Danylo Mikulahttps://mikula.dev/Recent content on Danylo MikulaHugo -- gohugo.ioenSun, 30 Nov 2025 00:00:00 +0000Building My Personal Website: From Idea to Automated Deployment (Part 2)https://mikula.dev/posts/infrastructure/building-personal-website-part-2/Sun, 30 Nov 2025 00:00:00 +0000https://mikula.dev/posts/infrastructure/building-personal-website-part-2/<h1 id="building-my-personal-website-from-idea-to-automated-deployment-part-2">Building My Personal Website: From Idea to Automated Deployment (Part 2)</h1> <p>In the <a href="https://mikula.dev/posts/building-my-personal-website-part-1/" >first part</a> of this series, I covered the high-level architecture and the tools I chose for building my personal website. Now let&rsquo;s dive deeper into the technical implementation, starting with the Terraform modules.</p> <h2 id="infrastructure-overview">Infrastructure Overview</h2> <p>To deploy the minimal infrastructure with everything needed on Hetzner Cloud, we need to configure the following components:</p> <ul> <li><strong>Network</strong> — private network for internal communication</li> <li><strong>Firewall</strong> — security rules to restrict traffic</li> <li><strong>SSH Key</strong> — authentication for server access</li> <li><strong>Server</strong> — the actual compute instance</li> </ul> <p>I created Terraform modules for each of these components. Let&rsquo;s go through them one by one.</p><h1 id="building-my-personal-website-from-idea-to-automated-deployment-part-2">Building My Personal Website: From Idea to Automated Deployment (Part 2)</h1> <p>In the <a href="https://mikula.dev/posts/building-my-personal-website-part-1/" >first part</a> of this series, I covered the high-level architecture and the tools I chose for building my personal website. Now let&rsquo;s dive deeper into the technical implementation, starting with the Terraform modules.</p> <h2 id="infrastructure-overview">Infrastructure Overview</h2> <p>To deploy the minimal infrastructure with everything needed on Hetzner Cloud, we need to configure the following components:</p> <ul> <li><strong>Network</strong> — private network for internal communication</li> <li><strong>Firewall</strong> — security rules to restrict traffic</li> <li><strong>SSH Key</strong> — authentication for server access</li> <li><strong>Server</strong> — the actual compute instance</li> </ul> <p>I created Terraform modules for each of these components. Let&rsquo;s go through them one by one.</p> <h2 id="network-module">Network Module</h2> <p>The first piece of infrastructure we need is a private network. For this, I created the <a href="https://github.com/danylomikula/terraform-hcloud-network" >terraform-hcloud-network</a> module.</p> <p>This module provides comprehensive network management for Hetzner Cloud:</p> <ul> <li>Optional creation of a new network or reuse of an existing one</li> <li>Support for multiple subnets across different network zones and types (<code>server</code>, <code>cloud</code>, or <code>vswitch</code>)</li> <li>Optional custom routes for advanced scenarios like VPN gateways</li> <li>Consistent outputs for easy integration with other modules</li> </ul> <p>Here&rsquo;s my network configuration:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-hcl" data-lang="hcl"><span class="line"><span class="cl"><span class="k">module</span> <span class="s2">&#34;network&#34;</span> { </span></span><span class="line"><span class="cl"><span class="n"> source</span> <span class="o">=</span> <span class="s2">&#34;danylomikula/network/hcloud&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> version</span> <span class="o">=</span> <span class="s2">&#34;1.0.0&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n"> create_network</span> <span class="o">=</span> <span class="kt">true</span> </span></span><span class="line"><span class="cl"><span class="n"> name</span> <span class="o">=</span> <span class="k">local</span><span class="p">.</span><span class="k">project_slug</span> </span></span><span class="line"><span class="cl"><span class="n"> ip_range</span> <span class="o">=</span> <span class="s2">&#34;10.100.0.0/16&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n"> labels</span> <span class="o">=</span> <span class="k">local</span><span class="p">.</span><span class="k">common_labels</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n"> subnets</span> <span class="o">=</span> { </span></span><span class="line"><span class="cl"><span class="n"> web</span> <span class="o">=</span> { </span></span><span class="line"><span class="cl"><span class="n"> type</span> <span class="o">=</span> <span class="s2">&#34;cloud&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> network_zone</span> <span class="o">=</span> <span class="s2">&#34;eu-central&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> ip_range</span> <span class="o">=</span> <span class="s2">&#34;10.100.1.0/24&#34;</span> </span></span><span class="line"><span class="cl"> } </span></span><span class="line"><span class="cl"> } </span></span><span class="line"><span class="cl">} </span></span></code></pre></div><p>I chose the <code>eu-central</code> network zone because it offers the best pricing. This configuration creates a network with a <code>/16</code> CIDR block (<code>10.100.0.0/16</code>) and a single subnet with a <code>/24</code> block (<code>10.100.1.0/24</code>). For a single server, this is more than enough address space.</p> <h2 id="firewall-module">Firewall Module</h2> <p>Next, we need to set up a firewall to restrict external traffic. As I mentioned in the first part, I only allow HTTP/HTTPS traffic from Cloudflare IP addresses and SSH access from my home IP.</p> <p>For this, I created the <a href="https://github.com/danylomikula/terraform-hcloud-firewall" >terraform-hcloud-firewall</a> module. It supports:</p> <ul> <li>Creating multiple firewalls with custom rules</li> <li>Both inbound and outbound rules</li> <li>Flexible port and IP restrictions</li> <li>Common labels across all firewalls</li> </ul> <p>Here&rsquo;s my firewall configuration:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-hcl" data-lang="hcl"><span class="line"><span class="cl"><span class="k">module</span> <span class="s2">&#34;firewall&#34;</span> { </span></span><span class="line"><span class="cl"><span class="n"> source</span> <span class="o">=</span> <span class="s2">&#34;danylomikula/firewall/hcloud&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> version</span> <span class="o">=</span> <span class="s2">&#34;1.0.0&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n"> firewalls</span> <span class="o">=</span> { </span></span><span class="line"><span class="cl"><span class="n"> &#34;${local.resource_names.website}&#34;</span> <span class="o">=</span> { </span></span><span class="line"><span class="cl"><span class="n"> rules</span> <span class="o">=</span> <span class="p">[</span> </span></span><span class="line"><span class="cl"> { </span></span><span class="line"><span class="cl"><span class="n"> direction</span> <span class="o">=</span> <span class="s2">&#34;in&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> protocol</span> <span class="o">=</span> <span class="s2">&#34;tcp&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> port</span> <span class="o">=</span> <span class="s2">&#34;22&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> source_ips</span> <span class="o">=</span> <span class="p">[</span><span class="k">var</span><span class="p">.</span><span class="k">my_homelab_ip</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="n"> description</span> <span class="o">=</span> <span class="s2">&#34;allow ssh&#34;</span> </span></span><span class="line"><span class="cl"> }<span class="p">,</span> </span></span><span class="line"><span class="cl"> { </span></span><span class="line"><span class="cl"><span class="n"> direction</span> <span class="o">=</span> <span class="s2">&#34;in&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> protocol</span> <span class="o">=</span> <span class="s2">&#34;tcp&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> port</span> <span class="o">=</span> <span class="s2">&#34;80&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> source_ips</span> <span class="o">=</span> <span class="k">local</span><span class="p">.</span><span class="k">cloudflare_all_ips</span> </span></span><span class="line"><span class="cl"><span class="n"> description</span> <span class="o">=</span> <span class="s2">&#34;allow http from cloudflare&#34;</span> </span></span><span class="line"><span class="cl"> }<span class="p">,</span> </span></span><span class="line"><span class="cl"> { </span></span><span class="line"><span class="cl"><span class="n"> direction</span> <span class="o">=</span> <span class="s2">&#34;in&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> protocol</span> <span class="o">=</span> <span class="s2">&#34;tcp&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> port</span> <span class="o">=</span> <span class="s2">&#34;443&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> source_ips</span> <span class="o">=</span> <span class="k">local</span><span class="p">.</span><span class="k">cloudflare_all_ips</span> </span></span><span class="line"><span class="cl"><span class="n"> description</span> <span class="o">=</span> <span class="s2">&#34;allow https from cloudflare&#34;</span> </span></span><span class="line"><span class="cl"> }<span class="p">,</span> </span></span><span class="line"><span class="cl"> { </span></span><span class="line"><span class="cl"><span class="n"> direction</span> <span class="o">=</span> <span class="s2">&#34;in&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> protocol</span> <span class="o">=</span> <span class="s2">&#34;icmp&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> source_ips</span> <span class="o">=</span> <span class="p">[</span><span class="s2">&#34;0.0.0.0/0&#34;, &#34;::/0&#34;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="n"> description</span> <span class="o">=</span> <span class="s2">&#34;allow ping&#34;</span> </span></span><span class="line"><span class="cl"> } </span></span><span class="line"><span class="cl"> <span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="n"> labels</span> <span class="o">=</span> { </span></span><span class="line"><span class="cl"><span class="n"> service</span> <span class="o">=</span> <span class="s2">&#34;firewall&#34;</span> </span></span><span class="line"><span class="cl"> } </span></span><span class="line"><span class="cl"> } </span></span><span class="line"><span class="cl"> } </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n"> common_labels</span> <span class="o">=</span> <span class="k">local</span><span class="p">.</span><span class="k">common_labels</span> </span></span><span class="line"><span class="cl">} </span></span></code></pre></div><h3 id="dynamic-cloudflare-ip-fetching">Dynamic Cloudflare IP Fetching</h3> <p>Cloudflare publishes their IP ranges publicly, so I fetch them dynamically using Terraform&rsquo;s <code>http</code> data source:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-hcl" data-lang="hcl"><span class="line"><span class="cl"><span class="k">data</span> <span class="s2">&#34;http&#34; &#34;cloudflare_ips_v4&#34;</span> { </span></span><span class="line"><span class="cl"><span class="n"> url</span> <span class="o">=</span> <span class="s2">&#34;https://www.cloudflare.com/ips-v4&#34;</span> </span></span><span class="line"><span class="cl">} </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">data</span> <span class="s2">&#34;http&#34; &#34;cloudflare_ips_v6&#34;</span> { </span></span><span class="line"><span class="cl"><span class="n"> url</span> <span class="o">=</span> <span class="s2">&#34;https://www.cloudflare.com/ips-v6&#34;</span> </span></span><span class="line"><span class="cl">} </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">locals</span> { </span></span><span class="line"><span class="cl"><span class="n"> cloudflare_ipv4_cidrs</span> <span class="o">=</span> <span class="k">split</span><span class="p">(</span><span class="s2">&#34;\n&#34;</span><span class="p">,</span> <span class="k">trimspace</span><span class="p">(</span><span class="k">data</span><span class="p">.</span><span class="k">http</span><span class="p">.</span><span class="k">cloudflare_ips_v4</span><span class="p">.</span><span class="k">response_body</span><span class="p">))</span> </span></span><span class="line"><span class="cl"><span class="n"> cloudflare_ipv6_cidrs</span> <span class="o">=</span> <span class="k">split</span><span class="p">(</span><span class="s2">&#34;\n&#34;</span><span class="p">,</span> <span class="k">trimspace</span><span class="p">(</span><span class="k">data</span><span class="p">.</span><span class="k">http</span><span class="p">.</span><span class="k">cloudflare_ips_v6</span><span class="p">.</span><span class="k">response_body</span><span class="p">))</span> </span></span><span class="line"><span class="cl"><span class="n"> cloudflare_all_ips</span> <span class="o">=</span> <span class="k">concat</span><span class="p">(</span><span class="k">local</span><span class="p">.</span><span class="k">cloudflare_ipv4_cidrs</span><span class="p">,</span> <span class="k">local</span><span class="p">.</span><span class="k">cloudflare_ipv6_cidrs</span><span class="p">)</span> </span></span><span class="line"><span class="cl">} </span></span></code></pre></div><p>This approach ensures that whenever Cloudflare updates their IP ranges, a simple <code>terraform apply</code> will update the firewall rules automatically.</p> <blockquote> <p><strong>Important:</strong> For this setup to work, you need to enable the Proxy toggle on your A and AAAA records in Cloudflare DNS settings.</p> </blockquote> <h2 id="ssh-key-module">SSH Key Module</h2> <p>Before creating the server, we need an SSH key for authentication. I created the <a href="https://github.com/danylomikula/terraform-hcloud-ssh-key" >terraform-hcloud-ssh-key</a> module for this purpose.</p> <p>This module is quite flexible and supports:</p> <ul> <li>Automated key generation (ED25519, RSA, or ECDSA)</li> <li>Automatic local save of generated keys</li> <li>Uploading existing public keys</li> <li>Referencing keys already in Hetzner Cloud by ID or name</li> </ul> <p>Here&rsquo;s my configuration:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-hcl" data-lang="hcl"><span class="line"><span class="cl"><span class="k">module</span> <span class="s2">&#34;ssh_key&#34;</span> { </span></span><span class="line"><span class="cl"><span class="n"> source</span> <span class="o">=</span> <span class="s2">&#34;danylomikula/ssh-key/hcloud&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> version</span> <span class="o">=</span> <span class="s2">&#34;1.0.0&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n"> create_key</span> <span class="o">=</span> <span class="kt">true</span> </span></span><span class="line"><span class="cl"><span class="n"> name</span> <span class="o">=</span> <span class="k">local</span><span class="p">.</span><span class="k">project_slug</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n"> save_private_key_locally</span> <span class="o">=</span> <span class="kt">true</span> </span></span><span class="line"><span class="cl"><span class="n"> local_key_directory</span> <span class="o">=</span> <span class="k">path</span><span class="p">.</span><span class="k">module</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n"> labels</span> <span class="o">=</span> <span class="k">local</span><span class="p">.</span><span class="k">common_labels</span> </span></span><span class="line"><span class="cl">} </span></span></code></pre></div><p>This generates an ED25519 key pair (the default and recommended algorithm) and saves both the private and public keys locally for easy access.</p> <h2 id="server-module">Server Module</h2> <p>Finally, let&rsquo;s create the server itself using the <a href="https://github.com/danylomikula/terraform-hcloud-server" >terraform-hcloud-server</a> module. Like the others, it&rsquo;s designed to be flexible and supports:</p> <ul> <li>Multi-server management with a single module invocation</li> <li>Private network attachments with static IPs</li> <li>Firewall integration at creation time</li> <li>Placement groups for high availability</li> <li>All <code>hcloud_server</code> resource attributes</li> </ul> <p>Here&rsquo;s my server configuration:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-hcl" data-lang="hcl"><span class="line"><span class="cl"><span class="k">module</span> <span class="s2">&#34;servers&#34;</span> { </span></span><span class="line"><span class="cl"><span class="n"> source</span> <span class="o">=</span> <span class="s2">&#34;danylomikula/server/hcloud&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> version</span> <span class="o">=</span> <span class="s2">&#34;1.0.0&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n"> servers</span> <span class="o">=</span> { </span></span><span class="line"><span class="cl"><span class="n"> &#34;${local.resource_names.website}&#34;</span> <span class="o">=</span> { </span></span><span class="line"><span class="cl"><span class="n"> server_type</span> <span class="o">=</span> <span class="s2">&#34;cx23&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> location</span> <span class="o">=</span> <span class="s2">&#34;hel1&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> image</span> <span class="o">=</span> <span class="k">data</span><span class="p">.</span><span class="k">hcloud_image</span><span class="p">.</span><span class="k">rocky</span><span class="p">.</span><span class="k">name</span> </span></span><span class="line"><span class="cl"><span class="n"> user_data</span> <span class="o">=</span> <span class="k">local</span><span class="p">.</span><span class="k">cloud_init_config</span> </span></span><span class="line"><span class="cl"><span class="n"> ssh_keys</span> <span class="o">=</span> <span class="p">[</span><span class="k">module</span><span class="p">.</span><span class="k">ssh_key</span><span class="p">.</span><span class="k">ssh_key_id</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="n"> firewall_ids</span> <span class="o">=</span> <span class="p">[</span><span class="k">module</span><span class="p">.</span><span class="k">firewall</span><span class="p">.</span><span class="k">firewall_ids</span><span class="p">[</span><span class="k">local</span><span class="p">.</span><span class="k">resource_names</span><span class="p">.</span><span class="k">website</span><span class="p">]]</span> </span></span><span class="line"><span class="cl"><span class="n"> networks</span> <span class="o">=</span> <span class="p">[</span>{ </span></span><span class="line"><span class="cl"><span class="n"> network_id</span> <span class="o">=</span> <span class="k">module</span><span class="p">.</span><span class="k">network</span><span class="p">.