The latest articles on Forem by Danylo Mikula (@mikula). https://forem.com/mikula https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3294336%2F07bb6c0a-7ba7-4729-89ff-974bd83859e3.jpg https://forem.com/mikula en Danylo Mikula Thu, 04 Dec 2025 15:50:39 +0000 https://forem.com/mikula/building-my-personal-website-from-idea-to-automated-deployment-part-2-21g4 https://forem.com/mikula/building-my-personal-website-from-idea-to-automated-deployment-part-2-21g4 <p>In the <a href="https://dev.to/mikula/building-my-personal-website-from-idea-to-automated-deployment-part-1-427p">first part</a> of this series, I covered the high-level architecture and the tools I chose for building my personal website. Now let's dive deeper into the technical implementation, starting with the Terraform modules.</p> <h2> Infrastructure Overview </h2> <p>To deploy the minimal infrastructure with everything needed on Hetzner Cloud, we need to configure the following components:</p> <ul> <li> <strong>Network</strong> — private network for internal communication</li> <li> <strong>Firewall</strong> — security rules to restrict traffic</li> <li> <strong>SSH Key</strong> — authentication for server access</li> <li> <strong>Server</strong> — the actual compute instance</li> </ul> <p>I created Terraform modules for each of these components. Let's go through them one by one.</p> <h2> Network Module </h2> <p>The first piece of infrastructure we need is a private network. For this, I created the <a href="https://github.com/danylomikula/terraform-hcloud-network" rel="noopener noreferrer">terraform-hcloud-network</a> module.</p> <p>This module provides comprehensive network management for Hetzner Cloud:</p> <ul> <li>Optional creation of a new network or reuse of an existing one</li> <li>Support for multiple subnets across different network zones and types (<code>server</code>, <code>cloud</code>, or <code>vswitch</code>)</li> <li>Optional custom routes for advanced scenarios like VPN gateways</li> <li>Consistent outputs for easy integration with other modules</li> </ul> <p>Here's my network configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">module</span> <span class="s2">"network"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"danylomikula/network/hcloud"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"1.0.0"</span> <span class="nx">create_network</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">project_slug</span> <span class="nx">ip_range</span> <span class="p">=</span> <span class="s2">"10.100.0.0/16"</span> <span class="nx">labels</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">common_labels</span> <span class="nx">subnets</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">web</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"cloud"</span> <span class="nx">network_zone</span> <span class="p">=</span> <span class="s2">"eu-central"</span> <span class="nx">ip_range</span> <span class="p">=</span> <span class="s2">"10.100.1.0/24"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>I chose the <code>eu-central</code> network zone because it offers the best pricing. This configuration creates a network with a <code>/16</code> CIDR block (<code>10.100.0.0/16</code>) and a single subnet with a <code>/24</code> block (<code>10.100.1.0/24</code>). For a single server, this is more than enough address space.</p> <h2> Firewall Module </h2> <p>Next, we need to set up a firewall to restrict external traffic. As I mentioned in the first part, I only allow HTTP/HTTPS traffic from Cloudflare IP addresses and SSH access from my home IP.</p> <p>For this, I created the <a href="https://github.com/danylomikula/terraform-hcloud-firewall" rel="noopener noreferrer">terraform-hcloud-firewall</a> module. It supports:</p> <ul> <li>Creating multiple firewalls with custom rules</li> <li>Both inbound and outbound rules</li> <li>Flexible port and IP restrictions</li> <li>Common labels across all firewalls</li> </ul> <p>Here's my firewall configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">module</span> <span class="s2">"firewall"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"danylomikula/firewall/hcloud"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"1.0.0"</span> <span class="nx">firewalls</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"${local.resource_names.website}"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">rules</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">direction</span> <span class="p">=</span> <span class="s2">"in"</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">port</span> <span class="p">=</span> <span class="s2">"22"</span> <span class="nx">source_ips</span> <span class="p">=</span> <span class="p">[</span><span class="nx">var</span><span class="p">.</span><span class="nx">my_homelab_ip</span><span class="p">]</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"allow ssh"</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">direction</span> <span class="p">=</span> <span class="s2">"in"</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">port</span> <span class="p">=</span> <span class="s2">"80"</span> <span class="nx">source_ips</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">cloudflare_all_ips</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"allow http from cloudflare"</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">direction</span> <span class="p">=</span> <span class="s2">"in"</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">port</span> <span class="p">=</span> <span class="s2">"443"</span> <span class="nx">source_ips</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">cloudflare_all_ips</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"allow https from cloudflare"</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">direction</span> <span class="p">=</span> <span class="s2">"in"</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"icmp"</span> <span class="nx">source_ips</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">,</span> <span class="s2">"::/0"</span><span class="p">]</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"allow ping"</span> <span class="p">}</span> <span class="p">]</span> <span class="nx">labels</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">service</span> <span class="p">=</span> <span class="s2">"firewall"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">common_labels</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">common_labels</span> <span class="p">}</span> </code></pre> </div> <h3> Dynamic Cloudflare IP Fetching </h3> <p>Cloudflare publishes their IP ranges publicly, so I fetch them dynamically using Terraform's <code>http</code> data source:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">data</span> <span class="s2">"http"</span> <span class="s2">"cloudflare_ips_v4"</span> <span class="p">{</span> <span class="nx">url</span> <span class="p">=</span> <span class="s2">"https://www.cloudflare.com/ips-v4"</span> <span class="p">}</span> <span class="nx">data</span> <span class="s2">"http"</span> <span class="s2">"cloudflare_ips_v6"</span> <span class="p">{</span> <span class="nx">url</span> <span class="p">=</span> <span class="s2">"https://www.cloudflare.com/ips-v6"</span> <span class="p">}</span> <span class="nx">locals</span> <span class="p">{</span> <span class="nx">cloudflare_ipv4_cidrs</span> <span class="p">=</span> <span class="nx">split</span><span class="p">(</span><span class="s2">"</span><span class="err">\</span><span class="s2">n"</span><span class="p">,</span> <span class="nx">trimspace</span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">http</span><span class="p">.</span><span class="nx">cloudflare_ips_v4</span><span class="p">.</span><span class="nx">response_body</span><span class="p">))</span> <span class="nx">cloudflare_ipv6_cidrs</span> <span class="p">=</span> <span class="nx">split</span><span class="p">(</span><span class="s2">"</span><span class="err">\</span><span class="s2">n"</span><span class="p">,</span> <span class="nx">trimspace</span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">http</span><span class="p">.</span><span class="nx">cloudflare_ips_v6</span><span class="p">.</span><span class="nx">response_body</span><span class="p">))</span> <span class="nx">cloudflare_all_ips</span> <span class="p">=</span> <span class="nx">concat</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">cloudflare_ipv4_cidrs</span><span class="p">,</span> <span class="nx">local</span><span class="p">.</span><span class="nx">cloudflare_ipv6_cidrs</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>This approach ensures that whenever Cloudflare updates their IP ranges, a simple <code>terraform apply</code> will update the firewall rules automatically.</p> <blockquote> <p><strong>Important:</strong> For this setup to work, you need to enable the Proxy toggle on your A and AAAA records in Cloudflare DNS settings.</p> </blockquote> <h2> SSH Key Module </h2> <p>Before creating the server, we need an SSH key for authentication. I created the <a href="https://github.com/danylomikula/terraform-hcloud-ssh-key" rel="noopener noreferrer">terraform-hcloud-ssh-key</a> module for this purpose.</p> <p>This module is quite flexible and supports:</p> <ul> <li>Automated key generation (ED25519, RSA, or ECDSA)</li> <li>Automatic local save of generated keys</li> <li>Uploading existing public keys</li> <li>Referencing keys already in Hetzner Cloud by ID or name</li> </ul> <p>Here's my configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">module</span> <span class="s2">"ssh_key"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"danylomikula/ssh-key/hcloud"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"1.0.0"</span> <span class="nx">create_key</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">project_slug</span> <span class="nx">save_private_key_locally</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">local_key_directory</span> <span class="p">=</span> <span class="nx">path</span><span class="p">.</span><span class="nx">module</span> <span class="nx">labels</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">common_labels</span> <span class="p">}</span> </code></pre> </div> <p>This generates an ED25519 key pair (the default and recommended algorithm) and saves both the private and public keys locally for easy access.</p> <h2> Server Module </h2> <p>Finally, let's create the server itself using the <a href="https://github.com/danylomikula/terraform-hcloud-server" rel="noopener noreferrer">terraform-hcloud-server</a> module. Like the others, it's designed to be flexible and supports:</p> <ul> <li>Multi-server management with a single module invocation</li> <li>Private network attachments with static IPs</li> <li>Firewall integration at creation time</li> <li>Placement groups for high availability</li> <li>All <code>hcloud_server</code> resource attributes</li> </ul> <p>Here's my server configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">module</span> <span class="s2">"servers"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"danylomikula/server/hcloud"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"1.0.0"</span> <span class="nx">servers</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"${local.resource_names.website}"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">server_type</span> <span class="p">=</span> <span class="s2">"cx23"</span> <span class="nx">location</span> <span class="p">=</span> <span class="s2">"hel1"</span> <span class="nx">image</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">hcloud_image</span><span class="p">.</span><span class="nx">rocky</span><span class="p">.</span><span class="nx">name</span> <span class="nx">user_data</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">cloud_init_config</span> <span class="nx">ssh_keys</span> <span class="p">=</span> <span class="p">[</span><span class="nx">module</span><span class="p">.</span><span class="nx">ssh_key</span><span class="p">.</span><span class="nx">ssh_key_id</span><span class="p">]</span> <span class="nx">firewall_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">module</span><span class="p">.</span><span class="nx">firewall</span><span class="p">.</span><span class="nx">firewall_ids</span><span class="p">[</span><span class="nx">local</span><span class="p">.</span><span class="nx">resource_names</span><span class="p">.</span><span class="nx">website</span><span class="p">]]</span> <span class="nx">networks</span> <span class="p">=</span> <span class="p">[{</span> <span class="nx">network_id</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">network_id</span> <span class="nx">ip</span> <span class="p">=</span> <span class="s2">"10.100.1.10"</span> <span class="p">}]</span> <span class="nx">labels</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">service</span> <span class="p">=</span> <span class="s2">"website"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">common_labels</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">common_labels</span> <span class="p">}</span> </code></pre> </div> <p>I chose the <code>cx23</code> server type as it's the cheapest option available and costs me less than $5 per month in the Helsinki (<code>hel1</code>) region. Its specifications are more than enough for a static website.</p> <p>Notice how I'm passing variables from previous modules dynamically — the SSH key ID, firewall ID, and network ID are all referenced from their respective module outputs. This eliminates manual configuration and reduces the chance of errors.</p> <h2> Complete Configuration </h2> <p>Here's the full Terraform configuration with all the pieces together:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">locals</span> <span class="p">{</span> <span class="nx">project_slug</span> <span class="p">=</span> <span class="s2">"mikula-dev"</span> <span class="nx">common_labels</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">environment</span> <span class="p">=</span> <span class="s2">"production"</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">project_slug</span> <span class="nx">managed_by</span> <span class="p">=</span> <span class="s2">"terraform"</span> <span class="p">}</span> <span class="nx">resource_names</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">website</span> <span class="p">=</span> <span class="s2">"${local.project_slug}-web"</span> <span class="p">}</span> <span class="nx">cloud_init_config</span> <span class="p">=</span> <span class="nx">templatefile</span><span class="p">(</span><span class="s2">"${path.module}/cloud-init.tpl"</span><span class="p">,</span> <span class="p">{</span> <span class="nx">ansible_ssh_public_key</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">ansible_user_ssh_public_key</span> <span class="p">})</span> <span class="nx">cloudflare_ipv4_cidrs</span> <span class="p">=</span> <span class="nx">split</span><span class="p">(</span><span class="s2">"</span><span class="err">\</span><span class="s2">n"</span><span class="p">,</span> <span class="nx">trimspace</span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">http</span><span class="p">.