/blog/Recent content in Blog on Yet Another SysAdmin WebsiteHugo -- gohugo.ioen-us2026-05-29/blog/2026/05/29/installing-freebsd-15-on-any-vps/2026-05-29/blog/2026/05/29/installing-freebsd-15-on-any-vps/<h2 id="introduction">Introduction</h2> <p>Not many Virtual Private Server (VPS) providers consider FreeBSD a first-class citizen, and few encourage you to encrypt your hard drive from inside the VPS.</p> <p>Though encrypting a VPS hard drive does not protect against everything and requires one to access the web KVM of the provider to type in a password on each reboot, I still find it reassuring.</p> <p>You need a little know-how to be able to set up FreeBSD in a not so friendly environment. There are several procedures to achieve this floating around the Internet, but I found those either too complicated or out of date. This article presents my preferred way to install a FreeBSD operating system on a provider that does not officially support it, and it works even for other unsupported operating systems.</p> <h2 id="install-a-linux-system-to-inspect-the-pre-provisioned-vps">Install a Linux system to inspect the pre-provisioned VPS</h2> <p>Depending on your provider, you will want to prepare either a BIOS boot image (for example at OVH) or a UEFI boot image (for example on Azure or on Oracle Cloud). One way to find out which one is to install any Linux image supported by your provider and run:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">dmesg <span class="p">|</span> grep -i <span class="s2">&#34;efi:&#34;</span> </span></span></code></pre></div><p>If you see lines like the following, then you need to prepare a UEFI boot image. Otherwise, prepare a BIOS boot image:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="o">[</span> 0.000000<span class="o">]</span> efi: EFI v2.7 by EDK II </span></span><span class="line"><span class="cl"><span class="o">[</span> 0.000000<span class="o">]</span> efi: <span class="nv">SMBIOS</span><span class="o">=</span>0xbbea9000 <span class="nv">ACPI</span><span class="o">=</span>0xbbf9c000 ACPI 2.0<span class="o">=</span>0xbbf9c014 <span class="nv">MEMATTR</span><span class="o">=</span>0xba639518 <span class="nv">MOKvar</span><span class="o">=</span>0xbbe97000 </span></span></code></pre></div><h2 id="bootstrap-the-freebsd-installer-on-a-local-virtual-machine">Bootstrap the FreeBSD installer on a local virtual machine</h2> <p>Create the RAW hard drive image for your virtual machine. Using the minimal necessary size will speed up the later image transfer. At the time of this writing, FreeBSD bootstraps fine on 1.6G of storage:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">qemu-img create -f raw freebsd.raw 1600M </span></span></code></pre></div><p>Download the installer image from <a href="https://download.freebsd.org/releases/amd64/amd64/ISO-IMAGES/15.0/FreeBSD-15.0-RELEASE-amd64-bootonly.iso">an official mirror</a> then start up the installer in the virtual machine.</p> <p>I start a BIOS booted virtual machine with something like:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">qemu-system-x86_64 <span class="se">\ </span></span></span><span class="line"><span class="cl"> -drive <span class="k">if</span><span class="o">=</span>none,id<span class="o">=</span>disk,file<span class="o">=</span><span class="nv">$PWD</span>/freebsd.raw,format<span class="o">=</span>raw,cache<span class="o">=</span>writeback <span class="se">\ </span></span></span><span class="line"><span class="cl"> -cdrom <span class="nv">$HOME</span>/Downloads/FreeBSD-15.0-RELEASE-amd64-bootonly.iso <span class="se">\ </span></span></span><span class="line"><span class="cl"> -boot d -machine <span class="nv">type</span><span class="o">=</span>q35,accel<span class="o">=</span>kvm <span class="se">\ </span></span></span><span class="line"><span class="cl"> -cpu host -smp <span class="m">2</span> -m <span class="m">4096</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> -nic user,model<span class="o">=</span>virtio-net-pci,hostfwd<span class="o">=</span>tcp::10022-:22 <span class="se">\ </span></span></span><span class="line"><span class="cl"> -device virtio-blk-pci,drive<span class="o">=</span>disk <span class="se">\ </span></span></span><span class="line"><span class="cl"> -device virtio-serial-pci <span class="se">\ </span></span></span><span class="line"><span class="cl"> -device virtserialport,chardev<span class="o">=</span>spicechannel0,name<span class="o">=</span>com.redhat.spice.0 <span class="se">\ </span></span></span><span class="line"><span class="cl"> -vga qxl -spice <span class="nv">port</span><span class="o">=</span>5902,addr<span class="o">=</span>127.0.0.1,disable-ticketing<span class="o">=</span>on <span class="se">\ </span></span></span><span class="line"><span class="cl"> -chardev spicevmc,id<span class="o">=</span>spicechannel0,name<span class="o">=</span>vdagent </span></span></code></pre></div><p>To boot in UEFI mode instead, add the following line somewhere in the middle. You might need to install another package and customize the path on your system, this one is for Gentoo:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"> -bios /usr/share/edk2/OvmfX64/OVMF_CODE.fd <span class="se">\ </span></span></span></code></pre></div><p>If you are short on memory, tune down the <code>-m 4096</code> flag that configures the amount allocated to the virtual machine.</p> <p>This virtual machine starts up with a SPICE display device, which I like better than VNC, and can be accessed with a SPICE client like <code>spicy</code>. If you would rather use VNC instead, replace the lines mentioning SPICE with the following to start a VNC server on port 5900:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"> -display vnc 127.0.0.1:0 <span class="se">\ </span></span></span><span class="line"><span class="cl"> -vga none -device virtio-vga,edid<span class="o">=</span>on,xres<span class="o">=</span>2560,yres<span class="o">=</span><span class="m">1440</span> </span></span></code></pre></div><h2 id="install-freebsd">Install FreeBSD</h2> <p>Proceed to install FreeBSD as you normally would. I personally switched to <code>pkgbase</code> instead of the venerable distribution sets and am very happy with this choice. For simple host setups like this with only one drive, I use the auto ZFS partitioning mode. Make sure to choose the correct <code>Partitioning Scheme</code> and to encrypt your disks if you wish to. I also disable swap at this point.</p> <p>To type in passwords, either for disk encryption or for the root and user accounts, the SPICE or VNC GUI can be unwieldy. When it is time for a password prompt, I like to use <code>xdotool</code> to simulate the keyboard inputs, bypassing the fact that copy/paste is not functional:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="nb">read</span> -rs pass </span></span><span class="line"><span class="cl">sleep 2<span class="p">;</span> xdotool <span class="nb">type</span> -- <span class="s2">&#34;</span><span class="nv">$pass</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"><span class="nb">unset</span> pass </span></span></code></pre></div><p>After pressing Enter to execute this command, I have two seconds to switch to the SPICE or VNC window before the password is typed for me.</p> <p>Once the installation is complete, shut down the virtual machine.</p> <h2 id="prepare-the-network-configuration">Prepare the network configuration</h2> <p>Restart the virtual machine on the newly installed system by setting the boot device to <code>c</code> and removing the ISO image flags. Make sure to keep the UEFI setting if you need it!</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">qemu-system-x86_64 <span class="se">\ </span></span></span><span class="line"><span class="cl"> -drive <span class="k">if</span><span class="o">=</span>none,id<span class="o">=</span>disk,file<span class="o">=</span><span class="nv">$PWD</span>/freebsd.raw,format<span class="o">=</span>raw,cache<span class="o">=</span>writeback <span class="se">\ </span></span></span><span class="line"><span class="cl"> -boot c -machine <span class="nv">type</span><span class="o">=</span>q35,accel<span class="o">=</span>kvm <span class="se">\ </span></span></span><span class="line"><span class="cl"> -cpu host -smp <span class="m">2</span> -m <span class="m">4096</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> -nic user,model<span class="o">=</span>virtio-net-pci,hostfwd<span class="o">=</span>tcp::10022-:22 <span class="se">\ </span></span></span><span class="line"><span class="cl"> -device virtio-blk-pci,drive<span class="o">=</span>disk <span class="se">\ </span></span></span><span class="line"><span class="cl"> -device virtio-serial-pci <span class="se">\ </span></span></span><span class="line"><span class="cl"> -device virtserialport,chardev<span class="o">=</span>spicechannel0,name<span class="o">=</span>com.redhat.spice.0 <span class="se">\ </span></span></span><span class="line"><span class="cl"> -vga qxl -spice <span class="nv">port</span><span class="o">=</span>5902,addr<span class="o">=</span>127.0.0.1,disable-ticketing<span class="o">=</span>on <span class="se">\ </span></span></span><span class="line"><span class="cl"> -chardev spicevmc,id<span class="o">=</span>spicechannel0,name<span class="o">=</span>vdagent </span></span></code></pre></div><p>Log in as root, then edit your <code>/etc/rc.conf</code>. You likely used DHCP for the installation, but for most providers this needs to be customized for FreeBSD (in particular if you want IPv6). I found that there are no general rules here: the best indicator is to install a Linux system supported by your VPS provider and inspect the pre-provisioned configuration.</p> <p>For example on an OVH VPS, I set everything statically in a <code>/etc/start_if.vtnet0</code>:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">ifconfig vtnet0 inet 37.187.244.19/32 </span></span><span class="line"><span class="cl">route -4 add 37.187.244.1/32 -interface vtnet0 </span></span><span class="line"><span class="cl">route -4 add default 37.187.244.1 </span></span><span class="line"><span class="cl">ifconfig vtnet0 inet6 2001:41d0:401:3100::fd5/64 </span></span><span class="line"><span class="cl">route -6 add default 2001:41d0:401:3100::1 </span></span></code></pre></div><p>But on Oracle Cloud Infrastructure, I use something like:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">ifconfig vtnet0 inet 10.0.0.62/24 </span></span><span class="line"><span class="cl">route -4 add default 10.0.0.1 </span></span><span class="line"><span class="cl">ifconfig vtnet0 inet6 2603:c022:c002:8500:e2a4:f02e:43b0:c1d8/64 accept_rtadv </span></span></code></pre></div><p>You will have to figure out what you need based on the provider you chose.</p> <h2 id="boot-the-vps-in-rescue-mode-and-transfer-the-disk-image">Boot the VPS in rescue mode and transfer the disk image</h2> <p>Most VPS providers offer a rescue mode that will boot your server on a Linux image with diagnostic tooling. If yours does not offer that capability, maybe you can do something similar by creating a second Linux server and attaching the boot disk of the first one to it (that&rsquo;s what I did to get my FreeBSD image to Oracle Cloud).</p> <p>Whatever way you proceed, your first step is to identify what the <code>/dev</code> path of the target block device is with <code>blkid</code> and <code>fdisk -l</code>. I will use <code>/dev/sdb</code> as an example. Make sure your disk is not mounted anywhere (rescue modes love to do that).</p> <p>Once ready, completely erase your disk with <code>blkdiscard /dev/sdb</code>. If <code>blkdiscard</code> is unsupported for some reason, you can skip it. Then copy over your raw image. I usually copy it in place with a command like the following (replace <code>myth.adyxax.org</code> with your actual server address):</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">dd <span class="k">if</span><span class="o">=</span><span class="s2">&#34;</span><span class="nv">$PWD</span><span class="s2">/freebsd.raw&#34;</span> <span class="p">|</span> ssh root@myth.adyxax.org dd <span class="nv">of</span><span class="o">=</span>/dev/sdb </span></span></code></pre></div><h2 id="first-boot">First boot</h2> <p>Once the image has finished transferring, you should be able to disable rescue mode (or shut down the temporary installation instance and reattach the boot disk to your original instance if you went that route). Reboot your server to enjoy your new FreeBSD system!</p> <p>If you chose full disk encryption, or if anything goes wrong and you need to debug the boot process, then the web KVM of your provider will be your best friend.</p> <h2 id="resizing-the-root-disk">Resizing the root disk</h2> <p>I deliberately set up a very small virtual disk as to speed up transfer of the resulting image. After booting into the new system, we will want to make use of the full storage space allocated to the instance. When using FreeBSD with root on ZFS, I first inspect the storage layout with these two commands:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="c1"># gpart show -p</span> </span></span><span class="line"><span class="cl"><span class="o">=</span>&gt; <span class="m">40</span> <span class="m">41942960</span> da0 GPT <span class="o">(</span>20G<span class="o">)</span> </span></span><span class="line"><span class="cl"> <span class="m">40</span> <span class="m">1024</span> da0p1 freebsd-boot <span class="o">(</span>512K<span class="o">)</span> </span></span><span class="line"><span class="cl"> <span class="m">1064</span> <span class="m">984</span> - free - <span class="o">(</span>492K<span class="o">)</span> </span></span><span class="line"><span class="cl"> <span class="m">2048</span> <span class="m">41940952</span> da0p2 freebsd-zfs <span class="o">(</span>20G<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># zpool status -P</span> </span></span><span class="line"><span class="cl"> pool: zroot </span></span><span class="line"><span class="cl"> state: ONLINE </span></span><span class="line"><span class="cl">config: </span></span><span class="line"><span class="cl"> NAME STATE READ WRITE CKSUM </span></span><span class="line"><span class="cl"> zroot ONLINE <span class="m">0</span> <span class="m">0</span> <span class="m">0</span> </span></span><span class="line"><span class="cl"> /dev/da0p2.eli ONLINE <span class="m">0</span> <span class="m">0</span> <span class="m">0</span> </span></span></code></pre></div><p>I then do the resizing with something like:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">gpart recover da0 </span></span><span class="line"><span class="cl">gpart resize -i <span class="m">2</span> da0 </span></span><span class="line"><span class="cl">geli resize /dev/da0p2 </span></span><span class="line"><span class="cl">zpool online -e zroot /dev/da0p2.eli </span></span></code></pre></div><h2 id="conclusion">Conclusion</h2> <p>This method has served me well for years, and I am glad I finally took the time to write the FreeBSD version of these instructions for future reference.</p>/blog/2026/04/29/my-current-nftables-laptop-configuration/2026-04-29/blog/2026/04/29/my-current-nftables-laptop-configuration/<h2 id="introduction">Introduction</h2> <p>I have blogged about my pf firewall configurations a few times, but never my Linux ones. There is nothing especially unusual about it, but it does differ somewhat from the common nftables examples.</p> <h2 id="configuration">Configuration</h2> <p>This is the configuration for my Gentoo laptop. It has two Wireguard interfaces and references two egress interfaces, one for Ethernet and one for WiFi:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-cfg" data-lang="cfg"><span class="line"><span class="cl"><span class="c1">#!/sbin/nft -f</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="na">flush ruleset</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="na">define allowed_icmp_types</span> <span class="o">=</span> <span class="s">{ echo-reply, echo-request };</span> </span></span><span class="line"><span class="cl"><span class="na">define trusted_icmp_types</span> <span class="o">=</span> <span class="s">{ destination-unreachable, time-exceeded };</span> </span></span><span class="line"><span class="cl"><span class="na">define allowed_icmpv6_types</span> <span class="o">=</span> <span class="s">{ nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, echo-request, echo-reply };</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="na">define egress_ifs</span> <span class="o">=</span> <span class="s">{ enp0s31f6, wlp0s20f3 };</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="na">table inet filter {</span> </span></span><span class="line"><span class="cl"> <span class="na">set private4 {</span> </span></span><span class="line"><span class="cl"> <span class="na">type ipv4_addr;</span> </span></span><span class="line"><span class="cl"> <span class="na">flags constant, interval;</span> </span></span><span class="line"><span class="cl"> <span class="na">elements</span> <span class="o">=</span> <span class="s">{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }; </span></span></span><span class="line"><span class="cl"><span class="s"> } </span></span></span><span class="line"><span class="cl"><span class="s"> set private6 { </span></span></span><span class="line"><span class="cl"><span class="s"> type ipv6_addr; </span></span></span><span class="line"><span class="cl"><span class="s"> flags constant, interval; </span></span></span><span class="line"><span class="cl"><span class="s"> elements = { fd00::/8, fe80::/10 }; </span></span></span><span class="line"><span class="cl"><span class="s"> } </span></span></span><span class="line"><span class="cl"><span class="s"> chain forward_docker { </span></span></span><span class="line"><span class="cl"><span class="s"> # forward docker traffic only to the Internet, not to wireguard, our LAN or </span></span></span><span class="line"><span class="cl"><span class="s"> # other interfaces </span></span></span><span class="line"><span class="cl"><span class="s"> oifname $egress_ifs ip saddr @private4 ip daddr != @private4 counter accept; </span></span></span><span class="line"><span class="cl"><span class="s"> oifname $egress_ifs ip6 saddr @private6 ip6 daddr != fd00::/8 counter accept; </span></span></span><span class="line"><span class="cl"><span class="s"> } </span></span></span><span class="line"><span class="cl"><span class="s"> chain input_docker { </span></span></span><span class="line"><span class="cl"><span class="s"> # Allow container access to local Postgres and Valkey </span></span></span><span class="line"><span class="cl"><span class="s"> ct state new tcp dport { 5432, 6379 } counter accept; </span></span></span><span class="line"><span class="cl"><span class="s"> } </span></span></span><span class="line"><span class="cl"><span class="s"> chain input_egress { </span></span></span><span class="line"><span class="cl"><span class="s"> ct state new tcp dport ssh limit rate 5/minute counter accept; </span></span></span><span class="line"><span class="cl"><span class="s"> } </span></span></span><span class="line"><span class="cl"><span class="s"> chain input_wireguard_adyxax { </span></span></span><span class="line"><span class="cl"><span class="s"> icmp type $trusted_icmp_types counter accept; </span></span></span><span class="line"><span class="cl"><span class="s"> ip protocol ospf counter accept; </span></span></span><span class="line"><span class="cl"><span class="s"> ip6 nexthdr ospf counter accept; </span></span></span><span class="line"><span class="cl"><span class="s"> udp dport { 3784, 4784 } accept; # Allow BFD </span></span></span><span class="line"><span class="cl"><span class="s"> ct state new tcp dport ssh counter accept; </span></span></span><span class="line"><span class="cl"><span class="s"> } </span></span></span><span class="line"><span class="cl"><span class="s"> chain input_wireguard_normal { </span></span></span><span class="line"><span class="cl"><span class="s"> icmp type $trusted_icmp_types counter accept; </span></span></span><span class="line"><span class="cl"><span class="s"> ct state new tcp dport ssh limit rate 5/minute counter accept; </span></span></span><span class="line"><span class="cl"><span