/var/log/janio

SOPS + age: Declarative, Secure Secrets Management Without GPG Headache

Tue, 26 May 2026 07:00:00 +0000

As I previously discussed in my post on secret management in macOS and Linux, the real challenge of managing keys and tokens isn’t the encryption itself, but reducing accidental leakage without turning the sysadmin’s daily routine into a bureaucratic nightmare. Over the last few years, however, a duo of tools has gained significant traction and completely changed this dynamic: Mozilla SOPS and age. Together, they enable a declarative, GitOps-friendly, and extremely secure approach with virtually zero friction. This post is a detailed look at how these tools work and how to integrate them practically into your daily workflow.

Secret Management on macOS and Linux: a Practical-Theoretical Approach

Sun, 17 May 2026 11:54:00 +0000

At some point in the life of almost every sysadmin, there comes a slightly uncomfortable realization: too many secrets are scattered across the environment.

A password inside a .env file here, a token buried in shell history there, a forgotten webhook inside a docker-compose.yml, an API key hardcoded into a “temporary” script that somehow survived for two years in production. None of those things seem catastrophic individually. The problem is that infrastructure rarely collapses because of one gigantic mistake; most of the time, it collapses under the accumulated weight of dozens of tiny operational shortcuts.

Hugin on steroids: tags, links and editing in one TUI

Sat, 18 Apr 2026 13:13:00 +0000

In the post about Hugin I introduced the tool I use to generate tags and summaries for my Hugo blogs. Two weeks later, in the post about Munin, I showed its sibling: a second program that discovers and inserts internal links between posts using embeddings and an LLM.

Both worked well. Separately, they worked well.

The problem with having two programs

In theory, splitting responsibilities between tools is good practice. In practice, the workflow for processing a new post looked like this: open Hugin, navigate to the post, generate tags, generate summary, close Hugin. Open Munin, wait for the embedding model to load, navigate to the same post, check existing links, generate link suggestions, apply. If you needed to fix a typo in the title that only showed up after reviewing the post in Hugin, close everything and open Pages CMS or vim.

Hugin: tags and summaries for Hugo with AI

Fri, 17 Apr 2026 11:06:00 +0000

Anyone who maintains a static blog with Hugo knows there are two tasks nobody enjoys: classifying posts with tags and writing meta descriptions. These are the things you skip when publishing because the post is already done, the deploy is set up, and choosing between “selfhosted” and “self-hosted” isn’t exactly the best use of your time. The result is predictable: posts without tags, empty descriptions or ones copied from the first paragraph, and a taxonomy that hurts more than it helps.

Cleaning up old Snap revisions to free up space on Ubuntu

Fri, 17 Apr 2026 11:05:00 +0000

If you’ve been using Ubuntu for a while, you’ve probably noticed that the /var/lib/snapd directory grows silently and steadily. The reason isn’t the Snap packages you’ve installed — it’s the old copies the system automatically keeps every time one of those packages is updated. On a system with dozens of snaps, it’s common to find 5, 8, or even more gigabytes occupied by revisions you’ll never use. This issue is especially troublesome on smaller partitions, SSDs with limited space, or VMs with tight disk capacity. The good news is that identifying and removing this excess takes just a few minutes, as long as you know where to look and what not to delete.

Monitoring Files and Folders on Linux with systemd path units (and inotifywait for those without root)

Fri, 17 Apr 2026 11:05:00 +0000

In the previous post, macOS’s launchd watched files and directories with WatchPaths to fire scripts automatically when something changed. The model is reactive — instead of running a backup every hour or a conversion every five minutes, the system watches the path on disk and only runs the job when it detects an actual modification. No polling, no waste, no vulnerability window between the change and the action.

Linux has the same capability, but implemented differently and with more options. systemd offers path units — .path files that monitor filesystem paths and automatically activate an associated service when the condition is met. It is the direct equivalent of launchd’s WatchPaths, with the same declarative philosophy: you describe what to watch in a configuration file, the system handles the rest. For anyone working on servers or desktops with systemd, which at this point means practically every mainstream distribution, path units are the right tool.

Munin: internal links for Hugo with AI

Fri, 17 Apr 2026 10:49:00 +0000

In the post about Hugin I explained how I solved the tag and summary problem on my Hugo blog. But there was another problem, less obvious and more annoying: internal links. Those links that connect one post to another, help readers navigate related content, and that Google loves to see on a well-structured site.

The truth is nobody links anything. You write a post about systemd timers, another about cron, another about launchd — and none of the three mentions the others. They’re content islands that could be connected. The obvious solution is to reread every post, remember which others exist, and manually insert links. With 30 posts, it’s doable. With 400, it’s insane.

