Introduction Prometheus is an open source metrics and alerting solution used to monitor a wide range of things. Unlike many classic network monitoring systems Prometheus is focused on colleting metrics. This makes it quite easy to do things that would be difficult in others systems. For example excluding down targets in Prometheus is quite trivial. […]
Introduction This article tries to include everything you need to know about Keycloak Javascript policy deployment. By Javascript policies I mean authorization policies of Javascript type attached to Keycloak clients that have authorization enabled. If you don't know what Keycloak authorization services are, you are probably in the wrong place. While the process of creating […]
The symptoms I recently received and email from Amazon Route53 asking me to verify the contact details for one of our registered DNS domains (replaced here with example.org). And sure enough, I saw wrong Route53 domain contact details in the email: These wrong Route53 domain contact details originate from whois data for the registered domain. […]
Introduction Ansible has reasonably good support for managing various aspects of Keycloak. You can use the community.general.keycloak_realm module to handle realm management, including Keycloak realm SMTP server settings. However, in the true Ansible fashion the documentation looks good, but does not help you much. In fact, documentation only mentions that the smtp_server parameter is a […]
This article shows you how to convert a hash into JSON in Puppet using a simple ERB template that gets its data from Hiera. Suppose you have this data in Hiera: Converting a hash into a JSON file on the target node is surprisingly easy. First look up the data: Then create a simple ERB […]
You are 100% sure that all your Terraform resources are using terraform-provider-azurerm, yet Terraform attempts to download the deprecated "azure" provider: You grep the state file and find no references to the "azure" provider. You assume that the cause is some nested module that depends on it, but no, that's not it. You run "terraform […]
What are Ansible modules? Ansible modules provide the infrastructure as code building blocks for your Ansible roles, plays and playbooks. Modules manage things such as packages, files and services. The scope of a module is typically quite narrow: it does one thing but attempts to do it well. Writing custom Ansible modules is not particularly […]
What are Ansible Collections? Ansible is an infrastructure as code tool used for configuration management, network device management, orchestration and other tasks. Ansible Collections are a way to distribute Ansible content such as roles, playbooks and modules. They can be downloaded from Ansible Galaxy, Git repositories or local directories. Basically collections are a more modern […]
Computers were supposed to relieve us humans from boring and repetitive jobs. Here we turn this upside down and do the boring and repetitive job of a computer by importing Cloudflare DNS records to Terraform ourselves. Not fun, but someone’s gotta do it sometimes. If you’re reading this, that someone is probably you. Condolences. My […]
When you create a distribution, AWS creates several DNS A records with the same name (e.g. d25gma2ea3ckma.cloudfront.net) which point to IPs the distribution is using. Then, typically, you would define CNAME(s) pointing to that cloudfront.net address in your own DNS. Each Cloudfront distribution has a list of aliases, similar to Subject Alternative Names ("SAN") in […]
When deploying with Terraform to Azure you may sometimes encounter errors such as this: The problem is that in Azure you may need to register the provider for the service you intend to manage with Terraform. If you add resources from Azure Portal this registration part is handled automation. In the above case the Azure […]
I was working with Keycloak realm private/public key automation and it was not immediately obvious where Keycloak stores the keys. Figuring it out was actually easy, and this method applies to any web application that uses MySQL/MariaDB, not just Keycloak. Anyhow, on Ubuntu, you'd navigate to /var/lib/mysql/<name-of-database>. For example: Make sure that no changes have […]
In AWS EBS ("Elastic Block Storage") is the underlying technology that (virtual) hard disks of your instances (virtual machines) use. You can take snapshots of those virtual hard disks and use those snapshots to, for example: Debugging issues with unbootable virtual machines: attach and then mount the snapshot on another virtual machine and investigate what […]
Puppet Development Kit is probably the best thing since sliced bread if you work a lot with Puppet. It makes adding basic validation and unit tests trivial with help from rspec-puppet. It also makes it very easy to build module packages for the Puppet Forge. That said, there is a minor annoyance with it: whenever […]
Typically Linux nodes are joined to FreeIPA using admin credentials. While this works, it exposes fully privileged credentials unnecessarily, for example when used within a configuration management system (see for example puppet-ipa). Fortunately joining nodes to FreeIPA is possible with more limited privileges. The first step is to create a new FreeIPA role, e.g. "Enrollment […]
Every now and then a need to use the content of a file as a variable on an agent node arises. Here's one way to do it with the help of a custom fact. First create a custom fact on the puppet server: You can confine this to restrict it to be available only on […]
Adding OpenID to WordPress allows for existing users on a domain to connect without having to manage another account. In this setup, we will be using Keycloak to provide the existing accounts which the OpenID plugin will use. There are a few plugins for WordPress that allow this functionality, but we will be using OpenID-Connect-Generic […]
When switching to root after the typical SSH with X11 forwarding enabled this error can appear: The workaround seems to include copying the MIT-MAGIC-COOKIE-1 from the user who ssh'd in to the root user using xauth. Here's how: First verify the $DISPLAY being used and list the MIT-MAGIC-COOKIE-1 used for it : Next switch to […]
System tray is a "legacy" tray where various applications (e.g. Nextcloud, Pidgin and Signal) have an icon with which you can interact with the application without actually opening the main application window. I said "legacy", because phasing it out was the plan in the Gnome 3 project, but it seems like we're not getting rid […]
In Terraform you have access to basic data types like bool or string. Defining the data type is a good start for starting to improve the quality of your modules. However, you may want to validate that a certain string matches a list of pre-defined options, and if not, fail validation early. Terraform, unlike Puppet, […]