class="s"> } </span></span></span><span class="line"><span class="cl"><span class="s"> # Chain hooks </span></span></span><span class="line"><span class="cl"><span class="s"> chain input { </span></span></span><span class="line"><span class="cl"><span class="s"> type filter hook input priority 0; </span></span></span><span class="line"><span class="cl"><span class="s"> policy drop; </span></span></span><span class="line"><span class="cl"><span class="s"> iifname lo accept; </span></span></span><span class="line"><span class="cl"><span class="s"> ct state {established, related} counter accept; </span></span></span><span class="line"><span class="cl"><span class="s"> ct state invalid counter drop; </span></span></span><span class="line"><span class="cl"><span class="s"> icmp type $allowed_icmp_types counter accept; </span></span></span><span class="line"><span class="cl"><span class="s"> icmpv6 type $allowed_icmpv6_types counter accept; </span></span></span><span class="line"><span class="cl"><span class="s"> iifname docker0 counter jump input_docker; </span></span></span><span class="line"><span class="cl"><span class="s"> iifname $egress_ifs counter jump input_egress; </span></span></span><span class="line"><span class="cl"><span class="s"> iifname wg-myth counter jump input_wireguard_adyxax; </span></span></span><span class="line"><span class="cl"><span class="s"> iifname wg-normal counter jump input_wireguard_normal; </span></span></span><span class="line"><span class="cl"><span class="s"> # drop mDNS traffic without logging </span></span></span><span class="line"><span class="cl"><span class="s"> ip daddr 224.0.0.251 udp dport 5353 counter drop; </span></span></span><span class="line"><span class="cl"><span class="s"> # drop multicast membership traffic without logging </span></span></span><span class="line"><span class="cl"><span class="s"> ip protocol igmp counter drop; </span></span></span><span class="line"><span class="cl"><span class="s"> log prefix &#34;input drop: &#34; limit rate 10/second counter drop; </span></span></span><span class="line"><span class="cl"><span class="s"> counter drop; </span></span></span><span class="line"><span class="cl"><span class="s"> } </span></span></span><span class="line"><span class="cl"><span class="s"> chain forward { </span></span></span><span class="line"><span class="cl"><span class="s"> type filter hook forward priority 0; </span></span></span><span class="line"><span class="cl"><span class="s"> policy drop; </span></span></span><span class="line"><span class="cl"><span class="s"> ct state {established, related} counter accept; </span></span></span><span class="line"><span class="cl"><span class="s"> ct state invalid counter drop; </span></span></span><span class="line"><span class="cl"><span class="s"> iifname docker0 counter jump forward_docker; </span></span></span><span class="line"><span class="cl"><span class="s"> log prefix &#34;forward drop: &#34; limit rate 10/second counter drop; </span></span></span><span class="line"><span class="cl"><span class="s"> counter drop; </span></span></span><span class="line"><span class="cl"><span class="s"> } </span></span></span><span class="line"><span class="cl"><span class="s"> chain output { </span></span></span><span class="line"><span class="cl"><span class="s"> type filter hook output priority 0; </span></span></span><span class="line"><span class="cl"><span class="s"> policy accept; </span></span></span><span class="line"><span class="cl"><span class="s"> ct state {established, related} counter accept; </span></span></span><span class="line"><span class="cl"><span class="s"> ct state invalid counter drop; </span></span></span><span class="line"><span class="cl"><span class="s"> ct state new counter accept; </span></span></span><span class="line"><span class="cl"><span class="s"> ip protocol icmp counter accept; </span></span></span><span class="line"><span class="cl"><span class="s"> ip6 nexthdr icmpv6 counter accept; </span></span></span><span class="line"><span class="cl"><span class="s"> meta l4proto ipv6-icmp counter accept; </span></span></span><span class="line"><span class="cl"><span class="s"> log prefix &#34;output accept: &#34; counter accept; </span></span></span><span class="line"><span class="cl"><span class="s"> }</span> </span></span><span class="line"><span class="cl"><span class="na">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="na">table ip nat {</span> </span></span><span class="line"><span class="cl"> <span class="na">chain postrouting {</span> </span></span><span class="line"><span class="cl"> <span class="na">type nat hook postrouting priority srcnat;</span> </span></span><span class="line"><span class="cl"> <span class="na">policy accept;</span> </span></span><span class="line"><span class="cl"> <span class="c1"># Only NAT traffic to the Internet, not to our LAN</span> </span></span><span class="line"><span class="cl"> <span class="na">oifname $egress_ifs \</span> </span></span><span class="line"><span class="cl"> <span class="na">ip daddr !</span><span class="o">=</span> <span class="s">10.0.0.0/8 \ </span></span></span><span class="line"><span class="cl"><span class="s"> ip daddr != 172.16.0.0/12 \ </span></span></span><span class="line"><span class="cl"><span class="s"> ip daddr != 192.168.0.0/16 \ </span></span></span><span class="line"><span class="cl"><span class="s"> counter masquerade; </span></span></span><span class="line"><span class="cl"><span class="s"> }</span> </span></span><span class="line"><span class="cl"><span class="na">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="na">table netdev filter {</span> </span></span><span class="line"><span class="cl"> <span class="na">chain ingress {</span> </span></span><span class="line"><span class="cl"> <span class="na">type filter hook ingress device $egress_ifs priority -500;</span> </span></span><span class="line"><span class="cl"> <span class="c1"># Drop all fragments.</span> </span></span><span class="line"><span class="cl"> <span class="na">ip frag-off &amp; 0x1fff !</span><span class="o">=</span> <span class="s">0 counter drop </span></span></span><span class="line"><span class="cl"><span class="s"> # Drop XMAS packets. </span></span></span><span class="line"><span class="cl"><span class="s"> tcp flags &amp; (fin|syn|rst|psh|ack|urg) == fin|syn|rst|psh|ack|urg counter drop </span></span></span><span class="line"><span class="cl"><span class="s"> # Drop NULL packets. </span></span></span><span class="line"><span class="cl"><span class="s"> tcp flags &amp; (fin|syn|rst|psh|ack|urg) == 0x0 counter drop </span></span></span><span class="line"><span class="cl"><span class="s"> # Drop uncommon MSS values. </span></span></span><span class="line"><span class="cl"><span class="s"> tcp flags syn tcp option maxseg size 1-535 counter drop </span></span></span><span class="line"><span class="cl"><span class="s"> }</span> </span></span><span class="line"><span class="cl"><span class="na">}</span> </span></span></code></pre></div><p>I like the private IPv4 and IPv6 sets (taken from my pf configurations), though they are not as convenient to use in nftables as they are in pf. Nftables does not let sets express inverted matches like pf does, which limits how compactly some rules can be written. They are also scoped to a single table rather than being globally reusable.</p> <p>I do not allow Docker to modify my firewall ruleset, I want it to remain all static and predictable. That is why the Docker related rules are written explicitly here.</p> <h2 id="conclusion">Conclusion</h2> <p>Overall, this setup is fairly conservative: default drop on input and forward while explicit handling of traffic on each interface for egress, containers and wireguard.</p> <p>If you have nftables tips, I would be glad to read them. Feel free to reach me by email or on Mastodon.</p>/blog/2026/04/10/toying-with-ospf-over-wireguard-on-freebsd/2026-04-10/blog/2026/04/10/toying-with-ospf-over-wireguard-on-freebsd/<h2 id="introduction">Introduction</h2> <p>For almost a decade, I have been operating my own mesh overlay network using a combination of point to point OpenVPN tunnels with OSPF on top. It was well automated with Ansible and served me well all these years.</p> <p>I decided it was time I tried to move this to Wireguard instead and spent a bit of time making it all work. This article does not explain everything I did, but will present some lessons I learned in the process.</p> <h2 id="routing-ospf-over-wireguard">Routing OSPF over Wireguard</h2> <p>By default, Wireguard encourages you to only allow the minimum set of IP prefixes over a Wireguard tunnel. It filters only that traffic, and conveniently populates a host&rsquo;s routing table with static routes to the tunnel for each allowed prefix.</p> <p>Wireguard also supports configuring multiple peers for a single Wireguard interface which is very convenient, but sadly cannot work with OSPF. Wireguard uses the allowed IP prefixes to decide which peer will receive a packet, and this is incompatible with a protocol that relies on multicast traffic in order to work. I therefore need one Wireguard interface per peer over which to run OSPF.</p> <p>Also since I need to route traffic for dynamically learned routes, the allowed IP filters pretty much need to be <code>0.0.0.0/0, ::/0</code> and cover everything. In practice I could also use the more restrictive <code>10/8, 172.16/12, 192.168/16, 224.0.0.5, 224.0.0.6, fd00::/8, fe80::/10, ff02::5, ff02::6</code>.</p> <p>Since I cannot have Wireguard insert multiple identical routes for all my Wireguard interfaces, I also need to disable this functionality. When using the popular <code>wg-quick</code> method, one needs to add <code>Table = off</code> to the <code>[Interface]</code> configuration. The native implementations do not need this, it is really only for <code>wg-quick</code>.</p> <p>My FreeBSD <code>/etc/start_if.wg0</code> config therefore looks like:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">ifconfig wg0 create up description <span class="s2">&#34;laptop&#34;</span> </span></span><span class="line"><span class="cl">ifconfig wg0 inet 172.31.254.0/31 </span></span><span class="line"><span class="cl">ifconfig wg0 inet6 fd00:172:31:254::/127 </span></span><span class="line"><span class="cl">ifconfig wg0 inet6 fe80::/64 </span></span><span class="line"><span class="cl">wg syncconf wg0 /etc/wg0.conf </span></span></code></pre></div><p>And the corresponding <code>/etc/wg0.conf</code> looks like:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="o">[</span>Interface<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="nv">PrivateKey</span> <span class="o">=</span> gFAoJwJSfA0A8g+FhfxHLWXj6+CZdmPH4EW5pghqv30<span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="nv">ListenPort</span> <span class="o">=</span> <span class="m">342</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>Peer<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="nv">PublicKey</span> <span class="o">=</span> bAg8bmMQxPFoNSG+Qq2VteCW4VUsi//VleBQBNa5Mno<span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="nv">AllowedIPs</span> <span class="o">=</span> 0.0.0.0/0,::/0 </span></span></code></pre></div><h2 id="freebsd-vs-linux-bridge-and-wireguard-interfaces">FreeBSD vs Linux bridge and wireguard interfaces</h2> <p>On FreeBSD, I had a little trouble making OSPF v3 (for IPv6) work on a detached bridge interface (that I use for VNET jails), and on a wireguard interface.</p> <p>The problem was that FreeBSD does not generate link-local IPv6 addresses for these kinds of interfaces, because they are not backed by a MAC address. And it turns out that the Bird routing daemon needs these link-local IPv6 addresses in order to work in point-to-point mode!</p> <p>Luckily these are in effect point-to-point interfaces, so it matters very little which link-local address I set manually. I just used <code>fe80::/64</code> everywhere and it worked.</p> <p>Linux does not have this issue and will assign random link-local addresses to all its interfaces which really made this a confusing debugging session.</p> <h2 id="some-pf-configuration-rules">Some PF configuration rules</h2> <p>While not something I learned this time around, I will record here that one can allow OSPF traffic via PF with:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">table &lt;myself&gt; const <span class="o">{</span> self <span class="o">}</span> </span></span><span class="line"><span class="cl">table &lt;private&gt; const <span class="o">{</span> 10/8, 172.16/12, 192.168/16, fd00::/8, fe80::/10 <span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">pass out from &lt;myself&gt; to any </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">pass on <span class="o">{</span> wg0, wg1 <span class="o">}</span> from &lt;private&gt; to &lt;private&gt; </span></span><span class="line"><span class="cl">pass on <span class="o">{</span> wg0, wg1 <span class="o">}</span> proto ospf allow-opts </span></span></code></pre></div><h2 id="some-bird-configuration">Some Bird configuration</h2> <p>Here is a basic Bird3 configuration to reproduce my setup:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">log syslog all<span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">router id 172.31.253.1<span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">protocol device <span class="o">{</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">protocol direct <span class="o">{</span> </span></span><span class="line"><span class="cl"> disabled<span class="p">;</span> </span></span><span class="line"><span class="cl"> ipv4<span class="p">;</span> </span></span><span class="line"><span class="cl"> ipv6<span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">protocol kernel <span class="o">{</span> </span></span><span class="line"><span class="cl"> ipv4 <span class="o">{</span> <span class="nb">export</span> all<span class="p">;</span> <span class="o">}</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> persist<span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">protocol kernel <span class="o">{</span> </span></span><span class="line"><span class="cl"> ipv6 <span class="o">{</span> <span class="nb">export</span> all<span class="p">;</span> <span class="o">}</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> persist<span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">protocol static <span class="o">{</span> ipv4<span class="p">;</span> <span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">protocol ospf v2 ospf4 <span class="o">{</span> </span></span><span class="line"><span class="cl"> area <span class="m">0</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> interface <span class="s2">&#34;bridge0&#34;</span> <span class="o">{</span> stub<span class="p">;</span> <span class="o">}</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> interface <span class="s2">&#34;wg0&#34;</span> <span class="o">{</span> bfd yes<span class="p">;</span> cost 100<span class="p">;</span> <span class="nb">type</span> ptp<span class="p">;</span> <span class="o">}</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> interface <span class="s2">&#34;wg1&#34;</span> <span class="o">{</span> bfd yes<span class="p">;</span> cost 100<span class="p">;</span> <span class="nb">type</span> ptp<span class="p">;</span> <span class="o">}</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">protocol ospf v3 ospf6 <span class="o">{</span> </span></span><span class="line"><span class="cl"> area <span class="m">0</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> interface <span class="s2">&#34;bridge0&#34;</span> <span class="o">{</span> stub<span class="p">;</span> <span class="o">}</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> interface <span class="s2">&#34;wg0&#34;</span> <span class="o">{</span> bfd yes<span class="p">;</span> cost 100<span class="p">;</span> <span class="nb">type</span> ptp<span class="p">;</span> <span class="o">}</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> interface <span class="s2">&#34;wg1&#34;</span> <span class="o">{</span> bfd yes<span class="p">;</span> cost 100<span class="p">;</span> <span class="nb">type</span> ptp<span class="p">;</span> <span class="o">}</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">protocol bfd <span class="o">{</span> </span></span><span class="line"><span class="cl"> interface <span class="s2">&#34;wg*&#34;</span> <span class="o">{}</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span></code></pre></div><h2 id="conclusion">Conclusion</h2> <p>I cannot say yet if I will rewrite my Ansible automation for OSPF over Wireguard, but I certainly had fun figuring these out. I will probably toy with BGP again next, just because it is also &ldquo;fun&rdquo; to redistribute routes this way.</p>/blog/2026/03/19/how-to-run-syncthing-from-termux-and-tasker-on-android/2026-03-19/blog/2026/03/19/how-to-run-syncthing-from-termux-and-tasker-on-android/<h2 id="introduction">Introduction</h2> <p>I recently had my phone die on me and had to get a new one. One of the first apps I install is <a href="https://syncthing.net/">Syncthing</a>, in order to restore my photos and app data.</p> <p>Syncthing on Android has had quite the history, and for a time it was the norm to use Syncthing-Fork. A few months ago, this fork went through an ownership change, and I stopped updating this app until things settled.</p> <p>On a new device, I wanted an up to date setup I could trust long-term and maintain myself. I found that the safest way for me to run Syncthing on Android was to turn to <a href="https://github.com/termux/termux-app">Termux</a>.</p> <h2 id="termux">Termux</h2> <p>I have been using Termux for about a decade. It is a simple and reliable way to get a Linux shell running on your phone. I only used it to SSH on servers and run some tools while on the go up until now, but of course it is possible to run server software on it.</p> <p>Installing Termux is not difficult, but a few post installation steps need to be performed. I personally download the APK from <a href="https://f-droid.org/en/packages/com.termux/">f-droid</a>, without installing f-droid itself.</p> <p>When running Termux for the first time, I update it then setup the internal phone&rsquo;s storage access with:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">apt update -qq <span class="o">&amp;&amp;</span> apt dist-upgrade -y </span></span><span class="line"><span class="cl">termux-setup-storage </span></span></code></pre></div><p>It is important to go into the Termux app settings and allow Termux to run in the background by disabling battery optimizations. Without that, it will get killed periodically by Android.</p> <p>I then install and initialize syncthing with:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">apt install syncthing -y </span></span><span class="line"><span class="cl">syncthing </span></span></code></pre></div><p>This opens a web browser (or prints a URL you can open, depending on your environment) with the usual syncthing configuration page. In the settings I change the following for privacy:</p> <ul> <li>Disable anonymous usage reporting.</li> <li>Set a gui authentication user and password.</li> <li>Disable NAT traversal.</li> <li>Disable local discovery.</li> <li>Disable global discovery.</li> <li>Disable relaying.</li> </ul> <p>I then proceed to add remote servers and folders.</p> <h2 id="tasker">Tasker</h2> <p>Since I use syncthing to synchronize my photos with my NAS at home, one of the main features of the Syncthing apps for me was to stop the background sync while not connected to a WiFi network.</p> <p>By combining <a href="https://tasker.joaoapps.com/">Tasker</a> and <a href="https://github.com/termux/termux-tasker">Tmux:Tasker</a>, I managed to get this feature back and improved, since I can now also filter on which networks I allow Syncthing to run.</p> <p>If you left Syncthing running in Termux, now is the time to <code>C-c</code> to close it. In Termux, edit <code>~/.termux/termux.properties</code> and uncomment the following so that Tasker can execute commands:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-properties" data-lang="properties"><span class="line"><span class="cl"><span class="na">allow-external-apps</span> <span class="o">=</span> <span class="s">true</span> </span></span></code></pre></div><p>Go to Tasker&rsquo;s Android app permissions, and under <code>Additional permissions</code> select <code>Run commands in Termux environment</code>. Restart Termux for the changes to take effect.