</span><span class="k">network_id</span> </span></span><span class="line"><span class="cl"><span class="n"> ip</span> <span class="o">=</span> <span class="s2">&#34;10.100.1.10&#34;</span> </span></span><span class="line"><span class="cl"> }<span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="n"> labels</span> <span class="o">=</span> { </span></span><span class="line"><span class="cl"><span class="n"> service</span> <span class="o">=</span> <span class="s2">&#34;website&#34;</span> </span></span><span class="line"><span class="cl"> } </span></span><span class="line"><span class="cl"> } </span></span><span class="line"><span class="cl"> } </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n"> common_labels</span> <span class="o">=</span> <span class="k">local</span><span class="p">.</span><span class="k">common_labels</span> </span></span><span class="line"><span class="cl">} </span></span></code></pre></div><p>I chose the <code>cx23</code> server type as it&rsquo;s the cheapest option available and costs me less than $5 per month in the Helsinki (<code>hel1</code>) region. Its specifications are more than enough for a static website.</p> <p>Notice how I&rsquo;m passing variables from previous modules dynamically — the SSH key ID, firewall ID, and network ID are all referenced from their respective module outputs. This eliminates manual configuration and reduces the chance of errors.</p> <h2 id="complete-configuration">Complete Configuration</h2> <p>Here&rsquo;s the full Terraform configuration with all the pieces together:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-hcl" data-lang="hcl"><span class="line"><span class="cl"><span class="k">locals</span> { </span></span><span class="line"><span class="cl"><span class="n"> project_slug</span> <span class="o">=</span> <span class="s2">&#34;mikula-dev&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n"> common_labels</span> <span class="o">=</span> { </span></span><span class="line"><span class="cl"><span class="n"> environment</span> <span class="o">=</span> <span class="s2">&#34;production&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> project</span> <span class="o">=</span> <span class="k">local</span><span class="p">.</span><span class="k">project_slug</span> </span></span><span class="line"><span class="cl"><span class="n"> managed_by</span> <span class="o">=</span> <span class="s2">&#34;terraform&#34;</span> </span></span><span class="line"><span class="cl"> } </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n"> resource_names</span> <span class="o">=</span> { </span></span><span class="line"><span class="cl"><span class="n"> website</span> <span class="o">=</span> <span class="s2">&#34;${local.project_slug}-web&#34;</span> </span></span><span class="line"><span class="cl"> } </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n"> cloud_init_config</span> <span class="o">=</span> <span class="k">templatefile</span><span class="p">(</span><span class="s2">&#34;${path.module}/cloud-init.tpl&#34;</span><span class="p">,</span> { </span></span><span class="line"><span class="cl"><span class="n"> ansible_ssh_public_key</span> <span class="o">=</span> <span class="k">var</span><span class="p">.</span><span class="k">ansible_user_ssh_public_key</span> </span></span><span class="line"><span class="cl"> }<span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n"> cloudflare_ipv4_cidrs</span> <span class="o">=</span> <span class="k">split</span><span class="p">(</span><span class="s2">&#34;\n&#34;</span><span class="p">,</span> <span class="k">trimspace</span><span class="p">(</span><span class="k">data</span><span class="p">.</span><span class="k">http</span><span class="p">.</span><span class="k">cloudflare_ips_v4</span><span class="p">.</span><span class="k">response_body</span><span class="p">))</span> </span></span><span class="line"><span class="cl"><span class="n"> cloudflare_ipv6_cidrs</span> <span class="o">=</span> <span class="k">split</span><span class="p">(</span><span class="s2">&#34;\n&#34;</span><span class="p">,</span> <span class="k">trimspace</span><span class="p">(</span><span class="k">data</span><span class="p">.</span><span class="k">http</span><span class="p">.</span><span class="k">cloudflare_ips_v6</span><span class="p">.</span><span class="k">response_body</span><span class="p">))</span> </span></span><span class="line"><span class="cl"><span class="n"> cloudflare_all_ips</span> <span class="o">=</span> <span class="k">concat</span><span class="p">(</span><span class="k">local</span><span class="p">.</span><span class="k">cloudflare_ipv4_cidrs</span><span class="p">,</span> <span class="k">local</span><span class="p">.</span><span class="k">cloudflare_ipv6_cidrs</span><span class="p">)</span> </span></span><span class="line"><span class="cl">}<span class="c1"> </span></span></span><span class="line"><span class="cl"><span class="c1"> </span></span></span><span class="line"><span class="cl"><span class="c1"># Fetch Cloudflare IP ranges for firewall rules </span></span></span><span class="line"><span class="cl"><span class="c1"></span><span class="k">data</span> <span class="s2">&#34;http&#34; &#34;cloudflare_ips_v4&#34;</span> { </span></span><span class="line"><span class="cl"><span class="n"> url</span> <span class="o">=</span> <span class="s2">&#34;https://www.cloudflare.com/ips-v4&#34;</span> </span></span><span class="line"><span class="cl">} </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">data</span> <span class="s2">&#34;http&#34; &#34;cloudflare_ips_v6&#34;</span> { </span></span><span class="line"><span class="cl"><span class="n"> url</span> <span class="o">=</span> <span class="s2">&#34;https://www.cloudflare.com/ips-v6&#34;</span> </span></span><span class="line"><span class="cl">} </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">module</span> <span class="s2">&#34;network&#34;</span> { </span></span><span class="line"><span class="cl"><span class="n"> source</span> <span class="o">=</span> <span class="s2">&#34;danylomikula/network/hcloud&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> version</span> <span class="o">=</span> <span class="s2">&#34;1.0.0&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n"> create_network</span> <span class="o">=</span> <span class="kt">true</span> </span></span><span class="line"><span class="cl"><span class="n"> name</span> <span class="o">=</span> <span class="k">local</span><span class="p">.</span><span class="k">project_slug</span> </span></span><span class="line"><span class="cl"><span class="n"> ip_range</span> <span class="o">=</span> <span class="s2">&#34;10.100.0.0/16&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n"> labels</span> <span class="o">=</span> <span class="k">local</span><span class="p">.</span><span class="k">common_labels</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n"> subnets</span> <span class="o">=</span> { </span></span><span class="line"><span class="cl"><span class="n"> web</span> <span class="o">=</span> { </span></span><span class="line"><span class="cl"><span class="n"> type</span> <span class="o">=</span> <span class="s2">&#34;cloud&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> network_zone</span> <span class="o">=</span> <span class="s2">&#34;eu-central&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> ip_range</span> <span class="o">=</span> <span class="s2">&#34;10.100.1.0/24&#34;</span> </span></span><span class="line"><span class="cl"> } </span></span><span class="line"><span class="cl"> } </span></span><span class="line"><span class="cl">} </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">module</span> <span class="s2">&#34;ssh_key&#34;</span> { </span></span><span class="line"><span class="cl"><span class="n"> source</span> <span class="o">=</span> <span class="s2">&#34;danylomikula/ssh-key/hcloud&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> version</span> <span class="o">=</span> <span class="s2">&#34;1.0.0&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n"> create_key</span> <span class="o">=</span> <span class="kt">true</span> </span></span><span class="line"><span class="cl"><span class="n"> name</span> <span class="o">=</span> <span class="k">local</span><span class="p">.</span><span class="k">project_slug</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n"> save_private_key_locally</span> <span class="o">=</span> <span class="kt">true</span> </span></span><span class="line"><span class="cl"><span class="n"> local_key_directory</span> <span class="o">=</span> <span class="k">path</span><span class="p">.</span><span class="k">module</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n"> labels</span> <span class="o">=</span> <span class="k">local</span><span class="p">.</span><span class="k">common_labels</span> </span></span><span class="line"><span class="cl">} </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">module</span> <span class="s2">&#34;firewall&#34;</span> { </span></span><span class="line"><span class="cl"><span class="n"> source</span> <span class="o">=</span> <span class="s2">&#34;danylomikula/firewall/hcloud&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> version</span> <span class="o">=</span> <span class="s2">&#34;1.0.0&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n"> firewalls</span> <span class="o">=</span> { </span></span><span class="line"><span class="cl"><span class="n"> &#34;${local.resource_names.website}&#34;</span> <span class="o">=</span> { </span></span><span class="line"><span class="cl"><span class="n"> rules</span> <span class="o">=</span> <span class="p">[</span> </span></span><span class="line"><span class="cl"> { </span></span><span class="line"><span class="cl"><span class="n"> direction</span> <span class="o">=</span> <span class="s2">&#34;in&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> protocol</span> <span class="o">=</span> <span class="s2">&#34;tcp&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> port</span> <span class="o">=</span> <span class="s2">&#34;22&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> source_ips</span> <span class="o">=</span> <span class="p">[</span><span class="k">var</span><span class="p">.</span><span class="k">my_homelab_ip</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="n"> description</span> <span class="o">=</span> <span class="s2">&#34;allow ssh&#34;</span> </span></span><span class="line"><span class="cl"> }<span class="p">,</span> </span></span><span class="line"><span class="cl"> { </span></span><span class="line"><span class="cl"><span class="n"> direction</span> <span class="o">=</span> <span class="s2">&#34;in&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> protocol</span> <span class="o">=</span> <span class="s2">&#34;tcp&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> port</span> <span class="o">=</span> <span class="s2">&#34;80&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> source_ips</span> <span class="o">=</span> <span class="k">local</span><span class="p">.</span><span class="k">cloudflare_all_ips</span> </span></span><span class="line"><span class="cl"><span class="n"> description</span> <span class="o">=</span> <span class="s2">&#34;allow http from cloudflare&#34;</span> </span></span><span class="line"><span class="cl"> }<span class="p">,</span> </span></span><span class="line"><span class="cl"> { </span></span><span class="line"><span class="cl"><span class="n"> direction</span> <span class="o">=</span> <span class="s2">&#34;in&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> protocol</span> <span class="o">=</span> <span class="s2">&#34;tcp&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> port</span> <span class="o">=</span> <span class="s2">&#34;443&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> source_ips</span> <span class="o">=</span> <span class="k">local</span><span class="p">.</span><span class="k">cloudflare_all_ips</span> </span></span><span class="line"><span class="cl"><span class="n"> description</span> <span class="o">=</span> <span class="s2">&#34;allow https from cloudflare&#34;</span> </span></span><span class="line"><span class="cl"> }<span class="p">,</span> </span></span><span class="line"><span class="cl"> { </span></span><span class="line"><span class="cl"><span class="n"> direction</span> <span class="o">=</span> <span class="s2">&#34;in&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> protocol</span> <span class="o">=</span> <span class="s2">&#34;icmp&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> source_ips</span> <span class="o">=</span> <span class="p">[</span><span class="s2">&#34;0.0.0.0/0&#34;, &#34;::/0&#34;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="n"> description</span> <span class="o">=</span> <span class="s2">&#34;allow ping&#34;</span> </span></span><span class="line"><span class="cl"> } </span></span><span class="line"><span class="cl"> <span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="n"> labels</span> <span class="o">=</span> { </span></span><span class="line"><span class="cl"><span class="n"> service</span> <span class="o">=</span> <span class="s2">&#34;firewall&#34;</span> </span></span><span class="line"><span class="cl"> } </span></span><span class="line"><span class="cl"> } </span></span><span class="line"><span class="cl"> } </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n"> common_labels</span> <span class="o">=</span> <span class="k">local</span><span class="p">.</span><span class="k">common_labels</span> </span></span><span class="line"><span class="cl">} </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">module</span> <span class="s2">&#34;servers&#34;</span> { </span></span><span class="line"><span class="cl"><span class="n"> source</span> <span class="o">=</span> <span class="s2">&#34;danylomikula/server/hcloud&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> version</span> <span class="o">=</span> <span class="s2">&#34;1.0.0&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n"> servers</span> <span class="o">=</span> { </span></span><span class="line"><span class="cl"><span class="n"> &#34;${local.resource_names.website}&#34;</span> <span class="o">=</span> { </span></span><span class="line"><span class="cl"><span class="n"> server_type</span> <span class="o">=</span> <span class="s2">&#34;cx23&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> location</span> <span class="o">=</span> <span class="s2">&#34;hel1&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> image</span> <span class="o">=</span> <span class="k">data</span><span class="p">.</span><span class="k">hcloud_image</span><span class="p">.</span><span class="k">rocky</span><span class="p">.</span><span class="k">name</span> </span></span><span class="line"><span class="cl"><span class="n"> user_data</span> <span class="o">=</span> <span class="k">local</span><span class="p">.</span><span class="k">cloud_init_config</span> </span></span><span class="line"><span class="cl"><span class="n"> ssh_keys</span> <span class="o">=</span> <span class="p">[</span><span class="k">module</span><span class="p">.</span><span class="k">ssh_key</span><span class="p">.</span><span class="k">ssh_key_id</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="n"> firewall_ids</span> <span class="o">=</span> <span class="p">[</span><span class="k">module</span><span class="p">.</span><span class="k">firewall</span><span class="p">.</span><span class="k">firewall_ids</span><span class="p">[</span><span class="k">local</span><span class="p">.</span><span class="k">resource_names</span><span class="p">.</span><span class="k">website</span><span class="p">]]</span> </span></span><span class="line"><span class="cl"><span class="n"> networks</span> <span class="o">=</span> <span class="p">[</span>{ </span></span><span class="line"><span class="cl"><span class="n"> network_id</span> <span class="o">=</span> <span class="k">module</span><span class="p">.</span><span class="k">network</span><span class="p">.</span><span class="k">network_id</span> </span></span><span class="line"><span class="cl"><span class="n"> ip</span> <span class="o">=</span> <span class="s2">&#34;10.100.1.10&#34;</span> </span></span><span class="line"><span class="cl"> }<span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="n"> labels</span> <span class="o">=</span> { </span></span><span class="line"><span class="cl"><span class="n"> service</span> <span class="o">=</span> <span class="s2">&#34;website&#34;</span> </span></span><span class="line"><span class="cl"> } </span></span><span class="line"><span class="cl"> } </span></span><span class="line"><span class="cl"> } </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n"> common_labels</span> <span class="o">=</span> <span class="k">local</span><span class="p">.</span><span class="k">common_labels</span> </span></span><span class="line"><span class="cl">} </span></span></code></pre></div><p>With this configuration, running <code>terraform apply</code> provisions the complete infrastructure in just a few minutes.</p> <h2 id="server-bootstrapping-with-ansible">Server Bootstrapping with Ansible</h2> <p>Now let&rsquo;s look at bootstrapping the actual website. For this, I&rsquo;m using an Ansible collection that I also created and published publicly: <a href="https://github.com/danylomikula/ansible-hugo-deploy" >ansible-hugo-deploy</a>.</p> <p>For the operating system, I chose Rocky Linux 10. For the web server — Caddy.</p> <p>The Ansible collection handles the complete deployment pipeline:</p> <ul> <li><strong>Hugo Static Site Deployment</strong> — automated cloning and building of Hugo websites</li> <li><strong>Custom Caddy Build</strong> — compiles Caddy with custom plugins from source</li> <li><strong>SSL/TLS Automation</strong> — automatic HTTPS certificates via Let&rsquo;s Encrypt with Cloudflare DNS challenge</li> <li><strong>Built-in Rate Limiting</strong> — protection against bots and abuse</li> <li><strong>Cloudflare Integration</strong> — DNS-01 ACME challenge support</li> <li><strong>GitHub Deploy Key Generation</strong> — automatic SSH key generation for secure repository access</li> <li><strong>Automated Updates</strong> — systemd timer for periodic Git pulls and site rebuilds</li> <li><strong>Firewall Configuration</strong> — automated firewalld setup with sensible defaults</li> <li><strong>Version Pinning</strong> — full control over Hugo, Caddy, and Go versions</li> </ul> <h3 id="my-ansible-configuration">My Ansible Configuration</h3> <p>Here&rsquo;s my complete configuration:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nn">---</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># Domain configuration.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">domain</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;mikula.dev&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">admin_email</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;admin@{{ domain }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># Git repository for website source.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">website_repo_url</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;git@github.com:danylomikula/mikula.dev.git&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">website_repo_branch</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;master&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># Web content paths.