]]>I moved my blog from GitHub to my own hosting ( powered by Procolix ).
Procolix sponsored my hosting for 20 years, till I decided to start my company Mask27.dev.
One reason is that Microsoft seems to like to put “copilot everywhere”, including on repositories hosted on github. While I don’t dislike AI ( artificial intelligence ), LLM ( Large Language Models ) are a nice piece of technology. The security, privacy, and other issues are overlooked or even just ignored.
The migration was a bit more complicated as usual, as nothing “is easy” ;-)
You’ll find the pitfalls of moving my blog below as they might be useful for somebody else ( including the future me ).
I use Jekyll to generate my webpages on my blog. I might switch to HUGO in the future.
While there’re Jekyll plugins available to preform a redirect, I decide to keep it simple and added a http header to _includes/head.html
<meta http-equiv="refresh" content="0; url=https://blog.wagemakers.be/blog/2026/01/26/blog-wagemakers-be/" />
I had some hardcoded links for image, url, etc on my blog posts.
I used the script below to update the links in my _post directory.
#!/bin/sh
set -o errexit
set -o pipefail
set -o nounset
for file in *; do
echo "... Processing file: ${file}"
sed -i ${file} -e s@https://stafwag.github.io/blog/blog/@https://blog.wagemakers.be/blog/@g
sed -i ${file} -e s@https://stafwag.github.io/blog/images/@https://blog.wagemakers.be/images/@g
sed -i ${file} -e s@\(https://stafwag.github.io/blog\)@\(https://blog.wagemakers.be\)@
done
I use DISQUS as the comment system on my blog. As the HTML pages got a proper redirect, I could ask Disqus to reindex the pages so the old comments became available again.
More information is available at: https://help.disqus.com/en/articles/1717126-redirect-crawler
Without a redirect, you can download the URL in a csv and add a migration URL to the csv file and upload it to Disqus. You can find information about it in the link below.
https://help.disqus.com/en/articles/1717129-url-mapper
I didn’t find a good way to redirect for RSS feeds, which RSS readers use correctly.
If you know a good way to handle it, please let me know.
I tried to add an XML redirect as suggested at: https://www.rssboard.org/redirect-rss-feed. But this doesn’t seem to work with the RSS readers I tested (NewsFlash, Akregator).
These are the steps I took.
I added the following headers to _includes/head.html
<link rel="self" type="application/atom+xml" href="{{ site.url }}{{ site.baseurl }}/atom.xml" />
<link rel="alternate" type="application/atom+xml" title="Wagemakers Atom Feed" href="https://wagemakers.be/atom.xml">
<<link rel="self" type="application/rss+xml" href="{{ site.url }}{{ site.baseurl }}/atom.xml" />
<link rel="alternate" type="application/rss+xml" title="Wagemakers Atom Feed" href="https://wagemakers.be/atom.xml">
When I switched from Octopress to “plain jekyll” I started to use the jekyll-feedplugin. But I still had the old RSS page from Octopress available, so I decided to use it to generate atom.xml and feed.xml in the link rel=self and link rel="alternate" directives.
Full code below or on GitHub: https://github.com/stafwag/blog/blob/gh-pages/feed.xml
---
layout: null
---
<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
<title><![CDATA[stafwag Blog]]></title>
<link href="https://blog.wagemakers.be//atom.xml" rel="self"/>
<link rel="alternate" href="https://blog.wagemakers.be/atom.xml" /> <link href="https://blog.wagemakers.be }}"/>
<link rel="self" type="application/atom+xml" href="https://blog.wagemakers.be//atom.xml" />
<link rel="alternate" type="application/atom+xml" href="https://blog.wagemakers.be/atom.xml" />
<link rel="self" type="application/rss+xml" href="https://blog.wagemakers.be//atom.xml" />
<link rel="alternate" type="application/rss+xml" href="https://blog.wagemakers.be/atom.xml" />
<updated>2026-01-26T20:10:56+01:00</updated>
<id>https://blog.wagemakers.be</id>
<author>
<name><![CDATA[Staf Wagemakers]]></name>
</author>
<generator uri="http://octopress.org/">Octopress</generator>
{% for post in site.posts limit: 10000 %}
<entry>
<title type="html"><![CDATA[{% if site.titlecase %}{{ post.title | titlecase | cdata_escape }}{% else %}{{ post.title | cdata_escape }}{% endif %}]]></title>
<link href="{{ site.url }}{{ site.baseurl }}{{ post.url }}"/>
<updated></updated>
<id>https://blog.wagemakers.be/</id>
<content type="html"><![CDATA[]]></content>
</entry>
{% endfor %}
</feed>
I created this blog post to notify the users ;-)
Have fun!