</p> <p>Then I create the Termux:Tasker script directory as well as the start and stop scripts:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">cat &gt;~/.termux/tasker/start-syncthing.sh <span class="s">&lt;&lt;EOF </span></span></span><span class="line"><span class="cl"><span class="s">#!/data/data/com.termux/files/usr/bin/bash </span></span></span><span class="line"><span class="cl"><span class="s">pgrep -x syncthing || syncthing serve --no-browser </span></span></span><span class="line"><span class="cl"><span class="s">EOF</span> </span></span><span class="line"><span class="cl">cat &gt;~/.termux/tasker/stop-syncthing.sh <span class="s">&lt;&lt;EOF </span></span></span><span class="line"><span class="cl"><span class="s">#!/data/data/com.termux/files/usr/bin/bash </span></span></span><span class="line"><span class="cl"><span class="s">pkill -x syncthing </span></span></span><span class="line"><span class="cl"><span class="s">EOF</span> </span></span><span class="line"><span class="cl">chmod +x ~/.termux/tasker/*.sh </span></span></code></pre></div><p>Then I open Tasker and create a profile for <code>State</code>, <code>Net</code>, <code>WiFi Connected</code>. I set my WiFi SSID, then add a task named <code>Start Syncthing</code> and configure it with:</p> <ul> <li>Add <code>Action</code>, select <code>Plugin</code> then <code>Termux:Tasker</code>.</li> <li>Click <code>Configuration</code> then set <code>start-syncthing.sh</code> as the command then disable <code>wait for result</code>.</li> <li>Go back to the profile and long press the task. Select <code>Add Exit Task</code> and name it <code>Stop Syncthing</code>.</li> <li>Add <code>Action</code>, select <code>Plugin</code> then <code>Termux:Tasker</code>.</li> <li>Click <code>Configuration</code> then set <code>stop-syncthing.sh</code> as the command then disable <code>wait for result</code>.</li> </ul> <p>All that remains to do is test by connecting and disconnecting the WiFi and run <code>pgrep -x syncthing &gt;/dev/null &amp;&amp; echo running</code>.</p> <h2 id="conclusion">Conclusion</h2> <p>I am very happy with this setup, it works perfectly and provides me with a robust and trustworthy way to run Syncthing again.</p>/blog/2026/03/09/how-to-check-that-an-ssl-certificate-and-its-private-key-match/2026-03-09/blog/2026/03/09/how-to-check-that-an-ssl-certificate-and-its-private-key-match/<h2 id="introduction">Introduction</h2> <p>Though it is less common nowadays, SSL certificate provisioning can still be full of surprises when dealing with old school setups in client environments.</p> <p>Some colleagues did not know how to easily check if a certificate and private key match in a clean one liner, and their LLM research came up with &ldquo;interesting&rdquo; suggestions with at least 6 pipes and too many checksum operations.</p> <p>This prompted me to document my way of doing this.</p> <h2 id="extracting-the-public-key">Extracting the public key</h2> <p>The public key can be extracted with openssl using two commands. Here is the first one for the certificate:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">openssl x509 -in mycertificate.crt -noout -pubkey </span></span></code></pre></div><p>Here is the second one for the private key:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">openssl pkey -in mykey.key -pubout </span></span></code></pre></div><h2 id="the-diff-command-and-process-substitutions">The diff command and process substitutions</h2> <p>Bash process substitutions are very useful, in particular in this context. They allow a command to read the output of other commands as pseudo files. For our purpose it looks like this:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">diff -quw &lt;<span class="o">(</span>openssl x509 -in mycertificate.crt -noout -pubkey<span class="o">)</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> &lt;<span class="o">(</span>openssl pkey -in mykey.key -pubout<span class="o">)</span> </span></span></code></pre></div><p>The <code>-quw</code> flags are not important here, just a habit of mine. <code>-q</code> is to ask diff to be quiet, <code>-u</code> is to ask for a unified output while <code>-w</code> is to ignore whitespace differences.</p> <p>If running the diff command from a script, know that it also exits <code>0</code> when the inputs are the same, 1 if they are different and &gt;1 if another error occurred.</p> <h2 id="conclusion">Conclusion</h2> <p>This provides a quick way to verify that a certificate and its private key match, while also demonstrating Bash process substitution. I encourage anyone to use these process substitutions more, they have many practical uses and can simplify command line workflows.</p>/blog/2026/02/04/updating-dependencies/2026-02-04/blog/2026/02/04/updating-dependencies/<h2 id="introduction">Introduction</h2> <p>I find most of the popular dependency update automation tools like Dependabot or Renovate cumbersome to integrate, first and foremost because they cannot be run locally easily. Secondly, they cover everything and the kitchen sink and you cannot easily pick some languages or ecosystems to support. But if I could somehow ignore that, sadly they are clunky even in a forge setting as soon as you have to deal with private repositories and need to tightly manage access control.</p> <p>I understand how valuable these popular tools can be though, especially in ecosystems that churn out new versions every other day. This makes these dependency update automation tools a must have at work where you need to reliably manage security updates across dozens of repositories I often do not own.</p> <p>Since I try to avoid dependencies as much as I can in my personal development and infrastructure management, I believe I can get 90% of the value of these tools for 10% of the complexity thanks to a few lighweight scripts.</p> <h2 id="updating-dependencies">Updating dependencies</h2> <h3 id="docker-hub">Docker Hub</h3> <p>The Docker Hub offers the an API endpoint to check the latest tags on a specific image. The trick is to write the right grep filter that will select only the release tags you care about:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="nb">local</span> new_version </span></span><span class="line"><span class="cl"><span class="k">if</span> ! <span class="nv">new_version</span><span class="o">=</span><span class="k">$(</span>curl -sSfL <span class="s2">&#34;https://hub.docker.com/v2/repositories/valkey/valkey/tags?page_size=100&amp;ordering=last_updated&#34;</span> <span class="p">|</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> jq -r <span class="s1">&#39;.results|.[]|.name&#39;</span> <span class="p">|</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> grep -E <span class="s1">&#39;^[0-9](\.[0-9]){2}$&#39;</span><span class="p">|</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> sort -V <span class="p">|</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> tail -n1<span class="k">)</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> <span class="s2">&#34;failed to get new version from docker hub tags&#34;</span> &gt;<span class="p">&amp;</span>2<span class="p">;</span> <span class="nb">exit</span> <span class="m">1</span> </span></span><span class="line"><span class="cl"><span class="k">fi</span> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="o">[[</span> -z <span class="s2">&#34;</span><span class="nv">$new_version</span><span class="s2">&#34;</span> <span class="o">]]</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> <span class="s2">&#34;failed to get a non empty version from docker hub tags&#34;</span> &gt;<span class="p">&amp;</span>2<span class="p">;</span> <span class="nb">exit</span> <span class="m">2</span> </span></span><span class="line"><span class="cl"><span class="k">fi</span> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="o">[[</span> <span class="s2">&#34;</span><span class="nv">$new_version</span><span class="s2">&#34;</span> !<span class="o">=</span> <span class="s2">&#34;</span><span class="nv">$version</span><span class="s2">&#34;</span> <span class="o">]]</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> <span class="s2">&#34;updating the repository to </span><span class="nv">$project</span><span class="s2"> version </span><span class="nv">$new_version</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="nv">version</span><span class="o">=</span><span class="s2">&#34;</span><span class="si">${</span><span class="nv">version</span><span class="p">//./</span><span class="se">\\</span><span class="p">.</span><span class="si">}</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> sed -e <span class="s2">&#34;s!^version=&#39;</span><span class="nv">$version</span><span class="s2">&#39;\$!version=&#39;</span><span class="nv">$new_version</span><span class="s2">&#39;!&#34;</span> -i make.sh </span></span><span class="line"><span class="cl"><span class="k">fi</span> </span></span></code></pre></div><h3 id="git-tags">Git tags</h3> <p>The Git CLI can be used quite efficiently to get the latest tags on a specific repository. The trick is again to write the right filter the select only the tags you care about:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="nb">local</span> new_seaweedfs_version </span></span><span class="line"><span class="cl"><span class="k">if</span> ! <span class="nv">new_seaweedfs_version</span><span class="o">=</span><span class="k">$(</span>git ls-remote --tags --refs https://github.com/seaweedfs/seaweedfs <span class="p">|</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> perl -lane <span class="s1">&#39;print $1 if /refs\/tags\/(\d.*)/&#39;</span><span class="p">|</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> sort -V <span class="p">|</span> </span></span><span class="line"><span class="cl"> tail -n1<span class="k">)</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> <span class="s2">&#34;failed to get new seaweedfs version from git RELEASE tags&#34;</span> &gt;<span class="p">&amp;</span>2<span class="p">;</span> <span class="nb">exit</span> <span class="m">1</span> </span></span><span class="line"><span class="cl"><span class="k">fi</span> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="o">[[</span> -z <span class="s2">&#34;</span><span class="nv">$new_seaweedfs_version</span><span class="s2">&#34;</span> <span class="o">]]</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> <span class="s2">&#34;failed to get a non empty seaweedfs git RELEASE tag&#34;</span> &gt;<span class="p">&amp;</span>2<span class="p">;</span> <span class="nb">exit</span> <span class="m">2</span> </span></span><span class="line"><span class="cl"><span class="k">fi</span> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="o">[[</span> <span class="s2">&#34;</span><span class="nv">$new_seaweedfs_version</span><span class="s2">&#34;</span> !<span class="o">=</span> <span class="s2">&#34;</span><span class="nv">$seaweedfs_version</span><span class="s2">&#34;</span> <span class="o">]]</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> <span class="s2">&#34;Updating the repository for </span><span class="nv">$project</span><span class="s2"> version </span><span class="nv">$new_seaweedfs_version</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> sed -e <span class="s2">&#34;s!^seaweedfs_version=&#39;</span><span class="nv">$seaweedfs_version</span><span class="s2">&#39;\$!seaweedfs_version=&#39;</span><span class="nv">$new_seaweedfs_version</span><span class="s2">&#39;!&#34;</span> -i make.sh </span></span><span class="line"><span class="cl"><span class="k">fi</span> </span></span></code></pre></div><h3 id="go">Go</h3> <p>The official Go website conveniently offers a simple API endpoint to check the latest releases. I also update all module dependencies in this step for personal convenience:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="nb">local</span> new_golang_version </span></span><span class="line"><span class="cl"><span class="k">if</span> ! <span class="nv">new_golang_version</span><span class="o">=</span><span class="k">$(</span>curl -fsSL <span class="s1">&#39;https://go.dev/dl/?mode=json&#39;</span> <span class="p">|</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> jq -r <span class="s1">&#39;[.[] | select(.stable == true)][0].version&#39;</span> <span class="p">|</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> sed -e <span class="s1">&#39;s/^go//&#39;</span><span class="k">)</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> <span class="s2">&#34;failed to get new golang version from go.dev&#34;</span> &gt;<span class="p">&amp;</span>2<span class="p">;</span> <span class="nb">exit</span> <span class="m">1</span> </span></span><span class="line"><span class="cl"><span class="k">fi</span> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="o">[[</span> -z <span class="s2">&#34;</span><span class="nv">$new_golang_version</span><span class="s2">&#34;</span> <span class="o">]]</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> <span class="s2">&#34;failed to get a non empty golang version number&#34;</span> &gt;<span class="p">&amp;</span>2<span class="p">;</span> <span class="nb">exit</span> <span class="m">2</span> </span></span><span class="line"><span class="cl"><span class="k">fi</span> </span></span><span class="line"><span class="cl">sed -e <span class="s2">&#34;s/^go [0-9\\.]\+\$/go </span><span class="nv">$new_golang_version</span><span class="s2">/&#34;</span> -i go.mod </span></span><span class="line"><span class="cl">go get -t -u ./... <span class="o">&amp;&amp;</span> go mod tidy </span></span></code></pre></div><h3 id="opentofuterraform">OpenTofu/Terraform</h3> <p>Fetching the latest versions of OpenTofu/Terraform providers is trickier because proper parsing is needed to handle the files correctly.</p> <p>I work around this by enforcing conventions. First I keep all provider definitions and configurations separate in a <code>providers.tf</code> file. Then I keep the <code>source =</code> and <code>version =</code> statements always sorted in that order (not a problem for me because I sort everything alphabetically anywhere I can, but critical for the script to work). I also do not use trailing comments for the source and version statements.</p> <p>Note that this will pick the latest versions of each provider, not necessarily the latest compatible with your infrastructure code. One could update the script to filter on the same major versions the code currently relies on, but I do not bother in my personal circumstances and prefer to know and upgrade my code.</p> <p>If I find any changes, I regenerate the Opentofu/Terraform lock file.</p> <p>With this considered, I can forego proper parsing for the simpler:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">get_latest_version<span class="o">()</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="nb">local</span> <span class="nv">source</span><span class="o">=</span><span class="nv">$1</span> latest </span></span><span class="line"><span class="cl"> <span class="k">if</span> ! <span class="nv">latest</span><span class="o">=</span><span class="k">$(</span>curl -fsSL <span class="s2">&#34;https://registry.terraform.io/v1/providers/</span><span class="si">${</span><span class="nv">source</span><span class="si">}</span><span class="s2">/versions&#34;</span> <span class="p">|</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> jq -r <span class="s1">&#39;.versions[].version&#39;</span> <span class="p">|</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> sort -V <span class="p">|</span> tail -n1<span class="k">)</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> <span class="s2">&#34;failed to get </span><span class="nv">$source</span><span class="s2"> tofu provider version from the registry&#34;</span> &gt;<span class="p">&amp;</span>2<span class="p">;</span> <span class="nb">exit</span> <span class="m">1</span> </span></span><span class="line"><span class="cl"> <span class="k">fi</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="o">[[</span> -z <span class="s2">&#34;</span><span class="nv">$latest</span><span class="s2">&#34;</span> <span class="o">]]</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> <span class="s2">&#34;failed to get a non empty </span><span class="nv">$source</span><span class="s2"> tofu provider version number&#34;</span> &gt;<span class="p">&amp;</span><span class="m">2</span> </span></span><span class="line"><span class="cl"> <span class="nb">exit</span> <span class="m">2</span> </span></span><span class="line"><span class="cl"> <span class="k">fi</span> </span></span><span class="line"><span class="cl"> <span class="nb">printf</span> <span class="s1">&#39;%s&#39;</span> <span class="s2">&#34;</span><span class="nv">$latest</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">process_tf_file<span class="o">()</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="nb">local</span> line <span class="nb">source</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="nv">IFS</span><span class="o">=</span> <span class="nb">read</span> -r line &lt;<span class="p">&amp;</span>3<span class="p">;</span> <span class="k">do</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="o">[[</span> <span class="s2">&#34;</span><span class="nv">$line</span><span class="s2">&#34;</span> <span class="o">=</span>~ ^<span class="o">[[</span>:space:<span class="o">]]</span>+source<span class="o">[[</span>:space:<span class="o">]]</span>+<span class="o">=[[</span>:space:<span class="o">]]</span><span class="se">\&#34;</span><span class="o">([</span>A-Za-z0-9/<span class="o">]</span>+<span class="o">)</span><span class="se">\&#34;</span>$ <span class="o">]]</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> <span class="nb">printf</span> <span class="s1">&#39;%s\n&#39;</span> <span class="s2">&#34;</span><span class="nv">$line</span><span class="s2">&#34;</span> &gt;<span class="p">&amp;</span><span class="m">4</span> </span></span><span class="line"><span class="cl"> <span class="nv">source</span><span class="o">=</span><span class="s2">&#34;</span><span class="si">${</span><span class="nv">BASH_REMATCH</span><span class="p">[1]</span><span class="si">}</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="k">elif</span> <span class="o">[[</span> <span class="s2">&#34;</span><span class="nv">$line</span><span class="s2">&#34;</span> <span class="o">=</span>~ ^<span class="o">([[</span>:space:<span class="o">]]</span>+version<span class="o">[[</span>:space:<span class="o">]]</span>+<span class="o">=[[</span>:space:<span class="o">]])</span><span class="se">\&#34;</span><span class="o">[</span>0-9<span class="se">\.</span><span class="o">]</span>+<span class="se">\&#34;</span>$ <span class="o">]]</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> <span class="nb">printf</span> <span class="s1">&#39;%s&#34;%s&#34;\n&#39;</span> <span class="s2">&#34;</span><span class="si">${</span><span class="nv">BASH_REMATCH</span><span class="p">[1]</span><span class="si">}</span><span class="s2">&#34;</span> <span class="s2">&#34;</span><span class="k">$(</span>get_latest_version <span class="s2">&#34;</span><span class="nv">$source</span><span class="s2">&#34;</span><span class="k">)</span><span class="s2">&#34;</span> &gt;<span class="p">&amp;</span><span class="m">4</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="nb">printf</span> <span class="s1">&#39;%s\n&#39;</span> <span class="s2">&#34;</span><span class="nv">$line</span><span class="s2">&#34;</span> &gt;<span class="p">&amp;</span><span class="m">4</span> </span></span><span class="line"><span class="cl"> <span class="k">fi</span> </span></span><span class="line"><span class="cl"> <span class="k">done</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl"><span class="nb">exec</span> 3&lt;providers.tf </span></span><span class="line"><span class="cl"><span class="nb">exec</span> 4&gt;<span class="p">|</span>providers_new.tf </span></span><span class="line"><span class="cl">process_tf_file </span></span><span class="line"><span class="cl"><span class="nb">exec</span> 3&lt;<span class="p">&amp;</span>- </span></span><span class="line"><span class="cl"><span class="nb">exec</span> 4&gt;<span class="p">&amp;</span>- </span></span><span class="line"><span class="cl">mv providers_new.tf providers.tf </span></span><span class="line"><span class="cl"><span class="k">if</span> ! git diff --quiet providers.tf<span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> tofu providers lock -platform<span class="o">=</span>linux_amd64 </span></span><span class="line"><span class="cl"><span class="k">fi</span> </span></span></code></pre></div><h2 id="conclusion">Conclusion</h2> <p>Dependency management and updates are tricky subjects, and I am a firm believer that reducing the amount of dependencies is the best thing you can do in the long term. Dependency management software is no exception in my view, as they are another rather big dependency themselves.