fix typo

Dockerfile

@@ -8,7 +8,7 @@ RUN \
   chown -R nobody:nobody /var/cache/nginx /var/log/nginx && \
   sed -i 's/listen\s\+80;/listen 8080;/' /etc/nginx/conf.d/default.conf && \
   sed -i 's/index  index.html index.htm;/index   mdwiki.html;/' /etc/nginx/conf.d/default.conf && \
-  sed -i 's,pid\s\+/var/run/nginx.pid;,pid /tmp/nginx.pid;,' /etc/nginx/nginx.conf
+  sed -i 's,pid\s\+/run/nginx.pid;,pid /tmp/nginx.pid;,' /etc/nginx/nginx.conf
 USER nobody
 # ------------
 EXPOSE 8080

content/index.md

@@ -1,4 +1,4 @@
 # Minimal Setups
 
-![](/static/IMG_3019.png)
+![](/static/IMG_3019.jpg)
 

content/keys.md

@@ -1,16 +1,6 @@
 ## My Public GPG and SSH Keys
 
-### SSH Keys
 
-* [My SSH Keys](/static/mysshkeys.txt)
-
-
-### GPG Keys
-
-* [`2306AA47A6D7A534B1B7446C836E9E1192A6B132`](/static/2306AA47A6D7A534B1B7446C836E9E1192A6B132.txt)
-* [`082071E0415E0A2D87A2385B5159E88B93B67538`](/static/082071E0415E0A2D87A2385B5159E88B93B67538.txt)
-* [`7B5C0BB6AFCADDC8E3435746B76E53073EE19643`](/static/7B5C0BB6AFCADDC8E3435746B76E53073EE19643.txt)
-* [`90E1D1E935FC6AB94444B15B18FDFA577A8871AD`](/static/90E1D1E935FC6AB94444B15B18FDFA577A8871AD.txt)
-* [`BDB9F424842252FB4D8EEDDCE49AF3B9EF6DD469`](/static/BDB9F424842252FB4D8EEDDCE49AF3B9EF6DD469.txt)
+The overview on keys is at [static.hottis.de](https://static.hottis.de)
 
 

content/snippets/0260-administring-a-cisco-switch.md

@@ -5,6 +5,14 @@ date: 2025-04-17
 
 # Administring a Cisco Switch - Basics for the Homelab Usage
 
+## Connecting to the Switch
+
+Only quite old ssh parameters are supported:
+
+```
+ssh -oKexAlgorithms=+diffie-hellman-group14-sha1 -oHostKeyAlgorithms=+ssh-rsa admin@192.168.2.1
+```
+
 ## Saving the Configuration
 
 Never forget, otherwise after reboot changes are gone!
@@ -33,19 +41,39 @@ exit
 exit
 ```
 
-The first `exit` leaves the interface, the second `exit` leaves the config session.
+The first `exit` leaves the VLAN, the second `exit` leaves the config session.
 
-If the VLAN should be used for management purposes it needs an IP address:
+If the VLAN should be used for management purposes additionally an interface for this VLAN is required with an IP address:
 