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">website_root</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/var/www/{{ domain }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">caddy_log_path</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/var/log/caddy&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">website_public_dir</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ website_root }}/public&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># Deploy SSH key configuration.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">deploy_ssh_key_user</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;caddy&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">deploy_ssh_key_group</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ deploy_ssh_key_user }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">deploy_ssh_key_dir</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/var/lib/{{ deploy_ssh_key_user }}/.ssh&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">deploy_ssh_key_path</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ deploy_ssh_key_dir }}/deploy_key&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">deploy_ssh_key_type</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;ed25519&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">deploy_ssh_key_comment</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ domain }}-deploy-key&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># Website rebuild configuration.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">webrebuild_schedule</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;*-*-* 04:00:00&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">webrebuild_boot_delay</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;180&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">webrebuild_service_user</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;caddy&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">webrebuild_service_group</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;caddy&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">webrebuild_commands</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;git pull origin {{ website_repo_branch }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;hugo --gc --minify&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">hugo_version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;0.152.2&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># Caddy configuration.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">caddy_version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;2.10.2&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">caddy_go_version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1.25.4&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">caddy_modules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">github.com/mholt/caddy-ratelimit</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">github.com/caddy-dns/cloudflare</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">caddy_rate_limit</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">events</span><span class="p">:</span><span class="w"> </span><span class="m">60</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">window</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1m&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">caddy_compression_formats</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">gzip</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">zstd</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># DNS / ACME configuration.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">cloudflare_api_token</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ vault_cloudflare_api_token }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">caddy_acme_ca</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;https://acme-v02.api.letsencrypt.org/directory&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># Firewall configuration.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">firewall_zone</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;public&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">firewall_allowed_services</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">ssh</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">http</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">https</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">firewall_allowed_ports</span><span class="p">:</span><span class="w"> </span><span class="p">[]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">firewall_allowed_icmp</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">firewall_allowed_icmp_types</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">echo-request</span><span class="w"> </span></span></span></code></pre></div><h3 id="custom-caddy-build-with-plugins">Custom Caddy Build with Plugins</h3> <p>Since I&rsquo;m using Cloudflare with proxy enabled, the standard Caddy build isn&rsquo;t enough for automatic certificate provisioning. I need the <a href="https://github.com/caddy-dns/cloudflare" >caddy-dns/cloudflare</a> module to pass the DNS-01 ACME challenge for certificate verification.</p> <p>Since I&rsquo;m already building a custom Caddy binary, I decided to add another useful module — <a href="https://github.com/mholt/caddy-ratelimit" >caddy-ratelimit</a> for rate limiting protection against bots and scanners.</p> <p>The configuration for these modules is available in my Ansible playbook. If you don&rsquo;t want to use one of them or want to add additional modules, you can easily customize the <code>caddy_modules</code> list.</p> <h3 id="automated-content-updates">Automated Content Updates</h3> <p>We can now deploy the website, but one problem remains: how do we update the content automatically without manually logging into the server? I want to simply push to Git and have the website update itself after some time.</p> <p>To solve this, I&rsquo;m using GitHub deploy keys. These keys are read-only, meaning all they can do is read the content of the Git repository — nothing more.</p> <p>The Ansible playbook generates this key automatically, outputs the public part to the console, and waits for your confirmation while you configure your GitHub repository. After confirmation, it clones the content, builds it, and starts the Hugo server.</p> <h3 id="systemd-timer-for-periodic-updates">systemd Timer for Periodic Updates</h3> <p>For periodic content updates, I use a simple systemd timer that runs every morning and updates the website with new content.</p> <p><strong>webrebuild.service:</strong></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-ini" data-lang="ini"><span class="line"><span class="cl"><span class="k">[Unit]</span> </span></span><span class="line"><span class="cl"><span class="na">Description</span><span class="o">=</span><span class="s">Rebuild website from Git repository</span> </span></span><span class="line"><span class="cl"><span class="na">After</span><span class="o">=</span><span class="s">network-online.target</span> </span></span><span class="line"><span class="cl"><span class="na">Wants</span><span class="o">=</span><span class="s">network-online.target</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">[Service]</span> </span></span><span class="line"><span class="cl"><span class="na">Type</span><span class="o">=</span><span class="s">oneshot</span> </span></span><span class="line"><span class="cl"><span class="na">User</span><span class="o">=</span><span class="s">{{ webrebuild_service_user }}</span> </span></span><span class="line"><span class="cl"><span class="na">Group</span><span class="o">=</span><span class="s">{{ webrebuild_service_group }}</span> </span></span><span class="line"><span class="cl"><span class="na">WorkingDirectory</span><span class="o">=</span><span class="s">{{ website_root }}</span> </span></span><span class="line"><span class="cl"><span class="na">Environment</span><span class="o">=</span><span class="s">PATH={{ caddy_webserver_rebuild_path }}</span> </span></span><span class="line"><span class="cl"><span class="na">{% for command in webrebuild_commands %}</span> </span></span><span class="line"><span class="cl"><span class="na">ExecStart</span><span class="o">=</span><span class="s">/usr/bin/env bash -c &#34;{{ command }}&#34;</span> </span></span><span class="line"><span class="cl"><span class="na">{% endfor %}</span> </span></span><span class="line"><span class="cl"><span class="na">StandardOutput</span><span class="o">=</span><span class="s">journal</span> </span></span><span class="line"><span class="cl"><span class="na">StandardError</span><span class="o">=</span><span class="s">journal</span> </span></span></code></pre></div><p><strong>webrebuild.timer:</strong></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-ini" data-lang="ini"><span class="line"><span class="cl"><span class="k">[Unit]</span> </span></span><span class="line"><span class="cl"><span class="na">Description</span><span class="o">=</span><span class="s">Rebuild website daily</span> </span></span><span class="line"><span class="cl"><span class="na">RefuseManualStart</span><span class="o">=</span><span class="s">no</span> </span></span><span class="line"><span class="cl"><span class="na">RefuseManualStop</span><span class="o">=</span><span class="s">no</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">[Timer]</span> </span></span><span class="line"><span class="cl"><span class="c1"># Run {{ webrebuild_boot_delay }} seconds after boot for the first time.</span> </span></span><span class="line"><span class="cl"><span class="na">OnBootSec</span><span class="o">=</span><span class="s">{{ webrebuild_boot_delay }}</span> </span></span><span class="line"><span class="cl"><span class="c1"># Run daily at scheduled time.</span> </span></span><span class="line"><span class="cl"><span class="na">OnCalendar</span><span class="o">=</span><span class="s">{{ webrebuild_schedule }}</span> </span></span><span class="line"><span class="cl"><span class="na">Unit</span><span class="o">=</span><span class="s">webrebuild.service</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">[Install]</span> </span></span><span class="line"><span class="cl"><span class="na">WantedBy</span><span class="o">=</span><span class="s">timers.target</span> </span></span></code></pre></div><p>With this setup, every morning at 4:00 AM the timer triggers, pulls the latest changes from the repository, and rebuilds the site with Hugo. If I need an immediate update, I can always trigger it manually with <code>sudo systemctl start webrebuild.service</code>.</p> <h3 id="caddyfile-configuration">Caddyfile Configuration</h3> <p>The Caddy server is configured using a config file called <code>Caddyfile</code>. Here&rsquo;s the complete template:</p> <pre tabindex="0"><code># Caddyfile for {{ domain }} # Managed by Ansible - do not edit manually. {% if (cloudflare_api_token | length &gt; 0) or (caddy_acme_ca | length &gt; 0) %} { {% if caddy_acme_ca | length &gt; 0 %} acme_ca {{ caddy_acme_ca }} {% endif %} {% if cloudflare_api_token | length &gt; 0 %} acme_dns cloudflare {env.CLOUDFLARE_API_TOKEN} {% endif %} } {% endif %} www.{{ domain }} { # Redirect www to non-www domain. redir https://{{ domain }}{uri} permanent } {{ domain }} { # Root directory for static files. root * {{ website_public_dir }} # Enable static file server. file_server {% if caddy_rate_limit.enabled | default(false) %} # Basic rate limiting per client IP to slow down bots/scanners. rate_limit { zone per_client { key {remote_ip} events {{ caddy_rate_limit.events }} window {{ caddy_rate_limit.window }} } } {% endif %} # Enable compression. encode {% for format in caddy_compression_formats %}{{ format }} {% endfor %} # TLS configuration with admin email. tls {{ admin_email }} # Access logging. log { output file {{ caddy_log_path }}/access.log { roll_size 100MiB roll_local_time roll_keep_for 15d } } # Security headers. header { Strict-Transport-Security &#34;max-age=63072000; includeSubDomains; preload&#34; X-Content-Type-Options &#34;nosniff&#34; Content-Security-Policy &#34;default-src &#39;self&#39;; script-src &#39;self&#39; &#39;unsafe-inline&#39; https://www.googletagmanager.com https://static.cloudflareinsights.com; style-src &#39;self&#39; &#39;unsafe-inline&#39;; img-src &#39;self&#39; data: https://static.cloudflareinsights.com; font-src &#39;self&#39; data:; frame-ancestors &#39;none&#39;; object-src &#39;none&#39;; base-uri &#39;self&#39;; form-action &#39;self&#39;; connect-src &#39;self&#39; https://www.google-analytics.com https://www.googletagmanager.com https://static.cloudflareinsights.com https://cloudflareinsights.com&#34; Referrer-Policy &#34;strict-origin-when-cross-origin&#34; } } </code></pre><p>This configuration includes:</p> <ul> <li><strong>www to non-www redirect</strong> — all traffic to <code>www.mikula.dev</code> is permanently redirected to <code>mikula.dev</code></li> <li><strong>Static file serving</strong> — serves files from the Hugo build output directory</li> <li><strong>Rate limiting</strong> — limits requests per client IP to protect against abuse</li> <li><strong>Compression</strong> — gzip and zstd compression for better performance</li> <li><strong>Automatic TLS</strong> — certificates via Let&rsquo;s Encrypt with Cloudflare DNS challenge</li> <li><strong>Access logging</strong> — with automatic log rotation</li> <li><strong>Security headers</strong> — HSTS, CSP, and other security-related headers</li> </ul> <h2 id="conclusion">Conclusion</h2> <p>That&rsquo;s it! With this setup, I can deploy a fully functional, secure, and automated website infrastructure in about 15 minutes. The entire workflow is:</p> <ol> <li>Run <code>terraform apply</code> to provision the infrastructure</li> <li>Push content to the repository</li> <li>Run the Ansible playbook to configure the server</li> <li>Add the deploy key to GitHub</li> </ol> <p>From that point on, the website updates itself automatically every day.</p> <p>I hope this guide helps you set up your own website even faster than I did. Feel free to use my ready-made configurations as a starting point.</p> <p>All the code is open source:</p> <ul> <li><strong>Terraform Modules:</strong> <ul> <li><a href="https://github.com/danylomikula/terraform-hcloud-network" >terraform-hcloud-network</a></li> <li><a href="https://github.com/danylomikula/terraform-hcloud-firewall" >terraform-hcloud-firewall</a></li> <li><a href="https://github.com/danylomikula/terraform-hcloud-ssh-key" >terraform-hcloud-ssh-key</a></li> <li><a href="https://github.com/danylomikula/terraform-hcloud-server" >terraform-hcloud-server</a></li> </ul> </li> <li><strong>Ansible Collection:</strong> <ul> <li><a href="https://github.com/danylomikula/ansible-hugo-deploy" >ansible-hugo-deploy</a></li> </ul> </li> </ul> <hr> <p><em>Have questions or suggestions? Feel free to reach out or open an issue on GitHub.</em></p>Building My Personal Website: From Idea to Automated Deployment (Part 1)https://mikula.dev/posts/infrastructure/building-personal-website-part-1/Thu, 27 Nov 2025 00:00:00 +0000https://mikula.dev/posts/infrastructure/building-personal-website-part-1/<h1 id="building-my-personal-website-from-idea-to-automated-deployment-part-1">Building My Personal Website: From Idea to Automated Deployment (Part 1)</h1> <p>The idea of creating my own personal website—a place where I could share projects I&rsquo;m working on and document my technical journey—has been on my mind for a long time. But as with many personal projects, it kept getting pushed aside. Finally, I found the time, and here it is: <a href="https://mikula.dev" >mikula.dev</a>. In this post, I want to share how I built it, what tools I chose, and why.</p><h1 id="building-my-personal-website-from-idea-to-automated-deployment-part-1">Building My Personal Website: From Idea to Automated Deployment (Part 1)</h1> <p>The idea of creating my own personal website—a place where I could share projects I&rsquo;m working on and document my technical journey—has been on my mind for a long time. But as with many personal projects, it kept getting pushed aside. Finally, I found the time, and here it is: <a href="https://mikula.dev" >mikula.dev</a>. In this post, I want to share how I built it, what tools I chose, and why.</p> <h2 id="choosing-the-right-static-site-generator">Choosing the Right Static Site Generator</h2> <p>When looking for a site generator, I had a few requirements in mind: it needed to be simple yet flexible, fast, and shouldn&rsquo;t require hours of configuration just to get started. After evaluating several options, I settled on <a href="https://gohugo.io/" >Hugo</a>.</p> <p>Hugo is one of the fastest static site generators out there. Written in Go, it can build thousands of pages in seconds. But speed isn&rsquo;t the only advantage—it generates pure static HTML files, which makes hosting incredibly straightforward. No databases, no server-side processing, no complex runtime dependencies. Just files that can be served by any web server.</p> <p>The fact that Hugo outputs static files also brings security benefits—there&rsquo;s simply no dynamic attack surface. Combined with its extensive templating capabilities and active community, it was an easy choice.</p> <h2 id="finding-the-perfect-theme">Finding the Perfect Theme</h2> <p>I didn&rsquo;t want to spend weeks developing my own theme from scratch. Instead, I looked for something that matched my aesthetic preferences and could be customized easily. I found <a href="https://github.com/panr/hugo-theme-terminal" >Terminal</a> by Radek Kozieł, and it was exactly what I was looking for.</p> <p>The theme has a clean, retro terminal-inspired look with beautiful syntax highlighting powered by Chroma. It uses <a href="https://github.com/tonsky/FiraCode" >Fira Code</a> as the default monospace font, is fully responsive, and supports customizable color schemes. While it covered most of my needs out of the box, I did extend it with some additional functionality—like better post organization and a dedicated resume page.</p> <h2 id="where-to-host">Where to Host?</h2> <p>Since Hugo generates static files, I had several hosting options to consider: GitHub Pages, AWS S3 with CloudFront, or a small cloud server. Each has its merits, but I went with a dedicated server on <a href="https://www.hetzner.com/cloud" >Hetzner Cloud</a>.</p> <p>Why? Flexibility. While GitHub Pages and S3 are excellent for simple static hosting, having my own server gives me complete control over the infrastructure. I can configure custom caching rules, set up rate limiting, add custom header and run additional services if needed. Plus, Hetzner offers excellent performance at very competitive prices.</p> <h2 id="caddy-the-modern-web-server">Caddy: The Modern Web Server</h2> <p>For the web server, I evaluated a few options—nginx, Apache, and Caddy. I chose <a href="https://caddyserver.com/" >Caddy</a> for several compelling reasons.</p> <p>First, automatic HTTPS. Caddy handles SSL certificate provisioning and renewal through Let&rsquo;s Encrypt completely automatically. No more manual certificate management, no cron jobs for renewal, no forgetting to renew and having your site go down. It just works.