HackerTrans
TopNewTrendsCommentsPastAskShowJobs

antoniomika

no profile record

Submissions

Bluesky over SSH

termsky.app
5 points·by antoniomika·2 ปีที่แล้ว·0 comments

Roll your own ZFS NAS

blog.antonio.cx
1 points·by antoniomika·2 ปีที่แล้ว·2 comments

comments

antoniomika
·3 เดือนที่ผ่านมา·discuss
We added SSH certificates support to pico.sh [1] and it's been great. Utilizing principals gave us the ability to implement a RBAC like system for specific parts of the pico.sh ecosystem. Users get the flexibility they want with limited complexity.

[1] https://pico.sh/access-control#ssh-certificates
antoniomika
·ปีที่แล้ว·discuss
Currently, you can either provide the `BORG_REPO_PERMISSIONS` env var to borg [0] or `--permissions` flag to `borg serve` [1]. You can then enforce this as part of your `authorized_keys` command, for example.

[0] https://github.com/borgbackup/borg/blob/3cf8d7cf2f36246ded75...

[1] https://github.com/borgbackup/borg/blob/3cf8d7cf2f36246ded75...
antoniomika
·ปีที่แล้ว·discuss
This has been replaced with a permissions feature that still provides both delete and overwrite protections. The difference is the underlying store needs to implement it rather than running a server that understands the permission differences. You can read more about this change here: https://github.com/borgbackup/borg/issues/8823#issuecomment-...
antoniomika
·ปีที่แล้ว·discuss
Check out sysbox[0], it's a runc based runtime that allows you to run "system" containers without privilege.

[0]: https://github.com/nestybox/sysbox
antoniomika
·ปีที่แล้ว·discuss
Yep! tuns would be the service you want since it can support forwarding arbitrary backends: https://pico.sh/tuns#custom-domains
antoniomika
·ปีที่แล้ว·discuss
We’re actually using Unix sockets as the underlying transport layer for this. We’re also not using sshd, we custom wrote our own daemon that’s entire job is tunneling. If you’re curious about this, you can find the project here: https://github.com/antoniomika/sish

sish was actually my first foray into SSH apps. It was a lot of fun to write and pretty much implements tunnels with a routing system on top. It manages connectivity, routing, and reverse proxying all within user space. No namespaces required!

tuns can actually even tunnel UDP traffic over SSH, also entirely in user space. Docs for that can be found here: https://pico.sh/tuns#udp-tunneling
antoniomika
·ปีที่แล้ว·discuss
We're actually fully open source and all development occurs in the open! Here's the repo https://github.com/picosh/pico and you can find us on Libera IRC
antoniomika
·ปีที่แล้ว·discuss
Hrm that's odd! Just tested and everything looks fine. Any logs or errors you can share?
antoniomika
·ปีที่แล้ว·discuss
Our host keys are published here and are durable: https://pico.sh/host-keys
antoniomika
·ปีที่แล้ว·discuss
Ashburn, VA and Nuremberg, DE!
antoniomika
·ปีที่แล้ว·discuss
Woops! Delete is supported, will update that as well
antoniomika
·ปีที่แล้ว·discuss
Correct! The tunnels are protected using ssh auth as well, so you can ensure that only the users you want to access it can.
antoniomika
·ปีที่แล้ว·discuss
I'd actually highly recommend taking a look at vaxis (https://github.com/rockorager/vaxis). We've moved away from wish/bubbletea and have really enjoyed working with vaxis!
antoniomika
·ปีที่แล้ว·discuss
Sorry, this is a focus issue with a tui which we'll fix up soon! Should just need to hit <tab> until OK is highlighted and then press enter
antoniomika
·ปีที่แล้ว·discuss
We recently changed our tui framework and the functionality for focus is a bit different. You might have to hit <tab> until `ADD` is highlighted. You can also rsync/scp/sftp an authorized_keys file and we'll add that to your account!
antoniomika
·ปีที่แล้ว·discuss
And we're still free! Just added some payments to help keep things running smoothly and allow us to invest in more infrastructure. pgs (static sites) and tuns (tunneling) are both multi-region for example.
antoniomika
·ปีที่แล้ว·discuss
And we'd be happy for you too! All of our code/tools are open source and available here: https://github.com/picosh/pico
antoniomika
·2 ปีที่แล้ว·discuss
Honestly never had a chance to merge it/review it. Once the company wound down, I had to move onto other things (find a new job, work on other priorities, etc) and lost access to be able to do anything with it after. I thought about forking it and modernizing it but never came to fruition.
antoniomika
·2 ปีที่แล้ว·discuss
I wrote a system that did this >5 years ago (luckily was able to open source it before the startup went under[0]). The bastion would record ssh sessions in asciicast v2 format and store those for later playback directly from a control panel. The main issue that still isn't solved by a solution like this is user management on the remote (ssh server) side. In a more recent implementation, integration with LDAP made the most sense and allows for separation of user and login credentials. A single integrated solution is likely the holy grail in this space.

[0] https://github.com/notion/bastion
antoniomika
·2 ปีที่แล้ว·discuss
Nope! I utilize env files for all of my password/privileged settings. In the command entry for docker-compose.yml, you can then use a non-templated env var (one that docker-compose itself doesn't fill) by replacing a single dollar sign with two. That then loads the credential from the environment instead of command line.