</p> <p>Last but not least: this scripting approach makes me happy than I can discover new updates and bump pinned versions with a few curl, jq commands and regexes tailored to my stack.</p>/blog/2026/01/15/using-forgejo-actions-without-nodejs/2026-01-15/blog/2026/01/15/using-forgejo-actions-without-nodejs/<h2 id="introduction">Introduction</h2> <p>I have been using Forgejo Actions to run CI tasks for about a year. I have been mostly content with them because they are well integrated with Forgejo itself, but I always thoroughly disliked relying on a stack of nodejs Actions that do way too much and that need to be updated way too often.</p> <p>With all the supply chain attacks that make the headlines on hacker news, I started experimenting with simple handwritten shell actions that do only the minimal subset of what I need.</p> <h2 id="checkout">Checkout</h2> <p>The most commonly used Action must be <code>actions/checkout</code> which is the first step of almost every CI job. I suspect most Action users must have never looked at the source code of this action, but I encourage you to do so. Excluding tests, there are about 3k lines of typescript code, and it in turn has dependencies on other actions and libraries.</p> <p>After years of GitHub Actions and now Forgejo Actions, I can count on one hand the number of times when I needed more than the simplest shallow clone. Therefore I replaced this action with:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;checkout&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">run</span><span class="p">:</span><span class="w"> </span><span class="p">|</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> set -eu </span></span></span><span class="line"><span class="cl"><span class="sd"> git init --quiet --initial-branch main </span></span></span><span class="line"><span class="cl"><span class="sd"> git remote add origin &#34;https://git.adyxax.org/${GITHUB_REPOSITORY}.git&#34; </span></span></span><span class="line"><span class="cl"><span class="sd"> git fetch --quiet --no-tags --depth=1 origin &#34;$GITHUB_SHA&#34; </span></span></span><span class="line"><span class="cl"><span class="sd"> git checkout --quiet &#34;$GITHUB_SHA&#34;</span><span class="w"> </span></span></span></code></pre></div><p>When I need to support authentication, submodules, git LFS, or to checkout only a few sparse files, this small boilerplate can easily be taylored.</p> <h2 id="complete-workflow-example">Complete workflow example</h2> <p>Using the same principles of minimal shell-based steps all the way, here is what this website&rsquo;s main workflow looks like now:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nn">---</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">on</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">push</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">branches</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s1">&#39;main&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">workflow_dispatch</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">jobs</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">all</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">runs-on</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;self-hosted&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">steps</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;checkout&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">run</span><span class="p">:</span><span class="w"> </span><span class="p">|</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> set -eu </span></span></span><span class="line"><span class="cl"><span class="sd"> git init --quiet --initial-branch main </span></span></span><span class="line"><span class="cl"><span class="sd"> git remote add origin &#34;https://git.adyxax.org/${GITHUB_REPOSITORY}.git&#34; </span></span></span><span class="line"><span class="cl"><span class="sd"> git fetch --quiet --no-tags --depth=1 origin &#34;$GITHUB_SHA&#34; </span></span></span><span class="line"><span class="cl"><span class="sd"> git checkout --quiet &#34;$GITHUB_SHA&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;fmt&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">run</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;./make.sh tidy --fail-if-dirty=true&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;build&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">run</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;./make.sh build&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># we need the build step done before running check because the `search`</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># server embeds the `index.html` file, which gets generated by hugo during</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># the build step.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;check&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">run</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;./make.sh check&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;deploy&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">run</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;./make.sh deploy&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">env</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">SSH_PRIVATE_KEY</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;${{ secrets.SSH_PRIVATE_KEY }}&#39;</span><span class="w"> </span></span></span></code></pre></div><p>The <code>make.sh</code> script from this example allows for both local development and CI Actions which is how I prefer to think about CI: as a thin wrapper around the same commands you run locally.</p> <p>I use a shell script because I am comfortable with shell scripting, but it could be a Perl or Raku script, a GNUmakefile or another tool as long as it can drive the full workflow locally using the same entrypoints as the CI.</p> <h2 id="conclusion">Conclusion</h2> <p>I do not mind a little boilerplate, especially when I know I will rarely need to update it. And if I ever do need to update it, it is so simple that I fully understand and control it.</p> <p>I did not mention a nice bonus: my CI is four times faster! The time spent building my blog went from about 24 seconds all the way down to about 6 seconds!</p> <p>The true test on this journey will be to migrate my Terraform providers Actions workflows, more about this in another article.</p>/blog/2026/01/06/advent-of-code-2025-in-haskell/2026-01-06/blog/2026/01/06/advent-of-code-2025-in-haskell/<h2 id="introduction">Introduction</h2> <p>I participated in <a href="https://adventofcode.com/2025">Advent of Code 2025</a> in Haskell. It was a fun experience as always! Why write about this now? Because I finished the last puzzle last Saturday!</p> <p>I did all the puzzles each day on time last December except for day 10: part 2 was harder than all the rest combined! Life happened around Christmas, and I took the usual long break away from the puzzles before finishing.</p> <h2 id="haskell-for-puzzles">Haskell for puzzles</h2> <p>The puzzles were all interesting without overstaying their welcome. Well except for day 10 part 2, but you need one of those for things to stay interesting! In this section I will present some of the days I enjoyed the most.</p> <p>One of my favourite puzzles was day 3 where you need to find number patterns in the input. I found <a href="https://git.adyxax.org/adyxax/advent-of-code/src/branch/master/2025/03-Lobby/second.hs">my solution</a> elegant:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-haskell" data-lang="haskell"><span class="line"><span class="cl"><span class="kr">type</span> <span class="kt">Input</span> <span class="ow">=</span> <span class="p">[</span><span class="kt">String</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nf">maxWithIndex</span> <span class="ow">::</span> <span class="kt">String</span> <span class="ow">-&gt;</span> <span class="p">(</span><span class="kt">Int</span><span class="p">,</span> <span class="kt">Char</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="nf">maxWithIndex</span> <span class="p">(</span><span class="n">x</span><span class="kt">:</span><span class="n">xs</span><span class="p">)</span> <span class="ow">=</span> <span class="kr">let</span> <span class="p">(</span><span class="kr">_</span><span class="p">,</span> <span class="n">i</span><span class="p">,</span> <span class="n">m</span><span class="p">)</span> <span class="ow">=</span> <span class="kt">L</span><span class="o">.</span><span class="n">foldl&#39;</span> <span class="n">step</span> <span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="n">x</span><span class="p">)</span> <span class="n">xs</span> <span class="kr">in</span> <span class="p">(</span><span class="n">i</span><span class="p">,</span> <span class="n">m</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="kr">where</span> </span></span><span class="line"><span class="cl"> <span class="n">step</span> <span class="ow">::</span> <span class="p">(</span><span class="kt">Int</span><span class="p">,</span> <span class="kt">Int</span><span class="p">,</span> <span class="kt">Char</span><span class="p">)</span> <span class="ow">-&gt;</span> <span class="kt">Char</span> <span class="ow">-&gt;</span> <span class="p">(</span><span class="kt">Int</span><span class="p">,</span> <span class="kt">Int</span><span class="p">,</span> <span class="kt">Char</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">step</span> <span class="p">(</span><span class="n">index</span><span class="p">,</span> <span class="n">maxIndex</span><span class="p">,</span> <span class="n">max</span><span class="p">)</span> <span class="n">c</span> <span class="o">|</span> <span class="n">max</span> <span class="o">&lt;</span> <span class="n">c</span> <span class="ow">=</span> <span class="p">(</span><span class="n">index</span> <span class="o">+</span> <span class="mi">1</span><span class="p">,</span> <span class="n">index</span><span class="p">,</span> <span class="n">c</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="o">|</span> <span class="n">otherwise</span> <span class="ow">=</span> <span class="p">(</span><span class="n">index</span> <span class="o">+</span> <span class="mi">1</span><span class="p">,</span> <span class="n">maxIndex</span><span class="p">,</span> <span class="n">max</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nf">compute</span> <span class="ow">::</span> <span class="kt">Input</span> <span class="ow">-&gt;</span> <span class="kt">Int</span> </span></span><span class="line"><span class="cl"><span class="nf">compute</span> <span class="ow">=</span> <span class="n">sum</span> <span class="o">.</span> <span class="n">map</span> <span class="n">compute&#39;</span> </span></span><span class="line"><span class="cl"> <span class="kr">where</span> </span></span><span class="line"><span class="cl"> <span class="n">compute&#39;</span> <span class="ow">::</span> <span class="kt">String</span> <span class="ow">-&gt;</span> <span class="kt">Int</span> </span></span><span class="line"><span class="cl"> <span class="n">compute&#39;</span> <span class="n">n</span> <span class="ow">=</span> <span class="n">read</span> <span class="o">.</span> <span class="n">fst</span> <span class="o">$</span> <span class="kt">L</span><span class="o">.</span><span class="n">foldl&#39;</span> <span class="n">compute&#39;&#39;</span> <span class="p">(</span><span class="s">&#34;&#34;</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="o">$</span> <span class="n">drop</span> <span class="p">(</span><span class="n">length</span> <span class="n">n</span> <span class="o">-</span> <span class="mi">11</span><span class="p">)</span> <span class="o">$</span> <span class="kt">L</span><span class="o">.</span><span class="n">inits</span> <span class="n">n</span> </span></span><span class="line"><span class="cl"> <span class="n">compute&#39;&#39;</span> <span class="ow">::</span> <span class="p">(</span><span class="kt">String</span><span class="p">,</span> <span class="kt">Int</span><span class="p">)</span> <span class="ow">-&gt;</span> <span class="kt">String</span> <span class="ow">-&gt;</span> <span class="p">(</span><span class="kt">String</span><span class="p">,</span> <span class="kt">Int</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">compute&#39;&#39;</span> <span class="p">(</span><span class="n">acc</span><span class="p">,</span> <span class="n">i</span><span class="p">)</span> <span class="n">s</span> <span class="ow">=</span> <span class="kr">let</span> <span class="p">(</span><span class="n">ai</span><span class="p">,</span> <span class="n">a</span><span class="p">)</span> <span class="ow">=</span> <span class="n">maxWithIndex</span> <span class="p">(</span><span class="n">drop</span> <span class="n">i</span> <span class="n">s</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="kr">in</span> <span class="p">(</span><span class="n">acc</span> <span class="o">++</span> <span class="p">[</span><span class="n">a</span><span class="p">],</span> <span class="n">i</span> <span class="o">+</span> <span class="n">ai</span> <span class="o">+</span> <span class="mi">1</span><span class="p">)</span> </span></span></code></pre></div><p>I found <a href="https://git.adyxax.org/adyxax/advent-of-code/src/branch/master/2025/05-Cafeteria/second.hs">Day 5</a> particularly satisfying to write. The puzzle is about merging intervals:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-haskell" data-lang="haskell"><span class="line"><span class="cl"><span class="kr">type</span> <span class="kt">Interval</span> <span class="ow">=</span> <span class="p">(</span><span class="kt">Int</span><span class="p">,</span> <span class="kt">Int</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="kr">data</span> <span class="kt">Input</span> <span class="ow">=</span> <span class="kt">Input</span> <span class="p">[</span><span class="kt">Interval</span><span class="p">]</span> <span class="p">[</span><span class="kt">Int</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nf">compute</span> <span class="ow">::</span> <span class="kt">Input</span> <span class="ow">-&gt;</span> <span class="kt">Int</span> </span></span><span class="line"><span class="cl"><span class="nf">compute</span> <span class="p">(</span><span class="kt">Input</span> <span class="n">intervals</span> <span class="kr">_</span><span class="p">)</span> <span class="ow">=</span> <span class="n">sum</span> <span class="o">$</span> <span class="n">map</span> <span class="n">ilen</span> <span class="n">intervals&#39;</span> </span></span><span class="line"><span class="cl"> <span class="kr">where</span> </span></span><span class="line"><span class="cl"> <span class="n">ilen</span> <span class="ow">::</span> <span class="kt">Interval</span> <span class="ow">-&gt;</span> <span class="kt">Int</span> </span></span><span class="line"><span class="cl"> <span class="n">ilen</span> <span class="p">(</span><span class="n">a</span><span class="p">,</span> <span class="n">b</span><span class="p">)</span> <span class="ow">=</span> <span class="n">b</span> <span class="o">-</span> <span class="n">a</span> <span class="o">+</span> <span class="mi">1</span> </span></span><span class="line"><span class="cl"> <span class="p">(</span><span class="n">i</span><span class="kt">:</span><span class="n">is</span><span class="p">)</span> <span class="ow">=</span> <span class="kt">L</span><span class="o">.</span><span class="n">sortOn</span> <span class="n">fst</span> <span class="n">intervals</span> </span></span><span class="line"><span class="cl"> <span class="n">intervals&#39;</span> <span class="ow">=</span> <span class="kt">L</span><span class="o">.</span><span class="n">foldl&#39;</span> <span class="n">step</span> <span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="n">is</span> </span></span><span class="line"><span class="cl"> <span class="n">step</span> <span class="ow">::</span> <span class="p">[</span><span class="kt">Interval</span><span class="p">]</span> <span class="ow">-&gt;</span> <span class="kt">Interval</span> <span class="ow">-&gt;</span> <span class="p">[</span><span class="kt">Interval</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="n">step</span> <span class="n">acc</span><span class="o">@</span><span class="p">((</span><span class="n">c</span><span class="p">,</span> <span class="n">d</span><span class="p">)</span><span class="kt">:</span><span class="n">xs</span><span class="p">)</span> <span class="n">i</span><span class="o">@</span><span class="p">(</span><span class="n">a</span><span class="p">,</span> <span class="n">b</span><span class="p">)</span> <span class="o">|</span> <span class="n">a</span> <span class="o">&gt;</span> <span class="n">d</span> <span class="ow">=</span> <span class="n">i</span><span class="kt">:</span><span class="n">acc</span> </span></span><span class="line"><span class="cl"> <span class="o">|</span> <span class="n">otherwise</span> <span class="ow">=</span> <span class="p">(</span><span class="n">c</span><span class="p">,</span> <span class="n">max</span> <span class="n">b</span> <span class="n">d</span><span class="p">)</span><span class="kt">:</span><span class="n">xs</span> </span></span></code></pre></div><p><a href="https://git.adyxax.org/adyxax/advent-of-code/src/branch/master/2025/06-Trash_Compactor/second.hs">Day 6</a> was all about parsing operations with a twist (we transpose the input to parse column wise), and I always enjoy these problems:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-haskell" data-lang="haskell"><span class="line"><span class="cl"><span class="kr">data</span> <span class="kt">Op</span> <span class="ow">=</span> <span class="kt">Add</span> <span class="o">|</span> <span class="kt">Mul</span> <span class="kr">deriving</span> <span class="p">(</span><span class="kt">Eq</span><span class="p">,</span> <span class="kt">Show</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="kr">type</span> <span class="kt">Input</span> <span class="ow">=</span> <span class="p">[</span><span class="kt">Int</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="kr">type</span> <span class="kt">Parser</span> <span class="ow">=</span> <span class="kt">Parsec</span> <span class="kt">Void</span> <span class="kt">String</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nf">parseNumber</span> <span class="ow">::</span> <span class="kt">Parser</span> <span class="kt">Int</span> </span></span><span class="line"><span class="cl"><span class="nf">parseNumber</span> <span class="ow">=</span> <span class="n">read</span> <span class="o">&lt;$&gt;</span> <span class="p">(</span><span class="n">some</span> <span class="n">digitChar</span> <span class="o">&lt;*</span> <span class="n">optional</span> <span class="n">hspace</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nf">parseOp&#39;</span> <span class="ow">::</span> <span class="kt">Parser</span> <span class="kt">Op</span> </span></span><span class="line"><span class="cl"><span class="nf">parseOp&#39;</span> <span class="ow">=</span> <span class="n">char</span> <span class="sc">&#39;+&#39;</span> <span class="o">$&gt;</span> <span class="kt">Add</span> </span></span><span class="line"><span class="cl"> <span class="o">&lt;|&gt;</span> <span