Learning Journey of Alexander Allgäuer

Gitlab CI/CD Docker Rsync

Sun, 19 Apr 2026 00:00:00 +0000

In Progress..

Gitlab CI/CD Deployment of this blog.

YubiKey: SSH with FIDO2

Wed, 15 Apr 2026 00:00:00 +0000

The YubiKey supports four methods to enable hardware-backed SSH authentication.

FIDO2
PIV
PGP
OTP

FIDO2 provides the highest security and comes with low complexity. The private key is non-exportable.

Limitations

OpenSSH v 8.2.p1 is a requirement better 8.3 for the verify-required option, shouldn’t be an issue since both versions were released in 2020.
Windows SSH at the time of writing not supported.
The Mac OS bundled openssh version doesn’t support it but this can be fixed.

Full Disk Encryption (FDE).md

Tue, 14 Apr 2026 00:00:00 +0000

Insightful articles about TPM

https://gist.github.com/osy/45e612345376a65c56d0678834535166?permalink_comment_id=4685731\

From the founder of Systemd https://0pointer.net/blog/authenticated-boot-and-disk-encryption-on-linux.html\

Microsoft recommendations https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/countermeasures

k9s

Tue, 14 Apr 2026 00:00:00 +0000

I never quite understood how developers come up with product names. k8s is Kubernetes, k0s is a quick and easy Kubernetes, k3s is a minimal Kubernetes , minikube is yet another mini Kubernetes.

Anyway, k9s is phenomenal…

Saves time while navigating the cluster.

https://k9scli.io/

Readeck

Tue, 14 Apr 2026 00:00:00 +0000

The bookmark app i liked the most so far. https://readeck.org/en/

Is available as Docker Image https://readeck.org/en/docs/#with-docker-or-podman

Browser Extension:

https://codeberg.org/readeck/browser-extension I would recommend to not install the prebuild extension and read the code and build it yourself.

Secureboot Arch Linux

Tue, 14 Apr 2026 00:00:00 +0000

Configuration Guide for Secure Boot ArchLinux.

Update Bios

fwupdmgr refresh
fwupdmgr refresh
fwupdmgr get-updates
fwupdmgr update

sbctl status
***
*Setup Mode: X Disabled
*Secure Boot: X Disabled
***

In BIOS delete your PlatformKeys to get into setupMode.

sbctl status
***
*Setup Mode: ✓ Enabled
*Secure Boot: X Disabled
***

@slexi  sudo sbctl create-keys Created Owner UUID 636e0dc7-096e-4e10-8f7f-831dfa8b5b97 ✓ Secure boot keys created!

@slexi  sudo sbctl enroll-keys ‼ File is immutable: /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c ‼ File is immutable: /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f You need to chattr -i files in efivarfs

systemd-udevd.service

Tue, 14 Apr 2026 00:00:00 +0000

Udev is part of systemd.

It manages the directory /dev

Default system rules for udev

udev rules shipped from packages are in /usr/lib/udev/rules.d/

here we can see what happens what happens when a attached device says it’s a mouse. cat 70-mouse.rules
do not edit this file, it will be overwritten on update

ACTION==“remove”, GOTO=“mouse_end” KERNEL!=“event*”, GOTO=“mouse_end” ENV{ID_INPUT_MOUSE}=="", GOTO=“mouse_end”

#mouse::vp:name::* KERNELS==“input*”, ENV{ID_BUS}==“usb”,
IMPORT{builtin}=“hwdb ‘mouse:$env{ID_BUS}:v$attr{id/vendor}p$attr{id/product}:name:$attr{name}:’”,
GOTO=“mouse_end” KERNELS==“input*”, ENV{ID_BUS}==“bluetooth”,
IMPORT{builtin}=“hwdb ‘mouse:$env{ID_BUS}:v$attr{id/vendor}p$attr{id/product}:name:$attr{name}:’”,
GOTO=“mouse_end” DRIVERS==“psmouse”, SUBSYSTEMS==“serio”,
IMPORT{builtin}=“hwdb ‘mouse:ps2::name:$attr{device/name}:’”,
GOTO=“mouse_end”

YubiKey: Autolockscreen via udev (Hyprland)

Tue, 14 Apr 2026 00:00:00 +0000

Automatically lock your Hyprland session the moment you pull your YubiKey out of the USB port. A udev rule triggers a screen lock script.

Read hyprlock doc first!

⚠️ : If you are using hyprland the default application to lock the screen is Hyprlock. Hyprlock does not automatically create a config, and without one, hyprlock will not render anything. But even without a config, your session will get locked and thus Hyprland will cover your session with a black screen.
https://wiki.hypr.land/Hypr-Ecosystem/hyprlock/

YubiKey: Passwordless Sudo

Tue, 14 Apr 2026 00:00:00 +0000

Use a YubiKey touch to replace your password for sudo .

Install pam-u2f

sudo pacman -S pam-u2f
mkdir -p ~/.config/Yubico

Register the keys

pamu2fcfg > ~/.config/Yubico/u2f_keys # primary key
pamu2fcfg -n >> ~/.config/Yubico/u2f_keys # append backup key

Edit PAM

⚠️ Warning: Keep a root session open in another terminal in case something goes wrong.

sudo nano /etc/pam.d/sudo

Add at the top:

auth sufficient pam_u2f.so cue

sufficient → the YubiKey alone is enough to authenticate.
Change to required if you want 2FA (YubiKey and password).
cue prints a hint when a touch is needed.