From WordPress to Hugo: Theming Is Not What You Think

Sat, 04 Apr 2026 15:20:00 +0000

Anyone who has worked with WordPress long enough develops a strong intuition for what a theme is and what it does. That intuition serves you well within the ecosystem: it guides decisions about file structure, where to put logic, and how to extend functionality. The trouble starts when you move to Hugo and try to apply the same mental model. The vocabulary overlaps — templates, layouts, partials — but what those words mean in practice is radically different.

Automatically deleting emails in Apple Mail with AppleScript + launchd

Mon, 30 Mar 2026 20:24:00 +0000

My inbox is always full of notifications with subjects like [Ticket ID: 12345] Ticket Update. They’re useful for a few hours and then become noise. These aren’t emails that need to be archived, replied to, or revisited, so they just end up taking up mental space.

Deleting them manually is the kind of small task that never becomes a priority, but silently costs you in distraction. So I decided to treat it like any other recurring problem: automate it locally, without relying on external services, no webhooks, and no integrations. The idea is to periodically run a script that moves to the trash any messages whose subject matches a specific pattern and that are older than 48 hours.

Tailscale in the Homelab — Remote Access Without Opening Ports

Sun, 29 Mar 2026 21:58:00 +0000

Anyone who runs a homelab — or even a single Raspberry Pi hosting services — eventually hits the same obstacle: how do you access those devices from outside the local network? The classic answer involves opening ports on the router, setting up port forwarding, dealing with dynamic IPs via DDNS, and hoping no bot discovers that SSH port exposed to the internet. It works, but the attack surface grows with every open port, and the maintenance becomes a silent headache that only shows up when something breaks.

Exposing homelab services to the internet with Cloudflare Tunnel

Fri, 27 Mar 2026 18:24:00 +0000

In the previous post, I showed how SSH-J.com solves a specific problem: accessing a machine behind NAT via SSH, without opening ports on the router and without relying on a public IP. The reverse tunnel works well for interactive sessions and file transfers, and SSH-J.com as a jump host makes everything trivial to configure. For SSH, it remains the simplest solution I know.

But SSH is just one piece of the puzzle. Anyone who maintains a homelab — even if it’s just a mini PC under the desk or a Raspberry Pi in the corner of the room — inevitably ends up running web services: an RSS reader, a monitoring dashboard, a Gitea, a Jellyfin, an Immich. These services listen on local HTTP ports and work perfectly as long as you’re on the same network. The problem appears when you want to access them from outside — from the office, from your phone on the bus, from anywhere that isn’t your local network.

Automatically Converting Images to WEBP and AVIF

Thu, 26 Mar 2026 22:19:00 +0000

The two previous posts built the monitoring infrastructure — WatchPaths on macOS, systemd path units and inotifywait on Linux — and promised the scripts would come later. The trigger is ready: launchd or systemd detects when something changes in a directory and fires a command. What is missing is the command itself.

This post delivers the image conversion script that those triggers will fire. The goal is simple: PNGs and JPGs go into a folder, WEBP or AVIF come out. The originals are deleted or moved, depending on the configuration. The script detects which encoders are available on the machine and picks the best one among those installed, with a fallback chain that ensures it works even when the ideal tool is not present. If no compatible encoder is found, the script tells you what to install and from which package manager.

Monitoring Files and Folders with launchd: WatchPaths in Practice

Thu, 26 Mar 2026 18:56:00 +0000

In the previous post about launchd, scheduling worked by time: StartCalendarInterval defined “every day at 7 AM” and the system took care of the rest, including recovering missed executions when the Mac was asleep. For periodic tasks like sending a daily briefing or running a maintenance script, that model works perfectly — it is the functional equivalent of cron, but integrated into the macOS lifecycle.

But not every automation makes sense tied to a clock. Some tasks only need to happen when something changes. A backup that runs every hour is wasting 23 executions per day if the database was only modified once. An image conversion that runs every 5 minutes has nothing to convert most of the time, and when it finally does, up to 5 minutes have passed since the file appeared. The time-based model works, but it is polling disguised as scheduling — and polling is almost always the least elegant solution to any synchronization problem.

SSH Behind NAT? SSH-J.com Solves It.

Wed, 25 Mar 2026 22:26:00 +0000

You work remotely, have a server at home, a Raspberry Pi running services, or a machine at the office you need to reach every now and then. The scenario is common and the obvious solution is SSH — already installed, secure, and battle-tested for decades. The problem is that between your machine and the rest of the internet sits a router, a NAT, and possibly an ISP that does not give you a fixed public IP or blocks incoming ports. Suddenly, the most reliable protocol in system administration becomes unreachable from outside your local network.