class="n">char</span> <span class="sc">&#39;*&#39;</span> <span class="o">$&gt;</span> <span class="kt">Mul</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nf">parseOp</span> <span class="ow">::</span> <span class="kt">Parser</span> <span class="kt">Int</span> </span></span><span class="line"><span class="cl"><span class="nf">parseOp</span> <span class="ow">=</span> <span class="kr">do</span> </span></span><span class="line"><span class="cl"> <span class="n">n</span> <span class="ow">&lt;-</span> <span class="n">optional</span> <span class="n">hspace</span> <span class="o">*&gt;</span> <span class="n">parseNumber</span> </span></span><span class="line"><span class="cl"> <span class="n">op</span> <span class="ow">&lt;-</span> <span class="n">parseOp&#39;</span> <span class="o">&lt;*</span> <span class="n">eol</span> </span></span><span class="line"><span class="cl"> <span class="n">ns</span> <span class="ow">&lt;-</span> <span class="n">some</span> <span class="p">(</span><span class="n">optional</span> <span class="n">hspace</span> <span class="o">*&gt;</span> <span class="n">parseNumber</span> <span class="o">&lt;*</span> <span class="n">eol</span> <span class="o">&lt;*</span> <span class="n">optional</span> <span class="n">hspace</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">pure</span> <span class="o">$</span> <span class="kr">case</span> <span class="n">op</span> <span class="kr">of</span> </span></span><span class="line"><span class="cl"> <span class="kt">Add</span> <span class="ow">-&gt;</span> <span class="n">sum</span> <span class="o">$</span> <span class="n">n</span><span class="kt">:</span><span class="n">ns</span> </span></span><span class="line"><span class="cl"> <span class="kt">Mul</span> <span class="ow">-&gt;</span> <span class="n">product</span> <span class="o">$</span> <span class="n">n</span><span class="kt">:</span><span class="n">ns</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nf">parseInput&#39;</span> <span class="ow">::</span> <span class="kt">Parser</span> <span class="kt">Input</span> </span></span><span class="line"><span class="cl"><span class="nf">parseInput&#39;</span> <span class="ow">=</span> <span class="n">some</span> <span class="p">(</span><span class="n">parseOp</span> <span class="o">&lt;*</span> <span class="n">optional</span> <span class="n">eol</span><span class="p">)</span> <span class="o">&lt;*</span> <span class="n">eof</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nf">parseInput</span> <span class="ow">::</span> <span class="kt">String</span> <span class="ow">-&gt;</span> <span class="kt">IO</span> <span class="kt">Input</span> </span></span><span class="line"><span class="cl"><span class="nf">parseInput</span> <span class="n">filename</span> <span class="ow">=</span> <span class="kr">do</span> </span></span><span class="line"><span class="cl"> <span class="n">input</span> <span class="ow">&lt;-</span> <span class="n">lines</span> <span class="o">&lt;$&gt;</span> <span class="n">readFile</span> <span class="n">filename</span> </span></span><span class="line"><span class="cl"> <span class="kr">let</span> <span class="n">len</span> <span class="ow">=</span> <span class="n">maximum</span> <span class="o">$</span> <span class="n">map</span> <span class="n">length</span> <span class="n">input</span> </span></span><span class="line"><span class="cl"> <span class="n">input&#39;</span> <span class="ow">=</span> <span class="n">map</span> <span class="n">complete</span> <span class="n">input</span> </span></span><span class="line"><span class="cl"> <span class="n">complete</span> <span class="n">s</span> <span class="ow">=</span> <span class="n">s</span> <span class="o">++</span> <span class="n">take</span> <span class="p">(</span><span class="n">len</span> <span class="o">-</span> <span class="n">length</span> <span class="n">s</span><span class="p">)</span> <span class="p">(</span><span class="n">repeat</span> <span class="sc">&#39; &#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">input&#39;&#39;</span> <span class="ow">=</span> <span class="n">unlines</span> <span class="o">$</span> <span class="kt">L</span><span class="o">.</span><span class="n">transpose</span> <span class="n">input&#39;</span> </span></span><span class="line"><span class="cl"> <span class="kr">case</span> <span class="n">runParser</span> <span class="n">parseInput&#39;</span> <span class="n">filename</span> <span class="n">input&#39;&#39;</span> <span class="kr">of</span> </span></span><span class="line"><span class="cl"> <span class="kt">Left</span> <span class="n">bundle</span> <span class="ow">-&gt;</span> <span class="ne">error</span> <span class="o">$</span> <span class="n">errorBundlePretty</span> <span class="n">bundle</span> </span></span><span class="line"><span class="cl"> <span class="kt">Right</span> <span class="n">input&#39;</span> <span class="ow">-&gt;</span> <span class="n">return</span> <span class="n">input&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nf">compute</span> <span class="ow">::</span> <span class="kt">Input</span> <span class="ow">-&gt;</span> <span class="kt">Int</span> </span></span><span class="line"><span class="cl"><span class="nf">compute</span> <span class="ow">=</span> <span class="n">sum</span> </span></span></code></pre></div><p><a href="https://git.adyxax.org/adyxax/advent-of-code/src/branch/master/2025/07-Laboratories/second.hs">Day 7</a> was a fun set-management puzzle, at least that&rsquo;s how I approached it. I also had fun using Parsec&rsquo;s <code>getSourcePos</code> escape hatch to get the abscissa of the element being parsed:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-haskell" data-lang="haskell"><span class="line"><span class="cl"><span class="kr">type</span> <span class="kt">Input</span> <span class="ow">=</span> <span class="p">[</span><span class="kt">S</span><span class="o">.</span><span class="kt">Set</span> <span class="kt">Int</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="kr">type</span> <span class="kt">Parser</span> <span class="ow">=</span> <span class="kt">Parsec</span> <span class="kt">Void</span> <span class="kt">String</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nf">parseTile</span> <span class="ow">::</span> <span class="kt">Parser</span> <span class="p">(</span><span class="kt">Maybe</span> <span class="kt">Int</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="nf">parseTile</span> <span class="ow">=</span> <span class="kr">do</span> </span></span><span class="line"><span class="cl"> <span class="kt">SourcePos</span> <span class="kr">_</span> <span class="kr">_</span> <span class="n">x</span> <span class="ow">&lt;-</span> <span class="n">getSourcePos</span> </span></span><span class="line"><span class="cl"> <span class="n">char</span> <span class="sc">&#39;.&#39;</span> <span class="o">$&gt;</span> <span class="kt">Nothing</span> <span class="o">&lt;|&gt;</span> <span class="p">(</span><span class="n">char</span> <span class="sc">&#39;^&#39;</span> <span class="o">&lt;|&gt;</span> <span class="n">char</span> <span class="sc">&#39;S&#39;</span><span class="p">)</span> <span class="o">$&gt;</span> <span class="kt">Just</span> <span class="p">(</span><span class="n">unPos</span> <span class="n">x</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nf">parseLine</span> <span class="ow">::</span> <span class="kt">Parser</span> <span class="p">(</span><span class="kt">S</span><span class="o">.</span><span class="kt">Set</span> <span class="kt">Int</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="nf">parseLine</span> <span class="ow">=</span> <span class="kt">S</span><span class="o">.</span><span class="n">fromList</span> <span class="o">.</span> <span class="n">catMaybes</span> <span class="o">&lt;$&gt;</span> <span class="n">some</span> <span class="n">parseTile</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nf">parseInput&#39;</span> <span class="ow">::</span> <span class="kt">Parser</span> <span class="kt">Input</span> </span></span><span class="line"><span class="cl"><span class="nf">parseInput&#39;</span> <span class="ow">=</span> <span class="n">some</span> <span class="p">(</span><span class="n">parseLine</span> <span class="o">&lt;*</span> <span class="n">eol</span><span class="p">)</span> <span class="o">&lt;*</span> <span class="n">eof</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nf">parseInput</span> <span class="ow">::</span> <span class="kt">String</span> <span class="ow">-&gt;</span> <span class="kt">IO</span> <span class="kt">Input</span> </span></span><span class="line"><span class="cl"><span class="nf">parseInput</span> <span class="n">filename</span> <span class="ow">=</span> <span class="kr">do</span> </span></span><span class="line"><span class="cl"> <span class="n">input</span> <span class="ow">&lt;-</span> <span class="n">readFile</span> <span class="n">filename</span> </span></span><span class="line"><span class="cl"> <span class="kr">case</span> <span class="n">runParser</span> <span class="n">parseInput&#39;</span> <span class="n">filename</span> <span class="n">input</span> <span class="kr">of</span> </span></span><span class="line"><span class="cl"> <span class="kt">Left</span> <span class="n">bundle</span> <span class="ow">-&gt;</span> <span class="ne">error</span> <span class="o">$</span> <span class="n">errorBundlePretty</span> <span class="n">bundle</span> </span></span><span class="line"><span class="cl"> <span class="kt">Right</span> <span class="n">input&#39;</span> <span class="ow">-&gt;</span> <span class="n">return</span> <span class="n">input&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nf">compute</span> <span class="ow">::</span> <span class="kt">Input</span> <span class="ow">-&gt;</span> <span class="kt">Int</span> </span></span><span class="line"><span class="cl"><span class="nf">compute</span> <span class="p">(</span><span class="n">s</span><span class="kt">:</span><span class="n">ls</span><span class="p">)</span> <span class="ow">=</span> <span class="n">total</span> <span class="o">$</span> <span class="n">foldl&#39;</span> <span class="n">compute&#39;</span> <span class="p">(</span><span class="kt">M</span><span class="o">.</span><span class="n">fromList</span> <span class="o">$</span> <span class="n">zip</span> <span class="p">(</span><span class="kt">S</span><span class="o">.</span><span class="n">toList</span> <span class="n">s</span><span class="p">)</span> <span class="p">[</span><span class="mi">1</span><span class="p">])</span> <span class="n">ls</span> </span></span><span class="line"><span class="cl"> <span class="kr">where</span> </span></span><span class="line"><span class="cl"> <span class="n">total</span> <span class="ow">::</span> <span class="kt">M</span><span class="o">.</span><span class="kt">Map</span> <span class="kt">Int</span> <span class="kt">Int</span> <span class="ow">-&gt;</span> <span class="kt">Int</span> </span></span><span class="line"><span class="cl"> <span class="n">total</span> <span class="ow">=</span> <span class="kt">M</span><span class="o">.</span><span class="n">foldl&#39;</span> <span class="p">(</span><span class="o">+</span><span class="p">)</span> <span class="mi">0</span> </span></span><span class="line"><span class="cl"> <span class="n">compute&#39;</span> <span class="ow">::</span> <span class="kt">M</span><span class="o">.</span><span class="kt">Map</span> <span class="kt">Int</span> <span class="kt">Int</span> <span class="ow">-&gt;</span> <span class="kt">S</span><span class="o">.</span><span class="kt">Set</span> <span class="kt">Int</span> <span class="ow">-&gt;</span> <span class="kt">M</span><span class="o">.</span><span class="kt">Map</span> <span class="kt">Int</span> <span class="kt">Int</span> </span></span><span class="line"><span class="cl"> <span class="n">compute&#39;</span> <span class="n">acc</span> <span class="n">splitters</span> <span class="ow">=</span> <span class="kr">let</span> <span class="n">splits</span> <span class="ow">=</span> <span class="kt">S</span><span class="o">.</span><span class="n">intersection</span> <span class="p">(</span><span class="kt">S</span><span class="o">.</span><span class="n">fromList</span> <span class="o">$</span> <span class="kt">M</span><span class="o">.</span><span class="n">keys</span> <span class="n">acc</span><span class="p">)</span> <span class="n">splitters</span> </span></span><span class="line"><span class="cl"> <span class="n">continuingBeams</span> <span class="ow">=</span> <span class="kt">M</span><span class="o">.</span><span class="n">difference</span> <span class="n">acc</span> <span class="o">$</span> <span class="kt">M</span><span class="o">.</span><span class="n">fromList</span> <span class="o">$</span> <span class="n">zip</span> <span class="p">(</span><span class="kt">S</span><span class="o">.</span><span class="n">toList</span> <span class="n">splits</span><span class="p">)</span> <span class="o">$</span> <span class="n">repeat</span> <span class="mi">0</span> </span></span><span class="line"><span class="cl"> <span class="kr">in</span> <span class="kt">S</span><span class="o">.</span><span class="n">foldl&#39;</span> <span class="p">(</span><span class="n">split</span> <span class="n">acc</span><span class="p">)</span> <span class="n">continuingBeams</span> <span class="n">splits</span> </span></span><span class="line"><span class="cl"> <span class="n">split</span> <span class="ow">::</span> <span class="kt">M</span><span class="o">.</span><span class="kt">Map</span> <span class="kt">Int</span> <span class="kt">Int</span> <span class="ow">-&gt;</span> <span class="kt">M</span><span class="o">.</span><span class="kt">Map</span> <span class="kt">Int</span> <span class="kt">Int</span> <span class="ow">-&gt;</span> <span class="kt">Int</span> <span class="ow">-&gt;</span> <span class="kt">M</span><span class="o">.</span><span class="kt">Map</span> <span class="kt">Int</span> <span class="kt">Int</span> </span></span><span class="line"><span class="cl"> <span class="n">split</span> <span class="n">origin</span> <span class="n">acc</span> <span class="n">i</span> <span class="ow">=</span> <span class="kr">let</span> <span class="n">v</span> <span class="ow">=</span> <span class="n">origin</span> <span class="kt">M</span><span class="o">.!</span> <span class="n">i</span> </span></span><span class="line"><span class="cl"> <span class="n">acc&#39;</span> <span class="ow">=</span> <span class="kr">case</span> <span class="kt">M</span><span class="o">.</span><span class="n">lookup</span> <span class="p">(</span><span class="n">i</span><span class="o">+</span><span class="mi">1</span><span class="p">)</span> <span class="n">acc</span> <span class="kr">of</span> </span></span><span class="line"><span class="cl"> <span class="kt">Just</span> <span class="n">n</span> <span class="ow">-&gt;</span> <span class="kt">M</span><span class="o">.</span><span class="n">insert</span> <span class="p">(</span><span class="n">i</span><span class="o">+</span><span class="mi">1</span><span class="p">)</span> <span class="p">(</span><span class="n">n</span><span class="o">+</span><span class="n">v</span><span class="p">)</span> <span class="n">acc</span> </span></span><span class="line"><span class="cl"> <span class="kt">Nothing</span> <span class="ow">-&gt;</span> <span class="kt">M</span><span class="o">.</span><span class="n">insert</span> <span class="p">(</span><span class="n">i</span><span class="o">+</span><span class="mi">1</span><span class="p">)</span> <span class="n">v</span> <span class="n">acc</span> </span></span><span class="line"><span class="cl"> <span class="kr">in</span> <span class="kr">case</span> <span class="kt">M</span><span class="o">.</span><span class="n">lookup</span> <span class="p">(</span><span class="n">i</span><span class="o">-</span><span class="mi">1</span><span class="p">)</span> <span class="n">acc</span> <span class="kr">of</span> </span></span><span class="line"><span class="cl"> <span class="kt">Just</span> <span class="n">n</span> <span class="ow">-&gt;</span> <span class="kt">M</span><span class="o">.</span><span class="n">insert</span> <span class="p">(</span><span class="n">i</span><span class="o">-</span><span class="mi">1</span><span class="p">)</span> <span class="p">(</span><span class="n">n</span><span class="o">+</span><span class="n">v</span><span class="p">)</span> <span class="n">acc&#39;</span> </span></span><span class="line"><span class="cl"> <span class="kt">Nothing</span> <span class="ow">-&gt;</span> <span class="kt">M</span><span class="o">.</span><span class="n">insert</span> <span class="p">(</span><span class="n">i</span><span class="o">-</span><span class="mi">1</span><span class="p">)</span> <span class="n">v</span> <span class="n">acc&#39;</span> </span></span></code></pre></div><p>I solved <a href="https://git.adyxax.org/adyxax/advent-of-code/src/branch/master/2025/10-Factory/second.hs">day 10</a> by very stubbornly writing a solver for underconstrained systems of linear equations, and it was a lot of fun!</p> <p><a href="https://git.adyxax.org/adyxax/advent-of-code/src/branch/master/2025/11-Reactor/second.hs">Day 11</a> might have been my favourite this year. It is about memoization and graph exploration:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-haskell" data-lang="haskell"><span class="line"><span class="cl"><span class="kr">type</span> <span class="kt">Label</span> <span class="ow">=</span> <span class="kt">String</span> </span></span><span class="line"><span class="cl"><span class="kr">type</span> <span class="kt">Device</span> <span class="ow">=</span> <span class="p">(</span><span class="kt">Label</span><span class="p">,</span> <span class="p">[</span><span class="kt">Label</span><span class="p">])</span> </span></span><span class="line"><span class="cl"><span class="kr">type</span> <span class="kt">Input</span> <span class="ow">=</span> <span class="kt">M</span><span class="o">.</span><span class="kt">Map</span> <span class="kt">Label</span> <span class="p">[</span><span class="kt">Label</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="kr">type</span> <span class="kt">Memo</span> <span class="ow">=</span> <span class="kt">M</span><span class="o">.</span><span class="kt">Map</span> <span class="p">(</span><span class="kt">Bool</span><span class="p">,</span> <span class="kt">Bool</span><span class="p">,</span> <span class="kt">Label</span><span class="p">)</span> <span class="kt">Int</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nf">compute</span> <span class="ow">::</span> <span class="kt">Input</span> <span class="ow">-&gt;</span> <span class="kt">Int</span> </span></span><span class="line"><span class="cl"><span class="nf">compute</span> <span class="n">input</span> <span class="ow">=</span> <span class="p">(</span><span class="nf">\</span><span class="p">(</span><span class="n">a</span><span class="p">,</span> <span class="n">b</span><span class="p">)</span> <span class="ow">-&gt;</span> <span class="n">trace</span> <span class="p">(</span><span class="n">show</span> <span class="n">a</span><span class="p">)</span> <span class="n">b</span><span class="p">)</span> <span class="o">$</span> <span class="kt">L</span><span class="o">.</span><span class="n">foldl&#39;</span> <span class="n">step</span> <span class="p">(</span><span class="kt">M</span><span class="o">.