Lukáš Zapletal

Netbird DNS Split Configuration

Wed, 08 Apr 2026 08:16:58 +0200

Many companies provide NetBird VPN access configured with a mandatory DNS resolving service to ensure malware protection. While this is a solid IT recommendation for the general workforce, it can be frustrating if you run your own DNS blocker at home (like Pi-hole or AdGuard Home) and want to keep your personal traffic routing through it for better performance or hostname rewrites.

If your company’s NetBird configuration forces all DNS queries through their resolvers, you can bypass this and configure split DNS manually. Here is how to do it on both MacOS and Linux.

Running Jellyfin in Podman

Fri, 03 Apr 2026 19:55:00 +0100

This guide covers deploying a streamlined, self-hosted audio and video archiving setup using Podman Quadlets. The stack integrates UN/BT tools and a web-based file management. All services are running rootful with SELinux in enforcing mode.

Some containers are configured with host network for maximum performance of the network stack, this only works in rootful mode.

By leveraging Quadlets, we can define our containers directly as native systemd units, allowing for easy daemonless management and auto-updating without relying on Docker Compose.

Running Immich in Podman

Fri, 03 Apr 2026 19:50:00 +0100

Immich has rapidly become the go-to solution for self-hosters looking to replace Google Photos. It is a high-performance, self-hosted photo and video backup application that boasts mobile apps, smooth timeline scrolling, and robust machine-learning capabilities for facial recognition and object detection.

While the official documentation heavily leans on Docker Compose, deploying Immich using Podman Quadlets is an excellent choice for a daemonless, systemd-native setup. Quadlets allow you to define container workloads directly via systemd unit files, making management, auto-updating, and logging incredibly clean.

Hardened ssh in Fedora 43

Wed, 25 Mar 2026 07:50:03 +0100

If you have a Fedora 43 (or older) system with public IP with ssh port opened, you are probably getting a lot of records like these:

sshd-session[20884]: refusing RSA key: Invalid key length [preauth]
sshd-session[31595]: Invalid user shop from 172.94.9.155 port 37434
sshd-session[57487]: Connection closed by 139.0.12.92 port 62968

These are scripts, bots or AI, trying to get in. As you already know, password authentication is not something that should be used in 2026, so you are fine with public keys. But still, this is polluting the system journal.

SecureBoot/HTTPS Provisioning with Foreman/Satellite

Wed, 11 Mar 2026 16:16:34 +0200

We live in a world where security is paramount, yet network provisioning is often still done via the ancient PXE protocol, which is by design basically an insecure remote execution. Hardware has moved on since the PXE times, and we now have powerful BMC software with capabilities that are a great fit for a secure, end-to-end network provisioning workflow.

This post describes a way to leverage the EFI firmware stack on Intel x86_64 to do most of the security heavy lifting. What you will read was all tested on a Fedora hypervisor running a Red Hat Satellite 6.18 VM (Katello 4.18), and the installed host was a Red Hat Enterprise Linux 10.1 VM. This should also work in other similar environments (e.g., ARM64 EFI) or with Linux distributions that use the Anaconda installer.

Deploy AdGuard Home via Podman Quadlets

Wed, 24 Sep 2025 11:02:47 +0200

Update 2026: Few changes, added host network mode which is more simple and less confusing.

Let’s install AdGuard Home via Podman Quadlets. Volumes:

sudo podman volume create adguard-work
sudo podman volume create adguard-conf

Everything must be done as root since AdGuard needs to bind UDP port. Volume units:

cat <<EOF | sudo tee /etc/containers/systemd/adguard-work.volume > /dev/null
[Volume]
VolumeName=adguard-work
EOF

cat <<EOF | sudo tee /etc/containers/systemd/adguard-conf.volume > /dev/null
[Volume]
VolumeName=adguard-conf
EOF

Now the container unit:

Fixed Hugo alias noindex bug

Mon, 15 Sep 2025 18:46:34 +0200

I was experiencing a weird behavior of Google treating my blog - specifically with pages that had an alias. Turned out that Hugo generator, which I use for my blog, use client side redirect for aliases:

---
type: "post"
aliases:
- /2013/07/hidden-gems-of-xterm.html
date: "2013-07-17T00:00:00Z"
tags:
- linux
- fedora
title: Hidden gems of xterm
---