</p> <p>Second, simplicity. Caddy&rsquo;s configuration format (the Caddyfile) is remarkably straightforward compared to nginx or Apache configurations. A basic site configuration can be just a few lines, yet it still offers powerful customization options when you need them.</p> <p>I&rsquo;m also using a custom Caddy build with additional plugins: <a href="https://github.com/caddy-dns/cloudflare" >caddy-dns/cloudflare</a> for DNS-01 ACME challenges (so I can get certificates even before DNS propagation completes) and <a href="https://github.com/mholt/caddy-ratelimit" >caddy-ratelimit</a> to protect against bots and abuse.</p> <h2 id="dns-and-security-with-cloudflare">DNS and Security with Cloudflare</h2> <p>For DNS management, I&rsquo;m using <a href="https://www.cloudflare.com/" >Cloudflare</a>. But it&rsquo;s not just about DNS—I have Cloudflare Proxy enabled, which means all traffic to my site goes through Cloudflare&rsquo;s network first. This provides several benefits: DDoS protection, CDN caching, and most importantly, it hides my server&rsquo;s real IP address from the public.</p> <p>To take security a step further, I configured firewall rules directly in Hetzner Cloud to only allow incoming HTTP/HTTPS traffic from Cloudflare&rsquo;s IP ranges. This means even if someone discovers my server&rsquo;s actual IP address, they can&rsquo;t connect to the web server directly—all requests must go through Cloudflare. This setup effectively creates an additional security layer and ensures that all traffic benefits from Cloudflare&rsquo;s protection.</p> <p>Cloudflare publishes their IP ranges publicly, so keeping the firewall rules updated is straightforward. Combined with Caddy&rsquo;s rate limiting, this gives me a solid defense-in-depth approach without adding complexity to the daily operations.</p> <h2 id="infrastructure-as-code-with-terraform">Infrastructure as Code with Terraform</h2> <p>As someone who believes in automating everything, I needed proper Infrastructure as Code for my cloud setup. I looked for existing Terraform modules for Hetzner Cloud but didn&rsquo;t find anything that met my standards for flexibility and maintainability. So I built my own.</p> <p>I created a set of reusable Terraform modules that cover the essential Hetzner Cloud resources:</p> <ul> <li><a href="https://github.com/danylomikula/terraform-hcloud-server" >terraform-hcloud-server</a> — Multi-server management with support for private networks and firewalls.</li> <li><a href="https://github.com/danylomikula/terraform-hcloud-network" >terraform-hcloud-network</a> — VPC and subnet management</li> <li><a href="https://github.com/danylomikula/terraform-hcloud-firewall" >terraform-hcloud-firewall</a> — Firewall rules configuration</li> <li><a href="https://github.com/danylomikula/terraform-hcloud-ssh-key" >terraform-hcloud-ssh-key</a> — SSH key management with support for key generation</li> </ul> <p>These modules are designed to work together seamlessly while remaining flexible enough for various use cases. They&rsquo;re all open source and available on both GitHub and the Terraform Registry.</p> <h2 id="configuration-management-with-ansible">Configuration Management with Ansible</h2> <p>With infrastructure sorted out, I needed a way to automate the actual server configuration and site deployment. For this, I created an Ansible collection: <a href="https://github.com/danylomikula/ansible-hugo-deploy" >ansible-hugo-deploy</a>.</p> <p>This collection handles the complete deployment pipeline:</p> <ul> <li>Installing and configuring Caddy with custom builds (including the Cloudflare DNS and rate limiting plugins)</li> <li>Generating SSH deploy keys for secure repository access</li> <li>Cloning the Hugo site from GitHub</li> <li>Building the site with Hugo</li> <li>Obtaining and managing SSL certificates</li> <li>Configuring rate limiting and security headers</li> <li>Setting up automated content updates via systemd timer</li> </ul> <p>The systemd timer runs daily, pulling the latest changes from the repository and rebuilding the site. This means I can just push a new post to GitHub, and within a day (or I can trigger it manually), the site updates automatically. No SSH-ing into the server, no manual deployments.</p> <h2 id="the-complete-picture">The Complete Picture</h2> <p>Here&rsquo;s how everything fits together:</p> <ol> <li><strong>Terraform</strong> provisions the infrastructure on Hetzner Cloud—server, network, firewall rules (allowing only Cloudflare IPs), and SSH keys</li> <li><strong>Ansible</strong> configures the server—installs Caddy, Hugo, sets up the deployment pipeline</li> <li><strong>Hugo</strong> generates the static site from Markdown content</li> <li><strong>Caddy</strong> serves the site with automatic HTTPS, compression, and rate limiting</li> <li><strong>Cloudflare</strong> handles DNS, proxies all traffic, provides DDoS protection and CDN caching</li> <li><strong>systemd timer</strong> keeps the content automatically updated</li> </ol> <p>The entire setup—from bare server to fully functional website—takes about 15 minutes. And once it&rsquo;s running, I never need to touch the server for content updates. Write a post in Markdown, push to GitHub, and the site updates itself.</p> <h2 id="whats-next">What&rsquo;s Next?</h2> <p>In the second part of this series, I&rsquo;ll dive deeper into the technical details of both the Terraform modules and the Ansible collection. I&rsquo;ll walk through the code, explain the design decisions, and show how you can use these tools for your own projects.</p> <p>All the code is open source and available on my GitHub:</p> <ul> <li><a href="https://github.com/danylomikula?tab=repositories&amp;q=terraform-hcloud" >Terraform Hetzner Cloud Modules</a></li> <li><a href="https://github.com/danylomikula/ansible-hugo-deploy" >Ansible Hugo Deploy Collection</a></li> </ul> <p>Feel free to use them, contribute, or just take inspiration for your own automation journey!</p>Build a Highly Available Pi-hole Cluster with Ansible (VRRP)https://mikula.dev/posts/infrastructure/homelab/ansible-pihole-cluster/Thu, 06 Nov 2025 00:00:00 -0500https://mikula.dev/posts/infrastructure/homelab/ansible-pihole-cluster/<p>Step-by-step guide to prepare two Linux hosts, then use Ansible to deploy a highly available Pi-hole pair with keepalived (VRRP) and a Virtual IP, plus config sync and validation - powered by my open-source playbook: <a href="https://github.com/danylomikula/ansible-pihole-cluster" >ansible-pihole-cluster</a></p> <h1 id="download--flash-the-os-for-raspberry-pi">Download &amp; flash the OS for Raspberry Pi</h1> <p>Both <a href="https://github.com/danylomikula/ansible-bootstrap" >ansible-bootstrap</a> and <a href="https://github.com/danylomikula/ansible-pihole-cluster" >ansible-pihole-cluster</a> support the following distributions:</p> <ul> <li>Debian 13 (Trixie)</li> <li>Ubuntu 24.04 (Noble Numbat)</li> <li>Rocky Linux 10</li> </ul> <p>This guide uses Rocky Linux as an example, but feel free to pick whichever you prefer.</p><p>Step-by-step guide to prepare two Linux hosts, then use Ansible to deploy a highly available Pi-hole pair with keepalived (VRRP) and a Virtual IP, plus config sync and validation - powered by my open-source playbook: <a href="https://github.com/danylomikula/ansible-pihole-cluster" >ansible-pihole-cluster</a></p> <h1 id="download--flash-the-os-for-raspberry-pi">Download &amp; flash the OS for Raspberry Pi</h1> <p>Both <a href="https://github.com/danylomikula/ansible-bootstrap" >ansible-bootstrap</a> and <a href="https://github.com/danylomikula/ansible-pihole-cluster" >ansible-pihole-cluster</a> support the following distributions:</p> <ul> <li>Debian 13 (Trixie)</li> <li>Ubuntu 24.04 (Noble Numbat)</li> <li>Rocky Linux 10</li> </ul> <p>This guide uses Rocky Linux as an example, but feel free to pick whichever you prefer.</p> <h3 id="1-get-the-raspberry-pi-image">1) Get the Raspberry Pi image</h3> <ol> <li>Go to the official <a href="https://rockylinux.org/download?arch=aarch64" >Rocky Linux Download page</a>: pick ARM (aarch64).</li> <li>Scroll to the Raspberry Pi Images section and download the image for your Pi.</li> </ol> <h3 id="2-flash-the-image-to-a-microsd-card">2) Flash the image to a microSD card</h3> <p>You can use balenaEtcher (what I use below), or Raspberry Pi Imager—both work.</p> <h4 id="option-a--balenaetcher">Option A — balenaEtcher</h4> <ol> <li>Install/open <a href="https://etcher.balena.io/" >balenaEtcher</a>.</li> <li>Flash from file → pick the Rocky Linux RPi image.</li> <li>Select target → choose your microSD card.</li> <li>Flash! → wait for completion.</li> </ol> <p><img src="https://mikula.dev/images/posts/pihole-cluster/balena-etcher.webp" alt="balenaEtcher interface"></p> <h4 id="option-b--raspberry-pi-imager">Option B — Raspberry Pi Imager</h4> <ol> <li>Open <a href="https://www.raspberrypi.com/software/" >Raspberry Pi Imager</a>.</li> <li>Click Choose OS → Use custom and select the Rocky Linux RPi image.</li> <li>Choose your microSD card and Next.</li> <li>When asked &ldquo;Would you like to apply OS customisation settings?&rdquo; click No (we&rsquo;ll configure users/SSH/hostname later).</li> <li>You&rsquo;ll get a Warning that all data on the card will be erased — click Yes.</li> </ol> <p><img src="https://mikula.dev/images/posts/pihole-cluster/rpi-imager.webp" alt="Raspberry Pi Imager"></p> <p>Repeat this flashing process for both microSD cards (one per Raspberry Pi), then boot each Pi and make sure it gets a DHCP address on your network.</p> <hr> <h1 id="bootstrap-admin-user-ssh-keys-ssh-hardening-networking-filesystem-expansion">Bootstrap: admin user, SSH keys, SSH hardening, networking, filesystem expansion</h1> <p>Before deploying Pi-hole, each node needs initial setup — an admin user with SSH key access, hardened SSH, static IP configuration, firewall rules, and the filesystem expanded to use the full microSD card. You can automate all of this with <a href="https://github.com/danylomikula/ansible-bootstrap" >ansible-bootstrap</a>:</p> <ul> <li>Creates admin user with passwordless sudo</li> <li>Generates and deploys SSH keys</li> <li>Hardens SSH (disables password authentication and root login)</li> <li>Configures static IPv4/IPv6 addresses, gateway, and DNS</li> <li>Sets up firewall (firewalld) with custom zones and services</li> <li>Expands the filesystem to use all available disk space</li> </ul> <h3 id="1-install-the-collection">1) Install the collection</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ansible-galaxy collection install danylomikula.ansible_bootstrap </span></span></code></pre></div><h3 id="2-create-the-inventory">2) Create the inventory</h3> <p>Create <code>inventory.ini</code> with your nodes. The <code>ansible_host</code> should be the current DHCP address of each Pi, while <code>bootstrap_static_ip</code> and <code>bootstrap_gateway</code> define the static network configuration that will be applied:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-ini" data-lang="ini"><span class="line"><span class="cl"><span class="k">[servers]</span> </span></span><span class="line"><span class="cl"><span class="na">pihole-master ansible_host</span><span class="o">=</span><span class="s">10.20.160.251 bootstrap_static_ip=10.20.0.50/16 bootstrap_gateway=10.20.0.1</span> </span></span><span class="line"><span class="cl"><span class="na">pihole-backup ansible_host</span><span class="o">=</span><span class="s">10.20.200.39 bootstrap_static_ip=10.20.0.51/16 bootstrap_gateway=10.20.0.1</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">[servers:vars]</span> </span></span><span class="line"><span class="cl"><span class="na">ansible_user</span><span class="o">=</span><span class="s">rocky</span> </span></span></code></pre></div><blockquote> <p><strong>Note:</strong> On first run, <code>ansible_user</code> is the default OS user (e.g., <code>rocky</code> for Rocky Linux). After bootstrap completes, the new admin user is created and the nodes are accessible via SSH keys.</p> </blockquote> <h3 id="3-create-the-bootstrap-playbook">3) Create the bootstrap playbook</h3> <p>Create <code>site.yml</code>:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nn">---</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Bootstrap servers</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">hosts</span><span class="p">:</span><span class="w"> </span><span class="l">all</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">become</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">vars</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">bootstrap_user</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;dan&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">bootstrap_ssh_key_generate</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">bootstrap_network_enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">bootstrap_dns4</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;1.1.1.1&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;1.0.0.1&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">bootstrap_firewall_enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">bootstrap_firewall_zone</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;public&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">bootstrap_firewall_services</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">ssh</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">http</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">https</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">dns</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">bootstrap_firewall_custom_zones</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">ftl</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">interface</span><span class="p">:</span><span class="w"> </span><span class="l">lo</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ports</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">port</span><span class="p">:</span><span class="w"> </span><span class="m">4711</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">proto</span><span class="p">:</span><span class="w"> </span><span class="l">tcp</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">bootstrap_firewall_allow_icmp</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">bootstrap_expand_fs_enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">roles</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">danylomikula.ansible_bootstrap.bootstrap</span><span class="w"> </span></span></span></code></pre></div><h3 id="4-run-the-bootstrap-playbook">4) Run the bootstrap playbook</h3> <p>On the first run, SSH keys are not yet deployed, so you need to provide the password interactively:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ansible-playbook -i inventory.ini site.yml -k -K </span></span></code></pre></div><blockquote> <p><strong>Default credentials for Rocky Linux:</strong> User: <code>rocky</code>, Password: <code>rockylinux</code></p> </blockquote> <p>After bootstrap completes, the nodes reboot with their new static IPs. SSH keys are generated in the <code>ssh_keys/</code> directory — you&rsquo;ll reference these keys later in the Pi-hole cluster inventory.</p> <p>See the <a href="https://github.com/danylomikula/ansible-bootstrap#readme" >ansible-bootstrap README</a> for the full list of configuration options.</p> <hr> <h1 id="deploy-pi-hole-cluster-with-ansible">Deploy Pi-hole cluster with Ansible</h1> <blockquote> <p><strong>Prerequisites:</strong> <a href="https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html" >Ansible</a> installed on your configuration device and both nodes bootstrapped (see previous section).</p> </blockquote> <h3 id="1-install-the-collection-1">1) Install the collection</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ansible-galaxy collection install danylomikula.ansible_pihole_cluster </span></span></code></pre></div><h3 id="2-create-the-inventory-1">2) Create the inventory</h3> <p>Create <code>inventory.ini</code> with your nodes. Point <code>ansible_ssh_private_key_file</code> to the SSH keys generated by <code>ansible-bootstrap</code>:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-ini" data-lang="ini"><span class="line"><span class="cl"><span class="k">[master]</span> </span></span><span class="line"><span class="cl"><span class="na">pihole-master ansible_host</span><span class="o">=</span><span class="s">10.20.0.50 ansible_ssh_private_key_file=../pihole-bootstrap/ssh_keys/pihole-master_ed25519 priority=150</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">[backup]</span> </span></span><span class="line"><span class="cl"><span class="na">pihole-backup ansible_host</span><span class="o">=</span><span class="s">10.20.0.51 ansible_ssh_private_key_file=../pihole-bootstrap/ssh_keys/pihole-backup_ed25519 priority=140</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">[pihole_cluster:children]</span> </span></span><span class="line"><span class="cl"><span class="na">master</span> </span></span><span class="line"><span class="cl"><span class="na">backup</span> </span></span></code></pre></div><blockquote> <p><strong>Note:</strong> Adjust the <code>ansible_ssh_private_key_file</code> paths to match where your bootstrap SSH keys are stored.</p> </blockquote> <h3 id="3-create-the-playbook">3) Create the playbook</h3> <p>Create <code>site.yml</code> with all cluster configuration in one place:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nn">---</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Deploy Pi-hole HA Cluster</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">hosts</span><span class="p">:</span><span class="w"> </span><span class="l">pihole_cluster</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">become</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">vars</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ansible_user</span><span class="p">:</span><span class="w"> </span><span class="l">dan</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">bootstrap_timezone</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;America/New_York&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">keepalived_vip_ipv4</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;10.20.0.53/16&#34;</span><span class="w"> </span><span class="c"># Virtual IP for failover</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">pihole_web_password</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;SUPER_SECURE_PASSWORD&#34;</span><span class="w"> </span><span class="c"># Use ansible-vault!