Jekyll2026-03-23T14:04:43+00:00https://www.wassupy.com/feed.xmlMicrosoft Ergonomic Keyboard Acting Weird2026-03-05T00:00:00+00:002026-03-05T00:00:00+00:00https://www.wassupy.com/2026/03/microsoft-ergo-keyboard-acting-weird<p><img src="/assets/2026/IMG_3652.jpeg" width="3811" height="1720" /></p>
<p>Here’s something that’s happened to me enough times that I’m writing about it:</p>
<p>My MS Ergo Sculpt keyboard is acting funny. It double types, or misses key strokes, adds unexpected tildes, flashes my
terminal, or messes up my keyboard shortcuts, such as PasteBot’s cmd-shift-v.</p>
<p>In my <em>many years</em> of using this device I have found two solutions to the various ways my favorite keyboard acts up:</p>
<h2 id="rf-interferencemy-most-common-problem">RF interference—my most common problem</h2>
<p>Try moving the little USB dongle closer to the keyboard closer to the keyboard. Also try a regular USB-2 port if possible
(i.e. not a blue-colored port, if available). Ever since I started connecting the dongle with a cheap USB extension cable,
things have been great</p>
<h2 id="a-stuck-key">A stuck key</h2>
<p>I’m embarrassed to admit that each time this has happened, it’s taken me <em>far too long</em> to figure out. This usually
happens to me when I have just cleaned my desk and wiped off my keyboard with a damp towel. <strong>The half-height function
keys on this keyboard are easily jammed.</strong> Check each one to see if they are free. I seem to be really good at getting
the F5 key stuck.</p>
<p>When one of those is jammed, my computer acts <em>very strangely</em>. When this happened today it took writing a quick little keylogger to figure out what was happening.</p>
<p>I wrote this:</p>
<div class="language-py highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">#!/usr/bin/env python3
</span>
<span class="kn">import</span> <span class="n">Quartz</span>
<span class="kn">import</span> <span class="n">sys</span>
<span class="k">def</span> <span class="nf">key_callback</span><span class="p">(</span><span class="n">proxy</span><span class="p">,</span> <span class="n">type_</span><span class="p">,</span> <span class="n">event</span><span class="p">,</span> <span class="n">refcon</span><span class="p">):</span>
<span class="k">if</span> <span class="n">type_</span> <span class="o">==</span> <span class="n">Quartz</span><span class="p">.</span><span class="n">kCGEventKeyDown</span><span class="p">:</span>
<span class="n">keycode</span> <span class="o">=</span> <span class="n">Quartz</span><span class="p">.</span><span class="nc">CGEventGetIntegerValueField</span><span class="p">(</span>
<span class="n">event</span><span class="p">,</span> <span class="n">Quartz</span><span class="p">.</span><span class="n">kCGKeyboardEventKeycode</span>
<span class="p">)</span>
<span class="n">chars</span> <span class="o">=</span> <span class="n">Quartz</span><span class="p">.</span><span class="nc">CGEventKeyboardGetUnicodeString</span><span class="p">(</span><span class="n">event</span><span class="p">,</span> <span class="mi">10</span><span class="p">,</span> <span class="bp">None</span><span class="p">,</span> <span class="bp">None</span><span class="p">)</span>
<span class="c1"># chars returns tuple(count, string)
</span> <span class="k">if</span> <span class="n">chars</span> <span class="ow">and</span> <span class="n">chars</span><span class="p">[</span><span class="mi">1</span><span class="p">]:</span>
<span class="n">text</span> <span class="o">=</span> <span class="n">chars</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span>
<span class="k">else</span><span class="p">:</span>
<span class="n">text</span> <span class="o">=</span> <span class="s">""</span>
<span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="s">"keycode=</span><span class="si">{</span><span class="n">keycode</span><span class="si">}</span><span class="s"> text='</span><span class="si">{</span><span class="n">text</span><span class="si">}</span><span class="s">'"</span><span class="p">,</span> <span class="n">flush</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span>
<span class="k">return</span> <span class="n">event</span>
<span class="k">def</span> <span class="nf">main</span><span class="p">():</span>
<span class="n">tap</span> <span class="o">=</span> <span class="n">Quartz</span><span class="p">.</span><span class="nc">CGEventTapCreate</span><span class="p">(</span>
<span class="n">Quartz</span><span class="p">.</span><span class="n">kCGSessionEventTap</span><span class="p">,</span>
<span class="n">Quartz</span><span class="p">.</span><span class="n">kCGHeadInsertEventTap</span><span class="p">,</span>
<span class="n">Quartz</span><span class="p">.</span><span class="n">kCGEventTapOptionDefault</span><span class="p">,</span>
<span class="n">Quartz</span><span class="p">.</span><span class="nc">CGEventMaskBit</span><span class="p">(</span><span class="n">Quartz</span><span class="p">.</span><span class="n">kCGEventKeyDown</span><span class="p">),</span>
<span class="n">key_callback</span><span class="p">,</span>
<span class="bp">None</span><span class="p">,</span>
<span class="p">)</span>
<span class="k">if</span> <span class="ow">not</span> <span class="n">tap</span><span class="p">:</span>
<span class="nf">print</span><span class="p">(</span><span class="s">"Failed to create event tap. Grant Accessibility permissions."</span><span class="p">,</span> <span class="nb">file</span><span class="o">=</span><span class="n">sys</span><span class="p">.</span><span class="n">stderr</span><span class="p">)</span>
<span class="n">sys</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span>
<span class="n">runloop_source</span> <span class="o">=</span> <span class="n">Quartz</span><span class="p">.</span><span class="nc">CFMachPortCreateRunLoopSource</span><span class="p">(</span><span class="bp">None</span><span class="p">,</span> <span class="n">tap</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span>
<span class="n">Quartz</span><span class="p">.</span><span class="nc">CFRunLoopAddSource</span><span class="p">(</span>
<span class="n">Quartz</span><span class="p">.</span><span class="nc">CFRunLoopGetCurrent</span><span class="p">(),</span>
<span class="n">runloop_source</span><span class="p">,</span>
<span class="n">Quartz</span><span class="p">.</span><span class="n">kCFRunLoopCommonModes</span><span class="p">,</span>
<span class="p">)</span>
<span class="n">Quartz</span><span class="p">.</span><span class="nc">CGEventTapEnable</span><span class="p">(</span><span class="n">tap</span><span class="p">,</span> <span class="bp">True</span><span class="p">)</span>
<span class="nf">print</span><span class="p">(</span><span class="s">"Listening for global key presses..."</span><span class="p">)</span>
<span class="n">Quartz</span><span class="p">.</span><span class="nc">CFRunLoopRun</span><span class="p">()</span>
<span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="s">"__main__"</span><span class="p">:</span>
<span class="nf">main</span><span class="p">()</span>
</code></pre></div></div>
<p>And ran it with this:</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>python3 <span class="nt">-m</span> venv .venv
<span class="nb">source</span> .venv/bin/activate
python <span class="nt">-m</span> pip <span class="nb">install</span> <span class="nt">--upgrade</span> pip
python <span class="nt">-m</span> pip <span class="nb">install </span>pyobjc-framework-Quartz
python ./keylogger.py
</code></pre></div></div>
<p>The first time you run it, you’ll need to approve it in Accessibility settings. Then run it again.</p>
<p>Then hammer the keyboard until the weirdness happens. In my case it immediately went nuts:</p>
<pre><code class="language-plain">ckeycode=9 text='v'
vkeycode=7 text='x'
xkeycode=8 text='c'
ckeycode=9 text='v'
keycode=96 text=''
v^[[15~keycode=96 text=''
^[[15~keycode=96 text=''
^[[15~keycode=96 text=''
^[[15~keycode=96 text=''
^[[15~keycode=96 text=''
^[[15~keycode=96 text=''
^[[15~keycode=96 text=''
# ...lots of repeating, without me pressing anything
</code></pre>
<p>Then I looked up keycode <code class="language-plaintext highlighter-rouge">96</code> and saw it was <code class="language-plaintext highlighter-rouge">F5</code>. Sure enough, that key was jammed.</p>
<p>I was pretty close to buying a new keyboard 😮💨.</p>Crudely capture working files2026-02-27T00:00:00+00:002026-02-27T00:00:00+00:00https://www.wassupy.com/2026/02/capture-working-files-before-they-disappear<p>We recently had a situation where a tool was:</p>
<ol>
<li>Creating a work directory, e.g. <code class="language-plaintext highlighter-rouge">job-1234</code> (randomly generated)</li>
<li>Doing some stuff there</li>
<li>Deleting the work directory</li>
</ol>
<p>That middle step wasn’t working quite right so we wanted to inspect it before it vanished. For complicated reasons, it was tricky to pause the tool before step 3 so here’s what we did:</p>
<p>Watch for the working folder and just clone it every 1 second:</p>
<div class="language-powershell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"># PowerShell script to backup directories with timestamp extensions</span><span class="w">
</span><span class="c"># Usage: </span><span class="w">
</span><span class="c"># cd C:\path\to\directory</span><span class="w">
</span><span class="c"># .\monitor-folder.ps1</span><span class="w">
</span><span class="c"># Use current working directory where the script is run from</span><span class="w">
</span><span class="nv">$TargetDirectory</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Get-Location</span><span class="w">
</span><span class="n">Write-Host</span><span class="w"> </span><span class="s2">"Monitoring directory: </span><span class="nv">$TargetDirectory</span><span class="s2">"</span><span class="w"> </span><span class="nt">-ForegroundColor</span><span class="w"> </span><span class="nx">Green</span><span class="w">
</span><span class="n">Write-Host</span><span class="w"> </span><span class="s2">"Backing up directories every 1 second..."</span><span class="w"> </span><span class="nt">-ForegroundColor</span><span class="w"> </span><span class="nx">Green</span><span class="w">
</span><span class="n">Write-Host</span><span class="w"> </span><span class="s2">"Press Ctrl+C to stop..."</span><span class="w"> </span><span class="nt">-ForegroundColor</span><span class="w"> </span><span class="nx">Yellow</span><span class="w">
</span><span class="n">Write-Host</span><span class="w"> </span><span class="s2">""</span><span class="w">
