<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Linux on /var/log/janio</title><link>https://devops.sarmento.org/en/categories/linux/</link><description>Recent content in Linux on /var/log/janio</description><generator>Hugo</generator><language>en</language><lastBuildDate>Tue, 26 May 2026 07:00:00 +0000</lastBuildDate><atom:link href="https://devops.sarmento.org/en/categories/linux/index.xml" rel="self" type="application/rss+xml"/><item><title>SOPS + age: Declarative, Secure Secrets Management Without GPG Headache</title><link>https://devops.sarmento.org/en/posts/sops-and-age-secrets-management-in-practice/</link><pubDate>Tue, 26 May 2026 07:00:00 +0000</pubDate><guid>https://devops.sarmento.org/en/posts/sops-and-age-secrets-management-in-practice/</guid><description>&lt;p&gt;As I previously discussed in my post on &lt;a href="https://devops.sarmento.org/posts/secret-management-macos-linux/"&gt;secret management in macOS and Linux&lt;/a&gt;, the real challenge of managing keys and tokens isn&amp;rsquo;t the encryption itself, but reducing accidental leakage without turning the sysadmin&amp;rsquo;s daily routine into a bureaucratic nightmare. Over the last few years, however, a duo of tools has gained significant traction and completely changed this dynamic: &lt;strong&gt;Mozilla SOPS&lt;/strong&gt; and &lt;strong&gt;age&lt;/strong&gt;. Together, they enable a declarative, GitOps-friendly, and extremely secure approach with virtually zero friction. 
This post is a detailed look at how these tools work and how to integrate them practically into your daily workflow.&lt;/p&gt;</description></item><item><title>Secret Management on macOS and Linux: a Practical-Theoretical Approach</title><link>https://devops.sarmento.org/en/posts/secret-management-macos-linux/</link><pubDate>Sun, 17 May 2026 11:54:00 +0000</pubDate><guid>https://devops.sarmento.org/en/posts/secret-management-macos-linux/</guid><description>&lt;p&gt;At some point in the life of almost every sysadmin, there comes a slightly uncomfortable realization: too many secrets are scattered across the environment.&lt;/p&gt;
&lt;p&gt;A password inside a &lt;code&gt;.env&lt;/code&gt; file here, a token buried in shell history there, a forgotten webhook inside a &lt;code&gt;docker-compose.yml&lt;/code&gt;, an API key hardcoded into a “temporary” script that somehow survived for two years in production. None of those things seem catastrophic individually. The problem is that infrastructure rarely collapses because of one gigantic mistake; most of the time, it collapses under the accumulated weight of dozens of tiny operational shortcuts.&lt;/p&gt;</description></item><item><title>Cleaning up old Snap revisions to free up space on Ubuntu</title><link>https://devops.sarmento.org/en/posts/cleaning-up-old-snap-revisions-to-free-up-space-on-ubuntu/</link><pubDate>Fri, 17 Apr 2026 11:05:00 +0000</pubDate><guid>https://devops.sarmento.org/en/posts/cleaning-up-old-snap-revisions-to-free-up-space-on-ubuntu/</guid><description>&lt;p&gt;If you&amp;rsquo;ve been using Ubuntu for a while, you&amp;rsquo;ve probably noticed that the &lt;code&gt;/var/lib/snapd&lt;/code&gt; directory grows silently and steadily. The reason isn&amp;rsquo;t the Snap packages you&amp;rsquo;ve installed — it&amp;rsquo;s the old copies the system automatically keeps every time one of those packages is updated. On a system with dozens of snaps, it&amp;rsquo;s common to find 5, 8, or even more gigabytes occupied by revisions you&amp;rsquo;ll never use. This issue is especially troublesome on smaller partitions, SSDs with limited space, or VMs with tight disk capacity. 