]]>And created a few ansible roles to provision the virtual machines with cloud image with cloud-init and deploy k3s on it.
I updated the roles below to be compatible with the latest Debian release: Debian 13 Trixie.
With this release comes a new movie ;-)
The latest version 1.3.0 is available at: https://github.com/stafwag/ansible-k3s-on-vms
Have fun!
stafwag.delegated_vm_install is available at: https://github.com/stafwag/ansible-role-delegated_vm_install
stafwag.virt_install_vm 1.1.0 is available at: https://github.com/stafwag/ansible-role-virt_install_vm
stafwag.qemu_img 2.3.3 available at: https://github.com/stafwag/ansible-role-qemu_img
Lookat 2.1.0 is the latest stable release of Lookat/Bekijk, a user-friendly Unix file browser/viewer that supports colored man pages.
The focus of the 2.1.0 release is to add ANSI Color support.
Lookat / Bekijk 2.1.0rc2 has been released as Lookat / Bekijk 2.1.0
Lookat 2.1.0rc2 is the second release candicate of Lookat 2.1.0
Have fun!
]]>
Lookat 2.1.0rc2 is the second release candicate of release of Lookat/Bekijk 2.1.0, a user-friendly Unix file browser/viewer that supports colored man pages.
The focus of the 2.1.0 release is to add ANSI Color support.
Lookat 2.1.0rc2 is the second release candicate of Lookat 2.1.0
Have fun!
]]>
Terraform or OpenTofu (the open-source fork supported by the Linux Foundation) is a nice tool to setup the infrastructure on different cloud environments. There is also a provider that supports libvirt.
If you want to get started with OpenTofu there is a free training available from the Linux foundation:
I also joined the talk about OpenTofu and Infrastructure As Code, in general, this year in the Virtualization and Cloud Infrastructure DEV Room at FOSDEM this year:
I’ll not start to explain “Declarative” vs “Imperative” in this blog post, there’re already enough blog posts or websites that’re (trying) to explain this in more detail (the links above are a good start).
The default behaviour of OpenTofu is not to try to update an existing environment. This makes it usable to create disposable environments.
Tails is a nice GNU/Linux distribution to connect to the Tor network.
Personally, I’m less into the “privacy” aspect of the Tor network (although being aware that you’re tracked and followed is important), probably because I’m lucky to live in the “Free world”.
For people who are less lucky (People who live in a country where freedom of speech isn’t valued) or journalists for example, there’re good reasons to use the Tor network and hide their internet traffic.
To make it easier to spin up a virtual machine with the latest tail environment I created a Terraform/OpenTofu module to spin up a virtual machine with the latest Tails version on libvirt.
There’re security considerations when you run tails in a virtual machine. See
for more information.
The source code of the module is available at the git repository:
The module is published on the Terraform Registry and the OpenTofu Registry.
Have fun!
]]>
Lookat 2.1.0rc1 is the latest development release of Lookat/Bekijk, a user-friendly Unix file browser/viewer that supports colored man pages.
The focus of the 2.1.0 release is to add ANSI Color support.
Lookat 2.1.0rc1 is the first release candicate of Lookat 2.1.0
Have fun!
]]>
I decided to leave twitter.
Yes, this has something to do with the change of ownership, the name change to x, …
There is only 1 X to me, and that’s X.org
Twitter has become a platform that doesn’t value #freedomofspeech anymore.
