Service on Nobody's Home

Hugo Static Site Generator

Fri, 24 Apr 2026 00:00:00 +0000

Hugo Site Example:

Introduction

This guide is not all inclusive. RTFM. Hugo is a static site generator, converting your .md text files, and a chosen theme into a modern looking website (like this one). There are a staggering number of themes to give you the look and feel that your site needs.

Everything Up Front

It all starts with the hugo.yaml file (you can use .toml too, but that’s beyond my expertise, consult the hugo documentation). Here is the configuration for this site:

Docker Permissions

Sun, 12 Apr 2026 00:00:00 +0000

References:

Man Page

Install Docker Tutorial

Docker Containers Can Do Too Much

Your containers can do too much. Look at all the capabilities a Docker container gets by default:

  - SYS_ADMIN
  - NET_ADMIN
  - NET_RAW
  - FOWNER
  - SETGID
  - SETUID
  - CHOWN
  - AUDIT_CONTROL
  - AUDIT_READ
  - AUDIT_WRITE
  - BLOCK_SUSPEND
  - BPF
  - CHECKPOINT_RESTORE
  - DAC_READ_SEARCH
  - DAC_OVERRIDE
  - FSETID
  - IPC_LOCK
  - KILL
  - LEASE
  - LINUX_IMMUTABLE
  - MAC_ADMIN
  - MAC_OVERRIDE
  - MKNOD
  - NET_ADMIN
  - NET_BIND_SERVICE
  - NET_BROADCAST
  - PERFMON
  - SETFCAP
  - SETPCAP
  - SYS_BOOT
  - SYS_CHROOT
  - SYS_NICE
  - SYS_PACCT
  - SYS_PTRACE
  - SYS_RAWIO
  - SYS_RESOURCE
  - SYS_TIME
  - SYS_TTY_CONFIG
  - SYSLOG
  - WAKE_ALARM

This should clearly be limited. Containers share functions of the host kernel, it’s how they cut down on overhead. Giving unecessary permissions violates the security principle of least privilege. So, how go about it?

AdGuardHome

Sat, 14 Mar 2026 00:00:00 +0000

References

AdGuardHome Download AdGuardHome Fix systemd-resolved

Why AdGuardHome?

AdGuard has become a key service in my homelab. I’m so used to having ads blocked across my network, it’s a surprise loading a site away from home and seeing the broken hellscape of ads everywhere. Get a network level adblocker and learn how to use it. The less tech savvy folks in your home will thank you.

Installation

Download the latest version of AdGuardHome
Extract using tar -xf AdGuardHome_linux_amd64.tar.gz
Move the folder to the destination: mv AdGuardHome [DESTINATION]
- Fedora: /usr/local/bin/
- Ubuntu: /opt/
Install using sudo ./AdGuardHome -s install
Set up your account at http://ADGUARD-SERVER:3000
Set your router’s DNS server to point at your AdGuardHome server (steps will vary by router)
Set your AdGuard
- Block Lists
- Upstream Providers
- DNS Rewrites
- Allow Lists
- Custom Rules
- Back up you AdGuardHome.yaml

Deploy with Docker Compose:

services:
  adguardhome:
    image: adguard/adguardhome
    container_name: adguardhome
    volumes:
	    #place AdGuardHome.yaml here if you already have a configured instance
      - [map to your /conf directory]:/opt/adguardhome/conf 
      - [map to your /work directory]:/opt/adguardhome/work
    deploy: 
      mode: global
    ports:
      - "53:53/udp"  # <Host Port>:<Container Port>
      - "53:53/tcp"
      - "67:67/udp"
#      - "68:68/udp"
      - "80:80/tcp"
      - "443:443/tcp"
      - "443:443/udp"
      - "3000:3000/tcp"
      - "853:853/tcp"
      - "853:853/udp"
      - "8853:8853/udp"
      - "784:784/udp"
      - "5443:5443/tcp"
      - "5443:5443/udp"
    restart: unless-stopped

Troubleshooting

Systemd-Resolved

Reference: Fix systemd-resolved Us these steps when systemd is using port 53:

Proton Sieve Filters

Wed, 18 Feb 2026 00:00:00 +0000

References:

Why Sieve Filters?