The good news is that identifying and removing this excess takes just a few minutes, as long as you know where to look and what not to delete.&lt;/p&gt;</description></item><item><title>Monitoring Files and Folders on Linux with systemd path units (and inotifywait for those without root)</title><link>https://devops.sarmento.org/en/posts/monitoring-files-and-folders-on-linux-with-systemd-path-units-and-inotifywait/</link><pubDate>Fri, 17 Apr 2026 11:05:00 +0000</pubDate><guid>https://devops.sarmento.org/en/posts/monitoring-files-and-folders-on-linux-with-systemd-path-units-and-inotifywait/</guid><description>&lt;p&gt;In the &lt;a href="https://devops.sarmento.org/en/posts/monitoring-files-and-folders-with-launchd-watchpaths-in-practice/"&gt;previous post&lt;/a&gt;, macOS&amp;rsquo;s launchd watched files and directories with &lt;code&gt;WatchPaths&lt;/code&gt; to fire scripts automatically when something changed. The model is reactive — instead of running a backup every hour or a conversion every five minutes, the system watches the path on disk and only runs the job when it detects an actual modification. No polling, no waste, no vulnerability window between the change and the action.&lt;/p&gt;
&lt;p&gt;Linux has the same capability, but implemented differently and with more options. systemd offers path units — &lt;code&gt;.path&lt;/code&gt; files that monitor filesystem paths and automatically activate an associated service when the condition is met. It is the direct equivalent of launchd&amp;rsquo;s &lt;code&gt;WatchPaths&lt;/code&gt;, with the same declarative philosophy: you describe what to watch in a configuration file, the system handles the rest. For anyone working on servers or desktops with systemd, which at this point means practically every mainstream distribution, path units are the right tool.&lt;/p&gt;</description></item><item><title>Exposing homelab services to the internet with Cloudflare Tunnel</title><link>https://devops.sarmento.org/en/posts/exposing-homelab-services-to-the-internet-with-cloudflare-tunnel/</link><pubDate>Fri, 27 Mar 2026 18:24:00 +0000</pubDate><guid>https://devops.sarmento.org/en/posts/exposing-homelab-services-to-the-internet-with-cloudflare-tunnel/</guid><description>&lt;p&gt;In the &lt;a href="https://devops.sarmento.org/en/posts/ssh-behind-nat-ssh-jcom-solves-it/"&gt;previous post&lt;/a&gt;, I showed how SSH-J.com solves a specific problem: accessing a machine behind NAT via SSH, without opening ports on the router and without relying on a public IP. The reverse tunnel works well for interactive sessions and file transfers, and SSH-J.com as a jump host makes everything trivial to configure. For SSH, it remains the simplest solution I know.&lt;/p&gt;
&lt;p&gt;But SSH is just one piece of the puzzle. Anyone who maintains a homelab — even if it&amp;rsquo;s just a mini PC under the desk or a Raspberry Pi in the corner of the room — inevitably ends up running web services: an RSS reader, a monitoring dashboard, a Gitea, a Jellyfin, an &lt;a href="https://devops.sarmento.org/en/posts/immich-your-photos-your-server-your-rules/"&gt;Immich&lt;/a&gt;. These services listen on local HTTP ports and work perfectly as long as you&amp;rsquo;re on the same network. The problem appears when you want to access them from outside — from the office, from your phone on the bus, from anywhere that isn&amp;rsquo;t your local network.&lt;/p&gt;</description></item><item><title>Automatically Converting Images to WEBP and AVIF</title><link>https://devops.sarmento.org/en/posts/automatically-converting-images-to-webp-and-avif/</link><pubDate>Thu, 26 Mar 2026 22:19:00 +0000</pubDate><guid>https://devops.sarmento.org/en/posts/automatically-converting-images-to-webp-and-avif/</guid><description>&lt;p&gt;The two previous posts built the monitoring infrastructure — &lt;a href="https://devops.sarmento.org/en/posts/monitoring-files-and-folders-with-launchd-watchpaths-in-practice/"&gt;&lt;code&gt;WatchPaths&lt;/code&gt; on macOS&lt;/a&gt;, &lt;a href="https://devops.sarmento.org/en/posts/monitoring-files-and-folders-on-linux-with-systemd-path-units-and-inotifywait/"&gt;systemd path units and &lt;code&gt;inotifywait&lt;/code&gt; on Linux&lt;/a&gt; — and promised the scripts would come later. The trigger is ready: launchd or systemd detects when something changes in a directory and fires a command. What is missing is the command itself.&lt;/p&gt;
&lt;p&gt;This post delivers the image conversion script that those triggers will fire. The goal is simple: PNGs and JPGs go into a folder, WEBP or AVIF come out. The originals are deleted or moved, depending on the configuration. The script detects which encoders are available on the machine and picks the best one among those installed, with a fallback chain that ensures it works even when the ideal tool is not present. If no compatible encoder is found, the script tells you what to install and from which package manager.&lt;/p&gt;</description></item><item><title>SSH Behind NAT? SSH-J.com Solves It.</title><link>https://devops.sarmento.org/en/posts/ssh-behind-nat-ssh-jcom-solves-it/</link><pubDate>Wed, 25 Mar 2026 22:26:00 +0000</pubDate><guid>https://devops.sarmento.org/en/posts/ssh-behind-nat-ssh-jcom-solves-it/</guid><description>&lt;p&gt;You work remotely, have a server at home, a Raspberry Pi running services, or a machine at the office you need to reach every now and then. The scenario is common and the obvious solution is SSH — already installed, secure, and battle-tested for decades. The problem is that between your machine and the rest of the internet sits a router, a NAT, and possibly an ISP that does not give you a fixed public IP or blocks incoming ports. Suddenly, the most reliable protocol in system administration becomes unreachable from outside your local network.&lt;/p&gt;</description></item><item><title>Systemd Timers: Time to Retire cron</title><link>https://devops.sarmento.org/en/posts/systemd-timers-time-to-retire-cron/</link><pubDate>Mon, 23 Mar 2026 06:21:00 +0000</pubDate><guid>https://devops.sarmento.org/en/posts/systemd-timers-time-to-retire-cron/</guid><description>&lt;p&gt;If you have been managing Debian or Ubuntu servers for any length of time, you probably have a comfortable relationship with cron. One line in the crontab, five scheduling fields, and the path to a script — done. 
cron has worked this way since the 1970s, and that simplicity is exactly what kept it relevant for so long.&lt;/p&gt;
&lt;p&gt;The problem is that &amp;ldquo;it works&amp;rdquo; and &amp;ldquo;it works well in 2026&amp;rdquo; are different things. When a job fails silently at three in the morning, when you need to figure out which of twenty crontabs scattered across the system contains that one specific task, or when the server reboots and simply misses the execution that should have happened during downtime — those are the moments when cron shows it was designed for an era with different expectations around observability and resilience.&lt;/p&gt;</description></item></channel></rss>