</span><span class="nx">cloudflare_ips_v4</span><span class="p">.</span><span class="nx">response_body</span><span class="p">))</span> <span class="nx">cloudflare_ipv6_cidrs</span> <span class="p">=</span> <span class="nx">split</span><span class="p">(</span><span class="s2">"</span><span class="err">\</span><span class="s2">n"</span><span class="p">,</span> <span class="nx">trimspace</span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">http</span><span class="p">.</span><span class="nx">cloudflare_ips_v6</span><span class="p">.</span><span class="nx">response_body</span><span class="p">))</span> <span class="nx">cloudflare_all_ips</span> <span class="p">=</span> <span class="nx">concat</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">cloudflare_ipv4_cidrs</span><span class="p">,</span> <span class="nx">local</span><span class="p">.</span><span class="nx">cloudflare_ipv6_cidrs</span><span class="p">)</span> <span class="p">}</span> <span class="c1"># Fetch Cloudflare IP ranges for firewall rules</span> <span class="nx">data</span> <span class="s2">"http"</span> <span class="s2">"cloudflare_ips_v4"</span> <span class="p">{</span> <span class="nx">url</span> <span class="p">=</span> <span class="s2">"https://www.cloudflare.com/ips-v4"</span> <span class="p">}</span> <span class="nx">data</span> <span class="s2">"http"</span> <span class="s2">"cloudflare_ips_v6"</span> <span class="p">{</span> <span class="nx">url</span> <span class="p">=</span> <span class="s2">"https://www.cloudflare.com/ips-v6"</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"network"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"danylomikula/network/hcloud"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"1.0.0"</span> <span class="nx">create_network</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">project_slug</span> <span class="nx">ip_range</span> <span class="p">=</span> <span class="s2">"10.100.0.0/16"</span> <span class="nx">labels</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">common_labels</span> <span class="nx">subnets</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">web</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"cloud"</span> <span class="nx">network_zone</span> <span class="p">=</span> <span class="s2">"eu-central"</span> <span class="nx">ip_range</span> <span class="p">=</span> <span class="s2">"10.100.1.0/24"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"ssh_key"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"danylomikula/ssh-key/hcloud"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"1.0.0"</span> <span class="nx">create_key</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">project_slug</span> <span class="nx">save_private_key_locally</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">local_key_directory</span> <span class="p">=</span> <span class="nx">path</span><span class="p">.</span><span class="nx">module</span> <span class="nx">labels</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">common_labels</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"firewall"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"danylomikula/firewall/hcloud"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"1.0.0"</span> <span class="nx">firewalls</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"${local.resource_names.website}"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">rules</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">direction</span> <span class="p">=</span> <span class="s2">"in"</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">port</span> <span class="p">=</span> <span class="s2">"22"</span> <span class="nx">source_ips</span> <span class="p">=</span> <span class="p">[</span><span class="nx">var</span><span class="p">.</span><span class="nx">my_homelab_ip</span><span class="p">]</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"allow ssh"</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">direction</span> <span class="p">=</span> <span class="s2">"in"</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">port</span> <span class="p">=</span> <span class="s2">"80"</span> <span class="nx">source_ips</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">cloudflare_all_ips</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"allow http from cloudflare"</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">direction</span> <span class="p">=</span> <span class="s2">"in"</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">port</span> <span class="p">=</span> <span class="s2">"443"</span> <span class="nx">source_ips</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">cloudflare_all_ips</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"allow https from cloudflare"</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">direction</span> <span class="p">=</span> <span class="s2">"in"</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"icmp"</span> <span class="nx">source_ips</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">,</span> <span class="s2">"::/0"</span><span class="p">]</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"allow ping"</span> <span class="p">}</span> <span class="p">]</span> <span class="nx">labels</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">service</span> <span class="p">=</span> <span class="s2">"firewall"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">common_labels</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">common_labels</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"servers"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"danylomikula/server/hcloud"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"1.0.0"</span> <span class="nx">servers</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"${local.resource_names.website}"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">server_type</span> <span class="p">=</span> <span class="s2">"cx23"</span> <span class="nx">location</span> <span class="p">=</span> <span class="s2">"hel1"</span> <span class="nx">image</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">hcloud_image</span><span class="p">.</span><span class="nx">rocky</span><span class="p">.</span><span class="nx">name</span> <span class="nx">user_data</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">cloud_init_config</span> <span class="nx">ssh_keys</span> <span class="p">=</span> <span class="p">[</span><span class="nx">module</span><span class="p">.</span><span class="nx">ssh_key</span><span class="p">.</span><span class="nx">ssh_key_id</span><span class="p">]</span> <span class="nx">firewall_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">module</span><span class="p">.</span><span class="nx">firewall</span><span class="p">.</span><span class="nx">firewall_ids</span><span class="p">[</span><span class="nx">local</span><span class="p">.</span><span class="nx">resource_names</span><span class="p">.</span><span class="nx">website</span><span class="p">]]</span> <span class="nx">networks</span> <span class="p">=</span> <span class="p">[{</span> <span class="nx">network_id</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">network_id</span> <span class="nx">ip</span> <span class="p">=</span> <span class="s2">"10.100.1.10"</span> <span class="p">}]</span> <span class="nx">labels</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">service</span> <span class="p">=</span> <span class="s2">"website"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">common_labels</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">common_labels</span> <span class="p">}</span> </code></pre> </div> <p>With this configuration, running <code>terraform apply</code> provisions the complete infrastructure in just a few minutes.</p> <h2> Server Bootstrapping with Ansible </h2> <p>Now let's look at bootstrapping the actual website. For this, I'm using an Ansible collection that I also created and published publicly: <a href="https://github.com/danylomikula/ansible-hugo-deploy" rel="noopener noreferrer">ansible-hugo-deploy</a>.</p> <p>For the operating system, I chose Rocky Linux 10. For the web server — Caddy.</p> <p>The Ansible collection handles the complete deployment pipeline:</p> <ul> <li> <strong>Hugo Static Site Deployment</strong> — automated cloning and building of Hugo websites</li> <li> <strong>Custom Caddy Build</strong> — compiles Caddy with custom plugins from source</li> <li> <strong>SSL/TLS Automation</strong> — automatic HTTPS certificates via Let's Encrypt with Cloudflare DNS challenge</li> <li> <strong>Built-in Rate Limiting</strong> — protection against bots and abuse</li> <li> <strong>Cloudflare Integration</strong> — DNS-01 ACME challenge support</li> <li> <strong>GitHub Deploy Key Generation</strong> — automatic SSH key generation for secure repository access</li> <li> <strong>Automated Updates</strong> — systemd timer for periodic Git pulls and site rebuilds</li> <li> <strong>Firewall Configuration</strong> — automated firewalld setup with sensible defaults</li> <li> <strong>Version Pinning</strong> — full control over Hugo, Caddy, and Go versions</li> </ul> <h3> My Ansible Configuration </h3> <p>Here's my complete configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="c1"># Domain configuration.</span> <span class="na">domain</span><span class="pi">:</span> <span class="s2">"</span><span class="s">mikula.dev"</span> <span class="na">admin_email</span><span class="pi">:</span> <span class="s2">"</span><span class="s">admin@{{</span><span class="nv"> </span><span class="s">domain</span><span class="nv"> </span><span class="s">}}"</span> <span class="c1"># Git repository for website source.</span> <span class="na">website_repo_url</span><span class="pi">:</span> <span class="s2">"</span><span class="s">git@github.com:danylomikula/mikula.dev.git"</span> <span class="na">website_repo_branch</span><span class="pi">:</span> <span class="s2">"</span><span class="s">master"</span> <span class="c1"># Web content paths.</span> <span class="na">website_root</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/var/www/{{</span><span class="nv"> </span><span class="s">domain</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">caddy_log_path</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/var/log/caddy"</span> <span class="na">website_public_dir</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">website_root</span><span class="nv"> </span><span class="s">}}/public"</span> <span class="c1"># Deploy SSH key configuration.</span> <span class="na">deploy_ssh_key_user</span><span class="pi">:</span> <span class="s2">"</span><span class="s">caddy"</span> <span class="na">deploy_ssh_key_group</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">deploy_ssh_key_user</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">deploy_ssh_key_dir</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/var/lib/{{</span><span class="nv"> </span><span class="s">deploy_ssh_key_user</span><span class="nv"> </span><span class="s">}}/.ssh"</span> <span class="na">deploy_ssh_key_path</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">deploy_ssh_key_dir</span><span class="nv"> </span><span class="s">}}/deploy_key"</span> <span class="na">deploy_ssh_key_type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">ed25519"</span> <span class="na">deploy_ssh_key_comment</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">domain</span><span class="nv"> </span><span class="s">}}-deploy-key"</span> <span class="c1"># Website rebuild configuration.</span> <span class="na">webrebuild_schedule</span><span class="pi">:</span> <span class="s2">"</span><span class="s">*-*-*</span><span class="nv"> </span><span class="s">04:00:00"</span> <span class="na">webrebuild_boot_delay</span><span class="pi">:</span> <span class="s2">"</span><span class="s">180"</span> <span class="na">webrebuild_service_user</span><span class="pi">:</span> <span class="s2">"</span><span class="s">caddy"</span> <span class="na">webrebuild_service_group</span><span class="pi">:</span> <span class="s2">"</span><span class="s">caddy"</span> <span class="na">webrebuild_commands</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">git</span><span class="nv"> </span><span class="s">pull</span><span class="nv"> </span><span class="s">origin</span><span class="nv"> </span><span class="s">{{</span><span class="nv"> </span><span class="s">website_repo_branch</span><span class="nv"> </span><span class="s">}}"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">hugo</span><span class="nv"> </span><span class="s">--gc</span><span class="nv"> </span><span class="s">--minify"</span> <span class="na">hugo_version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0.152.2"</span> <span class="c1"># Caddy configuration.</span> <span class="na">caddy_version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2.10.2"</span> <span class="na">caddy_go_version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1.25.4"</span> <span class="na">caddy_modules</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">github.com/mholt/caddy-ratelimit</span> <span class="pi">-</span> <span class="s">github.com/caddy-dns/cloudflare</span> <span class="na">caddy_rate_limit</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">events</span><span class="pi">:</span> <span class="m">60</span> <span class="na">window</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1m"</span> <span class="na">caddy_compression_formats</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">gzip</span> <span class="pi">-</span> <span class="s">zstd</span> <span class="c1"># DNS / ACME configuration.</span> <span class="na">cloudflare_api_token</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">vault_cloudflare_api_token</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">caddy_acme_ca</span><span class="pi">:</span> <span class="s2">"</span><span class="s">https://acme-v02.api.letsencrypt.org/directory"</span> <span class="c1"># Firewall configuration.