</span><span class="kr">while</span><span class="w"> </span><span class="p">(</span><span class="bp">$true</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w">
</span><span class="nv">$timestamp</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Get-Date</span><span class="w"> </span><span class="nt">-Format</span><span class="w"> </span><span class="s2">"HH.mm.ss"</span><span class="w">
</span><span class="c"># Get all directories directly in the target directory (not recursive)</span><span class="w">
</span><span class="nv">$directories</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Get-ChildItem</span><span class="w"> </span><span class="nt">-Path</span><span class="w"> </span><span class="nv">$TargetDirectory</span><span class="w"> </span><span class="nt">-Directory</span><span class="w">
</span><span class="kr">foreach</span><span class="w"> </span><span class="p">(</span><span class="nv">$dir</span><span class="w"> </span><span class="kr">in</span><span class="w"> </span><span class="nv">$directories</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w">
</span><span class="c"># Skip directories that are already backups</span><span class="w">
</span><span class="kr">if</span><span class="w"> </span><span class="p">(</span><span class="nv">$dir</span><span class="o">.</span><span class="nf">Name</span><span class="w"> </span><span class="o">-like</span><span class="w"> </span><span class="s2">"*.bak"</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w">
</span><span class="kr">continue</span><span class="w">
</span><span class="p">}</span><span class="w">
</span><span class="nv">$backupName</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"</span><span class="si">$(</span><span class="nv">$dir</span><span class="o">.</span><span class="nf">Name</span><span class="si">)</span><span class="s2">.</span><span class="nv">$timestamp</span><span class="s2">.bak"</span><span class="w">
</span><span class="nv">$backupPath</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Join-Path</span><span class="w"> </span><span class="nv">$TargetDirectory</span><span class="w"> </span><span class="nv">$backupName</span><span class="w">
</span><span class="kr">try</span><span class="w"> </span><span class="p">{</span><span class="w">
</span><span class="c"># Copy directory recursively - continue even if some files are in use</span><span class="w">
</span><span class="n">Copy-Item</span><span class="w"> </span><span class="nt">-Path</span><span class="w"> </span><span class="nv">$dir</span><span class="o">.</span><span class="nf">FullName</span><span class="w"> </span><span class="nt">-Destination</span><span class="w"> </span><span class="nv">$backupPath</span><span class="w"> </span><span class="nt">-Recurse</span><span class="w"> </span><span class="nt">-Force</span><span class="w"> </span><span class="nt">-ErrorAction</span><span class="w"> </span><span class="nx">Continue</span><span class="w">
</span><span class="n">Write-Host</span><span class="w"> </span><span class="s2">"[</span><span class="si">$(</span><span class="n">Get-Date</span><span class="w"> </span><span class="nt">-Format</span><span class="w"> </span><span class="s1">'HH:mm:ss'</span><span class="p">)</span><span class="s2">] Backed up: </span><span class="si">$(</span><span class="nv">$dir</span><span class="o">.</span><span class="nf">Name</span><span class="si">)</span><span class="s2"> -> </span><span class="nv">$backupName</span><span class="s2">"</span><span class="w"> </span><span class="nt">-ForegroundColor</span><span class="w"> </span><span class="nx">Cyan</span><span class="w">
</span><span class="p">}</span><span class="w">
</span><span class="kr">catch</span><span class="w"> </span><span class="p">{</span><span class="w">
</span><span class="n">Write-Host</span><span class="w"> </span><span class="s2">"[</span><span class="si">$(</span><span class="n">Get-Date</span><span class="w"> </span><span class="nt">-Format</span><span class="w"> </span><span class="s1">'HH:mm:ss'</span><span class="p">)</span><span class="s2">] WARNING: Partial backup of </span><span class="si">$(</span><span class="nv">$dir</span><span class="o">.</span><span class="nf">Name</span><span class="si">)</span><span class="s2"> (some files may be skipped)"</span><span class="w"> </span><span class="nt">-ForegroundColor</span><span class="w"> </span><span class="nx">Yellow</span><span class="w">
</span><span class="p">}</span><span class="w">
</span><span class="p">}</span><span class="w">
</span><span class="n">Start-Sleep</span><span class="w"> </span><span class="nt">-Seconds</span><span class="w"> </span><span class="nx">1</span><span class="w">
</span><span class="p">}</span><span class="w">
</span></code></pre></div></div>
<p>With that running, the job came and went, and left behind what we needed:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>- job-1234-10.57.12.bak
- job-1234-10.57.13.bak
- job-1234-10.57.14.bak
- job-1234-10.57.15.bak
- job-1234-10.57.16.bak
- job-1234-10.57.17.bak
</code></pre></div></div>
<p>There are lots of ways to solve this problem, but this one was good enough for what we needed and extremely simple to generate and execute.</p>We recently had a situation where a tool was:Drain Octopus Deploy workers for patching2025-03-11T00:00:00+00:002025-03-11T00:00:00+00:00https://www.wassupy.com/2025/03/drain-octopus-workers-for-patching<p>If you reboot a Linux Octopus worker while a deploy is running, that deploy will fail. It’s better to decluster it during routine patching/maintenance. The following Ansible tasks do that:</p>
<div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Patch octopus workers</span>
<span class="na">hosts</span><span class="pi">:</span> <span class="s">workers</span>
<span class="na">gather_facts</span><span class="pi">:</span> <span class="kc">false</span>
<span class="na">vars</span><span class="pi">:</span>
<span class="na">api_url</span><span class="pi">:</span> <span class="s2">"</span><span class="s">https://octopusserver"</span>
<span class="na">api_key</span><span class="pi">:</span> <span class="s2">"</span><span class="s">TODO"</span>
<span class="na">tasks</span><span class="pi">:</span>
<span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Get worker status</span>
<span class="na">uri</span><span class="pi">:</span>
<span class="na">url</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">api_url</span><span class="nv"> </span><span class="s">}}/api/workers/{{</span><span class="nv"> </span><span class="s">octopus_id</span><span class="nv"> </span><span class="s">}}"</span>
<span class="na">method</span><span class="pi">:</span> <span class="s">GET</span>
<span class="na">headers</span><span class="pi">:</span>
<span class="na">X-Octopus-ApiKey</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">api_key</span><span class="nv"> </span><span class="s">}}"</span>
<span class="na">body_format</span><span class="pi">:</span> <span class="s">json</span>
<span class="na">status_code</span><span class="pi">:</span> <span class="m">200</span>
<span class="na">register</span><span class="pi">:</span> <span class="s">worker_status</span>
<span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Determine if worker requires draining</span>
<span class="na">set_fact</span><span class="pi">:</span>
<span class="na">is_draining_required</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">worker_status.json.IsDisabled</span><span class="nv"> </span><span class="s">==</span><span class="nv"> </span><span class="s">false</span><span class="nv"> </span><span class="s">}}"</span>
<span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Is draining required?</span>
<span class="na">debug</span><span class="pi">:</span>
<span class="na">msg</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Draining</span><span class="nv"> </span><span class="s">required:</span><span class="nv"> </span><span class="s">{{</span><span class="nv"> </span><span class="s">is_draining_required</span><span class="nv"> </span><span class="s">}}"</span>
<span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Disable worker</span>
<span class="na">when</span><span class="pi">:</span> <span class="s">is_draining_required</span>
<span class="na">uri</span><span class="pi">:</span>
<span class="na">url</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">api_url</span><span class="nv"> </span><span class="s">}}/api/workers/{{</span><span class="nv"> </span><span class="s">octopus_id</span><span class="nv"> </span><span class="s">}}"</span>
<span class="na">method</span><span class="pi">:</span> <span class="s">PUT</span>
<span class="na">headers</span><span class="pi">:</span>
<span class="na">X-Octopus-ApiKey</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">api_key</span><span class="nv"> </span><span class="s">}}"</span>
<span class="na">body</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">worker_status.json</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">combine({'IsDisabled':</span><span class="nv"> </span><span class="s">true})</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">to_json</span><span class="nv"> </span><span class="s">}}"</span>
<span class="na">body_format</span><span class="pi">:</span> <span class="s">json</span>
<span class="na">status_code</span><span class="pi">:</span> <span class="m">200</span>
<span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Wait for worker to drain</span>
<span class="na">when</span><span class="pi">:</span> <span class="s">is_draining_required</span>
<span class="na">block</span><span class="pi">:</span>
<span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Check for active leases</span>
<span class="na">uri</span><span class="pi">:</span>
<span class="na">url</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">api_url</span><span class="nv"> </span><span class="s">}}/api/Spaces-1/workertaskleases?skip=0&take=1000"</span>
<span class="na">method</span><span class="pi">:</span> <span class="s">GET</span>
<span class="na">headers</span><span class="pi">:</span>
<span class="na">X-Octopus-ApiKey</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">api_key</span><span class="nv"> </span><span class="s">}}"</span>
<span class="na">status_code</span><span class="pi">:</span> <span class="m">200</span>
<span class="na">register</span><span class="pi">:</span> <span class="s">lease_status</span>
<span class="c1"># if you have jmespath installed this can be improved</span>