 ```
 configure terminal
 vlan 2000
 name vlan2000
+exit
+
+interface vlan 2000
 ip address dhcp
 exit
+
 exit
 ```
 
+or
+
+```
+configure terminal
+vlan 2000
+name vlan2000
+exit
+
+interface vlan 2000
+ip address 192.168.88.3 255.255.255.0
+exit
+
+ip default-gateway 192.168.88.1
+
+exit
+```
 
 Check your work:
 
@@ -94,3 +122,56 @@ exit
 `native` makes the VLAN untagged on that port.
 
 
+### SSH access and hardening measures
+
+First of all, the switch needs to know about time and requires a name:
+
+About time:
+```
+configure terminal
+ntp server de.pool.ntp.org
+clock timezone Etc/Utc
+exit
+```
+
+About names:
+```
+configure terminal
+hostname switch01
+ip domain-name mynetwork.intern
+exit
+```
+
+An user is required:
+```
+configure terminal
+username admin password geheim123
+exit
+```
+
+A host key must be generated:
+```
+crypto key generate rsa
+```
+This command will ask for the key length. Select 2048 bits.
+
+Set the SSH version:
+```
+ip ssh version 2
+```
+
+Configure the virtual terminals accordingly:
+```
+configure terminal
+line vty 0 15
+transport input ssh
+login local
+exit
+```
+
+As mentioned about, the switches support only quite old SSH protocols, so to access it use on the client side:
+```
+ssh -oKexAlgorithms=+diffie-hellman-group14-sha1 -oHostKeyAlgorithms=+ssh-rsa admin@192.168.2.1
+```
+
+

content/snippets/0270-docker-on-apple-silicon.md

@@ -0,0 +1,73 @@
+<!--
+title: Docker on Apple Silicon
+date: 2025-05-12
+-->
+
+# Docker on Apple Silicon - without longrunning background processes and without Rosetta
+
+Docker itself comes with some background processes. Fine for servers, which only exists to run the containers all the time, disadvantageous for a laptop where you run a container only now and then. ChatGPT proposed `podman` and `finch` and as I already heard and read about `podman` I tried it first.
+
+## podman
+
+```
+brew install podman
+```
+
+Afterwards,
+
+```
+podman machine init
+podman machine start
+```
+
+is required to start a VM to run containers within. However,, while the init command directly worked, when issueing the start command I was demanded to install Rosetta. I don't want.
+
+So
+
+```
+podman machine rm
+brew uninstall podman
+```
+
+
+## finch
+
+This is a open source product of AWS: [https://aws.amazon.com/de/blogs/opensource/introducing-finch-an-open-source-client-for-container-development/](https://aws.amazon.com/de/blogs/opensource/introducing-finch-an-open-source-client-for-container-development/).
+
+```
+brew install finch
+```
+
+Here also
+
+```
+finch vm init
+finch vm start
+```
+
+is required and afterwards containers can be executed:
+
+```
+finch run -it ubuntu bash
+```
+
+It appears, that the commandline interface of `finch` it compatible with the one of `docker`, at least I haven't found any flaws yet. Since, I usually have full docker commandline in my notes I created an alias:
+
+```