Test it

sudo -s
Please touch the FIDO authenticator.

certbot

Mon, 13 Apr 2026 00:00:00 +0000

Certbot is a free, open-source cli tool that automates obtaining and renewing SSL/TLS Certificates from let’s encrypt. Domain Ownership verification via DNS-01 challenges let you fetch wildcard certificates. The API of cloudflare is compatible with DNS-01 challenges, this allows wildcard certs and getting certificates for non public facing internal webservices.

Filesystem Comparison, ext4, btrfs, xfs

Mon, 13 Apr 2026 00:00:00 +0000

A good comparison between the ext4, btrfs and xfs.

https://www.linuxteck.com/linux-file-system-comparison-ext4-xfs-btrfs/

Impressum

Mon, 13 Apr 2026 00:00:00 +0000

contact@bitlex.li
This is a non-commercial personal blog. No tracking, no cookies, no google fonts.

k0s

Mon, 13 Apr 2026 00:00:00 +0000

k0s

K0s is my favourite method to quick and easy spin up a new cluster.

https://docs.k0sproject.io/stable/install/

I usually export the admin kubeconfig to give access to the cluster for k9s, helm etc \

mkdir -p ~/.kube
k0s kubeconfig admin > /.kube/config
export KUBECONFIG=/.kube/config

KeePassXC

Mon, 13 Apr 2026 00:00:00 +0000

KeePassXC is essentially KeePass with a modern UI, rebuilt from scratch to run natively on Windows, macOS, and Linux. Instead of relying on plugins like KeePass does, it ships with the most important features already built in, including:

YubiKey support (see Yubikey HMAC-SHA1 Challenge-Response)
Browser integration (Chrome, Firefox, Edge, and more)
TOTP/2FA code generation
SSH agent support
Have I Been Pwned breach checking
Passkey support

YubiKey: HMAC-SHA1 Challenge-Response

Mon, 13 Apr 2026 00:00:00 +0000

Configure HMAC-SHA1 Challenge-Response on a YubiKey’s second OTP slot.

Check slot status

Use ykman otp info to make sure your second slot isn’t already used. Slot 1 is typically reserved for Yubico OTP.

ykman otp info
# Slot 1: programmed
# Slot 2: empty

Configure OTP slot 2

Generate a shared secret and program both YubiKeys (primary + backup) with the same secret so either can open the database.

SECRET=$(openssl rand -hex 20)
ykman otp chalresp --touch 2 $SECRET # Key 1
ykman otp chalresp --touch 2 $SECRET # Key 2
unset SECRET

The --touch flag is optional, but when you think about it, it absolutely makes sense — you want physical presence confirmation before the key responds.

YubiKey: Introduction

Mon, 13 Apr 2026 00:00:00 +0000

YubiKey is a hardware security key manufactured by Yubico.

YubiKeys support a wide range of authentication standards, including:

FIDO2 / WebAuthn
FIDO U2F
Smart card (PIV)
OpenPGP
OATH-TOTP / HOTP
Yubico OTP

Rule #1: Always buy two

When ordering a YubiKey, always put two of them in the shopping cart. Saving a few bucks on a backup key can leave you with a single point of catastrophic failure. They come with a hole that lets you attach one to your keychain while the other stays in another safe, trusted location.

YubiKey: Management Tool

Mon, 13 Apr 2026 00:00:00 +0000

Yubikey Management Tools Installation

We need yubikey-manager Smart Card Daemon middlware.

sudo pacman -S yubikey-manager pcsclite ccid
sudo systemctl enable --now pcscd.service
sudo systemctl enable --now pcscd.socket

Verify if the key is detected:

ykman info

 @slexi  ykman info 
Device type: YubiKey 5C NFC
Serial number: 25997589
Firmware version: 5.4.3
Form factor: Keychain (USB-C)
Enabled USB interfaces: OTP, FIDO, CCID
NFC transport is enabled

Applications USB NFC 
Yubico OTP Enabled Enabled
FIDO U2F Enabled Enabled
FIDO2 Enabled Enabled
OATH Enabled Enabled
PIV Enabled Enabled
OpenPGP Enabled Enabled
YubiHSM Auth Enabled Enabled

Learning Journey of Alexander Allgäuer

Gitlab CI/CD Docker Rsync

YubiKey: SSH with FIDO2

Limitations

Full Disk Encryption (FDE).md

Insightful articles about TPM

k9s

Readeck

Secureboot Arch Linux

Update Bios

systemd-udevd.service

Default system rules for udev

YubiKey: Autolockscreen via udev (Hyprland)

Read hyprlock doc first!

YubiKey: Passwordless Sudo

Install pam-u2f

Register the keys

Edit PAM

Test it

certbot

Filesystem Comparison, ext4, btrfs, xfs

Impressum

k0s

k0s

KeePassXC

Links

YubiKey: HMAC-SHA1 Challenge-Response

Check slot status

Configure OTP slot 2

YubiKey: Introduction

Rule #1: Always buy two

YubiKey: Management Tool

Yubikey Management Tools Installation