Rather than a long list of email filter rules that become unmanageable, Proton encourages the use of sieve filters - and limits users to 250 filters total. Sieve allows a user to combine what might by over a dozen filter rules down into one logical, legible, flexible flow.

This little blog post is specific to Proton and how they do email filters with Sieve. This post is not all encompassing, RTFM.

Dockhand

Wed, 04 Feb 2026 00:00:00 +0000

References

Setup

Docker Compose:

services:
  dockhand:
    image: fnsys/dockhand:latest
    container_name: dockhand
    restart: unless-stopped
    ports:
      - "3000:3000"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./data:/app/data
      - /home/mechanicus/Code/compose:/mnt/compose

Notes: using a separate data directory instead of a volume mount will make the container easier to manage and transfer if necessary

Adding Environments

My preferred method is to use the hawser connector:

docker run -d --name hawser --restart unless-stopped \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /home/mechanicus/code/docker-compose/:/mnt/compose \
-p 2376:2376 -e TOKEN==[SECURE TOKEN] \
ghcr.io/finsys/hawser:latest

Note: Include the location of compose files for easier management

Tailscale: Easy VPN

Tue, 03 Feb 2026 00:00:00 +0000

References

Overview

This walkthough is the very basics of setting up a Tailscale VPN for travel.

Scenario: You like to travel, but have trouble accessing your accounts (banking, social media, entertainment) while you’re abroad. You travel with a laptop, but you also have a desktop device back home. Wouldn’t it be great if you could just access your accounts and services like you were sitting at your desktop?

Install Docker

Sun, 31 Aug 2025 00:00:00 +0000

References

Docker

Setup: Debian Based

# Add Docker's official GPG key:
sudo apt-get update
sudo apt-get install ca-certificates curl
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc

# Add the repository to Apt sources:
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
  $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update

sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

Setup: Arch Based

# Pamac (manjaro)
sudo pamac install docker docker-compose

# Arch
sudo pacman -Syu docker docker-compose

Enable the docker service

Kasm Workspaces

Sun, 31 Aug 2025 00:00:00 +0000

References

Kasm Documentation Kasm System Requirements Kasm GPU Install

Prerequisites

Install Docker Tutorial
Swap Space

Installation

NOTE: check for the latest version

cd /tmp
curl -O https://kasm-static-content.s3.amazonaws.com/kasm_release_1.18.1.tar.gz
tar -xf kasm_release_1.18.1.tar.gz
sudo bash kasm_release/install.sh --accept-eula --swap-size 8192

GPU Setup

The Nvidia container setup instructions, and standard GPU driver installation threw an error: nvidia runtime not found. The script on Kasm’s site worked.

#!/bin/bash

# Check for NVIDIA cards
if ! lspci | grep -i nvidia > /dev/null; then
    echo "No NVIDIA GPU detected"
    exit 0
fi

add-apt-repository -y ppa:graphics-drivers/ppa

curl -fsSL https://nvidia.github.io/libnvidia-container/gpgkey | sudo gpg --dearmor -o /usr/share/keyrings/nvidia-container-toolkit-keyring.gpg \
  && curl -s -L https://nvidia.github.io/libnvidia-container/stable/deb/nvidia-container-toolkit.list | \
    sed 's#deb https://#deb [signed-by=/usr/share/keyrings/nvidia-container-toolkit-keyring.gpg] https://#g' | \
    sudo tee /etc/apt/sources.list.d/nvidia-container-toolkit.list

apt update
apt install -y ubuntu-drivers-common

# Run ubuntu-drivers and capture the output
DRIVER_OUTPUT=$(ubuntu-drivers list 2>/dev/null)
# Extract server driver versions using grep and regex
# Pattern looks for nvidia-driver-XXX-server
SERVER_VERSIONS=$(echo "$DRIVER_OUTPUT" | grep -o 'nvidia-driver-[0-9]\+-server' | grep -o '[0-9]\+' | sort -n)
# Check if any server versions were found
if [ -z "$SERVER_VERSIONS" ]; then
    echo "Error: No NVIDIA server driver versions found." >&2
    exit 1
fi
# Find the highest version number
LATEST_VERSION=$(echo "$SERVER_VERSIONS" | tail -n 1)
# Validate that the version is numeric
if ! [[ "$LATEST_VERSION" =~ ^[0-9]+$ ]]; then
    echo "Error: Invalid version number: $LATEST_VERSION" >&2
    exit 2
fi
# Output only the version number
echo "Latest version is: $LATEST_VERSION"
ubuntu-drivers install "nvidia:$LATEST_VERSION-server"
apt install -y "nvidia-utils-$LATEST_VERSION-server"
# Install NVIDIA toolkit + configure for docker
apt-get install -y nvidia-container-toolkit
nvidia-ctk runtime configure --runtime=docker