+alias docker="echo -e '\033[1;31m>>> REMEMBER: docker is finch here <<<\033[0m' && finch"
+```
+
+Using this alias (I've it in my `.bashrc`) I can call `docker` and `finch` is executed, with a big reminder that it actually is `finch`.
+
+As soon as I don't need to run containers anymore, I can call
+
+```
+finch vm stop
+```
+
+and no process remains running. Fine.
+
+
+
+
+

content/snippets/0280-secure-enclave-on-mac.md

@@ -0,0 +1,70 @@
+<!--
+title: SSH Keys in Secure Enclave on Mac
+date: 2025-05-12
+-->
+
+# SSH Keys in Secure Enclave on Mac
+
+The Secure Enclave on the Mac is a security device to generate, hold and utilize keys. A key generated in the Secure Enclave can not be read or copied, it just can be used. Comparable to keys on OpenPGP cards or YubiKeys.
+
+## Secretive
+
+[https://github.com/maxgoedjen/secretive](https://github.com/maxgoedjen/secretive) is a tool to generate keys and to act as an ssh agent, very important for agent-forwarding (using a key on a server where you logged in using that key).
+
+It can be installed via brew:
+
+```
+brew install --cask secretive
+```
+
+After installation, run it, add the proposed snippets into the `~/.ssh/config` and the `~/.bashrc` (or rc file of another shell):
+
+*`~/.ssh/config`*
+```
+Host *
+  IdentityAgent /Users/wn/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/socket.ssh
+```
+
+*`~/.bashrc`*
+```
+SSH_AUTH_SOCK=/Users/wn/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/socket.ssh
+export SSH_AUTH_SOCK
+```
+
+(Obviously, use the right username.)
+
+It worked out of the box for me!
+
+
+## Git Signing using the Key
+
+This were also just a few lines in the `~/.gitconfig`:
+
+*`~/.gitconfig`*
+```
+[user]
+        name = Wolfgang Hottgenroth
+        email = wolfgang.hottgenroth@icloud.com
+        signingkey = /Users/wn/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/PublicKeys/0ca69636d28c45bc99e4ac5b40785e8c.pub
+[gpg]
+        format = ssh
+[commit]
+        gpgsign = true
+[gpg "ssh"]
+        allowedSignersFile = /Users/wn/.ssh/allowed_signers
+```
+
+To verify signatures locally using `git log --show-signature` the `allowed_signars` file mentioned in the last line above is required.
+
+It holds the email address followed by the public ssh key.
+
+That's it!
+
+I've added the key in my local Gitea instance. Cloning via ssh worked immediately, as expected. The verification of commits was only shown after verifying the key on the keys page in the setting. Just one commandline:
+
+```
+echo -n 'a-long-token-presented-to-you-by-gitea' | ssh-keygen -Y sign -n gitea -f /path_to_PrivateKey_or_RelatedPublicKey
+```
+
+Don't be confused or scared: You list the path of the public key at `user.signingkey`, but obviously not the public key is used for signing. It is just used to identify the right private key in the Secure Enclave to be used for signing.
+

content/snippets/0290-secrets-in-repos.md