<span class="na">until</span><span class="pi">:</span> <span class="s2">"</span><span class="s">not</span><span class="nv"> </span><span class="s">lease_status</span><span class="nv"> </span><span class="s">is</span><span class="nv"> </span><span class="s">search(octopus_id)"</span>
<span class="na">retries</span><span class="pi">:</span> <span class="m">60</span>
<span class="na">delay</span><span class="pi">:</span> <span class="m">15</span>
<span class="c1"># do patching</span>
<span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Sleep to simulate patching</span>
<span class="na">pause</span><span class="pi">:</span>
<span class="na">seconds</span><span class="pi">:</span> <span class="m">5</span>
<span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Enable worker</span>
<span class="na">when</span><span class="pi">:</span> <span class="s">is_draining_required</span>
<span class="na">uri</span><span class="pi">:</span>
<span class="na">url</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">api_url</span><span class="nv"> </span><span class="s">}}/api/workers/{{</span><span class="nv"> </span><span class="s">octopus_id</span><span class="nv"> </span><span class="s">}}"</span>
<span class="na">method</span><span class="pi">:</span> <span class="s">PUT</span>
<span class="na">headers</span><span class="pi">:</span>
<span class="na">X-Octopus-ApiKey</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">api_key</span><span class="nv"> </span><span class="s">}}"</span>
<span class="na">body</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">worker_status.json</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">combine({'IsDisabled':</span><span class="nv"> </span><span class="s">false})</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">to_json</span><span class="nv"> </span><span class="s">}}"</span>
<span class="na">body_format</span><span class="pi">:</span> <span class="s">json</span>
<span class="na">status_code</span><span class="pi">:</span> <span class="m">200</span>
</code></pre></div></div>
<p>Example inventory:</p>
<div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">workers</span><span class="pi">:</span>
<span class="na">hosts</span><span class="pi">:</span>
<span class="na">worker1a</span><span class="pi">:</span>
<span class="na">octopus_id</span><span class="pi">:</span> <span class="s">Workers-1</span>
</code></pre></div></div>
<p>This attempts to leave the worker status in the same state it finds it, but that handling could be improved to better
handle failures.</p>If you reboot a Linux Octopus worker while a deploy is running, that deploy will fail. It’s better to decluster it during routine patching/maintenance. The following Ansible tasks do that:Download GEO IP Maxmind Database with Powershell or Bash on Windows/Mac/Linux2025-03-11T00:00:00+00:002025-03-11T00:00:00+00:00https://www.wassupy.com/2025/03/download-geoip-maxmind-database<p>Here’s a tiny shell script for downloading a Maxmind database if you can use something scrappy:</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">LICENSE_KEY</span><span class="o">=</span><span class="s1">'YOUR_LICENSE_KEY'</span>
<span class="c"># GeoLite2-City, GeoLite2-Country, GeoIP2-City, GeoIP2-Country"</span>
<span class="nv">DATABASE_TYPE</span><span class="o">=</span><span class="s1">'GeoIP2-Country'</span>
<span class="nv">MAXMIND_URL</span><span class="o">=</span><span class="s2">"https://download.maxmind.com/app/geoip_download?edition_id=</span><span class="nv">$DATABASE_TYPE</span><span class="s2">&license_key=</span><span class="nv">$LICENSE_KEY</span><span class="s2">&suffix=tar.gz"</span>
<span class="nv">CURL_OPTIONS</span><span class="o">=</span><span class="s2">"-Ls --fail"</span>
<span class="nv">TAR_OPTIONS</span><span class="o">=</span><span class="s2">"-Ozx --no-anchored </span><span class="nv">$DATABASE_TYPE</span><span class="s2">.mmdb"</span>
curl <span class="nv">$CURL_OPTIONS</span> <span class="s2">"</span><span class="nv">$MAXMIND_URL</span><span class="s2">"</span> | <span class="nb">tar</span> <span class="nv">$TAR_OPTIONS</span> <span class="o">></span> <span class="s2">"</span><span class="nv">$DATABASE_TYPE</span><span class="s2">.mmdb"</span>
</code></pre></div></div>
<p>Here’s a fuller version with more bells and whistles:</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c">#!/bin/bash</span>
<span class="c"># exit on error</span>
<span class="nb">set</span> <span class="nt">-eo</span> pipefail
<span class="c"># Usage message</span>
usage<span class="o">()</span> <span class="o">{</span>
<span class="nb">echo</span> <span class="s2">"Usage: </span><span class="nv">$0</span><span class="s2"> <license_key> <database_type> [output]"</span>
<span class="nb">echo</span> <span class="s2">" license_key: Your MaxMind license key"</span>
<span class="nb">echo</span> <span class="s2">" database_type: One of: GeoLite2-City, GeoLite2-Country, GeoIP2-City, GeoIP2-Country"</span>
<span class="nb">echo</span> <span class="s2">" output: Optional. Path to save the downloaded database file"</span>
<span class="nb">exit </span>1
<span class="o">}</span>
<span class="c"># Check for license_key argument</span>
<span class="k">if</span> <span class="o">[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="nv">$1</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then
</span><span class="nb">echo</span> <span class="o">></span>&2 <span class="s2">"Error: MaxMind license key is required"</span>
usage
<span class="k">fi
</span><span class="nv">license_key</span><span class="o">=</span><span class="s2">"</span><span class="nv">$1</span><span class="s2">"</span>
<span class="nv">database_type</span><span class="o">=</span><span class="s2">"</span><span class="nv">$2</span><span class="s2">"</span>
<span class="nv">output</span><span class="o">=</span><span class="s2">"</span><span class="nv">$3</span><span class="s2">"</span>
<span class="c"># Validate database type if provided</span>
<span class="k">if</span> <span class="o">[</span> <span class="nt">-n</span> <span class="s2">"</span><span class="nv">$database_type</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then
case</span> <span class="s2">"</span><span class="nv">$database_type</span><span class="s2">"</span> <span class="k">in</span>
<span class="s2">"GeoLite2-City"</span><span class="p">|</span><span class="s2">"GeoLite2-Country"</span><span class="p">|</span><span class="s2">"GeoIP2-City"</span><span class="p">|</span><span class="s2">"GeoIP2-Country"</span><span class="p">)</span>
<span class="c"># Valid option</span>
<span class="p">;;</span>
<span class="k">*</span><span class="p">)</span>
<span class="nb">echo</span> <span class="o">></span>&2 <span class="s2">"Error: Invalid database type '</span><span class="nv">$database_type</span><span class="s2">'"</span>
usage
<span class="p">;;</span>
<span class="k">esac</span>
<span class="k">fi</span>
<span class="c"># Set default output if not provided</span>
<span class="k">if</span> <span class="o">[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="nv">$output</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then
</span><span class="nv">output</span><span class="o">=</span><span class="s2">"</span><span class="nv">$database_type</span><span class="s2">.mmdb"</span>
<span class="k">fi</span>
<span class="c"># check requirements</span>
<span class="k">if</span> <span class="o">!</span> <span class="nb">type </span>curl <span class="o">></span> /dev/null 2>&1<span class="p">;</span> <span class="k">then
</span><span class="nb">echo</span> <span class="o">></span>&2 <span class="s2">"curl is required but was not found"</span>
<span class="nb">exit </span>1
<span class="k">fi
</span><span class="nb">echo</span> <span class="s2">"Downloading </span><span class="nv">$database_type</span><span class="s2"> database..."</span>
<span class="nv">MAXMIND_URL</span><span class="o">=</span><span class="s2">"https://download.maxmind.com/app/geoip_download?edition_id=</span><span class="nv">$database_type</span><span class="s2">&license_key=</span><span class="nv">$license_key</span><span class="s2">&suffix=tar.gz"</span>
<span class="nv">CURL_OPTIONS</span><span class="o">=</span><span class="s2">"-Ls --fail"</span>
<span class="nv">TAR_OPTIONS</span><span class="o">=</span><span class="s2">"-Ozx --no-anchored </span><span class="nv">$database_type</span><span class="s2">.mmdb"</span>
curl <span class="nv">$CURL_OPTIONS</span> <span class="s2">"</span><span class="nv">$MAXMIND_URL</span><span class="s2">"</span> | <span class="nb">tar</span> <span class="nv">$TAR_OPTIONS</span> <span class="o">></span> <span class="s2">"</span><span class="nv">$output</span><span class="s2">"</span>
<span class="nb">echo</span> <span class="s2">"Saved to </span><span class="nv">$output</span><span class="s2">"</span>
</code></pre></div></div>
<p>If you save that to <code class="language-plaintext highlighter-rouge">update-db.sh</code> (and run <code class="language-plaintext highlighter-rouge">chmod +x update-db.sh</code>), then you can invoke it like this:</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>./update-db.sh <span class="s1">'your-license-key'</span> GeoIP2-Country bash-country.mmdb
</code></pre></div></div>
<hr />
<p>And here’s a Powershell version, which works on Server 2019+ or Windows 10+ (earlier versions of Windows require you to install
<code class="language-plaintext highlighter-rouge">tar</code> yourself):</p>
<div class="language-powershell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kr">function</span><span class="w"> </span><span class="nf">Get-MaxMindDatabase</span><span class="w"> </span><span class="p">{</span><span class="w">
</span><span class="cm"><#
</span><span class="cs">.SYNOPSIS</span><span class="cm">
Downloads a MaxMind GeoIP database, extracts the .mmdb file, and saves it to the specified location.
</span><span class="cs">.DESCRIPTION</span><span class="cm">
This function downloads a MaxMind database using a license key, extracts the .mmdb file
and saves it to the specified output file.
</span><span class="cs">.PARAMETER</span><span class="cm"> LicenseKey
Your MaxMind license key.
</span><span class="cs">.PARAMETER</span><span class="cm"> DatabaseType
The type of database to download. Must be one of: GeoLite2-City, GeoLite2-Country, GeoIP2-City, GeoIP2-Country.
</span><span class="cs">.PARAMETER</span><span class="cm"> OutputFile
The path where the extracted .mmdb file should be saved.
