johanneskueber.com

Signed Dependency Updates with Renovate and Gitea

Tue, 26 May 2026 00:00:00 +0000

Keeping dependencies up to date is one of those chores that is easy to neglect and expensive to ignore. Renovate solves it nicely: it scans my repositories, opens pull requests for outdated dependencies, and - if I let it - merges them on its own. On a self-hosted Gitea instance with branch protection, however, there is a catch. If I require signed commits on my protected branches, an unsigned bot commit is simply rejected. So before automating anything, Renovate needs an identity and a signing key, and its commits need to show up as Verified.

Running a rootless NetBird Routing Peer Inside Kubernetes

Mon, 25 May 2026 00:00:00 +0000

This article documents how to run a NetBird client inside a Kubernetes cluster as a routing peer — rootless, with an in-memory state volume, a shell-based readiness probe, and dropped capabilities — so that remote mesh members can reach cluster-internal services over the encrypted overlay, without exposing kernel WireGuard and without making the cluster a peer of every workload.

1. Why a NetBird peer in the cluster

NetBird is a WireGuard-based identity mesh. Each peer holds keys, exchanges them via the management plane, and routes encrypted traffic to other peers. The default deployment runs the client on a host (Linux VM, MacBook, etc.) and uses the host’s kernel WireGuard.

Envoy Gateway Configuration to Reach SSL Labs A+

Thu, 14 May 2026 00:00:00 +0000

This article documents the Envoy Gateway configuration required to achieve an A+ rating on Qualys SSL Labs, with the rationale for each setting.

1. TLS security background

Before any application data flows over https://, the TLS session completes two steps:

Authentication. The server presents an X.509 certificate signed by a trusted Certificate Authority.
Key agreement and encryption. Client and server negotiate a session key via a cipher suite (key exchange, signature, bulk cipher, MAC) and encrypt the channel.

Weaknesses in this chain enable specific attack classes:

Intel iGPU passthrough with Proxmox and Talos

Sat, 11 Oct 2025 21:06:26 +0000

iGPU Passthrough with Proxmox and Talos

To use the GPU of the host system in K8s, it needs to be made aware of its existence. As I use VMs in Proxmox to run my Talos Cluster, there is an additional step to consider: passthrough of the hardware into the VM. The idea is the following:

Disable usage of GPU on the Proxmox Host - done via IOMMU and VFIO
Passthrough of the GPU into a Talos Worker Node - done via hostpci
Activation of GPU drivers in Talos - done via talhelper
GPU management in the cluster - done via Intel GPU Plugin
Usage of GPU in a deployment - by requesting the resource

There are quite some steps and all of them are specific to your environment. Different host system? Different steps. Different Cluster Software? You need to adept. Different GPU? You need other drivers and management. So please look out for the pitfalls and only copy and paste if you run proxmox with talos and have an Intel iGPU.

Use Longhorn with Talos 1.10 and userVolumes

Tue, 17 Jun 2025 07:06:26 +0000

When building a cluster, especially in a homelab, local storage is needed for application data. Especially for databases fast read and write is required. Offloading the workload to a NAS most of the time is slower. The solution I use is to provision on-node storage with Longhorn. Longhorn acts as a CSI and offers on-node storage, replication, backups and more.

As I am currently building a Talos cluster I need to integrate the longhorn CSI into the setup. This is not as straigt forward as with K3s oder K8s, as Talos has tighter security constraints and also needs additional plugins to handle SCSI - the underlying file system protocol used by longhorn. On top I am using Talhelper to allow a GitOps style usage of talosctl. The main advantage is the encryption of secrets used by talos config files with SOPS - something that I already use for Tofu and fluxCD.

Enable hardware acceleration for Jellyfin in Kubernetes - AMD Edition

Mon, 24 Jun 2024 07:06:26 +0000

Jellyfin is an open-source media server software that allows users to manage and stream their personal collection of movies, TV shows, music, and other media files. It is designed as an alternative to proprietary media server solutions like Plex and Emby, offering similar functionality but without any licensing costs or restrictions.

Jellyfin is running in my bare-metal kubernetes cluster. However, running the container without additional configuraion only gives Jellyfin access to the CPU for decoding video streams. If a GPU is available it would be better to use the GPU as it - most of the time - also has hardware acceleration for well-known codecs and in addition it takes some work off the CPU. In my case, the Athlon 3000G has an on-board Vega 3 graphics chip. Now the only thing left to do is to give Jellyfin access to the GPU.

Migrating data between baserow instances

Wed, 19 Jun 2024 07:06:26 +0000

Baserow is an open-source alternative to tools like Airtable and Google Sheets. It allows users to create databases and manage data in a user-friendly, spreadsheet-like interface. With Baserow, you can store, share, and collaborate on data with your team, all while maintaining full control over your data as it’s self-hosted. It offers features like row-level permissions, different field types, views (like table, gallery, kanban), and more. It also provides APIs for developers to build custom apps or integrations.

Running an SPA and an API in the same Docker Container

Wed, 28 Apr 2021 18:12:26 +0000

Hosting a static web page was never a problem. A simple Apache or nginx server and a local directory on the server was always enough. With cloud environment these tools are still available. And it is simple enough to mount a directory into an nginx container. However, you still need to spin up a container just for the purpose of hosting a static page. Using a JAMstack application, you also need an API container to connect to. In order to reduce the number of containers and the overhead, I will show how we can integrate the the server for the static page into our API server. This way, we will have everything included in a single container. This is all achieved by using dockers multi-stage builds.

Selfhosted Continuous Integration - all parts required

Wed, 08 Jan 2020 21:06:26 +0100

As of late I came to wonder how dependent I want to be on cloud-solutions. After some researching I decided I wanted to be independent. This also includes leaving out great open source communities such as Github. There are plenty of great solutions for every aspect of the Software Development Lifecycle - most of them are hosted in the cloud, i.e. the computer of someone else. This is not only a problem once your internet is not working - but it also happens to become a problem when a certain service is shut down. Sometimes without warning. Sometimes forever. So i wondered: could I set up a basic continuous integration environment completely hosted in my environment.

Getting the color palette of an image with Coil in Android

Thu, 12 Dec 2019 23:06:26 +0100

For part of my applications I wanted to load an image into an activity. Based on the images main colors, I wanted to adjust the UI of the activity. Loading of the image is the easy part. This can be done via a number of libraries. At the time of writing, the most prominent libraries are: Picasso and Glide. Lately however, there is a new library which targets Kotlin specifically: Coil (see coil-kt.github.io/coil/).

About

Mon, 01 Jan 0001 00:00:00 +0000

About johanneskueber.com

This homepage is dedicated to my work and pet projects all around IT. In no particular order I try to keep myself entertained with new technologies, programming, automation, (self-)hosting.

Mobile Development
- Android Architecture Components (↗),
  MVVM (↗),
  Dagger 2 (↗) (Hilt (↗)),
  Kotlin (↗),
  GRPC (↗),
  REST (↗)
- AngularJS (↗),
  Angular (↗),
  Vue.js (↗),
  Gridsome (↗),
  Nuxt (↗)
Backend Development
- Golang (↗),
  Kotlin (↗),
  Node.js (↗),
  Java (↗),
  PHP (↗)
Hosting and Toolchains
- K8s (↗),
  K3s (↗),
  K3d (↗),
  Minikube (↗),
  ArgoCD (↗),
  FluxCD (↗),
  GitHub (↗),
  GitHub Actions (↗),
  GHCR (↗),
  Renovate (↗),
  Docker (↗),
  Docker Swarm (↗),
  Drone.io (↗),
  Gitea (↗),
  CI/CD (↗)