Immich: Your Photos, Your Server, Your Rules

Wed, 25 Mar 2026 07:18:00 +0000

There comes a moment when everyone stops and thinks about where their photos are. It usually happens when Google sends that friendly email letting you know your free storage is full — and that for just a few dollars a month you can keep storing your memories on their servers. It is a gentle nudge toward a monthly subscription that, added up over years, costs more than a multi-terabyte external hard drive. But the monetary price is only the most obvious part of the equation. There is a more subtle cost to leaving all your photos, videos, and personal memories in the hands of a company that profits from data — and it is worth talking about that cost before discussing any tool.

The Dark Side of Free Website: Limits and Alternatives for Hugo + GitHub + Cloudflare Pages + Pages CMS

Tue, 24 Mar 2026 10:45:00 +0000

In a previous post, we put together a complete blog with Hugo, GitHub, Cloudflare Pages, and Pages CMS without spending a cent. The stack works, it is fast, and for most personal blogs it will keep working for a long time without asking anything in return. But “free” does not mean “without limits,” and understanding where the walls are before you hit them is the kind of thing that saves headaches down the road.

Scheduling Tasks on macOS with launchd: No cron, No Workarounds

Mon, 23 Mar 2026 21:29:00 +0000

In the previous post I showed how systemd timers replace cron on Debian and Ubuntu servers with concrete advantages: integrated logging, missed execution recovery, declarative dependencies, and resource control. The logic is compelling and the migration is straightforward — as long as you are on a system running systemd. But if your daily routine includes a Mac, it is a different story.

macOS has its own scheduling system, predating systemd and built on a different philosophy. It is called launchd, it has been around since Mac OS X Tiger in 2005, and it is responsible for practically everything that runs in the background on the system — from internal Apple services to that Spotify updater you never asked to install. Despite being the official and recommended way to schedule tasks on a Mac, launchd lives in a kind of blind spot: people coming from Linux tend to reach for cron out of reflex, and Mac users without a sysadmin background do not even know the option exists.

Systemd Timers: Time to Retire cron

Mon, 23 Mar 2026 06:21:00 +0000

If you have been managing Debian or Ubuntu servers for any length of time, you probably have a comfort relationship with cron. One line in the crontab, five scheduling fields, and the path to a script — done. cron has worked this way since the 1970s, and that simplicity is exactly what kept it relevant for so long.

The problem is that “it works” and “it works well in 2026” are different things. When a job fails silently at three in the morning, when you need to figure out which of twenty crontabs scattered across the system contains that one specific task, or when the server reboots and simply misses the execution that should have happened during downtime — those are the moments when cron shows it was designed for an era with different expectations around observability and resilience.

Comments on static sites with Isso — lightweight, self-hosted, and tracking-free

Sat, 21 Mar 2026 00:00:00 +0000

A static site has no backend. No database, no application server processing requests — and that’s exactly what makes it fast, cheap, and resilient. But that simplicity comes at a cost when you need anything that depends on persistent state, and comments are the most obvious case. In WordPress or Ghost, the commenting system is part of the application. In a site generated by Hugo, Jekyll, or Eleventy, that layer simply doesn’t exist.

Why leave WordPress — and what to build instead with Hugo, Pages CMS, and Cloudflare

Fri, 20 Mar 2026 00:10:00 +0000

Why leave WordPress

The weight of running a dynamic CMS

WordPress is an extraordinary piece of software that powers nearly half the internet. That said, keeping a WordPress installation healthy is a job that never ends. Every visit to your site triggers a chain of events: the server receives the request, PHP wakes up, queries MySQL, assembles the page on the fly, and sends the HTML back to the browser. Multiply that by a hundred simultaneous visitors and you have a server sweating to deliver pages that, on most blogs, are exactly the same for everyone.

Hello, World!

Thu, 19 Mar 2026 01:00:00 +0000

This is the English side of /var/log/janio — a blog about Linux, macOS, self-hosting, homelab, and the small tools that make daily life in the terminal a little better.

Most of the content lives on the Portuguese side for now. Posts will be translated or written directly in English as the blog grows. If you read Portuguese, there’s a lot more waiting for you on the other side of the language switcher.

About

Mon, 01 Jan 0001 00:00:00 +0000

Janio Sarmento — sysadmin, 53, Brazilian working from home for the world. I manage Linux servers, LXC containers, email that doesn’t land in spam, and cats that won’t get off the keyboard.

This blog documents the daily life of someone keeping infrastructure running, including the things that break (and how to fix them).