Why did I build my own when there’s a hundred of these already? Because I don’t like how most of the others work. Fairy 🧚 only uses Go’s flag package underneath. There’s no custom flag parsing involved, but it can do some things Go’s standard library package doesn’t provide. I quite like Go’s flag package. I don’t care that it doesn’t do GNU-style opts, that it’s not perfectly docopt etc. It fits my needs 95% of the time and unless you need a hyperscale Cloud Native CNCF approved CLI it probably is enough for just about any project.
Setting up OpenTelemetry in Go
This blog post is technically incorrect. It only aims to give you an in-practice, correct-enough understanding of using OpenTelemetry in your Go projects and how to set it up. Let's dive in. Update 2024-05-02: Code has been updated to use the autoexport package to simplify setup a lot. Concepts: There are a few concepts we need to be aware of: Providers. Meters and Tracers. Metric instruments and Spans. Exporters.
Migrating to Codeberg
GitHub has always been a very enticing code forge. You get a lot of things for free. Code hosting, decent issue management, Gists, Pages, CI etc. Of course, all of these things are also there to make the service more sticky. They’ve moved the baseline expectations of the services a forge should provide for free so far up it’s hard for entities without VC capital or Microsoft’s war chest to provide an enticing, competing offer.
Pana: a new Go library for the Fediverse
Getting started with building on the fediverse can be a big chore: there’s a lot to learn and handle. Pana is a new library in Go to help simplify things. It provides the building blocks for handling ActivityStreams messages, the message format used between servers to exchange activities and enable federation. A picture is worth more than a thousand words, and good examples are worth more than me trying to convince you with words or pictures.
Disabling USB or PCI Sound Devices on Linux
On my Linux desktop I have multiple sound devices. Typically it’s the built-in sound card, the graphics card audio output and my GoXLR outputs. I don’t ever want to use the built-in audio or have audio routed to my monitor. But the Linux desktop has this habit of sometimes switching to one of those outputs, especially when coming out of standby because the USB audio devices provided by the GoXLR disappear.
GDM and Colemak
A little annoyance I always run into when configuring a new laptop is getting Gnome Display Manager to use Colemak on the login screen. For some reason, it’s impossible to configure the GDM keyboard layout unless there’s at least 2 users on the system. Otherwise Gnome Settings refuses to show the UI for it. I’m not sure why this weirdly hostile feature towards folks with alternative keyboard layouts on a single-user system exists in Gnome, but here we are.
BeyondCorp @ Home: A complete solution with Kanidm
For a long time, I’ve had a setup with Keycloak as the IDM. But Keycloak is heavy. It’ll OOM with less than 2G of RAM and needs a database too. It also has features I don’t care for, like realms. As I’ve been slowly moving to self-host a few more things, including outside of my home, I want to have a way to centralise authentication for those services too. I want to keep the IDM for the home lab separate from my cloud things.
BeyondCorp @ Home: OpenID Connect Provider with Dex
In a previous post I showed you how to set up Keycloak to provide you with OpenID Connect and SAML capabilities. The problem with Keycloak is that it’s a pretty big beast, whereas most of the time we don’t need all the functionality. It’s also tricky to run in a highly available fashion and is annoyingly slow to start up. In this post we’ll drop Keycloak in favour of Dex, a small OpenID Connect Provider that supports a number of backends including LDAP.
BeyondCorp @ Home: Authentication and authorization proxy with OpenResty
In a previous post I showed you how to set up Gatekeeper as a proxy to enforce authorization on requests. The problem with Gatekeeper is that it required a lot of additional configuration, an additional proxy hop and is a separate component. What this post will do instead is use the OpenResty build of nginx with the OIDC plugin to avoid all of that. This brings the complexity back down to just running nginx with it acting as a Relying Party to do authentication and provide authorization information to backends.
BeyondCorp @ Home: Authorization
NOTE: A much simpler solution is described in BeyondCorp @ Home: Authentication and authorization proxy with OpenResty. In a previous post I showed you how to set up a “Lite” version of a BeyondCorp style access layer for a home or startup environment. The reason I called it lite is because though it does do full authentication, it didn’t have separate controls for authorization. Meaning if you could authenticate you were authorized; I couldn’t specify that for certain endpoints you have to be part of a specific group or be granted a certain role before you get access.