</span> <span class="na">firewall_zone</span><span class="pi">:</span> <span class="s2">"</span><span class="s">public"</span> <span class="na">firewall_allowed_services</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ssh</span> <span class="pi">-</span> <span class="s">http</span> <span class="pi">-</span> <span class="s">https</span> <span class="na">firewall_allowed_ports</span><span class="pi">:</span> <span class="pi">[]</span> <span class="na">firewall_allowed_icmp</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">firewall_allowed_icmp_types</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">echo-request</span> </code></pre> </div> <h3> Custom Caddy Build with Plugins </h3> <p>Since I'm using Cloudflare with proxy enabled, the standard Caddy build isn't enough for automatic certificate provisioning. I need the <a href="https://github.com/caddy-dns/cloudflare" rel="noopener noreferrer">caddy-dns/cloudflare</a> module to pass the DNS-01 ACME challenge for certificate verification.</p> <p>Since I'm already building a custom Caddy binary, I decided to add another useful module — <a href="https://github.com/mholt/caddy-ratelimit" rel="noopener noreferrer">caddy-ratelimit</a> for rate limiting protection against bots and scanners.</p> <p>The configuration for these modules is available in my Ansible playbook. If you don't want to use one of them or want to add additional modules, you can easily customize the <code>caddy_modules</code> list.</p> <h3> Automated Content Updates </h3> <p>We can now deploy the website, but one problem remains: how do we update the content automatically without manually logging into the server? I want to simply push to Git and have the website update itself after some time.</p> <p>To solve this, I'm using GitHub deploy keys. These keys are read-only, meaning all they can do is read the content of the Git repository — nothing more.</p> <p>The Ansible playbook generates this key automatically, outputs the public part to the console, and waits for your confirmation while you configure your GitHub repository. After confirmation, it clones the content, builds it, and starts the Hugo server.</p> <h3> systemd Timer for Periodic Updates </h3> <p>For periodic content updates, I use a simple systemd timer that runs every morning and updates the website with new content.</p> <p><strong>webrebuild.service:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="nn">[Unit]</span> <span class="py">Description</span><span class="p">=</span><span class="s">Rebuild website from Git repository</span> <span class="py">After</span><span class="p">=</span><span class="s">network-online.target</span> <span class="py">Wants</span><span class="p">=</span><span class="s">network-online.target</span> <span class="nn">[Service]</span> <span class="py">Type</span><span class="p">=</span><span class="s">oneshot</span> <span class="py">User</span><span class="p">=</span><span class="s">{{ webrebuild_service_user }}</span> <span class="py">Group</span><span class="p">=</span><span class="s">{{ webrebuild_service_group }}</span> <span class="py">WorkingDirectory</span><span class="p">=</span><span class="s">{{ website_root }}</span> <span class="py">Environment</span><span class="p">=</span><span class="s">PATH={{ caddy_webserver_rebuild_path }}</span> <span class="err">{%</span> <span class="err">for</span> <span class="err">command</span> <span class="err">in</span> <span class="err">webrebuild_commands</span> <span class="err">%}</span> <span class="py">ExecStart</span><span class="p">=</span><span class="s">/usr/bin/env bash -c "{{ command }}"</span> <span class="err">{%</span> <span class="err">endfor</span> <span class="err">%}</span> <span class="py">StandardOutput</span><span class="p">=</span><span class="s">journal</span> <span class="py">StandardError</span><span class="p">=</span><span class="s">journal</span> </code></pre> </div> <p><strong>webrebuild.timer:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="nn">[Unit]</span> <span class="py">Description</span><span class="p">=</span><span class="s">Rebuild website daily</span> <span class="py">RefuseManualStart</span><span class="p">=</span><span class="s">no</span> <span class="py">RefuseManualStop</span><span class="p">=</span><span class="s">no</span> <span class="nn">[Timer]</span> <span class="c"># Run {{ webrebuild_boot_delay }} seconds after boot for the first time. </span><span class="py">OnBootSec</span><span class="p">=</span><span class="s">{{ webrebuild_boot_delay }}</span> <span class="c"># Run daily at scheduled time. </span><span class="py">OnCalendar</span><span class="p">=</span><span class="s">{{ webrebuild_schedule }}</span> <span class="py">Unit</span><span class="p">=</span><span class="s">webrebuild.service</span> <span class="nn">[Install]</span> <span class="py">WantedBy</span><span class="p">=</span><span class="s">timers.target</span> </code></pre> </div> <p>With this setup, every morning at 4:00 AM the timer triggers, pulls the latest changes from the repository, and rebuilds the site with Hugo. If I need an immediate update, I can always trigger it manually with <code>sudo systemctl start webrebuild.service</code>.</p> <h3> Caddyfile Configuration </h3> <p>The Caddy server is configured using a config file called <code>Caddyfile</code>. Here's the complete template:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Caddyfile for {{ domain }} # Managed by Ansible - do not edit manually. {% if (cloudflare_api_token | length &gt; 0) or (caddy_acme_ca | length &gt; 0) %} { {% if caddy_acme_ca | length &gt; 0 %} acme_ca {{ caddy_acme_ca }} {% endif %} {% if cloudflare_api_token | length &gt; 0 %} acme_dns cloudflare {env.CLOUDFLARE_API_TOKEN} {% endif %} } {% endif %} www.{{ domain }} { # Redirect www to non-www domain. redir https://{{ domain }}{uri} permanent } {{ domain }} { # Root directory for static files. root * {{ website_public_dir }} # Enable static file server. file_server {% if caddy_rate_limit.enabled | default(false) %} # Basic rate limiting per client IP to slow down bots/scanners. rate_limit { zone per_client { key {remote_ip} events {{ caddy_rate_limit.events }} window {{ caddy_rate_limit.window }} } } {% endif %} # Enable compression. encode {% for format in caddy_compression_formats %}{{ format }} {% endfor %} # TLS configuration with admin email. tls {{ admin_email }} # Access logging. log { output file {{ caddy_log_path }}/access.log { roll_size 100MiB roll_local_time roll_keep_for 15d } } # Security headers. header { Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" X-Content-Type-Options "nosniff" Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://www.googletagmanager.com https://static.cloudflareinsights.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://static.cloudflareinsights.com; font-src 'self' data:; frame-ancestors 'none'; object-src 'none'; base-uri 'self'; form-action 'self'; connect-src 'self' https://www.google-analytics.com https://www.googletagmanager.com https://static.cloudflareinsights.com https://cloudflareinsights.com" Referrer-Policy "strict-origin-when-cross-origin" } } </code></pre> </div> <p>This configuration includes:</p> <ul> <li> <strong>www to non-www redirect</strong> — all traffic to <code>www.mikula.dev</code> is permanently redirected to <code>mikula.dev</code> </li> <li> <strong>Static file serving</strong> — serves files from the Hugo build output directory</li> <li> <strong>Rate limiting</strong> — limits requests per client IP to protect against abuse</li> <li> <strong>Compression</strong> — gzip and zstd compression for better performance</li> <li> <strong>Automatic TLS</strong> — certificates via Let's Encrypt with Cloudflare DNS challenge</li> <li> <strong>Access logging</strong> — with automatic log rotation</li> <li> <strong>Security headers</strong> — HSTS, CSP, and other security-related headers</li> </ul> <h2> Conclusion </h2> <p>That's it! With this setup, I can deploy a fully functional, secure, and automated website infrastructure in about 15 minutes. The entire workflow is:</p> <ol> <li>Run <code>terraform apply</code> to provision the infrastructure</li> <li>Push content to the repository</li> <li>Run the Ansible playbook to configure the server</li> <li>Add the deploy key to GitHub</li> </ol> <p>From that point on, the website updates itself automatically every day.</p> <p>I hope this guide helps you set up your own website even faster than I did. Feel free to use my ready-made configurations as a starting point.</p> <p>All the code is open source:</p> <ul> <li> <strong>Terraform Modules:</strong> <ul> <li><a href="https://github.com/danylomikula/terraform-hcloud-network" rel="noopener noreferrer">terraform-hcloud-network</a></li> <li><a href="https://github.com/danylomikula/terraform-hcloud-firewall" rel="noopener noreferrer">terraform-hcloud-firewall</a></li> <li><a href="https://github.com/danylomikula/terraform-hcloud-ssh-key" rel="noopener noreferrer">terraform-hcloud-ssh-key</a></li> <li><a href="https://github.com/danylomikula/terraform-hcloud-server" rel="noopener noreferrer">terraform-hcloud-server</a></li> </ul> </li> <li> <strong>Ansible Collection:</strong> <ul> <li><a href="https://github.com/danylomikula/ansible-hugo-deploy" rel="noopener noreferrer">ansible-hugo-deploy</a></li> </ul> </li> </ul> <p><em>Have questions or suggestions? Feel free to reach out or open an issue on GitHub.</em></p> devops cloud automation terraform Danylo Mikula Fri, 28 Nov 2025 21:58:57 +0000 https://forem.com/mikula/building-my-personal-website-from-idea-to-automated-deployment-part-1-427p https://forem.com/mikula/building-my-personal-website-from-idea-to-automated-deployment-part-1-427p <p>The idea of creating my own personal website—a place where I could share projects I'm working on and document my technical journey—has been on my mind for a long time. But as with many personal projects, it kept getting pushed aside. Finally, I found the time, and here it is: <a href="https://mikula.dev" rel="noopener noreferrer">mikula.dev</a>. In this post, I want to share how I built it, what tools I chose, and why.</p> <h2> Choosing the Right Static Site Generator </h2> <p>When looking for a site generator, I had a few requirements in mind: it needed to be simple yet flexible, fast, and shouldn't require hours of configuration just to get started. After evaluating several options, I settled on <a href="https://gohugo.io/" rel="noopener noreferrer">Hugo</a>.</p> <p>Hugo is one of the fastest static site generators out there. Written in Go, it can build thousands of pages in seconds. But speed isn't the only advantage—it generates pure static HTML files, which makes hosting incredibly straightforward. No databases, no server-side processing, no complex runtime dependencies. Just files that can be served by any web server.</p> <p>The fact that Hugo outputs static files also brings security benefits—there's simply no dynamic attack surface. Combined with its extensive templating capabilities and active community, it was an easy choice.</p> <h2> Finding the Perfect Theme </h2> <p>I didn't want to spend weeks developing my own theme from scratch. Instead, I looked for something that matched my aesthetic preferences and could be customized easily. I found <a href="https://github.com/panr/hugo-theme-terminal" rel="noopener noreferrer">Terminal</a> by Radek Kozieł, and it was exactly what I was looking for.</p> <p>The theme has a clean, retro terminal-inspired look with beautiful syntax highlighting powered by Chroma. It uses <a href="https://github.com/tonsky/FiraCode" rel="noopener noreferrer">Fira Code</a> as the default monospace font, is fully responsive, and supports customizable color schemes. While it covered most of my needs out of the box, I did extend it with some additional functionality—like better post organization and a dedicated resume page.</p> <h2> Where to Host? </h2> <p>Since Hugo generates static files, I had several hosting options to consider: GitHub Pages, AWS S3 with CloudFront, or a small cloud server. Each has its merits, but I went with a dedicated server on <a href="https://www.hetzner.com/cloud" rel="noopener noreferrer">Hetzner Cloud</a>.</p> <p>Why? Flexibility. While GitHub Pages and S3 are excellent for simple static hosting, having my own server gives me complete control over the infrastructure. I can configure custom caching rules, set up rate limiting, add custom header and run additional services if needed. Plus, Hetzner offers excellent performance at very competitive prices.</p> <h2> Caddy: The Modern Web Server </h2> <p>For the web server, I evaluated a few options—nginx, Apache, and Caddy. I chose <a href="https://caddyserver.com/" rel="noopener noreferrer">Caddy</a> for several compelling reasons.</p> <p>First, automatic HTTPS. Caddy handles SSL certificate provisioning and renewal through Let's Encrypt completely automatically. No more manual certificate management, no cron jobs for renewal, no forgetting to renew and having your site go down. It just works.</p> <p>Second, simplicity. Caddy's configuration format (the Caddyfile) is remarkably straightforward compared to nginx or Apache configurations. A basic site configuration can be just a few lines, yet it still offers powerful customization options when you need them.</p> <p>I'm also using a custom Caddy build with additional plugins: <a href="https://github.com/caddy-dns/cloudflare" rel="noopener noreferrer">caddy-dns/cloudflare</a> for DNS-01 ACME challenges (so I can get certificates even before DNS propagation completes) and <a href="https://github.com/mholt/caddy-ratelimit" rel="noopener noreferrer">caddy-ratelimit</a> to protect against bots and abuse.</p> <h2> DNS and Security with Cloudflare </h2> <p>For DNS management, I'm using <a href="https://www.cloudflare.com/" rel="noopener noreferrer">Cloudflare</a>. But it's not just about DNS—I have Cloudflare Proxy enabled, which means all traffic to my site goes through Cloudflare's network first. This provides several benefits: DDoS protection, CDN caching, and most importantly, it hides my server's real IP address from the public.</p> <p>To take security a step further, I configured firewall rules directly in Hetzner Cloud to only allow incoming HTTP/HTTPS traffic from Cloudflare's IP ranges. This means even if someone discovers my server's actual IP address, they can't connect to the web server directly—all requests must go through Cloudflare. This setup effectively creates an additional security layer and ensures that all traffic benefits from Cloudflare's protection.</p> <p>Cloudflare publishes their IP ranges publicly, so keeping the firewall rules updated is straightforward. Combined with Caddy's rate limiting, this gives me a solid defense-in-depth approach without adding complexity to the daily operations.</p> <h2> Infrastructure as Code with Terraform </h2> <p>As someone who believes in automating everything, I needed proper Infrastructure as Code for my cloud setup. I looked for existing Terraform modules for Hetzner Cloud but didn't find anything that met my standards for flexibility and maintainability. So I built my own.