</span><span class="n">empty</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="p">[(</span><span class="kt">False</span><span class="p">,</span> <span class="kt">False</span><span class="p">,</span> <span class="s">&#34;svr&#34;</span><span class="p">)]</span> </span></span><span class="line"><span class="cl"> <span class="kr">where</span> </span></span><span class="line"><span class="cl"> <span class="n">step</span> <span class="ow">::</span> <span class="p">(</span><span class="kt">Memo</span><span class="p">,</span> <span class="kt">Int</span><span class="p">)</span> <span class="ow">-&gt;</span> <span class="p">(</span><span class="kt">Bool</span><span class="p">,</span> <span class="kt">Bool</span><span class="p">,</span> <span class="kt">Label</span><span class="p">)</span> <span class="ow">-&gt;</span> <span class="p">(</span><span class="kt">Memo</span><span class="p">,</span> <span class="kt">Int</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">step</span> <span class="p">(</span><span class="n">m</span><span class="p">,</span> <span class="n">a</span><span class="p">)</span> <span class="p">(</span><span class="kt">True</span><span class="p">,</span> <span class="kt">True</span><span class="p">,</span> <span class="s">&#34;out&#34;</span><span class="p">)</span> <span class="ow">=</span> <span class="p">(</span><span class="n">m</span><span class="p">,</span> <span class="n">a</span><span class="o">+</span><span class="mi">1</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">step</span> <span class="n">acc</span> <span class="p">(</span><span class="kr">_</span><span class="p">,</span> <span class="kr">_</span><span class="p">,</span> <span class="s">&#34;out&#34;</span><span class="p">)</span> <span class="ow">=</span> <span class="n">acc</span> </span></span><span class="line"><span class="cl"> <span class="n">step</span> <span class="n">acc</span><span class="o">@</span><span class="p">(</span><span class="n">m</span><span class="p">,</span> <span class="n">a</span><span class="p">)</span> <span class="n">e</span><span class="o">@</span><span class="p">(</span><span class="n">d</span><span class="p">,</span> <span class="n">f</span><span class="p">,</span> <span class="n">l</span><span class="p">)</span> <span class="ow">=</span> <span class="kr">case</span> <span class="kt">M</span><span class="o">.</span><span class="n">lookup</span> <span class="n">e</span> <span class="n">m</span> <span class="kr">of</span> </span></span><span class="line"><span class="cl"> <span class="kt">Just</span> <span class="n">v</span> <span class="ow">-&gt;</span> <span class="p">(</span><span class="n">m</span><span class="p">,</span> <span class="n">a</span><span class="o">+</span><span class="n">v</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="kt">Nothing</span> <span class="ow">-&gt;</span> <span class="kr">let</span> <span class="p">(</span><span class="n">m&#39;</span><span class="p">,</span> <span class="n">a&#39;</span><span class="p">)</span> <span class="ow">=</span> <span class="kt">L</span><span class="o">.</span><span class="n">foldl&#39;</span> <span class="n">step</span> <span class="p">(</span><span class="n">m</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="o">$</span> <span class="n">zip3</span> <span class="p">(</span><span class="n">repeat</span> <span class="o">$</span> <span class="kr">if</span> <span class="n">l</span> <span class="o">==</span> <span class="s">&#34;dac&#34;</span> <span class="kr">then</span> <span class="kt">True</span> <span class="kr">else</span> <span class="n">d</span><span class="p">)</span> <span class="p">(</span><span class="n">repeat</span> <span class="o">$</span> <span class="kr">if</span> <span class="n">l</span> <span class="o">==</span> <span class="s">&#34;fft&#34;</span> <span class="kr">then</span> <span class="kt">True</span> <span class="kr">else</span> <span class="n">f</span><span class="p">)</span> <span class="p">(</span><span class="n">input</span> <span class="kt">M</span><span class="o">.!</span> <span class="n">l</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="kr">in</span> <span class="p">(</span><span class="kt">M</span><span class="o">.</span><span class="n">insert</span> <span class="n">e</span> <span class="n">a&#39;</span> <span class="n">m&#39;</span><span class="p">,</span> <span class="n">a</span> <span class="o">+</span> <span class="n">a&#39;</span><span class="p">)</span> </span></span></code></pre></div><h2 id="some-befunge-fun">Some Befunge fun</h2> <p>I only did day 1 in <a href="https://github.com/catseye/Funge-98/blob/master/doc/funge98.markdown">befunge</a>, but it was fun. I would love to do more puzzles in befunge but I really lack the time commitment.</p> <p>Part1 is about simple parsing and keeping track of counters and modulos:</p> <pre tabindex="0"><code class="language-befunge" data-lang="befunge">000p5a*&gt;6j@.g000~&amp;~$\&#39;L-| ^ _v#:%d&#39;&lt;-&lt; ^p00+1g00&lt; ^+&lt; </code></pre><p>Part2 is a bit more complex because you need some math, but not too bad:</p> <pre tabindex="0"><code class="language-befunge" data-lang="befunge">p5a*10p&gt;6j@.g000~&amp;~$\&#39;L-| v &gt;:10g\-&#39;d%&#39;d+&#39;d%\10g\:0w ;^p01p00+g00/d&#39;+&lt; &lt;;# &lt; &gt;\:!#;_aa*\- ^ &gt;:10g+&#39;d%\10g^ &lt; </code></pre><h2 id="conclusion">Conclusion</h2> <p>I will always recommend tackling this kind of challenge: it is good to maintain or develop proficiency in a programming language. Also I love Haskell! I wish I could use it daily and not just for seasonal puzzles.</p>/blog/2025/11/25/wireguard-jail-on-freebsd/2025-11-25/blog/2025/11/25/wireguard-jail-on-freebsd/<h2 id="introduction">Introduction</h2> <p>One of my readers contacted me with an interesting question regarding Wireguard on FreeBSD: how to run Wireguard inside a jail instead of on the host. I only ever ran Wireguard on the host since that&rsquo;s where I centralize all my routing and firewalling but was curious to explore the question.</p> <h2 id="requirements">Requirements</h2> <p>Nowadays Wireguard is easier to configure than ever on FreeBSD! But running it inside a jail needs two things that might not be straightforward: adding the <code>if_wg</code> module to <code>/boot/loader.conf</code> and using a <code>vnet</code> jail that exposes the right <code>devfs</code> rule set.</p> <p>I did not take for granted that the <code>if_wg</code> kernel module handled jails properly, so I checked the sources. Good news is that the module seems to have enough jail specific code to properly handle the network segregation.</p> <h3 id="loaderconf">Loader.conf</h3> <p>When running Wireguard on the host, the kernel module is loaded automatically by an <code>ifconfig wg0 create</code> command. While running inside a jail though, this command will produce the following error message:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">SIOCIFCREATE2 <span class="o">(</span>wg0<span class="o">)</span>: Invalid argument </span></span></code></pre></div><p>This is because ifconfig inside the jail does not have permissions to load kernel modules. To work around that, ensure that the module is loaded on boot by adding the following to <code>/boot/loader.conf</code>:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="nv">if_wg_load</span><span class="o">=</span><span class="s2">&#34;YES&#34;</span> </span></span></code></pre></div><h3 id="vnet-jail">Vnet jail</h3> <p>A standard vnet jail without special permissions is enough to run Wireguard. Just make sure to use the same <code>devfs</code> statements that I have in my <code>/etc/jail.conf.d/wireguard.conf</code> file:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">wireguard <span class="o">{</span> </span></span><span class="line"><span class="cl"> exec.consolelog <span class="o">=</span> <span class="s2">&#34;/var/log/jail_console_</span><span class="si">${</span><span class="nv">name</span><span class="si">}</span><span class="s2">.log&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># PERMISSIONS</span> </span></span><span class="line"><span class="cl"> exec.clean<span class="p">;</span> </span></span><span class="line"><span class="cl"> mount.devfs<span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nv">devfs_ruleset</span> <span class="o">=</span> 5<span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># HOSTNAME/PATH</span> </span></span><span class="line"><span class="cl"> host.hostname <span class="o">=</span> <span class="s2">&#34;</span><span class="si">${</span><span class="nv">name</span><span class="si">}</span><span class="s2">&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nv">path</span> <span class="o">=</span> <span class="s2">&#34;/usr/local/jails/containers/</span><span class="si">${</span><span class="nv">name</span><span class="si">}</span><span class="s2">&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># NETWORK</span> </span></span><span class="line"><span class="cl"> vnet<span class="p">;</span> </span></span><span class="line"><span class="cl"> vnet.interface <span class="o">=</span> <span class="s2">&#34;</span><span class="si">${</span><span class="nv">epair</span><span class="si">}</span><span class="s2">b&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nv">$id</span> <span class="o">=</span> <span class="s2">&#34;154&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nv">$ip</span> <span class="o">=</span> <span class="s2">&#34;10.0.2.</span><span class="si">${</span><span class="nv">id</span><span class="si">}</span><span class="s2">/24&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nv">$gateway</span> <span class="o">=</span> <span class="s2">&#34;10.0.2.2&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nv">$bridge</span> <span class="o">=</span> <span class="s2">&#34;bridge0&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nv">$epair</span> <span class="o">=</span> <span class="s2">&#34;epair</span><span class="si">${</span><span class="nv">id</span><span class="si">}</span><span class="s2">&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="c1"># ADD TO bridge INTERFACE</span> </span></span><span class="line"><span class="cl"> exec.prestart <span class="o">=</span> <span class="s2">&#34;/sbin/ifconfig </span><span class="si">${</span><span class="nv">epair</span><span class="si">}</span><span class="s2"> create up&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> exec.prestart +<span class="o">=</span> <span class="s2">&#34;/sbin/ifconfig </span><span class="si">${</span><span class="nv">epair</span><span class="si">}</span><span class="s2">a up descr jail:</span><span class="si">${</span><span class="nv">name</span><span class="si">}</span><span class="s2">&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> exec.prestart +<span class="o">=</span> <span class="s2">&#34;/sbin/ifconfig </span><span class="si">${</span><span class="nv">bridge</span><span class="si">}</span><span class="s2"> addm </span><span class="si">${</span><span class="nv">epair</span><span class="si">}</span><span class="s2">a up&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> exec.start <span class="o">=</span> <span class="s2">&#34;/sbin/ifconfig </span><span class="si">${</span><span class="nv">epair</span><span class="si">}</span><span class="s2">b </span><span class="si">${</span><span class="nv">ip</span><span class="si">}</span><span class="s2"> up&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> exec.start +<span class="o">=</span> <span class="s2">&#34;/sbin/route add default </span><span class="si">${</span><span class="nv">gateway</span><span class="si">}</span><span class="s2">&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> exec.start +<span class="o">=</span> <span class="s2">&#34;/bin/sh /etc/rc&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> exec.stop <span class="o">=</span> <span class="s2">&#34;/bin/sh /etc/rc.shutdown&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> exec.poststop <span class="o">=</span> <span class="s2">&#34;/sbin/ifconfig </span><span class="si">${</span><span class="nv">bridge</span><span class="si">}</span><span class="s2"> deletem </span><span class="si">${</span><span class="nv">epair</span><span class="si">}</span><span class="s2">a&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> exec.poststop +<span class="o">=</span> <span class="s2">&#34;/sbin/ifconfig </span><span class="si">${</span><span class="nv">epair</span><span class="si">}</span><span class="s2">a destroy&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span></code></pre></div><p>Make sure to change the jail Id, IP network, gateway and bridge interface name to match your setup.</p> <h3 id="wireguard">Wireguard</h3> <p>Create the following files inside your jail. An easy way to do that is to start the jail and exec into it:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">service jail start wireguard </span></span><span class="line"><span class="cl">jexec wireguard sh </span></span></code></pre></div><p>Wireguard works out of the box on an up to date FreeBSD 14.3 without any additional packages like <code>wireguard-tools</code>. Just set the interface name and IP address in <code>/etc/rc.conf</code>:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="nv">network_interfaces</span><span class="o">=</span><span class="s2">&#34;wg0&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">ifconfig_wg0</span><span class="o">=</span><span class="s2">&#34;inet 10.1.2.18/24&#34;</span> </span></span></code></pre></div><p>Then add the following to <code>/etc/start_if.wg0</code>:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">ifconfig wg0 create </span></span><span class="line"><span class="cl">wg syncconf wg0 /etc/wg0.conf </span></span></code></pre></div><p>And finally your Wireguard configuration at <code>/etc/wg0.conf</code>:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="o">[</span>Interface<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="nv">PrivateKey</span> <span class="o">=</span> XXXXXX </span></span><span class="line"><span class="cl"><span class="nv">ListenPort</span> <span class="o">=</span> <span class="m">342</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>Peer<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="nv">PublicKey</span> <span class="o">=</span> R4A01RXXqRJSY9TiKQrZGR85HsFNSXxhRKKEu/bEdTQ<span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="nv">Endpoint</span> <span class="o">=</span> 168.119.114.183:342 </span></span><span class="line"><span class="cl"><span class="nv">AllowedIPs</span> <span class="o">=</span> 10.1.2.9/32 </span></span><span class="line"><span class="cl"><span class="nv">PersistentKeepalive</span> <span class="o">=</span> <span class="m">60</span> </span></span></code></pre></div><p>Start or restart your jail, then confirm that Wireguard is running properly with:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">jexec wireguard ifconfig wg0 </span></span><span class="line"><span class="cl">jexec wireguard wg </span></span></code></pre></div><h2 id="conclusion">Conclusion</h2> <p>All this made me think that an interesting next step to take would be to configure a Wireguard interface on the host, then pass it as the only interface for a jail instead of a bridge. The ramifications of this sound pretty neat!</p>/blog/2025/11/13/scripting-the-download-of-a-private-repositorys-github-release-asset/2025-11-13/blog/2025/11/13/scripting-the-download-of-a-private-repositorys-github-release-asset/<h2 id="introduction">Introduction</h2> <p>Last week I needed to script the download of a specific asset from a release of a private GitHub repository. It turns out that there is no direct way to do this as you first need to resolve the asset name into an ID. Here is a little script that does just that without any big dependency like the <code>gh</code> CLI.</p> <h2 id="the-script">The script</h2> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl"><span class="cp">#!/usr/bin/env bash </span></span></span><span class="line"><span class="cl"><span class="nb">set</span> -euCo pipefail </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">github_pat</span><span class="o">=</span><span class="s2">&#34;XXXXXX&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">owner</span><span class="o">=</span><span class="s2">&#34;adyxax&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">repository</span><span class="o">=</span><span class="s2">&#34;private-repository&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">regex</span><span class="o">=</span><span class="s2">&#34;.*-linux-x86_64.tar.gz&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">tag</span><span class="o">=</span><span class="s2">&#34;v2025.11.06.0402&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">if</span> ! <span class="nv">releases</span><span class="o">=</span><span class="k">$(</span>curl -fsSL <span class="se">\ </span></span></span><span class="line"><span class="cl"> <span class="s2">&#34;https://api.github.com/repos/</span><span class="nv">$owner</span><span class="s2">/</span><span class="nv">$repository</span><span class="s2">/releases/tags/</span><span class="nv">$tag</span><span class="s2">&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> -H <span class="s2">&#34;Accept: application/vnd.github+json&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> -H <span class="s2">&#34;Authorization: token </span><span class="nv">$github_pat</span><span class="s2">&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> -H <span class="s2">&#34;X-GitHub-Api-Version: 2022-11-28&#34;</span><span class="k">)</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> <span class="s2">&#34;failed to get latest release assets from GitHub&#34;</span> &gt;<span class="p">&amp;</span>2<span class="p">;</span> <span class="nb">exit</span> <span class="m">1</span> </span></span><span class="line"><span class="cl"><span class="k">fi</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">value</span><span class="o">=</span><span class="k">$(</span><span class="nb">printf</span> <span class="s1">&#39;%s&#39;</span> <span class="s2">&#34;</span><span class="nv">$releases</span><span class="s2">&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> <span class="p">|</span> jq -r --arg regex <span class="s2">&#34;</span><span class="nv">$regex</span><span class="s2">&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> <span class="s1">&#39;first(.assets </span></span></span><span class="line"><span class="cl"><span class="s1"> |to_entries[] </span></span></span><span class="line"><span class="cl"><span class="s1"> |select(.value.name </span></span></span><span class="line"><span class="cl"><span class="s1"> |test($regex)) </span></span></span><span class="line"><span class="cl"><span class="s1"> |.value)&#39;</span><span class="k">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">id</span><span class="o">=</span><span class="k">$(</span><span class="nb">printf</span> <span class="s1">&#39;%s&#39;</span> <span class="s2">&#34;</span><span class="nv">$value</span><span class="s2">&#34;</span> <span class="p">|</span> jq -r <span class="s1">&#39;.id&#39;</span><span class="k">)</span> </span></span><span class="line"><span class="cl"><span class="nv">filename</span><span class="o">=</span><span class="k">$(</span><span class="nb">printf</span> <span class="s1">&#39;%s&#39;</span> <span class="s2">&#34;</span><span class="nv">$value</span><span class="s2">&#34;</span> <span class="p">|</span> jq -r <span class="s1">&#39;.name&#39;</span><span class="k">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">if</span> ! curl -fsSL <span class="s2">&#34;https://api.github.com/repos/</span><span class="nv">$owner</span><span class="s2">/</span><span class="nv">$repository</span><span class="s2">/releases/assets/</span><span class="nv">$id</span><span class="s2">&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> -H <span class="s2">&#34;Accept: application/octet-stream&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> -H <span class="s2">&#34;Authorization: token </span><span class="nv">$github_pat</span><span class="s2">&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> -H <span class="s2">&#34;X-GitHub-Api-Version: 2022-11-28&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> -o <span class="s2">&#34;</span><span class="nv">$filename</span><span class="s2">&#34;</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> <span class="s2">&#34;failed to download asset from GitHub&#34;</span> &gt;<span class="p">&amp;</span>2<span class="p">;</span> <span class="nb">exit</span> <span class="m">2</span> </span></span><span class="line"><span class="cl"><span class="k">fi</span> </span></span></code></pre></div><h2 id="conclusion">Conclusion</h2> <p>This is simple and works well. Scripting is fun!</p>/blog/2025/10/20/opentofu/terraform-state-locking-with-s3-object-locking/2025-10-20/blog/2025/10/20/opentofu/terraform-state-locking-with-s3-object-locking/<h2 id="introduction">Introduction</h2> <p>Today&rsquo;s AWS outage is a good time to remind sysadmins that AWS DynamoDB is no longer required to handle state file locking when storing state files on AWS S3.