Developing markdown.download: Exploring val.town, deno, jsr.io

I read a lot. I enjoy reading on black and white e-readers. Unfortunately many websites make it hard to read them on simple devices. https://markdown.download is my really simple solution to that. Prepend it to any website and curl:

curl https://markdown.download/https://dev.to/amnish04/introducing-the-idea-of-web-handlers-in-chatcraft-1b4i

That turns a user-hostile website into a thing that almost anything can render. It’s amazing how much cleaner the web is when stripped down to its essence. Turns out markdown (or html restricted to what markdown can do) renders fantastically on readers of all types.

Since markdown.download is so utterly simple, I decided to try using it to learn a new-to-me dev tool: val.town. The rest of this post covers what I learned. I initially was going to publish this project as an npm lib and deploy on cloudflare, but was putting it off because I loathe the amount of bureaucracy that involves. I love the type system in TypeScript. I love Node.js because it’s the least-bad way to write/deploy apps, but much room for improvement remains. My spare time is too valuable to spend it suffering. val.town: brutally efficient microservice dev-ux...

March 24, 2024 · 5 min · Taras Glek

ssh-via-cloudflare-tunnel: Alternative way to expose machines behind NAT

I have an intermittent issue where one of my machines on a specific network seems to be operational locally on the network but not accessible over netbird some of the time. I could not tell if the problem was due to the network the problematic machine was on or due to netbird. So to debug this I:

- Set up a grafana node agent to report journald logs to https://grafana.com/
- Set up docker to log to journald
- Wrote the ssh-via-cloudflare-tunnel docker-compose stack to tunnel ssh over websocat to the internet over cloudflared
- Set docker compose to restart-on-failure

Today netbird had some downtime (tailscale had theirs just a few days before that). I was able to log into grafana, look up the temporary hostname cloudflare assigned to me and ssh in using:

ssh -o ProxyCommand="websocat -E --binary - -v %h" -o ServerAliveInterval=10 wss://library-won-nt-gauge.trycloudflare.com

Architecture

graph TD;
  A[ssh client] <-->|Invoke websocat over ProxyCommand| B[websocat client-mode]
  B <-->|WebSocket to Stdio| D(Cloudflare)
  D <-->|HTTPS to WebSocket| E[cloudflared Server]
  E <-->|Reverse proxy over HTTPS| F[websocat server-mode]
  F <-->|Stdio to SSH| G[sshd server]
  style A fill:#f9f,stroke:#333,stroke-width:2px
  style B fill:#dfd,stroke:#333,stroke-width:2px
  style D fill:#bbf,stroke:#333,stroke-width:2px
  style E fill:#ddf,stroke:#333,stroke-width:2px
  style F fill:#dfd,stroke:#333,stroke-width:2px
  style G fill:#f9f,stroke:#333,stroke-width:2px

Conclusion

This turned out trivial to do. However it took me over 5 years of pondering, discovering ssh ProxyCommand, cloudflared, websocat and deciding to combine them to conveniently expose ssh over web. I think it’s pretty cool how Cloudflare allows one to expose geographically distributed tunnels without requiring any signups. I wish their UX were simpler so it was equally easy to expose tunnels with fixed dns. Cloudflare actually has something similar as an official ssh feature, but it requires more hoop jumping. websocat is amazing. I use websockets a lot more now that I have a robust way to utilize them without writing any code.

Why Would I Want To Do This?

- As a fallback to tailscale/netbird that uses a completely different network topology, as in this case
- To temporarily grant ssh to some machine without requiring end-users to install a vpn
- To bypass restrictive gsm/wifi networks that block access to ssh
- As an alternative to port-knocking to obscure ssh (eg hide ssh behind http basic-auth)

How would you improve this? Check out ssh-via-cloudflare-tunnel on github.

March 10, 2024 · 2 min · Taras Glek

github-to-sops: Easy way to manage passwords/keys with Github and SOPS

Let’s face it, managing secrets in software projects can be as thrilling as being stabbed in the eye. Yet, it’s a necessary evil that we all have to deal with. Problem: we have a set of developers and a set of infrastructure that all need to share secrets. We would like to minimize infrastructure and keep cognitive load to a minimum so we can focus on writing code. Sure you’ve got AWS Secrets Manager and HashiCorp Vault for the heavy lifting, but that’s like using a tractor to crack a nut. And then there’s the keep-all-your-secrets-in-github-action-ENVs approach, which leads to a “push-and-pray” mentality (https://dagger.io/ talks on CI/CD are awesome). Not exactly the pinnacle of security or convenience, right? Enter SOPS, the cool kid on the block that encrypts your files without the bullshit (You know it’s cool cos it’s the latest in a long line of tech abandoned by Mozilla). But setting it up? Still sucks. This post is about how github-to-sops helps. ...

January 10, 2024 · 3 min · Taras Glek

Lightweight Virtualization Metallize Libkrun Vsock

libkrun + krunvm

GitHub randomly recommended libkrun to me, which is a library backing krunvm. It’s something similar to firecracker, but even simpler. ...

August 30, 2023 · 2 min · Taras Glek

Trying pixi: Modern package management for Python

I have been working with Python a lot more recently, and it feels like I spend more time fighting packaging than writing code. Python’s primary package manager, pip, is roughly equivalent to the best the 1990s had to offer (Perl CPAN); it makes it depressingly easy to end up with a broken environment.

Pixi: A modern packaging system for Python

pixi is a modern package manager along the lines of deno/pnpm, but for Python. It’s a single binary that you can download and run. It will install Python + native packages within a single subdirectory. It will use a pixi.toml file to track dependencies + pixi.lock to track exact versions of transitive dependencies. ...

August 25, 2023 · 2 min · Taras Glek