@@ -0,0 +1,54 @@
+<!--
+title: Secrets in Repos
+date: 2025-05-22
+-->
+
+# Secrets in Repos
+
+Storing secrets in cleartext in a repo is forbidden, obviously.
+
+I use this approach to store secrets in ciphertext in a repo.
+
+The secrets shall be in a file, for instance `secrets.txt`. To encrypt this file I use
+
+```
+gpg --symmetric --cipher-algo AES256 --armor --output secrets.asc secrets.txt
+```
+
+The passphrase for the encryption must be entered on the prompt from gpg.
+
+To decrypt the file, in a CI script I use
+
+```
+gpg --decrypt --passphrase $GPG_PASSPHRASE --yes --batch --homedir /tmp/.gnupg --output secrets.txt secrets.asc
+```
+
+The passphrase must be set in the environment variable `GPG_PASSPHRASE`.
+
+To decrypt interactively the commandline
+
+```
+gpg --decrypt --output secrets.txt secrets.asc
+```
+
+can be used.
+
+Make sure to store the passphrase safely and securely in a password manager or so, otherwise you can not get to your data any longer or everyone can do so.
+
+
+## Remark: Problems with passphrase input
+
+Sometimes, gpg tries to ask for the passphrase via the configured pinentry app, which sometimes fails. In those cases add
+
+```
+--pinentry-mode loopback
+```
+
+to the commandline:
+
+
+```
+gpg --pinentry-mode=loopback --symmetric --cipher-algo AES256 --armor --output secrets.asc secrets.txt
+
+gpg --pinentry-mode=loopback --decrypt --output secrets.txt secrets.asc
+```

content/static/0ca69636d28c45bc99e4ac5b40785e8c.txt

@@ -0,0 +1 @@
+ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC9ZZTUmyplzGlcEGktJu24Y58eOTujMyCdZNR8u8H7xTkZycvHqsszFYM5Y+5wAr9+bfDTSRdjHKB3LeIEPz7Y= 0x0CA69636

content/static/8bf09b3cc425c12c482b03fb45dbee57.txt

@@ -0,0 +1 @@
+ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFm/2lNnOernN9XClZyyGl7gxx/eK8I7zFgDzyxK0clA8hkw0JsA+mGUajeXja8mwzOyjJWDDQYLHYZeXoutzBM= 0x8BF09B3C

content/static/F53691B26F457823DF3E954BB3E461281CF3CE5D.txt

@@ -0,0 +1,18 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mDMEZ+PYvBYJKwYBBAHaRw8BAQdAny08AcNHckbQ9+4yeP96NingMGoAnEFv//D7
+38R0aI+0JVdvbGZnYW5nIEhvdHRnZW5yb3RoIDx3b2hvQGhvdHRpcy5kZT6IkwQT
+FgoAOxYhBPU2kbJvRXgj3z6VS7PkYSgc885dBQJn49i8AhsDBQsJCAcCAiICBhUK
+CQgLAgQWAgMBAh4HAheAAAoJELPkYSgc885duXMBAOljrLHAVWR2M/4d7XiTYEDR
+LxyXkv0I3pKWyWf0+lKBAP9Nnlwqyi9IZGJgg4KDCDrvmwBWT/cs0AMzZyTo0IGS
+DrgzBGfj2LwWCSsGAQQB2kcPAQEHQPJB1WXrw8nMK+L09KAoDVZQ7t5UzLII1+6h
+xXDQnBh0iHgEGBYKACAWIQT1NpGyb0V4I98+lUuz5GEoHPPOXQUCZ+PYvAIbIAAK
+CRCz5GEoHPPOXbPHAQDKQLK3rFBj/i3KCcXNsSUyfgTlRpOyzh7NKJZNFGaRJQEA
+4Y8xDsiQV1Csw4LMzX46bXhuOlp+hMNUWcZ1nw5iCA64OARn49i8EgorBgEEAZdV
+AQUBAQdAtT+gDuinLXcJrlgODh1HZSOaMg65utHTZp41HMyzOXwDAQgHiHgEGBYK
+ACAWIQT1NpGyb0V4I98+lUuz5GEoHPPOXQUCZ+PYvAIbDAAKCRCz5GEoHPPOXWdn
+AQCuhYJ5PNQcYrtq0kRChO+FTwy1AGvln+Zjrm/1YUox9gD/dnwHgzZThnNQtufy
+uFWsbiylLFtWTSZ5gWpU2N7T1A4=
+=XfK5
+-----END PGP PUBLIC KEY BLOCK-----
+

content/static/mysshkeys.txt