Egress Setup: NordVPN

Get service credentials for the VPN: Available on the VPN dashboard
Download desired OpenVPN configuration files: Available on the VPN dashboard
On Kasm Administrator dashboard, select Egress (Infrastructure > Egress)
- Add the egress provider:
- Configure VPN type:
- Add egress gateways:
On the Workspaces > Workspace page, select the workspace to allow it to use the VPN, click edit and add the egress provider on the Egress tab.
On the Egress Credentials tab, add in the service credentials for the VPN

Keepalived

Sat, 27 Jul 2024 00:00:00 +0000

Explanation:

vrrp_instance: a virtual router
state: master or backup
priority: higher priority means that router gets chosen more often
authentication:
- auth_type: can integrate with other ticket based authentication protocols
- auth_pass: IPv4 sub 8 character passwords, IPv6 allows for longer passwords
virtual_ipaddress: the shared IP ranges for the virtual router (can be more than one)

Setup Examples

Manager:

vrrp_instance VI_1 {
        state MASTER
        interface eth0
        virtual_router_id 51
        priority 10
        advert_int 1
        authentication {
                auth_type AH
                auth_pass adguard
        }
        virtual_ipaddress {
                10.133.7.11/24
        }
}
vrrp_instance VI_2 {
        state MASTER
        interface eth0
        virtual_router_id 52
        priority 10
        advert_int 1
        authentication {
                auth_type PASS
                auth_pass adgaurdhome
        }
        virtual_ipaddress {
	       fd48:fb0a:cb3a:b8d4::1234/64
        }
}

Backup:

vrrp_instance VI_1 {
	state BACKUP
	interface eth0
     virtual_router_id 51
     priority 1
     advert_int 1
     authentication {
         auth_type AH
         auth_pass adguard
     }
     virtual_ipaddress {
         10.133.7.11/24
     }
}
 vrrp_instance VI_2 {
     state BACKUP
     interface eth0
     virtual_router_id 52
     priority 1
     advert_int 1
     authentication {
         auth_type PASS
         auth_pass adgaurdhome
     }       
     virtual_ipaddress {
         fd48:fb0a:cb3a:b8d4::1234/64
     }
}

Notes:

Separate setup for IPv4 and IPv6 addresses
Can have multiple setup for different interfaces

References:

Cloudflare Tunnel

Thu, 04 Jul 2024 00:00:00 +0000

Links

dash.cloudflare.com one.dash.cloudflare.com

Installing the service

Ubuntu

curl -L --output cloudflared.deb https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb && 

sudo dpkg -i cloudflared.deb && 

sudo cloudflared service install [TUNNEL KEY]

Red Hat

curl -L --output cloudflared.rpm https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-x86_64.rpm && 

sudo yum localinstall -y cloudflared.rpm && 

sudo cloudflared service install [TUNNEL KEY]

Docker

docker run cloudflare/cloudflared:latest tunnel --no-autoupdate run --token [TUNNEL KEY]

Docker Compose

version: "3.8"

services:
  cloudflared:
    image: cloudflare/cloudflared:latest
    restart: unless-stopped
    command: tunnel run
    network_mode: host
    environment:
      - "TUNNEL_TOKEN=[TUNNEL KEY]"
    deploy:
      mode: global
      placement:
        constraints: [node.platform.os == linux]

Cloudflare as a Docker Sidecar

Cloudflare can serve ports from other docker containers without actually exposing the container ports on the host device. See the compose example below:

Smart Cards on Linux

Wed, 03 Jul 2024 00:00:00 +0000

Description

PCSCD serves as middleware to access a smart card using PC/SC. Install this program to

Installation

sudo apt install pcscd -y

Enable Socket

sudo systemctl enable --now pcscd.socket

Make Sure It’s Working

systemctl status pcscd.service