/var/blog

Docker and Ansible: Using Utility Containers to replace NERDTools in Unraid

Desmond Rogers — Tue, 24 Jun 2025 02:16:37 GMT

Apparently, there was some disagreement between Lime Tech, the makers of Unraid, and the maintainers of the beloved Unraid Community plugin NerdTools about a change in the NAS OS company's business model. So, the NerdTools folks abandoned the project.

UPDATE: un-get appears to be the new tool power users from the community have gravitated toward. I still prefer the utility container approach though.

What is NERDtools

NerdTools is an Unraid OS plugin that allows you to install additional packages. From the looks of it, the plugin is essentially a GUI package manager for Unraid that installs Slackware packages (with dependencies) to the /boot/extra/ directory, which is where Unraid looks for additional packages.

Why move?

First, NERDtools was never an officially supported by Lime Tech.

It was great, but it only had a specific and limited set of utilities, so I found it lacking when I wanted to, for example, use vagrant with libvirt as a provider since Unraid uses libvirt as the backend for VMs. But that would have required going down a Slackware rabbithole, which I wasn't really committed to (although sbopkg looked promising).

Even those who have built tools specifically to install Slackware pkgs on Unraid like un-get recommend using Docker, LXC, or VMs before installing on bare metal. So I can't argue in terms of the isolation and portability.

So I removed the NERDtools plugins and moved associate scripts run by cron jobs to a local home lab code repository.

How everything is setup now

Simplest way to run things: containerize the process, then run via host cron.

First, to automate things with Ansible, I had to install Python 3 for Unraid which was essentially a suite of Slackware python tools.

I considered rolling my own Docker container and storing it in a self-hosted container distribution registry, which would keep the infrastructure internal and less reliant on external services like Dockerhub. But I later decided to build on the work of project maintainers since they tools I used already offered prebuilt images with the binaries baked in and decent documentation. I also considered adding a layer on top of theirs to have the args in the container, but that would make my playbooks less explicit. Although, I still might consider adding it in the future to reduce the number of tasks needed.

Here’s an example of one of the playbooks I now use for router backups:

---
- name: Backup router
  hosts: wrt

  tasks:
    - name: Mount backup share
      ansible.posix.mount:
        src: nas:/mnt/user/backup/openwrt
        path: /mnt/backup
        state: ephemeral 
        boot: false
        fstype: nfs

    - name: Generate backup
      ansible.builtin.shell: |
        umask go=
        sysupgrade -b /mnt/backup/backup-FriendlyWrt-{{ ansible_date_time.date }}.tar.gz

Result

This approach makes it so much easier to manage and backup the various services and servers I’ve setup.

Internet Failover

Desmond Rogers — Wed, 08 Jan 2025 03:34:15 GMT

Most ISPs provide a modem + router gateway combo to simplify network setup for the widest audience but if their network fails or is unreachable down for some reason, some IOT devices like cameras and smart locks that we increasingly rely on can become useless. Also, some of us have mobile deadzones in our living spaces and rely on Wi-Fi for messaging and calling most of the time. So to stay connected during power outages, storms and natural disasters, it's a good idea to setup the home network to have failover capability, or internet backup. My ISP offers an upgraded gateway that's supposed to failover to their cellular network, but while researching solutions I discovered that most people didn’t have good experiences. Also, I'd prefer not to put all of my eggs in one basket - so to speak - just in case SHTF and both their wire and mobile networks are unreachable.

TLDR; Decouple network components (modem, router, wifi access point) to provide more flexible configurations and redundancy during outages and scheduled maintenance. This setup also has the benefit of allowing upgrades to equipment as technology improves because the industries don't innovate at the same rate.

Original Setup

xfinity xFi router w/ xFi pod "mesh" extenders (ISP-provided)

New Setup w/ Failover

Topology

Multi-WAN router: TP-Link Omada Gigabit VPN Router ER605 V2 in Standalone Mode

Primary WAN: xFi modem/gateway (because free rental promotion at signup. I plan to switch in the future) in bridge mode - allowing the routing to be managed by a dedicated router

Failover WAN: Netgear LTE modem + T-mobile $10 30GB Cellular Data-only Plan

Wireless AP: eero 6+ wifi mesh in Bridge mode

This setup effectively keeps devices on the same subnet so that devices connected to wifi can communicate with devices wired to router like the NAS

💡

Pro-tip: The best way to prevent your Significant Other from getting upset because their device gets disconnected: keep the same SSID and password 😉. Most previously connected devices will switch to the new access point automatically.