</p> <p>I created a set of reusable Terraform modules that cover the essential Hetzner Cloud resources:</p> <ul> <li> <a href="https://github.com/danylomikula/terraform-hcloud-server" rel="noopener noreferrer">terraform-hcloud-server</a> — Multi-server management with support for private networks and firewalls.</li> <li> <a href="https://github.com/danylomikula/terraform-hcloud-network" rel="noopener noreferrer">terraform-hcloud-network</a> — VPC and subnet management</li> <li> <a href="https://github.com/danylomikula/terraform-hcloud-firewall" rel="noopener noreferrer">terraform-hcloud-firewall</a> — Firewall rules configuration</li> <li> <a href="https://github.com/danylomikula/terraform-hcloud-ssh-key" rel="noopener noreferrer">terraform-hcloud-ssh-key</a> — SSH key management with support for key generation</li> </ul> <p>These modules are designed to work together seamlessly while remaining flexible enough for various use cases. They're all open source and available on both GitHub and the Terraform Registry.</p> <h2> Configuration Management with Ansible </h2> <p>With infrastructure sorted out, I needed a way to automate the actual server configuration and site deployment. For this, I created an Ansible collection: <a href="https://github.com/danylomikula/ansible-hugo-deploy" rel="noopener noreferrer">ansible-hugo-deploy</a>.</p> <p>This collection handles the complete deployment pipeline:</p> <ul> <li>Installing and configuring Caddy with custom builds (including the Cloudflare DNS and rate limiting plugins)</li> <li>Generating SSH deploy keys for secure repository access</li> <li>Cloning the Hugo site from GitHub</li> <li>Building the site with Hugo</li> <li>Obtaining and managing SSL certificates</li> <li>Configuring rate limiting and security headers</li> <li>Setting up automated content updates via systemd timer</li> </ul> <p>The systemd timer runs daily, pulling the latest changes from the repository and rebuilding the site. This means I can just push a new post to GitHub, and within a day (or I can trigger it manually), the site updates automatically. No SSH-ing into the server, no manual deployments.</p> <h2> The Complete Picture </h2> <p>Here's how everything fits together:</p> <ol> <li> <strong>Terraform</strong> provisions the infrastructure on Hetzner Cloud—server, network, firewall rules (allowing only Cloudflare IPs), and SSH keys</li> <li> <strong>Ansible</strong> configures the server—installs Caddy, Hugo, sets up the deployment pipeline</li> <li> <strong>Hugo</strong> generates the static site from Markdown content</li> <li> <strong>Caddy</strong> serves the site with automatic HTTPS, compression, and rate limiting</li> <li> <strong>Cloudflare</strong> handles DNS, proxies all traffic, provides DDoS protection and CDN caching</li> <li> <strong>systemd timer</strong> keeps the content automatically updated</li> </ol> <p>The entire setup—from bare server to fully functional website—takes about 15 minutes. And once it's running, I never need to touch the server for content updates. Write a post in Markdown, push to GitHub, and the site updates itself.</p> <h2> What's Next? </h2> <p>In the second part of this series, I'll dive deeper into the technical details of both the Terraform modules and the Ansible collection. I'll walk through the code, explain the design decisions, and show how you can use these tools for your own projects.</p> <p>All the code is open source and available on my GitHub:</p> <ul> <li><a href="https://github.com/danylomikula?tab=repositories&amp;q=terraform-hcloud" rel="noopener noreferrer">Terraform Hetzner Cloud Modules</a></li> <li><a href="https://github.com/danylomikula/ansible-hugo-deploy" rel="noopener noreferrer">Ansible Hugo Deploy Collection</a></li> </ul> <p>Feel free to use them, contribute, or just take inspiration for your own automation journey!</p> tutorial terraform ansible automation Danylo Mikula Sat, 15 Nov 2025 05:28:13 +0000 https://forem.com/mikula/automated-macos-setup-with-dotfiles-4221 https://forem.com/mikula/automated-macos-setup-with-dotfiles-4221 <p>A comprehensive automation solution for setting up macOS development environments. This dotfiles repository handles everything from Homebrew package installation to SSH/GPG key generation and GitHub integration – all through an interactive bootstrap script.</p> <p><strong>Repository:</strong> <a href="https://github.com/danylomikula/dotfiles" rel="noopener noreferrer">github.com/danylomikula/dotfiles</a></p> <h2> The Problem </h2> <p>Every DevOps engineer knows the pain:</p> <ul> <li>New laptop arrives – 4-8 hours of manual setup</li> <li>Switching between personal/work machines – different configs everywhere </li> <li>Team onboarding – "just install these 50 things..."</li> <li>Disaster recovery – scrambling to remember every tool and setting</li> </ul> <p>Traditional approaches fall short:</p> <ul> <li> <strong>Manual installation</strong>: Error-prone, inconsistent, undocumented</li> <li> <strong>Basic dotfiles</strong>: Only manage config files, not installation</li> <li> <strong>Homebrew Brewfile</strong>: Doesn't handle SSH/GPG keys or directory structures</li> <li> <strong>Ansible playbooks</strong>: Overkill for personal use, slow iteration</li> </ul> <h2> The Solution: Intelligent Bootstrap Script </h2> <p>I built a <a href="https://github.com/danylomikula/dotfiles" rel="noopener noreferrer">comprehensive dotfiles repository</a> that handles everything through a single <code>bootstrap.sh</code> script with interactive prompts using <code>gum</code> for a beautiful TUI experience.</p> <h3> What It Does </h3> <p><strong>Core Installation:</strong></p> <ul> <li>Homebrew + analytics disabled</li> <li>Nerd Fonts (Hack, Ubuntu Mono, Fira Code, Courier Prime)</li> <li>Oh-My-Zsh with plugins (autosuggestions, syntax highlighting, you-should-use)</li> <li>Modern CLI tools: <code>eza</code>, <code>zoxide</code>, <code>fzf</code>, <code>starship</code>, <code>zellij</code> </li> <li>Python via <code>pyenv</code> with latest version auto-installed</li> </ul> <p><strong>Applications:</strong></p> <ul> <li> <strong>Productivity</strong>: Zen, Obsidian, Maccy, BetterDisplay, Grammarly</li> <li> <strong>Communication</strong>: Signal, Telegram, Slack, Discord</li> <li> <strong>Development</strong>: VSCode, Alacritty, Fork, Lens</li> <li> <strong>DevOps/Cloud</strong>: AWS CLI, kubectl, helm, terraform, vault, argocd, ansible</li> <li> <strong>Security</strong>: Mullvad VPN, Tailscale, GPG Suite</li> <li> <strong>Utilities</strong>: AldDente, Bartender, AppCleaner, Shottr</li> </ul> <p><strong>Git Configuration:</strong></p> <ul> <li>Global <code>.gitconfig</code> with sane defaults</li> <li>Separate directories for personal/work repos with automatic context switching</li> <li> <code>includeIf</code> directives for email/name per directory</li> <li>Global <code>.gitignore</code> setup</li> <li>Branch sorting by commit date, auto column UI</li> </ul> <p><strong>SSH Key Generation:</strong></p> <ul> <li>Ed25519 keys with modern crypto</li> <li>Automatic GitHub CLI integration</li> <li>Adds key to GitHub via API</li> <li>Tests SSH connection to GitHub</li> </ul> <p><strong>GPG Key Generation:</strong></p> <ul> <li>Ed25519 + Curve25519 keys for signing/encryption</li> <li>Configures <code>pinentry-mac</code> for macOS Keychain integration</li> <li>Automatic GitHub integration via API</li> <li>Sets global signing key in Git</li> </ul> <p><strong>Dotfiles Management:</strong></p> <ul> <li>GNU Stow for symlink management</li> <li>Configs for: zsh, starship, alacritty, zellij, k9s, docker, git, gh</li> <li>Alacritty themes auto-cloned (200+ colorschemes)</li> </ul> <p><strong>AI Agents Configuration:</strong></p> <ul> <li>Configures <a href="https://github.com/danylomikula/codex-cli" rel="noopener noreferrer">Codex</a> and <a href="https://claude.ai/" rel="noopener noreferrer">Claude</a> for development workflow</li> <li>Installs Context7 MCP server for automatic library documentation</li> <li>Sets up global Copilot instructions at <code>~/.config/Code/User/prompts/context7.instructions.md</code> </li> <li>Enables AI agents to automatically fetch library docs during code generation</li> <li>Configured via standalone <code>configure-ai-agents.sh</code> script</li> </ul> <h2> Architecture </h2> <h3> Directory Structure </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>dotfiles/ ├── bootstrap.sh # Main installation script ├── configure-git.sh # Standalone Git config tool ├── configure-ai-agents.sh # Standalone AI agents setup ├── generate-gpg-key.sh # Standalone GPG key generator ├── generate-ssh-key.sh # Standalone SSH key generator ├── alacritty/ │ └── .config/alacritty/ │ ├── alacritty.toml │ └── themes/ # 200+ themes via git submodule ├── claude/ # Claude Code AI agent config │ └── .claude/ │ └── CLAUDE.md ├── codex/ # Codex AI agent config │ └── .codex/ │ ├── AGENTS.md │ └── config.toml ├── docker/.docker/ │ └── config.json ├── git/ │ ├── .gitconfig │ └── .gitignore_global ├── github-cli/.config/gh/ ├── k9s/.config/k9s/ ├── starship/.config/ │ └── starship.toml ├── zellij/.config/zellij/ │ └── config.kdl └── zshrc/ └── .zshrc </code></pre> </div> <h3> Key Design Decisions </h3> <p><strong>1. Interactive Prompts with Gum</strong></p> <p>Instead of environment variables or config files, I use <a href="https://github.com/charmbracelet/gum" rel="noopener noreferrer">charmbracelet/gum</a> for beautiful TUI prompts:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gum style <span class="nt">--foreground</span> <span class="s2">"#00FF00"</span> <span class="nt">--bold</span> <span class="s2">"Do you want to generate a GPG key?"</span> <span class="nv">CHOICE</span><span class="o">=</span><span class="si">$(</span>gum choose <span class="s2">"Yes"</span> <span class="s2">"No"</span><span class="si">)</span> </code></pre> </div> <p>This makes the script:</p> <ul> <li>Self-documenting (you see what's being configured)</li> <li>Flexible (skip sections you don't need)</li> <li>Beginner-friendly (no prior knowledge required)</li> </ul> <p><strong>2. Conditional Directory Creation</strong></p> <p>The script offers to create separate Git directories:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>~/git/ ├── personal/ <span class="c"># Personal projects with personal email</span> └── work/ <span class="c"># Work projects with work email</span> </code></pre> </div> <p>Git automatically switches context using <code>includeIf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="nn">[includeIf "gitdir:~/git/personal/**"]</span> <span class="py">path</span> <span class="p">=</span> <span class="s">~/git/personal/.gitconfig</span> <span class="nn">[includeIf "gitdir:~/git/work/**"]</span> <span class="py">path</span> <span class="p">=</span> <span class="s">~/git/work/.gitconfig</span> </code></pre> </div> <p><strong>3. Modern Crypto Defaults</strong></p> <ul> <li> <strong>SSH</strong>: Ed25519 (fast, secure, small keys)</li> <li> <strong>GPG</strong>: Ed25519 for signing + Curve25519 for encryption</li> <li>No RSA 2048/4096 bloat</li> </ul> <p><strong>4. GitHub API Integration</strong></p> <p>Keys aren't just generated–they're automatically added to GitHub:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># SSH key</span> gh ssh-key add <span class="s2">"</span><span class="nv">$SSH_KEY_PATH</span><span class="s2">.pub"</span> <span class="nt">--title</span> <span class="s2">"</span><span class="si">$(</span><span class="nb">hostname</span><span class="si">)</span><span class="s2">"</span> <span class="c"># GPG key </span> gh gpg-key add &lt;<span class="o">(</span>gpg <span class="nt">--armor</span> <span class="nt">--export</span> <span class="s2">"</span><span class="nv">$KEY_ID</span><span class="s2">"</span><span class="o">)</span> </code></pre> </div> <p><strong>5. Stow for Symlink Management</strong></p> <p>GNU Stow creates symlinks from <code>dotfiles/</code> to <code>$HOME</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>stow zshrc starship alacritty zellij k9s docker git github-cli </code></pre> </div> <p>This keeps your actual configs in Git while making them available system-wide.</p> <p><strong>6. AI Agents with Context7 MCP</strong></p> <p>The <code>configure-ai-agents.sh</code> script sets up AI development assistants:</p> <ul> <li> <strong>Codex CLI</strong>: Command-line AI agent for shell tasks</li> <li> <strong>Claude Integration</strong>: Configured for VS Code with Copilot</li> <li> <strong>Context7 MCP Server</strong>: Provides automatic library documentation via Model Context Protocol</li> <li> <strong>Global Instructions</strong>: Creates <code>~/.config/Code/User/prompts/context7.instructions.md</code> with rule to always use Context7 for docs</li> </ul> <p>This enables AI agents to automatically fetch up-to-date documentation when generating code, reducing hallucinations and improving accuracy.</p> <h2> Usage </h2> <h3> Quick Start (Full Bootstrap) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/danylomikula/dotfiles.git ~/dotfiles <span class="nb">cd</span> ~/dotfiles <span class="nb">chmod</span> +x bootstrap.sh ./bootstrap.sh </code></pre> </div> <p>The script will:</p> <ol> <li>Install Homebrew and packages (5-10 min)</li> <li>Configure Oh-My-Zsh and plugins</li> <li>Sync dotfiles via Stow</li> <li>Prompt for Git configuration (optional)</li> <li>Offer to generate SSH key (optional)</li> <li>Offer to generate GPG key (optional)</li> <li>Offer to configure AI agents (optional)</li> </ol> <h3> Standalone Scripts </h3> <p>Each script can run independently:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Just configure Git</span> ./configure-git.sh <span class="c"># Just generate SSH key</span> ./generate-ssh-key.sh <span class="c"># Just generate GPG key </span> ./generate-gpg-key.sh <span class="c"># Just configure AI agents</span> ./configure-ai-agents.sh </code></pre> </div> <h3> Customization </h3> <p><strong>Add/Remove Packages:</strong></p> <p>Edit the <code>brew install</code> lines in <code>bootstrap.sh</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Add your tools here</span> brew <span class="nb">install</span> <span class="nt">--cask</span> your-app-here </code></pre> </div> <p><strong>Add New Dotfiles:</strong></p> <ol> <li>Create directory: <code>mkdir -p newtool/.config/newtool</code> </li> <li>Add config: <code>newtool/.config/newtool/config.yaml</code> </li> <li>Stow it: <code>stow newtool</code> </li> </ol> <p><strong>Change Alacritty Theme:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight toml"><code><span class="c"># ~/.config/alacritty/alacritty.toml</span> <span class="nn">[general]</span> <span class="py">import</span> <span class="p">=</span> <span class="p">[</span> <span class="s">"~/.config/alacritty/themes/themes/tokyo-night.toml"</span> <span class="p">]</span> </code></pre> </div> <p><strong>Customize AI Agents:</strong></p> <p>Edit <code>~/.config/Code/User/prompts/context7.instructions.md</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="na">applyTo</span><span class="pi">:</span> <span class="s2">"</span><span class="s">**"</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Global-Context7-Rule"</span> <span class="nn">---</span> <span class="s">Always use context7 when I need code generation, setup steps, or library docs.