</span><span class="cs">.EXAMPLE</span><span class="cm">
Get-MaxMindDatabase -LicenseKey "your_license_key" -DatabaseType "GeoLite2-City" -OutputFile "C:\GeoIP\GeoLite2-City.mmdb"
#></span><span class="w">
</span><span class="p">[</span><span class="n">CmdletBinding</span><span class="p">()]</span><span class="w">
</span><span class="kr">param</span><span class="w"> </span><span class="p">(</span><span class="w">
</span><span class="p">[</span><span class="n">Parameter</span><span class="p">(</span><span class="n">Mandatory</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="bp">$true</span><span class="p">)]</span><span class="w">
</span><span class="p">[</span><span class="n">string</span><span class="p">]</span><span class="nv">$LicenseKey</span><span class="p">,</span><span class="w">
</span><span class="p">[</span><span class="n">Parameter</span><span class="p">(</span><span class="n">Mandatory</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="bp">$true</span><span class="p">)]</span><span class="w">
</span><span class="p">[</span><span class="n">ValidateSet</span><span class="p">(</span><span class="s2">"GeoLite2-City"</span><span class="p">,</span><span class="w"> </span><span class="s2">"GeoLite2-Country"</span><span class="p">,</span><span class="w"> </span><span class="s2">"GeoIP2-City"</span><span class="p">,</span><span class="w"> </span><span class="s2">"GeoIP2-Country"</span><span class="p">)]</span><span class="w">
</span><span class="p">[</span><span class="n">string</span><span class="p">]</span><span class="nv">$DatabaseType</span><span class="p">,</span><span class="w">
</span><span class="p">[</span><span class="n">Parameter</span><span class="p">(</span><span class="n">Mandatory</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="bp">$true</span><span class="p">)]</span><span class="w">
</span><span class="p">[</span><span class="n">string</span><span class="p">]</span><span class="nv">$OutputFile</span><span class="w">
</span><span class="p">)</span><span class="w">
</span><span class="kr">try</span><span class="w"> </span><span class="p">{</span><span class="w">
</span><span class="c"># Create temporary files</span><span class="w">
</span><span class="nv">$tempArchiveFile</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">[</span><span class="n">System.IO.Path</span><span class="p">]::</span><span class="n">Combine</span><span class="p">([</span><span class="n">System.IO.Path</span><span class="p">]::</span><span class="n">GetTempPath</span><span class="p">(),</span><span class="w"> </span><span class="s2">"</span><span class="si">$(</span><span class="p">[</span><span class="n">System.Guid</span><span class="p">]::</span><span class="n">NewGuid</span><span class="p">(</span><span class="si">)</span><span class="s2">.ToString()).tar.gz"</span><span class="p">)</span><span class="w">
</span><span class="nv">$tempDirectory</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">[</span><span class="n">System.IO.Path</span><span class="p">]::</span><span class="n">Combine</span><span class="p">([</span><span class="n">System.IO.Path</span><span class="p">]::</span><span class="n">GetTempPath</span><span class="p">(),</span><span class="w"> </span><span class="p">[</span><span class="n">System.Guid</span><span class="p">]::</span><span class="n">NewGuid</span><span class="p">()</span><span class="o">.</span><span class="nf">ToString</span><span class="p">())</span><span class="w">
</span><span class="c"># Create the download URL</span><span class="w">
</span><span class="nv">$downloadUrl</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"https://download.maxmind.com/app/geoip_download?edition_id=</span><span class="nv">$DatabaseType</span><span class="s2">&license_key=</span><span class="nv">$LicenseKey</span><span class="s2">&suffix=tar.gz"</span><span class="w">
</span><span class="n">Write-Host</span><span class="w"> </span><span class="s2">"Downloading from </span><span class="nv">$downloadUrl</span><span class="s2"> to </span><span class="nv">$tempArchiveFile</span><span class="s2">"</span><span class="w">
</span><span class="c"># Download the file</span><span class="w">
</span><span class="nv">$webClient</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">New-Object</span><span class="w"> </span><span class="nx">System.Net.WebClient</span><span class="w">
</span><span class="nv">$webClient</span><span class="o">.</span><span class="nf">DownloadFile</span><span class="p">(</span><span class="nv">$downloadUrl</span><span class="p">,</span><span class="w"> </span><span class="nv">$tempArchiveFile</span><span class="p">)</span><span class="w">
</span><span class="c"># Create a temporary directory for extraction</span><span class="w">
</span><span class="n">New-Item</span><span class="w"> </span><span class="nt">-Path</span><span class="w"> </span><span class="nv">$tempDirectory</span><span class="w"> </span><span class="nt">-ItemType</span><span class="w"> </span><span class="nx">Directory</span><span class="w"> </span><span class="nt">-Force</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">Out-Null</span><span class="w">
</span><span class="nx">Write-Host</span><span class="w"> </span><span class="s2">"Extracting tar.gz file to </span><span class="nv">$tempDirectory</span><span class="s2">"</span><span class="w">
</span><span class="n">tar</span><span class="w"> </span><span class="nt">-xzf</span><span class="w"> </span><span class="nv">$tempArchiveFile</span><span class="w"> </span><span class="nt">-C</span><span class="w"> </span><span class="nv">$tempDirectory</span><span class="w">
</span><span class="c"># Check if the extraction was successful</span><span class="w">
</span><span class="kr">if</span><span class="w"> </span><span class="p">(</span><span class="nv">$LASTEXITCODE</span><span class="w"> </span><span class="o">-ne</span><span class="w"> </span><span class="mi">0</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w">
</span><span class="kr">throw</span><span class="w"> </span><span class="s2">"Failed to extract the downloaded archive."</span><span class="w">
</span><span class="p">}</span><span class="w">
</span><span class="c"># Find the .mmdb file</span><span class="w">
</span><span class="nv">$mmdbFile</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Get-ChildItem</span><span class="w"> </span><span class="nt">-Path</span><span class="w"> </span><span class="nv">$tempDirectory</span><span class="w"> </span><span class="nt">-Recurse</span><span class="w"> </span><span class="nt">-Filter</span><span class="w"> </span><span class="s2">"*.mmdb"</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">Select-Object</span><span class="w"> </span><span class="nt">-First</span><span class="w"> </span><span class="nx">1</span><span class="w">
</span><span class="kr">if</span><span class="w"> </span><span class="p">(</span><span class="bp">$null</span><span class="w"> </span><span class="o">-eq</span><span class="w"> </span><span class="nv">$mmdbFile</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w">
</span><span class="kr">throw</span><span class="w"> </span><span class="s2">"No .mmdb file found in the downloaded archive."</span><span class="w">
</span><span class="p">}</span><span class="w">
</span><span class="n">Write-Host</span><span class="w"> </span><span class="s2">"Found .mmdb file: </span><span class="si">$(</span><span class="nv">$mmdbFile</span><span class="o">.</span><span class="nf">FullName</span><span class="si">)</span><span class="s2">"</span><span class="w">
</span><span class="nv">$outputDirectory</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">[</span><span class="n">System.IO.Path</span><span class="p">]::</span><span class="n">GetDirectoryName</span><span class="p">(</span><span class="nv">$OutputFile</span><span class="p">)</span><span class="w">
</span><span class="kr">if</span><span class="w"> </span><span class="p">(</span><span class="o">-not</span><span class="w"> </span><span class="p">[</span><span class="n">string</span><span class="p">]::</span><span class="n">IsNullOrEmpty</span><span class="p">(</span><span class="nv">$outputDirectory</span><span class="p">)</span><span class="w"> </span><span class="o">-and</span><span class="w"> </span><span class="o">-not</span><span class="w"> </span><span class="p">(</span><span class="n">Test-Path</span><span class="w"> </span><span class="nt">-Path</span><span class="w"> </span><span class="nv">$outputDirectory</span><span class="p">))</span><span class="w"> </span><span class="p">{</span><span class="w">
</span><span class="kr">throw</span><span class="w"> </span><span class="s2">"Output directory '</span><span class="nv">$outputDirectory</span><span class="s2">' not found."</span><span class="w">
</span><span class="p">}</span><span class="w">
</span><span class="c"># Copy the file to the output location</span><span class="w">
</span><span class="n">Copy-Item</span><span class="w"> </span><span class="nt">-Path</span><span class="w"> </span><span class="nv">$mmdbFile</span><span class="o">.</span><span class="nf">FullName</span><span class="w"> </span><span class="nt">-Destination</span><span class="w"> </span><span class="nv">$OutputFile</span><span class="w"> </span><span class="nt">-Force</span><span class="w">
</span><span class="n">Write-Host</span><span class="w"> </span><span class="s2">"Database saved to </span><span class="nv">$OutputFile</span><span class="s2">"</span><span class="w">
</span><span class="c"># Return the path to the output file</span><span class="w">
</span><span class="kr">return</span><span class="w"> </span><span class="nv">$OutputFile</span><span class="w">
</span><span class="p">}</span><span class="w">
</span><span class="kr">catch</span><span class="w"> </span><span class="p">{</span><span class="w">
</span><span class="n">Write-Error</span><span class="w"> </span><span class="s2">"Failed to download and extract MaxMind database: </span><span class="bp">$_</span><span class="s2">"</span><span class="w">
</span><span class="kr">throw</span><span class="w">
</span><span class="p">}</span><span class="w">
</span><span class="kr">finally</span><span class="w"> </span><span class="p">{</span><span class="w">
</span><span class="c"># Clean up temporary files</span><span class="w">
</span><span class="kr">if</span><span class="w"> </span><span class="p">(</span><span class="n">Test-Path</span><span class="w"> </span><span class="nt">-Path</span><span class="w"> </span><span class="nv">$tempArchiveFile</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w">
</span><span class="n">Remove-Item</span><span class="w"> </span><span class="nt">-Path</span><span class="w"> </span><span class="nv">$tempArchiveFile</span><span class="w"> </span><span class="nt">-Force</span><span class="w">
</span><span class="p">}</span><span class="w">
</span><span class="kr">if</span><span class="w"> </span><span class="p">(</span><span class="n">Test-Path</span><span class="w"> </span><span class="nt">-Path</span><span class="w"> </span><span class="nv">$tempDirectory</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w">
</span><span class="n">Remove-Item</span><span class="w"> </span><span class="nt">-Path</span><span class="w"> </span><span class="nv">$tempDirectory</span><span class="w"> </span><span class="nt">-Recurse</span><span class="w"> </span><span class="nt">-Force</span><span class="w">
</span><span class="p">}</span><span class="w">
</span><span class="p">}</span><span class="w">
</span><span class="p">}</span><span class="w">
</span></code></pre></div></div>
<p>You can dot-include it, and then run it, like this:</p>
<div class="language-powershell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"># include the function</span><span class="w">
</span><span class="o">.</span><span class="w"> </span><span class="o">.</span><span class="n">/Get-MaxmindDatabase.ps1</span><span class="w">
</span><span class="nv">$licenseKey</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">'your-license-key'</span><span class="w">
</span><span class="c"># download database</span><span class="w">
</span><span class="n">Get-MaxmindDatabase</span><span class="w"> </span><span class="nt">-LicenseKey</span><span class="w"> </span><span class="nv">$licenseKey</span><span class="w"> </span><span class="nt">-DatabaseType</span><span class="w"> </span><span class="nx">GeoIP2-Country</span><span class="w"> </span><span class="nt">-OutputFile</span><span class="w"> </span><span class="o">.</span><span class="nx">/country.mddb</span><span class="w">
</span></code></pre></div></div>
<p><strong>Note:</strong> these <code class="language-plaintext highlighter-rouge">mddb</code> endpoints only support the suffix <code class="language-plaintext highlighter-rouge">.tar.gz</code>. There are also <code class="language-plaintext highlighter-rouge">csv</code> endpoints that support <code class="language-plaintext highlighter-rouge">zip</code>, but you can’t uze <code class="language-plaintext highlighter-rouge">zip</code> here.</p>
<p><strong>Note:</strong> at the time of this writing, those databases are approximately this big:</p>
<ul>
<li><code class="language-plaintext highlighter-rouge">GeoIP2-City.mmdb</code>: 117 MB</li>
<li><code class="language-plaintext highlighter-rouge">GeoLite2-City.mmdb</code>: 58 MB</li>
</ul>
<p>and:</p>
<ul>
<li><code class="language-plaintext highlighter-rouge">GeoIP2-Country.mmdb</code>: 8.6 MB</li>
<li><code class="language-plaintext highlighter-rouge">GeoLite2-Country.mmdb</code>: 8.7 MB (yes, bigger than the non-lite database!)</li>
</ul>Here’s a tiny shell script for downloading a Maxmind database if you can use something scrappy:Command line server TLS certificate inspector2025-03-05T00:00:00+00:002025-03-05T00:00:00+00:00https://www.wassupy.com/2025/03/bash-cert-inspector<p>I can never remember this command to inspect a remote server’s certificate from bash/shell/terminal:</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>openssl s_client <span class="nt">-connect</span> example.com:443 < /dev/null | openssl x509 <span class="nt">-noout</span> <span class="nt">-text</span>
</code></pre></div></div>
<p>So I wrapped it in a function and stuck it into my <code class="language-plaintext highlighter-rouge">~/.bash_profile</code> like this:</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>cert <span class="o">()</span>
<span class="o">{</span>
openssl s_client <span class="nt">-connect</span> <span class="nv">$1</span>:443 < /dev/null | openssl x509 <span class="nt">-noout</span> <span class="nt">-text</span>
<span class="o">}</span>
</code></pre></div></div>
<p>And now I just have to remember <code class="language-plaintext highlighter-rouge">cert [hostname]</code>, like this:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ cert github.com
Connecting to 140.82.112.3
...