@@ -6,3 +6,6 @@ ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDgWpTiwD2v1PIfgEMB6/BjPhevD2pV6I7l6U08ESXc
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDA76VvXrpw03opLO6nWnY+hOsxUkba1uDl8CRG6JXlEtC4DvNaejJ2jnaa2kLD4M9a+3H2tXmmZlOm8UzdFQNcRJCkmAsapuedb5gI12w4G7O8aCPJftsQlO/ICojjsFj0OIDzxHWIMOMmJN9u4+FQdaiif6nUbVRmpTFS0oEX6niLqgKOMqp4a/+bD4IJpdLj6kEBnw0PFS+16p6S2BRIN8W/brOngvu/5RdmEN3bvco/H476OfGYU40IZW5JBl5uJd/qXqZ7GVW9YVnCFfpJQVvRT4fi2AmCrSHngsuRXzID+JxYtC+8Emw2AREKSFKG7H+iOdF7k92TL0JZmDU0JBzWd0/NJ4C+J5Hz4JDb62KVURglDcUhAy8WqHHmut919xjUCRuqjymEqr9WizQW21HPhIm3E7EjVz4id/lX97Vjy+qYIFIZtc7nDup1VSO4Rqt/1eQM96IVe0nxA0jGTCGouXcemdzxNtBck4grl8LmKACymFKxalB7q9RT9Ji6DCTs4oAi7r5lKd9h5zfXQMbK8H/TEDO5bP4coARQiAXbpOGgzmx7teTe7B/VP1mXUAFloA6uQmqlC3bcTp2TiwSrIS0y/YJBVPS3pIeC+iANvYBkVe93/VTIyH6+Zc4afM85YcPCd7p+NlMqvsKpPkIyBpGrlvB6GE9Kcgg/Fw== openpgp:0x8C28C039
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC+9wuMSMxDylwcKNJzr8Z+HkyuuxEi1MKiV9lEDD4o4FuCuo3COqfhxl4hx2+B8e2hPiCUmEhNhRDIQZ25JS+LEywOdDUAqODNnrD0Tc8ueb6zI9MEqwg4mHa+F6LoJJLfNBX1BSdDgg5AVZpH5wu5n6f6YAhPo+ZbzEmObNt/38PcZsl2FO5q0lNpf0phGowDze8oteuATc21tM96K+1CYony5rzDtB2J6554WlRltNufzH4UcUUBvOceiqKu6n/KhkTuVFq76Wp3ERstF0TGMP7M5jEB58cI1hdhfEiC/GL3WIwpbhMAMsrFZrFlJJiDdivvqBnWDPxjfaRLKPEtXryyQ5NPuvN27TpjiQGvLVqskFbPmkaVH5iI4F835g2xrk+qKKQGRTNNh0rVHPqCCPSvYvS/7cRkrfepB2V1bYGAdMHdF6NvJpe9VqWb5lcl3uJxcLQY4evvv+53HLVPAz2DIjr/IF/8mmoHLvdxHlihHmCDlem7Yg4NIWFrl8v48uEHCbaBxtGU+aWbleE0Lr3Lo1OqoqMyAyBMQSl11WfOgq4PELK39OEkJipCAvMFI/FSc9plVSmaHWMuJzGsHCsrBPWnD/CS/G38LLaxgg1mXNt6GHLmDwrWw38PTbN0sNtXm80x5ReVjpvvVooIUZerYJ18sb8bOZ7O2jLE5w== openpgp:0x591AFDCE
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDWP/CfohVMxpsuryOPwh5F0o6TNret5patWZTF3hstZop5/ghlDO8vm5LRg2/a6VrP1e0rOnU24tGjO6VlhZguWfz7ixQAHx7AbjllnD+NIY5nKXSk6RtKk2D42NzO9c8XDbReaVYfd91UNswxe6SpAPw6SuKaMY/zL7as2qYpBsFdrr1oyKbgZMI2yPRJloJjklqlznJcUC4SzEaxtVSnZRIUdx3ANLzt5xNxWhYZ7048oGen4cRfiOtiTypW5uAOwovQulJVtpavo2GTD9sSpnFF9UQhgRkqT+oFRgHQnnOHUqazLsc4uRv0h6/6wSBl9SkKys33x0Zxl1zpxM+0iJDFVnn8HnXLvuRLMCXAg9QWCmKkrQJ/SFU213Qg21O62Nbet6bRfFGz+uz0+9GeMaARmhPbxEGEgqBrscaadeO+JRWntEcoULupKsU0Mc77/DX3UfEYGUgvA8FIFTgpiPnOuGI2K/6kP/QLMqZzLXRAgYO4U+vyOniPy9kHadQ9ZEuCX5inhZhOFi5v/ofI7532skXktbbm1ue46j+7xGHSVcoeuz02dZNtnLZP36vCCi8UkE3CAvuU0hLa/ZBeos6M3GNogdIQ+pzesZ6htQhZcGUR7XHmrFLDwAwV4JTJUfXZ5nMwm78+Oh1CptLyH7Ww4z/k3an8caggxP2+QQ== openpgp:0xCD137F0B
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPJB1WXrw8nMK+L09KAoDVZQ7t5UzLII1+6hxXDQnBh0 openpgp:0x27A0A980
+ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC9ZZTUmyplzGlcEGktJu24Y58eOTujMyCdZNR8u8H7xTkZycvHqsszFYM5Y+5wAr9+bfDTSRdjHKB3LeIEPz7Y= 0x0CA69636
+ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFm/2lNnOernN9XClZyyGl7gxx/eK8I7zFgDzyxK0clA8hkw0JsA+mGUajeXja8mwzOyjJWDDQYLHYZeXoutzBM= 0x8BF09B3C

readme.md

@@ -2,3 +2,4 @@
    - to serve it locally, use `hugo server --bind 0.0.0.0 --baseURL http://172.16.3.33:1313`
 
 
+