</span> </code></pre> </div> <p>You can add more rules or change the <code>applyTo</code> pattern to scope instructions to specific file types.</p> <h2> Real-World Usage </h2> <h3> New Machine Setup </h3> <p>Time to productive workstation: <strong>~15 minutes</strong> (mostly package downloads)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># On new Mac</span> git clone https://github.com/danylomikula/dotfiles.git ~/dotfiles <span class="nb">cd</span> ~/dotfiles ./bootstrap.sh <span class="c"># Answer prompts:</span> <span class="c"># - Configure Git? Yes</span> <span class="c"># - Personal dir? ~/git/personal</span> <span class="c"># - Work dir? ~/git/work </span> <span class="c"># - Generate SSH? Yes</span> <span class="c"># - Generate GPG? Yes</span> <span class="c"># - Add to GitHub? Yes</span> <span class="c"># - Configure AI agents? Yes</span> </code></pre> </div> <p>Result: Fully configured machine with:</p> <ul> <li>All dev tools installed</li> <li>SSH key in GitHub</li> <li>GPG signing configured</li> <li>Git context switching working</li> <li>Terminal customized</li> <li>AI agents with Context7 MCP ready</li> <li>Ready to <code>git clone</code> and start working</li> </ul> <h3> Disaster Recovery </h3> <p>Laptop dies or needs rebuild:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># On replacement machine</span> git clone https://github.com/danylomikula/dotfiles.git ~/dotfiles <span class="nb">cd</span> ~/dotfiles ./bootstrap.sh </code></pre> </div> <p>Back to 100% productivity in under an hour (including restoring data from backups).</p> <h2> Technical Deep Dive </h2> <h3> GPG Key Generation with Batch Mode </h3> <p>I use GPG's batch mode to avoid interactive prompts:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">GPG_BATCH_FILE</span><span class="o">=</span><span class="si">$(</span><span class="nb">mktemp</span><span class="si">)</span> <span class="nb">cat</span> <span class="o">&gt;</span> <span class="s2">"</span><span class="nv">$GPG_BATCH_FILE</span><span class="s2">"</span> <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> %echo Generating a GPG key Key-Type: eddsa Key-Curve: ed25519 Subkey-Type: ecdh Subkey-Curve: cv25519 Name-Real: </span><span class="k">${</span><span class="nv">GPG_OWNER_NAME</span><span class="k">}</span><span class="sh"> Name-Email: </span><span class="k">${</span><span class="nv">GPG_OWNER_EMAIL</span><span class="k">}</span><span class="sh"> Expire-Date: 0 Passphrase: </span><span class="k">${</span><span class="nv">GPG_PASSWORD</span><span class="k">}</span><span class="sh"> %commit %echo done </span><span class="no">EOF </span>gpg <span class="nt">--batch</span> <span class="nt">--gen-key</span> <span class="s2">"</span><span class="nv">$GPG_BATCH_FILE</span><span class="s2">"</span> <span class="nb">rm</span> <span class="s2">"</span><span class="nv">$GPG_BATCH_FILE</span><span class="s2">"</span> </code></pre> </div> <p>This creates:</p> <ul> <li> <strong>Primary key</strong>: Ed25519 for signing</li> <li> <strong>Subkey</strong>: Curve25519 for encryption</li> <li> <strong>No expiration</strong>: Suitable for long-term code signing</li> </ul> <h3> Detecting New GPG Key After Generation </h3> <p>Since we generate the key non-interactively, we need to find the new key ID:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Capture existing keys before generation</span> <span class="nv">EXISTING_KEYS</span><span class="o">=</span><span class="si">$(</span>gpg <span class="nt">--list-secret-keys</span> <span class="nt">--keyid-format</span><span class="o">=</span>long <span class="se">\</span> | <span class="nb">awk</span> <span class="s1">'/^sec/ {print $2}'</span> | <span class="nb">cut</span> <span class="nt">-d</span><span class="s1">'/'</span> <span class="nt">-f2</span><span class="si">)</span> <span class="c"># Generate key...</span> <span class="c"># Find the new key</span> <span class="nv">NEW_KEYS</span><span class="o">=</span><span class="si">$(</span>gpg <span class="nt">--list-secret-keys</span> <span class="nt">--keyid-format</span><span class="o">=</span>long <span class="se">\</span> | <span class="nb">awk</span> <span class="s1">'/^sec/ {print $2}'</span> | <span class="nb">cut</span> <span class="nt">-d</span><span class="s1">'/'</span> <span class="nt">-f2</span><span class="si">)</span> <span class="nv">KEY_ID</span><span class="o">=</span><span class="si">$(</span><span class="nb">comm</span> <span class="nt">-13</span> &lt;<span class="o">(</span><span class="nb">echo</span> <span class="s2">"</span><span class="nv">$EXISTING_KEYS</span><span class="s2">"</span> | <span class="nb">sort</span><span class="o">)</span> <span class="se">\</span> &lt;<span class="o">(</span><span class="nb">echo</span> <span class="s2">"</span><span class="nv">$NEW_KEYS</span><span class="s2">"</span> | <span class="nb">sort</span><span class="o">)</span> | <span class="nb">head</span> <span class="nt">-n</span> 1<span class="si">)</span> </code></pre> </div> <p>This uses <code>comm</code> to find the set difference–the new key ID.</p> <h3> GitHub CLI Integration </h3> <p>Adding keys to GitHub via API:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Authenticate (opens browser for OAuth)</span> gh auth login <span class="c"># Add SSH key</span> gh ssh-key add <span class="s2">"</span><span class="nv">$HOME</span><span class="s2">/.ssh/id_ed25519.pub"</span> <span class="se">\</span> <span class="nt">--title</span> <span class="s2">"</span><span class="si">$(</span><span class="nb">hostname</span><span class="si">)</span><span class="s2">"</span> <span class="nt">--type</span> authentication <span class="c"># Test connection</span> ssh <span class="nt">-T</span> git@github.com <span class="c"># Add GPG key </span> gh gpg-key add &lt;<span class="o">(</span>gpg <span class="nt">--armor</span> <span class="nt">--export</span> <span class="s2">"</span><span class="nv">$KEY_ID</span><span class="s2">"</span><span class="o">)</span> <span class="c"># Configure Git to use it</span> git config <span class="nt">--global</span> user.signingkey <span class="s2">"</span><span class="nv">$KEY_ID</span><span class="s2">"</span> git config <span class="nt">--global</span> commit.gpgsign <span class="nb">true </span>git config <span class="nt">--global</span> tag.gpgSign <span class="nb">true</span> </code></pre> </div> <p>No manual copying of keys into GitHub UI!</p> <h3> Pinentry Configuration for macOS </h3> <p>macOS Keychain integration requires <code>pinentry-mac</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>brew <span class="nb">install </span>pinentry-mac <span class="c"># Configure GPG agent</span> <span class="nb">echo</span> <span class="s2">"pinentry-program </span><span class="si">$(</span>which pinentry-mac<span class="si">)</span><span class="s2">"</span> <span class="se">\</span> <span class="o">&gt;&gt;</span> ~/.gnupg/gpg-agent.conf <span class="c"># Restart agent</span> killall gpg-agent </code></pre> </div> <p>Now GPG passphrase prompts use macOS Keychain–enter once, cached securely.</p> <h3> AI Agents Configuration Deep Dive </h3> <p>The <code>configure-ai-agents.sh</code> script sets up CLI and desktop AI coding assistants with Context7 MCP integration.</p> <p><strong>1. Tools Installation:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>brew <span class="nb">install </span>node codex <span class="c"># Codex CLI</span> brew <span class="nb">install</span> <span class="nt">--cask</span> claude-code <span class="c"># Claude desktop app</span> </code></pre> </div> <p><strong>2. Codex CLI Configuration:</strong></p> <p>Creates <code>~/.codex/AGENTS.md</code> with global instructions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight markdown"><code><span class="gh"># Global instructions</span> <span class="gu">## context7 instructions</span> <span class="p">-</span> Always use context7 when I need code generation, setup or configuration steps, or library/API documentation. This means you should automatically use the Context7 MCP tools to resolve library id and get library docs without me having to explicitly ask. </code></pre> </div> <p>Creates <code>~/.codex/config.toml</code> with MCP server configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight toml"><code><span class="py">model</span> <span class="p">=</span> <span class="s">"gpt-5.1-codex"</span> <span class="py">model_reasoning_effort</span> <span class="p">=</span> <span class="s">"high"</span> <span class="nn">[mcp_servers.context7]</span> <span class="py">command</span> <span class="p">=</span> <span class="s">"npx"</span> <span class="py">args</span> <span class="p">=</span> <span class="p">[</span><span class="s">"-y"</span><span class="p">,</span> <span class="s">"@upstash/context7-mcp"</span><span class="p">]</span> </code></pre> </div> <p><strong>3. Claude Desktop Configuration:</strong></p> <p>Creates <code>~/.claude/CLAUDE.md</code> with Context7 usage instructions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight markdown"><code><span class="gh"># Context7 MCP usage</span> <span class="p">-</span> Always use context7 when I need code generation, setup or configuration steps, or library/API documentation. This means you should automatically use the Context7 MCP tools to resolve library id and get library docs without me having to explicitly ask. </code></pre> </div> <p>Enables MCP server for Claude:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>claude mcp add context7 <span class="nt">--</span> npx <span class="nt">-y</span> @upstash/context7-mcp </code></pre> </div> <p><strong>4. How It Works:</strong></p> <p>Both agents can now automatically fetch library documentation via Context7 MCP:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Codex CLI usage</span> <span class="nv">$ </span>codex <span class="s2">"Add authentication with Supabase"</span> <span class="o">[</span>Codex automatically fetches Supabase docs via Context7 MCP] <span class="s2">"Installing supabase-js and configuring auth..."</span> <span class="c"># Claude Desktop usage</span> User: <span class="s2">"Add authentication with Supabase"</span> Claude: <span class="o">[</span>fetches Supabase docs via Context7] <span class="s2">"I'll help you set up Supabase authentication..."</span> </code></pre> </div> <p>This eliminates manual documentation lookups and reduces hallucinations by grounding AI responses in actual library docs.</p> <h2> Conclusion </h2> <p>This dotfiles setup has saved me countless hours across:</p> <ul> <li>5+ fresh installs on new machines</li> <li>Daily context switching between personal/work</li> <li>Team onboarding</li> </ul> <h2> Resources </h2> <ul> <li><a href="https://github.com/danylomikula/dotfiles" rel="noopener noreferrer">My dotfiles repository</a></li> <li><a href="https://github.com/charmbracelet/gum" rel="noopener noreferrer">Gum - Glamorous shell scripts</a></li> <li><a href="https://www.gnu.org/software/stow/" rel="noopener noreferrer">GNU Stow</a></li> <li><a href="https://github.com/context7/mcp" rel="noopener noreferrer">Context7 MCP Server</a></li> <li><a href="https://modelcontextprotocol.io/" rel="noopener noreferrer">Model Context Protocol</a></li> <li><a href="https://github.com/alacritty/alacritty-theme" rel="noopener noreferrer">Alacritty themes</a></li> <li><a href="https://cli.github.com/" rel="noopener noreferrer">GitHub CLI</a></li> <li><a href="https://ohmyz.sh/" rel="noopener noreferrer">Oh My Zsh</a></li> </ul> <p><em>Have questions or improvements? Open an issue or PR on the <a href="https://github.com/danylomikula/dotfiles" rel="noopener noreferrer">dotfiles repo</a>!</em></p> tutorial macos dotfiles automation Danylo Mikula Fri, 07 Nov 2025 00:55:34 +0000 https://forem.com/mikula/build-a-highly-available-pi-hole-cluster-with-ansible-vrrp-gbp https://forem.com/mikula/build-a-highly-available-pi-hole-cluster-with-ansible-vrrp-gbp <p>Step-by-step guide to prepare two Linux hosts, then use Ansible to deploy a highly available Pi-hole pair with keepalived (VRRP) and a Virtual IP, plus config sync and validation - powered by my open-source playbook: <a href="https://github.com/danylomikula/ansible-pihole-cluster" rel="noopener noreferrer">ansible-pihole-cluster</a></p> <h2> Download &amp; flash the OS for Raspberry Pi </h2> <p>Both <a href="https://github.com/danylomikula/ansible-bootstrap" rel="noopener noreferrer">ansible-bootstrap</a> and <a href="https://github.com/danylomikula/ansible-pihole-cluster" rel="noopener noreferrer">ansible-pihole-cluster</a> support the following distributions:</p> <ul> <li>Debian 13 (Trixie)</li> <li>Ubuntu 24.04 (Noble Numbat)</li> <li>Rocky Linux 10</li> </ul> <p>This guide uses Rocky Linux as an example, but feel free to pick whichever you prefer.</p> <h3> 1) Get the Raspberry Pi image </h3> <ol> <li>Go to the official <a href="https://rockylinux.org/download?arch=aarch64" rel="noopener noreferrer">Rocky Linux <strong>Download</strong> page</a>: pick <strong>ARM (aarch64)</strong>.</li> <li>Scroll to the <strong>Raspberry Pi Images</strong> section and download the image for your Pi.</li> </ol> <h3> 2) Flash the image to a microSD card </h3> <p>You can use <strong>balenaEtcher</strong> (what I use below), or <strong>Raspberry Pi Imager</strong>—both work.</p> <h3> Option A — balenaEtcher </h3> <ol> <li>Install/open <a href="https://etcher.balena.io/" rel="noopener noreferrer"><strong>balenaEtcher</strong></a>.</li> <li> <strong>Flash from file</strong> → pick the Rocky Linux RPi image.</li> <li> <strong>Select target</strong> → choose your microSD card.</li> <li> <strong>Flash!</strong> → wait for completion.</li> </ol> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmfx16zlxrmj0flgkaz8c.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmfx16zlxrmj0flgkaz8c.png" alt="balenaEtcher" width="800" height="476"></a></p> <h3> Option B — Raspberry Pi Imager </h3> <ol> <li>Open <a href="https://www.raspberrypi.com/software/" rel="noopener noreferrer"><strong>Raspberry Pi Imager</strong></a>.</li> <li>Click <strong>Choose OS → Use custom</strong> and select the Rocky Linux RPi image.</li> <li>Choose your microSD card and <strong>Next</strong>.</li> <li>When asked <em>“Would you like to apply OS customisation settings?”</em> click <strong>No</strong> (we’ll configure users/SSH/hostname later).</li> <li>You’ll get a <em>Warning</em> that all data on the card will be erased — click <strong>Yes</strong>.</li> </ol> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Folf3tedkpggksdc91v7i.