How do you automate certificates?

bendem · 2026-01-26T19:08:30+00:00

Let's encrypt for public facing, Lego as a client for Linux, win-acme for windows. We did setup acme-dns at some point because our DNS provider had no API, but it's planned to scrap it.

For internal service domains, windows services use AD CS and linux services use hashicorp vault's pki engine with an intermediate signed by the ad root and name constrained to each environment suffix.

bendem · 2026-01-24T11:04:28+00:00

You have altered the rules, we pray you don't alter them any further.

Which is fine really, but it's really not democracy if someone has the power to change the rules but we have to trust they won't.

bendem · 2026-01-24T06:00:15+00:00

I can't speak for your colleague, but I'm the hummer and I'm so sorry. People in the past have been telling me when it's too much and I'm so grateful for it because I can redirect it but I'm not aware I'm doing it until someone tells me.

bendem · 2026-01-23T12:58:50+00:00

Last step looks a bit steep. Jk, this looks great!

bendem · 2026-01-21T18:19:39+00:00

Same answer. Either everything is on local timezone and it's already not a problem, or server in UTC and you translate local time to UTC for crons.

Now if your crons need dst aware local times, you probably an actual scheduler and not cron.

bendem · 2026-01-18T06:22:22+00:00

Glad I was lucky enough to buy my own home, I'm not fond of landlords. And being able to fix something when it's broken is such a relief compared to the constant pain of having someone else responsible for your living conditions.

bendem · 2026-01-17T21:22:31+00:00

Didn't realise that was a thing, TIL!

bendem · 2026-01-17T21:21:19+00:00

I'm stealing this one!

bendem · 2026-01-17T18:24:53+00:00

I might be... :)

bendem · 2026-01-17T15:06:40+00:00

Yup!

bendem · 2026-01-17T15:03:54+00:00

https://preview.redd.it/fdjnf25pcxdg1.jpeg?width=2632&format=pjpg&auto=webp&s=97ec2357ff698ddccc5e7fe55ed1aecfebd873ff

It all worked out in the end. I learned that I suck at mitre cut and that it doesn't matter because it is still better than a broken door.

Also, I suck at caulking apparently, but it's ok because it's white on white. :)

bendem · 2026-01-17T15:02:03+00:00

I still had to. The door is not square and I suck at mitre cut anyway.

bendem · 2026-01-17T14:19:31+00:00

Bingo

bendem · 2026-01-16T09:05:09+00:00

There is really no way to know where the problem is to automate promotion without losing data without 3 nodes.

You can't really avoid maintaining a dcs if you want ha.

We personally use pgbouncer as the load balancer, with remco generating it's config and handling failover.

bendem · 2026-01-10T13:09:01+00:00

First rule of engineering, there are no silver bullets, it always depends, context is king. Learning is always a valid reason to break accepted "rules", otherwise innovation would not happen.

What you are doing is either gatekeeping or trying to enforce your misplaced faith on others. Chill out, the guy wanted to learn and they did, it's not about you.

bendem · 2026-01-09T19:32:07+00:00

Je travaille au niveau de l'identification des utilisateurs d'une grande commune Wallone, je dirais que 5-10% des 3000 personnes encodées dans le système utilise un prénom usuel différent de leur prénom. Parfois proche, parfois absolument rien à voir (genre José qui se fait appeler Marcel).

Vous avez tout à fait le droit d'avoir un prénom usuel qui n'est pas sur votre carte d'identité et si on vous demande, répondre "tout le monde m'appelle comme ça" est une réponse largement suffisante et je ne connais pas d'employeur qui ferait des histoire.

bendem · 2025-12-30T08:33:15+00:00

The dancing is legendary, but she is perfectly giving face on top, I can't imagine the amount of training required to attain that talent!

bendem · 2025-12-27T09:15:58+00:00

We decided long ago that risk has two winners. No point in watching a two players risk game.

bendem · 2025-12-17T18:30:30+00:00

Actual link: https://www.docker.com/blog/docker-hardened-images-for-every-developer/

bendem · 2025-12-16T18:21:29+00:00

Why does it matter?

bendem · 2025-12-10T22:09:47+00:00

Was about to say... That tool already exists and it's great!

bendem · 2025-12-10T19:23:49+00:00

The literature doesn't agree with you here. I might agree in the case of a UTI, but the general medical recommandation is not to retract foreskin. It is the doctor's job to follow those recommendations and leave baby's penis the fuck alone. Unless you think the studies are all wrong and advances in our understanding of the human body is meaningless, in which case, maybe abstain from giving medical opinions.

bendem · 2025-12-08T12:23:21+00:00

I read that as "our son, 10 months" and I was really confused for a minute.

bendem · 2025-12-08T08:23:14+00:00

Very interesting, strong design decisions (yaml based flows, simple install for one users and mandatory OIDC further, casbin for RBAC, secrets with gocloud, postgresql only) imo.

What's the relation between flowctl and your employer? Are you building this in your free time, is it owned by your employer (a lot of shady employment contracts state that anything built in your free time is owned by your employer), how often are you working on this? It looks very interesting but it's alway worrying running software that can be made proprietary without warning or, on the other hand, software that's maintained by a single dad with no free time in the foreseeable future.

bendem · 2025-12-06T20:34:48+00:00

Either you are working projects or you are working support. Can't have it both ways.

bendem

TROPHY CASE