Update (2 months later)

Eschew the advanced features of TP-Link Omada for the simplicity of smaller devices:

Netgear cellular modem with native failover and SMS alerts
Netgear 5-port switch
eero+ AP / Router for mesh wifi

Configuring TLS for Connecting Spring Boot to Elasticsearch

Desmond Rogers — Sun, 18 Jul 2021 20:41:09 GMT

I wanted to put together an article that combines everything I found around the web on how to use self-signed certificates with Spring Boot when using Elastic Cloud on Kubernetes.

The Keystore

There are two options for creating the keystore we need to connect securely to Elasticsearch: using the keytool or Keystore API. But I found that creating the Keystore programmatically was the better approach when publishing a Kubernetes cluster in the cloud since this configuration allows us to use the same configurations for a local development environment and in a cloud Kubernetes cluster such as AWS EKS.

Creating keystore with keytool

To create the keystore:

Download the cert from cluster secrets and save as tls.crt

kubectl get secret "es1-es-http-certs-public" -o go-template='{{index .data "tls.crt" | base64decode }}' > tls.crt

Use the keytool to create the keystore and import the certificate

keytool -import -v -trustcacerts -file tls.crt -keystore keystore.jks -keypass changeit -storepass changeit

Java Keystore API

For more information on the API see Baeldung's awesome article on the java keystore

To create a keystore programmatically that will store the certificate retrieved from Kubernetes cluster secrets used to authenticate with ES cluster

public class SSLConfig {
    private final char[] keyStorePass = "changeit".toCharArray();
    private final String certPathName = new File("/etc/es-certificates/tls.crt").isFile() ? "/etc/es-certificates/tls.crt" : "tls.crt";
    private final File keyStoreFile;

    public SSLConfig() throws Exception {
        keyStoreFile = this.generateKeyStoreFile();
    }

    Certificate generateCert() throws Exception {
        InputStream inStream = new FileInputStream(certPathName);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return cf.generateCertificate(inStream);
    }

    File generateKeyStoreFile() throws Exception {
        String keyStoreName = "keystore.jks";
        File f = new File(keyStoreName);
        if (f.isFile()) return f;

        Certificate cert = this.generateCert();
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null);
        ks.setCertificateEntry("es-http-public", cert);
        ks.store(new FileOutputStream(keyStoreName), keyStorePass);
        return new File(keyStoreName);
    }

    public SSLContext getSSLContext() throws Exception {
        SSLContextBuilder builder = SSLContexts.custom();
            builder.loadTrustMaterial(keyStoreFile, keyStorePass, new TrustSelfSignedStrategy());
            return builder.build();
    }
}

Spring Elasticsearch Configuration

The Java High-Level REST Client is based on the Low-Level Client, which has can be used for encrypted communication

@Configuration
@ComponentScan
public class ESConfig extends AbstractElasticsearchConfiguration {
    @Value("${elasticsearch.url}")
    public String elasticsearchUrl;
    @Value("${elasticsearch.port}")
    public String elasticsearchPort;
    @Value("${elasticsearch.username}")
    public String elasticsearchUsername;
    @Value("${elasticsearch.password}")
    public String elasticsearchPassword;

    private SSLConfig sslConfig;

    public ESConfig() throws Exception {
        sslConfig = new SSLConfig();
    }

    @Override
    public RestHighLevelClient elasticsearchClient() {
        SSLContext sslContext = null;
        try {
            sslContext = sslConfig.getSSLContext();
        } catch (Exception e) {
            e.printStackTrace();
        }

        final ClientConfiguration config = ClientConfiguration.builder()
                .connectedTo(elasticsearchUrl + ":" + elasticsearchPort)
                .usingSsl(sslContext)
                .withBasicAuth(elasticsearchUsername, elasticsearchPassword)
                .build();
        return RestClients.create(config).rest();
    }
}

Using TLS Secret as a file in the Spring Pod

To use the certificate stored as a secret by ECK, we can mount it in our deployment manifest and make it available in the API container.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: search-api
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: search-api
  template:
    metadata:
      labels:
        app: search-api
        namespace: default
    spec:
      containers:
        - image: $IMAGE
          name: search-api
          imagePullPolicy: Always
          ports:
            - containerPort: 8080
          volumeMounts:
            - name: es-certificates
              mountPath: "/etc/es-certificates"
          env:
            - name: ES_CERT
              valueFrom:
                secretKeyRef:
                  name: es1-es-http-certs-public
                  key: tls.crt
            - name: ES_USER
              value: "elastic"
            - name: ES_PWD
              valueFrom:
                secretKeyRef:
                  name: es1-es-elastic-user
                  key: elastic
            - name: ES_URL
              value: "es1-es-http"
      volumes:
        - name: es-certificates
          secret:
            secretName: es1-es-http-certs-public