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Folf3tedkpggksdc91v7i.png" alt="Raspberry Pi Imager" width="800" height="561"></a></p> <p>Repeat this flashing process for both microSD cards (one per Raspberry Pi), then boot each Pi and make sure it gets a DHCP address on your network.</p> <h2> Bootstrap: admin user, SSH keys, SSH hardening, networking, filesystem expansion </h2> <p>Before deploying Pi-hole, each node needs initial setup — an admin user with SSH key access, hardened SSH, static IP configuration, firewall rules, and the filesystem expanded to use the full microSD card. You can automate all of this with <a href="https://github.com/danylomikula/ansible-bootstrap" rel="noopener noreferrer">ansible-bootstrap</a>:</p> <ul> <li>Creates admin user with passwordless sudo</li> <li>Generates and deploys SSH keys</li> <li>Hardens SSH (disables password authentication and root login)</li> <li>Configures static IPv4/IPv6 addresses, gateway, and DNS</li> <li>Sets up firewall (firewalld) with custom zones and services</li> <li>Expands the filesystem to use all available disk space</li> </ul> <h3> 1) Install the collection </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ansible-galaxy collection <span class="nb">install </span>danylomikula.ansible_bootstrap </code></pre> </div> <h3> 2) Create the inventory </h3> <p>Create <code>inventory.ini</code> with your nodes. The <code>ansible_host</code> should be the current DHCP address of each Pi, while <code>bootstrap_static_ip</code> and <code>bootstrap_gateway</code> define the static network configuration that will be applied:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="nn">[servers]</span> <span class="err">pihole-master</span> <span class="py">ansible_host</span><span class="p">=</span><span class="s">10.20.160.251 bootstrap_static_ip=10.20.0.50/16 bootstrap_gateway=10.20.0.1</span> <span class="err">pihole-backup</span> <span class="py">ansible_host</span><span class="p">=</span><span class="s">10.20.200.39 bootstrap_static_ip=10.20.0.51/16 bootstrap_gateway=10.20.0.1</span> <span class="nn">[servers:vars]</span> <span class="py">ansible_user</span><span class="p">=</span><span class="s">rocky</span> </code></pre> </div> <blockquote> <p><strong>Note:</strong> On first run, <code>ansible_user</code> is the default OS user (e.g., <code>rocky</code> for Rocky Linux). After bootstrap completes, the new admin user is created and the nodes are accessible via SSH keys.</p> </blockquote> <h3> 3) Create the bootstrap playbook </h3> <p>Create <code>site.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Bootstrap servers</span> <span class="na">hosts</span><span class="pi">:</span> <span class="s">all</span> <span class="na">become</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">vars</span><span class="pi">:</span> <span class="na">bootstrap_user</span><span class="pi">:</span> <span class="s2">"</span><span class="s">dan"</span> <span class="na">bootstrap_ssh_key_generate</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">bootstrap_network_enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">bootstrap_dns4</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">1.1.1.1"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">1.0.0.1"</span> <span class="na">bootstrap_firewall_enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">bootstrap_firewall_zone</span><span class="pi">:</span> <span class="s2">"</span><span class="s">public"</span> <span class="na">bootstrap_firewall_services</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ssh</span> <span class="pi">-</span> <span class="s">http</span> <span class="pi">-</span> <span class="s">https</span> <span class="pi">-</span> <span class="s">dns</span> <span class="na">bootstrap_firewall_custom_zones</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">ftl</span> <span class="na">interface</span><span class="pi">:</span> <span class="s">lo</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="m">4711</span> <span class="na">proto</span><span class="pi">:</span> <span class="s">tcp</span> <span class="na">bootstrap_firewall_allow_icmp</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">bootstrap_expand_fs_enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">roles</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">danylomikula.ansible_bootstrap.bootstrap</span> </code></pre> </div> <h3> 4) Run the bootstrap playbook </h3> <p>On the first run, SSH keys are not yet deployed, so you need to provide the password interactively:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ansible-playbook <span class="nt">-i</span> inventory.ini site.yml <span class="nt">-k</span> <span class="nt">-K</span> </code></pre> </div> <blockquote> <p><strong>Default credentials for Rocky Linux:</strong> User: <code>rocky</code>, Password: <code>rockylinux</code></p> </blockquote> <p>After bootstrap completes, the nodes reboot with their new static IPs. SSH keys are generated in the <code>ssh_keys/</code> directory — you'll reference these keys later in the Pi-hole cluster inventory.</p> <p>See the <a href="https://github.com/danylomikula/ansible-bootstrap#readme" rel="noopener noreferrer">ansible-bootstrap README</a> for the full list of configuration options.</p> <h2> Deploy Pi-hole cluster with Ansible </h2> <blockquote> <p><strong>Prerequisites:</strong> <a href="https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html" rel="noopener noreferrer">Ansible</a> installed on your configuration device and both nodes bootstrapped (see previous section).</p> </blockquote> <h3> 1) Install the collection </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ansible-galaxy collection <span class="nb">install </span>danylomikula.ansible_pihole_cluster </code></pre> </div> <h3> 2) Create the inventory </h3> <p>Create <code>inventory.ini</code> with your nodes. Point <code>ansible_ssh_private_key_file</code> to the SSH keys generated by <code>ansible-bootstrap</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="nn">[master]</span> <span class="err">pihole-master</span> <span class="py">ansible_host</span><span class="p">=</span><span class="s">10.20.0.50 ansible_ssh_private_key_file=../pihole-bootstrap/ssh_keys/pihole-master_ed25519 priority=150</span> <span class="nn">[backup]</span> <span class="err">pihole-backup</span> <span class="py">ansible_host</span><span class="p">=</span><span class="s">10.20.0.51 ansible_ssh_private_key_file=../pihole-bootstrap/ssh_keys/pihole-backup_ed25519 priority=140</span> <span class="nn">[pihole_cluster:children]</span> <span class="err">master</span> <span class="err">backup</span> </code></pre> </div> <blockquote> <p><strong>Note:</strong> Adjust the <code>ansible_ssh_private_key_file</code> paths to match where your bootstrap SSH keys are stored.</p> </blockquote> <h3> 3) Create the playbook </h3> <p>Create <code>site.yml</code> with all cluster configuration in one place:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Deploy Pi-hole HA Cluster</span> <span class="na">hosts</span><span class="pi">:</span> <span class="s">pihole_cluster</span> <span class="na">become</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">vars</span><span class="pi">:</span> <span class="na">ansible_user</span><span class="pi">:</span> <span class="s">dan</span> <span class="na">bootstrap_timezone</span><span class="pi">:</span> <span class="s2">"</span><span class="s">America/New_York"</span> <span class="na">keepalived_vip_ipv4</span><span class="pi">:</span> <span class="s2">"</span><span class="s">10.20.0.53/16"</span> <span class="c1"># Virtual IP for failover</span> <span class="na">pihole_web_password</span><span class="pi">:</span> <span class="s2">"</span><span class="s">SUPER_SECURE_PASSWORD"</span> <span class="c1"># Use ansible-vault!</span> <span class="na">pihole_version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">6.3"</span> <span class="na">nebula_sync_version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">v0.11.1"</span> <span class="na">pihole_local_domain</span><span class="pi">:</span> <span class="s2">"</span><span class="s">homelab.local"</span> <span class="na">local_dns_records</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">10.20.0.88 node.homelab.local</span> <span class="s">10.20.0.96 nas.homelab.local</span> <span class="na">roles</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">role</span><span class="pi">:</span> <span class="s">danylomikula.ansible_pihole_cluster.updates</span> <span class="pi">-</span> <span class="na">role</span><span class="pi">:</span> <span class="s">danylomikula.ansible_pihole_cluster.bootstrap</span> <span class="pi">-</span> <span class="na">role</span><span class="pi">:</span> <span class="s">danylomikula.ansible_pihole_cluster.docker</span> <span class="pi">-</span> <span class="na">role</span><span class="pi">:</span> <span class="s">danylomikula.ansible_pihole_cluster.keepalived</span> <span class="pi">-</span> <span class="na">role</span><span class="pi">:</span> <span class="s">danylomikula.ansible_pihole_cluster.unbound</span> <span class="pi">-</span> <span class="na">role</span><span class="pi">:</span> <span class="s">danylomikula.ansible_pihole_cluster.pihole</span> <span class="pi">-</span> <span class="na">role</span><span class="pi">:</span> <span class="s">danylomikula.ansible_pihole_cluster.pihole_updatelists</span> <span class="pi">-</span> <span class="na">role</span><span class="pi">:</span> <span class="s">danylomikula.ansible_pihole_cluster.nebula_sync</span> <span class="pi">-</span> <span class="na">role</span><span class="pi">:</span> <span class="s">danylomikula.ansible_pihole_cluster.status</span> </code></pre> </div> <blockquote> <p>See the full list of available variables in the <a href="https://github.com/danylomikula/ansible-pihole-cluster/blob/main/group_vars/all.yml" rel="noopener noreferrer">group_vars/all.yml</a> example.</p> </blockquote> <p><strong>What the playbook installs (and why)</strong></p> <ul> <li> <strong>keepalived</strong> — Provides VRRP and the floating Virtual IP so one node is always the active DNS endpoint. If the master goes down, the backup takes over automatically.</li> <li> <strong>unbound</strong> — A local validating, recursive DNS resolver. Pi-hole forwards queries to Unbound on-box instead of public resolvers, improving privacy and reducing external dependency. <a href="https://docs.pi-hole.net/guides/dns/unbound/" rel="noopener noreferrer">Pi-hole's official guide</a> </li> <li> <strong>nebula-sync</strong> — A lightweight synchronizer that keeps Pi-hole config/state in sync between nodes (lists, local DNS, settings). <a href="https://github.com/lovelaze/nebula-sync" rel="noopener noreferrer">Project</a> </li> <li> <strong>pihole-updatelists</strong> — Automates fetching and applying block/allow lists from remote sources on a schedule. <a href="https://github.com/jacklul/pihole-updatelists" rel="noopener noreferrer">Project</a> </li> </ul> <h3> 4) (Optional) Quick connectivity test </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ansible all <span class="nt">-i</span> inventory.ini <span class="nt">-m</span> ping </code></pre> </div> <h3> 5) Deploy the cluster </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ansible-playbook <span class="nt">-i</span> inventory.ini site.yml </code></pre> </div> <h3> 6) Point your network to the Virtual IP </h3> <p>Update your DHCP/router (or manual client settings) to use the VIP you set in <code>site.yml</code>:</p> <ul> <li>IPv4 DNS: <code>keepalived_vip_ipv4</code> (e.g., <code>10.20.0.53</code>)</li> <li>IPv6 DNS: <code>ipv6_vip</code> (if configured)</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx1nv2yaqzgj9qopqv0xk.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx1nv2yaqzgj9qopqv0xk.webp" alt="Pi-hole Ansible Result" width="800" height="198"></a></p> <h3> 7) Verify </h3> <p>On whichever node should be master (higher <code>priority</code>), check that the VIP is present:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ip a show dev eth0 </code></pre> </div> <p>Confirm Pi-hole is answering:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>dig @10.20.0.53 example.com +short </code></pre> </div> <p>If that resolves, you're done — your HA Pi-hole pair is live behind a single Virtual IP.</p> pihole raspberrypi ansible tutorial Danylo Mikula Fri, 22 Aug 2025 03:25:38 +0000 https://forem.com/mikula/yubikey-pgp-end-to-end-offline-primary-subkeys-backups-and-a-spare-4m09 https://forem.com/mikula/yubikey-pgp-end-to-end-offline-primary-subkeys-backups-and-a-spare-4m09 <h1> What we’ll build </h1> <p>In this guide we’ll set up a modern PGP workflow anchored by a YubiKey. We’ll generate an <strong>offline, certification-only primary key</strong> and three <strong>subkeys</strong> for <strong>sign</strong>, <strong>encrypt</strong>, and <strong>auth</strong>.</p> <p><strong>We’ll also create secure backups</strong> before moving anything to hardware, set expiration dates on the subkeys, load the subkeys onto our <strong>primary YubiKey</strong> with touch policies, and then clone those subkeys to a <strong>second YubiKey</strong> as a spare. Finally, we’ll integrate the setup with <strong>Git commit signing</strong>.</p> <p><em>This guide is written for macOS, but the steps translate easily to Linux.</em></p> <h1> Prerequisites </h1> <ul> <li>A <a href="https://www.yubico.com/products/yubikey-5-overview/" rel="noopener noreferrer"><strong>YubiKey</strong></a> with the <strong>OpenPGP</strong> applet (e.g., YubiKey 5 series).</li> <li>macOS with <a href="https://brew.sh/" rel="noopener noreferrer"><strong>Homebrew</strong></a> installed.</li> <li>Basic terminal familiarity.</li> </ul> <h3> Install the tools (macOS) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>brew <span class="nb">install </span>gnupg ykman pinentry-mac </code></pre> </div> <h1> Basic GnuPG setup </h1> <p>We’ll work inside a <strong>temporary GnuPG home</strong> so we don’t touch any existing setup.</p> <h3> 1) Create a temporary GNUPGHOME </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">export </span><span class="nv">GNUPGHOME</span><span class="o">=</span><span class="s2">"</span><span class="si">$(</span><span class="nb">mktemp</span> <span class="nt">-d</span> <span class="nt">-t</span> gpg-<span class="si">$(</span><span class="nb">date</span> +%Y.%m.