Issuer: C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo ECC Domain Validation Secure Server CA
Validity
Not Before: Feb 5 00:00:00 2025 GMT
Not After : Feb 5 23:59:59 2026 GMT
Subject: CN=github.com
...
</code></pre></div></div>
<p>And if you’re looking for something in particular, you can just <code class="language-plaintext highlighter-rouge">grep</code> for it:</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>cert github.com | <span class="nb">grep </span>github
Subject: <span class="nv">CN</span><span class="o">=</span>github.com
DNS:github.com, DNS:www.github.com
</code></pre></div></div>
<p>Very handy.</p>I can never remember this command to inspect a remote server’s certificate from bash/shell/terminal:Automatic dog food status light2025-01-04T00:00:00+00:002025-01-04T00:00:00+00:00https://www.wassupy.com/2025/01/dog-food-status-light<h3 id="the-goal-feed-the-dogs-2xday">The goal: feed the dogs 2x/day</h3>
<p><img src="/assets/2025/puppies-bed.jpeg" width="1280" height="721" alt="two dogs on a green dog bed. One is a beagle puppy looking at the other one, who is a black puggle mix" /></p>
<p>Ideally my two pups would be fed roughly the right amount of food at roughly the right time, twice a day.</p>
<p>And we’d all be sure that it happened.</p>
<h3 id="the-problem-did-someone-feed-the-dogs">The problem: did someone feed the dogs?</h3>
<p>We faced uncertainty nearly every day. With humans coming and going to various things, it was often difficult to
know and this surely led to under- and over-feeding.</p>
<p class="pq">This is a classic systems/process problem (with perhaps a dash of volunteer’s dilemma): the way we managed dog feeding
was designed to ellicit bad outcomes, and eliminating those bad outcomes (i.e. under/over feeding) requires a change to
the system. “Trying harder” won’t cut it. (More on this <a href="#an-aside-on-systemic-problems">at the end</a>.)</p>
<h3 id="some-ideas">Some ideas</h3>
<p>As a family we talked about possible solutions to this problem:</p>
<ul>
<li>Designate one caretaker as the person responsible for making sure the dogs get fed each day</li>
<li>Make a note when they’re fed</li>
<li>Pre-measure their food for the week, and pour it out of the day’s marked container each day</li>
<li>Change nothing (the dogs will tell us when we forget!)</li>
</ul>
<p>We tried all of these things and they all helped a little. But they all had significant shortcomings:</p>
<ul>
<li>Each person is busy and has a relatively chaotic schedule</li>
<li>People forget, and it’s hard to fill in the gaps without knowing if the gap exists or not</li>
<li>Keeping notes and/or pre-measuring is extra work and isn’t necessarily reliable</li>
<li>My pups are unreliable witnesses</li>
</ul>
<h3 id="a-real-solution">A real solution</h3>
<p>I knew about <a href="https://www.timercap.com" title="Timer Cap medicine bottles">medicine bottles</a> that show time-since-last-open and thought something like that would be wonderful.
What we have finally arrived at is a solution that completely solves our problem with the following results:</p>
<ul>
<li>We have a status light that anyone can read at a glance: it turns red when the dogs need fed, and turns green when
they’ve recently beed fed</li>
<li>The status light updates automatically with no extra work (very important!)</li>
</ul>
<video autoplay="" loop="" muted="" playsinline="" width="1280" height="720" aria-label="A looping animation that shows a web page loading a grid of 24 contact cards. The contact cards quickly fade into view at slightly different times, over a period of about 1 second.">
<source src="/assets/2025/dog-food-light.mp4" type="video/mp4" />
<source src="/assets/2025/dog-food-light.webm" type="video/webm" />
<source src="/assets/2025/dog-food-light.ogg" type="video/ogg" />
<img src="/assets/2025/dog-food-light.gif" loading="lazy" />
</video>
<p>It’s basically an <a href="https://en.wikipedia.org/wiki/Andon_(manufacturing)" title="Andon (manufacturing)">andon light</a>/<a href="https://en.wikipedia.org/wiki/Stack_light" title="Stack light">stack light</a>, powered by Home Assistant and two components: an open/close sensor
on the dog food container and a smart RGB night light.</p>
<h3 id="build-details">Build details</h3>
<p>I used an <a href="https://www.aqara.com/us/product/door-and-window-sensor/" title="Aqara window/door sensor">Aqara door/window sensor</a> ($15) attached to the lid of my dog food container, and an <a href="https://3reality.com/product/matter-smart-color-night-light/" title="Smart Color Night Light">RGB smart night
light</a> ($30). Then I set up an automation in Home Assistant to do the following:</p>
<ol>
<li>Turn the light on, set to RED <span class="nodark">🔴</span>, at breakfast and dinner time</li>
<li>Set the light GREEN <span class="nodark">🟢</span> when a feeding occurs</li>
<li>Turn the light OFF <span class="nodark">⚪️</span> two hours after a feeding</li>
</ol>
<p>Here’s the heavily annotated <code class="language-plaintext highlighter-rouge">yaml</code>:</p>
<div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">alias</span><span class="pi">:</span> <span class="s">Set dog food status</span>
<span class="na">description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">"</span>
<span class="na">trigger</span><span class="pi">:</span>
<span class="c1"># trigger in the morning and evening so we can turn</span>
<span class="c1"># the light ON and RED for breakfast and dinner</span>
<span class="pi">-</span> <span class="na">alias</span><span class="pi">:</span> <span class="s">Morning</span>
<span class="na">platform</span><span class="pi">:</span> <span class="s">time</span>
<span class="na">at</span><span class="pi">:</span> <span class="s2">"</span><span class="s">07:00:00"</span>
<span class="na">id</span><span class="pi">:</span> <span class="s">morning</span>
<span class="pi">-</span> <span class="na">alias</span><span class="pi">:</span> <span class="s">Evening</span>
<span class="na">platform</span><span class="pi">:</span> <span class="s">time</span>
<span class="na">at</span><span class="pi">:</span> <span class="s2">"</span><span class="s">18:00:00"</span>
<span class="na">id</span><span class="pi">:</span> <span class="s">evening</span>
<span class="c1"># trigger when the dog food container changes to</span>
<span class="c1"># "closed" so we set the light to GREEN</span>
<span class="pi">-</span> <span class="na">platform</span><span class="pi">:</span> <span class="s">state</span>
<span class="na">entity_id</span><span class="pi">:</span>
<span class="pi">-</span> <span class="s">binary_sensor.open_close_xs_sensor_window_door_is_open_3</span>
<span class="na">to</span><span class="pi">:</span> <span class="s2">"</span><span class="s">off"</span>
<span class="na">alias</span><span class="pi">:</span> <span class="s">Fed</span>
<span class="na">id</span><span class="pi">:</span> <span class="s">fed</span>
<span class="na">action</span><span class="pi">:</span>
<span class="c1"># I found that changing the light was more reliable if</span>
<span class="c1"># I always turned it off first</span>
<span class="pi">-</span> <span class="na">service</span><span class="pi">:</span> <span class="s">light.turn_off</span>
<span class="na">metadata</span><span class="pi">:</span> <span class="pi">{}</span>
<span class="na">data</span><span class="pi">:</span> <span class="pi">{}</span>
<span class="na">target</span><span class="pi">:</span>
<span class="na">entity_id</span><span class="pi">:</span> <span class="s">light.dog_food_status_light_light</span>
<span class="na">alias</span><span class="pi">:</span> <span class="s">Light off</span>
<span class="pi">-</span> <span class="na">if</span><span class="pi">:</span>
<span class="c1"># if trigger=fed, i.e. food container was just closed,</span>
<span class="c1"># set the light to GREEN...</span>
<span class="pi">-</span> <span class="na">condition</span><span class="pi">:</span> <span class="s">trigger</span>
<span class="na">id</span><span class="pi">:</span>
<span class="pi">-</span> <span class="s">fed</span>
<span class="na">then</span><span class="pi">:</span>
<span class="pi">-</span> <span class="na">alias</span><span class="pi">:</span> <span class="s">Turn light green</span>
<span class="na">service</span><span class="pi">:</span> <span class="s">light.turn_on</span>
<span class="na">metadata</span><span class="pi">:</span> <span class="pi">{}</span>
<span class="na">data</span><span class="pi">:</span>
<span class="na">rgb_color</span><span class="pi">:</span>
<span class="pi">-</span> <span class="m">0</span>
<span class="pi">-</span> <span class="m">249</span>
<span class="pi">-</span> <span class="m">0</span>
<span class="na">brightness_pct</span><span class="pi">:</span> <span class="m">25</span>
<span class="na">target</span><span class="pi">:</span>
<span class="na">entity_id</span><span class="pi">:</span> <span class="s">light.dog_food_status_light_light</span>
<span class="c1"># ...and wait 2 hours...</span>
<span class="pi">-</span> <span class="na">delay</span><span class="pi">:</span>
<span class="na">hours</span><span class="pi">:</span> <span class="m">2</span>
<span class="na">minutes</span><span class="pi">:</span> <span class="m">0</span>
<span class="na">seconds</span><span class="pi">:</span> <span class="m">0</span>
<span class="na">milliseconds</span><span class="pi">:</span> <span class="m">0</span>
<span class="c1"># ...then turn it off. This way humans can tell long</span>
<span class="c1"># after feeding time that everything is cool</span>
<span class="pi">-</span> <span class="na">service</span><span class="pi">:</span> <span class="s">light.turn_off</span>
<span class="na">metadata</span><span class="pi">:</span> <span class="pi">{}</span>
<span class="na">data</span><span class="pi">:</span> <span class="pi">{}</span>
<span class="na">target</span><span class="pi">:</span>
<span class="na">entity_id</span><span class="pi">:</span> <span class="s">light.dog_food_status_light_light</span>
