Last Friday was better at work for reasons I can’t put my finger on. Made some good progress connecting our production Keycloak to Azure AD and restricting who can log in based on an AD group in an Enterprise Application. So - neat to learn how to do that.

I then realised that I couldn’t log into Grafana-Loki as my non-AD user was already inside it - which I fixed by just giving up and deleting the user database. And Rancher wasn’t set up to use OpenID at all! Fixed all of that and moved back onto installing WAF into the Staging and Production environments, which got approved in various meetings last week.

Next Contract?

I’ve got 45 days left on my current role with no particular idea whether the actual client wants to renew me. However - today brought a possible return to one of my favourite contracts - Tesco Bank! They’ve sold a lot of their services to another bank and their continuity project’s gone far higher in priority so it could be an opportunity to get back to working in a positive, respectful environment. Fingers crossed!

Weekend Hacking

Completely finished rebuilding both my AWS servers into a common containerised platform running in a single Spot instance. The final piece was getting my Gitlab instance in place. I still haven’t imported the old server’s export. For anyone interested, I’ll do a more in depth explanation when I build my Cloudcauldron blog - but it basically looks like this:

  • A dedicated VPC, and EC2 Spot instance spun up with Terraform (OpenTofu) running a Debian 12 AMI, with the volumes encrypted.

  • Root volume is small and remains mostly untouched. Only enough changes to the root volume to enable it to reboot without needing any configuration changes.

  • All important persistent data and configuration lives on a separate encrypted volume mounted at /volume

  • Everything important is running as a Docker container via Docker Compose. There are 5 major Docker containers that need to remain up:

    • certbot : Mostly sleeping for 12 hours at a time but then checking for certs that need to be renewed
    • nginx : Powers all the static and tool sites.
    • php : Has the same mounts as nginx and runs any PHP needed
    • mariadb : Powers any needed mysql/mariadb databases.
    • gitlab : Powers Gitlab separately. nginx reverse proxies it.
  • All Powering These Sites:

    • A Wordpress site powering a personal archive. (nginx and php)
    • A 1 page CV site. (just nginx)
    • A personal URL shortener. (nginx and php)
    • My personal blog (nginx and hugo), and tooling hidden underneath:
    • My business site (just nginx) - but soon to be my business blog (nginx and hugo)
    • My family tree site (just nginx)
  • There are 3 crontab jobs executing commands inside the docker containers:

    • Every 15 minutes, exec into php and update my TTRSS site to check RSS feeds.
    • Every 31 minutes, exec into php and run the Nextcloud cron processing.
    • Every 5 minutes, use Git to pull all configuration from Github, then exec into the Hugo container and generate the static blogs.
  • Issues I still need to fix:

    • I couldn’t figure out how to move from MySQL to MariaDB quickly enough.
    • The Terraform isn’t in Gitlab and its state is local on my laptop.
    • The Gitlab repo that controls all of it stores the web certificates so I can’t make it public.
    • The big volume only has 1 snapshot and it’s not automated yet.
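To make the layout above concrete, here is an added Docker Compose sketch of the five long-running containers plus an on-demand Hugo container. This is an illustration written for this post, not the author's actual compose file (which lives in the private Gitlab repo mentioned above); the image tags, the directory names under /volume, the hostname and the secrets path are all assumptions.

```yaml
# Added illustration of the single-host layout described in the post.
# NOT the author's real configuration. Image tags, paths under /volume,
# the gitlab hostname and the secrets file are assumptions.
services:

  certbot:
    image: certbot/certbot
    volumes:
      - /volume/letsencrypt:/etc/letsencrypt
      - /volume/www:/var/www                 # webroot for HTTP-01 challenges
    # Sleep 12 hours, then ask certbot to renew anything close to expiry.
    # $$ is how a literal $ is written inside a compose file.
    entrypoint: ["/bin/sh", "-c",
      "trap exit TERM; while :; do certbot renew --webroot -w /var/www; sleep 12h & wait $${!}; done"]
    restart: unless-stopped

  nginx:
    image: nginx:stable
    ports: ["80:80", "443:443"]
    volumes:
      - /volume/nginx/conf.d:/etc/nginx/conf.d:ro   # one server block per site, plus the gitlab proxy
      - /volume/letsencrypt:/etc/letsencrypt:ro     # certs read-only; only certbot writes them
      - /volume/www:/var/www:ro                     # static sites and the hugo output
    depends_on: [php, gitlab]
    restart: unless-stopped

  php:
    image: php:8.2-fpm
    volumes:
      - /volume/www:/var/www                 # same mount as nginx so FastCGI paths line up
    restart: unless-stopped

  mariadb:
    image: mariadb:11
    environment:
      MARIADB_ROOT_PASSWORD_FILE: /run/secrets/db_root   # password read from a file, never from the repo
    volumes:
      - /volume/mariadb:/var/lib/mysql
    secrets: [db_root]
    restart: unless-stopped

  gitlab:
    image: gitlab/gitlab-ce:latest
    hostname: gitlab.example.test            # assumed hostname
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'https://gitlab.example.test'
        nginx['listen_port'] = 80            # plain HTTP inside the compose network...
        nginx['listen_https'] = false        # ...because the nginx container terminates TLS
        letsencrypt['enable'] = false        # certbot above owns certificate renewal
    volumes:
      - /volume/gitlab/config:/etc/gitlab
      - /volume/gitlab/logs:/var/log/gitlab
      - /volume/gitlab/data:/var/opt/gitlab
    shm_size: "256m"
    restart: unless-stopped

  # Not one of the five always-up containers: cron runs it to rebuild the blogs.
  hugo:
    image: klakegg/hugo:ext-alpine           # assumed image
    profiles: ["build"]                      # excluded from a plain `docker compose up`
    volumes:
      - /volume/src/blog:/src:ro
      - /volume/www/blog:/target

secrets:
  db_root:
    file: /volume/secrets/db_root            # lives on the encrypted data volume, outside git
```

Two points worth noting against the "issues" list. Keeping the database password and the TLS material on /volume and referencing them from compose (the secrets block, the read-only /etc/letsencrypt mount) is what lets the repo that holds the compose file be published without also publishing the certificates. And because the Hugo service is behind a profile, the blog-rebuild cron entry becomes a one-liner of the form `docker compose run --rm hugo` after the git pull, rather than an exec into a container that has to stay up.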

As per my usual, I got in a load of beer and cider and nachos, made some queso, heated up some chili, and put on my Dallas Cowboys jersey ready for the Super Bowl. The game was frankly a bit boring but it’s always an experience.