%d<span class="si">))</span><span class="s2">"</span> <span class="nb">chmod </span>700 <span class="s2">"</span><span class="nv">$GNUPGHOME</span><span class="s2">"</span> </code></pre> </div> <h3> 2) Create <code>gpg.conf</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> <span class="o">&gt;</span> <span class="s2">"</span><span class="nv">$GNUPGHOME</span><span class="s2">/gpg.conf"</span> <span class="o">&lt;&lt;</span><span class="sh">'</span><span class="no">EOF</span><span class="sh">' # === Crypto preferences === personal-cipher-preferences AES256 AES192 AES personal-digest-preferences SHA512 SHA384 SHA256 personal-compress-preferences ZLIB BZIP2 ZIP Uncompressed default-preference-list SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed # === Strong digests &amp; s2k === cert-digest-algo SHA512 s2k-digest-algo SHA512 s2k-cipher-algo AES256 # === Output / UX === charset utf-8 no-comments no-emit-version no-greeting keyid-format 0xlong list-options show-uid-validity verify-options show-uid-validity with-fingerprint use-agent armor # === Security hardening === require-cross-certification require-secmem no-symkey-cache # === New keys default === default-new-key-algo ed25519/cert,sign+cv25519/encr+ed25519/auth </span><span class="no">EOF </span></code></pre> </div> <h3> 3) Create <code>gpg-agent.conf</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> <span class="o">&gt;</span> <span class="s2">"</span><span class="nv">$GNUPGHOME</span><span class="s2">/gpg-agent.conf"</span> <span class="o">&lt;&lt;</span><span class="sh">'</span><span class="no">EOF</span><span class="sh">' # === Path to pinentry on macOS/Homebrew (Apple Silicon) === pinentry-program /opt/homebrew/bin/pinentry-mac # === SSH Support === enable-ssh-support # === Cache TTLs === default-cache-ttl 86400 max-cache-ttl 86400 </span><span class="no">EOF </span></code></pre> </div> <h3> 4) Reload agent to pick up the config: </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gpgconf <span class="nt">--kill</span> gpg-agent </code></pre> </div> <h1> Prepare the YubiKey </h1> <p>If you keep a <strong>spare YubiKey</strong>, run all steps below on <strong>both</strong> devices (one at a time).</p> <blockquote> <p>Insert only one YubiKey at a time to avoid confusion.</p> </blockquote> <h3> 1) Enable KDF </h3> <p>KDF (Key Derivation Function) makes the YubiKey store a hash of the PIN and derive it locally, rather than accepting the PIN as plain text.</p> <blockquote> <p>Older/legacy OpenPGP clients (especially some mobile apps) may not support KDF; those clients will fail PIN checks if KDF is enabled.</p> </blockquote> <p><strong>Order of operations:</strong> Enable KDF <strong>before</strong> changing PINs or moving subkeys to the card, otherwise you may hit:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>gpg: error for setup KDF: Conditions of use not satisfied </code></pre> </div> <p>Enable KDF:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gpg <span class="nt">--card-edit</span> gpg/card&gt; admin gpg/card&gt; kdf-setup <span class="c"># pinentry will prompt for the Admin PIN (default is 12345678 on a fresh card)</span> gpg/card&gt; quit </code></pre> </div> <p>Verify:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gpg <span class="nt">--card-status</span> | <span class="nb">grep</span> <span class="s1">'KDF setting'</span> <span class="c"># KDF setting ......: on</span> </code></pre> </div> <blockquote> <p>Do this on <strong>each</strong> YubiKey (primary and spare) before proceeding to change PINs, set touch policies, or move subkeys.</p> </blockquote> <h3> 2) Change the default PINs </h3> <p>Generate random numeric PINs and store these securely:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">export </span><span class="nv">ADMIN_PIN</span><span class="o">=</span><span class="si">$(</span><span class="nv">LC_ALL</span><span class="o">=</span>C <span class="nb">tr</span> <span class="nt">-dc</span> <span class="s1">'0-9'</span> &lt;/dev/urandom | <span class="nb">fold</span> <span class="nt">-w8</span> | <span class="nb">head</span> <span class="nt">-1</span><span class="si">)</span> <span class="nb">export </span><span class="nv">USER_PIN</span><span class="o">=</span><span class="si">$(</span><span class="nv">LC_ALL</span><span class="o">=</span>C <span class="nb">tr</span> <span class="nt">-dc</span> <span class="s1">'0-9'</span> &lt;/dev/urandom | <span class="nb">fold</span> <span class="nt">-w6</span> | <span class="nb">head</span> <span class="nt">-1</span><span class="si">)</span> <span class="nb">printf</span> <span class="s2">"</span><span class="se">\n</span><span class="s2">Admin PIN: %12s</span><span class="se">\n</span><span class="s2">User PIN: %12s</span><span class="se">\n\n</span><span class="s2">"</span> <span class="s2">"</span><span class="nv">$ADMIN_PIN</span><span class="s2">"</span> <span class="s2">"</span><span class="nv">$USER_PIN</span><span class="s2">"</span> </code></pre> </div> <p>Change the PINs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gpg <span class="nt">--card-edit</span> gpg/card&gt; admin gpg/card&gt; passwd <span class="c"># 1 - Change PIN (default 123456) -&gt; enter $USER_PIN</span> <span class="c"># 3 - Change Admin PIN (default 12345678) -&gt; enter $ADMIN_PIN</span> <span class="c"># Q - quit</span> gpg/card&gt; quit </code></pre> </div> <blockquote> <p>Default User PIN = 123456, default Admin PIN = 12345678</p> </blockquote> <h3> 3) Set touch policies </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Require touch for every signature</span> ykman openpgp keys set-touch sig on <span class="c"># Cache touch after PIN entry for encryption and auth</span> ykman openpgp keys set-touch enc cached ykman openpgp keys set-touch aut cached </code></pre> </div> <p>Verify:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ykman openpgp info </code></pre> </div> <p><strong>Touch policy modes:</strong></p> <ul> <li> <code>off</code> — no touch required</li> <li> <code>on</code> — touch required for <strong>every</strong> operation</li> <li> <code>fixed</code> — like <code>on</code>, but cannot be changed without resetting the OpenPGP applet</li> <li> <code>cached</code> — touch once per PIN session (until PIN cache expires or card is removed)</li> <li> <code>cached-fixed</code> — like <code>cached</code>, but cannot be changed without reset</li> </ul> <h3> 4) Set key attributes (Ed25519 / cv25519 / Ed25519) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gpg <span class="nt">--card-edit</span> gpg/card&gt; admin gpg/card&gt; key-attr <span class="c"># Signature : ECC -&gt; Curve 25519 (Ed25519)</span> <span class="c"># Encryption: ECC -&gt; Curve 25519 (cv25519 / X25519)</span> <span class="c"># Authentication: ECC -&gt; Curve 25519 (Ed25519)</span> gpg/card&gt; quit </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fiw1tmxxd4u1jvnotjd4h.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fiw1tmxxd4u1jvnotjd4h.png" alt="Set key attributes (Ed25519 / cv25519 / Ed25519)" width="800" height="990"></a></p> <h3> 5) Cardholder info </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gpg <span class="nt">--card-edit</span> gpg/card&gt; admin gpg/card&gt; name <span class="c"># Lastname, Firstname</span> gpg/card&gt; lang <span class="c"># en</span> gpg/card&gt; login <span class="c"># your.email@example.com</span> gpg/card&gt; quit </code></pre> </div> <p>Check card status:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gpg <span class="nt">--card-status</span> </code></pre> </div> <p>When finished, repeat the same steps on your <strong>spare</strong> (if you have one).</p> <h1> Generate the offline Master (Certify) key (Ed25519) </h1> <p>The primary (master) key is the <strong>Certify</strong> key. It’s used only to issue subkeys for <strong>sign</strong>, <strong>encrypt</strong>, and <strong>auth</strong>.<br> We keep this key <strong>offline at all times</strong> and use it only in a dedicated, secure environment to <strong>create</strong> or <strong>revoke</strong> subkeys.</p> <blockquote> <p>Do <strong>not</strong> set an expiration date on the Certify key.</p> </blockquote> <h3> 1) Generate a strong passphrase for the master key </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">export </span><span class="nv">CERTIFY_PASS</span><span class="o">=</span><span class="si">$(</span><span class="nv">LC_ALL</span><span class="o">=</span>C <span class="nb">tr</span> <span class="nt">-dc</span> <span class="s2">"A-Z2-9"</span> &lt; /dev/urandom | <span class="nb">tr</span> <span class="nt">-d</span> <span class="s2">"IOUS5"</span> | <span class="nb">fold</span> <span class="nt">-w</span> <span class="k">${</span><span class="nv">PASS_GROUPSIZE</span><span class="k">:-</span><span class="nv">4</span><span class="k">}</span> | <span class="nb">paste</span> <span class="nt">-sd</span> <span class="k">${</span><span class="nv">PASS_DELIMITER</span><span class="k">:-</span><span class="p">-</span><span class="k">}</span> - | <span class="nb">head</span> <span class="nt">-c</span> <span class="k">${</span><span class="nv">PASS_LENGTH</span><span class="k">:-</span><span class="nv">29</span><span class="k">}</span><span class="si">)</span> <span class="nb">printf</span> <span class="s2">"</span><span class="se">\n</span><span class="nv">$CERTIFY_PASS</span><span class="se">\n\n</span><span class="s2">"</span> </code></pre> </div> <blockquote> <p>We will use it when GnuPG prompts during key creation.</p> </blockquote> <h3> 2) Create the Certify-only primary key </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gpg <span class="nt">--expert</span> <span class="nt">--full-generate-key</span> </code></pre> </div> <p>When prompted:</p> <ol> <li> <strong>Key type:</strong> choose <strong>ECC (set your own capabilities)</strong>.</li> <li> <strong>Capabilities:</strong> leave <strong>only “Certify (C)” enabled</strong>. Disable Sign/Encrypt/Auth if shown.</li> <li> <strong>Curve:</strong> choose <strong>Curve 25519 (Ed25519)</strong>.</li> <li> <strong>Expiration:</strong> choose <strong>no expiration</strong> (enter <code>0</code>).</li> <li> <strong>User ID:</strong> enter your real name and email (comment optional).</li> <li> <strong>Passphrase:</strong> enter the passphrase you generated in step 1.</li> </ol> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0ffa8k7q8vuko582ciby.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0ffa8k7q8vuko582ciby.png" alt="Offline Master (Certify) key" width="800" height="676"></a></p> <p>After creation, note the key ID:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">export </span><span class="nv">KEYID</span><span class="o">=</span><span class="si">$(</span>gpg <span class="nt">--list-keys</span> <span class="nt">--keyid-format</span> 0xlong <span class="nt">--with-colons</span> | <span class="nb">awk</span> <span class="nt">-F</span>: <span class="s1">'/^pub:/ {print $5; exit}'</span><span class="si">)</span> <span class="nb">echo</span> <span class="s2">"Primary KEYID: </span><span class="nv">$KEYID</span><span class="s2">"</span> </code></pre> </div> <h3> 3) Verify the primary key is Certify-only </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gpg <span class="nt">-K</span> <span class="nt">--keyid-format</span> long </code></pre> </div> <p>You should see something like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>sec ed25519/XXXXXXXXXX YYYY-MM-DD [C] Key fingerprint = XXXXXXXXXXXXXXXXX uid [ultimate] Your Name &lt;you@example.com&gt; </code></pre> </div> <p>Only <strong>[C]</strong> should appear on the <code>sec</code> line (no <code>[S]</code>, <code>[E]</code>, or <code>[A]</code>).</p> <h1> Create subkeys </h1> <p>We’ll add three subkeys to the offline primary key: <strong>Sign (Ed25519)</strong>, <strong>Encrypt (cv25519/X25519)</strong>, and <strong>Auth (Ed25519)</strong>.</p> <p>Open the key editor:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gpg <span class="nt">--expert</span> <span class="nt">--edit-key</span> <span class="s2">"</span><span class="nv">$KEYID</span><span class="s2">"</span> </code></pre> </div> <h3> 1) Sign subkey </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>gpg&gt; addkey # Choose: ECC (set your own capabilities) # number may be (11) # Curve: 25519 (Ed25519) # Capabilities: leave ONLY [S] Sign (toggle others off) # Expiration: 5y (or your preference) </code></pre> </div> <h3> 2) Encrypt subkey </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>gpg&gt; addkey # Choose: ECC (encrypt only) # number may be (12) # Curve: 25519 # Expiration: 5y </code></pre> </div> <h3> 3) Auth subkey </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>gpg&gt; addkey # Choose: ECC (set your own capabilities) # number may be (11) # Capabilities: leave ONLY [A] Authenticate # Curve: 25519 # Expiration: 5y gpg&gt; save </code></pre> </div> <h3> 4) Verify </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gpg <span class="nt">-K</span> <span class="nt">--keyid-format</span> long </code></pre> </div> <p>You should see your primary key with <strong>[C]</strong> only, and three <code>ssb</code> lines:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>sec ed25519/XXXXXXXXXX YYYY-MM-DD [C] uid Your Name &lt;you@example.com&gt; ssb ed25519/XXXXXXXXXX YYYY-MM-DD [S] [expires: YYYY-MM-DD] ssb cv25519/XXXXXXXXXX YYYY-MM-DD [E] [expires: YYYY-MM-DD] ssb ed25519/XXXXXXXXXX YYYY-MM-DD [A] [expires: YYYY-MM-DD] </code></pre> </div> <h1> Export backups (master, subkeys, public) </h1> <blockquote> <p>Do this <strong>before</strong> moving any keys to the YubiKey.</p> </blockquote> <h3> 1) Create a private backups folder: </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir</span> <span class="nt">-p</span> gnupg-backups <span class="nb">chmod </span>700 gnupg-backups </code></pre> </div> <h3> 2) Export the keys: </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Master (primary + subkeys): full secret material</span> gpg <span class="nt">--output</span> <span class="s2">"gnupg-backups/</span><span class="k">${</span><span class="nv">KEYID</span><span class="k">}</span><span class="s2">-certify-</span><span class="si">$(</span><span class="nb">date</span> +%F<span class="si">)</span><span class="s2">.key"</span> <span class="nt">--armor</span> <span class="nt">--export-secret-keys</span> <span class="s2">"</span><span class="k">${</span><span class="nv">KEYID</span><span class="k">}</span><span class="s2">"</span> <span class="c"># Secret subkeys only (no primary secret) — use for loading to YubiKey / cloning to spare</span> gpg <span class="nt">--output</span> <span class="s2">"gnupg-backups/</span><span class="k">${</span><span class="nv">KEYID</span><span class="k">}</span><span class="s2">-subkeys-</span><span class="si">$(</span><span class="nb">date</span> +%F<span class="si">)</span><span class="s2">.key"</span> <span class="nt">--armor</span> <span class="nt">--export-secret-subkeys</span> <span class="s2">"</span><span class="k">${</span><span class="nv">KEYID</span><span class="k">}</span><span class="s2">"</span> <span class="c"># Public key (safe to share)</span> gpg <span class="nt">--output</span> <span class="s2">"gnupg-backups/</span><span class="k">${</span><span class="nv">KEYID</span><span class="k">}</span><span class="s2">-public-</span><span class="si">$(</span><span class="nb">date</span> +%F<span class="si">)</span><span class="s2">.asc"</span> <span class="nt">--armor</span> <span class="nt">--export</span> <span class="s2">"</span><span class="k">${</span><span class="nv">KEYID</span><span class="k">}</span><span class="s2">"</span> </code></pre> </div> <blockquote> <p>Store copies in <strong>two separate offline locations</strong> (e.g., two encrypted USB drives kept in different places).