<span class="na">else</span><span class="pi">:</span>
<span class="c1"># else, the trigger is the breakfast or dinner timer</span>
<span class="c1"># so just turn it red</span>
<span class="pi">-</span> <span class="na">alias</span><span class="pi">:</span> <span class="s">Turn light red</span>
<span class="na">service</span><span class="pi">:</span> <span class="s">light.turn_on</span>
<span class="na">metadata</span><span class="pi">:</span> <span class="pi">{}</span>
<span class="na">data</span><span class="pi">:</span>
<span class="na">rgb_color</span><span class="pi">:</span>
<span class="pi">-</span> <span class="m">255</span>
<span class="pi">-</span> <span class="m">38</span>
<span class="pi">-</span> <span class="m">0</span>
<span class="na">brightness_step_pct</span><span class="pi">:</span> <span class="m">100</span>
<span class="na">target</span><span class="pi">:</span>
<span class="na">entity_id</span><span class="pi">:</span> <span class="s">light.dog_food_status_light_light</span>
<span class="na">mode</span><span class="pi">:</span> <span class="s">single</span>
</code></pre></div></div>
<p>I cannot express just how helpful this has been <span class="nodark">😊</span>. And since it’s all in Home Assistant, it
shows up on my dashboard. Here you can see that they were last fed an hour ago, and keeps history, though that’s not
really necessary:</p>
<div class="--tile-300">
<picture>
<source srcset="/assets/2025/dog-food-dashboard.png" media="(prefers-color-scheme: dark)" />
<img class="border" width="888" height="764" src="/assets/2025/dog-food-dashboard-light.png" alt="A dashboard titled "Kitchen" that shows light switches, humidity, temperature, and "Dog Food Container", last closed 1 hour ago" />
</picture>
<picture>
<source srcset="/assets/2025/dog-food-log.png" media="(prefers-color-scheme: dark)" />
<img class="border" width="1124" height="1038" src="/assets/2025/dog-food-log-light.png" alt="A log titled "Dog Food Container" that shows it was last closed 1 hour ago, with earlier entries showing opens and closes" />
</picture>
</div>
<p>Happy humans and happy pups.</p>
<p><img src="/assets/2025/puppies-jammies.jpeg" width="1280" height="720" alt="The same two dogs from the earlier photo, but older. They are wearing pajamas with cartoon zoo animals on them. They are standing alert on a tile floor and the beagle has one ear turned back" /></p>
<h3 id="an-aside-on-systemic-problems">An aside on systemic problems</h3>
<p>My most important professional skill is identifying and solving systemic problems. As W. Edwards Deming explains in <em>Out
of the Crisis</em>, issues that occur <em>within</em> a system need to be addressed by <em>changing the system</em>:</p>
<blockquote>
<p>Eighty-five percent of the reasons for failure are <strong>deficiencies in the systems and process</strong> rather than the
employee. The role of management is to change the process rather than badgering individuals to do better</p>
</blockquote>
<p>And L. David Marquet writes in <em>Leadership Is Language</em>:</p>
<blockquote>
<p>We need to always remember that the organization is perfectly tuned to deliver the behavior we see, and <strong>people’s
behaviors are the perfect result of the organization’s design</strong>. As individuals, we should embrace our responsibility
for being the best we can be within the design of the organization. But as leaders, <strong>our responsibility is to design
the organization so that individuals can be the best versions of themselves.</strong></p>
</blockquote>
<p>See also: <a href="https://heathbrothers.com/books/upstream/" title="Upstream book"><strong>Upstream</strong></a> by Dan Heath.</p>
<p>Sometimes (much to my family’s chagrin), I apply these lessons at home too.</p>The goal: feed the dogs 2x/dayThe Adobe Lightroom backup story is terrible2025-01-03T00:00:00+00:002025-01-03T00:00:00+00:00https://www.wassupy.com/2025/01/the-adobe-lightroom-backup-story-is-terrible<p>Backing up an Adobe Lightroom catalog is a bit of a pain. If you have local storage large enough to hold all your photos
then you can tell Lightroom to save a copy of every photo there, and then you can backup that location. That’s better
than nothing. But when you don’t have enough space (largely thanks to Apple’s exorbinate storage upgrade prices),
backing up everything, including what gets offloaded to Adobe’s cloud is difficult. As far as I can tell, there’s no
straightforward way to do this, especially not repeatedly.</p>
<p><strong>To be clear:</strong> the cloud storage Adobe uses for Lightroom is exceptionally convenient, but it is not a backup. I want
a backup that will survive account compromise, loss of access, or a major technical issue with the provider.</p>
<p><em>It’d be nice</em> if I could restore the backup without much disruption, but I’ll settle for an inconvenient, incomplete copy of
everything.</p>
<p>Here’s what I settled on:</p>
<ol>
<li>Get a large external USB hard drive ($99)</li>
<li>Use the Adobe Lightroom Downloader to download all the photos to it (25 hours)</li>
<li>Repeat periodically</li>
</ol>
<div class="--tile-300">
<picture>
<source srcset="/assets/2025/lightroom-downloader-dark.png" media="(prefers-color-scheme: dark)" />
<img height="1360" width="960" src="/assets/2025/lightroom-downloader-light.png" alt="a screenshot of an app titled "Lightroom Downloader", showing image files being downloaded and a progress bar at 17%. There is a button at the bottom labeled "Pause Download"" />
</picture>
</div>
<p>I’m disappointed that this doesn’t give me the high-fidelity backup I want, and that I have to manually do it every
month or two, and that it’s wildly inefficient to re-download all the photos every time, but it’s all I have.</p>
<h3 id="things-i-wish-i-could-do-instead">Things I wish I could do instead</h3>
<p>I wish I could use a web service to automatically backup photos to a 3rd party, e.g. Google Photos, S3, B2, etc.</p>
<p>I wish I could run a script or service on my home Linux server to download just the changes periodically and
automatically.</p>
<p>I wish the Lightroom Downloader had a “sync” feature so it didn’t have to download all 125k+ photos every time.</p>
<p>I wish the backup options didn’t lose so much data along the way, e.g. album strcuture, and I wish backups could be
easily restored.</p>Backing up an Adobe Lightroom catalog is a bit of a pain. If you have local storage large enough to hold all your photos then you can tell Lightroom to save a copy of every photo there, and then you can backup that location. That’s better than nothing. But when you don’t have enough space (largely thanks to Apple’s exorbinate storage upgrade prices), backing up everything, including what gets offloaded to Adobe’s cloud is difficult. As far as I can tell, there’s no straightforward way to do this, especially not repeatedly.Expose self-hosted Home Assistant to the internet (and companion app) with Cloudflare Tunnels and Docker Compose2024-12-29T00:00:00+00:002024-12-29T00:00:00+00:00https://www.wassupy.com/2024/12/self-hosting-home-assistant-with-cloudflare-tunnels<h2 id="prerequisites">Prerequisites</h2>
<p>This guide assumes you have the following:</p>
<ol>
<li>A Cloudflare account (free)</li>
<li>A domain name (bought from Cloudflare or elsewhere; $10/yr), set up in Cloudflare</li>
<li>A linux server with docker, which can be the same one where you run Home Assistant, but doesn’t need to be</li>
</ol>
<h2 id="the-general-idea">The general idea</h2>
<p>Web users connect to Cloudflare, and instead of Cloudflare reaching into our network, we run a service inside the
network that <em>reaches out to Cloudflare</em>:</p>
<svg xmlns="http://www.w3.org/2000/svg" version="1.1" viewBox="0 0 874 240" font-size="20" stroke-width="4" stroke="black" fill="none" role="img">
<title>CF Tunnels</title>
<desc>Diagram of a client connecting to a Home Assistant instance inside a homelab via Cloudflare Tunnels. The diagram has three entities: client,
Cloudflare, home lab. The client is connected to Cloudflare. The home lab has two docker containers. The first is
labled "CF Tunnel" and it is connected to the Cloudflare entity, and the other container: Home Assistant</desc>
<defs>
<marker id="head" orient="auto" markerWidth="4" markerHeight="4" refX="0.1" refY="2">
<path d="M0,0 V4 L2,2 Z" stroke-width="1" fill="black" />
</marker>
</defs>
<g id="actor" fill="none">
<circle cx="50" cy="50" r="40" />
<line x1="50" y1="90" x2="50" y2="150" />
<line x1="50" y1="150" x2="25" y2="190" />
<line x1="50" y1="150" x2="75" y2="190" />
<line x1="25" y1="100" x2="75" y2="100" />
</g>
<path id="cloudflare" stroke-linecap="round" stroke-linejoin="round" d="M 172.498 118.768 C 172.498 175.125 220.749 189.214 244.868 189.214 L 376.449 189.214 C 396.186 189.214 435.661 177.687 435.661 131.576 C 435.661 85.467 396.186 73.94 376.449 73.94 C 376.449 54.727 356.712 9.898 310.658 9.898 C 273.816 9.898 251.447 35.515 244.868 48.323 C 220.749 48.323 172.498 62.413 172.498 118.768 Z" style="fill: none;" />
<g id="homelab">
<rect x="500" y="10" width="360" height="180" />
<rect x="520" y="80" width="110" height="40" />
<rect x="685" y="80" width="155" height="40" />
</g>
<g id="connections">
<path marker-end="url(#head)" d="M90,100 155,100" />
<path marker-end="url(#head)" d="M515,100 450,100" />
<path marker-end="url(#head)" d="M635,100 670,100 " />
</g>
<g id="labels" stroke-width="0" fill="black">
<text x="50" y="220" dominant-baseline="middle" text-anchor="middle">Client</text>
<text x="304" y="220" dominant-baseline="middle" text-anchor="middle">Cloudflare</text>
<text x="681.5" y="220" dominant-baseline="middle" text-anchor="middle">Homelab Containers</text>
<text x="530" y="108">CF Tunnel</text>
<text x="695" y="108">Home Assistant</text>
</g>
</svg>
<p>We are <strong>not</strong> opening any ports, e.g. http/https from our server to the local network or internet. We are <strong>not</strong>
messing with dynamic dns stuff. We don’t need to set up TLS.</p>
<h2 id="an-example-with-docker-compose">An example with Docker Compose</h2>