</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">pihole_version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;6.3&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">nebula_sync_version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;v0.11.1&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">pihole_local_domain</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;homelab.local&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">local_dns_records</span><span class="p">:</span><span class="w"> </span><span class="p">|</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> 10.20.0.88 node.homelab.local </span></span></span><span class="line"><span class="cl"><span class="sd"> 10.20.0.96 nas.homelab.local</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">roles</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">role</span><span class="p">:</span><span class="w"> </span><span class="l">danylomikula.ansible_pihole_cluster.updates</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">role</span><span class="p">:</span><span class="w"> </span><span class="l">danylomikula.ansible_pihole_cluster.bootstrap</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">role</span><span class="p">:</span><span class="w"> </span><span class="l">danylomikula.ansible_pihole_cluster.docker</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">role</span><span class="p">:</span><span class="w"> </span><span class="l">danylomikula.ansible_pihole_cluster.keepalived</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">role</span><span class="p">:</span><span class="w"> </span><span class="l">danylomikula.ansible_pihole_cluster.unbound</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">role</span><span class="p">:</span><span class="w"> </span><span class="l">danylomikula.ansible_pihole_cluster.pihole</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">role</span><span class="p">:</span><span class="w"> </span><span class="l">danylomikula.ansible_pihole_cluster.pihole_updatelists</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">role</span><span class="p">:</span><span class="w"> </span><span class="l">danylomikula.ansible_pihole_cluster.nebula_sync</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">role</span><span class="p">:</span><span class="w"> </span><span class="l">danylomikula.ansible_pihole_cluster.status</span><span class="w"> </span></span></span></code></pre></div><blockquote> <p>See the full list of available variables in the <a href="https://github.com/danylomikula/ansible-pihole-cluster/blob/main/group_vars/all.yml" >group_vars/all.yml</a> example.</p> </blockquote> <p><strong>What the playbook installs (and why)</strong></p> <ul> <li><strong>keepalived</strong> — Provides VRRP and the floating Virtual IP so one node is always the active DNS endpoint. If the master goes down, the backup takes over automatically.</li> <li><strong>unbound</strong> — A local validating, recursive DNS resolver. Pi-hole forwards queries to Unbound on-box instead of public resolvers, improving privacy and reducing external dependency. <a href="https://docs.pi-hole.net/guides/dns/unbound/" >Pi-hole&rsquo;s official guide</a></li> <li><strong>nebula-sync</strong> — A lightweight synchronizer that keeps Pi-hole config/state in sync between nodes (lists, local DNS, settings). <a href="https://github.com/lovelaze/nebula-sync" >Project</a></li> <li><strong>pihole-updatelists</strong> — Automates fetching and applying block/allow lists from remote sources on a schedule. <a href="https://github.com/jacklul/pihole-updatelists" >Project</a></li> </ul> <h3 id="4-optional-quick-connectivity-test">4) (Optional) Quick connectivity test</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ansible all -i inventory.ini -m ping </span></span></code></pre></div><h3 id="5-deploy-the-cluster">5) Deploy the cluster</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ansible-playbook -i inventory.ini site.yml </span></span></code></pre></div><h3 id="6-point-your-network-to-the-virtual-ip">6) Point your network to the Virtual IP</h3> <p>Update your DHCP/router (or manual client settings) to use the VIP you set in <code>site.yml</code>:</p> <ul> <li>IPv4 DNS: <code>keepalived_vip_ipv4</code> (e.g., <code>10.20.0.53</code>)</li> <li>IPv6 DNS: <code>ipv6_vip</code> (if configured)</li> </ul> <p><img src="https://mikula.dev/images/posts/pihole-cluster/pihole-ansible-result.webp" alt="Pi-hole Ansible Result"></p> <h3 id="7-verify">7) Verify</h3> <p>On whichever node should be master (higher <code>priority</code>), check that the VIP is present:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ip a show dev eth0 </span></span></code></pre></div><p>Confirm Pi-hole is answering:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">dig @10.20.0.53 example.com +short </span></span></code></pre></div><p>If that resolves, you&rsquo;re done — your HA Pi-hole pair is live behind a single Virtual IP.</p>Automated macOS Setup with Dotfileshttps://mikula.dev/posts/infrastructure/automated-macos-setup-with-dotfiles/Thu, 04 Sep 2025 00:00:00 +0000https://mikula.dev/posts/infrastructure/automated-macos-setup-with-dotfiles/<h1 id="automated-macos-setup-with-dotfiles">Automated macOS Setup with Dotfiles</h1> <p><strong>Repository:</strong> <a href="https://github.com/danylomikula/dotfiles" >github.com/danylomikula/dotfiles</a></p> <p>A comprehensive automation solution for setting up macOS development environments. This dotfiles repository handles everything from Homebrew package installation to SSH/GPG key generation and GitHub integration – all through an interactive bootstrap script.</p> <hr> <h2 id="the-problem">The Problem</h2> <p>Every DevOps engineer knows the pain:</p> <ul> <li>New laptop arrives – 4-8 hours of manual setup</li> <li>Switching between personal/work machines – different configs everywhere</li> <li>Team onboarding – &ldquo;just install these 50 things&hellip;&rdquo;</li> <li>Disaster recovery – scrambling to remember every tool and setting</li> </ul> <p>Traditional approaches fall short:</p><h1 id="automated-macos-setup-with-dotfiles">Automated macOS Setup with Dotfiles</h1> <p><strong>Repository:</strong> <a href="https://github.com/danylomikula/dotfiles" >github.com/danylomikula/dotfiles</a></p> <p>A comprehensive automation solution for setting up macOS development environments. This dotfiles repository handles everything from Homebrew package installation to SSH/GPG key generation and GitHub integration – all through an interactive bootstrap script.</p> <hr> <h2 id="the-problem">The Problem</h2> <p>Every DevOps engineer knows the pain:</p> <ul> <li>New laptop arrives – 4-8 hours of manual setup</li> <li>Switching between personal/work machines – different configs everywhere</li> <li>Team onboarding – &ldquo;just install these 50 things&hellip;&rdquo;</li> <li>Disaster recovery – scrambling to remember every tool and setting</li> </ul> <p>Traditional approaches fall short:</p> <ul> <li><strong>Manual installation</strong>: Error-prone, inconsistent, undocumented</li> <li><strong>Basic dotfiles</strong>: Only manage config files, not installation</li> <li><strong>Homebrew Brewfile</strong>: Doesn&rsquo;t handle SSH/GPG keys or directory structures</li> <li><strong>Ansible playbooks</strong>: Overkill for personal use, slow iteration</li> </ul> <h2 id="the-solution-intelligent-bootstrap-script">The Solution: Intelligent Bootstrap Script</h2> <p>I built a <a href="https://github.com/danylomikula/dotfiles" >comprehensive dotfiles repository</a> that handles everything through a single <code>bootstrap.sh</code> script with interactive prompts using <code>gum</code> for a beautiful TUI experience.</p> <h3 id="what-it-does">What It Does</h3> <p><strong>Core Installation:</strong></p> <ul> <li>Homebrew + analytics disabled</li> <li>Nerd Fonts (Hack, Ubuntu Mono, Fira Code, Courier Prime)</li> <li>Oh-My-Zsh with plugins (autosuggestions, syntax highlighting, you-should-use)</li> <li>Modern CLI tools: <code>eza</code>, <code>zoxide</code>, <code>fzf</code>, <code>starship</code>, <code>zellij</code></li> <li>Python via <code>pyenv</code> with latest version auto-installed</li> </ul> <p><strong>Applications:</strong></p> <ul> <li><strong>Productivity</strong>: Zen, Obsidian, Maccy, BetterDisplay, Grammarly</li> <li><strong>Communication</strong>: Signal, Telegram, Slack, Discord</li> <li><strong>Development</strong>: VSCode, Alacritty, Fork, Lens</li> <li><strong>DevOps/Cloud</strong>: AWS CLI, kubectl, helm, terraform, vault, argocd, ansible</li> <li><strong>Security</strong>: Mullvad VPN, Tailscale, GPG Suite</li> <li><strong>Utilities</strong>: AldDente, Bartender, AppCleaner, Shottr</li> </ul> <p><strong>Git Configuration:</strong></p> <ul> <li>Global <code>.gitconfig</code> with sane defaults</li> <li>Separate directories for personal/work repos with automatic context switching</li> <li><code>includeIf</code> directives for email/name per directory</li> <li>Global <code>.gitignore</code> setup</li> <li>Branch sorting by commit date, auto column UI</li> </ul> <p><strong>SSH Key Generation:</strong></p> <ul> <li>Ed25519 keys with modern crypto</li> <li>Automatic GitHub CLI integration</li> <li>Adds key to GitHub via API</li> <li>Tests SSH connection to GitHub</li> </ul> <p><strong>GPG Key Generation:</strong></p> <ul> <li>Ed25519 + Curve25519 keys for signing/encryption</li> <li>Configures <code>pinentry-mac</code> for macOS Keychain integration</li> <li>Automatic GitHub integration via API</li> <li>Sets global signing key in Git</li> </ul> <p><strong>Dotfiles Management:</strong></p> <ul> <li>GNU Stow for symlink management</li> <li>Configs for: zsh, starship, alacritty, zellij, k9s, docker, git, gh</li> <li>Alacritty themes auto-cloned (200+ colorschemes)</li> </ul> <p><strong>AI Agents Configuration:</strong></p> <ul> <li>Configures <a href="https://github.com/danylomikula/codex-cli" >Codex</a> and <a href="https://claude.ai/" >Claude</a> for development workflow</li> <li>Installs Context7 MCP server for automatic library documentation</li> <li>Sets up global Copilot instructions at <code>~/.config/Code/User/prompts/context7.instructions.md</code></li> <li>Enables AI agents to automatically fetch library docs during code generation</li> <li>Configured via standalone <code>configure-ai-agents.sh</code> script</li> </ul> <hr> <h2 id="architecture">Architecture</h2> <h3 id="directory-structure">Directory Structure</h3> <pre tabindex="0"><code>dotfiles/ ├── bootstrap.sh # Main installation script ├── configure-git.sh # Standalone Git config tool ├── configure-ai-agents.sh # Standalone AI agents setup ├── generate-gpg-key.sh # Standalone GPG key generator ├── generate-ssh-key.sh # Standalone SSH key generator ├── alacritty/ │ └── .config/alacritty/ │ ├── alacritty.toml │ └── themes/ # 200+ themes via git submodule ├── claude/ # Claude Code AI agent config │ └── .claude/ │ └── CLAUDE.md ├── codex/ # Codex AI agent config │ └── .codex/ │ ├── AGENTS.md │ └── config.toml ├── docker/.docker/ │ └── config.json ├── git/ │ ├── .gitconfig │ └── .gitignore_global ├── github-cli/.config/gh/ ├── k9s/.config/k9s/ ├── starship/.config/ │ └── starship.toml ├── zellij/.config/zellij/ │ └── config.kdl └── zshrc/ └── .zshrc </code></pre><h3 id="key-design-decisions">Key Design Decisions</h3> <p><strong>1. Interactive Prompts with Gum</strong></p> <p>Instead of environment variables or config files, I use <a href="https://github.com/charmbracelet/gum" >charmbracelet/gum</a> for beautiful TUI prompts:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">gum style --foreground <span class="s2">&#34;#00FF00&#34;</span> --bold <span class="s2">&#34;Do you want to generate a GPG key?&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">CHOICE</span><span class="o">=</span><span class="k">$(</span>gum choose <span class="s2">&#34;Yes&#34;</span> <span class="s2">&#34;No&#34;</span><span class="k">)</span> </span></span></code></pre></div><p>This makes the script:</p> <ul> <li>Self-documenting (you see what&rsquo;s being configured)</li> <li>Flexible (skip sections you don&rsquo;t need)</li> <li>Beginner-friendly (no prior knowledge required)</li> </ul> <p><strong>2. Conditional Directory Creation</strong></p> <p>The script offers to create separate Git directories:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">~/git/ </span></span><span class="line"><span class="cl">├── personal/ <span class="c1"># Personal projects with personal email</span> </span></span><span class="line"><span class="cl">└── work/ <span class="c1"># Work projects with work email</span> </span></span></code></pre></div><p>Git automatically switches context using <code>includeIf</code>:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-ini" data-lang="ini"><span class="line"><span class="cl"><span class="k">[includeIf &#34;gitdir:~/git/personal/**&#34;]</span> </span></span><span class="line"><span class="cl"> <span class="na">path</span> <span class="o">=</span> <span class="s">~/git/personal/.gitconfig</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">[includeIf &#34;gitdir:~/git/work/**&#34;]</span> </span></span><span class="line"><span class="cl"> <span class="na">path</span> <span class="o">=</span> <span class="s">~/git/work/.gitconfig</span> </span></span></code></pre></div><p><strong>3. Modern Crypto Defaults</strong></p> <ul> <li><strong>SSH</strong>: Ed25519 (fast, secure, small keys)</li> <li><strong>GPG</strong>: Ed25519 for signing + Curve25519 for encryption</li> <li>No RSA 2048/4096 bloat</li> </ul> <p><strong>4. GitHub API Integration</strong></p> <p>Keys aren&rsquo;t just generated–they&rsquo;re automatically added to GitHub:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># SSH key</span> </span></span><span class="line"><span class="cl">gh ssh-key add <span class="s2">&#34;</span><span class="nv">$SSH_KEY_PATH</span><span class="s2">.pub&#34;</span> --title <span class="s2">&#34;</span><span class="k">$(</span>hostname<span class="k">)</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># GPG key </span> </span></span><span class="line"><span class="cl">gh gpg-key add &lt;<span class="o">(</span>gpg --armor --export <span class="s2">&#34;</span><span class="nv">$KEY_ID</span><span class="s2">&#34;</span><span class="o">)</span> </span></span></code></pre></div><p><strong>5. Stow for Symlink Management</strong></p> <p>GNU Stow creates symlinks from <code>dotfiles/</code> to <code>$HOME</code>:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">stow zshrc starship alacritty zellij k9s docker git github-cli </span></span></code></pre></div><p>This keeps your actual configs in Git while making them available system-wide.</p> <p><strong>6. AI Agents with Context7 MCP</strong></p> <p>The <code>configure-ai-agents.sh</code> script sets up AI development assistants:</p> <ul> <li><strong>Codex CLI</strong>: Command-line AI agent for shell tasks</li> <li><strong>Claude Integration</strong>: Configured for VS Code with Copilot</li> <li><strong>Context7 MCP Server</strong>: Provides automatic library documentation via Model Context Protocol</li> <li><strong>Global Instructions</strong>: Creates <code>~/.config/Code/User/prompts/context7.instructions.md</code> with rule to always use Context7 for docs</li> </ul> <p>This enables AI agents to automatically fetch up-to-date documentation when generating code, reducing hallucinations and improving accuracy.</p> <h2 id="usage">Usage</h2> <h3 id="quick-start-full-bootstrap">Quick Start (Full Bootstrap)</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">git clone https://github.com/danylomikula/dotfiles.git ~/dotfiles </span></span><span class="line"><span class="cl"><span class="nb">cd</span> ~/dotfiles </span></span><span class="line"><span class="cl">chmod +x bootstrap.sh </span></span><span class="line"><span class="cl">./bootstrap.sh </span></span></code></pre></div><p>The script will:</p> <ol> <li>Install Homebrew and packages (5-10 min)</li> <li>Configure Oh-My-Zsh and plugins</li> <li>Sync dotfiles via Stow</li> <li>Prompt for Git configuration (optional)</li> <li>Offer to generate SSH key (optional)</li> <li>Offer to generate GPG key (optional)</li> <li>Offer to configure AI agents (optional)</li> </ol> <h3 id="standalone-scripts">Standalone Scripts</h3> <p>Each script can run independently:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Just configure Git</span> </span></span><span class="line"><span class="cl">./configure-git.sh </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Just generate SSH key</span> </span></span><span class="line"><span class="cl">./generate-ssh-key.sh </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Just generate GPG key </span> </span></span><span class="line"><span class="cl">./generate-gpg-key.sh </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Just configure AI agents</span> </span></span><span class="line"><span class="cl">./configure-ai-agents.sh </span></span></code></pre></div><h3 id="customization">Customization</h3> <p><strong>Add/Remove Packages:</strong></p> <p>Edit the <code>brew install</code> lines in <code>bootstrap.sh</code>:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Add your tools here</span> </span></span><span class="line"><span class="cl">brew install --cask your-app-here </span></span></code></pre></div><p><strong>Add New Dotfiles:</strong></p> <ol> <li>Create directory: <code>mkdir -p newtool/.config/newtool</code></li> <li>Add config: <code>newtool/.config/newtool/config.yaml</code></li> <li>Stow it: <code>stow newtool</code></li> </ol> <p><strong>Change Alacritty Theme:</strong></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-toml" data-lang="toml"><span class="line"><span class="cl"><span class="c"># ~/.config/alacritty/alacritty.toml</span> </span></span><span class="line"><span class="cl"><span class="p">[</span><span class="nx">general</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="nx">import</span> <span class="p">=</span> <span class="p">[</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;~/.config/alacritty/themes/themes/tokyo-night.toml&#34;</span> </span></span><span class="line"><span class="cl"><span class="p">]</span> </span></span></code></pre></div><p><strong>Customize AI Agents:</strong></p> <p>Edit <code>~/.config/Code/User/prompts/context7.instructions.md</code>:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nn">---</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">applyTo</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;**&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Global-Context7-Rule&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nn">---</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="l">Always use context7 when I need code generation, setup steps, or library docs.</span><span class="w"> </span></span></span></code></pre></div><p>You can add more rules or change the <code>applyTo</code> pattern to scope instructions to specific file types.