Debian bullseye on the RPI 4 with full disk encryption.

July 3, 2022 19 minute read

Updated @ Sun Jul 17 07:51:58 PM CEST 2022: Added blkid section UUID cryptroot. Changed dropbear port to 2222.

I use a few Raspberry PI’s 4 to run virtual machines and k3s.

I was using the Manjaro Linux with full disk encryption but I’ll switch to Debian GNU/Linux, the main reason is that libvirt is currently broken on archlinuxarm.

You’ll find my journey to get Debian GNU/Linux bullseye up and running on the Raspberry PI with full disk encryption below.

How to install coreboot on a Lenovo x230

January 21, 2022 9 minute read

I already use coreboot on my Lenovo W500 with FreeBSD. I bought a Lenovo x230 for a nice price I decide to install coreboot on it. After reading a lot of online documentation. I decided to install the skulls coreboot distribution on it. The skulls project has nice documentation on how to install it.

To replace the BIOS with coreboot you will need to disassemble the laptop and use a clip on the BIOS chip to install it.

Best wishes 2022!

January 2, 2022 less than 1 minute read

Ansible role: package_update v2.0.2

October 31, 2021 1 minute read

Keeping your software up-to-date is an important task in System Administration. Not only for security reasons but also to roll out bug fixes to your systems.

As always we should try to automate this process as much as possible.

Ansible has a package module to install packages in a generic way. It supports most Un*x platforms (GNU/Linux, BSD, …). But it doesn’t allow you to update all packages.

For this reason, I created an Ansible role: package update.

Package update enables you to update all packages on most Linux distributions and the BSD operating systems. It can also update the running jails on FreeBSD.

Version 2.0.2 is available at

• Github: https://github.com/stafwag/ansible-role-package_update.
• Ansible galaxy: https://galaxy.ansible.com/stafwag/package_update

Version 2.0.2:

Changelog:

• Always update the apt cache on Debian based distributions.

Have fun!

Use unbound as an DNS-over-TLS resolver and authoritative dns server v2.0.0

October 17, 2021 4 minute read

In previous blog posts, I described howto setup stubby as a DNS-over-TLS resolver. I used stubby on my laptop(s) and unbound on my internal network.

I migrated to unbound last year and created a docker container for it. Unbound is a popular DNS resolver, it’s less known that you can also use it as an authoritative DNS server.

This work was based on Debian Buster, I migrated the container to Debian Bullseye reorganize it a bit to make it easier to store the zones configuration outside the container like a configmap or persistent volume on Kubernetes.

Version 2.0.0 is available at https://github.com/stafwag/docker-stafwag-unbound.

Version 2.0.0:

Changelog:

• Updated the base image to debian:bullseye.
• Updated create_zone_config.sh to be able to run outside the container.
• Removed the zones.conf generation from the entrypoint
• Start the container as the unbound user
• Updated to logging.conf
• Set the pidfile /tmp/unbound.pid
• Added remote-control.conf
• Updated the documentation