<h3 id="create-the-tunnel-config-at-cloudflare">Create the tunnel config at Cloudflare</h3>
<p>First create your tunnel in the Cloudflare dashboard > Zero Trust > Networks > Tunnels:</p>
<ul>
<li>Choose <code class="language-plaintext highlighter-rouge">cloudflared</code></li>
<li>Name it whatever you want, e.g. <code class="language-plaintext highlighter-rouge">homelab</code></li>
<li>Click the “docker” installation instructions just to <em>grab the token</em></li>
<li><em>Don’t actually install anything</em></li>
</ul>
<p>Copy that token for the next section.</p>
<h3 id="on-your-homelab-server">On your homelab server</h3>
<p>Create <code class="language-plaintext highlighter-rouge">docker-compose.yaml</code> like this, with the token you copied above:</p>
<div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">3.3"</span>
<span class="na">services</span><span class="pi">:</span>
<span class="na">tunnel</span><span class="pi">:</span>
<span class="na">image</span><span class="pi">:</span> <span class="s">cloudflare/cloudflared</span>
<span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span>
<span class="na">command</span><span class="pi">:</span> <span class="s">tunnel run</span>
<span class="na">environment</span><span class="pi">:</span>
<span class="pi">-</span> <span class="s">TUNNEL_TOKEN=***insert CF Tunnel token here***</span>
</code></pre></div></div>
<p>Start up the containers:</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>docker compose up <span class="nt">-d</span>
</code></pre></div></div>
<p>Tail the logs:</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>docker compose logs <span class="nt">-f</span>
</code></pre></div></div>
<h3 id="back-in-the-cloudflare-dashboard">Back in the Cloudflare dashboard</h3>
<p>At this point, the Cloudflare dashboard should show your tunnel as <em>healthy</em>. If not, read those logs carefully for
errors and fix it before continuing.</p>
<p>Add a public hostname to your tunnel:</p>
<ul>
<li><strong>subdomain:</strong> anything you want (this DNS record will be added for you)</li>
<li><strong>domain:</strong> pick the domain you already set up in Cloudflare</li>
<li><strong>service:</strong> choose <code class="language-plaintext highlighter-rouge">http</code>, and set <code class="language-plaintext highlighter-rouge">url</code> to the internal IP and port of your Home Assistant inac name of your docker service. E.g. <code class="language-plaintext highlighter-rouge">http://192.168.1.100:8123</code></li>
<li><strong>additional application settings:</strong> none</li>
</ul>
<p>With that done, you should be able to browse to the subdomain you set up, and the response will be tunneled over from
your homelab server. You’ll probably get a <code class="language-plaintext highlighter-rouge">400</code> error. Don’t fret—you’re almost done.</p>
<p>Now you need to tell Home Assistant that the Cloudflare tunnel is allowed to proxy it. You can see the exact IP you need
in the Home Assistant error log, e.g.:</p>
<blockquote>
<p>“A request from a reverse proxy was received from 172.21.0.8, but your HTTP integration is not set-up for reverse proxies”</p>
</blockquote>
<p>That exact IP could change when your cftunnel container restarts, but the first two parts of the network probably won’t,
so you can just trust the whole thing like this, in HA <code class="language-plaintext highlighter-rouge">configuration.yaml</code>:</p>
<div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">http</span><span class="pi">:</span>
<span class="na">use_x_forwarded_for</span><span class="pi">:</span> <span class="kc">true</span>
<span class="na">trusted_proxies</span><span class="pi">:</span>
<span class="pi">-</span> <span class="s">172.21.0.0/16</span> <span class="c1"># add the actual IP of your cftunnels container, or the network it's on</span>
</code></pre></div></div>
<p>(And restart your HA instance.)</p>
<p>You can also find the anticipated proxy IP by checking the network details, too. First, list your docker networks:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>docker network ls
NETWORK ID NAME DRIVER SCOPE
37c19c0df841 bridge bridge local
da9f58733dc9 home-assistant_default bridge local
587ff440738c host host local
30a44b8290f3 none null local
0e1df72bc30c sites_default bridge local
</code></pre></div></div>
<p>Then pick the one <em>where you’re running your cftunnels container</em> (<strong>not</strong> the one running your HA instance!). In my case, it’s in a folder called <code class="language-plaintext highlighter-rouge">sites</code>, so I need the last one. Inspect it:</p>
<div class="language-json highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="err">//</span><span class="w"> </span><span class="err">docker</span><span class="w"> </span><span class="err">network</span><span class="w"> </span><span class="err">inspect</span><span class="w"> </span><span class="err">sites_default</span><span class="w">
</span><span class="p">[</span><span class="w">
</span><span class="p">{</span><span class="w">
</span><span class="nl">"Name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sites_default"</span><span class="p">,</span><span class="w">
</span><span class="nl">"IPAM"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w">
</span><span class="nl">"Config"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w">
</span><span class="p">{</span><span class="w">
</span><span class="nl">"Subnet"</span><span class="p">:</span><span class="w"> </span><span class="s2">"172.21.0.0/16"</span><span class="p">,</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err"><--</span><span class="w"> </span><span class="err">this</span><span class="w"> </span><span class="err">is</span><span class="w"> </span><span class="err">what</span><span class="w"> </span><span class="err">you</span><span class="w"> </span><span class="err">want</span><span class="w">
</span><span class="nl">"Gateway"</span><span class="p">:</span><span class="w"> </span><span class="s2">"172.21.0.1"</span><span class="w">
</span><span class="p">}</span><span class="w">
</span><span class="p">]</span><span class="w">
</span><span class="p">},</span><span class="w">
</span><span class="nl">"Containers"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w">
</span><span class="nl">"6626c238..."</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w">
</span><span class="nl">"Name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sites-tunnel-1"</span><span class="p">,</span><span class="w">
</span><span class="nl">"IPv4Address"</span><span class="p">:</span><span class="w"> </span><span class="s2">"172.21.0.8/16"</span><span class="w">
</span><span class="p">}</span><span class="w">
</span><span class="p">}</span><span class="w">
</span><span class="p">}</span><span class="w">
</span><span class="p">]</span><span class="w">
</span></code></pre></div></div>
<h2 id="do-i-need-to-do-tls-http-compression-etc">Do I need to do TLS, HTTP compression, etc.?</h2>
<p>No. Cloudflare handles TLS and HTTP compression for you. The tunnel is encrypted so no additional TLS is necessary for
that leg.</p>
<h2 id="im-still-getting-a-400-error-or-something-else-isnt-working">I’m still getting a <code class="language-plaintext highlighter-rouge">400</code> error, or something else isn’t working</h2>
<p>Check the logs!</p>PrerequisitesA dash of whimsy with a tiny loading animation2024-12-19T00:00:00+00:002024-12-19T00:00:00+00:00https://www.wassupy.com/2024/12/a-dash-of-whimsy<p>It’s neat how a teensy little animation can add a little whimsy to an otherwise <a href="https://vcfprinter.wassupy.com/">boring thing</a> like loading a bunch of contact cards:</p>
<video autoplay="" loop="" muted="" playsinline="" width="1866" height="1510" aria-label="A looping animation that shows a web page loading a grid of 24 contact cards. The contact cards quickly fade into view at slightly different times, over a period of about 1 second.">
<source src="/assets/2024/vcf-whimsy.mp4" type="video/mp4" />
<source src="/assets/2024/vcf-whimsy.webm" type="video/webm" />
<source src="/assets/2024/vcf-whimsy.ogg" type="video/ogg" />
<img src="/assets/2024/vcf-whimsy.gif" loading="lazy" />
</video>
<p>This is achieved with pretty much the most naive code you can imagine. I’m using JS to add the elements with <code class="language-plaintext highlighter-rouge">opacity: 0</code>, and then schedule their reveal with a random delay:</p>
<div class="language-js highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">// ...</span>
<span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">'</span><span class="s1">output</span><span class="dl">'</span><span class="p">).</span><span class="nf">appendChild</span><span class="p">(</span><span class="nx">el</span><span class="p">);</span>
<span class="nf">setTimeout</span><span class="p">(()</span> <span class="o">=></span> <span class="p">{</span>
<span class="nx">el</span><span class="p">.</span><span class="nx">classList</span><span class="p">.</span><span class="nf">add</span><span class="p">(</span><span class="dl">'</span><span class="s1">show</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// sets `opacity: 1;`</span>
<span class="p">},</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">random</span><span class="p">()</span> <span class="o">*</span> <span class="mi">500</span><span class="p">);</span>
</code></pre></div></div>
<p>This would work just as well for elements already in the DOM, too.</p>It’s neat how a teensy little animation can add a little whimsy to an otherwise boring thing like loading a bunch of contact cards:Easy self-hosting websites with Cloudflare and Docker Compose2024-12-19T00:00:00+00:002024-12-19T00:00:00+00:00https://www.wassupy.com/2024/12/easy-self-hosting-cloudflare<h2 id="prerequisites">Prerequisites</h2>
<p>This guide assumes you have the following:</p>
<ol>
<li>A Cloudflare account (free)</li>
<li>A domain name (bought from Cloudflare or elsewhere; $10/yr), set up in Cloudflare</li>
<li>A linux server with docker</li>
</ol>
<h2 id="the-general-idea">The general idea</h2>
