically addressed how to add an autostart application for all users. This was a great start but it did not tell me how to override the autostart function. Drop-in files are used extensively in Linux and are often used to override system-wide behaviour, so my working theory is that there should be an option to use a drop-in override file to disable the autostart behaviour, which raises two further questions; ...

April 12, 2024