My account even got flagged as possible spam to “factchecking” #fakenews
The mean reason is that there is a better alternative in the form of the Fediverse #Fediverse is the protocol that Mastodon uses.
It allows for a truly decentralised social media platform.
It allows organizations to set up their own Mastodon instance and take ownership and accountability for their content and accounts.
Mastodon is a nice platform; you probably feel at home there.
People who follow me on twitter can continue to follow me at Mastodon if they want.
https://mastodon.social/@stafwag
I’ll post this message a couple of times to twitter before I close my twitter account, so people can decide if they want to follow me on Mastodon …or not ;-).
Have fun!
]]>
Unbound is a popular DNS resolver, that has native DNS-over-TLS support.
Unbound and Stubby were among the first resolvers to implement DNS-over-TLS.
I wrote a few blog posts on how to use Stubby on GNU/Linux and FreeBSD.
The implementation status of DNS-over-TLS and other DNS privacy options is available at: https://dnsprivacy.org/.
See https://dnsprivacy.org/implementation_status/ for more details.
It’s less known that it can also be used as authoritative DNS server (aka a real DNS server). Since I discovered this feature and Unbound got native DNS-over-TLS support I started to it as my DNS server.
I created a docker container for it a couple of years back to use it as an authoritative DNS server.
I recently updated the container, the latest version (2.1.0) is available at: https://github.com/stafwag/docker-stafwag-unbound
Dockerfile to run unbound inside a docker container.
The unbound daemon will run as the unbound user. The uid/gid is mapped to
5000153.
$ git clone https://github.com/stafwag/docker-stafwag-unbound.git
$ cd docker-stafwag-unbound
The default DNS port is set to 5353 this port is mapped with the docker command to the default port 53 (see below).
If you want to use another port, you can edit etc/unbound/unbound.conf.d/interface.conf.
scripts/create_zone_config.sh helper scriptThe create_zone_config.sh helper script, can help you to create the zones.conf configuration file.
It’s executed during the container build and creates the zones.conf from the datafiles in etc/unbound/zones.
If you want to use a docker volume or configmaps/persistent volumes on Kubernetes. You can use this script to
generate the zones.conf a zones data directory.
create_zone_config.sh has following arguments:
To use unbound as an authoritative authoritive DNS server - a DNS server that hosts DNS zones - add your zones file etc/unbound/zones/.
During the creation of the image scripts/create_zone_config.sh is executed to create the zones configuration file.
Alternatively, you can also use a docker volume to mount /etc/unbound/zones/ to your zone files. And a volume mount for the zones.conf
configuration file.
You can use subdirectories. The zone file needs to have $ORIGIN set to our zone origin.
The default configuration uses quad9 to forward the DNS queries over TLS. If you want to use another vendor or you want to use the root DNS servers director you can remove this file.
$ docker build -t stafwag/unbound .
To use a different BASE_IMAGE, you can use the –build-arg BASE_IMAGE=your_base_image.
$ docker build --build-arg BASE_IMAGE=stafwag/debian:bookworm -t stafwag/unbound .
Run
$ docker run -d --rm --name myunbound -p 127.0.0.1:53:5353 -p 127.0.0.1:53:5353/udp stafwag/unbound
Test
$ dig @127.0.0.1 www.wagemakers.be
If you want to use unbound as an authoritative dns server you can use the steps below.
[staf@vicky ~]$ mkdir -p ~/docker/volumes/unbound/zones/stafnet
[staf@vicky ~]$
[staf@vicky stafnet]$ cd ~/docker/volumes/unbound/zones/stafnet
[staf@vicky ~]$
stafnet.zone:
$TTL 86400 ; 24 hours
$ORIGIN stafnet.local.
@ 1D IN SOA @ root (
20200322001 ; serial
3H ; refresh
15 ; retry
1w ; expire
3h ; minimum
)
@ 1D IN NS @
stafmail IN A 10.10.10.10
stafnet-rev.zone:
$TTL 86400 ;
$ORIGIN 10.10.10.IN-ADDR.ARPA.