</p> <h2 id="real-world-usage">Real-World Usage</h2> <h3 id="new-machine-setup">New Machine Setup</h3> <p>Time to productive workstation: <strong>~15 minutes</strong> (mostly package downloads)</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># On new Mac</span> </span></span><span class="line"><span class="cl">git clone https://github.com/danylomikula/dotfiles.git ~/dotfiles </span></span><span class="line"><span class="cl"><span class="nb">cd</span> ~/dotfiles </span></span><span class="line"><span class="cl">./bootstrap.sh </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Answer prompts:</span> </span></span><span class="line"><span class="cl"><span class="c1"># - Configure Git? Yes</span> </span></span><span class="line"><span class="cl"><span class="c1"># - Personal dir? ~/git/personal</span> </span></span><span class="line"><span class="cl"><span class="c1"># - Work dir? ~/git/work </span> </span></span><span class="line"><span class="cl"><span class="c1"># - Generate SSH? Yes</span> </span></span><span class="line"><span class="cl"><span class="c1"># - Generate GPG? Yes</span> </span></span><span class="line"><span class="cl"><span class="c1"># - Add to GitHub? Yes</span> </span></span><span class="line"><span class="cl"><span class="c1"># - Configure AI agents? Yes</span> </span></span></code></pre></div><p>Result: Fully configured machine with:</p> <ul> <li>All dev tools installed</li> <li>SSH key in GitHub</li> <li>GPG signing configured</li> <li>Git context switching working</li> <li>Terminal customized</li> <li>AI agents with Context7 MCP ready</li> <li>Ready to <code>git clone</code> and start working</li> </ul> <h3 id="disaster-recovery">Disaster Recovery</h3> <p>Laptop dies or needs rebuild:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># On replacement machine</span> </span></span><span class="line"><span class="cl">git clone https://github.com/danylomikula/dotfiles.git ~/dotfiles </span></span><span class="line"><span class="cl"><span class="nb">cd</span> ~/dotfiles </span></span><span class="line"><span class="cl">./bootstrap.sh </span></span></code></pre></div><p>Back to 100% productivity in under an hour (including restoring data from backups).</p> <hr> <h2 id="technical-deep-dive">Technical Deep Dive</h2> <h3 id="gpg-key-generation-with-batch-mode">GPG Key Generation with Batch Mode</h3> <p>I use GPG&rsquo;s batch mode to avoid interactive prompts:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="nv">GPG_BATCH_FILE</span><span class="o">=</span><span class="k">$(</span>mktemp<span class="k">)</span> </span></span><span class="line"><span class="cl">cat &gt; <span class="s2">&#34;</span><span class="nv">$GPG_BATCH_FILE</span><span class="s2">&#34;</span> <span class="s">&lt;&lt;EOF </span></span></span><span class="line"><span class="cl"><span class="s">%echo Generating a GPG key </span></span></span><span class="line"><span class="cl"><span class="s">Key-Type: eddsa </span></span></span><span class="line"><span class="cl"><span class="s">Key-Curve: ed25519 </span></span></span><span class="line"><span class="cl"><span class="s">Subkey-Type: ecdh </span></span></span><span class="line"><span class="cl"><span class="s">Subkey-Curve: cv25519 </span></span></span><span class="line"><span class="cl"><span class="s">Name-Real: ${GPG_OWNER_NAME} </span></span></span><span class="line"><span class="cl"><span class="s">Name-Email: ${GPG_OWNER_EMAIL} </span></span></span><span class="line"><span class="cl"><span class="s">Expire-Date: 0 </span></span></span><span class="line"><span class="cl"><span class="s">Passphrase: ${GPG_PASSWORD} </span></span></span><span class="line"><span class="cl"><span class="s">%commit </span></span></span><span class="line"><span class="cl"><span class="s">%echo done </span></span></span><span class="line"><span class="cl"><span class="s">EOF</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">gpg --batch --gen-key <span class="s2">&#34;</span><span class="nv">$GPG_BATCH_FILE</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl">rm <span class="s2">&#34;</span><span class="nv">$GPG_BATCH_FILE</span><span class="s2">&#34;</span> </span></span></code></pre></div><p>This creates:</p> <ul> <li><strong>Primary key</strong>: Ed25519 for signing</li> <li><strong>Subkey</strong>: Curve25519 for encryption</li> <li><strong>No expiration</strong>: Suitable for long-term code signing</li> </ul> <h3 id="detecting-new-gpg-key-after-generation">Detecting New GPG Key After Generation</h3> <p>Since we generate the key non-interactively, we need to find the new key ID:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Capture existing keys before generation</span> </span></span><span class="line"><span class="cl"><span class="nv">EXISTING_KEYS</span><span class="o">=</span><span class="k">$(</span>gpg --list-secret-keys --keyid-format<span class="o">=</span>long <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> <span class="p">|</span> awk <span class="s1">&#39;/^sec/ {print $2}&#39;</span> <span class="p">|</span> cut -d<span class="s1">&#39;/&#39;</span> -f2<span class="k">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Generate key...</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Find the new key</span> </span></span><span class="line"><span class="cl"><span class="nv">NEW_KEYS</span><span class="o">=</span><span class="k">$(</span>gpg --list-secret-keys --keyid-format<span class="o">=</span>long <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> <span class="p">|</span> awk <span class="s1">&#39;/^sec/ {print $2}&#39;</span> <span class="p">|</span> cut -d<span class="s1">&#39;/&#39;</span> -f2<span class="k">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">KEY_ID</span><span class="o">=</span><span class="k">$(</span>comm -13 &lt;<span class="o">(</span><span class="nb">echo</span> <span class="s2">&#34;</span><span class="nv">$EXISTING_KEYS</span><span class="s2">&#34;</span> <span class="p">|</span> sort<span class="k">)</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> &lt;<span class="o">(</span><span class="nb">echo</span> <span class="s2">&#34;</span><span class="nv">$NEW_KEYS</span><span class="s2">&#34;</span> <span class="p">|</span> sort<span class="o">)</span> <span class="p">|</span> head -n 1<span class="o">)</span> </span></span></code></pre></div><p>This uses <code>comm</code> to find the set difference–the new key ID.</p> <h3 id="github-cli-integration">GitHub CLI Integration</h3> <p>Adding keys to GitHub via API:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Authenticate (opens browser for OAuth)</span> </span></span><span class="line"><span class="cl">gh auth login </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Add SSH key</span> </span></span><span class="line"><span class="cl">gh ssh-key add <span class="s2">&#34;</span><span class="nv">$HOME</span><span class="s2">/.ssh/id_ed25519.pub&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> --title <span class="s2">&#34;</span><span class="k">$(</span>hostname<span class="k">)</span><span class="s2">&#34;</span> --type authentication </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Test connection</span> </span></span><span class="line"><span class="cl">ssh -T git@github.com </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Add GPG key </span> </span></span><span class="line"><span class="cl">gh gpg-key add &lt;<span class="o">(</span>gpg --armor --export <span class="s2">&#34;</span><span class="nv">$KEY_ID</span><span class="s2">&#34;</span><span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Configure Git to use it</span> </span></span><span class="line"><span class="cl">git config --global user.signingkey <span class="s2">&#34;</span><span class="nv">$KEY_ID</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl">git config --global commit.gpgsign <span class="nb">true</span> </span></span><span class="line"><span class="cl">git config --global tag.gpgSign <span class="nb">true</span> </span></span></code></pre></div><p>No manual copying of keys into GitHub UI!</p> <h3 id="pinentry-configuration-for-macos">Pinentry Configuration for macOS</h3> <p>macOS Keychain integration requires <code>pinentry-mac</code>:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">brew install pinentry-mac </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Configure GPG agent</span> </span></span><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s2">&#34;pinentry-program </span><span class="k">$(</span>which pinentry-mac<span class="k">)</span><span class="s2">&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> &gt;&gt; ~/.gnupg/gpg-agent.conf </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Restart agent</span> </span></span><span class="line"><span class="cl">killall gpg-agent </span></span></code></pre></div><p>Now GPG passphrase prompts use macOS Keychain–enter once, cached securely.</p> <h3 id="ai-agents-configuration-deep-dive">AI Agents Configuration Deep Dive</h3> <p>The <code>configure-ai-agents.sh</code> script sets up CLI and desktop AI coding assistants with Context7 MCP integration.</p> <p><strong>1. Tools Installation:</strong></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">brew install node codex <span class="c1"># Codex CLI</span> </span></span><span class="line"><span class="cl">brew install --cask claude-code <span class="c1"># Claude desktop app</span> </span></span></code></pre></div><p><strong>2. Codex CLI Configuration:</strong></p> <p>Creates <code>~/.codex/AGENTS.md</code> with global instructions:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-markdown" data-lang="markdown"><span class="line"><span class="cl"><span class="gh"># Global instructions </span></span></span><span class="line"><span class="cl"><span class="gh"></span> </span></span><span class="line"><span class="cl"><span class="gu">## context7 instructions </span></span></span><span class="line"><span class="cl"><span class="gu"></span><span class="k">-</span> Always use context7 when I need code generation, setup or configuration </span></span><span class="line"><span class="cl"> steps, or library/API documentation. This means you should automatically </span></span><span class="line"><span class="cl"> use the Context7 MCP tools to resolve library id and get library docs </span></span><span class="line"><span class="cl"> without me having to explicitly ask. </span></span></code></pre></div><p>Creates <code>~/.codex/config.toml</code> with MCP server configuration:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-toml" data-lang="toml"><span class="line"><span class="cl"><span class="nx">model</span> <span class="p">=</span> <span class="s2">&#34;gpt-5.1-codex&#34;</span> </span></span><span class="line"><span class="cl"><span class="nx">model_reasoning_effort</span> <span class="p">=</span> <span class="s2">&#34;high&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="p">[</span><span class="nx">mcp_servers</span><span class="p">.</span><span class="nx">context7</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="nx">command</span> <span class="p">=</span> <span class="s2">&#34;npx&#34;</span> </span></span><span class="line"><span class="cl"><span class="nx">args</span> <span class="p">=</span> <span class="p">[</span><span class="s2">&#34;-y&#34;</span><span class="p">,</span> <span class="s2">&#34;@upstash/context7-mcp&#34;</span><span class="p">]</span> </span></span></code></pre></div><p><strong>3. Claude Desktop Configuration:</strong></p> <p>Creates <code>~/.claude/CLAUDE.md</code> with Context7 usage instructions:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-markdown" data-lang="markdown"><span class="line"><span class="cl"><span class="gh"># Context7 MCP usage </span></span></span><span class="line"><span class="cl"><span class="gh"></span><span class="k">-</span> Always use context7 when I need code generation, setup or configuration </span></span><span class="line"><span class="cl"> steps, or library/API documentation. This means you should automatically </span></span><span class="line"><span class="cl"> use the Context7 MCP tools to resolve library id and get library docs </span></span><span class="line"><span class="cl"> without me having to explicitly ask. </span></span></code></pre></div><p>Enables MCP server for Claude:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">claude mcp add context7 -- npx -y @upstash/context7-mcp </span></span></code></pre></div><p><strong>4. How It Works:</strong></p> <p>Both agents can now automatically fetch library documentation via Context7 MCP:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Codex CLI usage</span> </span></span><span class="line"><span class="cl">$ codex <span class="s2">&#34;Add authentication with Supabase&#34;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>Codex automatically fetches Supabase docs via Context7 MCP<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="s2">&#34;Installing supabase-js and configuring auth...&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Claude Desktop usage</span> </span></span><span class="line"><span class="cl">User: <span class="s2">&#34;Add authentication with Supabase&#34;</span> </span></span><span class="line"><span class="cl">Claude: <span class="o">[</span>fetches Supabase docs via Context7<span class="o">]</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;I&#39;ll help you set up Supabase authentication...&#34;</span> </span></span></code></pre></div><p>This eliminates manual documentation lookups and reduces hallucinations by grounding AI responses in actual library docs.</p> <h2 id="conclusion">Conclusion</h2> <p>This dotfiles setup has saved me countless hours across:</p> <ul> <li>5+ fresh installs on new machines</li> <li>Daily context switching between personal/work</li> <li>Team onboarding</li> </ul> <h2 id="resources">Resources</h2> <ul> <li><a href="https://github.com/danylomikula/dotfiles" >My dotfiles repository</a></li> <li><a href="https://github.com/charmbracelet/gum" >Gum - Glamorous shell scripts</a></li> <li><a href="https://www.gnu.org/software/stow/" >GNU Stow</a></li> <li><a href="https://github.com/context7/mcp" >Context7 MCP Server</a></li> <li><a href="https://modelcontextprotocol.io/" >Model Context Protocol</a></li> <li><a href="https://github.com/alacritty/alacritty-theme" >Alacritty themes</a></li> <li><a href="https://cli.github.com/" >GitHub CLI</a></li> <li><a href="https://ohmyz.sh/" >Oh My Zsh</a></li> </ul> <hr> <p><em>Have questions or improvements? Open an issue or PR on the <a href="https://github.com/danylomikula/dotfiles" >dotfiles repo</a>!</em></p>YubiKey + PGP: Offline Primary, Subkeys, Backups, and Git Signinghttps://mikula.dev/posts/security/yubikey-pgp-guide/Thu, 21 Aug 2025 00:00:00 -0500https://mikula.dev/posts/security/yubikey-pgp-guide/<h2 id="what-well-build">What we&rsquo;ll build</h2> <p>In this guide we&rsquo;ll set up a modern PGP workflow anchored by a YubiKey. We&rsquo;ll generate an offline, certification-only primary key and three subkeys for sign, encrypt, and auth.</p> <p>We&rsquo;ll also create secure backups before moving anything to hardware, set expiration dates on the subkeys, load the subkeys onto our primary YubiKey with touch policies, and then clone those subkeys to a second YubiKey as a spare. Finally, we&rsquo;ll integrate the setup with Git commit signing.</p><h2 id="what-well-build">What we&rsquo;ll build</h2> <p>In this guide we&rsquo;ll set up a modern PGP workflow anchored by a YubiKey. We&rsquo;ll generate an offline, certification-only primary key and three subkeys for sign, encrypt, and auth.</p> <p>We&rsquo;ll also create secure backups before moving anything to hardware, set expiration dates on the subkeys, load the subkeys onto our primary YubiKey with touch policies, and then clone those subkeys to a second YubiKey as a spare. Finally, we&rsquo;ll integrate the setup with Git commit signing.</p> <p>This guide is written for macOS, but the steps translate easily to Linux.</p> <h2 id="prerequisites">Prerequisites</h2> <ul> <li>A <a href="https://www.yubico.com/products/yubikey-5-overview/" >YubiKey</a> with the OpenPGP applet (e.g., YubiKey 5 series).</li> <li>macOS with <a href="https://brew.sh/" >Homebrew</a> installed.</li> <li>Basic terminal familiarity.</li> </ul> <h3 id="install-the-tools-macos">Install the tools (macOS)</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">brew install gnupg ykman pinentry-mac </span></span></code></pre></div><h2 id="basic-gnupg-setup">Basic GnuPG setup</h2> <p>We&rsquo;ll work inside a temporary GnuPG home so we don&rsquo;t touch any existing setup.</p> <h3 id="1-create-a-temporary-gnupghome">1) Create a temporary GNUPGHOME</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">GNUPGHOME</span><span class="o">=</span><span class="s2">&#34;</span><span class="k">$(</span>mktemp -d -t gpg-<span class="k">$(</span>date +%Y.%m.%d<span class="k">))</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl">chmod <span class="m">700</span> <span class="s2">&#34;</span><span class="nv">$GNUPGHOME</span><span class="s2">&#34;</span> </span></span></code></pre></div><h3 id="2-create-gpgconf">2) Create <code>gpg.conf</code></h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">cat &gt; <span class="s2">&#34;</span><span class="nv">$GNUPGHOME</span><span class="s2">/gpg.conf&#34;</span> <span class="s">&lt;&lt;&#39;EOF&#39; </span></span></span><span class="line"><span class="cl"><span class="s"># === Crypto preferences === </span></span></span><span class="line"><span class="cl"><span class="s">personal-cipher-preferences AES256 AES192 AES </span></span></span><span class="line"><span class="cl"><span class="s">personal-digest-preferences SHA512 SHA384 SHA256 </span></span></span><span class="line"><span class="cl"><span class="s">personal-compress-preferences ZLIB BZIP2 ZIP Uncompressed </span></span></span><span class="line"><span class="cl"><span class="s">default-preference-list SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed </span></span></span><span class="line"><span class="cl"><span class="s"> </span></span></span><span class="line"><span class="cl"><span class="s"># === Strong digests &amp; s2k === </span></span></span><span class="line"><span class="cl"><span class="s">cert-digest-algo SHA512 </span></span></span><span class="line"><span class="cl"><span class="s">s2k-digest-algo SHA512 </span></span></span><span class="line"><span class="cl"><span class="s">s2k-cipher-algo AES256 </span></span></span><span class="line"><span class="cl"><span class="s"> </span></span></span><span class="line"><span class="cl"><span class="s"># === Output / UX === </span></span></span><span class="line"><span class="cl"><span class="s">charset utf-8 </span></span></span><span class="line"><span class="cl"><span class="s">no-comments </span></span></span><span class="line"><span class="cl"><span class="s">no-emit-version </span></span></span><span class="line"><span class="cl"><span class="s">no-greeting </span></span></span><span class="line"><span class="cl"><span class="s">keyid-format 0xlong </span></span></span><span class="line"><span class="cl"><span class="s">list-options show-uid-validity </span></span></span><span class="line"><span class="cl"><span class="s">verify-options show-uid-validity </span></span></span><span class="line"><span class="cl"><span class="s">with-fingerprint </span></span></span><span class="line"><span class="cl"><span class="s">use-agent </span></span></span><span class="line"><span class="cl"><span class="s">armor </span></span></span><span class="line"><span class="cl"><span class="s"> </span></span></span><span class="line"><span class="cl"><span class="s"># === Security hardening === </span></span></span><span class="line"><span class="cl"><span class="s">require-cross-certification </span></span></span><span class="line"><span class="cl"><span class="s">require-secmem </span></span></span><span class="line"><span class="cl"><span class="s">no-symkey-cache </span></span></span><span class="line"><span class="cl"><span class="s"> </span></span></span><span class="line"><span class="cl"><span class="s"># === New keys default === </span></span></span><span class="line"><span class="cl"><span class="s">default-new-key-algo ed25519/cert,sign+cv25519/encr+ed25519/auth </span></span></span><span class="line"><span class="cl"><span class="s">EOF</span> </span></span></code></pre></div><h3 id="3-create-gpg-agentconf">3) Create <code>gpg-agent.conf</code></h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">cat &gt; <span class="s2">&#34;</span><span class="nv">$GNUPGHOME</span><span class="s2">/gpg-agent.conf&#34;</span> <span class="s">&lt;&lt;&#39;EOF&#39; </span></span></span><span class="line"><span class="cl"><span class="s"># === Path to pinentry on macOS/Homebrew (Apple Silicon) === </span></span></span><span class="line"><span class="cl"><span class="s">pinentry-program /opt/homebrew/bin/pinentry-mac </span></span></span><span class="line"><span class="cl"><span class="s"> </span></span></span><span class="line"><span class="cl"><span class="s"># === SSH Support === </span></span></span><span class="line"><span class="cl"><span class="s">enable-ssh-support </span></span></span><span class="line"><span class="cl"><span class="s"> </span></span></span><span class="line"><span class="cl"><span class="s"># === Cache TTLs === </span></span></span><span class="line"><span class="cl"><span class="s">default-cache-ttl 86400 </span></span></span><span class="line"><span class="cl"><span class="s">max-cache-ttl 86400 </span></span></span><span class="line"><span class="cl"><span class="s">EOF</span> </span></span></code></pre></div><h3 id="4-reload-agent-to-pick-up-the-config">4) Reload agent to pick up the config:</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">gpgconf --kill gpg-agent </span></span></code></pre></div><h2 id="prepare-the-yubikey">Prepare the YubiKey</h2> <p>If you keep a spare YubiKey, run all steps below on both devices (one at a time).