Puppeteers Blog

Multi-part cloud-init provisioning with Terraform

Cloud-Init is "a standard for customizing" cloud instances, typically on their first boot. It allows mixing state-based configuration management with imperative provisioning commands (details in our IaC article). By using cloud-init most of the annoyances of SSH-based provisioning can be avoided: having to use (possibly shared) SSH keys for provisioning; having to have direct […]

X11 Connection Rejected

When switching to root after the typical SSH with X11 forwarding enabled, this error can appear: The workaround seems to include copying the MIT-MAGIC-COOKIE-1 from the user who ssh'd in to the root user using xauth. Here's how: First verify the $DISPLAY being used and list the MIT-MAGIC-COOKIE-1 used for it: Next switch to […]

Data-driven Terraform: Kubernetes cluster in Hetzner Cloud

Terraform does not have a particularly strong decoupling between data and code, at least not from a best practices perspective. It is possible and useful, however, to use data to define Terraform resources - if for no other reason than to reduce code repetition for common resources that require defining lots of parameters. Here's […]

Enabling system tray on Fedora 35

System tray is a "legacy" tray where various applications (e.g. Nextcloud, Pidgin and Signal) have an icon through which you can interact with the application without actually opening the main application window. I said "legacy", because phasing it out was the plan in the Gnome 3 project, but it seems like we're not getting rid […]

Terraform Enum data type

In Terraform you have access to basic data types like bool or string. Defining the data type is a good first step toward improving the quality of your modules. However, you may want to validate that a certain string matches a list of pre-defined options, and if not, fail validation early. Terraform, unlike Puppet, […]

Debugging Puppet Bolt inventory plugins

Puppet Bolt handles inventories in a very flexible and powerful manner: you can combine static target definitions and different targets into a single inventory. For example, you can have an inventory which defines some static node names combined with the AWS inventory, or one that combines static nodes with the Vagrant inventory. Puppet Bolt inventory […]

Terraform remote-exec: wait until a webpage is reachable

Terraform's remote-exec provisioner fails immediately if any command in a script exits with a non-zero exit code. This makes building polling loops a bit more involved than it normally is. So, here is an example loop that checks if a URL can be reached: When the URL is unreachable, the "||" will ensure that "sleep" […]

How software companies can end up in a Cloud hell, and how to fix it

The slippery slope: Custom software development services are in high demand today. Organizations are willing to pay considerable amounts of money for development of custom software, be it mobile applications relying on backend services in the Cloud, or tailoring of open source software to better fit their needs. This has provided the impetus for rapid […]

Is Small Business Awards a scam?

This is a question I asked myself in September 2021 when I was informed by Corporate Vision that we were nominated as a candidate for best company in the "IT Infrastructure Management Specialists - Finland" category of the Small Business Awards. At that time (before this blog post) there was very little information online about […]

Hiera lookups in rspec-puppet

While rspec-puppet documentation is quite decent, it does not really explain how to test classes that get their parameters via Hiera lookups, such as profiles in the roles and profiles pattern. Several parameters related to Hiera are listed in the rspec-puppet configuration reference, but that's all. The other documentation you find on the Internet is […]

Mautic spam prevention

Mautic is a widely used open source email marketing automation application written in PHP. Email marketing is typically used in conjunction with inbound marketing done by asking people to give their email address in exchange for something, like a free ebook or a newsletter with good content. As you're asking for the email address on […]

Windows domain in Azure

I wrote this article to better understand how all the pieces called "AD" or "Active Directory" in Microsoft Azure fit together. The pieces are as follows: Active Directory (AD): This is the classic on-premise Active Directory with LDAP, Kerberos, group policies and all that. Traditionally Windows machines in larger environments have been domain-joined to on-premise AD. […]

Conditional provisioner blocks in Terraform

I'll start with a spoiler: what the title suggests is not possible. It is, however, possible to accomplish this with cloud-init and Terraform templates as described in the Multi-part cloud-init provisioning with Terraform blog post. If you need to use SSH/WinRM provisioning, then there are various workarounds you can apply, and this article explains some […]

Showing SQL statements with Keycloak

Sometimes you might find yourself wondering whether there is some paranormal activity going on with your Keycloak and its database. To check if things are still in the realm of physical reality, and to restore your child's faith in the programmer who never makes mistakes, it might be soothing to check what's actually happening to […]

Serverless Puppet with control repo, Hiera, roles and profiles and Puppet Bolt

The traditional way of managing systems with Puppet is to install Puppet agent on the nodes being managed and point those agents to a Puppet server (more details here). This approach works well for environments with tens or hundreds of nodes, but is overkill for small environments with just a handful of nodes. Fortunately […]

Multiple Bitbucket Cloud accounts with SSH authentication

In Bitbucket, usernames are unique across the whole of Bitbucket. Moreover, the same SSH key can only be configured for one user. If you registered your Bitbucket account using a corporate email and used your primary SSH key with it, you're pretty much hosed if you then need to create another corporate Bitbucket account and wanted […]

Managing OpenVPN-based Azure VPN Gateway certificates with easyrsa3

The Azure VPN Gateway supports the OpenVPN protocol (except the "Basic SKU"). Unlike, for example, the commercial Access Server, the VPN Gateway does not have a built-in certificate authority (CA) tool for managing client certificates. And client certificates are essentially a requirement if you need to support clients other than Windows and Mac, such as […]

Dealing with multiple AWS accounts with one Keycloak client for Single-Sign On

This article assumes that the user backend for Keycloak is FreeIPA. Regardless, the instructions will apply to any other setup with minor modifications. Here we use two different AWS accounts renamed to 123412341234 and 567856785678 to protect the personal information of the innocent. The Keycloak staging cluster on which this integration was done […]

Allowing external email forwarding in Office 365

We use Zimbra as our main email server. We also have an Office 365 subscription to make working with our clients a bit easier. The challenge is that when customers send us, say, Teams meeting invites, they typically use autofill and the email gets sent to our Office 365 mailboxes which nobody really looks at. It […]

Short introduction to Packer and Vagrant

This article is a short introduction to Packer and Vagrant - tools that we often recommend to our customers but which may be a bit hard to understand if you have no previous exposure to them. Packer: Packer is used to “create identical machine images for multiple platforms from a single source configuration”. Packer works […]