<p>Web users connect to Cloudflare, and instead of Cloudflare reaching into our network, we run a service inside the
network that <em>reaches out to Cloudflare</em>:</p>
<svg xmlns="http://www.w3.org/2000/svg" version="1.1" viewBox="0 0 879 240" font-size="20" stroke-width="4" stroke="black" fill="none" role="img">
<title>CF Tunnels</title>
<desc>Diagram of a user connecting to a homelab via Cloudflare Tunnels. The diagram has three entities: user,
Cloudflare, home lab. The user is connected to Cloudflare. The home lab has three docker containers. The first is
labled "CF Tunnel" and it is connected to the Cloudflare entity, and to each of the other two containers: Webapp1,
and Webapp2</desc>
<defs>
<marker id="head" orient="auto" markerWidth="4" markerHeight="4" refX="0.1" refY="2">
<path d="M0,0 V4 L2,2 Z" stroke-width="1" fill="black" />
</marker>
</defs>
<g id="actor" fill="none">
<circle cx="50" cy="50" r="40" />
<line x1="50" y1="90" x2="50" y2="150" />
<line x1="50" y1="150" x2="25" y2="190" />
<line x1="50" y1="150" x2="75" y2="190" />
<line x1="25" y1="100" x2="75" y2="100" />
</g>
<path id="cloudflare" stroke-linecap="round" stroke-linejoin="round" d="M 172.498 118.768 C 172.498 175.125 220.749 189.214 244.868 189.214 L 376.449 189.214 C 396.186 189.214 435.661 177.687 435.661 131.576 C 435.661 85.467 396.186 73.94 376.449 73.94 C 376.449 54.727 356.712 9.898 310.658 9.898 C 273.816 9.898 251.447 35.515 244.868 48.323 C 220.749 48.323 172.498 62.413 172.498 118.768 Z" style="fill: none;" />
<g id="homelab">
<rect x="500" y="10" width="365" height="180" />
<rect id="cftunnel" x="520" y="80" width="135" height="40" />
<rect id="webapp1" x="710" y="30" width="135" height="40" />
<rect id="webapp2" x="710" y="130" width="135" height="40" />
</g>
<g id="connections">
<path marker-end="url(#head)" d="M90,100 155,100" />
<path marker-end="url(#head)" d="M515,100 450,100" />
<path marker-end="url(#head)" d="M660,90 695,75 " />
<path marker-end="url(#head)" d="M660,110 695,125 " />
</g>
<g id="labels" stroke-width="0" fill="black">
<text x="50" y="220" dominant-baseline="middle" text-anchor="middle">User</text>
<text x="304" y="220" dominant-baseline="middle" text-anchor="middle">Cloudflare</text>
<text x="681.5" y="220" dominant-baseline="middle" text-anchor="middle">Homelab Containers</text>
<text id="cftunnel-label" x="530" y="108">CF Tunnel</text>
<text id="webapp1-label" x="720" y="58">Webapp1</text>
<text id="webapp2-label" x="720" y="158">Webapp2</text>
</g>
</svg>
<p>We are <strong>not</strong> opening any ports, e.g. http/https from our server to the local network or internet. We are <strong>not</strong>
messing with dynamic dns stuff. We don’t need to set up TLS.</p>
<h2 id="an-example-with-docker-compose">An example with Docker Compose</h2>
<h3 id="create-the-tunnel-config-at-cloudflare">Create the tunnel config at Cloudflare</h3>
<p>First create your tunnel in the Cloudflare dashboard > Zero Trust > Networks > Tunnels:</p>
<ul>
<li>Choose <code class="language-plaintext highlighter-rouge">cloudflared</code></li>
<li>Name it whatever you want, e.g. <code class="language-plaintext highlighter-rouge">homelab</code></li>
<li>Click the “docker” installation instructions just to <em>grab the token</em></li>
<li><em>Don’t actually install anything</em></li>
</ul>
<p>Copy that token for the next section.</p>
<h3 id="on-your-homelab-server">On your homelab server</h3>
<p>Create <code class="language-plaintext highlighter-rouge">docker-compose.yaml</code> like this, with the token you copied above:</p>
<div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">3.3"</span>
<span class="na">services</span><span class="pi">:</span>
<span class="na">tunnel</span><span class="pi">:</span>
<span class="na">image</span><span class="pi">:</span> <span class="s">cloudflare/cloudflared</span>
<span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span>
<span class="na">command</span><span class="pi">:</span> <span class="s">tunnel run</span>
<span class="na">environment</span><span class="pi">:</span>
<span class="pi">-</span> <span class="s">TUNNEL_TOKEN=***insert CF Tunnel token here***</span>
<span class="na">web</span><span class="pi">:</span>
<span class="na">image</span><span class="pi">:</span> <span class="s">nginx:latest</span>
</code></pre></div></div>
<p>Start up the containers:</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>docker compose up <span class="nt">-d</span>
</code></pre></div></div>
<p>Tail the logs:</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>docker compose logs <span class="nt">-f</span>
</code></pre></div></div>
<h3 id="back-in-the-cloudflare-dashboard">Back in the Cloudflare dashboard</h3>
<p>At this point, the Cloudflare dashboard should show your tunnel as <em>healthy</em>. If not, read those logs carefully for
errors and fix it before continuing.</p>
<p>Add a public hostname to your tunnel:</p>
<ul>
<li><strong>subdomain:</strong> anything you want (this DNS record will be added for you)</li>
<li><strong>domain:</strong> pick the domain you already set up in Cloudflare</li>
<li><strong>service:</strong> choose <code class="language-plaintext highlighter-rouge">http</code>, and set <code class="language-plaintext highlighter-rouge">url</code> to the name of your docker service. In the above example it’s <code class="language-plaintext highlighter-rouge">web</code></li>
<li><strong>additional application settings:</strong> none</li>
</ul>
<p>With that done, you should be able to browse to the subdomain you set up, and the response will be tunneled over from
your homelab server. Good job ✨</p>
<h2 id="adding-another-website">Adding another website</h2>
<p>You can add another container to the docker compose file like this:</p>
<div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">3.3"</span>
<span class="na">services</span><span class="pi">:</span>
<span class="na">tunnel</span><span class="pi">:</span>
<span class="na">image</span><span class="pi">:</span> <span class="s">cloudflare/cloudflared</span>
<span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span>
<span class="na">command</span><span class="pi">:</span> <span class="s">tunnel run</span>
<span class="na">environment</span><span class="pi">:</span>
<span class="pi">-</span> <span class="s">TUNNEL_TOKEN=<insert sensitive token here></span>
<span class="na">web</span><span class="pi">:</span>
<span class="na">image</span><span class="pi">:</span> <span class="s">nginx:latest</span>
<span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span>
<span class="na">whoami</span><span class="pi">:</span>
<span class="na">image</span><span class="pi">:</span> <span class="s">traefik/whoami</span>
<span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span>
</code></pre></div></div>
<p>And add a public hostname mapping in your tunnel:</p>
<ul>
<li><strong>subdomain:</strong> anything you want (this DNS record will be added for you)</li>
<li><strong>domain:</strong> pick the domain you already set up in Cloudflare</li>
<li><strong>service:</strong> choose <code class="language-plaintext highlighter-rouge">http</code>, and set <code class="language-plaintext highlighter-rouge">url</code> to the name of your docker service. <strong>This time it’s <code class="language-plaintext highlighter-rouge">whoami</code></strong></li>
<li><strong>additional application settings:</strong> none</li>
</ul>
<h2 id="do-i-need-to-do-tls-http-compression-etc">Do I need to do TLS, HTTP compression, etc.?</h2>
<p>No. Cloudflare handles TLS and HTTP compression for you. The tunnel is encrypted so no additional TLS is necessary for
that leg.</p>
<p>I suggest setting up a global redirect rule in Cloudflare to handle http->https.</p>
<h2 id="can-i-build-my-own-containers">Can I build my own containers?</h2>
<p>Sure, that’s pretty easy. Your docker compose service can just point to a folder that itself contains a Dockerfile like
this:</p>
<div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1"># ...</span>
<span class="na">web</span><span class="pi">:</span>
<span class="na">build</span><span class="pi">:</span> <span class="s">./web</span>
<span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span>
</code></pre></div></div>
<p>When you do <code class="language-plaintext highlighter-rouge">docker compose up -d</code> it will build the image for you and then start it.</p>
<p>…and run this to <em>rebuild</em> the image as needed: <code class="language-plaintext highlighter-rouge">docker compose up -d --build web</code></p>
<h2 id="why-dont-i-need-a-load-balancer-like-traefik">Why don’t I need a load balancer like Traefik?</h2>
<p>Often we’d carefully expose containers within docker to something <em>outside</em> of docker by configuring ports and proxying
traffic through a load balancer like nginx or traefik. We’re not actually accepting connections to our
containers from outside of docker so we don’t need to do that.</p>
<p>By default, docker compose containers can see each other and connect by service name (i.e. <code class="language-plaintext highlighter-rouge">web</code>, <code class="language-plaintext highlighter-rouge">whoami</code>, etc.). When
you configure the tunnel to resolve a public hostname to the internal docker service name, the tunnel container just
uses the docker network to talk to it. And the tunnel container can reach <em>out</em> of the docker network to connect to
Cloudflare. If your container is listening on port 80, you’re done—you don’t need to expose it to the host network.</p>
<h2 id="troubleshooting">Troubleshooting</h2>
<p>See logs from your containers, including the cloudflare tunnel (read those error messages carefully!):</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>docker compose logs <span class="nt">-f</span>
</code></pre></div></div>
<p>See if the tunnel state is healthy in the Cloudflare dashboard</p>
<p>See if your containers are running:</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>docker container <span class="nb">ls</span>
</code></pre></div></div>Prerequisites