</p> <blockquote> <p><strong>Note:</strong> Insert only one YubiKey at a time to avoid confusion.</p> </blockquote> <h3 id="1-enable-kdf">1) Enable KDF</h3> <p>KDF (Key Derivation Function) makes the YubiKey store a hash of the PIN and derive it locally, rather than accepting the PIN as plain text.</p> <blockquote> <p><strong>Warning:</strong> Older/legacy OpenPGP clients (especially some mobile apps) may not support KDF; those clients will fail PIN checks if KDF is enabled.</p> </blockquote> <p>Order of operations: Enable KDF before changing PINs or moving subkeys to the card, otherwise you may hit:</p> <pre tabindex="0"><code>gpg: error for setup KDF: Conditions of use not satisfied </code></pre><p>Enable KDF:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">gpg --card-edit </span></span><span class="line"><span class="cl">gpg/card&gt; admin </span></span><span class="line"><span class="cl">gpg/card&gt; kdf-setup </span></span><span class="line"><span class="cl"><span class="c1"># pinentry will prompt for the Admin PIN (default is 12345678 on a fresh card)</span> </span></span><span class="line"><span class="cl">gpg/card&gt; quit </span></span></code></pre></div><p>Verify:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">gpg --card-status <span class="p">|</span> grep <span class="s1">&#39;KDF setting&#39;</span> </span></span><span class="line"><span class="cl"><span class="c1"># KDF setting ......: on</span> </span></span></code></pre></div><p>Do this on each YubiKey (primary and spare) before proceeding to change PINs, set touch policies, or move subkeys.</p> <h3 id="2-change-the-default-pins">2) Change the default PINs</h3> <blockquote> <p><strong>Note:</strong> Default User PIN = 123456, default Admin PIN = 12345678</p> </blockquote> <p>Generate random numeric PINs and store these securely:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">ADMIN_PIN</span><span class="o">=</span><span class="k">$(</span><span class="nv">LC_ALL</span><span class="o">=</span>C tr -dc <span class="s1">&#39;0-9&#39;</span> &lt;/dev/urandom <span class="p">|</span> fold -w8 <span class="p">|</span> head -1<span class="k">)</span> </span></span><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">USER_PIN</span><span class="o">=</span><span class="k">$(</span><span class="nv">LC_ALL</span><span class="o">=</span>C tr -dc <span class="s1">&#39;0-9&#39;</span> &lt;/dev/urandom <span class="p">|</span> fold -w6 <span class="p">|</span> head -1<span class="k">)</span> </span></span><span class="line"><span class="cl"><span class="nb">printf</span> <span class="s2">&#34;\nAdmin PIN: %12s\nUser PIN: %12s\n\n&#34;</span> <span class="s2">&#34;</span><span class="nv">$ADMIN_PIN</span><span class="s2">&#34;</span> <span class="s2">&#34;</span><span class="nv">$USER_PIN</span><span class="s2">&#34;</span> </span></span></code></pre></div><p>Change the PINs:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">gpg --card-edit </span></span><span class="line"><span class="cl">gpg/card&gt; admin </span></span><span class="line"><span class="cl">gpg/card&gt; passwd </span></span><span class="line"><span class="cl"><span class="c1"># 1 - Change PIN (default 123456) -&gt; enter $USER_PIN</span> </span></span><span class="line"><span class="cl"><span class="c1"># 3 - Change Admin PIN (default 12345678) -&gt; enter $ADMIN_PIN</span> </span></span><span class="line"><span class="cl"><span class="c1"># Q - quit</span> </span></span><span class="line"><span class="cl">gpg/card&gt; quit </span></span></code></pre></div><h3 id="3-set-touch-policies">3) Set touch policies</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Require touch for every signature</span> </span></span><span class="line"><span class="cl">ykman openpgp keys set-touch sig on </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Cache touch after PIN entry for encryption and auth</span> </span></span><span class="line"><span class="cl">ykman openpgp keys set-touch enc cached </span></span><span class="line"><span class="cl">ykman openpgp keys set-touch aut cached </span></span></code></pre></div><p>Verify:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ykman openpgp info </span></span></code></pre></div><p>Touch policy modes:</p> <ul> <li><code>off</code> — no touch required</li> <li><code>on</code> — touch required for every operation</li> <li><code>fixed</code> — like <code>on</code>, but cannot be changed without resetting the OpenPGP applet</li> <li><code>cached</code> — touch once per PIN session (until PIN cache expires or card is removed)</li> <li><code>cached-fixed</code> — like <code>cached</code>, but cannot be changed without reset</li> </ul> <h3 id="4-set-key-attributes-ed25519--cv25519--ed25519">4) Set key attributes (Ed25519 / cv25519 / Ed25519)</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">gpg --card-edit </span></span><span class="line"><span class="cl">gpg/card&gt; admin </span></span><span class="line"><span class="cl">gpg/card&gt; key-attr </span></span><span class="line"><span class="cl"><span class="c1"># Signature : ECC -&gt; Curve 25519 (Ed25519)</span> </span></span><span class="line"><span class="cl"><span class="c1"># Encryption: ECC -&gt; Curve 25519 (cv25519 / X25519)</span> </span></span><span class="line"><span class="cl"><span class="c1"># Authentication: ECC -&gt; Curve 25519 (Ed25519)</span> </span></span><span class="line"><span class="cl">gpg/card&gt; quit </span></span></code></pre></div><p><img src="https://mikula.dev/images/posts/yubikey-pgp/key-attributes.webp" alt="Setting key attributes to Ed25519/cv25519"></p> <h3 id="5-cardholder-info">5) Cardholder info</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">gpg --card-edit </span></span><span class="line"><span class="cl">gpg/card&gt; admin </span></span><span class="line"><span class="cl">gpg/card&gt; name <span class="c1"># Lastname, Firstname</span> </span></span><span class="line"><span class="cl">gpg/card&gt; lang <span class="c1"># en</span> </span></span><span class="line"><span class="cl">gpg/card&gt; login <span class="c1"># your.email@example.com</span> </span></span><span class="line"><span class="cl">gpg/card&gt; quit </span></span></code></pre></div><p>Check card status:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">gpg --card-status </span></span></code></pre></div><p>When finished, repeat the same steps on your spare (if you have one).</p> <h2 id="generate-the-offline-master-certify-key-ed25519">Generate the offline Master (Certify) key (Ed25519)</h2> <p>The primary (master) key is the Certify key. It&rsquo;s used only to issue subkeys for sign, encrypt, and auth. We keep this key offline at all times and use it only in a dedicated, secure environment to create or revoke subkeys.</p> <blockquote> <p><strong>Important:</strong> Do not set an expiration date on the Certify key.</p> </blockquote> <h3 id="1-generate-a-strong-passphrase-for-the-master-key">1) Generate a strong passphrase for the master key</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">CERTIFY_PASS</span><span class="o">=</span><span class="k">$(</span><span class="nv">LC_ALL</span><span class="o">=</span>C tr -dc <span class="s2">&#34;A-Z2-9&#34;</span> &lt; /dev/urandom <span class="p">|</span> tr -d <span class="s2">&#34;IOUS5&#34;</span> <span class="p">|</span> fold -w <span class="si">${</span><span class="nv">PASS_GROUPSIZE</span><span class="k">:-</span><span class="nv">4</span><span class="si">}</span> <span class="p">|</span> paste -sd <span class="si">${</span><span class="nv">PASS_DELIMITER</span><span class="k">:-</span><span class="p">-</span><span class="si">}</span> - <span class="p">|</span> head -c <span class="si">${</span><span class="nv">PASS_LENGTH</span><span class="k">:-</span><span class="nv">29</span><span class="si">}</span><span class="k">)</span> </span></span><span class="line"><span class="cl"><span class="nb">printf</span> <span class="s2">&#34;\n</span><span class="nv">$CERTIFY_PASS</span><span class="s2">\n\n&#34;</span> </span></span></code></pre></div><blockquote> <p><strong>Note:</strong> We will use it when GnuPG prompts during key creation.</p> </blockquote> <h3 id="2-create-the-certify-only-primary-key">2) Create the Certify-only primary key</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">gpg --expert --full-generate-key </span></span></code></pre></div><p>When prompted:</p> <ol> <li>Key type: choose ECC (set your own capabilities).</li> <li>Capabilities: leave only &ldquo;Certify (C)&rdquo; enabled. Disable Sign/Encrypt/Auth if shown.</li> <li>Curve: choose Curve 25519 (Ed25519).</li> <li>Expiration: choose no expiration (enter <code>0</code>).</li> <li>User ID: enter your real name and email (comment optional).</li> <li>Passphrase: enter the passphrase you generated in step 1.</li> </ol> <p><img src="https://mikula.dev/images/posts/yubikey-pgp/certify-key.webp" alt="Creating Certify-only primary key"></p> <p>After creation, note the key ID:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">KEYID</span><span class="o">=</span><span class="k">$(</span>gpg --list-keys --keyid-format 0xlong --with-colons <span class="p">|</span> awk -F: <span class="s1">&#39;/^pub:/ {print $5; exit}&#39;</span><span class="k">)</span> </span></span><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s2">&#34;Primary KEYID: </span><span class="nv">$KEYID</span><span class="s2">&#34;</span> </span></span></code></pre></div><h3 id="3-verify-the-primary-key-is-certify-only">3) Verify the primary key is Certify-only</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">gpg -K --keyid-format long </span></span></code></pre></div><p>You should see something like:</p> <pre tabindex="0"><code>sec ed25519/XXXXXXXXXX YYYY-MM-DD [C] Key fingerprint = XXXXXXXXXXXXXXXXX uid [ultimate] Your Name &lt;you@example.com&gt; </code></pre><p>Only [C] should appear on the <code>sec</code> line (no <code>[S]</code>, <code>[E]</code>, or <code>[A]</code>).</p> <h2 id="create-subkeys">Create subkeys</h2> <p>We&rsquo;ll add three subkeys to the offline primary key: Sign (Ed25519), Encrypt (cv25519/X25519), and Auth (Ed25519).</p> <p>Open the key editor:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">gpg --expert --edit-key <span class="s2">&#34;</span><span class="nv">$KEYID</span><span class="s2">&#34;</span> </span></span></code></pre></div><h3 id="1-sign-subkey">1) Sign subkey</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">gpg&gt; addkey </span></span><span class="line"><span class="cl"><span class="c1"># Choose: ECC (set your own capabilities) # number may be (11)</span> </span></span><span class="line"><span class="cl"><span class="c1"># Curve: 25519 (Ed25519)</span> </span></span><span class="line"><span class="cl"><span class="c1"># Capabilities: leave ONLY [S] Sign (toggle others off)</span> </span></span><span class="line"><span class="cl"><span class="c1"># Expiration: 5y (or your preference)</span> </span></span></code></pre></div><h3 id="2-encrypt-subkey">2) Encrypt subkey</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">gpg&gt; addkey </span></span><span class="line"><span class="cl"><span class="c1"># Choose: ECC (encrypt only) # number may be (12)</span> </span></span><span class="line"><span class="cl"><span class="c1"># Curve: 25519</span> </span></span><span class="line"><span class="cl"><span class="c1"># Expiration: 5y</span> </span></span></code></pre></div><h3 id="3-auth-subkey">3) Auth subkey</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">gpg&gt; addkey </span></span><span class="line"><span class="cl"><span class="c1"># Choose: ECC (set your own capabilities) # number may be (11)</span> </span></span><span class="line"><span class="cl"><span class="c1"># Capabilities: leave ONLY [A] Authenticate</span> </span></span><span class="line"><span class="cl"><span class="c1"># Curve: 25519</span> </span></span><span class="line"><span class="cl"><span class="c1"># Expiration: 5y</span> </span></span><span class="line"><span class="cl">gpg&gt; save </span></span></code></pre></div><h3 id="4-verify">4) Verify</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">gpg -K --keyid-format long </span></span></code></pre></div><p>You should see your primary key with [C] only, and three <code>ssb</code> lines:</p> <pre tabindex="0"><code>sec ed25519/XXXXXXXXXX YYYY-MM-DD [C] uid Your Name &lt;you@example.com&gt; ssb ed25519/XXXXXXXXXX YYYY-MM-DD [S] [expires: YYYY-MM-DD] ssb cv25519/XXXXXXXXXX YYYY-MM-DD [E] [expires: YYYY-MM-DD] ssb ed25519/XXXXXXXXXX YYYY-MM-DD [A] [expires: YYYY-MM-DD] </code></pre><h2 id="export-backups-master-subkeys-public">Export backups (master, subkeys, public)</h2> <blockquote> <p><strong>Critical:</strong> Do this before moving any keys to the YubiKey.</p> </blockquote> <h3 id="1-create-a-private-backups-folder">1) Create a private backups folder:</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">mkdir -p gnupg-backups </span></span><span class="line"><span class="cl">chmod <span class="m">700</span> gnupg-backups </span></span></code></pre></div><h3 id="2-export-the-keys">2) Export the keys:</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Master (primary + subkeys): full secret material</span> </span></span><span class="line"><span class="cl">gpg --output <span class="s2">&#34;gnupg-backups/</span><span class="si">${</span><span class="nv">KEYID</span><span class="si">}</span><span class="s2">-certify-</span><span class="k">$(</span>date +%F<span class="k">)</span><span class="s2">.key&#34;</span> --armor --export-secret-keys <span class="s2">&#34;</span><span class="si">${</span><span class="nv">KEYID</span><span class="si">}</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Secret subkeys only (no primary secret) — use for loading to YubiKey / cloning to spare</span> </span></span><span class="line"><span class="cl">gpg --output <span class="s2">&#34;gnupg-backups/</span><span class="si">${</span><span class="nv">KEYID</span><span class="si">}</span><span class="s2">-subkeys-</span><span class="k">$(</span>date +%F<span class="k">)</span><span class="s2">.key&#34;</span> --armor --export-secret-subkeys <span class="s2">&#34;</span><span class="si">${</span><span class="nv">KEYID</span><span class="si">}</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Public key (safe to share)</span> </span></span><span class="line"><span class="cl">gpg --output <span class="s2">&#34;gnupg-backups/</span><span class="si">${</span><span class="nv">KEYID</span><span class="si">}</span><span class="s2">-public-</span><span class="k">$(</span>date +%F<span class="k">)</span><span class="s2">.asc&#34;</span> --armor --export <span class="s2">&#34;</span><span class="si">${</span><span class="nv">KEYID</span><span class="si">}</span><span class="s2">&#34;</span> </span></span></code></pre></div><blockquote> <p><strong>Important:</strong> Store copies in two separate offline locations (e.g., two encrypted USB drives kept in different places).</p> </blockquote> <h3 id="3-optional-encrypt-the-backup-files">3) (Optional) Encrypt the backup files</h3> <p>Symmetric (passphrase-based):</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Encrypt each file with AES256; you&#39;ll be prompted for a passphrase</span> </span></span><span class="line"><span class="cl"><span class="k">for</span> f in gnupg-backups/<span class="si">${</span><span class="nv">KEYID</span><span class="si">}</span>-<span class="o">{</span>certify,subkeys<span class="o">}</span>-*.key gnupg-backups/<span class="si">${</span><span class="nv">KEYID</span><span class="si">}</span>-public-*.asc<span class="p">;</span> <span class="k">do</span> </span></span><span class="line"><span class="cl"> gpg --symmetric --cipher-algo AES256 <span class="s2">&#34;</span><span class="nv">$f</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"><span class="k">done</span> </span></span></code></pre></div><h4 id="optional-quick-integrity-check-of-the-backups">(Optional) Quick integrity check of the backups</h4> <p>Spin up a throwaway keyring, import, and list:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="nv">TMPVERIFY</span><span class="o">=</span><span class="s2">&#34;</span><span class="k">$(</span>mktemp -d -t gpg-verify-XXXX<span class="k">)</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl">chmod <span class="m">700</span> <span class="s2">&#34;</span><span class="nv">$TMPVERIFY</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">GNUPGHOME</span><span class="o">=</span><span class="s2">&#34;</span><span class="nv">$TMPVERIFY</span><span class="s2">&#34;</span> gpg --import gnupg-backups/<span class="si">${</span><span class="nv">KEYID</span><span class="si">}</span>-public-*.asc </span></span><span class="line"><span class="cl"><span class="nv">GNUPGHOME</span><span class="o">=</span><span class="s2">&#34;</span><span class="nv">$TMPVERIFY</span><span class="s2">&#34;</span> gpg --import gnupg-backups/<span class="si">${</span><span class="nv">KEYID</span><span class="si">}</span>-subkeys-*.key </span></span><span class="line"><span class="cl"><span class="nv">GNUPGHOME</span><span class="o">=</span><span class="s2">&#34;</span><span class="nv">$TMPVERIFY</span><span class="s2">&#34;</span> gpg --list-secret-keys --keyid-format 0xlong </span></span></code></pre></div><p>You should see <code>sec#</code> (stub for the primary) and <code>ssb</code> lines for subkeys after the subkeys import.