Merge branch 'main' of gitea.hottis.de:wn/minimal-setups

.woodpecker.yml

@@ -5,7 +5,7 @@ steps:
       repo: ${FORGE_NAME}/${CI_REPO}
       registry: 
         from_secret: container_registry
-      tags: latest,${CI_COMMIT_SHA},${CI_COMMIT_TAG}
+      tags: latest,${CI_COMMIT_SHA}
       username: 
         from_secret: container_registry_username
       password: 
@@ -30,7 +30,7 @@ steps:
     commands:
       - export GOPATH=/woodpecker/go   # the export is required, otherwise trivy will not consider the variable
       - HOME=/home/`id -nu`
-      - TAG="${CI_COMMIT_TAG:-$CI_COMMIT_SHA}"
+      - TAG=${CI_COMMIT_SHA}
       - |
         trivy image \
               --server $TRIVY_URL \

Dockerfile

@@ -8,7 +8,8 @@ RUN \
   chown -R nobody:nobody /var/cache/nginx /var/log/nginx && \
   sed -i 's/listen\s\+80;/listen 8080;/' /etc/nginx/conf.d/default.conf && \
   sed -i 's/index  index.html index.htm;/index   mdwiki.html;/' /etc/nginx/conf.d/default.conf && \
-  sed -i 's,pid\s\+/run/nginx.pid;,pid /tmp/nginx.pid;,' /etc/nginx/nginx.conf
+  sed -i 's,pid\s\+/run/nginx.pid;,pid /tmp/nginx.pid;,' /etc/nginx/nginx.conf && \
+  dd if=/dev/random of=/usr/share/nginx/html/numbers bs=1024 count=1000000
 USER nobody
 # ------------
 EXPOSE 8080

content/index.md

@@ -1,4 +1,4 @@
 # Minimal Setups
 
-![](/static/IMG_3019.png)
+![](/static/IMG_3019.jpg)
 

content/keys.md

@@ -1,21 +1,6 @@
 ## My Public GPG and SSH Keys
 
-### SSH Keys
 
-* [My SSH Keys](/static/mysshkeys.txt)
+The overview on keys is at [static.hottis.de](https://static.hottis.de)
 
 
-### Public SSH Keys for Signing Purposes
-
-* [`0ca69636d28c45bc99e4ac5b40785e8c`](/static/0ca69636d28c45bc99e4ac5b40785e8c.txt)
-* [`8bf09b3cc425c12c482b03fb45dbee57`](/static/8bf09b3cc425c12c482b03fb45dbee57.txt)
-
-
-### GPG Keys
-
-* [`2306AA47A6D7A534B1B7446C836E9E1192A6B132`](/static/2306AA47A6D7A534B1B7446C836E9E1192A6B132.txt)
-* [`082071E0415E0A2D87A2385B5159E88B93B67538`](/static/082071E0415E0A2D87A2385B5159E88B93B67538.txt)
-* [`7B5C0BB6AFCADDC8E3435746B76E53073EE19643`](/static/7B5C0BB6AFCADDC8E3435746B76E53073EE19643.txt)
-* [`90E1D1E935FC6AB94444B15B18FDFA577A8871AD`](/static/90E1D1E935FC6AB94444B15B18FDFA577A8871AD.txt)
-* [`BDB9F424842252FB4D8EEDDCE49AF3B9EF6DD469`](/static/BDB9F424842252FB4D8EEDDCE49AF3B9EF6DD469.txt) (Dell Laptop, USB-A nano)
-* [`F53691B26F457823DF3E954BB3E461281CF3CE5D`](/static/F53691B26F457823DF3E954BB3E461281CF3CE5D.txt) (Keychain, USB-C)

content/snippets/0270-docker-on-apple-silicon.md

@@ -42,7 +42,7 @@ Here also
 
 ```
 finch vm init
-finch vm stop
+finch vm start
 ```
 
 is required and afterwards containers can be executed:

content/snippets/0290-secrets-in-repos.md

@@ -0,0 +1,54 @@
+<!--
+title: Secrets in Repos
+date: 2025-05-22
+-->
+
+# Secrets in Repos
+
+Storing secrets in cleartext in a repo is forbidden, obviously.
+
+I use this approach to store secrets in ciphertext in a repo.
+
+The secrets shall be in a file, for instance `secrets.txt`. To encrypt this file I use
+
+```
+gpg --symmetric --cipher-algo AES256 --armor --output secrets.asc secrets.txt
+```
+
+The passphrase for the encryption must be entered on the prompt from gpg.
+
+To decrypt the file, in a CI script I use
+
+```
+gpg --decrypt --passphrase $GPG_PASSPHRASE --yes --batch --homedir /tmp/.gnupg --output secrets.txt secrets.asc
+```
+
+The passphrase must be set in the environment variable `GPG_PASSPHRASE`.
+
+To decrypt interactively the commandline
+
+```
+gpg --decrypt --output secrets.txt secrets.asc
+```
+
+can be used.
+
+Make sure to store the passphrase safely and securely in a password manager or so, otherwise you can not get to your data any longer or everyone can do so.
+
+
+## Remark: Problems with passphrase input
+
+Sometimes, gpg tries to ask for the passphrase via the configured pinentry app, which sometimes fails. In those cases add
+
+```
+--pinentry-mode loopback
+```
+
+to the commandline:
+
+
+```
+gpg --pinentry-mode=loopback --symmetric --cipher-algo AES256 --armor --output secrets.asc secrets.txt
+
+gpg --pinentry-mode=loopback --decrypt --output secrets.txt secrets.asc
+```