</p> <p>Since last year, the S3 state backend has supported state locking via S3 object locks. This locking method is simpler, faster and removes a dependency on an AWS service that we no longer need. DynamoDB was the default state backend locking mechanism for many years and has served us well, but today&rsquo;s AWS outage is a good time to move on if you have not already done so.</p> <h2 id="migration-steps">Migration steps</h2> <h3 id="make-sure-bucket-versioning-is-enabled">Make sure bucket versioning is enabled</h3> <p>I cannot imaging why anyone would store OpenTofu/Terraform state files without versioning, but if for some reason you did not already then know that versioning is a requirement for activating S3 object locks. A simple configuration like the following is enough:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-hcl" data-lang="hcl"><span class="line"><span class="cl"><span class="k">resource</span> <span class="s2">&#34;aws_s3_bucket_versioning&#34; &#34;tofu_states&#34;</span> { </span></span><span class="line"><span class="cl"><span class="n"> bucket</span> <span class="o">=</span> <span class="k">aws_s3_bucket</span><span class="p">.</span><span class="k">tofu_states</span><span class="p">.</span><span class="k">id</span> </span></span><span class="line"><span class="cl"> <span class="k">versioning_configuration</span> { </span></span><span class="line"><span class="cl"><span class="n"> status</span> <span class="o">=</span> <span class="s2">&#34;Enabled&#34;</span> </span></span><span class="line"><span class="cl"> } </span></span><span class="line"><span class="cl">} </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">resource</span> <span class="s2">&#34;aws_s3_bucket_lifecycle_configuration&#34; &#34;tofu_states&#34;</span> { </span></span><span class="line"><span class="cl"><span class="n"> bucket</span> <span class="o">=</span> <span class="k">aws_s3_bucket</span><span class="p">.</span><span class="k">tofu_states</span><span class="p">.</span><span class="k">id</span> </span></span><span class="line"><span class="cl"> <span class="k">rule</span> { </span></span><span class="line"><span class="cl"> <span class="k">filter</span> {} </span></span><span class="line"><span class="cl"><span class="n"> id</span> <span class="o">=</span> <span class="s2">&#34;main&#34;</span> </span></span><span class="line"><span class="cl"> <span class="k">noncurrent_version_expiration</span> { </span></span><span class="line"><span class="cl"><span class="n"> noncurrent_days</span> <span class="o">=</span> <span class="m">90</span> </span></span><span class="line"><span class="cl"> } </span></span><span class="line"><span class="cl"> <span class="k">noncurrent_version_transition</span> { </span></span><span class="line"><span class="cl"><span class="n"> noncurrent_days</span> <span class="o">=</span> <span class="m">2</span> </span></span><span class="line"><span class="cl"><span class="n"> storage_class</span> <span class="o">=</span> <span class="s2">&#34;STANDARD_IA&#34;</span> </span></span><span class="line"><span class="cl"> } </span></span><span class="line"><span class="cl"> <span class="k">noncurrent_version_transition</span> { </span></span><span class="line"><span class="cl"><span class="n"> noncurrent_days</span> <span class="o">=</span> <span class="m">14</span> </span></span><span class="line"><span class="cl"><span class="n"> storage_class</span> <span class="o">=</span> <span class="s2">&#34;GLACIER&#34;</span> </span></span><span class="line"><span class="cl"> } </span></span><span class="line"><span class="cl"><span class="n"> status</span> <span class="o">=</span> <span class="s2">&#34;Enabled&#34;</span> </span></span><span class="line"><span class="cl"> } </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n"> depends_on</span> <span class="o">=</span> <span class="p">[</span><span class="k">aws_s3_bucket_versioning</span><span class="p">.</span><span class="k">tofu_states</span><span class="p">]</span> </span></span><span class="line"><span class="cl">} </span></span></code></pre></div><h3 id="activating-s3-object-locks">Activating S3 object locks</h3> <p>The first step is to activate object locks on the OpenTofu/Terraform states S3 bucket. Sadly, simply adding the attribute to the <code>aws_s3_bucket</code> resource won&rsquo;t be sufficient as OpenTofu/Terraform will then try to recreate the bucket.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">aws --profile core <span class="se">\ </span></span></span><span class="line"><span class="cl"> s3api put-object-lock-configuration <span class="se">\ </span></span></span><span class="line"><span class="cl"> --bucket adyxax-tofu-states <span class="se">\ </span></span></span><span class="line"><span class="cl"> --object-lock-configuration<span class="o">=</span><span class="s1">&#39;{&#34;ObjectLockEnabled&#34;:&#34;Enabled&#34;}&#39;</span> </span></span></code></pre></div><p>After typing this AWS CLI command, you will be able to update your <code>aws_s3_bucket</code> resource. Applying the changes will refresh the state and confirm the change is correctly implemented.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-hcl" data-lang="hcl"><span class="line"><span class="cl"><span class="k">resource</span> <span class="s2">&#34;aws_s3_bucket&#34; &#34;tofu_states&#34;</span> { </span></span><span class="line"><span class="cl"><span class="n"> bucket</span> <span class="o">=</span> <span class="s2">&#34;adyxax-tofu-states&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> object_lock_enabled</span> <span class="o">=</span> <span class="kt">true</span> </span></span><span class="line"><span class="cl">} </span></span></code></pre></div><h3 id="reconfiguring-your-terraform-backend">Reconfiguring your terraform backend</h3> <p>Update your OpenTofu/Terraform S3 backend configuration blocks to add the <code>use_lockfile = true</code> attribute:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-hcl" data-lang="hcl"><span class="line"><span class="cl"><span class="k">terraform</span> { </span></span><span class="line"><span class="cl"> <span class="k">backend</span> <span class="s2">&#34;s3&#34;</span> { </span></span><span class="line"><span class="cl"><span class="n"> bucket</span> <span class="o">=</span> <span class="s2">&#34;adyxax-tofu-states&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> dynamodb_table</span> <span class="o">=</span> <span class="s2">&#34;tofu-states&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> key</span> <span class="o">=</span> <span class="s2">&#34;repositories/${local.name}&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> profile</span> <span class="o">=</span> <span class="s2">&#34;core&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> region</span> <span class="o">=</span> <span class="s2">&#34;eu-west-3&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> use_lockfile</span> <span class="o">=</span> <span class="kt">true</span> </span></span><span class="line"><span class="cl"> } </span></span><span class="line"><span class="cl">} </span></span></code></pre></div><p>By setting both <code>dynamodb_table</code> and <code>use_lockfile</code>, applying changes will lock both systems at the same time. This is important if you need to roll out your change gradually as to not disrupt your colleagues work or your CI jobs.</p> <p>If you can afford the disruption, it will be faster to just delete the DynamoDB state locks table and remove the <code>dynamodb_table</code> attribute.</p> <p>As with all backend configuration changes, you will need to init your OpenTofu/Terraform folders again:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">tofu init -reconfigure </span></span></code></pre></div><p>Once the change has been applied in all your OpenTofu/Terraform folders and repositories, all your pull requests merged or rebased and you are sure everybody and everything is on the new locking system, you can safely remove the <code>dynamodb_table</code> from your backend configuration blocks:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-hcl" data-lang="hcl"><span class="line"><span class="cl"><span class="k">terraform</span> { </span></span><span class="line"><span class="cl"> <span class="k">backend</span> <span class="s2">&#34;s3&#34;</span> { </span></span><span class="line"><span class="cl"><span class="n"> bucket</span> <span class="o">=</span> <span class="s2">&#34;adyxax-tofu-states&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> key</span> <span class="o">=</span> <span class="s2">&#34;repositories/${local.name}&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> profile</span> <span class="o">=</span> <span class="s2">&#34;core&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> region</span> <span class="o">=</span> <span class="s2">&#34;eu-west-3&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> use_lockfile</span> <span class="o">=</span> <span class="kt">true</span> </span></span><span class="line"><span class="cl"> } </span></span></code></pre></div><p>You will need to <code>init -reconfigure</code> your folders again.</p> <h3 id="deleting-the-dynamodb-state-locks-table">Deleting the DynamoDB state locks table</h3> <p>The last step is to destroy the DynamoDB table that used to hold your locks. If you have deletion protection activated, remove it with:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">aws --profile core --region eu-west-3 <span class="se">\ </span></span></span><span class="line"><span class="cl"> dynamodb update-table <span class="se">\ </span></span></span><span class="line"><span class="cl"> --table-name tofu-states <span class="se">\ </span></span></span><span class="line"><span class="cl"> --no-deletion-protection-enabled </span></span></code></pre></div><p>With this done, destroy your DynamoDB table and remove any IAM policies controlling DynamoDB access to the table and any cloudwatch alerts used to monitor it. I personally do this with a <code>tofu apply</code> because everything is managed from there.</p> <h2 id="conclusion">Conclusion</h2> <p>S3 object locks have served me well since they were made available as a backend locking mechanism. If you are still relying on DynamoDB, now is a good time to migrate away from this service.</p>/blog/2025/09/30/a-forgejo-action-for-opentofu-module-testing-on-aws/2025-09-30/blog/2025/09/30/a-forgejo-action-for-opentofu-module-testing-on-aws/<h2 id="introduction">Introduction</h2> <p>I have been using a Forgejo action (compatible with GitHub actions) for testing my OpenTofu/Terraform modules on AWS. I planned to blog this earlier, but since it worked without quirks I completely forgot to publish it.</p> <h2 id="usage-example">Usage example</h2> <p>The action relies on having an AWS IAM access key provisioned in your CI&rsquo;s secrets. An astute reader will notice I am naming the secret <code>AWS_ACCESS_KEY_SECRET</code> instead of the standard <code>AWS_SECRET_ACCESS_KEY</code>, mind this if trying to reproduce in your own environment:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl">- <span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;https://git.adyxax.org/adyxax/action-tofu-aws-test@2.0.0&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">with</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">aws-access-key-id</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;${{ vars.AWS_ACCESS_KEY_ID }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">aws-access-key-secret</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;${{ secrets.AWS_ACCESS_KEY_SECRET }}&#34;</span><span class="w"> </span></span></span></code></pre></div><h2 id="action-steps">Action steps</h2> <p>This action initializes the AWS credentials, then runs formatting and linting checks as well as tofu tests on the repository of an OpenTofu/Terraform module.</p> <h3 id="boilerplate">Boilerplate</h3> <p>Forgejo actions need some light boilerplate to define how they are to be used:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;tofu-aws-test&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">description</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Test a tofu module on AWS.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">inputs</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">aws-access-key-id</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">description</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;AWS access key id.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">required</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">aws-access-key-secret</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">description</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;AWS access key secret.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">required</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">runs</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">using</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;composite&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">steps</span><span class="p">:</span><span class="w"> </span></span></span></code></pre></div><h3 id="formatting-and-linting">Formatting and linting</h3> <p>These are two simple steps. The only caveat is that I need to unset the <code>GITHUB_TOKEN</code> environment variable before running <code>tflint</code>. This is because Forgejo strives for compatibility with GitHub actions, but sadly <code>tflint</code> will try to use said token for cloning its plugins. Since the token is generated on my Forgejo instance, it is only valid there and not on GitHub. This would cause the step to fail.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;fmt&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">shell</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;bash&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">run</span><span class="p">:</span><span class="w"> </span><span class="p">|</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> tofu fmt -check -recursive</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;lint&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">shell</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;bash&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">run</span><span class="p">:</span><span class="w"> </span><span class="p">|</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> unset GITHUB_TOKEN </span></span></span><span class="line"><span class="cl"><span class="sd"> tflint --init </span></span></span><span class="line"><span class="cl"><span class="sd"> tflint --recursive</span><span class="w"> </span></span></span></code></pre></div><h3 id="aws-credentials-initialization">AWS credentials initialization</h3> <p>If you followed my past articles you will know that I am using multiple AWS accounts to separate everything. I strive to have all my test resources created in a <code>tests</code> AWS account, but some things like DNS records will occasionally require access to my <code>core</code> AWS account where DNS zones are provisioned.</p> <p>I am using AWS policies to tightly control what tests can provision in this <code>core</code> account, but I will not detail it in this article.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;configure AWS profiles&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">shell</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;bash&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">run</span><span class="p">:</span><span class="w"> </span><span class="p">|</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> ROLE_NAME=&#34;repository_${GITHUB_REPOSITORY/\//_}&#34; </span></span></span><span class="line"><span class="cl"><span class="sd"> cat &gt;aws_config &lt;&lt;EOF </span></span></span><span class="line"><span class="cl"><span class="sd"> [profile core] </span></span></span><span class="line"><span class="cl"><span class="sd"> role_arn = arn:aws:iam::123456789012:role/${ROLE_NAME} </span></span></span><span class="line"><span class="cl"><span class="sd"> source_profile = root </span></span></span><span class="line"><span class="cl"><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> [profile root] </span></span></span><span class="line"><span class="cl"><span class="sd"> aws_access_key_id = ${{ inputs.aws-access-key-id }} </span></span></span><span class="line"><span class="cl"><span class="sd"> aws_secret_access_key = ${{ inputs.aws-access-key-secret }} </span></span></span><span class="line"><span class="cl"><span class="sd"> region = eu-west-3 </span></span></span><span class="line"><span class="cl"><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> [profile tests] </span></span></span><span class="line"><span class="cl"><span class="sd"> role_arn = arn:aws:iam::345678901234:role/${ROLE_NAME} </span></span></span><span class="line"><span class="cl"><span class="sd"> source_profile = root </span></span></span><span class="line"><span class="cl"><span class="sd"> EOF</span><span class="w"> </span></span></span></code></pre></div><p>One should of course use their own AWS account IDs here!</p> <h3 id="opentofuterraform-lock-files">OpenTofu/Terraform lock files</h3> <p>It is important to make sure your lock files match the provider versions pinned in your configuration. This step does exactly this!</p> <p>This step has some code to recurse in subfolders because I love to use a pattern where some OpenTofu code specific to a repository lives alongside a module or some other code:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;check tofu providers lock files&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">shell</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;bash&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">run</span><span class="p">:</span><span class="w"> </span><span class="p">|</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> unset GITHUB_TOKEN </span></span></span><span class="line"><span class="cl"><span class="sd"> export AWS_CONFIG_FILE=&#34;$(pwd)/aws_config&#34; </span></span></span><span class="line"><span class="cl"><span class="sd"> shopt -s globstar nullglob </span></span></span><span class="line"><span class="cl"><span class="sd"> for lockfile in **/.terraform.lock.hcl; do </span></span></span><span class="line"><span class="cl"><span class="sd"> (cd &#34;$(dirname &#34;$lockfile&#34;)&#34;; tofu init; tofu providers lock -platform=linux_amd64) </span></span></span><span class="line"><span class="cl"><span class="sd"> done </span></span></span><span class="line"><span class="cl"><span class="sd"> git diff --exit-code</span><span class="w"> </span></span></span></code></pre></div><h3 id="opentofuterraform-tests">OpenTofu/Terraform tests</h3> <p>I am running module tests with:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;tofu test&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">shell</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;bash&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">run</span><span class="p">:</span><span class="w"> </span><span class="p">|</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> export AWS_CONFIG_FILE=&#34;$(pwd)/aws_config&#34; </span></span></span><span class="line"><span class="cl"><span class="sd"> tofu init </span></span></span><span class="line"><span class="cl"><span class="sd"> tofu test</span><span class="w"> </span></span></span></code></pre></div><h3 id="cleanup">Cleanup</h3> <p>We clean up to be sure that the next steps in the workflow are not affected:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;clean&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">shell</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;bash&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">run</span><span class="p">:</span><span class="w"> </span><span class="p">|</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> rm aws_config</span><span class="w"> </span></span></span></code></pre></div><h2 id="conclusion">Conclusion</h2> <p>Here is <a href="https://git.adyxax.org/adyxax/action-tofu-aws-test">the link to the repository</a>. Writing composite actions like this one is a good exercise and can be used to keep your workflows tidy and DRY!