</p> <h3 id="4-clean-up-the-temporary-directory">4) Clean up the temporary directory</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">rm -rf <span class="s2">&#34;</span><span class="nv">$TMPVERIFY</span><span class="s2">&#34;</span> </span></span></code></pre></div><h2 id="transfer-subkeys-to-the-yubikey">Transfer subkeys to the YubiKey</h2> <blockquote> <p><strong>Important:</strong> Moving subkeys to a YubiKey turns their on-disk copies into stubs (<code>ssb#</code> → <code>ssb&gt;</code>), so they can&rsquo;t be moved again unless we re-import the secret-subkeys backup. Make sure backups are done.</p> </blockquote> <p>We&rsquo;ll need the Certify key passphrase (for decrypting the secret material) and the YubiKey Admin PIN (to write keys to the card).</p> <blockquote> <p><strong>Note:</strong> Keep only one YubiKey inserted at a time.</p> </blockquote> <h3 id="1-load-the-subkeys-onto-the-primary-yubikey">1) Load the subkeys onto the primary YubiKey</h3> <p>Insert the primary YubiKey, then:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">gpg --status-fd<span class="o">=</span><span class="m">2</span> --command-fd<span class="o">=</span><span class="m">0</span> --expert --edit-key <span class="s2">&#34;</span><span class="nv">$KEYID</span><span class="s2">&#34;</span> <span class="s">&lt;&lt;&#39;EOF&#39; </span></span></span><span class="line"><span class="cl"><span class="s">key 1 </span></span></span><span class="line"><span class="cl"><span class="s">keytocard </span></span></span><span class="line"><span class="cl"><span class="s">1 </span></span></span><span class="line"><span class="cl"><span class="s">save </span></span></span><span class="line"><span class="cl"><span class="s">EOF</span> </span></span></code></pre></div><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">gpg --status-fd<span class="o">=</span><span class="m">2</span> --command-fd<span class="o">=</span><span class="m">0</span> --expert --edit-key <span class="s2">&#34;</span><span class="nv">$KEYID</span><span class="s2">&#34;</span> <span class="s">&lt;&lt;&#39;EOF&#39; </span></span></span><span class="line"><span class="cl"><span class="s">key 2 </span></span></span><span class="line"><span class="cl"><span class="s">keytocard </span></span></span><span class="line"><span class="cl"><span class="s">2 </span></span></span><span class="line"><span class="cl"><span class="s">save </span></span></span><span class="line"><span class="cl"><span class="s">EOF</span> </span></span></code></pre></div><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">gpg --status-fd<span class="o">=</span><span class="m">2</span> --command-fd<span class="o">=</span><span class="m">0</span> --expert --edit-key <span class="s2">&#34;</span><span class="nv">$KEYID</span><span class="s2">&#34;</span> <span class="s">&lt;&lt;&#39;EOF&#39; </span></span></span><span class="line"><span class="cl"><span class="s">key 3 </span></span></span><span class="line"><span class="cl"><span class="s">keytocard </span></span></span><span class="line"><span class="cl"><span class="s">3 </span></span></span><span class="line"><span class="cl"><span class="s">save </span></span></span><span class="line"><span class="cl"><span class="s">EOF</span> </span></span></code></pre></div><p>During these steps GnuPG will prompt for:</p> <ul> <li>your master (Certify) passphrase (to unlock the secret subkeys on disk), and</li> <li>the YubiKey Admin PIN (to write into the OpenPGP applet).</li> </ul> <h3 id="2-verify-subkeys-are-on-the-yubikey">2) Verify subkeys are on the YubiKey</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">gpg -K --keyid-format long </span></span></code></pre></div><p>Each subkey should display as <code>ssb&gt;</code> (stored on smartcard), for example:</p> <pre tabindex="0"><code>sec ed25519 YYYY-MM-DD [C] uid Your Name &lt;you@example.com&gt; ssb&gt; ed25519 YYYY-MM-DD [S] [expires: …] ssb&gt; cv25519 YYYY-MM-DD [E] [expires: …] ssb&gt; ed25519 YYYY-MM-DD [A] [expires: …] </code></pre><p>Additionally:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">gpg --card-status </span></span></code></pre></div><p>Should list the Signature/Encryption/Authentication slots and the touch policies you set earlier.</p> <h3 id="3-if-you-have-a-spare-re-import-and-load-to-the-second-yubikey">3) (If you have a spare) Re-import and load to the second YubiKey</h3> <p>Because moving subkeys to the first YubiKey turned local copies into stubs, we&rsquo;ll clear any existing secret entries and re-import the pre-move secret-subkeys backup.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Ensure you&#39;re in the same GNUPGHOME you used for the guide</span> </span></span><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s2">&#34;</span><span class="nv">$GNUPGHOME</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Remove current secret entries (drops stubs)</span> </span></span><span class="line"><span class="cl">gpg --delete-secret-keys <span class="s2">&#34;</span><span class="nv">$KEYID</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Re-import secret subkeys</span> </span></span><span class="line"><span class="cl">gpg --import gnupg-backups/<span class="si">${</span><span class="nv">KEYID</span><span class="si">}</span>-subkeys-*.key </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Sanity check — these must be plain `ssb` (not `ssb#` or `ssb&gt;`)</span> </span></span><span class="line"><span class="cl">gpg -K --keyid-format long </span></span></code></pre></div><p>Insert the spare YubiKey (only this one inserted), then run the same transfer flow:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">gpg --status-fd<span class="o">=</span><span class="m">2</span> --command-fd<span class="o">=</span><span class="m">0</span> --expert --edit-key <span class="s2">&#34;</span><span class="nv">$KEYID</span><span class="s2">&#34;</span> <span class="s">&lt;&lt;&#39;EOF&#39; </span></span></span><span class="line"><span class="cl"><span class="s">key 1 </span></span></span><span class="line"><span class="cl"><span class="s">keytocard </span></span></span><span class="line"><span class="cl"><span class="s">1 </span></span></span><span class="line"><span class="cl"><span class="s">save </span></span></span><span class="line"><span class="cl"><span class="s">EOF</span> </span></span></code></pre></div><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">gpg --status-fd<span class="o">=</span><span class="m">2</span> --command-fd<span class="o">=</span><span class="m">0</span> --expert --edit-key <span class="s2">&#34;</span><span class="nv">$KEYID</span><span class="s2">&#34;</span> <span class="s">&lt;&lt;&#39;EOF&#39; </span></span></span><span class="line"><span class="cl"><span class="s">key 2 </span></span></span><span class="line"><span class="cl"><span class="s">keytocard </span></span></span><span class="line"><span class="cl"><span class="s">2 </span></span></span><span class="line"><span class="cl"><span class="s">save </span></span></span><span class="line"><span class="cl"><span class="s">EOF</span> </span></span></code></pre></div><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">gpg --status-fd<span class="o">=</span><span class="m">2</span> --command-fd<span class="o">=</span><span class="m">0</span> --expert --edit-key <span class="s2">&#34;</span><span class="nv">$KEYID</span><span class="s2">&#34;</span> <span class="s">&lt;&lt;&#39;EOF&#39; </span></span></span><span class="line"><span class="cl"><span class="s">key 3 </span></span></span><span class="line"><span class="cl"><span class="s">keytocard </span></span></span><span class="line"><span class="cl"><span class="s">3 </span></span></span><span class="line"><span class="cl"><span class="s">save </span></span></span><span class="line"><span class="cl"><span class="s">EOF</span> </span></span></code></pre></div><blockquote> <p><strong>Note:</strong> Pinentry will prompt for your master (Certify) passphrase and the Admin PIN.</p> </blockquote> <h3 id="4-verify-1">4) Verify:</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">gpg --card-status </span></span><span class="line"><span class="cl">gpg -K --keyid-format long </span></span></code></pre></div><p>You should see <code>ssb&gt;</code> for all three subkeys again, now on the spare as well.</p> <p>Done! Both YubiKeys now hold the same Sign/Encrypt/Auth subkeys.</p> <h2 id="post-setup">Post-Setup</h2> <h3 id="publish-your-public-key-keysopenpgporg-and-link-it-to-your-yubikey">Publish your public key (keys.openpgp.org) and link it to your YubiKey</h3> <p>Why? Publishing the public key makes it easy for others (and for your future machines) to discover it.</p> <h4 id="upload">Upload</h4> <ol> <li>Go to <a href="https://keys.openpgp.org/" >keys.openpgp.org</a> → Upload Key.</li> <li>Export and upload your public key:</li> </ol> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">gpg --armor --export <span class="s2">&#34;</span><span class="nv">$KEYID</span><span class="s2">&#34;</span> &gt; pubkey-<span class="nv">$KEYID</span>.asc </span></span></code></pre></div><ol start="3"> <li>Click Send verification email.</li> <li>Check the inbox for the email on your key and click the verification link.</li> </ol> <h4 id="put-the-public-key-url-on-your-yubikey">Put the public key URL on your YubiKey</h4> <p>We&rsquo;ll store a permalink to your key on the card so any machine can fetch it with one command.</p> <p><strong>1) Get your full fingerprint and build the permalink:</strong></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="nv">FPR</span><span class="o">=</span><span class="k">$(</span>gpg --with-colons --fingerprint <span class="s2">&#34;</span><span class="nv">$KEYID</span><span class="s2">&#34;</span> <span class="p">|</span> awk -F: <span class="s1">&#39;/^fpr:/ {print $10; exit}&#39;</span><span class="k">)</span> </span></span><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s2">&#34;Fingerprint: </span><span class="nv">$FPR</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s2">&#34;Permalink : https://keys.openpgp.org/vks/v1/by-fingerprint/</span><span class="nv">$FPR</span><span class="s2">&#34;</span> </span></span></code></pre></div><p><strong>2) Write the URL into the card:</strong></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">gpg --card-edit </span></span><span class="line"><span class="cl">gpg/card&gt; admin </span></span><span class="line"><span class="cl">gpg/card&gt; url </span></span><span class="line"><span class="cl">https://keys.openpgp.org/vks/v1/by-fingerprint/<span class="nv">$FPR</span> </span></span><span class="line"><span class="cl">gpg/card&gt; quit </span></span></code></pre></div><blockquote> <p><strong>Note:</strong> Do this for each YubiKey you use (primary and spare).</p> </blockquote> <h4 id="on-a-new-machine-fetch-straight-from-the-card">On a new machine: fetch straight from the card</h4> <p>Insert the YubiKey and run:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">gpg --card-edit </span></span><span class="line"><span class="cl">gpg/card&gt; admin </span></span><span class="line"><span class="cl">gpg/card&gt; fetch </span></span><span class="line"><span class="cl">gpg/card&gt; quit </span></span></code></pre></div><p>This pulls your public key from the URL stored on the card and imports it into the new machine&rsquo;s keyring. You can verify with:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">gpg --card-status </span></span><span class="line"><span class="cl">gpg -K --keyid-format long </span></span></code></pre></div><h3 id="github-sign-commits-with-your-yubikey-subkey">GitHub: sign commits with your YubiKey subkey</h3> <p>We&rsquo;ll upload your public key to GitHub and configure Git to sign with the Sign subkey that lives on your YubiKey.</p> <h4 id="1-get-the-sign-subkeys-long-id-automatically">1) Get the Sign subkey&rsquo;s long ID (automatically)</h4> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Prints the first subkey with [S] capability (long 0x… ID)</span> </span></span><span class="line"><span class="cl"><span class="nv">SUBKEY_SIGN</span><span class="o">=</span><span class="k">$(</span> </span></span><span class="line"><span class="cl"> gpg -K --with-colons --keyid-format 0xlong <span class="s2">&#34;</span><span class="nv">$KEYID</span><span class="s2">&#34;</span> <span class="p">|</span> </span></span><span class="line"><span class="cl"> awk -F: <span class="s1">&#39;/^ssb/ &amp;&amp; $12 ~ /s/ {print $5; exit}&#39;</span> </span></span><span class="line"><span class="cl"><span class="k">)</span> </span></span><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s2">&#34;Signing subkey: </span><span class="nv">$SUBKEY_SIGN</span><span class="s2">&#34;</span> </span></span></code></pre></div><h4 id="2-add-your-public-key-to-github">2) Add your public key to GitHub</h4> <ul> <li>Export your public key and copy it:</li> </ul> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">gpg --armor --export <span class="s2">&#34;</span><span class="nv">$KEYID</span><span class="s2">&#34;</span> <span class="p">|</span> pbcopy <span class="c1"># macOS; use xclip/clipboard on Linux</span> </span></span></code></pre></div><ul> <li><a href="https://github.com/" >GitHub</a> → Settings → SSH and GPG keys → New GPG key → paste → Add GPG key.</li> </ul> <blockquote> <p><strong>Important:</strong> Your commit email must match a verified email on GitHub.</p> </blockquote> <h4 id="3-configure-git-to-use-that-subkey">3) Configure Git to use that subkey</h4> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">git config --global gpg.program gpg </span></span><span class="line"><span class="cl">git config --global gpg.format openpgp </span></span><span class="line"><span class="cl">git config --global user.signingkey <span class="s2">&#34;</span><span class="nv">$SUBKEY_SIGN</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl">git config --global user.email <span class="s2">&#34;yubikey@example.com&#34;</span> <span class="c1"># must be a verified GitHub email</span> </span></span><span class="line"><span class="cl">git config --global commit.gpgsign <span class="nb">true</span> </span></span><span class="line"><span class="cl">git config --global tag.gpgSign <span class="nb">true</span> </span></span></code></pre></div>Expanding the Root Filesystem on Rocky Linux 10https://mikula.dev/posts/infrastructure/homelab/rocky9-root-resize/Fri, 17 Jan 2025 00:00:00 -0500https://mikula.dev/posts/infrastructure/homelab/rocky9-root-resize/<p>A practical guide for expanding the root (<code>/</code>) filesystem on Rocky Linux 10 when you&rsquo;re <strong>not using LVM</strong> and the filesystem is <strong>ext4</strong>. This process uses <code>cfdisk</code> for partition resizing and <code>resize2fs</code> to expand the filesystem.</p> <h2 id="prerequisites">Prerequisites</h2> <ul> <li>Root access to your Rocky Linux 10 system</li> <li>The disk has unallocated space available</li> <li>Filesystem type: ext4 (no LVM)</li> <li>Basic understanding of disk partitioning</li> </ul> <h2 id="step-1-check-current-disk-layout">Step 1: Check Current Disk Layout</h2> <p>First, view your current disk and partition configuration:</p><p>A practical guide for expanding the root (<code>/</code>) filesystem on Rocky Linux 10 when you&rsquo;re <strong>not using LVM</strong> and the filesystem is <strong>ext4</strong>. This process uses <code>cfdisk</code> for partition resizing and <code>resize2fs</code> to expand the filesystem.</p> <h2 id="prerequisites">Prerequisites</h2> <ul> <li>Root access to your Rocky Linux 10 system</li> <li>The disk has unallocated space available</li> <li>Filesystem type: ext4 (no LVM)</li> <li>Basic understanding of disk partitioning</li> </ul> <h2 id="step-1-check-current-disk-layout">Step 1: Check Current Disk Layout</h2> <p>First, view your current disk and partition configuration:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">parted -l </span></span></code></pre></div><p>This will display all disks and their partitions. Note your root partition&rsquo;s current size.</p> <p>You can also use <code>lsblk</code> to see a tree view:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">lsblk </span></span></code></pre></div><h2 id="step-2-resize-the-root-partition">Step 2: Resize the Root Partition</h2> <p>Use <code>cfdisk</code> to resize the partition interactively:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">cfdisk /dev/mmcblk0 </span></span></code></pre></div><p><strong>Note:</strong> Replace <code>/dev/mmcblk0</code> with your actual disk device (e.g., <code>/dev/sda</code>, <code>/dev/nvme0n1</code>).</p> <p>In the <code>cfdisk</code> interface:</p> <ol> <li><strong>Select</strong> the root partition (e.g., <code>mmcblk0p3</code>)</li> <li>Choose the <strong>Resize</strong> option</li> <li>Resize to use <strong>all available free space</strong></li> <li><strong>Write</strong> changes to disk</li> <li><strong>Quit</strong> the program</li> </ol> <blockquote> <p>⚠️ <strong>Important:</strong> No reboot is required at this stage. The kernel will recognize the new partition size.</p> </blockquote> <h2 id="step-3-verify-partition-resize">Step 3: Verify Partition Resize</h2> <p>Confirm that the partition was successfully resized:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">lsblk </span></span></code></pre></div><p>Check that your root partition (e.g., <code>mmcblk0p3</code>) now shows the expanded size.</p> <h2 id="step-4-expand-the-filesystem">Step 4: Expand the Filesystem</h2> <p>Now resize the ext4 filesystem to fill the newly expanded partition:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">resize2fs /dev/mmcblk0p3 </span></span></code></pre></div><p><strong>Note:</strong> Replace <code>/dev/mmcblk0p3</code> with your actual root partition device.</p> <p>You should see output similar to:</p> <pre tabindex="0"><code>resize2fs 1.46.5 (30-Dec-2021) Filesystem at /dev/mmcblk0p3 is mounted on / The filesystem on /dev/mmcblk0p3 is now XXXXXX blocks long. </code></pre><h2 id="step-5-verify-the-result">Step 5: Verify the Result</h2> <p>Finally, verify that the filesystem has been expanded:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">df -h / </span></span></code></pre></div><p>You should now see the full disk space available under <code>/</code>. The <code>Size</code> column should reflect your new partition size.</p> <p>Example output:</p> <pre tabindex="0"><code>Filesystem Size Used Avail Use% Mounted on /dev/mmcblk0p3 57G 12G 43G 22% / </code></pre><h2 id="summary">Summary</h2> <p>You&rsquo;ve successfully expanded your root filesystem on Rocky Linux 10 without LVM! This method works for ext4 filesystems and doesn&rsquo;t require a system reboot. The process involved:</p> <ol> <li>Checking current disk layout</li> <li>Resizing the partition with <code>cfdisk</code></li> <li>Expanding the filesystem with <code>resize2fs</code></li> <li>Verifying the changes</li> </ol>