</p> </blockquote> <h3> 3) (Optional) Encrypt the backup files </h3> <p><strong>Symmetric (passphrase-based):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Encrypt each file with AES256; you’ll be prompted for a passphrase</span> <span class="k">for </span>f <span class="k">in </span>gnupg-backups/<span class="k">${</span><span class="nv">KEYID</span><span class="k">}</span>-<span class="o">{</span>certify,subkeys<span class="o">}</span>-<span class="k">*</span>.key gnupg-backups/<span class="k">${</span><span class="nv">KEYID</span><span class="k">}</span><span class="nt">-public-</span><span class="k">*</span>.asc<span class="p">;</span> <span class="k">do </span>gpg <span class="nt">--symmetric</span> <span class="nt">--cipher-algo</span> AES256 <span class="s2">"</span><span class="nv">$f</span><span class="s2">"</span> <span class="k">done</span> </code></pre> </div> <h4> (Optional) Quick integrity check of the backups </h4> <p>Spin up a throwaway keyring, import, and list:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">TMPVERIFY</span><span class="o">=</span><span class="s2">"</span><span class="si">$(</span><span class="nb">mktemp</span> <span class="nt">-d</span> <span class="nt">-t</span> gpg-verify-XXXX<span class="si">)</span><span class="s2">"</span> <span class="nb">chmod </span>700 <span class="s2">"</span><span class="nv">$TMPVERIFY</span><span class="s2">"</span> <span class="nv">GNUPGHOME</span><span class="o">=</span><span class="s2">"</span><span class="nv">$TMPVERIFY</span><span class="s2">"</span> gpg <span class="nt">--import</span> gnupg-backups/<span class="k">${</span><span class="nv">KEYID</span><span class="k">}</span><span class="nt">-public-</span><span class="k">*</span>.asc <span class="nv">GNUPGHOME</span><span class="o">=</span><span class="s2">"</span><span class="nv">$TMPVERIFY</span><span class="s2">"</span> gpg <span class="nt">--import</span> gnupg-backups/<span class="k">${</span><span class="nv">KEYID</span><span class="k">}</span><span class="nt">-subkeys-</span><span class="k">*</span>.key <span class="nv">GNUPGHOME</span><span class="o">=</span><span class="s2">"</span><span class="nv">$TMPVERIFY</span><span class="s2">"</span> gpg <span class="nt">--list-secret-keys</span> <span class="nt">--keyid-format</span> 0xlong </code></pre> </div> <p>You should see <code>sec#</code> (stub for the primary) and <code>ssb</code> lines for subkeys after the subkeys import.</p> <h3> 4) Clean up the temporary directory </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">rm</span> <span class="nt">-rf</span> <span class="s2">"</span><span class="nv">$TMPVERIFY</span><span class="s2">"</span> </code></pre> </div> <h1> Transfer subkeys to the YubiKey </h1> <blockquote> <p><strong>Important:</strong> Moving subkeys to a YubiKey turns their on-disk copies into <strong>stubs</strong> (<code>ssb#</code> → <code>ssb&gt;</code>), so they can’t be moved again <strong>unless</strong> we re-import the <strong>secret-subkeys backup</strong>. Make sure backups are done.</p> </blockquote> <p>We’ll need the <strong>Certify key passphrase</strong> (for decrypting the secret material) and the YubiKey <strong>Admin PIN</strong> (to write keys to the card).</p> <blockquote> <p>Keep only <strong>one</strong> YubiKey inserted at a time.</p> </blockquote> <h3> 1) Load the subkeys onto the primary YubiKey </h3> <p>Insert the primary YubiKey, then:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gpg <span class="nt">--status-fd</span><span class="o">=</span>2 <span class="nt">--command-fd</span><span class="o">=</span>0 <span class="nt">--expert</span> <span class="nt">--edit-key</span> <span class="s2">"</span><span class="nv">$KEYID</span><span class="s2">"</span> <span class="o">&lt;&lt;</span><span class="sh">'</span><span class="no">EOF</span><span class="sh">' key 1 keytocard 1 save </span><span class="no">EOF </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gpg <span class="nt">--status-fd</span><span class="o">=</span>2 <span class="nt">--command-fd</span><span class="o">=</span>0 <span class="nt">--expert</span> <span class="nt">--edit-key</span> <span class="s2">"</span><span class="nv">$KEYID</span><span class="s2">"</span> <span class="o">&lt;&lt;</span><span class="sh">'</span><span class="no">EOF</span><span class="sh">' key 2 keytocard 2 save </span><span class="no">EOF </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gpg <span class="nt">--status-fd</span><span class="o">=</span>2 <span class="nt">--command-fd</span><span class="o">=</span>0 <span class="nt">--expert</span> <span class="nt">--edit-key</span> <span class="s2">"</span><span class="nv">$KEYID</span><span class="s2">"</span> <span class="o">&lt;&lt;</span><span class="sh">'</span><span class="no">EOF</span><span class="sh">' key 3 keytocard 3 save </span><span class="no">EOF </span></code></pre> </div> <p>During these steps GnuPG will prompt for:</p> <ul> <li>your <strong>master (Certify) passphrase</strong> (to unlock the secret subkeys on disk), and</li> <li>the YubiKey <strong>Admin PIN</strong> (to write into the OpenPGP applet).</li> </ul> <h3> 2) Verify subkeys are on the YubiKey </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gpg <span class="nt">-K</span> <span class="nt">--keyid-format</span> long </code></pre> </div> <p>Each subkey should display as <code>ssb&gt;</code> (stored on smartcard), for example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>sec ed25519 YYYY-MM-DD [C] uid Your Name &lt;you@example.com&gt; ssb&gt; ed25519 YYYY-MM-DD [S] [expires: …] ssb&gt; cv25519 YYYY-MM-DD [E] [expires: …] ssb&gt; ed25519 YYYY-MM-DD [A] [expires: …] </code></pre> </div> <p>Additionally:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gpg <span class="nt">--card-status</span> </code></pre> </div> <p>Should list the Signature/Encryption/Authentication slots and the touch policies you set earlier.</p> <h3> 3) (If you have a spare) Re-import and load to the second YubiKey </h3> <p>Because moving subkeys to the first YubiKey turned local copies into stubs, we’ll clear any existing secret entries and re-import the <strong>pre-move</strong> secret-subkeys backup.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Ensure you’re in the same GNUPGHOME you used for the guide</span> <span class="nb">echo</span> <span class="s2">"</span><span class="nv">$GNUPGHOME</span><span class="s2">"</span> <span class="c"># Remove current secret entries (drops stubs)</span> gpg <span class="nt">--delete-secret-keys</span> <span class="s2">"</span><span class="nv">$KEYID</span><span class="s2">"</span> <span class="c"># Re-import secret subkeys</span> gpg <span class="nt">--import</span> gnupg-backups/<span class="k">${</span><span class="nv">KEYID</span><span class="k">}</span><span class="nt">-subkeys-</span><span class="k">*</span>.key <span class="c"># Sanity check — these must be plain `ssb` (not `ssb#` or `ssb&gt;`)</span> gpg <span class="nt">-K</span> <span class="nt">--keyid-format</span> long </code></pre> </div> <p>Insert the <strong>spare</strong> YubiKey (only this one inserted), then run the same transfer flow:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gpg <span class="nt">--status-fd</span><span class="o">=</span>2 <span class="nt">--command-fd</span><span class="o">=</span>0 <span class="nt">--expert</span> <span class="nt">--edit-key</span> <span class="s2">"</span><span class="nv">$KEYID</span><span class="s2">"</span> <span class="o">&lt;&lt;</span><span class="sh">'</span><span class="no">EOF</span><span class="sh">' key 1 keytocard 1 save </span><span class="no">EOF </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gpg <span class="nt">--status-fd</span><span class="o">=</span>2 <span class="nt">--command-fd</span><span class="o">=</span>0 <span class="nt">--expert</span> <span class="nt">--edit-key</span> <span class="s2">"</span><span class="nv">$KEYID</span><span class="s2">"</span> <span class="o">&lt;&lt;</span><span class="sh">'</span><span class="no">EOF</span><span class="sh">' key 2 keytocard 2 save </span><span class="no">EOF </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gpg <span class="nt">--status-fd</span><span class="o">=</span>2 <span class="nt">--command-fd</span><span class="o">=</span>0 <span class="nt">--expert</span> <span class="nt">--edit-key</span> <span class="s2">"</span><span class="nv">$KEYID</span><span class="s2">"</span> <span class="o">&lt;&lt;</span><span class="sh">'</span><span class="no">EOF</span><span class="sh">' key 3 keytocard 3 save </span><span class="no">EOF </span></code></pre> </div> <blockquote> <p>Pinentry will prompt for your <strong>master (Certify) passphrase</strong> and the <strong>Admin PIN</strong>.</p> </blockquote> <h3> 4) Verify: </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gpg <span class="nt">--card-status</span> gpg <span class="nt">-K</span> <span class="nt">--keyid-format</span> long </code></pre> </div> <p>You should see <code>ssb&gt;</code> for all three subkeys again, now on the <strong>spare</strong> as well.</p> <p>Done! Both YubiKeys now hold the same <strong>Sign/Encrypt/Auth</strong> subkeys.</p> <h1> Post-Setup </h1> <h2> Publish your public key (keys.openpgp.org) and link it to your YubiKey </h2> <p><strong>Why?</strong><br> Publishing the public key makes it easy for others (and for your future machines) to discover it.</p> <h3> Upload </h3> <p>1) Go to <strong><a href="https://keys.openpgp.org" rel="noopener noreferrer">keys.openpgp.org</a> → Upload Key</strong>.<br> 2) Export and upload your public key:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> gpg <span class="nt">--armor</span> <span class="nt">--export</span> <span class="s2">"</span><span class="nv">$KEYID</span><span class="s2">"</span> <span class="o">&gt;</span> pubkey-<span class="nv">$KEYID</span>.asc </code></pre> </div> <p>3) Click <strong>Send verification email</strong>.<br> 4) Check the inbox for the email on your key and click the verification link.</p> <h3> Put the public key URL on your YubiKey </h3> <p>We’ll store a permalink to your key on the card so any machine can fetch it with one command.</p> <h4> 1) Get your <strong>full fingerprint</strong> and build the permalink: </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">FPR</span><span class="o">=</span><span class="si">$(</span>gpg <span class="nt">--with-colons</span> <span class="nt">--fingerprint</span> <span class="s2">"</span><span class="nv">$KEYID</span><span class="s2">"</span> | <span class="nb">awk</span> <span class="nt">-F</span>: <span class="s1">'/^fpr:/ {print $10; exit}'</span><span class="si">)</span> <span class="nb">echo</span> <span class="s2">"Fingerprint: </span><span class="nv">$FPR</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"Permalink : https://keys.openpgp.org/vks/v1/by-fingerprint/</span><span class="nv">$FPR</span><span class="s2">"</span> </code></pre> </div> <h4> 2) Write the URL into the card: </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gpg <span class="nt">--card-edit</span> gpg/card&gt; admin gpg/card&gt; url https://keys.openpgp.org/vks/v1/by-fingerprint/<span class="nv">$FPR</span> gpg/card&gt; quit </code></pre> </div> <blockquote> <p>Do this for <strong>each YubiKey</strong> you use (primary and spare).</p> </blockquote> <h3> On a new machine: fetch straight from the card </h3> <p>Insert the YubiKey and run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gpg <span class="nt">--card-edit</span> gpg/card&gt; admin gpg/card&gt; fetch gpg/card&gt; quit </code></pre> </div> <p>This pulls your public key from the URL stored on the card and imports it into the new machine’s keyring.<br> You can verify with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gpg <span class="nt">--card-status</span> gpg <span class="nt">-K</span> <span class="nt">--keyid-format</span> long </code></pre> </div> <h2> GitHub: sign commits with your YubiKey subkey </h2> <p>We’ll upload your public key to GitHub and configure Git to sign with the <strong>Sign</strong> subkey that lives on your YubiKey.</p> <h3> 1) Get the Sign subkey’s long ID (automatically) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Prints the first subkey with [S] capability (long 0x… ID)</span> <span class="nv">SUBKEY_SIGN</span><span class="o">=</span><span class="si">$(</span> gpg <span class="nt">-K</span> <span class="nt">--with-colons</span> <span class="nt">--keyid-format</span> 0xlong <span class="s2">"</span><span class="nv">$KEYID</span><span class="s2">"</span> | <span class="nb">awk</span> <span class="nt">-F</span>: <span class="s1">'/^ssb/ &amp;&amp; $12 ~ /s/ {print $5; exit}'</span> <span class="si">)</span> <span class="nb">echo</span> <span class="s2">"Signing subkey: </span><span class="nv">$SUBKEY_SIGN</span><span class="s2">"</span> </code></pre> </div> <h3> 2) Add your public key to GitHub </h3> <ul> <li>Export your public key and copy it: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> gpg <span class="nt">--armor</span> <span class="nt">--export</span> <span class="s2">"</span><span class="nv">$KEYID</span><span class="s2">"</span> | pbcopy <span class="c"># macOS; use xclip/clipboard on Linux</span> </code></pre> </div> <ul> <li> <a href="https://github.com/" rel="noopener noreferrer">GitHub</a> → <strong>Settings</strong> → <strong>SSH and GPG keys</strong> → <strong>New GPG key</strong> → paste → <strong>Add GPG key</strong>.</li> </ul> <blockquote> <p>Your commit email must match a <strong>verified</strong> email on GitHub.</p> </blockquote> <h3> 3) Configure Git to use that subkey </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git config <span class="nt">--global</span> gpg.program gpg git config <span class="nt">--global</span> gpg.format openpgp git config <span class="nt">--global</span> user.signingkey <span class="s2">"</span><span class="nv">$SUBKEY_SIGN</span><span class="s2">"</span> git config <span class="nt">--global</span> user.email <span class="s2">"yubikey@example.com"</span> <span class="c"># must be a verified GitHub email</span> git config <span class="nt">--global</span> commit.gpgsign <span class="nb">true </span>git config <span class="nt">--global</span> tag.gpgSign <span class="nb">true</span> </code></pre> </div> yubikey pgp gpg gnupg