Generates this alias page:

<!DOCTYPE html>
<html lang="en-us">
 <head>
 <title>http://localhost:1313/posts/2013/hidden-gems-of-xterm/</title>
 <link rel="canonical" href="http://localhost:1313/posts/2013/hidden-gems-of-xterm/">
 <meta name="robots" content="noindex">
 <meta charset="utf-8">
 <meta http-equiv="refresh" content="0; url=http://localhost:1313/posts/2013/hidden-gems-of-xterm/">
 </head>
</html>

The problem is the noindex meta which, for some reason, Google understands as “do not index this redirect as well as the canonical page”. Therefore, all Hugo pages with an alias are excluded from Google index completely. Other search engines behave differently, for example duckduckgogo is fine.

Reserved Custom Keyboard Key in VSCode

Fri, 18 Jul 2025 10:37:35 +0200

While my primary editor is, and always will be, Vim, I find myself using VS Code more and more for longer editing sessions on larger projects. With its great Go support, decent (though not ideal) refactoring tools, and Copilot, it’s an excellent tool.

Recently, I was exploring its Git capabilities and realized there are no default shortcuts for important actions like git commit or git push. Users are expected to perform these tasks using the mouse in the Source Control view, which is quite limited for editing commit messages; for example, it lacks automatic text wrapping.

Connect to Ancient SSH Server

Mon, 12 May 2025 15:02:59 +0200

Modern Linux distributions configure OpenSSH client to refuse connecting to servers without newer ciphers or key exchange algos. Symptoms are:

Unable to negotiate with 192.168.200.83 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss

The solution is clunky, so I created a small Debian-based container with OpenSSH client installed, it is an “oldstable” version old enough not to have a modern SSH client with modern configuration. Usage:

Directory Similarity Comparison Tool: walkalike

Thu, 24 Apr 2025 08:00:03 +0200

I wrote a small but fast tool called walkalike which calculates how two or more filesystem trees (or OS images) are similar. Usage:

walkalike dir1 dirN

Processing is optimized for SSDs and index creation is parallelized. Example command:

walkalike testdata/a testdata/b

Should print:

0.4444444444444 testdata/a testdata/b

Similarity coefficient is between 0.0, when two trees are not similar at all, or 1.0, when two trees are exactly the same. When multiple directories are provided, the first directory is compared against 2nd, 3rd and so on.

Generate testing MTLS certificates more easily

Wed, 20 Nov 2024 15:48:23 +0100

I found a much better tool to generate testing X509 TLS certificates than my own script which by the way is not correct. Here is how to generate a MTLS pair for typical web testing:

#!/bin/bash -e

wget -nc https://raw.githubusercontent.com/redhat-qe-security/certgen/refs/heads/master/certgen/lib.sh
source lib.sh

x509KeyGen ca
x509KeyGen server
x509KeyGen client
x509SelfSign --notAfter "13 years" -t ca ca
x509CertSign --notAfter "13 years" --CA ca -t webserver server
x509CertSign --notAfter "13 years" --CA ca -t webclient client

openssl x509 -in ca/cert.pem -text -noout
openssl x509 -in server/cert.pem -text -noout
openssl x509 -in client/cert.pem -text -noout
openssl verify -CAfile ca/cert.pem server/cert.pem
openssl verify -CAfile ca/cert.pem client/cert.pem

Quick test, a server:

MacOS Text Replacements in Firefox

Thu, 10 Oct 2024 09:33:07 +0200

I use MacOS built-in text replacement feature a ton, however, after I started using Firefox recently I quickly found out that it does not work. The feature is disabled in about:config via setting named widget.macos.automatic.text_replacement, but even if you enable it it only works for textarea and not for widely used input element. And there is no solution so far.

Well, there is a workaround by using TextFast extension that does exactly what it is supposed to do. It is a tiny open-source extension and quick look does not show any network activity except optional storing of the list to Firefox Account (disabled by default). And it has a JSON-based importing / exporting capability.

Deploy Invidious via Podman

Sat, 28 Sep 2024 21:00:06 +0200

Here is how you deploy Invidious via Podman 5.x or higher. All commands are executed as a normal user, if you want to use root then you need to modify some paths. Root-less containers are preferred together with SELinux in enforcing mode for maximum security.

