Late Night Thinking

by Thomas L. Kula

Randomness on a PCEngines APU2

This weekend I've been noodling around with my perennial project of building a ersatz HSM (what are you using to protect your home CA root?) A fresh install of Debian 10 on a PCEngines APU2 later, I started some basic setup. One of the first things I started playing with was a source of randomness for the system. In "production" there won't physically be any network connections, and as an isolated box where presumably you'd boot it up, do one or two operations, and shut it back down, there's not a lot of chance to collect some entropy.

Cooking Pork Tenderloin on a Loaf of Bread

Inspired by this recent Chef John video. Prep a whole pork tenderloin as you normally would (I coat with a thin layer of vegetable oil and liberally apply kosher salt). Take a loaf of Italian bread (that's what my local store calls it, it's a long loaf of white bread with sesame seeds on the top), slice in half lengthwise, and coat with butter — I use one stick (1/2 cup) for a whole loaf split in two.

I Dream of Tornados, Part II

For ages, my psyche has marked the start of spring by having a dream about a tornado. At least back to high school, warmer weather, trees start budding and flowers start poking out and — boom, tornado dream. This year, however, I've had two dreams about tornados in the past week, which is the first time I can remember this happening. I'll have other dreams about weather, but just one with a tornado there ever spring.

Vault Secrets Engines

At home I make extensive use of both the Minio object storage server and the Backblaze B2 object storage service. I've also recently started making use of HashiCorp Vault. Given how useful it is to generate dynamic secrets with Vault, I wanted to extend that to my usage of Minio and B2, so writing a secrets engine plugin for Vault has been on my project list for quite some time.

Restic Systems Backup Setup, Part 5 - minio multi-user support

This is Part 5 of my series on building a restic-based system backup series. The rest of the articles can be found here. One of the original design decisions in my restic systems backup setup was isolation between hosts. I didn't want root on one system to be able to access the backups of other hosts, even if they were storing backups on a common backup server. At that time, Minio, the object storage server I was using on the backup server, only supported single-tenancy — there was a single "access key"/"secret key" per instance, with access to every object and every bucket in that instance.

Using gopass with mutt

I've been using gopass for a long time as my password manager — with my GnuPG and Yubikey setup accessing my passwords on both my laptop and my colocated box is pretty transparently the same. I randomly came across the fact that mutt will do backtick expansion in its configuration file. With that, I can keep my Mutt imap password in gopass and have mutt fetch it with set imap_pass=`pass mutt_imap_pass`

Wrapping Consul Lock

I've recently installed a Consul cluster at home, mostly to act as an HA backing store for Vault. If you've been following along, I've also been moving to Restic for my system backups so, of course, I want snapshots of Consul to end up there. But this isn't a post about that — when I've got it running well and cleaned up, I'll post it and talk about it.

Thoughts about On-Call

This month there have been a couple of interesting discussions about on-call rotations in the tech industry. The first was started by Charity Majors, who sparked a thread on Twitter: All this heated talk about on call is certainly revealing the particular pathologies of where those engineers work. Listen: 1) engineering is about building *and maintaining* services 2) on call should not be life-impacting 3) services are *better* when feedback loops are short

Disabling Yubikey 4 OTP

Since I can never remember this: I don't make use of the Yubikey OTP mode, so I don't want what a former co-worker called "yubidroppings" when I accidentially brush my key. Short answer: get ykpersonalize and run ./ykpersonalize -m 5, since I only want U2F and CCID modes enabled. Tell it yes twice.