@ IN SOA stafnet.local. root.localhost. (
20200322001; Serial
3h ; Refresh
15 ; Retry
1w ; Expire
3h ) ; Minimum
IN NS localhost.
10 IN PTR stafmail.
Make sure that the volume directoy and zone files have the correct permissions.
$ sudo chmod 750 ~/docker/volumes/unbound/zones/stafnet/
$ sudo chmod 640 ~/docker/volumes/unbound/zones/stafnet/*
$ sudo chown -R root:5000153 ~/docker/volumes/unbound/
Create the zones.conf configuration file.
[staf@vicky stafnet]$ cd ~/github/stafwag/docker-stafwag-unbound/
[staf@vicky docker-stafwag-unbound]$
The script will execute a chown and chmod on the generated zones.conf file and is excute with sudo for this reason.
[staf@vicky docker-stafwag-unbound]$ sudo scripts/create_zone_config.sh -f ~/docker/volumes/unbound/zones.conf -d ~/docker/volumes/unbound/zones/stafnet -p /etc/unbound/zones
Processing: /home/staf/docker/volumes/unbound/zones/stafnet/stafnet.zone
origin=stafnet.local
Processing: /home/staf/docker/volumes/unbound/zones/stafnet/stafnet-rev.zone
origin=1.168.192.IN-ADDR.ARPA
[staf@vicky docker-stafwag-unbound]$
Verify the generated zones.conf
[staf@vicky docker-stafwag-unbound]$ sudo cat ~/docker/volumes/unbound/zones.conf
auth-zone:
name: stafnet.local
zonefile: /etc/unbound/zones/stafnet.zone
auth-zone:
name: 1.168.192.IN-ADDR.ARPA
zonefile: /etc/unbound/zones/stafnet-rev.zone
[staf@vicky docker-stafwag-unbound]$
$ docker run --rm --name myunbound -v ~/docker/volumes/unbound/zones/stafnet:/etc//unbound/zones/ -v ~/docker/volumes/unbound/zones.conf:/etc/unbound/unbound.conf.d/zones.conf -p 127.0.0.1:53:5353 -p 127.0.0.1:53:5353/udp stafwag/unbound
[staf@vicky ~]$ dig @127.0.0.1 soa stafnet.local
; <<>> DiG 9.16.1 <<>> @127.0.0.1 soa stafnet.local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37184
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;stafnet.local. IN SOA
;; ANSWER SECTION:
stafnet.local. 86400 IN SOA stafnet.local. root.stafnet.local. 3020452817 10800 15 604800 10800
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Mar 22 19:41:09 CET 2020
;; MSG SIZE rcvd: 83
[staf@vicky ~]$
Test reverse lookup.
[staf@vicky ~]$ dig -x 10.10.10.10 @127.0.0.1
; <<>> DiG 9.16.21 <<>> -x 10.10.10.10 @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36250
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;10.10.10.10.in-addr.arpa. IN PTR
;; ANSWER SECTION:
10.10.10.10.in-addr.arpa. 86400 IN PTR stafmail.
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Oct 19 19:51:47 CEST 2021
;; MSG SIZE rcvd: 75
[staf@vicky ~]$
Have fun!
]]>
While the code ( if you call YAML “code” ) is already more than 5 years old. I finally took the take the make a proper release of my test “hello” OCI container.
I use this container to demo a container build and how to deploy it with helm on a Kubernetes cluster. Some test tools (ping, DNS, curl, wget) are included to execute some tests on the deployed pod.
It also includes a Makefile to build the container and deploy it on a Red Hat OpenShift Local (formerly Red Hat CodeReady Containers) cluster.
To deploy the container with the included helm charts to OpenShift local (Code Ready Containers), execute make crc_deploy.
This will:
I might include support for other Kubernetes in the future when I find the time.
docker-stafwag-hello_nginx v1.0.0 is available at:
https://github.com/stafwag/docker-stafwag-hello_nginx
Have fun!
]]>