</p>/blog/2025/09/19/how-to-set-the-vnc-resolution-of-a-qemu-virtual-machine/2025-09-19/blog/2025/09/19/how-to-set-the-vnc-resolution-of-a-qemu-virtual-machine/<h2 id="introduction">Introduction</h2> <p>I last blogged about how to run simple QEMU virtual machines in 2021 in <a href="/blog/2021/06/16/simple-qemu-vm/">this article</a>. I often use these commands to spawn virtual machines that I only access via SSH, but it was never for their GUI! Now the need arose and the necessary bits were harder to piece together than I expected.</p> <h2 id="installation">Installation</h2> <p>I updated the VNC and drive sections for modern QEMU flags compared to the last article:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">qemu-img create -f raw alpine.raw 16G </span></span><span class="line"><span class="cl">qemu-system-x86_64 -drive <span class="k">if</span><span class="o">=</span>none,id<span class="o">=</span>disk,file<span class="o">=</span>/alpine.raw,format<span class="o">=</span>raw,cache<span class="o">=</span>writeback <span class="se">\ </span> <span class="o">(</span>base<span class="o">)</span> </span></span><span class="line"><span class="cl"> -device virtio-blk-pci,drive<span class="o">=</span>disk <span class="se">\ </span></span></span><span class="line"><span class="cl"> -cdrom Downloads/alpine.iso <span class="se">\ </span></span></span><span class="line"><span class="cl"> -boot d -machine <span class="nv">type</span><span class="o">=</span>q35,accel<span class="o">=</span>kvm <span class="se">\ </span></span></span><span class="line"><span class="cl"> -cpu host -smp <span class="m">2</span> -m <span class="m">2048</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> -display vnc 127.0.0.1:0 <span class="se">\ </span></span></span><span class="line"><span class="cl"> -device virtio-net,netdev<span class="o">=</span>vmnic <span class="se">\ </span></span></span><span class="line"><span class="cl"> -netdev user,id<span class="o">=</span>vmnic,hostfwd<span class="o">=</span>tcp::10022-:22 </span></span></code></pre></div><p>Connect to the console with a <code>vncviewer :0</code>, or if an ssh server is running, use <code>ssh -p10022 root@localhost</code>.</p> <h2 id="post-installation">Post-Installation</h2> <p>We boot from the installed disk and drop the options to mount the ISO image:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">qemu-system-x86_64 -drive <span class="k">if</span><span class="o">=</span>none,id<span class="o">=</span>disk,file<span class="o">=</span>/alpine.raw,format<span class="o">=</span>raw,cache<span class="o">=</span>writeback <span class="se">\ </span> <span class="o">(</span>base<span class="o">)</span> </span></span><span class="line"><span class="cl"> -device virtio-blk-pci,drive<span class="o">=</span>disk <span class="se">\ </span></span></span><span class="line"><span class="cl"> -boot c -machine <span class="nv">type</span><span class="o">=</span>q35,accel<span class="o">=</span>kvm <span class="se">\ </span></span></span><span class="line"><span class="cl"> -cpu host -smp <span class="m">2</span> -m <span class="m">2048</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> -display vnc 127.0.0.1:0 <span class="se">\ </span></span></span><span class="line"><span class="cl"> -device virtio-net,netdev<span class="o">=</span>vmnic <span class="se">\ </span></span></span><span class="line"><span class="cl"> -netdev user,id<span class="o">=</span>vmnic,hostfwd<span class="o">=</span>tcp::10022-:22 </span></span></code></pre></div><h2 id="how-to-customize-the-vnc-resolution">How to customize the VNC resolution</h2> <p>You only needs to add an extra line of flags. Just substitute your native resolution (use <code>xrandr</code> on your host machine if you are in doubt about which values to use) in <code>xres=...,yres=...</code>:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">qemu-system-x86_64 -drive <span class="k">if</span><span class="o">=</span>none,id<span class="o">=</span>disk,file<span class="o">=</span>/alpine.raw,format<span class="o">=</span>raw,cache<span class="o">=</span>writeback <span class="se">\ </span> <span class="o">(</span>base<span class="o">)</span> </span></span><span class="line"><span class="cl"> -device virtio-blk-pci,drive<span class="o">=</span>disk <span class="se">\ </span></span></span><span class="line"><span class="cl"> -boot c -machine <span class="nv">type</span><span class="o">=</span>q35,accel<span class="o">=</span>kvm <span class="se">\ </span></span></span><span class="line"><span class="cl"> -cpu host -smp <span class="m">2</span> -m <span class="m">2048</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> -display vnc 127.0.0.1:0 <span class="se">\ </span></span></span><span class="line"><span class="cl"> -device virtio-net,netdev<span class="o">=</span>vmnic <span class="se">\ </span></span></span><span class="line"><span class="cl"> -netdev user,id<span class="o">=</span>vmnic,hostfwd<span class="o">=</span>tcp::10022-:22 <span class="se">\ </span></span></span><span class="line"><span class="cl"> -vga none -device virtio-vga,edid<span class="o">=</span>on,xres<span class="o">=</span>2560,yres<span class="o">=</span><span class="m">1440</span> </span></span></code></pre></div><h2 id="conclusion">Conclusion</h2> <p>It is good to refresh one&rsquo;s memory for something so simple and useful: no virt-manager or other tools required, no complicated networking&hellip; QEMU is fun and easy!</p>/blog/2025/08/31/the-raku-programming-language/2025-08-31/blog/2025/08/31/the-raku-programming-language/<h2 id="introduction">Introduction</h2> <p>I gave <a href="https://raku.org/">Raku</a> several tries over the last 15 years. I was initially a bit disappointed when it was first released as Perl6 as it was very slow to start and a resource hog. I was disappointed again sometime in the late 2010s I tried the freshly renamed Raku. Still very slow to start up and consumming too much memory for what I was attempting, but much better.</p> <p>I tried again this summer and I am glad to see that Raku has become much more usable! The language and its ecosystem have made strides of progress. Startup time (critical for a scripting language imho) is now good. CPU and memory usage remain on the high side, but have become more reasonable.</p> <h2 id="the-language">The language</h2> <p>The language is clearly Perlish, with sigils and unusual syntax that seem alien compared to other programming languages. Having liked Perl, I must say that I very much like the subtle changes Raku brought to the overall syntax. One such change is the array indexing: where you would have written <code>$a[0]</code> in Perl, you now write <code>@a[0]</code> in Raku.</p> <p>I love all the convenience features and all the syntax sugar Raku brings to the table. For example, you can declare a list of string literals with <code>my @l = &lt;one two three&gt;;</code> instead of the heavier <code>my @l = (&quot;one&quot;, &quot;two&quot;, &quot;three&quot;);</code>. Note that the parentheses are also optional here. Another related example is about hash indexing when keys are string literals: <code>%h{'one'}</code> is equivalent to <code>%h&lt;one&gt;</code>.</p> <p>Raku has gradual typing, and its type system is really powerful. Two of my favorite features are junctions and subsets. Junctions in particular are wild:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-raku" data-lang="raku"><span class="line"><span class="cl"><span class="k">my</span> <span class="nv">$j</span> <span class="o">=</span> <span class="mi">0</span><span class="o">|</span><span class="mi">1</span><span class="o">|</span><span class="mi">2</span><span class="o">|</span><span class="mi">3</span><span class="p">;</span> <span class="c1"># $j is a junction, a composite value</span> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="mi">3</span> <span class="o">==</span> <span class="nv">$j</span> <span class="o">+</span> <span class="mi">1</span> <span class="p">{</span> <span class="c1"># this matches because 2 is a possible value for $j</span> </span></span><span class="line"><span class="cl"> <span class="nb">say</span> <span class="p">&#39;</span><span class="s1">yes</span><span class="p">&#39;;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></div><p>Note that junctions are not sets, they are only meant for boolean evaluation. But they are very neat! Subsets are also fun, allowing you to write things like:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-raku" data-lang="raku"><span class="line"><span class="cl"><span class="k">subset</span> <span class="nc">MyBiggerInts</span> <span class="k">of</span> <span class="kt">Int</span> <span class="k">where</span> <span class="o">*</span> <span class="o">&gt;=</span> <span class="mi">42</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="k">subset</span> <span class="nc">Three-letter</span> <span class="k">of</span> <span class="kt">Str</span> <span class="k">where</span> <span class="o">.</span><span class="nb">chars</span> <span class="o">==</span> <span class="mi">3</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="k">subset</span> <span class="nc">Foo</span> <span class="k">of</span> <span class="kt">List</span> <span class="k">where</span> <span class="p">(</span><span class="kt">Int</span><span class="o">,</span><span class="kt">Str</span><span class="p">);</span> <span class="c1"># Only a List where the first element is an</span> </span></span><span class="line"><span class="cl"> <span class="c1"># Int and the second a Str will pass the type check.</span> </span></span></code></pre></div><p>Many scripts are very concise in Raku. One of the neatest things is the amount of features, classes and functions that are built-in. This might seem trivial, but not having 10 lines of imports at the top of every script is refreshing! This is of course true for all the regex stuff, but also for some things like argument parsing on the command line. Here is how you write it in Raku:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-raku" data-lang="raku"><span class="line"><span class="cl"><span class="k">sub</span> <span class="nb">MAIN</span><span class="p">(</span> </span></span><span class="line"><span class="cl"> <span class="kt">Str</span> <span class="nv">$file</span> <span class="k">where</span> <span class="o">*.</span><span class="kt">IO</span><span class="o">.</span><span class="nb">f</span> <span class="o">=</span> <span class="p">&#39;</span><span class="s1">file.dat</span><span class="p">&#39;</span><span class="o">,</span> <span class="k">#= </span><span class="sd">an existing file to frobnicate </span></span></span><span class="line"><span class="cl"> <span class="kt">Int</span> <span class="o">:</span><span class="nv">$length</span> <span class="o">=</span> <span class="mi">24</span><span class="o">,</span> <span class="k">#= </span><span class="sd">length needed for frobnication </span></span></span><span class="line"><span class="cl"> <span class="kt">Bool</span> <span class="o">:</span><span class="nv">$verbose</span><span class="o">,</span> <span class="k">#= </span><span class="sd">required verbosity </span></span></span><span class="line"><span class="cl"><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nb">say</span> <span class="nv">$length</span> <span class="k">if</span> <span class="nv">$length</span><span class="o">.</span><span class="nb">defined</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nb">say</span> <span class="nv">$file</span> <span class="k">if</span> <span class="nv">$file</span><span class="o">.</span><span class="nb">defined</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nb">say</span> <span class="p">&#39;</span><span class="s1">Verbosity </span><span class="p">&#39;</span><span class="o">,</span> <span class="p">(</span><span class="nv">$verbose</span> <span class="o">??</span> <span class="p">&#39;</span><span class="s1">on</span><span class="p">&#39;</span> <span class="o">!!</span> <span class="p">&#39;</span><span class="s1">off</span><span class="p">&#39;);</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></div><p>Calling a program with <code>--help</code> or invalid flags will produce the following for you, free of charge:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">Usage: </span></span><span class="line"><span class="cl"> frobnicate.raku <span class="o">[</span>--length<span class="o">=</span>&lt;Int&gt;<span class="o">]</span> <span class="o">[</span>--verbose<span class="o">]</span> <span class="o">[</span>&lt;file&gt;<span class="o">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="o">[</span>&lt;file&gt;<span class="o">]</span> an existing file to frobnicate </span></span><span class="line"><span class="cl"> --length<span class="o">=</span>&lt;Int&gt; length needed <span class="k">for</span> frobnication </span></span><span class="line"><span class="cl"> --verbose required verbosity </span></span></code></pre></div><p>With all that I did not say anything yet about the object system which is very well thought out, the regexes and grammar which are a lot of fun, or all the convenience added to the standard classes. For example you can open a file and read its contents with:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-raku" data-lang="raku"><span class="line"><span class="cl"><span class="p">&#34;</span><span class="s2">some/file.txt</span><span class="p">&#34;</span><span class="o">.</span><span class="kt">IO</span><span class="o">.</span><span class="nb">lines</span> </span></span></code></pre></div><p><a href="https://docs.raku.org/introduction">The documentation</a> and the <a href="https://docs.raku.org/reference">language reference</a> seem complete and are full of useful examples. Numeric maths are treated carefully: arithmetic is exact by default (big integrers when values exceed 64 bits, and rational numbers for fractions). How neat is that?</p> <h2 id="conclusion">Conclusion</h2> <p>Learning Raku has been a lot of fun and I recommend giving it a try. Installing it is easy thanks to a tool called <a href="https://rakubrew.org/">rakubrew</a>. Packages are managed with <code>zef</code> and finding libraries is easy by browsing <a href="https://raku.land/">raku.land</a>.</p> <p>Of course wanted to solve some puzzles in Raku, as I do when learning new languages: <a href="https://git.adyxax.org/adyxax/advent-of-code/src/branch/master/2019">https://git.adyxax.org/adyxax/advent-of-code/src/branch/master/2019</a></p>/blog/2025/07/24/advent-of-code-2024-in-haskell/2025-07-24/blog/2025/07/24/advent-of-code-2024-in-haskell/<h2 id="introduction">Introduction</h2> <p>I participated in <a href="https://adventofcode.com/2024">advent of code 2024</a> in Haskell: it was a fun experience as always! Why writing about this now? Because I just finished the last puzzle!</p> <p>I did the first 12 puzzles each day last December but then life happened and I could no longer complete one puzzle per day. I only finished the first 19 puzzles by Christmas then took the usual long break. I picked up this challenge again about a month ago while waiting at the airport and have now completed the last one.</p> <h2 id="haskell-for-puzzles">Haskell for puzzles</h2> <p>Usually this kind of article is an opportunity to explain some of the patterns I used and things I learned. Solving these puzzles was a lot of fun as always.</p> <p>The puzzles were interesting, my favorite one being day 24 in which you need to debug a binary adder. It is made of logic gates with a few wires that have been inverted and need to be fixed. It was the hardest challenge for me by far and I only solved it when I realized that instead of needing to simulate wire permutations I could try to build the adder from the pool of logic gates that were available. When I could not find a gate I needed, it meant I had to look for a wire to swap.</p> <p>I also thoroughly enjoyed day 21 where you need to input codes via proxy robots and need to compute a very convoluted shortest path algorithm where the key was careful usage of memoization.</p> <p>I will also make a special mention for day 13 where the problem can be reduced to a system of linear equations. I love an excuse to whip out a matrix triangularization to achieve this, but I doubly loved that I could use the Rational type to deal with exact ratio numbers computations. Haskell really shines in these situations!</p> <h2 id="conclusion">Conclusion</h2> <p>I recommend tackling this kind of challenge, it is good to maintain or develop proficiency in a programming language. I love Haskell, I wish I could use it daily and not just for seasonal puzzles.</p>/blog/2025/07/08/enforcing-aws-secret-version-with-opentofu/terraform/2025-07-08/blog/2025/07/08/enforcing-aws-secret-version-with-opentofu/terraform/<h2 id="introduction">Introduction</h2> <p>Managing secrets in AWS is a common task. It is therefore surprising that the default <code>aws_secretsmanager_secret_version</code> usage does not properly enforce a secret value.</p> <p>At first glance, it appears to enforce secret versions properly because updating the secret&rsquo;s value results in an updated AWS secret version accordingly. Furthermore, if the secret is deleted then OpenTofu/Terraform will recreate it with the proper value as well! However, the unexpected behavior occurs when the value of the secret is manually changed: in that case, OpenTofu/Terraform will do nothing to reconcile or restore the value.</p> <h2 id="properly-enforcing-a-secret-value">Properly enforcing a secret value</h2> <p>To solve this issue, the stage of the managed secret version needs to be enforced. Given the following basic resources that generate a random password and a secret:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-hcl" data-lang="hcl"><span class="line"><span class="cl"><span class="k">resource</span> <span class="s2">&#34;random_password&#34; &#34;main&#34;</span> { </span></span><span class="line"><span class="cl"><span class="n"> length</span> <span class="o">=</span> <span class="m">64</span> </span></span><span class="line"><span class="cl">} </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">resource</span> <span class="s2">&#34;aws_secretsmanager_secret&#34; &#34;main&#34;</span> { </span></span><span class="line"><span class="cl"><span class="n"> name</span> <span class="o">=</span> <span class="s2">&#34;secret&#34;</span> </span></span><span class="line"><span class="cl">} </span></span></code></pre></div><p>A secret version stage can be enforced with:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-hcl" data-lang="hcl"><span class="line"><span class="cl"><span class="k">resource</span> <span class="s2">&#34;aws_secretsmanager_secret_version&#34; &#34;main&#34;</span> { </span></span><span class="line"><span class="cl"><span class="n"> secret_id</span> <span class="o">=</span> <span class="k">aws_secretsmanager_secret</span><span class="p">.</span><span class="k">main</span><span class="p">.</span><span class="k">id</span> </span></span><span class="line"><span class="cl"><span class="n"> secret_string</span> <span class="o">=</span> <span class="k">random_password</span><span class="p">.</span><span class="k">main</span><span class="p">.</span><span class="k">result</span> </span></span><span class="line"><span class="cl"><span class="n"> version_stages</span> <span class="o">=</span> <span class="p">[</span><span class="s2">&#34;AWSCURRENT&#34;</span><span class="p">]</span> </span></span><span class="line"><span class="cl">} </span></span></code></pre></div><p>The important attribute in the context of this article is <code>version_stages</code>. Though optional and not mentioned in <a href="https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version">the example usages of the resource&rsquo;s documentation</a>, it is what properly enforces this secret&rsquo;s value as the current version.</p> <h2 id="conclusion">Conclusion</h2> <p>I am in awe that I managed to go on for so many years without encountering this particular issue! Systematically specifying the <code>version_stages</code> attribute in all secret version resources is a boilerplate that I could have lived without, but necessary to ensure reliability. I find solace knowing that any manual changes to a secret value performed outside of OpenTofu/Terraform are now properly detected and corrected.</p>