Create a new volume for database:

podman volume create invidious-db

Start a temporary container:

podman run --rm -it --name invidious-init -v invidious-db:/var/lib/postgresql/data:Z -p 5432:5432 -e POSTGRES_DB=invidious -e POSTGRES_USER=kemal -e POSTGRES_PASSWORD=kemal docker.io/library/postgres:14

In another terminal, migrate the database:

Unifi Controller in Fedora/CentOS/RHEL

Thu, 12 Sep 2024 14:39:37 +0200

Update: Updated in 2026 with newer MongoDB version.

This article contains instructions how to run Unifi Controller from Ubiquiti via podman from Fedora, CentOS, RHEL, clones or pretty much any Linux distribution as long as it is version 5.x or higher. I tested this on Fedora versions 40-43 running with SELinux in enforcing mode and rootless containers via quadlets.

The article assumes this is a rootful deployment, but I also tested this on rootless containers. I tend to use rootful containers on my home-lab Fedora servers with SELinux turned on. If you intend to install as a regular user, make sure to use correct paths for systemd units.

AWS CLI via Podman

Tue, 11 Jun 2024 14:46:08 +0200

The extensive AWS CLI is quite painful to install on Fedora or RHEL since the API is moving so fast that is gets outdated quite quickly. Luckily, Amazon provides containers published both on AWS and Docker registries. Configuration is easy:

podman run --rm -it -v ~/.aws:/root/.aws amazon/aws-cli configure

AWS Access Key ID [****************xwcz]:
AWS Secret Access Key [****************CAC1]:
Default region name [None]: us-east-1
Default output format [None]:

Note the volume mapping, the configuration of the current user is shared with the container. If you want to keep the configuration separate, use a different directory.

Fedora 40 on Intel NUC 13th gen

Sat, 27 Apr 2024 22:52:03 +0200

My main machine for all upstream work was Intel NUC 8th gen running i3-8109U CPU, 32 GB RAM and NVME, SSD and two USB HDDs. Originally, I only used this little machine as a file server and backup server but shortly after I added bunch of other services which ended up with this mess of NVMe/SSD/HDD.

Last week when I was testing bootable container installations of Anaconda in a libvirt VM and decided to configure a new raw partition storage pool and (ehm) I made a small typo. As you guessed, I completely destroyed one of my volumes (file server data). Recovery from backups was painful as I do not have much experience with btrfs snapshots, I just wanted to try this file system out as I heard about it. But I did it, family photos and videos were saved, ton of “scratch” data was lost, probably nothing of a value.

Synchronize files with rclone over WebDAV

Sat, 27 Apr 2024 22:07:09 +0200

We have a mix of devices at home ranging from Linux workstations, servers, Macbooks, a Mac Mini and a Windows PC. Up until now, I was using Samba for a home “share” folder which was also used to do backups of the Windows PC (family photos and videos). But it was always a pain, smb protocol is somehow slow, unreliable and painful to set up for seamless MacOS integration. In fact, it never worked reliably for me.

Enable libvirt 5.6+ over TCP

Mon, 11 Sep 2023 09:09:11 +0200

I use libvirt quite a lot during my development and I like to use it both through local UNIX sockets and unauthenticated TCP. With the libvirt version 5.6.0 the project moved to socket activation and many tutorials on the internet are not correct on how to setup libvirt for TCP communication. This post will help.

The first thing to realize is that the options which were previously used for this have no effect anymore, this is documented in the example configuration:

About Structured Logging in Go 1.21

Wed, 28 Jun 2023 20:00:00 +0200

About structured logging in Go 1.21

Upcoming version of the Go programming language, which is expected to be released in the fall of 2023, will introduce a new package named slog. It provides a clean and consistent API for structured logging. Let’s take a closer look on how to use this new library.

Structured logging utilizes key-value structures for storing messages which can be parsed, filtered and analyzed more efficiently in contrast to traditional logging which is rather human readable and natural to write. Compare the following:

New in Go 1.20: wrapping multiple errors

Thu, 08 Dec 2022 09:21:12 +0100

Go 1.20, which is expected to be released in February 2023, comes with a small change that can possibly improve error handling in applications which heavily use error wrapping. Let’s take a look how it looks, but first, short recap of what error wrapping is. Feel free to skip to “New in Go 1.20” section down below for the news.

Errors in Go are values which implements a very simple interface: