Fresh/Brewed

Gemma4, Claude and Pi

2026-04-09T01:01:01+00:00

I had two things I wanted to tackle today: Comparing using Anthropic via Pi CLI versus Claude Code, then taking a look at Gemma4 - the new open model Google released last week. In this article, I want to dig into Gemma4 more thoroughly rather than rush an article just to get on the headline bandwagon.

As I’ll get into below, the first section (Pi vs Claude) came from a user request via LinkedIn. I tend to avoid Anthropic just due to price.

Anthropic CLI vs Pi

Sam Hegge asked me if I could compare Claude Code versus Pi CLI as a comment on my last LI post which was about the Pi agent how it compared to Claude CLI.

I focus on Gemini CLI mostly because I’m generally Google-first, but also because Gemini AI Pro is covered and Anthropic usage tends to cost me.

That said, it’s a fair question - How might Pi work compared to Claude? I’m willing to feed AI some coins to see.

Anthropic setup with Pi

You just need to set an Anthropic key in your environment for Pi to pick up:

$ export ANTHROPIC_API_KEY=sk-ant-api03-X-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
$ pi

Now when I ask for models, we can see the latest Anthropic ones listed:

I picked the latest claude-3-7-sonnet-latest to use.

I actually have a desire to make some skills today, so I will actually use a Skill builder Skill for this activity.

I found a good one from Anthropic here: https://github.com/anthropics/skills/blob/main/skills/skill-creator/SKILL.md

I actually already keep a local clone of Anthropic’s primary Skills library, so I just need to update it:

builder@DESKTOP-QADGF36:~/Workspaces/skills/skills$ ls
algorithmic-art   canvas-design    docx             internal-comms  pdf   skill-creator      theme-factory          webapp-testing
brand-guidelines  doc-coauthoring  frontend-design  mcp-builder     pptx  slack-gif-creator  web-artifacts-builder  xlsx
builder@DESKTOP-QADGF36:~/Workspaces/skills/skills$ cd ..
builder@DESKTOP-QADGF36:~/Workspaces/skills$ git remote show origin
* remote origin
  Fetch URL: https://github.com/anthropics/skills.git
  Push  URL: https://github.com/anthropics/skills.git
  HEAD branch: main
  Remote branches:
    andibrae/create-top-level-namespace tracked
    klazuka/add-3p-notices              tracked
    klazuka/add-cc-instructions         tracked
    klazuka/add-cc-marketplace          tracked
    klazuka/doc-skills                  tracked
    klazuka/export                      tracked
    klazuka/export-20260203             new (next fetch will store in remotes/origin)
    klazuka/frontend-design-skill       tracked
    klazuka/pptx-cleanup                new (next fetch will store in remotes/origin)
    klazuka/spec                        tracked
    mahesh/add-to-readme                tracked
    mahesh/clarify-claude-code-install  tracked
    main                                tracked
    mattpic-ant/blog-small-fix          tracked
  Local branch configured for 'git pull':
    main merges with remote main
  Local ref configured for 'git push':
    main pushes to main (local out of date)
builder@DESKTOP-QADGF36:~/Workspaces/skills$ git pull
remote: Enumerating objects: 226, done.
remote: Counting objects: 100% (12/12), done.
remote: Total 226 (delta 12), reused 12 (delta 12), pack-reused 214 (from 1)
Receiving objects: 100% (226/226), 293.56 KiB | 2.39 MiB/s, done.
Resolving deltas: 100% (60/60), completed with 5 local objects.
From https://github.com/anthropics/skills
   69c0b1a..98669c1  main                    -> origin/main
 * [new branch]      klazuka/export-20260203 -> origin/klazuka/export-20260203
 * [new branch]      klazuka/pptx-cleanup    -> origin/klazuka/pptx-cleanup
Updating 69c0b1a..98669c1
Fast-forward
 .claude-plugin/marketplace.json                                                             |   10 +
 skills/claude-api/LICENSE.txt                                                               |  202 ++
 skills/claude-api/SKILL.md                                                                  |  262 +++
 skills/claude-api/csharp/claude-api.md                                                      |  402 ++++
 skills/claude-api/curl/examples.md                                                          |  216 +++
 skills/claude-api/go/claude-api.md                                                          |  421 +++++
 skills/claude-api/java/claude-api.md                                                        |  432 +++++
 skills/claude-api/php/claude-api.md                                                         |  375 ++++
 skills/claude-api/python/agent-sdk/README.md                                                |  355 ++++
 skills/claude-api/python/agent-sdk/patterns.md                                              |  359 ++++
 skills/claude-api/python/claude-api/README.md                                               |  420 +++++
 skills/claude-api/python/claude-api/batches.md                                              |  185 ++
 skills/claude-api/python/claude-api/files-api.md                                            |  165 ++
 skills/claude-api/python/claude-api/streaming.md                                            |  162 ++
 skills/claude-api/python/claude-api/tool-use.md                                             |  590 ++++++
 skills/claude-api/ruby/claude-api.md                                                        |  113 ++
 skills/claude-api/shared/error-codes.md                                                     |  206 ++
 skills/claude-api/shared/live-sources.md                                                    |  121 ++
 skills/claude-api/shared/models.md                                                          |  119 ++
 skills/claude-api/shared/prompt-caching.md                                                  |  128 ++
 skills/claude-api/shared/tool-use-concepts.md                                               |  305 +++
 skills/claude-api/typescript/agent-sdk/README.md                                            |  297 +++
 skills/claude-api/typescript/agent-sdk/patterns.md                                          |  209 +++
 skills/claude-api/typescript/claude-api/README.md                                           |  333 ++++
 skills/claude-api/typescript/claude-api/batches.md                                          |  106 ++
 skills/claude-api/typescript/claude-api/files-api.md                                        |   98 +
 skills/claude-api/typescript/claude-api/streaming.md                                        |  178 ++
 skills/claude-api/typescript/claude-api/tool-use.md                                         |  527 ++++++
 skills/docx/SKILL.md                                                                        |  659 +++++--
 skills/docx/docx-js.md                                                                      |  350 ----
 skills/docx/ooxml.md                                                                        |  610 ------
 skills/docx/ooxml/scripts/pack.py                                                           |  159 --
 skills/docx/ooxml/scripts/unpack.py                                                         |   29 -
 skills/docx/ooxml/scripts/validate.py                                                       |   69 -
 skills/docx/ooxml/scripts/validation/docx.py                                                |  274 ---
 skills/docx/scripts/__init__.py                                                             |    2 +-
 skills/docx/scripts/accept_changes.py                                                       |  135 ++
 skills/docx/scripts/comment.py                                                              |  318 ++++
 skills/docx/scripts/document.py                                                             | 1276 -------------
 skills/docx/scripts/office/helpers/__init__.py                                              |    0
 skills/docx/scripts/office/helpers/merge_runs.py                                            |  199 ++
 skills/docx/scripts/office/helpers/simplify_redlines.py                                     |  197 ++
 skills/docx/scripts/office/pack.py                                                          |  159 ++
 skills/docx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/dml-chart.xsd             |    0
 skills/docx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/dml-chartDrawing.xsd      |    0
 skills/docx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/dml-diagram.xsd           |    0
 skills/docx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/dml-lockedCanvas.xsd      |    0
 skills/docx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/dml-main.xsd              |    0
 skills/docx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/dml-picture.xsd           |    0
 .../docx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/dml-spreadsheetDrawing.xsd   |    0
 .../{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/dml-wordprocessingDrawing.xsd     |    0
 skills/docx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/pml.xsd                   |    0
 .../office}/schemas/ISO-IEC29500-4_2016/shared-additionalCharacteristics.xsd                |    0
 skills/docx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/shared-bibliography.xsd   |    0
 .../docx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/shared-commonSimpleTypes.xsd |    0
 .../office}/schemas/ISO-IEC29500-4_2016/shared-customXmlDataProperties.xsd                  |    0
 .../office}/schemas/ISO-IEC29500-4_2016/shared-customXmlSchemaProperties.xsd                |    0
 .../office}/schemas/ISO-IEC29500-4_2016/shared-documentPropertiesCustom.xsd                 |    0
 .../office}/schemas/ISO-IEC29500-4_2016/shared-documentPropertiesExtended.xsd               |    0
 .../office}/schemas/ISO-IEC29500-4_2016/shared-documentPropertiesVariantTypes.xsd           |    0
 skills/docx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/shared-math.xsd           |    0
 .../{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/shared-relationshipReference.xsd  |    0
 skills/docx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/sml.xsd                   |    0
 skills/docx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/vml-main.xsd              |    0
 skills/docx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/vml-officeDrawing.xsd     |    0
 .../docx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/vml-presentationDrawing.xsd  |    0
 .../docx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/vml-spreadsheetDrawing.xsd   |    0
 .../{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/vml-wordprocessingDrawing.xsd     |    0
 skills/docx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/wml.xsd                   |    0
 skills/docx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/xml.xsd                   |    0
 skills/docx/{ooxml => scripts/office}/schemas/ecma/fouth-edition/opc-contentTypes.xsd       |    0
 skills/docx/{ooxml => scripts/office}/schemas/ecma/fouth-edition/opc-coreProperties.xsd     |    0
 skills/docx/{ooxml => scripts/office}/schemas/ecma/fouth-edition/opc-digSig.xsd             |    0
 skills/docx/{ooxml => scripts/office}/schemas/ecma/fouth-edition/opc-relationships.xsd      |    0
 skills/docx/{ooxml => scripts/office}/schemas/mce/mc.xsd                                    |    0
 skills/docx/{ooxml => scripts/office}/schemas/microsoft/wml-2010.xsd                        |    0
 skills/docx/{ooxml => scripts/office}/schemas/microsoft/wml-2012.xsd                        |    0
 skills/docx/{ooxml => scripts/office}/schemas/microsoft/wml-2018.xsd                        |    0
 skills/docx/{ooxml => scripts/office}/schemas/microsoft/wml-cex-2018.xsd                    |    0
 skills/docx/{ooxml => scripts/office}/schemas/microsoft/wml-cid-2016.xsd                    |    0
 skills/docx/{ooxml => scripts/office}/schemas/microsoft/wml-sdtdatahash-2020.xsd            |    0
 skills/docx/{ooxml => scripts/office}/schemas/microsoft/wml-symex-2015.xsd                  |    0
 skills/docx/scripts/office/soffice.py                                                       |  183 ++
 skills/docx/scripts/office/unpack.py                                                        |  132 ++
 skills/docx/scripts/office/validate.py                                                      |  111 ++
 skills/docx/{ooxml/scripts/validation => scripts/office/validators}/__init__.py             |    0
 skills/{pptx/ooxml/scripts/validation => docx/scripts/office/validators}/base.py            |  310 +---
 skills/docx/scripts/office/validators/docx.py                                               |  446 +++++
 skills/{pptx/ooxml/scripts/validation => docx/scripts/office/validators}/pptx.py            |   44 +-
 skills/docx/{ooxml/scripts/validation => scripts/office/validators}/redlining.py            |   74 +-
 skills/docx/scripts/templates/comments.xml                                                  |    4 +-
 skills/docx/scripts/templates/commentsExtended.xml                                          |    4 +-
 skills/docx/scripts/templates/commentsExtensible.xml                                        |    4 +-
 skills/docx/scripts/templates/commentsIds.xml                                               |    4 +-
 skills/docx/scripts/templates/people.xml                                                    |    4 +-
 skills/docx/scripts/utilities.py                                                            |  374 ----
 skills/pdf/SKILL.md                                                                         |   34 +-
 skills/pdf/forms.md                                                                         |  283 ++-
 skills/pdf/scripts/check_bounding_boxes.py                                                  |    5 -
 skills/pdf/scripts/check_bounding_boxes_test.py                                             |  226 ---
 skills/pdf/scripts/check_fillable_fields.py                                                 |    1 -
 skills/pdf/scripts/convert_pdf_to_images.py                                                 |    2 -
 skills/pdf/scripts/create_validation_image.py                                               |    4 -
 skills/pdf/scripts/extract_form_field_info.py                                               |   32 +-
 skills/pdf/scripts/extract_form_structure.py                                                |  115 ++
 skills/pdf/scripts/fill_fillable_fields.py                                                  |   16 -
 skills/pdf/scripts/fill_pdf_form_with_annotations.py                                        |   61 +-
 skills/pptx/SKILL.md                                                                        |  652 ++-----
 skills/pptx/editing.md                                                                      |  205 ++
 skills/pptx/html2pptx.md                                                                    |  625 -------
 skills/pptx/ooxml.md                                                                        |  427 -----
 skills/pptx/ooxml/scripts/pack.py                                                           |  159 --
 skills/pptx/ooxml/scripts/unpack.py                                                         |   29 -
 skills/pptx/ooxml/scripts/validate.py                                                       |   69 -
 skills/pptx/ooxml/scripts/validation/docx.py                                                |  274 ---
 skills/pptx/pptxgenjs.md                                                                    |  420 +++++
 skills/pptx/scripts/__init__.py                                                             |    0
 skills/pptx/scripts/add_slide.py                                                            |  195 ++
 skills/pptx/scripts/clean.py                                                                |  286 +++
 skills/pptx/scripts/html2pptx.js                                                            |  979 ----------
 skills/pptx/scripts/inventory.py                                                            | 1020 ----------
 skills/pptx/scripts/office/helpers/__init__.py                                              |    0
 skills/pptx/scripts/office/helpers/merge_runs.py                                            |  199 ++
 skills/pptx/scripts/office/helpers/simplify_redlines.py                                     |  197 ++
 skills/pptx/scripts/office/pack.py                                                          |  159 ++
 skills/pptx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/dml-chart.xsd             |    0
 skills/pptx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/dml-chartDrawing.xsd      |    0
 skills/pptx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/dml-diagram.xsd           |    0
 skills/pptx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/dml-lockedCanvas.xsd      |    0
 skills/pptx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/dml-main.xsd              |    0
 skills/pptx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/dml-picture.xsd           |    0
 .../pptx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/dml-spreadsheetDrawing.xsd   |    0
 .../{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/dml-wordprocessingDrawing.xsd     |    0
 skills/pptx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/pml.xsd                   |    0
 .../office}/schemas/ISO-IEC29500-4_2016/shared-additionalCharacteristics.xsd                |    0
 skills/pptx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/shared-bibliography.xsd   |    0
 .../pptx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/shared-commonSimpleTypes.xsd |    0
 .../office}/schemas/ISO-IEC29500-4_2016/shared-customXmlDataProperties.xsd                  |    0
 .../office}/schemas/ISO-IEC29500-4_2016/shared-customXmlSchemaProperties.xsd                |    0
 .../office}/schemas/ISO-IEC29500-4_2016/shared-documentPropertiesCustom.xsd                 |    0
 .../office}/schemas/ISO-IEC29500-4_2016/shared-documentPropertiesExtended.xsd               |    0
 .../office}/schemas/ISO-IEC29500-4_2016/shared-documentPropertiesVariantTypes.xsd           |    0
 skills/pptx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/shared-math.xsd           |    0
 .../{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/shared-relationshipReference.xsd  |    0
 skills/pptx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/sml.xsd                   |    0
 skills/pptx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/vml-main.xsd              |    0
 skills/pptx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/vml-officeDrawing.xsd     |    0
 .../pptx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/vml-presentationDrawing.xsd  |    0
 .../pptx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/vml-spreadsheetDrawing.xsd   |    0
 .../{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/vml-wordprocessingDrawing.xsd     |    0
 skills/pptx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/wml.xsd                   |    0
 skills/pptx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/xml.xsd                   |    0
 skills/pptx/{ooxml => scripts/office}/schemas/ecma/fouth-edition/opc-contentTypes.xsd       |    0
 skills/pptx/{ooxml => scripts/office}/schemas/ecma/fouth-edition/opc-coreProperties.xsd     |    0
 skills/pptx/{ooxml => scripts/office}/schemas/ecma/fouth-edition/opc-digSig.xsd             |    0
 skills/pptx/{ooxml => scripts/office}/schemas/ecma/fouth-edition/opc-relationships.xsd      |    0
 skills/pptx/{ooxml => scripts/office}/schemas/mce/mc.xsd                                    |    0
 skills/pptx/{ooxml => scripts/office}/schemas/microsoft/wml-2010.xsd                        |    0
 skills/pptx/{ooxml => scripts/office}/schemas/microsoft/wml-2012.xsd                        |    0
 skills/pptx/{ooxml => scripts/office}/schemas/microsoft/wml-2018.xsd                        |    0
 skills/pptx/{ooxml => scripts/office}/schemas/microsoft/wml-cex-2018.xsd                    |    0
 skills/pptx/{ooxml => scripts/office}/schemas/microsoft/wml-cid-2016.xsd                    |    0
 skills/pptx/{ooxml => scripts/office}/schemas/microsoft/wml-sdtdatahash-2020.xsd            |    0
 skills/pptx/{ooxml => scripts/office}/schemas/microsoft/wml-symex-2015.xsd                  |    0
 skills/pptx/scripts/office/soffice.py                                                       |  183 ++
 skills/pptx/scripts/office/unpack.py                                                        |  132 ++
 skills/pptx/scripts/office/validate.py                                                      |  111 ++
 skills/pptx/{ooxml/scripts/validation => scripts/office/validators}/__init__.py             |    0
 skills/{docx/ooxml/scripts/validation => pptx/scripts/office/validators}/base.py            |  310 +---
 skills/pptx/scripts/office/validators/docx.py                                               |  446 +++++
 skills/{docx/ooxml/scripts/validation => pptx/scripts/office/validators}/pptx.py            |   44 +-
 skills/pptx/{ooxml/scripts/validation => scripts/office/validators}/redlining.py            |   74 +-
 skills/pptx/scripts/rearrange.py                                                            |  231 ---
 skills/pptx/scripts/replace.py                                                              |  385 ----
 skills/pptx/scripts/thumbnail.py                                                            |  399 ++--
 skills/skill-creator/SKILL.md                                                               |  555 +++---
 skills/skill-creator/agents/analyzer.md                                                     |  274 +++
 skills/skill-creator/agents/comparator.md                                                   |  202 ++
 skills/skill-creator/agents/grader.md                                                       |  223 +++
 skills/skill-creator/assets/eval_review.html                                                |  146 ++
 skills/skill-creator/eval-viewer/generate_review.py                                         |  471 +++++
 skills/skill-creator/eval-viewer/viewer.html                                                | 1325 +++++++++++++
 skills/skill-creator/references/output-patterns.md                                          |   82 -
 skills/skill-creator/references/schemas.md                                                  |  430 +++++
 skills/skill-creator/references/workflows.md                                                |   28 -
 skills/skill-creator/scripts/__init__.py                                                    |    0
 skills/skill-creator/scripts/aggregate_benchmark.py                                         |  401 ++++
 skills/skill-creator/scripts/generate_report.py                                             |  326 ++++
 skills/skill-creator/scripts/improve_description.py                                         |  247 +++
 skills/skill-creator/scripts/init_skill.py                                                  |  303 ---
 skills/skill-creator/scripts/package_skill.py                                               |   40 +-
 skills/skill-creator/scripts/quick_validate.py                                              |   14 +-
 skills/skill-creator/scripts/run_eval.py                                                    |  310 ++++
 skills/skill-creator/scripts/run_loop.py                                                    |  328 ++++
 skills/skill-creator/scripts/utils.py                                                       |   47 +
 skills/xlsx/SKILL.md                                                                        |   21 +-
 skills/xlsx/recalc.py                                                                       |  178 --
 skills/xlsx/scripts/office/helpers/__init__.py                                              |    0
 skills/xlsx/scripts/office/helpers/merge_runs.py                                            |  199 ++
 skills/xlsx/scripts/office/helpers/simplify_redlines.py                                     |  197 ++
 skills/xlsx/scripts/office/pack.py                                                          |  159 ++
 skills/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-chart.xsd                        | 1499 +++++++++++++++
 skills/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-chartDrawing.xsd                 |  146 ++
 skills/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-diagram.xsd                      | 1085 +++++++++++
 skills/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-lockedCanvas.xsd                 |   11 +
 skills/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-main.xsd                         | 3081 ++++++++++++++++++++++++++++++
 skills/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-picture.xsd                      |   23 +
 skills/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-spreadsheetDrawing.xsd           |  185 ++
 skills/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-wordprocessingDrawing.xsd        |  287 +++
 skills/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/pml.xsd                              | 1676 +++++++++++++++++
 skills/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-additionalCharacteristics.xsd |   28 +
 skills/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-bibliography.xsd              |  144 ++
 skills/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-commonSimpleTypes.xsd         |  174 ++
 skills/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-customXmlDataProperties.xsd   |   25 +
 skills/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-customXmlSchemaProperties.xsd |   18 +
 skills/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-documentPropertiesCustom.xsd  |   59 +
 .../xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-documentPropertiesExtended.xsd   |   56 +
 .../scripts/office/schemas/ISO-IEC29500-4_2016/shared-documentPropertiesVariantTypes.xsd    |  195 ++
 skills/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-math.xsd                      |  582 ++++++
 skills/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-relationshipReference.xsd     |   25 +
 skills/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/sml.xsd                              | 4439 ++++++++++++++++++++++++++++++++++++++++++++
 skills/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/vml-main.xsd                         |  570 ++++++
 skills/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/vml-officeDrawing.xsd                |  509 +++++
 skills/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/vml-presentationDrawing.xsd          |   12 +
 skills/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/vml-spreadsheetDrawing.xsd           |  108 ++
 skills/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/vml-wordprocessingDrawing.xsd        |   96 +
 skills/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/wml.xsd                              | 3646 ++++++++++++++++++++++++++++++++++++
 skills/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/xml.xsd                              |  116 ++
 skills/xlsx/scripts/office/schemas/ecma/fouth-edition/opc-contentTypes.xsd                  |   42 +
 skills/xlsx/scripts/office/schemas/ecma/fouth-edition/opc-coreProperties.xsd                |   50 +
 skills/xlsx/scripts/office/schemas/ecma/fouth-edition/opc-digSig.xsd                        |   49 +
 skills/xlsx/scripts/office/schemas/ecma/fouth-edition/opc-relationships.xsd                 |   33 +
 skills/xlsx/scripts/office/schemas/mce/mc.xsd                                               |   75 +
 skills/xlsx/scripts/office/schemas/microsoft/wml-2010.xsd                                   |  560 ++++++
 skills/xlsx/scripts/office/schemas/microsoft/wml-2012.xsd                                   |   67 +
 skills/xlsx/scripts/office/schemas/microsoft/wml-2018.xsd                                   |   14 +
 skills/xlsx/scripts/office/schemas/microsoft/wml-cex-2018.xsd                               |   20 +
 skills/xlsx/scripts/office/schemas/microsoft/wml-cid-2016.xsd                               |   13 +
 skills/xlsx/scripts/office/schemas/microsoft/wml-sdtdatahash-2020.xsd                       |    4 +
 skills/xlsx/scripts/office/schemas/microsoft/wml-symex-2015.xsd                             |    8 +
 skills/xlsx/scripts/office/soffice.py                                                       |  183 ++
 skills/xlsx/scripts/office/unpack.py                                                        |  132 ++
 skills/xlsx/scripts/office/validate.py                                                      |  111 ++
 skills/xlsx/scripts/office/validators/__init__.py                                           |   15 +
 skills/xlsx/scripts/office/validators/base.py                                               |  847 +++++++++
 skills/xlsx/scripts/office/validators/docx.py                                               |  446 +++++
 skills/xlsx/scripts/office/validators/pptx.py                                               |  275 +++
 skills/xlsx/scripts/office/validators/redlining.py                                          |  247 +++
 skills/xlsx/scripts/recalc.py                                                               |  184 ++
 249 files changed, 41029 insertions(+), 10062 deletions(-)
 create mode 100644 skills/claude-api/LICENSE.txt
 create mode 100644 skills/claude-api/SKILL.md
 create mode 100644 skills/claude-api/csharp/claude-api.md
 create mode 100644 skills/claude-api/curl/examples.md
 create mode 100644 skills/claude-api/go/claude-api.md
 create mode 100644 skills/claude-api/java/claude-api.md
 create mode 100644 skills/claude-api/php/claude-api.md
 create mode 100644 skills/claude-api/python/agent-sdk/README.md
 create mode 100644 skills/claude-api/python/agent-sdk/patterns.md
 create mode 100644 skills/claude-api/python/claude-api/README.md
 create mode 100644 skills/claude-api/python/claude-api/batches.md
 create mode 100644 skills/claude-api/python/claude-api/files-api.md
 create mode 100644 skills/claude-api/python/claude-api/streaming.md
 create mode 100644 skills/claude-api/python/claude-api/tool-use.md
 create mode 100644 skills/claude-api/ruby/claude-api.md
 create mode 100644 skills/claude-api/shared/error-codes.md
 create mode 100644 skills/claude-api/shared/live-sources.md
 create mode 100644 skills/claude-api/shared/models.md
 create mode 100644 skills/claude-api/shared/prompt-caching.md
 create mode 100644 skills/claude-api/shared/tool-use-concepts.md
 create mode 100644 skills/claude-api/typescript/agent-sdk/README.md
 create mode 100644 skills/claude-api/typescript/agent-sdk/patterns.md
 create mode 100644 skills/claude-api/typescript/claude-api/README.md
 create mode 100644 skills/claude-api/typescript/claude-api/batches.md
 create mode 100644 skills/claude-api/typescript/claude-api/files-api.md
 create mode 100644 skills/claude-api/typescript/claude-api/streaming.md
 create mode 100644 skills/claude-api/typescript/claude-api/tool-use.md
 delete mode 100644 skills/docx/docx-js.md
 delete mode 100644 skills/docx/ooxml.md
 delete mode 100755 skills/docx/ooxml/scripts/pack.py
 delete mode 100755 skills/docx/ooxml/scripts/unpack.py
 delete mode 100755 skills/docx/ooxml/scripts/validate.py
 delete mode 100644 skills/docx/ooxml/scripts/validation/docx.py
 create mode 100755 skills/docx/scripts/accept_changes.py
 create mode 100755 skills/docx/scripts/comment.py
 delete mode 100755 skills/docx/scripts/document.py
 create mode 100644 skills/docx/scripts/office/helpers/__init__.py
 create mode 100644 skills/docx/scripts/office/helpers/merge_runs.py
 create mode 100644 skills/docx/scripts/office/helpers/simplify_redlines.py
 create mode 100755 skills/docx/scripts/office/pack.py
 rename skills/docx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/dml-chart.xsd (100%)
 rename skills/docx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/dml-chartDrawing.xsd (100%)
 rename skills/docx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/dml-diagram.xsd (100%)
 rename skills/docx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/dml-lockedCanvas.xsd (100%)
 rename skills/docx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/dml-main.xsd (100%)
 rename skills/docx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/dml-picture.xsd (100%)
 rename skills/docx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/dml-spreadsheetDrawing.xsd (100%)
 rename skills/docx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/dml-wordprocessingDrawing.xsd (100%)
 rename skills/docx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/pml.xsd (100%)
 rename skills/docx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/shared-additionalCharacteristics.xsd (100%)
 rename skills/docx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/shared-bibliography.xsd (100%)
 rename skills/docx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/shared-commonSimpleTypes.xsd (100%)
 rename skills/docx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/shared-customXmlDataProperties.xsd (100%)
 rename skills/docx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/shared-customXmlSchemaProperties.xsd (100%)
 rename skills/docx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/shared-documentPropertiesCustom.xsd (100%)
 rename skills/docx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/shared-documentPropertiesExtended.xsd (100%)
 rename skills/docx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/shared-documentPropertiesVariantTypes.xsd (100%)
 rename skills/docx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/shared-math.xsd (100%)
 rename skills/docx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/shared-relationshipReference.xsd (100%)
 rename skills/docx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/sml.xsd (100%)
 rename skills/docx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/vml-main.xsd (100%)
 rename skills/docx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/vml-officeDrawing.xsd (100%)
 rename skills/docx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/vml-presentationDrawing.xsd (100%)
 rename skills/docx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/vml-spreadsheetDrawing.xsd (100%)
 rename skills/docx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/vml-wordprocessingDrawing.xsd (100%)
 rename skills/docx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/wml.xsd (100%)
 rename skills/docx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/xml.xsd (100%)
 rename skills/docx/{ooxml => scripts/office}/schemas/ecma/fouth-edition/opc-contentTypes.xsd (100%)
 rename skills/docx/{ooxml => scripts/office}/schemas/ecma/fouth-edition/opc-coreProperties.xsd (100%)
 rename skills/docx/{ooxml => scripts/office}/schemas/ecma/fouth-edition/opc-digSig.xsd (100%)
 rename skills/docx/{ooxml => scripts/office}/schemas/ecma/fouth-edition/opc-relationships.xsd (100%)
 rename skills/docx/{ooxml => scripts/office}/schemas/mce/mc.xsd (100%)
 rename skills/docx/{ooxml => scripts/office}/schemas/microsoft/wml-2010.xsd (100%)
 rename skills/docx/{ooxml => scripts/office}/schemas/microsoft/wml-2012.xsd (100%)
 rename skills/docx/{ooxml => scripts/office}/schemas/microsoft/wml-2018.xsd (100%)
 rename skills/docx/{ooxml => scripts/office}/schemas/microsoft/wml-cex-2018.xsd (100%)
 rename skills/docx/{ooxml => scripts/office}/schemas/microsoft/wml-cid-2016.xsd (100%)
 rename skills/docx/{ooxml => scripts/office}/schemas/microsoft/wml-sdtdatahash-2020.xsd (100%)
 rename skills/docx/{ooxml => scripts/office}/schemas/microsoft/wml-symex-2015.xsd (100%)
 create mode 100644 skills/docx/scripts/office/soffice.py
 create mode 100755 skills/docx/scripts/office/unpack.py
 create mode 100755 skills/docx/scripts/office/validate.py
 rename skills/docx/{ooxml/scripts/validation => scripts/office/validators}/__init__.py (100%)
 rename skills/{pptx/ooxml/scripts/validation => docx/scripts/office/validators}/base.py (71%)
 create mode 100644 skills/docx/scripts/office/validators/docx.py
 rename skills/{pptx/ooxml/scripts/validation => docx/scripts/office/validators}/pptx.py (79%)
 rename skills/docx/{ooxml/scripts/validation => scripts/office/validators}/redlining.py (72%)
 delete mode 100755 skills/docx/scripts/utilities.py
 delete mode 100644 skills/pdf/scripts/check_bounding_boxes_test.py
 create mode 100755 skills/pdf/scripts/extract_form_structure.py
 create mode 100644 skills/pptx/editing.md
 delete mode 100644 skills/pptx/html2pptx.md
 delete mode 100644 skills/pptx/ooxml.md
 delete mode 100755 skills/pptx/ooxml/scripts/pack.py
 delete mode 100755 skills/pptx/ooxml/scripts/unpack.py
 delete mode 100755 skills/pptx/ooxml/scripts/validate.py
 delete mode 100644 skills/pptx/ooxml/scripts/validation/docx.py
 create mode 100644 skills/pptx/pptxgenjs.md
 create mode 100644 skills/pptx/scripts/__init__.py
 create mode 100755 skills/pptx/scripts/add_slide.py
 create mode 100755 skills/pptx/scripts/clean.py
 delete mode 100755 skills/pptx/scripts/html2pptx.js
 delete mode 100755 skills/pptx/scripts/inventory.py
 create mode 100644 skills/pptx/scripts/office/helpers/__init__.py
 create mode 100644 skills/pptx/scripts/office/helpers/merge_runs.py
 create mode 100644 skills/pptx/scripts/office/helpers/simplify_redlines.py
 create mode 100755 skills/pptx/scripts/office/pack.py
 rename skills/pptx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/dml-chart.xsd (100%)
 rename skills/pptx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/dml-chartDrawing.xsd (100%)
 rename skills/pptx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/dml-diagram.xsd (100%)
 rename skills/pptx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/dml-lockedCanvas.xsd (100%)
 rename skills/pptx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/dml-main.xsd (100%)
 rename skills/pptx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/dml-picture.xsd (100%)
 rename skills/pptx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/dml-spreadsheetDrawing.xsd (100%)
 rename skills/pptx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/dml-wordprocessingDrawing.xsd (100%)
 rename skills/pptx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/pml.xsd (100%)
 rename skills/pptx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/shared-additionalCharacteristics.xsd (100%)
 rename skills/pptx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/shared-bibliography.xsd (100%)
 rename skills/pptx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/shared-commonSimpleTypes.xsd (100%)
 rename skills/pptx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/shared-customXmlDataProperties.xsd (100%)
 rename skills/pptx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/shared-customXmlSchemaProperties.xsd (100%)
 rename skills/pptx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/shared-documentPropertiesCustom.xsd (100%)
 rename skills/pptx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/shared-documentPropertiesExtended.xsd (100%)
 rename skills/pptx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/shared-documentPropertiesVariantTypes.xsd (100%)
 rename skills/pptx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/shared-math.xsd (100%)
 rename skills/pptx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/shared-relationshipReference.xsd (100%)
 rename skills/pptx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/sml.xsd (100%)
 rename skills/pptx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/vml-main.xsd (100%)
 rename skills/pptx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/vml-officeDrawing.xsd (100%)
 rename skills/pptx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/vml-presentationDrawing.xsd (100%)
 rename skills/pptx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/vml-spreadsheetDrawing.xsd (100%)
 rename skills/pptx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/vml-wordprocessingDrawing.xsd (100%)
 rename skills/pptx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/wml.xsd (100%)
 rename skills/pptx/{ooxml => scripts/office}/schemas/ISO-IEC29500-4_2016/xml.xsd (100%)
 rename skills/pptx/{ooxml => scripts/office}/schemas/ecma/fouth-edition/opc-contentTypes.xsd (100%)
 rename skills/pptx/{ooxml => scripts/office}/schemas/ecma/fouth-edition/opc-coreProperties.xsd (100%)
 rename skills/pptx/{ooxml => scripts/office}/schemas/ecma/fouth-edition/opc-digSig.xsd (100%)
 rename skills/pptx/{ooxml => scripts/office}/schemas/ecma/fouth-edition/opc-relationships.xsd (100%)
 rename skills/pptx/{ooxml => scripts/office}/schemas/mce/mc.xsd (100%)
 rename skills/pptx/{ooxml => scripts/office}/schemas/microsoft/wml-2010.xsd (100%)
 rename skills/pptx/{ooxml => scripts/office}/schemas/microsoft/wml-2012.xsd (100%)
 rename skills/pptx/{ooxml => scripts/office}/schemas/microsoft/wml-2018.xsd (100%)
 rename skills/pptx/{ooxml => scripts/office}/schemas/microsoft/wml-cex-2018.xsd (100%)
 rename skills/pptx/{ooxml => scripts/office}/schemas/microsoft/wml-cid-2016.xsd (100%)
 rename skills/pptx/{ooxml => scripts/office}/schemas/microsoft/wml-sdtdatahash-2020.xsd (100%)
 rename skills/pptx/{ooxml => scripts/office}/schemas/microsoft/wml-symex-2015.xsd (100%)
 create mode 100644 skills/pptx/scripts/office/soffice.py
 create mode 100755 skills/pptx/scripts/office/unpack.py
 create mode 100755 skills/pptx/scripts/office/validate.py
 rename skills/pptx/{ooxml/scripts/validation => scripts/office/validators}/__init__.py (100%)
 rename skills/{docx/ooxml/scripts/validation => pptx/scripts/office/validators}/base.py (71%)
 create mode 100644 skills/pptx/scripts/office/validators/docx.py
 rename skills/{docx/ooxml/scripts/validation => pptx/scripts/office/validators}/pptx.py (79%)
 rename skills/pptx/{ooxml/scripts/validation => scripts/office/validators}/redlining.py (72%)
 delete mode 100755 skills/pptx/scripts/rearrange.py
 delete mode 100755 skills/pptx/scripts/replace.py
 create mode 100644 skills/skill-creator/agents/analyzer.md
 create mode 100644 skills/skill-creator/agents/comparator.md
 create mode 100644 skills/skill-creator/agents/grader.md
 create mode 100644 skills/skill-creator/assets/eval_review.html
 create mode 100644 skills/skill-creator/eval-viewer/generate_review.py
 create mode 100644 skills/skill-creator/eval-viewer/viewer.html
 delete mode 100644 skills/skill-creator/references/output-patterns.md
 create mode 100644 skills/skill-creator/references/schemas.md
 delete mode 100644 skills/skill-creator/references/workflows.md
 create mode 100644 skills/skill-creator/scripts/__init__.py
 create mode 100755 skills/skill-creator/scripts/aggregate_benchmark.py
 create mode 100755 skills/skill-creator/scripts/generate_report.py
 create mode 100755 skills/skill-creator/scripts/improve_description.py
 delete mode 100755 skills/skill-creator/scripts/init_skill.py
 create mode 100755 skills/skill-creator/scripts/run_eval.py
 create mode 100755 skills/skill-creator/scripts/run_loop.py
 create mode 100644 skills/skill-creator/scripts/utils.py
 delete mode 100644 skills/xlsx/recalc.py
 create mode 100644 skills/xlsx/scripts/office/helpers/__init__.py
 create mode 100644 skills/xlsx/scripts/office/helpers/merge_runs.py
 create mode 100644 skills/xlsx/scripts/office/helpers/simplify_redlines.py
 create mode 100755 skills/xlsx/scripts/office/pack.py
 create mode 100644 skills/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-chart.xsd
 create mode 100644 skills/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-chartDrawing.xsd
 create mode 100644 skills/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-diagram.xsd
 create mode 100644 skills/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-lockedCanvas.xsd
 create mode 100644 skills/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-main.xsd
 create mode 100644 skills/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-picture.xsd
 create mode 100644 skills/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-spreadsheetDrawing.xsd
 create mode 100644 skills/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-wordprocessingDrawing.xsd
 create mode 100644 skills/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/pml.xsd
 create mode 100644 skills/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-additionalCharacteristics.xsd
 create mode 100644 skills/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-bibliography.xsd
 create mode 100644 skills/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-commonSimpleTypes.xsd
 create mode 100644 skills/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-customXmlDataProperties.xsd
 create mode 100644 skills/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-customXmlSchemaProperties.xsd
 create mode 100644 skills/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-documentPropertiesCustom.xsd
 create mode 100644 skills/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-documentPropertiesExtended.xsd
 create mode 100644 skills/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-documentPropertiesVariantTypes.xsd
 create mode 100644 skills/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-math.xsd
 create mode 100644 skills/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-relationshipReference.xsd
 create mode 100644 skills/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/sml.xsd
 create mode 100644 skills/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/vml-main.xsd
 create mode 100644 skills/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/vml-officeDrawing.xsd
 create mode 100644 skills/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/vml-presentationDrawing.xsd
 create mode 100644 skills/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/vml-spreadsheetDrawing.xsd
 create mode 100644 skills/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/vml-wordprocessingDrawing.xsd
 create mode 100644 skills/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/wml.xsd
 create mode 100644 skills/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/xml.xsd
 create mode 100644 skills/xlsx/scripts/office/schemas/ecma/fouth-edition/opc-contentTypes.xsd
 create mode 100644 skills/xlsx/scripts/office/schemas/ecma/fouth-edition/opc-coreProperties.xsd
 create mode 100644 skills/xlsx/scripts/office/schemas/ecma/fouth-edition/opc-digSig.xsd
 create mode 100644 skills/xlsx/scripts/office/schemas/ecma/fouth-edition/opc-relationships.xsd
 create mode 100644 skills/xlsx/scripts/office/schemas/mce/mc.xsd
 create mode 100644 skills/xlsx/scripts/office/schemas/microsoft/wml-2010.xsd
 create mode 100644 skills/xlsx/scripts/office/schemas/microsoft/wml-2012.xsd
 create mode 100644 skills/xlsx/scripts/office/schemas/microsoft/wml-2018.xsd
 create mode 100644 skills/xlsx/scripts/office/schemas/microsoft/wml-cex-2018.xsd
 create mode 100644 skills/xlsx/scripts/office/schemas/microsoft/wml-cid-2016.xsd
 create mode 100644 skills/xlsx/scripts/office/schemas/microsoft/wml-sdtdatahash-2020.xsd
 create mode 100644 skills/xlsx/scripts/office/schemas/microsoft/wml-symex-2015.xsd
 create mode 100644 skills/xlsx/scripts/office/soffice.py
 create mode 100755 skills/xlsx/scripts/office/unpack.py
 create mode 100755 skills/xlsx/scripts/office/validate.py
 create mode 100644 skills/xlsx/scripts/office/validators/__init__.py
 create mode 100644 skills/xlsx/scripts/office/validators/base.py
 create mode 100644 skills/xlsx/scripts/office/validators/docx.py
 create mode 100644 skills/xlsx/scripts/office/validators/pptx.py
 create mode 100644 skills/xlsx/scripts/office/validators/redlining.py
 create mode 100755 skills/xlsx/scripts/recalc.py
builder@DESKTOP-QADGF36:~/Workspaces/skills$ ls
README.md  THIRD_PARTY_NOTICES.md  skills  spec  template
builder@DESKTOP-QADGF36:~/Workspaces/skills$ ls skills/
algorithmic-art   canvas-design  doc-coauthoring  frontend-design  mcp-builder  pptx           slack-gif-creator  web-artifacts-builder  xlsx
brand-guidelines  claude-api     docx             internal-comms   pdf          skill-creator  theme-factory      webapp-testing

I noticed since I updated last, they removed claude-api. Wonder if the leaks of their code had anything to do with that.

My mode of using skills is to sym-link or copy them in the more global ~/.agent/skills

I’ll go ahead and link that skill creator there

$ ln -s /home/builder/Workspaces/skills/skills/skill-creator /home/builder/.agents/skills/skill-creator

My second habit is to aggregate my newly created skills into their own private GIT repo

Since I actually care about these now, I’ll do a backup to Codeberg (always good to do 2 homes for GIT)

Now that that is sorted, let’s clone our own agentskills repo to build something

builder@DESKTOP-QADGF36:~/Workspaces$ git clone https://forgejo.freshbrewed.science/builderadmin/agentskills.git
Cloning into 'agentskills'...
remote: Enumerating objects: 11, done.
remote: Counting objects: 100% (11/11), done.
remote: Compressing objects: 100% (9/9), done.
remote: Total 11 (delta 1), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (11/11), 4.07 KiB | 4.07 MiB/s, done.
Resolving deltas: 100% (1/1), done.
builder@DESKTOP-QADGF36:~/Workspaces$ cd agentskills/
builder@DESKTOP-QADGF36:~/Workspaces/agentskills$ nvm use lts/jod
Now using node v22.22.0 (npm v10.9.4)

I fired up Pi and tried to load my skill.. seems i need to feed the pig…

I have auto-reload disabled so when it’s out it’s out. So i fed it a $20

Anthropic also does this use it or lose it thing

So that’s another reason I’m not a giant fan of them, even if their tooling is pretty good.

My next issue was Sonnet 3.7 isn’t available.. I think my eyes just screwed that up seeing the “.7”.. 4.6 is the latest, not 3.7

I can use the Skill creator with “/skill:skill-creator” - this makes Pi definitely load that creator skill for our next step.

Loading the skill already cost me 7c

Let’s now build a skill out with Sonnet 4.6

As we can see, that took about 5 minutes with Pi and cost about US$0.395

Claude native

Let’s now fire up Claude natively in the same directory

As we can see, it can create a new Helm Chart skill, but it loves to launch agents in Parallel which I fear is going to cost me.

it finished

And it did build out a skill

builder@DESKTOP-QADGF36:~/Workspaces/agentskills$ tree ./helm-charts-workspace/
./helm-charts-workspace/
└── iteration-1
    ├── benchmark.json
    ├── benchmark.md
    ├── eval-1
    │   ├── eval_metadata.json
    │   ├── with_skill
    │   │   └── run-1
    │   │       ├── grading.json
    │   │       ├── outputs
    │   │       │   ├── Chart.yaml
    │   │       │   ├── templates
    │   │       │   │   ├── NOTES.txt
    │   │       │   │   ├── _helpers.tpl
    │   │       │   │   ├── deployment.yaml
    │   │       │   │   ├── ingress.yaml
    │   │       │   │   ├── namespace.yaml
    │   │       │   │   ├── pvc.yaml
    │   │       │   │   └── service.yaml
    │   │       │   └── values.yaml
    │   │       └── timing.json
    │   └── without_skill
    │       └── run-1
    │           ├── grading.json
    │           ├── outputs
    │           │   ├── Chart.yaml
    │           │   ├── templates
    │           │   │   ├── NOTES.txt
    │           │   │   ├── _helpers.tpl
    │           │   │   ├── deployment.yaml
    │           │   │   ├── ingress.yaml
    │           │   │   ├── namespace.yaml
    │           │   │   ├── pvc.yaml
    │           │   │   └── service.yaml
    │           │   └── values.yaml
    │           └── timing.json
    ├── eval-2
    │   ├── eval_metadata.json
    │   ├── with_skill
    │   │   └── run-1
    │   │       ├── grading.json
    │   │       ├── outputs
    │   │       │   ├── Chart.yaml
    │   │       │   ├── templates
    │   │       │   │   ├── NOTES.txt
    │   │       │   │   ├── _helpers.tpl
    │   │       │   │   ├── deployment.yaml
    │   │       │   │   └── service.yaml
    │   │       │   └── values.yaml
    │   │       └── timing.json
    │   └── without_skill
    │       └── run-1
    │           ├── grading.json
    │           ├── outputs
    │           │   ├── Chart.yaml
    │           │   ├── templates
    │           │   │   ├── NOTES.txt
    │           │   │   ├── _helpers.tpl
    │           │   │   ├── deployment.yaml
    │           │   │   └── service.yaml
    │           │   └── values.yaml
    │           └── timing.json
    └── eval-3
        ├── eval_metadata.json
        ├── with_skill
        │   └── run-1
        │       ├── grading.json
        │       ├── outputs
        │       │   ├── templates
        │       │   │   ├── ingress.yaml
        │       │   │   └── namespace.yaml
        │       │   └── values_ingress_section.yaml
        │       └── timing.json
        └── without_skill
            └── run-1
                ├── grading.json
                ├── outputs
                │   ├── templates
                │   │   ├── ingress.yaml
                │   │   └── namespace.yaml
                │   └── values_ingress_section.yaml
                └── timing.json

28 directories, 53 files

But cost me at least $2.30

I think that’s why heavy users quickly switch from the free model with pay-per-token to a Claude Pro or Max plan

Gemma 4

I’m on my Windows box at the moment, so let’s pull down Gemma4 which dropped in Ollama just last night

While it would appear I could download with my Ollama

I’m prompted to upgrade them moment i try and use it

In Windows, I don’t know a great way to just tell it to pull a model other than launch from system tray and try and use it. The first time you do it downloads the model of which you seek

Let’s ask a coding question about Perl and see what it comes back with. I’ll pause a few times, but leave the timer up

That took about 2 minutes. This is pretty promising especially because my desktop nVidia 3070 only has 8Gb dedicated memory so it’s not ‘giant’ (my new laptop has 12Gb, but let’s keep with Windows for the moment).

My next test will use Gemma4 in VS Code by way of Continue.dev’s plugin. My plugin uses JSON, but yours might use YAML

  "models": [
    {
      "title": "gemma4:e4b",
      "provider": "ollama",
      "model": "gemma4:e4b"
    },
    ...
  ]

I worked through making a service skill

Many times over, it would get stuck making files and i would nudge it along. In the end, I just made the files for it and put in the contents. While i spent roughly 30m on this, I was also distracted and reading some articles so it was more like 15m to get the the work done.

I wanted to see if any of the charts were a bit borked, so I did a local test:

$ helm install --dry-run --debug myfakeskill ./helm-chart/
install.go:225: 2026-04-03 09:17:27.184010461 -0500 CDT m=+0.282573365 [debug] Original chart version: ""
install.go:242: 2026-04-03 09:17:27.184974141 -0500 CDT m=+0.283537045 [debug] CHART PATH: /home/builder/Workspaces/agentskills/python-app-setup/helm-chart

Error: INSTALLATION FAILED: template: fastapi-service/templates/secret.yaml:10:21: executing "fastapi-service/templates/secret.yaml" at <.Values.secret.apiKeyValue>: nil pointer evaluating interface {}.apiKeyValue
helm.go:86: 2026-04-03 09:17:27.265751891 -0500 CDT m=+0.364314795 [debug] template: fastapi-service/templates/secret.yaml:10:21: executing "fastapi-service/templates/secret.yaml" at <.Values.secret.apiKeyValue>: nil pointer evaluating interface {}.apiKeyValue
INSTALLATION FAILED
main.newInstallCmd.func2
        helm.sh/helm/v3/cmd/helm/install.go:158
github.com/spf13/cobra.(*Command).execute
        github.com/spf13/cobra@v1.8.1/command.go:985
github.com/spf13/cobra.(*Command).ExecuteC
        github.com/spf13/cobra@v1.8.1/command.go:1117
github.com/spf13/cobra.(*Command).Execute
        github.com/spf13/cobra@v1.8.1/command.go:1041
main.main
        helm.sh/helm/v3/cmd/helm/helm.go:85
runtime.main
        runtime/proc.go:283
runtime.goexit
        runtime/asm_amd64.s:1700

Let’s now try to fix this with Pi using our locally hosted models

I’ll create (or update) ~/.pi/agent/models.json

{
  "providers": {
    "ollama": {
      "baseUrl": "http://192.168.1.160:11434/v1",
      "api": "openai-completions",
      "apiKey": "ollama",
      "models": [
        { "id": "gemma4:e4b" },
        { "id": "qwen3:latest" }
      ]
    }
  }
}

Now, most will use localhost for the baseURL. But I found WSL doesn’t “see” my windows hosted Ollama and if i use Ollama in WSL, it doesn’t properly see my nVidia card. So even tho this is running in WSL on that exact host, I’m using my local IP seen in Windows (192.168.1.160) for the address.

Let’s ask Pi (using Gemma4) to fix it

It took about 2:40 to come up with it’s first idea for a fix, which required me to confirm (though Pi didn’t really suggest that, i just wrote “yes, do that” and hit enter).

However, over and over it would claim to do an edit but then just sit there. i ran that 3 times

OpenCode

Like Pi, there is another local CLI we can use with Ollama, Opencode

builder@DESKTOP-QADGF36:~/Workspaces/agentskills$ npm i -g opencode-ai

added 5 packages in 8s

I need to create a local opencode json file with models

builder@DESKTOP-QADGF36:~/Workspaces/agentskills$ cat opencode.json
{
  "$schema": "https://opencode.ai/config.json",
  "provider": {
    "ollama": {
      "npm": "@ai-sdk/openai-compatible",
      "name": "Ollama (local)",
      "options": {
        "baseURL": "http://192.168.1.160:11434/v1"
      },
      "models": {
        "gemma4:e4b": {
          "name": "gemma4"
        }
      }
    }
  }
}

It picked up the Anthropic key so I need to move to the gemma4 model I defined

I’ll feed the same prompt

This will kick in as it talks to Ollama in Windows

But it too failed

Here I feel like the guy with a Roomba who keeps setting it on top of the same piece of trash instead of just picking it up.

Fine, I’ll fix the damn error myself.

When we see:

Error: INSTALLATION FAILED: template: fastapi-service/templates/secret.yaml:10:26: executing “fastapi-service/templates/secret.yaml” at <.Values.secret.apiKeyValue>: nil pointer evaluating interface {}.apiKeyValue helm.go:86: 2026-04-03 14:35:03.126362357 -0500 CDT m=+0.433510017 [debug] template: fastapi-service/templates/secret.yaml:10:26: executing “fastapi-service/templates/secret.yaml” at <.Values.secret.apiKeyValue>: nil pointer evaluating interface {}.apiKeyValue

It is pretty clear that the secret should be wrapped in an if block and exposed in the values file.

We need to wrap it with an if, ie.g

{{- if .Values.secret.enabled }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ include "chart.fullname" . }}-secret
  labels:
    {{- include "chart.labels" . | nindent 2 }}
type: Opaque
data:
  # Example data key/value pair
  api_key: {{ with .Values.secret.apiKeyValue }}{{ . | b64enc }}{{ end }}
{{- end }}

Then drop an enable (which is false by default) in the values

secret:
  enabled: false
  apiKeyValue: ""

I fixed the ingress and serviceaccount yamls and then it worked.

Commentary: Those who say you can just vibe code and don’t need to know things are fooling themselves.

Using the Skills we made with Pi and Gemma4

Again, just as before, you’ll see I have to nudge it along…

It made a start but really it just gave a start and couldn’t get much farther.

Gemini CLI

I plan to just try Gemini CLI now to see if it can finish the job

I’ll give it the same prompt:

Create a containerized Perl app using the perl-app-setup skill. The app should show a list of todos as stored locally in a local datastore and let the user check off items and add new items. they can also delete items.

It very quickly wrapped up, mostly using the Gemini 2.5 flash and 3 flash models

Testing

Let’s test the candidate work.

I’ll do a quick docker build

builder@DESKTOP-QADGF36:~/Workspaces/newApp$ docker build -t todo-app .
[+] Building 64.9s (17/17) FINISHED                                                                                       docker:default
 => [internal] load build definition from Dockerfile                                                                                0.0s
 => => transferring dockerfile: 801B                                                                                                0.0s
 => [internal] load metadata for docker.io/library/perl:5.38                                                                        1.3s
 => [internal] load metadata for docker.io/library/perl:5.38-slim                                                                   1.3s
 => [auth] library/perl:pull token for registry-1.docker.io                                                                         0.0s
 => [internal] load .dockerignore                                                                                                   0.0s
 => => transferring context: 158B                                                                                                   0.0s
 => [builder 1/6] FROM docker.io/library/perl:5.38@sha256:53060e111843f9b002cdea543dba7bfed54ff78e84b4abdf3b8df00451ea59c6         41.2s
 => => resolve docker.io/library/perl:5.38@sha256:53060e111843f9b002cdea543dba7bfed54ff78e84b4abdf3b8df00451ea59c6                  0.0s
 => => sha256:4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1 32B / 32B                                            0.3s
 => => sha256:47077a70fcc3f1fb0ef4638f82fd22d1b93ab6a3e98e64f66a157f4ce9ebedba 2.50kB / 2.50kB                                      0.0s
 => => sha256:53060e111843f9b002cdea543dba7bfed54ff78e84b4abdf3b8df00451ea59c6 9.01kB / 9.01kB                                      0.0s
 => => sha256:c663d63fb5298262de60d5e229e4b408d4c354795fe8019e9c8ccb6456a26613 5.83kB / 5.83kB                                      0.0s
 => => sha256:8f6ad858d0a46fa8ee628532c70b8dc82d06179d543b0b09ec19fc03d4c5b373 49.30MB / 49.30MB                                    4.1s
 => => sha256:b012eb15dff0bce418c03ec940325aee6aa4300d771c325728855697e620c63a 25.62MB / 25.62MB                                    3.4s
 => => sha256:ee3a0e7d77f0c84203cab438fcf345647c8121bbd80506a3c692f8608a14c4f4 67.78MB / 67.78MB                                    7.2s
 => => sha256:8688d0f2f567884eb217c6f80efa063bdb13a1951e92e6c5cac1ae5b736f5e1b 236.08MB / 236.08MB                                 12.9s
 => => sha256:6623c4016360f6a494137f7a0696634876fd3b5f84b642440e829aca640bd3b2 1.37kB / 1.37kB                                      4.3s
 => => extracting sha256:8f6ad858d0a46fa8ee628532c70b8dc82d06179d543b0b09ec19fc03d4c5b373                                           3.6s
 => => sha256:dd84d29e92517951df8c584ef70adac3b219a9e94e47073c3477b437fee3d6d3 15.56MB / 15.56MB                                    6.0s
 => => sha256:5c58bc0a198b5b32b37cf1fa1d2fc7bd96b5b9145df52faecab5106829908cff 132B / 132B                                          6.3s
 => => extracting sha256:b012eb15dff0bce418c03ec940325aee6aa4300d771c325728855697e620c63a                                           1.4s
 => => extracting sha256:ee3a0e7d77f0c84203cab438fcf345647c8121bbd80506a3c692f8608a14c4f4                                           5.3s
 => => extracting sha256:8688d0f2f567884eb217c6f80efa063bdb13a1951e92e6c5cac1ae5b736f5e1b                                          23.1s
 => => extracting sha256:6623c4016360f6a494137f7a0696634876fd3b5f84b642440e829aca640bd3b2                                           0.0s
 => => extracting sha256:4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1                                           0.0s
 => => extracting sha256:dd84d29e92517951df8c584ef70adac3b219a9e94e47073c3477b437fee3d6d3                                           2.4s
 => => extracting sha256:5c58bc0a198b5b32b37cf1fa1d2fc7bd96b5b9145df52faecab5106829908cff                                           0.0s
 => [internal] load build context                                                                                                   0.0s
 => => transferring context: 11.19kB                                                                                                0.0s
 => [runtime 1/4] FROM docker.io/library/perl:5.38-slim@sha256:877a0596aa8b5ef64dd7bde002fac9da4fbcebdc727927ee3cb36d520ad8a5dc     8.3s
 => => resolve docker.io/library/perl:5.38-slim@sha256:877a0596aa8b5ef64dd7bde002fac9da4fbcebdc727927ee3cb36d520ad8a5dc             0.0s
 => => sha256:c3507f6b13e970e15b0a7f80894ebaf5585dcc16d37c13332bcd4ace74cf9de1 1.37kB / 1.37kB                                      0.4s
 => => sha256:4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1 32B / 32B                                            0.3s
 => => sha256:877a0596aa8b5ef64dd7bde002fac9da4fbcebdc727927ee3cb36d520ad8a5dc 9.02kB / 9.02kB                                      0.0s
 => => sha256:b82b5ea7daa1a0755078a5297c8ecdf26e7ae43e8e759a372e1df8d0f7570dc9 1.92kB / 1.92kB                                      0.0s
 => => sha256:77f07f06f0362b7b34dcaed39280b3ea0f8ec3b0d21492b86b5071e2fa5a7b69 4.75kB / 4.75kB                                      0.0s
 => => sha256:ec781dee3f4719c2ca0dd9e73cb1d4ed834ed1a406495eb6e44b6dfaad5d1f8f 29.78MB / 29.78MB                                    1.5s
 => => sha256:444f25e108e264b00dae5fb350a4fbac78784586273ef37f290bdd3c8889599f 31.60MB / 31.60MB                                    2.9s
 => => sha256:e1debe2bad764c01de94cf2890688af6b6128e923bca730b5814a2696dd457f5 132B / 132B                                          0.7s
 => => extracting sha256:ec781dee3f4719c2ca0dd9e73cb1d4ed834ed1a406495eb6e44b6dfaad5d1f8f                                           2.3s
 => => extracting sha256:c3507f6b13e970e15b0a7f80894ebaf5585dcc16d37c13332bcd4ace74cf9de1                                           0.0s
 => => extracting sha256:4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1                                           0.0s
 => => extracting sha256:444f25e108e264b00dae5fb350a4fbac78784586273ef37f290bdd3c8889599f                                           3.8s
 => => extracting sha256:e1debe2bad764c01de94cf2890688af6b6128e923bca730b5814a2696dd457f5                                           0.0s
 => [runtime 2/4] WORKDIR /app                                                                                                      1.3s
 => [builder 2/6] WORKDIR /app                                                                                                      1.8s
 => [builder 3/6] RUN cpan App::cpanminus &&     apt-get update && apt-get install -y --no-install-recommends     build-essential  11.8s
 => [builder 4/6] COPY cpanfile .                                                                                                   0.0s
 => [builder 5/6] RUN cpanm --installdeps --notest .                                                                                6.3s
 => [builder 6/6] COPY . .                                                                                                          0.0s
 => [runtime 3/4] COPY --from=builder /usr/local/lib/perl5 /usr/local/lib/perl5                                                     0.7s
 => [runtime 4/4] COPY --from=builder /app .                                                                                        0.0s
 => exporting to image                                                                                                              0.6s
 => => exporting layers                                                                                                             0.5s
 => => writing image sha256:91c275518148c8e09222cd3c9c1f3db6719bd4105156aabd3cd11035e538f29c                                        0.0s
 => => naming to docker.io/library/todo-app                                                                                         0.0s

Running it shows this is just a command line app

builder@DESKTOP-QADGF36:~/Workspaces/newApp$ docker run -it --rm -v $(pwd)/data:/app/data todo-app -l
No todos found.
builder@DESKTOP-QADGF36:~/Workspaces/newApp$ docker run -it --rm -v $(pwd)/data:/app/data todo-app
No todos found.

I suppose I never demanded it be web-based. I can just add a task and see it listed

builder@DESKTOP-QADGF36:~/Workspaces/newApp$ perl bin/app.pl --add "Complete the coding challenge"
Added todo: Complete the coding challenge (ID: 1)
builder@DESKTOP-QADGF36:~/Workspaces/newApp$ docker run -it --rm -v $(pwd)/data:/app/data todo-app
ID  | Status     | Description
----------------------------------------
1   | [ ]        | Complete the coding challenge

Testing Python app skill

Let’s now test the Kubernetes service Python app skill

$ ln -s /home/builder/Workspaces/agentskills/python-app-setup /home/builder/.agents/skills/python-app-setup

I’m going to set a higher autocomplete and set steering and followup to all

I’m going to pick the skill to sort of prime the pump on it

My hope is that with Python, it might move faster than with Perl (which is arguably older and less common).

But time and time again, it failed to actually dot he work it planned

However, when I moved to my Linux laptop and ran the same prompt:

Create a new project based on the guidelines from the skill my-python-app-skill. It should be a Todo app that is exposed via kubernetes and has a web interface. do not confirm each step, just proceed

It went way faster and had no issues writing files

I decided to test again using Gemma via Continue.dev.

This time I would use the larger video card in the gaming laptop (which is on 192.168.1.220), but with my local windows VS Code

{
  "models": [
    {
      "title": "gemma4:e4b",
      "provider": "ollama",
      "model": "gemma4:e4b"
    },
    {
      "model": "gemma4:e4b",
      "title": "gemma4:e4b (Legion)",
      "completionOptions": {},
      "apiBase": "http://192.168.1.220:11434",
      "provider": "ollama"
    },
    {
      "model": "gemma4:26b",
      "title": "gemma4:26b (Legion)",
      "completionOptions": {},
      "apiBase": "http://192.168.1.220:11434",
      "provider": "ollama"
    },
    ...

I could get it to list files, but not read them when trying to create an Ansible index:

using the @files just sends it to lunch and it never returns.

I pivoted to Pi in WSL, but using the more powerful laptop (updating the ~/.pi/agent/models.json)

I used . to try and tell Gemma4 to ‘move it along’

But it didn’t update the index

I tried several rounds with qwen3.5 as well, being very explicit in my ask - it too failed

I even tried Ollama code

Is my ask too hard? I needed to sanity check it against Gemini CLI

This just used the flash model and knocked it out.

Research

Let’s put a pin in GenAI coding for now. How about just general research?

It made a table, but it’s not readable - likely an Ollama Code issue more than a model issue

It immediately forgot it’s last request, so i just rephrased without asking for a table and got a good start for an article

I’m not a finance guy, so I wouldn’t really write a piece like that, but I might ask for some examples to punch up a topic I am writing about:

This could be a windows issue, but for the life of me I couldn’t get Ollama code to stop truncating the tables. I did, however, figure out a workaround - just use a ridiculous large terminal window

Summary

The first part of this article covered a user request to review Anthropics Claude Code versus using the same models in Pi.

The behavior of Claude code was to kick out up to 6 agents to do things, then come back and another 6 agents to evaluate and judge the work. The output in the end was fine, but it also wasn’t particularly fast. I found the time I spent building out the helm chart skill with Claude Code was about the same as it was building perl app skill. The quality might be better with helm but at what price?

I spent about US$0.35 making the Perl skill and about US$2.30 with Claude Code making the helm chart one. Both used the Anthropic “skill builder” skill. Assuming the quality is similar, I might use Pi from here on out. However, as a “free tier” user that pays per token, the money factor might really be my underlying driver.

Next we looked at Gemma4, which Google dropped just last week. It’s quite thorough and gave good answers. I tested it in VS Code with Continue.dev, Opencode, Ollama-code and Pi. I used Windows and Linux. Overall, I had better success with Pi and Opencode in Linux than anything else.

However, for coding work, Gemma4 is so damn timid. It just wants to check constantly back with the user. When you are using lightweight coding agents without much memory, this becomes a real issue as it just keeps forgetting what it was just asking you about and starts back over. I had really limited success with all my approaches. I just wanted to tell Gemma4 “just do the damn thing and don’t ask me!” but regardless of how I would phrase things, it would quickly forget and fail to write files.

To sanity check, I would pivot over to a Github free version of Copilot, or using Gemini CLI with Gemini 3 Flash/Flash lite and each time they would complete the work.

I will own that this could be a user error, some kind of “me problem” that needs more investigation.

When I pivoted to using Gemma4 for ideaation it did fantastic. While I’m not planning to write blog posts on refinancing, using it to come up with ideas for MCP vs Skills is something I might do. The use case here for such things becomes apparent when you are in the life phase with kids in sports.

Often I’ll be killing time in the backfield of Softball practice or in a swimming pool area built like a Faraday cage and just unable to get signal. Having an LLM option to help come up with ideas is really useful.

My common case is I’ll be writing a blog, or updating a deck for a presentation and find one area is kind of light on examples. I’ll ask the LLM something like “provide 5 common ways to migrate a vSphere hosted windows VM to GCP Compute Engine” and then of the 5 returned, 3 might sound plausible to me and get me going again. It can help provide that spark when my mental matches are wet.

AI Video in 2026

2026-04-07T10:00:01+00:00

A user recently requested by way of the form at the top that I look into Kubrix AI. I wasn’t sure if it the person was involved with the project or genuine interest. Either way, I warned them I would do an honest take.

While I’m at it, I’ll try a bunch of the prior AI video generation sites I’ve used (Kling, Pollo) as well as my tried and true Gemini and Midjourney. I’ll also see what I can find that is new (and most important “free”) while I’m at it.

Kubrix

First, the splash screen makes me want to vomit.

I gave it a prompt and then picked a size and duration

I used Analog File for a style

lighting style

A frame

Then a model

and an optional start image

Lastly, a Generate page that says this 4-second video will be “1800 credits”

It showed it would use the prompt:

A cinematic 4-second opening sequence for a modern ALF reboot. The shot begins with a rapid, smooth dolly-in across a sleek, contemporary suburban living room bathed in the amber glow of a California sunset and accented by cool teal and magenta smart-lighting. ALF, the iconic alien from Melmac, is perched on a minimalist charcoal velvet sofa, looking more realistic than ever with high-fidelity, hand-groomed brown fur textures and expressive, glossy eyes that reflect the room’s ambient light. As the camera zooms in, ALF nonchalantly tosses a high-tech tablet aside, turns toward the lens, and breaks the fourth wall with a signature mischievous smirk and a quick, knowing wink. The atmosphere is vibrant and polished, featuring professional 8K resolution, shallow depth of field that blurs the modern kitchen in the background, and crisp, cinematic color grading. In the final second, a sleek, chrome-textured “ALF” logo with a subtle digital glitch effect emerges in the foreground, pulsing with retro-wave energy.

I signed in next and see as a new user I get 100 credits and the new price is now only 1000 credits

This leads me to “how to get credits”.

I can either subscribe to a monthly fee, the lowest of which is US$30

or a one-time top up for $40

I was willing to deal with at most US$10 to try a thing so unfortunately we will have to pass.

Midjourney

I was curious what Midjourney would do with that prompt. Even though I mostly use Gemini now when I need a bit of AI graphics, I still pay for MJ as it was the first that really offered solid AI Generated art.

As you can see, it’s generally best to get some images then run a video from the best of them (if there is a best of them)

I tried the same prompt, but this time fed it an ALF still to start

The text is a mess, but I was surprised how it accurately figured out how Shumway talked just from a still

and a regen

Gemini (VEO2) video

Let’s put the same thing in Gemini to see what it comes up with

Here is the video (with some strange sound effects)

I gave it an image to refine the video

which did better visually

One last refinement. I asked “Can you give him a deeper New York snarky comedic voice”?

I tried again the next day…

When I asked it to tweak the voice for a NJ accent, it re-imagined the look again

This highlights one small limit. Using Google AI Pro (which I got a year of with my last Google Pixel Fold phone), I get 3 videos a day. So to do more, I either pay out of pocket in AI Studio in GCP or I just wait till tomorrow.

Kling

Next I gave Kling a try

But even though I have sufficient credits, it would seem they paused the free tier

I came back a couple days in a row just to check, but it was still blocking free tier.

Self (ComfyUI)

As we’ve shown, using something like ComfyUI on a computer with a GPU, one can just create these kind of things locally.

I fired up ComfyUI.

I’m going to use a Wan Vace 14b template I have bookmarked.

It might looking daunting, but really I just need to give a seed image and a prompt (see the arrows)

I’ve translated those Chinese statements in the negative block before and they are pretty canned “no watermark, no junk, etc…”.

I then tried with LTX2 (needed a 40Gb model downloaded)

a little weird but could be a start

I tried LTX 2.3 which can take a video input with the same prompt and ALF still

Though it gave me the oddest output

A second pass with just asking for a “The TV intro for an ALF sitcom reboot.” (but also with the still)

One last go, I set the prompt to “The TV intro for an ALF sitcom reboot. Should include this character”

Seevideo.ai

I found an AI Video site, seevideo.ai that would give me just enough first-time credits (100) to try Seedance 1.5. It isn’t the latest 2.0, but it was worth a try

Dreamina capcut

Another one that gave me just enough for Seedance 1.5 Pro was Dreamina

Pollo AI

Pollo.ai has it’s own model as well as others. I’ve used them in the past for some nice intro videos.

It was interesting how it showed the still but then just did it’s own thing

Seedance2ai

One that wouldn’t let me use Seedance2 (for pro customers), but did let me try the now defunct Sora2 was Seedance2ai

But I have a feeling it will never complete

In the end my generated workspace disappeared (but didn’t charge the credits)

Summary

We tried many many AI video generators today. It is not that surprising that we can find an endless assortment of new AI startups that will give just enough credits to try a video or two so I question those video generation sites that give new users nothing. There is no real motivation.

This post started with a user request to review Kubrix AI. Since they offer me nothing and have this awful background video, I can say confidently I won’t be returning. Of the new ones, the closest I got to paying was Seedance2ai.io as if I dropped the coin for an annual plan, I could have used Seedance2. That said, soro2.ai would let me if I dropped a one-time $50 top up.

I could have used PowerDirector as I have 100 credits in there as an annual subscriber. but they didn’t offer any unique models I wanted to try

If I was tasked on making a TV intro with just the tools at hand, I would likely splice some MJ clips together and use Suno to make a Jingle…

then create with a style

Something like

OS Apps: Dynacat and Seafile

2026-04-02T01:01:01+00:00

A while back I saw this Marius post about Dynacat, an interesting fork of Glances that looks to be more self-contained.

Also from a Marius post I noted Seafile. Seafile looks to be a much more complete file sharing and wiki suite which can run in Docker. We’ll give that a shot as well.

Dynacat install

We’ll find the install steps on the Github page

mkdir dynacat && cd dynacat && \
curl -sL https://github.com/glanceapp/docker-compose-template/archive/refs/heads/main.tar.gz | tar -xzf - --strip-components 2 && \
sed -i \
  -e 's/^  glance:/  dynacat:/' \
  -e 's/^    container_name: glance/    container_name: dynacat/' \
  -e 's/^    image: glanceapp\/glance/    image: panonim\/dynacat/' \
  docker-compose.yml && \
mv config/glance.yml config/dynacat.yml

Let’s execute that

builder@DESKTOP-QADGF36:~/Workspaces/dynacat$ mkdir dynacat && cd dynacat && \
curl -sL https://github.com/glanceapp/docker-compose-template/archive/refs/heads/main.tar.gz | tar -xzf - --strip-components 2 && \
sed -i \
  -e 's/^  glance:/  dynacat:/' \
  -e 's/^    container_name: glance/    container_name: dynacat/' \
  -e 's/^    image: glanceapp\/glance/    image: panonim\/dynacat/' \
  docker-compose.yml && \
mv config/glance.yml config/dynacat.yml
builder@DESKTOP-QADGF36:~/Workspaces/dynacat/dynacat$ cat config/dynacat.yml
server:
  assets-path: /app/assets

theme:
  # Note: assets are cached by the browser, changes to the CSS file
  # will not be reflected until the browser cache is cleared (Ctrl+F5)
  custom-css-file: /assets/user.css

pages:
  # It's not necessary to create a new file for each page and include it, you can simply
  # put its contents here, though multiple pages are easier to manage when separated
  - $include: home.yml
builder@DESKTOP-QADGF36:~/Workspaces/dynacat/dynacat$ cat docker-compose.yml
services:
  dynacat:
    container_name: dynacat
    image: panonim/dynacat
    restart: unless-stopped
    volumes:
      - ./config:/app/config
      - ./assets:/app/assets
      - /etc/localtime:/etc/localtime:ro
      # Optionally, also mount docker socket if you want to use the docker containers widget
      # - /var/run/docker.sock:/var/run/docker.sock:ro
    ports:
      - 8080:8080
    env_file: .env

Now we can launch Dynacat with Docker compose up

builder@DESKTOP-QADGF36:~/Workspaces/dynacat/dynacat$ docker compose up
[+] Running 5/5
 ✔ dynacat Pulled                                                                                                       3.4s
   ✔ bc1da058f299 Pull complete                                                                                         1.2s
   ✔ 5ab4e787c3f9 Pull complete                                                                                         1.2s
   ✔ e7c021652cab Pull complete                                                                                         2.0s
   ✔ 7df5d8721fac Pull complete                                                                                         2.1s
[+] Running 2/2
 ✔ Network dynacat_default  Created                                                                                     0.1s
 ✔ Container dynacat        Created                                                                                     0.2s
Attaching to dynacat
dynacat  | 2026/03/28 16:33:15 Starting server on :8080 (base-url: "", assets-path: "/app/assets")

We can see it fired up on 8080

Let’s take a look at the config

$ cat config/home.yml
- name: Home
  # Optionally, if you only have a single page you can hide the desktop navigation for a cleaner look
  # hide-desktop-navigation: true
  columns:
    - size: small
      widgets:
        - type: calendar
          first-day-of-week: sunday

        - type: rss
          limit: 10
          collapse-after: 3
          cache: 12h
          feeds:
            - url: https://selfh.st/rss/
              title: selfh.st
            - url: https://ciechanow.ski/atom.xml
            - url: https://www.joshwcomeau.com/rss.xml
              title: Josh Comeau
            - url: https://freshbrewed.science/feed.xml
              title: Fresh Brewed
            - url: https://ishadeed.com/feed.xml
              title: Ahmad Shadeed

        - type: twitch-channels
          channels:
            - theprimeagen
            - j_blow
            - giantwaffle
            - cohhcarnage
            - christitustech
            - EJ_SA

    - size: full
      widgets:
        - type: group
          widgets:
            - type: hacker-news
            - type: lobsters

        - type: videos
          channels:
            - UCXuqSBlHAE6Xw-yeJA0Tunw # Linus Tech Tips
            - UCR-DXc1voovS8nhAvccRZhg # Jeff Geerling
            - UCsBjURrPoezykLs9EqgamOA # Fireship
            - UCBJycsmduvYEL83R_U4JriQ # Marques Brownlee
            - UCi8C7TNs2ohrc6hnRQ5Sn2w # Kai Lentit

        - type: group
          widgets:
            - type: reddit
              subreddit: technology
              show-thumbnails: true
            - type: reddit
              subreddit: selfhosted
              show-thumbnails: true

    - size: small
      widgets:
        - type: weather
          location: Woodbury, Minnesota
          units: imperial # alternatively "metric"
          hour-format: 12h # alternatively "24h"
          # Optionally hide the location from being displayed in the widget
          # hide-location: true

        - type: markets
          markets:
            - symbol: SPY
              name: S&P 500
            - symbol: BTC-USD
              name: Bitcoin
            - symbol: NVDA
              name: NVIDIA
            - symbol: AAPL
              name: Apple
            - symbol: MSFT
              name: Microsoft

        - type: releases
          cache: 1d
          # Without authentication the Github API allows for up to 60 requests per hour. You can create a
          # read-only token from your Github account settings and use it here to increase the limit.
          # token: ...
          repositories:
            - glanceapp/glance
            - go-gitea/gitea
            - immich-app/immich
            - syncthing/syncthing

I had to tweak the config a bit to get weather to work, but my final working one was

$ cat config/home.yml
- name: Home
  # Optionally, if you only have a single page you can hide the desktop navigation for a cleaner look
  # hide-desktop-navigation: true
  columns:
    - size: small
      widgets:
        - type: calendar
          first-day-of-week: sunday

        - type: rss
          limit: 10
          collapse-after: 3
          cache: 12h
          feeds:
            - url: https://selfh.st/rss/
              title: selfh.st
            - url: https://ciechanow.ski/atom.xml
            - url: https://www.joshwcomeau.com/rss.xml
              title: Josh Comeau
            - url: https://freshbrewed.science/feed.xml
            - url: https://ishadeed.com/feed.xml
              title: Ahmad Shadeed

        - type: twitch-channels
          channels:
            - theprimeagen
            - j_blow
            - giantwaffle
            - cohhcarnage
            - christitustech
            - EJ_SA

    - size: full
      widgets:
        - type: group
          widgets:
            - type: hacker-news
            - type: lobsters

        - type: videos
          channels:
            - UCXuqSBlHAE6Xw-yeJA0Tunw # Linus Tech Tips
            - UCR-DXc1voovS8nhAvccRZhg # Jeff Geerling
            - UCsBjURrPoezykLs9EqgamOA # Fireship
            - UCBJycsmduvYEL83R_U4JriQ # Marques Brownlee
            - UCi8C7TNs2ohrc6hnRQ5Sn2w # Kai Lentit

        - type: group
          widgets:
            - type: reddit
              subreddit: technology
              show-thumbnails: true
            - type: reddit
              subreddit: selfhosted
              show-thumbnails: true

    - size: small
      widgets:
        - type: weather
          location: Woodbury, Minnesota, USA
          units: imperial # alternatively "metric"
          hour-format: 12h # alternatively "24h"
          # Optionally hide the location from being displayed in the widget
          # hide-location: true

        - type: markets
          markets:
            - symbol: SPY
              name: S&P 500
            - symbol: BSX
              name: Boston Scientific
            - symbol: MDT
              name: Medtronic
            - symbol: ABT
              name: Abbott
            - symbol: MSFT
              name: Microsoft

        - type: releases
          cache: 1d
          # Without authentication the Github API allows for up to 60 requests per hour. You can create a
          # read-only token from your Github account settings and use it here to increase the limit.
          # token: ...
          repositories:
            - glanceapp/glance
            - go-gitea/gitea
            - immich-app/immich
            - syncthing/syncthing

Which I launched

$ docker compose up
Attaching to dynacat
dynacat  | 2026/03/28 16:45:45 Starting server on :8080 (base-url: "", assets-path: "/app/assets")

And we can see the weather and stocks look correct

I’m finding it okay, but not sure what is the big difference with glance which I’ve had running at https://glance.tpk.pw/ for quite some time, at least since I wrote about it back in May 2025.

There are plenty of available widgets for Dynacat.

One that caught my eye was monitor

I added a block for some of my hosted services. I found icons for all but Gancio

        - type: monitor
          cache: 1m
          title: Services
          sites:
            - title: Forgejo
              url: https://forgejo.freshbrewed.science
              icon: sh:forgejo
            - title: Gitea
              url: https://gitea.freshbrewed.science
              icon: sh:gitea
            - title: Immich
              url: https://photos.freshbrewed.science
              icon: sh:immich
            - title: Harbor
              url: https://harbor.freshbrewed.science
              icon: sh:harbor
            - title: Gancio
              url: https://gancio.tpk.pw
              icon: mdi:calendar-month

I would say that looks pretty clean

Now, if I wanted to host this in k8s, I could convert the docker compose to a kubernetes manifest with PVCs.

---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: dynacat-config-pvc
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: dynacat-assets-pvc
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 5Gi
---
apiVersion: v1
kind: Secret
metadata:
  name: dynacat-secret
type: Opaque
stringData:
  MY_SECRET_TOKEN: "12345"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: dynacat
  labels:
    app: dynacat
spec:
  replicas: 1
  selector:
    matchLabels:
      app: dynacat
  template:
    metadata:
      labels:
        app: dynacat
    spec:
      containers:
      - name: dynacat
        image: panonim/dynacat
        imagePullPolicy: IfNotPresent
        ports:
        - name: http
          containerPort: 8080
          protocol: TCP
        env:
        - name: MY_SECRET_TOKEN
          valueFrom:
            secretKeyRef:
              name: dynacat-secret
              key: MY_SECRET_TOKEN
        volumeMounts:
        - name: config
          mountPath: /app/config
        - name: assets
          mountPath: /app/assets
        resources:
          requests:
            memory: "128Mi"
            cpu: "100m"
          limits:
            memory: "256Mi"
            cpu: "500m"
      volumes:
      - name: config
        persistentVolumeClaim:
          claimName: dynacat-config-pvc
      - name: assets
        persistentVolumeClaim:
          claimName: dynacat-assets-pvc
      restartPolicy: Always
---
apiVersion: v1
kind: Service
metadata:
  name: dynacat-service
  labels:
    app: dynacat
spec:
  type: ClusterIP
  ports:
  - name: http
    port: 80
    targetPort: 8080
    protocol: TCP
  selector:
    app: dynacat
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: dynacat-ingress
  labels:
    app: dynacat
spec:
  ingressClassName: nginx
  rules:
  - host: dynacat.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: dynacat-service
            port:
              number: 80

I’ll give it a try by setting an A record

$ az account set --subscription "Pay-As-You-Go" && az network dns record-set a add-record -g idjdnsrg -z tpk.pw -a 76.156.69.232 -n dynacat
{
  "ARecords": [
    {
      "ipv4Address": "76.156.69.232"
    }
  ],
  "TTL": 3600,
  "etag": "c4823121-b5ed-48f0-9a8d-7fae02e910c3",
  "fqdn": "dynacat.tpk.pw.",
  "id": "/subscriptions/d955c0ba-13dc-44cf-a29a-8fed74cbb22d/resourceGroups/idjdnsrg/providers/Microsoft.Network/dnszones/tpk.pw/A/dynacat",
  "name": "dynacat",
  "provisioningState": "Succeeded",
  "resourceGroup": "idjdnsrg",
  "targetResource": {},
  "trafficManagementProfile": {},
  "type": "Microsoft.Network/dnszones/A"

I’ll tweak up the Ingress to use TLS and my A name

---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: dynacat-ingress
  annotations:
    cert-manager.io/cluster-issuer: azuredns-tpkpw
    ingress.kubernetes.io/ssl-redirect: "true"
    kubernetes.io/tls-acme: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.org/client-max-body-size: "0"
    nginx.org/proxy-connect-timeout: "3600"
    nginx.org/proxy-read-timeout: "3600"
    nginx.org/websocket-services: dynacat-service
  labels:
    app: dynacat
spec:
  ingressClassName: nginx
  rules:
  - host: dynacat.tpk.pw
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: dynacat-service
            port:
              number: 80
  tls:
  - hosts:
    - dynacat.tpk.pw
    secretName: dynacat-tls

Then apply

$ kubectl apply -f ./kubernetes-manifest.yaml
persistentvolumeclaim/dynacat-config-pvc created
persistentvolumeclaim/dynacat-assets-pvc created
secret/dynacat-secret created
deployment.apps/dynacat created
service/dynacat-service created
ingress.networking.k8s.io/dynacat-ingress created

Ahh - a bit of an issue - the pod needs the config to boot up, but I cant just kubectl cp to a crashing pod

builder@DESKTOP-QADGF36:~/Workspaces/dynacat/dynacat$ kubectl get po | grep dyna
dynacat-7f94f84bb9-gnh77                             0/1     CrashLoopBackOff   1 (10s ago)        19s
builder@DESKTOP-QADGF36:~/Workspaces/dynacat/dynacat$ kubectl logs dynacat-7f94f84bb9-gnh77
parsing config: reading /app/config/dynacat.yml: open /app/config/dynacat.yml: no such file or directory

I wasn’t sure the right approach - a utility pod to load, an init file, new Configmaps to mount so I sought some input from Claude and it suggested using some init pods to load at the start:

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: dynacat-config-files
data:
  dynacat.yml: |
    server:
      assets-path: /app/assets

    theme:
      # Note: assets are cached by the browser, changes to the CSS file
      # will not be reflected until the browser cache is cleared (Ctrl+F5)
      custom-css-file: /assets/user.css

    pages:
      # It's not necessary to create a new file for each page and include it, you can simply
      # put its contents here, though multiple pages are easier to manage when separated
      - $include: home.yml
  home.yml: |
    - name: Home
      # Optionally, if you only have a single page you can hide the desktop navigation for a cleaner look
      # hide-desktop-navigation: true
      columns:
        - size: small
          widgets:
            - type: calendar
              first-day-of-week: sunday

            - type: rss
              limit: 10
              collapse-after: 3
              cache: 12h
              feeds:
                - url: https://selfh.st/rss/
                  title: selfh.st
                - url: https://ciechanow.ski/atom.xml
                - url: https://www.joshwcomeau.com/rss.xml
                  title: Josh Comeau
                - url: https://freshbrewed.science/feed.xml
                - url: https://ishadeed.com/feed.xml
                  title: Ahmad Shadeed

            - type: twitch-channels
              channels:
                - theprimeagen
                - j_blow
                - giantwaffle
                - cohhcarnage
                - christitustech
                - EJ_SA

        - size: full
          widgets:
            - type: group
              widgets:
                - type: hacker-news
                - type: lobsters

            - type: videos
              channels:
                - UCXuqSBlHAE6Xw-yeJA0Tunw # Linus Tech Tips
                - UCR-DXc1voovS8nhAvccRZhg # Jeff Geerling
                - UCsBjURrPoezykLs9EqgamOA # Fireship
                - UCBJycsmduvYEL83R_U4JriQ # Marques Brownlee
                - UCi8C7TNs2ohrc6hnRQ5Sn2w # Kai Lentit

            - type: group
              widgets:
                - type: reddit
                  subreddit: technology
                  show-thumbnails: true
                - type: reddit
                  subreddit: selfhosted
                  show-thumbnails: true
    
        - size: small
          widgets:
            - type: weather
              location: Woodbury, Minnesota, USA
              units: imperial # alternatively "metric"
              hour-format: 12h # alternatively "24h"
              # Optionally hide the location from being displayed in the widget
              # hide-location: true
    
            - type: monitor
              cache: 1m
              title: Services
              sites:
                - title: Forgejo
                  url: https://forgejo.freshbrewed.science
                  icon: sh:forgejo
                - title: Gitea
                  url: https://gitea.freshbrewed.science
                  icon: sh:gitea
                - title: Immich
                  url: https://photos.freshbrewed.science
                  icon: sh:immich
                - title: Harbor
                  url: https://harbor.freshbrewed.science
                  icon: sh:harbor
                - title: Gancio
                  url: https://gancio.tpk.pw
                  icon: mdi:calendar-month
    
            - type: markets
              markets:
                - symbol: SPY
                  name: S&P 500
                - symbol: BSX
                  name: Boston Scientific
                - symbol: MDT
                  name: Medtronic
                - symbol: ABT
                  name: Abbott
                - symbol: MSFT
                  name: Microsoft
    
            - type: releases
              cache: 1d
              # Without authentication the Github API allows for up to 60 requests per hour. You can create a
              # read-only token from your Github account settings and use it here to increase the limit.
              # token: ...
              repositories:
                - glanceapp/glance
                - go-gitea/gitea
                - immich-app/immich
                - syncthing/syncthing
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: dynacat-config-pvc
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: dynacat-assets-pvc
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 5Gi
---
apiVersion: v1
kind: Secret
metadata:
  name: dynacat-secret
type: Opaque
stringData:
  MY_SECRET_TOKEN: "12345"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: dynacat
  labels:
    app: dynacat
spec:
  replicas: 1
  selector:
    matchLabels:
      app: dynacat
  template:
    metadata:
      labels:
        app: dynacat
    spec:
      initContainers:
      - name: init-config
        image: busybox:1.35
        command: ['sh', '-c']
        args:
          - |
            cp /config-src/dynacat.yml /config-dst/dynacat.yml
            cp /config-src/home.yml /config-dst/home.yml
        volumeMounts:
        - name: config-src
          mountPath: /config-src
        - name: config
          mountPath: /config-dst
      containers:
      - name: dynacat
        image: panonim/dynacat
        imagePullPolicy: IfNotPresent
        ports:
        - name: http
          containerPort: 8080
          protocol: TCP
        env:
        - name: MY_SECRET_TOKEN
          valueFrom:
            secretKeyRef:
              name: dynacat-secret
              key: MY_SECRET_TOKEN
        volumeMounts:
        - name: config
          mountPath: /app/config
        - name: assets
          mountPath: /app/assets
        resources:
          requests:
            memory: "128Mi"
            cpu: "100m"
          limits:
            memory: "256Mi"
            cpu: "500m"
      volumes:
      - name: config-src
        configMap:
          name: dynacat-config-files
      - name: config
        persistentVolumeClaim:
          claimName: dynacat-config-pvc
      - name: assets
        persistentVolumeClaim:
          claimName: dynacat-assets-pvc
      restartPolicy: Always
---
apiVersion: v1
kind: Service
metadata:
  name: dynacat-service
  labels:
    app: dynacat
spec:
  type: ClusterIP
  ports:
  - name: http
    port: 80
    targetPort: 8080
    protocol: TCP
  selector:
    app: dynacat
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: dynacat-ingress
  annotations:
    cert-manager.io/cluster-issuer: azuredns-tpkpw
    ingress.kubernetes.io/ssl-redirect: "true"
    kubernetes.io/tls-acme: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.org/client-max-body-size: "0"
    nginx.org/proxy-connect-timeout: "3600"
    nginx.org/proxy-read-timeout: "3600"
    nginx.org/websocket-services: dynacat-service
  labels:
    app: dynacat
spec:
  ingressClassName: nginx
  rules:
  - host: dynacat.tpk.pw
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: dynacat-service
            port:
              number: 80
  tls:
  - hosts:
    - dynacat.tpk.pw
    secretName: dynacat-tls

I found Nginx gets a bit stuck sometimes on ingress updates, so I’ll delete the Ingress then apply

$ kubectl delete ingress dynacat-ingress
ingress.networking.k8s.io "dynacat-ingress" deleted
$ kubectl apply -f ./kubernetes-manifest.yaml
configmap/dynacat-config-files created
persistentvolumeclaim/dynacat-config-pvc unchanged
persistentvolumeclaim/dynacat-assets-pvc unchanged
secret/dynacat-secret configured
deployment.apps/dynacat configured
service/dynacat-service unchanged
ingress.networking.k8s.io/dynacat-ingress created

This time it worked

dynacat-846f8b69c7-g7mnq                             1/1     Running            0                   26s

The cert was already good

$ kubectl get cert | grep dyna
dynacat-tls                         True    dynacat-tls                         74s

This time the website loaded

Seafile

Another interesting app I bookmarked from a Marius post is Seafile.

What surprised me right way was that the Seafile documentation has many gaps.

It talks in detail about the docker compose envs, but lacks showing a docker compose file. This page based on links used to show a compose YAML.

In this case we are going to use the Docker Compose from the MariusHosting article

services:
  db:
    image: mariadb:11.8-noble #LTS Long Time Support Until October 15, 2033.
    container_name: Seafile-DB
    hostname: seafile-db
    security_opt:
      - no-new-privileges:false
    volumes:
      - /volume1/docker/seafile/db:/var/lib/mysql:rw
    environment:
      MYSQL_ROOT_PASSWORD: rootpass
      MYSQL_DATABASE: seafile_db
      MYSQL_USER: seafileuser
      MYSQL_PASSWORD: seafilepassword
      TZ: America/Chicago
    restart: on-failure:5

  cache:
    image: memcached:1.6
    entrypoint: memcached -m 256
    container_name: Seafile-CACHE
    hostname: memcached
    security_opt:
      - no-new-privileges:true
    read_only: true
    user: 1026:100
    restart: on-failure:5
    
  redis:
    image: redis
    container_name: Seafile-REDIS
    command:
      - /bin/sh
      - -c
      - redis-server --requirepass redispass
    hostname: redis
    security_opt:
      - no-new-privileges:true
    read_only: false
    user: 1026:100
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping || exit 1"]
    volumes:
      - /volume1/docker/seafile/redis:/data:rw
    environment:
      TZ: America/Chicago
    restart: on-failure:5
    
  seafile:
    image: seafileltd/seafile-mc:13.0-latest
    container_name: Seafile
    user: 0:0
    hostname: seafile
    security_opt:
      - no-new-privileges:false
    healthcheck:
      test: wget --no-verbose --tries=1 --spider http://localhost
    volumes:
      - /volume1/docker/seafile/data:/shared:rw
    ports:
      - 8611:80
    environment:
       INIT_SEAFILE_MYSQL_ROOT_PASSWORD: rootpass
       SEAFILE_MYSQL_DB_HOST: seafile-db
       SEAFILE_MYSQL_DB_USER: seafileuser
       SEAFILE_MYSQL_DB_PORT: 3306
       SEAFILE_MYSQL_DB_PASSWORD: seafilepassword
       SEAFILE_MYSQL_DB_SEAFILE_DB_NAME: seafile_db
       SEAFILE_MYSQL_DB_CCNET_DB_NAME: ccnet_db
       SEAFILE_MYSQL_DB_SEAHUB_DB_NAME: seahub_db
       CACHE_PROVIDER: redis
       REDIS_HOST: redis
       REDIS_PORT: 6379
       REDIS_PASSWORD: redispass
       TIME_ZONE: America/Chicago
       SEAFILE_VOLUME: /opt/seafile-data
       SEAFILE_MYSQL_VOLUME: /opt/seafile-mysql/db
       INIT_SEAFILE_ADMIN_EMAIL: isaac.johnson@gmail.com
       INIT_SEAFILE_ADMIN_PASSWORD: notmypassword
       JWT_PRIVATE_KEY: dOxZYTTZgXKMHkqLBIQVImayQXAVWdzGBPuFJKggzcgvgPJPXpWzqzKaUOIOGGIr
       SEADOC_VOLUME: /opt/seadoc-data
       SEADOC_IMAGE: seafileltd/sdoc-server:2.0-latest
       ENABLE_SEADOC: false #or true
       SEADOC_SERVER_URL: https://seafile.tpk.pw/sdoc-server
       SEAFILE_SERVER_HOSTNAME: seafile.tpk.pw
       SEAFILE_SERVER_PROTOCOL: https
       FORCE_HTTPS_IN_CONF: true
       SEAFILE_SERVER_LETSENCRYPT: false
    depends_on:
      db:
        condition: service_started
      cache:
        condition: service_started
      redis:
        condition: service_started
    restart: on-failure:5

I’ll want to forward traffic here, so right off the bat, I’ll create an A Record in Azure DNS

$ az account set --subscription "Pay-As-You-Go" && az network dns record-set a add-record -g idjdnsrg -z tpk.pw -a 76.156.69.232 -n seafile
{
  "ARecords": [
    {
      "ipv4Address": "76.156.69.232"
    }
  ],
  "TTL": 3600,
  "etag": "2e615ee2-6bd7-4e42-8bec-e288fada805c",
  "fqdn": "seafile.tpk.pw.",
  "id": "/subscriptions/d955c0ba-13dc-44cf-a29a-8fed74cbb22d/resourceGroups/idjdnsrg/providers/Microsoft.Network/dnszones/tpk.pw/A/seafile",
  "name": "seafile",
  "provisioningState": "Succeeded",
  "resourceGroup": "idjdnsrg",
  "targetResource": {},
  "trafficManagementProfile": {},
  "type": "Microsoft.Network/dnszones/A"
}

I can now fire up Docker compose on the docker host (192.168.1.143 in this case)

builder@bosgamerz9:~/Workspaces/Seafile$ docker compose up -d
[+] Running 38/38
 ✔ cache Pulled                                                                                                                                   10.9s
   ✔ ec781dee3f47 Pull complete                                                                                                                    9.7s
   ✔ 51dec6de03b1 Pull complete                                                                                                                    9.7s
   ✔ e6a929ea558d Pull complete                                                                                                                    9.7s
   ✔ b8f4f23b254e Pull complete                                                                                                                    9.8s
   ✔ 6ae38152dcb8 Pull complete                                                                                                                    9.8s
   ✔ e839fccf1879 Pull complete                                                                                                                    9.8s
 ✔ db Pulled                                                                                                                                       3.9s
   ✔ 817807f3c64e Pull complete                                                                                                                    1.7s
   ✔ 5843c951070e Pull complete                                                                                                                    1.7s
   ✔ 61a0e6ba478b Pull complete                                                                                                                    1.8s
   ✔ c688148c30c1 Pull complete                                                                                                                    1.8s
   ✔ 86447b1c7e20 Pull complete                                                                                                                    1.8s
   ✔ 943dc8eb543e Pull complete                                                                                                                    2.9s
   ✔ af136b8199a6 Pull complete                                                                                                                    2.9s
   ✔ 7761d3ebebab Pull complete                                                                                                                    2.9s
 ✔ seafile Pulled                                                                                                                                 14.7s
   ✔ 505b3596871d Pull complete                                                                                                                    5.8s
   ✔ c083fef1fc73 Pull complete                                                                                                                    5.9s
   ✔ be8b84cba34b Pull complete                                                                                                                    6.8s
   ✔ 8bedc8e9293a Pull complete                                                                                                                    6.9s
   ✔ 622aaad4b3db Pull complete                                                                                                                    7.1s
   ✔ b873e65fb3d4 Pull complete                                                                                                                    7.8s
   ✔ 1d2e2524dcdd Pull complete                                                                                                                    8.4s
   ✔ 601ae82f9133 Pull complete                                                                                                                    9.7s
   ✔ 35a091cd3e29 Pull complete                                                                                                                   11.5s
   ✔ fadc521a35fb Pull complete                                                                                                                   11.5s
   ✔ 55d2f36eefb8 Pull complete                                                                                                                   11.5s
   ✔ b9383a1b21d0 Pull complete                                                                                                                   11.5s
   ✔ c18edc61dfc9 Pull complete                                                                                                                   11.5s
   ✔ 8ee4a48da408 Pull complete                                                                                                                   13.6s
 ✔ redis Pulled                                                                                                                                   11.5s
   ✔ 5f7274725e4f Pull complete                                                                                                                    9.7s
   ✔ f4f2f7018ed9 Pull complete                                                                                                                    9.7s
   ✔ 3f63903b0cb8 Pull complete                                                                                                                   10.4s
   ✔ c9ff57cee690 Pull complete                                                                                                                   10.4s
   ✔ 4f4fb700ef54 Pull complete                                                                                                                   10.4s
   ✔ 3e6b2202a764 Pull complete                                                                                                                   10.5s
[+] Running 5/5
 ✔ Network seafile_default  Created                                                                                                                0.0s
 ✔ Container Seafile-REDIS  Started                                                                                                                0.6s
 ✔ Container Seafile-DB     Started                                                                                                                0.5s
 ✔ Container Seafile-CACHE  Started                                                                                                                0.6s
 ✔ Container Seafile        Started                                                                                                                0.3s

Then fire up a kubernetes ingress pointer manifest that should include an Endpoint, Service, and Ingress object for the A record

builder@DESKTOP-QADGF36:~$ cat seafile.ingress.yaml
apiVersion: v1
kind: Endpoints
metadata:
  name: seafile-external-ip
subsets:
- addresses:
  - ip: 192.168.1.143
  ports:
  - name: seafileint
    port: 8611
    protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
  name: seafile-external-ip
spec:
  clusterIP: None
  clusterIPs:
  - None
  internalTrafficPolicy: Cluster
  ipFamilies:
  - IPv4
  - IPv6
  ipFamilyPolicy: RequireDualStack
  ports:
  - name: seafile
    port: 80
    protocol: TCP
    targetPort: 8611
  sessionAffinity: None
  type: ClusterIP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: azuredns-tpkpw
    ingress.kubernetes.io/ssl-redirect: "true"
    kubernetes.io/tls-acme: "true"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
    nginx.org/websocket-services: seafile-external-ip
  generation: 1
  name: seafileingress
spec:
  ingressClassName: nginx
  rules:
  - host: seafile.tpk.pw
    http:
      paths:
      - backend:
          service:
            name: seafile-external-ip
            port:
              number: 80
        path: /
        pathType: ImplementationSpecific
  tls:
  - hosts:
    - seafile.tpk.pw
    secretName: seafile-tls
builder@DESKTOP-QADGF36:~$ kubectl apply -f ./seafile.ingress.yaml
endpoints/seafile-external-ip created
service/seafile-external-ip created
ingress.networking.k8s.io/seafileingress created

When I see the cert is satisfied

builder@DESKTOP-QADGF36:~$ kubectl get cert seafile-tls
NAME          READY   SECRET        AGE
seafile-tls   False   seafile-tls   27s
builder@DESKTOP-QADGF36:~$ kubectl get cert seafile-tls
NAME          READY   SECRET        AGE
seafile-tls   False   seafile-tls   59s
builder@DESKTOP-QADGF36:~$ kubectl get cert seafile-tls
NAME          READY   SECRET        AGE
seafile-tls   True    seafile-tls   83s

I can access the portal page

I logged in with the admin account to see the welcome splash

From here, we can see we already have a “My Library” created

It’s a little strange in that I can “create” a blank PPTX file

Then download it

which, indeed, made an empty PPTX

For a test, I filled in a couple slides

Uploading it back noted it would be replaced

That said, a quick upload showed the new file was there

That said, there is a history section and it looks like I can restore old copies

I tried loading a larger file (3.6Mb) and it stalled out

A refresh showed it crashed

It wasn’t coming back, yet the logs showed no errors

CONTAINER ID   IMAGE                                          COMMAND                  CREATED          STATUS                        PORTS                                                                                                     NAMES
f3e3f2b0e9c9   seafileltd/seafile-mc:13.0-latest              "/sbin/my_init -- /s…"   22 minutes ago   Up 22 minutes (unhealthy)     0.0.0.0:8611->80/tcp, [::]:8611->80/tcp                                                                   Seafile
5eb404efd7f1   memcached:1.6                                  "memcached -m 256"       22 minutes ago   Up 22 minutes                 11211/tcp                                                                                                 Seafile-CACHE
e9182e277087   mariadb:11.8-noble                             "docker-entrypoint.s…"   22 minutes ago   Up 22 minutes                 3306/tcp                                                                                                  Seafile-DB
c60aa6ab51bc   redis                                          "docker-entrypoint.s…"   22 minutes ago   Up 22 minutes (healthy)       6379/tcp                                                                                                  Seafile-REDIS

with the main container logs

builder@bosgamerz9:~/Workspaces/Seafile$ docker logs Seafile
*** Running /etc/my_init.d/01_create_data_links.sh...
*** Booting runit daemon...
*** Runit started as PID 11
*** Running /scripts/enterpoint.sh...
2026-03-30 05:56:28 Waiting Nginx
nginx: [warn] conflicting server name "" on 0.0.0.0:80, ignored
2026-03-30 05:56:28 Nginx ready
2026-03-30 05:56:28 This is an idle script (infinite loop) to keep container running.
nginx: [warn] conflicting server name "" on 0.0.0.0:80, ignored
[2026-03-30 05:56:37] Now running setup-seafile-mysql.py in auto mode.
Checking python on this machine ...


verifying password of user root ...  done

verifying password of user seafileuser ...  done

---------------------------------
This is your configuration
---------------------------------

    server name:            seafile
    server ip/domain:       seafile.tpk.pw

    seafile data dir:       /opt/seafile/seafile-data
    fileserver port:        8082

    database:               create new
    ccnet database:         ccnet_db
    seafile database:       seafile_db
    seahub database:        seahub_db
    database user:          seafileuser


Generating seafile configuration ...

done
Generating seahub configuration ...

----------------------------------------
Now creating seafevents database tables ...

----------------------------------------
----------------------------------------
Now creating ccnet database tables ...

----------------------------------------
----------------------------------------
Now creating seafile database tables ...

----------------------------------------
----------------------------------------
Now creating seahub database tables ...

----------------------------------------

creating seafile-server-latest symbolic link ...  done




-----------------------------------------------------------------
Your seafile server configuration has been finished successfully.
-----------------------------------------------------------------

run seafile server:     ./seafile.sh { start | stop | restart }
run seahub  server:     ./seahub.sh  { start  | stop | restart  }

-----------------------------------------------------------------
If you are behind a firewall, remember to allow input/output of these tcp ports:
-----------------------------------------------------------------

port of seafile fileserver:   8082
port of seahub:               8000

When problems occur, Refer to

        https://download.seafile.com/published/seafile-manual/home.md

for information.


[2026-03-30 05:56:39] Updating version stamp

Starting seafile server, please wait ...
Seafile server started

Done.

Starting seahub at port 8000 ...



----------------------------------------
Successfully created seafile admin
----------------------------------------




Seahub is started

Done.

I tried a restart

builder@bosgamerz9:~/Workspaces/Seafile$ docker restart Seafile
Seafile

builder@bosgamerz9:~/Workspaces/Seafile$ docker logs Seafile | tail -n 10
*** Running /etc/my_init.d/01_create_data_links.sh...
*** Booting runit daemon...
*** Runit started as PID 11
*** Running /scripts/enterpoint.sh...
nginx: [warn] conflicting server name "" on 0.0.0.0:80, ignored
[2026-03-30 05:56:37] Now running setup-seafile-mysql.py in auto mode.
[2026-03-30 05:56:39] Updating version stamp
*** Shutting down /scripts/enterpoint.sh (PID 12)...
*** Shutting down runit daemon (PID 11)...
*** Running /etc/my_init.post_shutdown.d/10_syslog-ng.shutdown...
*** Init system aborted.
*** Killing all processes...
*** Running /etc/my_init.d/01_create_data_links.sh...
*** Booting runit daemon...
*** Runit started as PID 15
*** Running /scripts/enterpoint.sh...
nginx: [warn] conflicting server name "" on 0.0.0.0:80, ignored
[2026-03-30 06:19:53] Skip running setup-seafile-mysql.py because there is existing seafile-data folder.
Seafile server started

Done.

Starting seahub at port 8000 ...

Seahub is started

Done.

But still no go

My next try was a full stop and start

builder@bosgamerz9:~/Workspaces/Seafile$ docker compose down
[+] Running 5/5
 ✔ Container Seafile        Removed                                                                                                                1.6s
 ✔ Container Seafile-REDIS  Removed                                                                                                               10.1s
 ✔ Container Seafile-CACHE  Removed                                                                                                                0.5s
 ✔ Container Seafile-DB     Removed                                                                                                                0.5s
 ✔ Network seafile_default  Removed                                                                                                                0.1s
builder@bosgamerz9:~/Workspaces/Seafile$ docker compose up
[+] Running 5/5
 ✔ Network seafile_default  Created                                                                                                                0.0s
 ✔ Container Seafile-DB     Created                                                                                                                0.0s
 ✔ Container Seafile-REDIS  Created                                                                                                                0.0s
 ✔ Container Seafile-CACHE  Created                                                                                                                0.0s
 ✔ Container Seafile        Created                                                                                                                0.0s
Attaching to Seafile, Seafile-CACHE, Seafile-DB, Seafile-REDIS
Seafile-REDIS  | 10:C 30 Mar 2026 06:21:49.430 # WARNING Memory overcommit must be enabled! Without it, a background save or replication may fail under low memory condition. Being disabled, it can also cause failures without low memory condition, see https://github.com/jemalloc/jemalloc/issues/1328. To fix this issue add 'vm.overcommit_memory = 1' to /etc/sysctl.conf and then reboot or run the command 'sysctl vm.overcommit_memory=1' for this to take effect.
Seafile-REDIS  | 10:C 30 Mar 2026 06:21:49.430 * oO0OoO0OoO0Oo Redis is starting oO0OoO0OoO0Oo
Seafile-REDIS  | 10:C 30 Mar 2026 06:21:49.430 * Redis version=8.6.2, bits=64, commit=00000000, modified=1, pid=10, just started
Seafile-REDIS  | 10:C 30 Mar 2026 06:21:49.430 * Configuration loaded
Seafile-REDIS  | 10:M 30 Mar 2026 06:21:49.430 * monotonic clock: POSIX clock_gettime
Seafile-REDIS  | 10:M 30 Mar 2026 06:21:49.431 * Running mode=standalone, port=6379.
Seafile-REDIS  | 10:M 30 Mar 2026 06:21:49.431 * Server initialized
Seafile-REDIS  | 10:M 30 Mar 2026 06:21:49.431 * Ready to accept connections tcp
Seafile-DB     | 2026-03-30 06:21:49-05:00 [Note] [Entrypoint]: Entrypoint script for MariaDB Server 1:11.8.6+maria~ubu2404 started.
Seafile        | *** Running /etc/my_init.d/01_create_data_links.sh...
Seafile        | *** Booting runit daemon...
Seafile        | *** Runit started as PID 15
Seafile        | *** Running /scripts/enterpoint.sh...
Seafile        | 2026-03-30 06:21:49 Waiting Nginx
Seafile        | nginx: [warn] conflicting server name "" on 0.0.0.0:80, ignored
Seafile-DB     | 2026-03-30 06:21:49-05:00 [Warn] [Entrypoint]: /sys/fs/cgroup///memory.pressure not writable, functionality unavailable to MariaDB
Seafile-DB     | 2026-03-30 06:21:49-05:00 [Note] [Entrypoint]: Switching to dedicated user 'mysql'
Seafile-DB     | 2026-03-30 06:21:49-05:00 [Note] [Entrypoint]: Entrypoint script for MariaDB Server 1:11.8.6+maria~ubu2404 started.
Seafile        | 2026-03-30 06:21:49 Nginx ready
Seafile        | 2026-03-30 06:21:49 This is an idle script (infinite loop) to keep container running.
Seafile-DB     | 2026-03-30 06:21:49-05:00 [Note] [Entrypoint]: MariaDB upgrade not required
Seafile-DB     | 2026-03-30  6:21:49 0 [Note] Starting MariaDB 11.8.6-MariaDB-ubu2404 source revision 9bfea48ce1214cc4470f6f6f8a4e30352cef84e7 server_uid YKPNagnfIROmJPf794u8unHaCSA= as process 1
Seafile-DB     | 2026-03-30  6:21:49 0 [Note] InnoDB: Compressed tables use zlib 1.3
Seafile-DB     | 2026-03-30  6:21:49 0 [Note] InnoDB: Number of transaction pools: 1
Seafile-DB     | 2026-03-30  6:21:49 0 [Note] InnoDB: Using crc32 + pclmulqdq instructions
Seafile-DB     | 2026-03-30  6:21:49 0 [Warning] mariadbd: io_uring_queue_init() failed with EPERM: sysctl kernel.io_uring_disabled has the value 2, or 1 and the user of the process is not a member of sysctl kernel.io_uring_group. (see man 2 io_uring_setup).
Seafile-DB     | create_uring failed: falling back to libaio
Seafile-DB     | 2026-03-30  6:21:49 0 [Note] InnoDB: Using Linux native AIO
Seafile-DB     | 2026-03-30  6:21:49 0 [Note] InnoDB: innodb_buffer_pool_size_max=128m, innodb_buffer_pool_size=128m
Seafile-DB     | 2026-03-30  6:21:49 0 [Note] InnoDB: Completed initialization of buffer pool
Seafile-DB     | 2026-03-30  6:21:49 0 [Note] InnoDB: File system buffers for log disabled (block size=512 bytes)
Seafile        | nginx: [warn] conflicting server name "" on 0.0.0.0:80, ignored
Seafile-DB     | 2026-03-30  6:21:49 0 [Note] InnoDB: End of log at LSN=1297842
Seafile-DB     | 2026-03-30  6:21:49 0 [Note] InnoDB: Opened 3 undo tablespaces
Seafile-DB     | 2026-03-30  6:21:49 0 [Note] InnoDB: 128 rollback segments in 3 undo tablespaces are active.
Seafile-DB     | 2026-03-30  6:21:49 0 [Note] InnoDB: Setting file './ibtmp1' size to 12.000MiB. Physically writing the file full; Please wait ...
Seafile-DB     | 2026-03-30  6:21:49 0 [Note] InnoDB: File './ibtmp1' size is now 12.000MiB.
Seafile-DB     | 2026-03-30  6:21:49 0 [Note] InnoDB: log sequence number 1297842; transaction id 1045
Seafile-DB     | 2026-03-30  6:21:49 0 [Note] InnoDB: Loading buffer pool(s) from /var/lib/mysql/ib_buffer_pool
Seafile-DB     | 2026-03-30  6:21:49 0 [Note] Plugin 'FEEDBACK' is disabled.
Seafile-DB     | 2026-03-30  6:21:49 0 [Note] Plugin 'wsrep-provider' is disabled.
Seafile-DB     | 2026-03-30  6:21:49 0 [Note] InnoDB: Buffer pool(s) load completed at 260330  6:21:49
Seafile-DB     | 2026-03-30  6:21:51 0 [Note] Server socket created on IP: '0.0.0.0', port: '3306'.
Seafile-DB     | 2026-03-30  6:21:51 0 [Note] Server socket created on IP: '::', port: '3306'.
Seafile-DB     | 2026-03-30  6:21:51 0 [Note] mariadbd: Event Scheduler: Loaded 0 events
Seafile-DB     | 2026-03-30  6:21:51 0 [Note] mariadbd: ready for connections.
Seafile-DB     | Version: '11.8.6-MariaDB-ubu2404'  socket: '/run/mysqld/mysqld.sock'  port: 3306  mariadb.org binary distribution
Seafile        | [2026-03-30 06:21:51] Skip running setup-seafile-mysql.py because there is existing seafile-data folder.
Seafile        | waiting for mysql server to be ready: mysql is not ready
Seafile        | [03/30/2026 06:21:51][upgrade]: The container was recreated, start fix the media symlinks
Seafile        | mv: not replacing '/shared/seafile/seahub-data/avatars/default-non-register.jpg'
Seafile        | mv: not replacing '/shared/seafile/seahub-data/avatars/default.png'
Seafile        | mv: not replacing '/shared/seafile/seahub-data/avatars/groups'
Seafile        | [03/30/2026 06:21:51][upgrade]: Done
Seafile        |
Seafile        | Starting seafile server, please wait ...


Seafile        | Seafile server started
Seafile        |
Seafile        | Done.
Seafile        |
Seafile        | Starting seahub at port 8000 ...
Seafile        |
Seafile        | Seahub is started
Seafile        |
Seafile        | Done.
Seafile        |

That worked, and my last file was still there. I tried uploading again

I tried Firefox and chrome, but without luck. It was not uploading anymore

I also tried logging in directly to the app using the local URL, but it choked on uploads

Last shot, a full destroy then fire up

# cleanup local files
builder@bosgamerz9:/volume1$ cd docker/
builder@bosgamerz9:/volume1/docker$ ls
seafile
builder@bosgamerz9:/volume1/docker$ sudo rm -rf ./seafile/
builder@bosgamerz9:/volume1/docker$ sudo mkdir seafile
builder@bosgamerz9:/volume1/docker$ sudo chmod 777 seafile/


# Now docker destroy
builder@bosgamerz9:~/Workspaces/Seafile$ docker compose down -v --rmi all --remove-orphans
[+] Running 4/4
 ✔ Image seafileltd/seafile-mc:13.0-latest  Removed                                                                                                1.2s
 ✔ Image mariadb:11.8-noble                 Removed                                                                                                1.4s
 ✔ Image memcached:1.6                      Removed                                                                                                0.1s
 ✔ Image redis:latest                       Removed                                                                                                0.0s
builder@bosgamerz9:~/Workspaces/Seafile$ docker compose up -d
[+] Running 38/38
 ✔ seafile Pulled                                                                                                                                 15.4s
   ✔ 505b3596871d Pull complete                                                                                                                    5.5s
   ✔ c083fef1fc73 Pull complete                                                                                                                    5.5s
   ✔ be8b84cba34b Pull complete                                                                                                                    6.5s
   ✔ 8bedc8e9293a Pull complete                                                                                                                    6.5s
   ✔ 622aaad4b3db Pull complete                                                                                                                    6.9s
   ✔ b873e65fb3d4 Pull complete                                                                                                                    7.7s
   ✔ 1d2e2524dcdd Pull complete                                                                                                                    9.1s
   ✔ 601ae82f9133 Pull complete                                                                                                                   10.4s
   ✔ 35a091cd3e29 Pull complete                                                                                                                   12.1s
   ✔ fadc521a35fb Pull complete                                                                                                                   12.1s
   ✔ 55d2f36eefb8 Pull complete                                                                                                                   12.1s
   ✔ b9383a1b21d0 Pull complete                                                                                                                   12.2s
   ✔ c18edc61dfc9 Pull complete                                                                                                                   12.2s
   ✔ 8ee4a48da408 Pull complete                                                                                                                   14.3s
 ✔ cache Pulled                                                                                                                                    5.2s
   ✔ 51dec6de03b1 Pull complete                                                                                                                    3.9s
   ✔ e6a929ea558d Pull complete                                                                                                                    3.9s
   ✔ b8f4f23b254e Pull complete                                                                                                                    4.1s
   ✔ 6ae38152dcb8 Pull complete                                                                                                                    4.1s
   ✔ e839fccf1879 Pull complete                                                                                                                    4.2s
 ✔ redis Pulled                                                                                                                                    5.2s
   ✔ ec781dee3f47 Pull complete                                                                                                                    3.9s
   ✔ 5f7274725e4f Pull complete                                                                                                                    3.9s
   ✔ f4f2f7018ed9 Pull complete                                                                                                                    3.9s
   ✔ 3f63903b0cb8 Pull complete                                                                                                                    4.1s
   ✔ c9ff57cee690 Pull complete                                                                                                                    4.1s
   ✔ 4f4fb700ef54 Pull complete                                                                                                                    4.1s
   ✔ 3e6b2202a764 Pull complete                                                                                                                    4.2s
 ✔ db Pulled                                                                                                                                       4.1s
   ✔ 817807f3c64e Pull complete                                                                                                                    1.4s
   ✔ 5843c951070e Pull complete                                                                                                                    1.4s
   ✔ 61a0e6ba478b Pull complete                                                                                                                    1.6s
   ✔ c688148c30c1 Pull complete                                                                                                                    1.6s
   ✔ 86447b1c7e20 Pull complete                                                                                                                    1.6s
   ✔ 943dc8eb543e Pull complete                                                                                                                    3.0s
   ✔ af136b8199a6 Pull complete                                                                                                                    3.0s
   ✔ 7761d3ebebab Pull complete                                                                                                                    3.0s
[+] Running 5/5
 ✔ Network seafile_default  Created                                                                                                                0.0s
 ✔ Container Seafile-CACHE  Started                                                                                                                0.4s
 ✔ Container Seafile-REDIS  Started                                                                                                                0.4s
 ✔ Container Seafile-DB     Started                                                                                                                0.4s
 ✔ Container Seafile        Started                                                                                                                0.3s

Again, I found uploading small files under 1Mb seemed to be fine, but the moment we used something larger like a 3Mb jpg, it fell down

wikis

Let’s try some of the other features, perhaps they’ll work better. We can go to Wikis to create a new Wiki

Once created, we can click on the wiki to see some basic nav and page create

New Page, however, just gave me a spinning icon and error

Fat Client

I’ll try the fat client on windows

I could then login

and it prompted me to sync files

and…. error

My next thought was perhaps I needed a new container. Sometimes we use older images in writeups and it just needs something a tad newer.

However, the latest container is 13.0-latest

Kubernetes native

They seemed to strip out their setup docs from versions 12 and 13, but I found a K8s guide for 11 here

I was losing patience so I just asked Gemini to build the single manifest

I tweaked a few settings including using HTTPS and the newer 13 image. Also, because we would be creating a memcache and mysql database, i felt we should do this in a namespace, so I created a “seafile” namespace to launch it all in

builder@DESKTOP-QADGF36:~$ kubectl create ns seafile
namespace/seafile created
builder@DESKTOP-QADGF36:~$ cat ./seafile.ingress.yaml
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: azuredns-tpkpw
    ingress.kubernetes.io/ssl-redirect: "true"
    kubernetes.io/tls-acme: "true"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
    nginx.org/websocket-services: seafile
  generation: 1
  name: seafileingress
spec:
  ingressClassName: nginx
  rules:
  - host: seafile.tpk.pw
    http:
      paths:
      - backend:
          service:
            name: seafile
            port:
              number: 80
        path: /
        pathType: ImplementationSpecific
  tls:
  - hosts:
    - seafile.tpk.pw
    secretName: seafile-tls
---
# --- MariaDB Storage ---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: mariadb-data
spec:
  capacity:
    storage: 1Gi
  accessModes:
    - ReadWriteOnce
  hostPath:
    path: /opt/seafile-mysql/db
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: mariadb-data
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
---
# --- MariaDB Deployment & Service ---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mariadb
spec:
  selector:
    matchLabels:
      app: mariadb
  replicas: 1
  template:
    metadata:
      labels:
        app: mariadb
    spec:
      containers:
      - name: mariadb
        image: mariadb:10.11
        env:
        - name: MARIADB_ROOT_PASSWORD
          value: "db_dev"
        - name: MARIADB_AUTO_UPGRADE
          value: "true"
        ports:
        - containerPort: 3306
        volumeMounts:
        - name: mariadb-data
          mountPath: /var/lib/mysql
      volumes:
      - name: mariadb-data
        persistentVolumeClaim:
          claimName: mariadb-data
---
apiVersion: v1
kind: Service
metadata:
  name: mariadb
spec:
  selector:
    app: mariadb
  ports:
  - protocol: TCP
    port: 3306
    targetPort: 3306
---
# --- Memcached Deployment & Service ---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: memcached
spec:
  replicas: 1
  selector:
    matchLabels:
      app: memcached
  template:
    metadata:
      labels:
        app: memcached
    spec:
      containers:
      - name: memcached
        image: memcached:1.6.18
        args: ["-m", "256"]
        ports:
        - containerPort: 11211
---
apiVersion: v1
kind: Service
metadata:
  name: memcached
spec:
  selector:
    app: memcached
  ports:
  - protocol: TCP
    port: 11211
    targetPort: 11211
---
# --- Seafile Storage ---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: seafile-data
spec:
  capacity:
    storage: 10Gi
  accessModes:
    - ReadWriteOnce
  hostPath:
    path: /opt/seafile-data
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: seafile-data
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
---
# --- Seafile Deployment & Service ---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: seafile
spec:
  replicas: 1
  selector:
    matchLabels:
      app: seafile
  template:
    metadata:
      labels:
        app: seafile
    spec:
      imagePullSecrets:
      - name: regcred
      containers:
      - name: seafile
        image: seafileltd/seafile-mc:13.0-latest
        env:
        - name: DB_HOST
          value: "mariadb"
        - name: DB_ROOT_PASSWD
          value: "db_dev"
        - name: TIME_ZONE
          value: "America/Chicago"
        - name: SEAFILE_ADMIN_EMAIL
          value: "isaac.johnson@gmail.com"
        - name: SEAFILE_ADMIN_PASSWORD
          value: "notmypassword!"
        - name: SEAFILE_SERVER_LETSENCRYPT
          value: "false"
        - name: SEAFILE_SERVER_HOSTNAME
          value: "seafile.tpk.pw"
        - name: SEAFILE_SERVER_PROTOCOL
          value: "https"
        volumeMounts:
        - name: seafile-data
          mountPath: /shared
      volumes:
      - name: seafile-data
        persistentVolumeClaim:
          claimName: seafile-data
      restartPolicy: Always
---
apiVersion: v1
kind: Service
metadata:
  name: seafile
spec:
  selector:
    app: seafile
  type: ClusterIP
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
    name: seafile
builder@DESKTOP-QADGF36:~$ kubectl apply -f ./seafile.ingress.yaml -n seafile
ingress.networking.k8s.io/seafileingress created
persistentvolume/mariadb-data created
persistentvolumeclaim/mariadb-data created
deployment.apps/mariadb created
service/mariadb created
deployment.apps/memcached created
service/memcached created
persistentvolume/seafile-data created
persistentvolumeclaim/seafile-data created
deployment.apps/seafile created
service/seafile created

The TLS was satisfied quickly

$ kubectl get cert -n seafile
NAME          READY   SECRET        AGE
seafile-tls   True    seafile-tls   115s

I got a bad gateway and even tested with a port-forward

$ kubectl port-forward svc/seafile 8088:80 -n seafile
Forwarding from 127.0.0.1:8088 -> 80
Forwarding from [::1]:8088 -> 80
Handling connection for 8088

I suspect that the newer 13 image uses 8611 for ingress wheres the older used 80.

I updated the service, but then the port-forward failed again

$ kubectl port-forward svc/seafile 8088:80 -n seafile
Forwarding from 127.0.0.1:8088 -> 8611
Forwarding from [::1]:8088 -> 8611
Handling connection for 8088
Handling connection for 8088
E0330 07:16:09.747304   92389 portforward.go:424] "Unhandled Error" err="an error occurred forwarding 8088 -> 8611: error forwarding port 8611 to pod c1aa362dd7787302b716ebed56bda756d463d23766877717f5eabb2d59a4ea4b, uid : failed to execute portforward in network namespace \"/var/run/netns/cni-9f586fd4-dd56-1ac4-2bc0-a5b1d3c74659\": failed to connect to localhost:8611 inside namespace \"c1aa362dd7787302b716ebed56bda756d463d23766877717f5eabb2d59a4ea4b\", IPv4: dial tcp4 127.0.0.1:8611: connect: connection refused IPv6 dial tcp6: address localhost: no suitable address found "
error: lost connection to pod

The pod seems confused about the MariaDB (MySQL)

$ kubectl logs seafile-75c9d8ccbb-bp5xk  -n seafile
*** Running /etc/my_init.d/01_create_data_links.sh...
*** Booting runit daemon...
*** Runit started as PID 11
*** Running /scripts/enterpoint.sh...
2026-03-30 07:10:19 Nginx ready
2026-03-30 07:10:19 This is an idle script (infinite loop) to keep container running.
nginx: [warn] conflicting server name "" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "" on 0.0.0.0:80, ignored
waiting for mysql server to be ready: mysql is not ready
waiting for mysql server to be ready: mysql is not ready
waiting for mysql server to be ready: mysql is not ready
waiting for mysql server to be ready: mysql is not ready

I kept banging away at it, adding the missing Redis, setting MysQL ports

---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: azuredns-tpkpw
    ingress.kubernetes.io/ssl-redirect: "true"
    kubernetes.io/tls-acme: "true"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
    nginx.org/websocket-services: seafile
  generation: 1
  name: seafileingress
spec:
  ingressClassName: nginx
  rules:
  - host: seafile.tpk.pw
    http:
      paths:
      - backend:
          service:
            name: seafile
            port:
              number: 80
        path: /
        pathType: ImplementationSpecific
  tls:
  - hosts:
    - seafile.tpk.pw
    secretName: seafile-tls
---
# --- MariaDB Storage ---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: mariadb-data
spec:
  capacity:
    storage: 1Gi
  accessModes:
    - ReadWriteOnce
  hostPath:
    path: /opt/seafile-mysql/db
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: mariadb-data
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
---
# --- MariaDB Deployment & Service ---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mariadb
spec:
  selector:
    matchLabels:
      app: mariadb
  replicas: 1
  template:
    metadata:
      labels:
        app: mariadb
    spec:
      containers:
      - name: mariadb
        image: mariadb:10.11
        env:
        - name: MARIADB_ROOT_PASSWORD
          value: "db_dev"
        - name: MARIADB_AUTO_UPGRADE
          value: "true"
        - name: MARIADB_DATABASE
          value: "seafile_db"
        - name: MARIADB_USER
          value: "seafileuser"
        - name: MARIADB_PASSWORD
          value: "seafilepassword"
        ports:
        - containerPort: 3306
        volumeMounts:
        - name: mariadb-data
          mountPath: /var/lib/mysql
      volumes:
      - name: mariadb-data
        persistentVolumeClaim:
          claimName: mariadb-data
---
apiVersion: v1
kind: Service
metadata:
  name: mariadb
spec:
  selector:
    app: mariadb
  ports:
  - protocol: TCP
    port: 3306
    targetPort: 3306
---
# --- Memcached Deployment & Service ---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: memcached
spec:
  replicas: 1
  selector:
    matchLabels:
      app: memcached
  template:
    metadata:
      labels:
        app: memcached
    spec:
      containers:
      - name: memcached
        image: memcached:1.6.18
        args: ["-m", "256"]
        ports:
        - containerPort: 11211
---
apiVersion: v1
kind: Service
metadata:
  name: memcached
spec:
  selector:
    app: memcached
  ports:
  - protocol: TCP
    port: 11211
    targetPort: 11211
---
# --- Redis Deployment & Service ---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: redis
spec:
  replicas: 1
  selector:
    matchLabels:
      app: redis
  template:
    metadata:
      labels:
        app: redis
    spec:
      containers:
      - name: redis
        image: redis:latest
        command: 
          - redis-server
          - "--requirepass"
          - "redispass"
        ports:
        - containerPort: 6379
        volumeMounts:
        - name: redis-data
          mountPath: /data
      volumes:
      - name: redis-data
        emptyDir: {}
---
apiVersion: v1
kind: Service
metadata:
  name: redis
spec:
  selector:
    app: redis
  ports:
  - protocol: TCP
    port: 6379
    targetPort: 6379
---
# --- Seafile Storage ---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: seafile-data
spec:
  capacity:
    storage: 10Gi
  accessModes:
    - ReadWriteOnce
  hostPath:
    path: /opt/seafile-data
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: seafile-data
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
---
# --- Seafile Deployment & Service ---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: seafile
spec:
  replicas: 1
  selector:
    matchLabels:
      app: seafile
  template:
    metadata:
      labels:
        app: seafile
    spec:
      imagePullSecrets:
      - name: regcred
      containers:
      - name: seafile
        image: seafileltd/seafile-mc:13.0-latest
        env:
        - name: INIT_SEAFILE_MYSQL_ROOT_PASSWORD
          value: "db_dev"
        - name: SEAFILE_MYSQL_DB_HOST
          value: "mariadb"
        - name: SEAFILE_MYSQL_DB_USER
          value: "seafileuser"
        - name: SEAFILE_MYSQL_DB_PASSWORD
          value: "seafilepassword"
        - name: SEAFILE_MYSQL_DB_PORT
          value: "3306"
        - name: SEAFILE_MYSQL_DB_SEAFILE_DB_NAME
          value: "seafile_db"
        - name: SEAFILE_MYSQL_DB_CCNET_DB_NAME
          value: "ccnet_db"
        - name: SEAFILE_MYSQL_DB_SEAHUB_DB_NAME
          value: "seahub_db"
        - name: CACHE_PROVIDER
          value: "redis"
        - name: REDIS_HOST
          value: "redis"
        - name: REDIS_PORT
          value: "6379"
        - name: REDIS_PASSWORD
          value: "redispass"
        - name: TIME_ZONE
          value: "America/Chicago"
        - name: SEAFILE_VOLUME
          value: "/opt/seafile-data"
        - name: SEAFILE_MYSQL_VOLUME
          value: "/opt/seafile-mysql/db"
        - name: INIT_SEAFILE_ADMIN_EMAIL
          value: "isaac.johnson@gmail.com"
        - name: INIT_SEAFILE_ADMIN_PASSWORD
          value: "notmypassword!"
        - name: JWT_PRIVATE_KEY
          value: "dOxZYTTZgXKMHkqLBIQVImayQXAVWdzGBPuFJKggzcgvgPJPXpWzqzKaUOIOGGIr"
        - name: SEADOC_VOLUME
          value: "/opt/seadoc-data"
        - name: SEADOC_IMAGE
          value: "seafileltd/sdoc-server:2.0-latest"
        - name: ENABLE_SEADOC
          value: "false"
        - name: SEADOC_SERVER_URL
          value: "https://seafile.tpk.pw/sdoc-server"
        - name: SEAFILE_SERVER_HOSTNAME
          value: "seafile.tpk.pw"
        - name: SEAFILE_SERVER_PROTOCOL
          value: "https"
        - name: FORCE_HTTPS_IN_CONF
          value: "true"
        volumeMounts:
        - name: seafile-data
          mountPath: /shared
      volumes:
      - name: seafile-data
        persistentVolumeClaim:
          claimName: seafile-data
      restartPolicy: Always
---
apiVersion: v1
kind: Service
metadata:
  name: seafile
spec:
  selector:
    app: seafile
  type: ClusterIP
  ports:
  - protocol: TCP
    port: 80
    targetPort: 8611
    name: seafile

apply as I went

$ kubectl apply -f ./seafile.ingress.yaml -n seafile
ingress.networking.k8s.io/seafileingress unchanged
persistentvolume/mariadb-data unchanged
persistentvolumeclaim/mariadb-data unchanged
deployment.apps/mariadb unchanged
service/mariadb unchanged
deployment.apps/memcached unchanged
service/memcached unchanged
deployment.apps/redis created
service/redis created
persistentvolume/seafile-data unchanged
persistentvolumeclaim/seafile-data unchanged
deployment.apps/seafile configured
service/seafile unchanged

And after changing the service targetPort from 8611 back to 80

---
apiVersion: v1
kind: Service
metadata:
  name: seafile
spec:
  selector:
    app: seafile
  type: ClusterIP
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
    name: seafile

it finally worked

But just as before, it failed to upload any file of even moderate size

and there are no crashes nor anything in the logs

builder@DESKTOP-QADGF36:~/Workspaces/Seafile$ kubectl get po -n seafile
NAME                        READY   STATUS    RESTARTS   AGE
mariadb-86dbcfffb-hhr8h     1/1     Running   0          42m
memcached-d45ccfcd7-qjgwv   1/1     Running   0          42m
redis-5bb476f74b-pqfmq      1/1     Running   0          34m
seafile-5b4dbf44b6-7b28j    1/1     Running   0          34m
builder@DESKTOP-QADGF36:~/Workspaces/Seafile$ kubectl logs seafile-5b4dbf44b6-7b28j -n seafile
*** Running /etc/my_init.d/01_create_data_links.sh...
*** Booting runit daemon...
*** Runit started as PID 14
*** Running /scripts/enterpoint.sh...
2026-03-30 07:32:04 Waiting Nginx
nginx: [warn] conflicting server name "" on 0.0.0.0:80, ignored
2026-03-30 07:32:04 Nginx ready
2026-03-30 07:32:04 This is an idle script (infinite loop) to keep container running.
nginx: [warn] conflicting server name "" on 0.0.0.0:80, ignored
[2026-03-30 07:32:04] Skip running setup-seafile-mysql.py because there is existing seafile-data folder.
[03/30/2026 07:32:04][upgrade]: The container was recreated, start fix the media symlinks
mv: not replacing '/shared/seafile/seahub-data/avatars/default-non-register.jpg'
mv: not replacing '/shared/seafile/seahub-data/avatars/default.png'
mv: not replacing '/shared/seafile/seahub-data/avatars/groups'
[03/30/2026 07:32:04][upgrade]: Done

Starting seafile server, please wait ...
Seafile server started

Done.

Starting seahub at port 8000 ...



----------------------------------------
Successfully created seafile admin
----------------------------------------




Seahub is started

Done.

I think at this point I’m done with Seafile

SaaS

There is a hosted edition one can use

You can store at most 1Gb, but it’s easy to register.

That said, I don’t think I’ll pursue the SaaS for now

Summary

Dynacat was easy to install and use. Much like its upstream glance, it does a good job of creating a landing page. It was easy to self host at https://dynacat.tpk.pw/. I tweaked it a bit for some YT feeds, stocks and services. I may circle back and do more but in truth, I’m not much of a landing page person.

Seafile started okay, but quickly fell down on any file of size. I tried many different options - from Docker to Kubernetes. The company itself is based in China and Singapore and has been around since 2012 so perhaps there are just bugs with this latest version as it’s less than a month old.

Coder in Docker and K8s

2026-03-31T10:00:01+00:00

I’ve been running Coder and Code-server for quite some time now. I generally operate locally, but there are times that having a good remote coding solution based on VS Code is quite handy.

Just last year after GCP Next 25, I updated and wrote about Coder and Code-server then around Christmas, revisited Code-server updates.

Upgrading

Again, I see there are updates

$ helm repo update
$ helm upgrade coder coder-v2/coder --namespace coder --version 2.30.5
coalesce.go:298: warning: cannot overwrite table with non table for coder.coder.ingress.tls (map[enable:false secretName: wildcardSecretName:])
coalesce.go:298: warning: cannot overwrite table with non table for coder.coder.ingress.tls (map[enable:false secretName: wildcardSecretName:])
Release "coder" has been upgraded. Happy Helming!
NAME: coder
LAST DEPLOYED: Fri Mar 27 07:30:26 2026
NAMESPACE: coder
STATUS: deployed
REVISION: 4
TEST SUITE: None
NOTES:
Enjoy Coder! Please create an issue at https://github.com/coder/coder if you run
into any problems! :)

Cleanup

Any workspace one doesn’t need can just be cleaned up with “Delete”.

which, after confirming, basically does a terraform destroy on the resource

Lest you think it failed, it just takes a minute to cleanup all the resources before briefly showing “deleting”

Launching existing Workspace

I’ll go to the one from 3 months ago which is a very large git repo and click start

Terraform then kicks in

before showing me a placeholder screen as it launches

In just a moment it was launched again and I could see usage details

But it just kept crashing

The logs suggested connectivity issues.

I see the pod up

$ kubectl get po -n coder
NAME                                                          READY   STATUS    RESTARTS   AGE
coder-5b5e3c82-075c-4243-983b-aff287de7ee9-55b865c49f-qc6zd   1/1     Running   0          6m18s
coder-6cd484f7f8-xqrzp                                        1/1     Running   0          11m
coder-db-postgresql-0                                         1/1     Running   0          94d

But the container keeps spitting logs

$ kubectl logs coder-5b5e3c82-075c-4243-983b-aff287de7ee9-55b865c49f-qc6zd -n coder
Error from server: Get "https://192.168.1.214:10250/containerLogs/coder/coder-5b5e3c82-075c-4243-983b-aff287de7ee9-55b865c49f-qc6zd/dev": net/http: TLS handshake timeout
$ kubectl logs coder-5b5e3c82-075c-4243-983b-aff287de7ee9-55b865c49f-qc6zd -n coder
Error from server: Get "https://192.168.1.214:10250/containerLogs/coder/coder-5b5e3c82-075c-4243-983b-aff287de7ee9-55b865c49f-qc6zd/dev": proxy error from 127.0.0.1:6443 while dialing 192.168.1.214:10250, code 502: 502 Bad Gateway

and the events suggest it keeps killing the container in the pod

$ kubectl describe po coder-5b5e3c82-075c-4243-983b-aff287de7ee9-55b865c49f-qc6zd -n coder | tail -n 9
Events:
  Type     Reason        Age                  From               Message
  ----     ------        ----                 ----               -------
  Normal   Scheduled     6m59s                default-scheduler  Successfully assigned coder/coder-5b5e3c82-075c-4243-983b-aff287de7ee9-55b865c49f-qc6zd to builder-hp-elitebook-850-g2
  Normal   Pulling       6m58s                kubelet            Pulling image "codercom/enterprise-base:ubuntu"
  Normal   Pulled        6m29s                kubelet            Successfully pulled image "codercom/enterprise-base:ubuntu" in 28.592s (28.592s including waiting). Image size: 376791434 bytes.
  Normal   Created       6m29s                kubelet            Created container: dev
  Normal   Started       6m29s                kubelet            Started container dev
  Warning  NodeNotReady  88s (x2 over 3m55s)  node-controller    Node is not ready

This just kept failing me.

I tried to make a new workspace but it just kept signing me out

I came back after a day (as the cluster control plane was misbehaving and I didn’t want to assume this was Coder’s fault)

I fired up a new workspace

While Github has now blocked the Github Copilot chat client

But we can use Google Code Assist (GCA) to quickly build and test a basic python app

Lastly, we can create a project in Gitlab and push these changes up for sharing

Which you can now check out here

Linux

let’s try just reducing some complexity and use the install script to run locally in Ubuntu

I initially had some failures

builder@bosgamerz7:~$ sudo systemctl enable --now coder
Created symlink /etc/systemd/system/multi-user.target.wants/coder.service → /lib/systemd/system/coder.service.
Job for coder.service failed because the control process exited with error code.
See "systemctl status coder.service" and "journalctl -xeu coder.service" for details.

This is because coder really wants to use port 3000 and that was used by Openweb-UI already

builder@bosgamerz7:~$ docker ps
CONTAINER ID   IMAGE                                COMMAND                  CREATED       STATUS                 PORTS                                                        NAMES
a5e0885202bd   ghcr.io/open-webui/open-webui:main   "bash start.sh"          3 weeks ago   Up 3 weeks (healthy)   0.0.0.0:3000->8080/tcp, [::]:3000->8080/tcp                  open-webui
bb0f798b1570   nicolargo/glances:latest             "/bin/sh -c '/venv/b…"   5 weeks ago   Up 3 weeks             0.0.0.0:61208->61208/tcp, [::]:61208->61208/tcp, 61209/tcp   glances

I just needed to stop it and start the server again

builder@bosgamerz7:~$ docker stop open-webui
open-webui
builder@bosgamerz7:~$ sudo systemctl enable --now coder
builder@bosgamerz7:~$ journalctl -u coder.service -b

The logs showed a reverse proxy was setup which rather surprised me

Mar 27 08:19:27 bosgamerz7 systemd[1]: coder.service: Main process exited, code=exited, status=1/FAILURE
Mar 27 08:19:27 bosgamerz7 systemd[1]: coder.service: Failed with result 'exit-code'.
Mar 27 08:19:27 bosgamerz7 systemd[1]: Failed to start "Coder - Self-hosted developer workspaces on your infra".
Mar 27 08:19:32 bosgamerz7 systemd[1]: coder.service: Scheduled restart job, restart counter is at 17.
Mar 27 08:19:32 bosgamerz7 systemd[1]: Stopped "Coder - Self-hosted developer workspaces on your infra".
Mar 27 08:19:32 bosgamerz7 systemd[1]: Starting "Coder - Self-hosted developer workspaces on your infra"...
Mar 27 08:19:32 bosgamerz7 coder[2794252]: Started HTTP listener at http://127.0.0.1:3000
Mar 27 08:19:32 bosgamerz7 coder[2794252]: Using built-in PostgreSQL (/home/coder/.config/coderv2/postgres)
Mar 27 08:19:35 bosgamerz7 coder[2794252]: Opening tunnel so workspaces can connect to your deployment. For production scenarios, specify an external access URL
Mar 27 08:19:39 bosgamerz7 coder[2794252]: Using tunnel in US East Pittsburgh with latency 48.107215ms.
Mar 27 08:19:39 bosgamerz7 coder[2794252]: ╔═══════════════════════════════════════════════╗
Mar 27 08:19:39 bosgamerz7 coder[2794252]: ║               View the Web UI:                ║
Mar 27 08:19:39 bosgamerz7 coder[2794252]: ║   https://jb1ec3dknpbj4.pit-1.try.coder.app   ║
Mar 27 08:19:39 bosgamerz7 coder[2794252]: ╚═══════════════════════════════════════════════╝
Mar 27 08:19:45 bosgamerz7 coder[2794252]: 2026-03-27 13:19:45.172 [info]  coderd: injecting default github external auth provider  type=github  client_id=Iv1.6a2b4b4ae>
Mar 27 08:19:45 bosgamerz7 coder[2794252]: ==> Logs will stream in below (press ctrl+c to gracefully exit):
Mar 27 08:19:45 bosgamerz7 coder[2794252]: 2026-03-27 13:19:45.173 [info]  notifications.manager.notifier: started  notifier_id=7ff018a4-ae01-45cd-bb9c-fbaf29af80a0
Mar 27 08:19:45 bosgamerz7 coder[2794252]: 2026-03-27 13:19:45.176 [info]  notifications.report_generator: report generator is executing the job for the first time  not>
Mar 27 08:19:45 bosgamerz7 coder[2794252]: 2026-03-27 13:19:45.176 [info]  notifications.report_generator: report generator finished  duration=3.079398ms
Mar 27 08:19:46 bosgamerz7 systemd[1]: Started "Coder - Self-hosted developer workspaces on your infra".

I was able to login

Templates

I’ll first try a DinD template

I was fine with the defaults

which then launched the template

We can then “create workspace”

I’m not sure what will happen, but I’ll try adding a private git repo (it does have a devcontainer.json, but it’s not public and I see nowhere to add GIT credentials)

I can see a container was fired up on the host

I didn’t see it right away, but in the startup logs it asked to setup a Code app to see my repo

But even restarting failed to work and there really isn’t any details on how to sort this out.

While the DinD didn’t give me a code server, i tried adding the Docker Container one (not Docker in Docker), then using that for a new workspace

That fired up with a Code server. I can see we can use Github Copilot

But we can also use local models with the Continue.dev plugin

I’ll add an embedded, autocomplete and two chat models. Note, they use different servers in my network so i need to set the apiBase as well

Here we can see it in action

Hopefully one can appreciate what is going on above - I am using a reverse proxy tunnel to a shuttle Linux host that is running coder.

The coder workspace is then using a Continue.dev plugin to reach Ollama - both on that same host as well as a different Ollama host in my network.

This basically means I can have a Coding self hosted system entirely self contained.

When adding in a Gitea or Forgejo repo, we can even host our GIT code in-network safely as well (safely is a relative term… For my important code, i replicate between Forgejo and Gitea and for my most important code, I also sync it up to Codeberg)

And for reference, in both Forgejo and Gitea, those mirror settings are in main settings for each Repo

Summary

Today we circled back on Coder and upgrading my local Kubernetes based instance with helm. This initially didn’t go well, but what was really going on was my primary control plane server was acting up and ultimately I needed to reboot it. After a reboot, most of my services in Kubernetes started to behave again including Coder.

I fired up a containerized K8s-based workspace and initially tried to get Github Copilot to work (but as it won’t install properly anymore in codeserver instances, it was a no-go). I pivoted to Google Code Assist (GCA) which worked just fine to build a hello world python app, show it running then push it to a fresh repo in Gitlab.

I also explored running Coder natively on a Linux host. When one does it this way, there is a reverse proxy created on coder.app. We then connected there to create a new user and attempted to Auth to Github, but could not solve private repo access that way. However, we easily setup Docker-in-Docker as well Docker based containers using the Continue.dev plug for LLM usage against local infrastructure. Lastly, we saved our code out in a private Forgejo repository.

While I didn’t need to use VPN access as the LLM host was in the same 192.168 address space, this diagram covers the general setup

This means we have the best of both worlds - some use of SaaS services like Gitlab, Github and GCA, but by no means are we required to use them as we can host our GIT with Gitea/Forgejo just as easily. And while Cloud hosted LLMs have more speed and power than a shuttle PC in my network, using smaller 8b models does work at the cost of speed.

Pi Coding Agent

2026-03-26T10:00:01+00:00

I came across a YT video extolling the virtues of Pi CLI. While yes, it is another CLI, it has a very light footprint and just enough skills (like command line access) to do things.

We’ll test it on a few different hosts and models; both cloud and local. After some basic tests (involving good old Commander Keen), we’ll use Pi + Gemini to build a Pomodoro app.

Installing Pi

Like many other tools we can install npm

(base) builder@LuiGi:~/Workspaces/piagent$ npm install -g @mariozechner/pi-coding-agent
npm warn deprecated node-domexception@1.0.0: Use your platform's native DOMException instead

added 257 packages in 21s

34 packages are looking for funding
  run `npm fund` for details
(base) builder@LuiGi:~/Workspaces/piagent$

Now I just need to fire pi to launch

I gave a quick test to ask for Commander Keen as ASCII art but it just gave me a penguin afaik

It claims to have spent 12.5c on that

~/Workspaces/piagent
↑77k ↓1.6k R37k $0.124 0.8%/1.0M (auto)                                                     gemini-2.5-pro • medium

If I search models, we only see Google ones. This is because it noticed I only had a GEMINI API key set in my env vars so it just assumed I would use Google

Next, I tried setting an OPENAI KEY and BASE to match my GPT 5 Nano deployment in Azure AI Foundry.

However, as we can see, it doesn’t respect the env var for OPENAI_API_BASE to a cognativeservices URL.

However, once I switched to a proper OPENAI API Key, then it worked just fine

We can see it picked up my existing agent skills

Revisiting the providers docs, I think I need to use their format for the Azure OpenAI instances

Let’s set those

export AZURE_OPENAI_API_KEY=BgxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxiC
export AZURE_OPENAI_BASE_URL=https://isaac-mgp1gfv5-eastus2.cognitiveservices.azure.com
export AZURE_OPENAI_DEPLOYMENT=gpt-5-nano
export AZURE_OPENAI_API_VERSION=2024-12-01-preview

Though trying a few permutations for resource name, nothing seemed to work on GPT 5 via Azure AI Foundry

But we can see it works fine with Gemini Flash

Let’s compare to Gemini CLI

I thought it was interesting that this used 17k tokens to make a cow

Whereas Pi used just over 7k. Just to be sure of this, I tried again

and indeed it was about 4.5k used.

~/Workspaces/piagent
↑4.5k ↓63 R2.0k $0.003 0.2%/1.0M (auto)                                    (google) gemini-3-flash-preview • medium

Custom Models and Ollama

Right now we have no custom models

cat: /home/builder/.pi/agent/models.json: No such file or directory (os error 2)

example Ollama

{
  "providers": {
    "ollama": {
      "baseUrl": "http://localhost:11434/v1",
      "api": "openai-completions",
      "apiKey": "ollama",
      "models": [
        { "id": "llama3.1:8b" },
        { "id": "qwen2.5-coder:7b" }
      ]
    }
  }
}

So, when in my home network, I could use

(base) builder@LuiGi:~/Workspaces$ cd piagent/
(base) builder@LuiGi:~/Workspaces/piagent$ ls
 commander_keen.png   cow.txt        'search?q=commander+keen&tbm=isch'
 commander_keen.txt   cow_ascii.txt   search_results.html
(base) builder@LuiGi:~/Workspaces/piagent$ cat ~/.pi/agent/
auth.json      bin/           models.json    sessions/      settings.json  skills/
(base) builder@LuiGi:~/Workspaces/piagent$ cat ~/.pi/agent/models.json

{
  "providers": {
    "ollama": {
      "baseUrl": "http://192.168.1.143:11434/v1",
      "api": "openai-completions",
      "apiKey": "ollama",
      "models": [
        { "id": "gemma3:4b" },
        { "id": "qwen3:8b" },
        { "id": "qwen2.5-coder:1.5b" },
        { "id": "llama3.1:8b" },
        { "id": "llama3.2:3b" },
        { "id": "deepseek-r1:7b" }
      ]
    }
  }
}

I tried asking gemma3 but it didn’t support tools. I then asked qwen3:8b and it just went out to lunch

However, qwen2.5-coder worked

I did find llama3.1:8b, while slow, did a pretty decent job

Those were using an Ollama on a dedicated host in network. I was curious how well a laptop with no real video card would handle an 8b

(base) builder@LuiGi:~/Workspaces/piagent$ ollama pull llama3.1:8b
pulling manifest
pulling 667b0c1932bc: 100% ▕█████████████████████████████████████████████████████▏ 4.9 GB
pulling 948af2743fc7: 100% ▕█████████████████████████████████████████████████████▏ 1.5 KB
pulling 0ba8f0e314b4: 100% ▕█████████████████████████████████████████████████████▏  12 KB
pulling 56bb8bd477a5: 100% ▕█████████████████████████████████████████████████████▏   96 B
pulling 455f34728c9b: 100% ▕█████████████████████████████████████████████████████▏  487 B
verifying sha256 digest
writing manifest
success

Then I switched up my models to use localhost

(base) builder@LuiGi:~/Workspaces/piagent$ vi ~/.pi/agent/models.json
(base) builder@LuiGi:~/Workspaces/piagent$ cat ~/.pi/agent/models.json

{
  "providers": {
    "ollama": {
      "baseUrl": "http://localhost:11434/v1",
      "api": "openai-completions",
      "apiKey": "ollama",
      "models": [
        { "id": "llama3.1:8b" }
      ]
    }
  }
}

It ran, and after about 10 minutes did display something

I tried a simple python app request

Again, on the LG Gram laptop it was slow, but it did work.

I’ll try on my laptop with a proper GPU

builder@builder-Lenny16:~/Workspaces/pitest$ cat ~/.pi/agent/models.json
{
  "providers": {
    "ollama": {
      "baseUrl": "http://localhost:11434/v1",
      "api": "openai-completions",
      "apiKey": "ollama",
      "models": [
        { "id": "mistral-nemo:12b-instruct-2407-q4_K_M" },
        { "id": "qwen2.5-coder:14b" },
        { "id": "gemma3:12b" },
        { "id": "deepseek-r1:14b" },
        { "id": "qwen3:14b" }
    }
  }
}

I did record it building an app, but it really failed at writing files the first time. Then got hung up on a python library that doesn’t exist.

Here you can see it with a local 14b model improve the UI.

note: it did leak the API key in the video above so I expired it right after

Mixed use

I had the idea of mixing things up. What if I built out the basic app with local models and Pi, then pivoted to Gemini CLI with Stitch to make it ‘pretty’.

I think that would be the most optimized on token use.

I stewed a bit on an idea before coming up with one.

The used to be an Adobe Air app, pomodorio that was this very clean minimalist UI that was reminiscent of WinAmp. I found it very useful. Too many pomodoro apps over complicate things or take the full screen. I need small.

To get this done though, I have a bit of housecleaning. I need to stash my skills, now that I’m actually using them in my regular flow.

I’ll create a private repo in my own Git system (Forgejo)

Part of my flow is to let an admin create repos and then invite my lower privileged user to collaborate

I’m going to try and do this in a plan to plan to do approach.

So that means making an initial plan:

$ cat plan.md
---
name: implementation-planner
description: Creates detailed implementation plans for new features.
prompt: You are an expert software planner. Your task is to generate a comprehensive plan in markdown format.
tools:
  - name: FileSystem
    actions: [read, search]
---

# Plan Request

This app should create a 25 minute timer with 5 minute rest period in the form of the Pomodoro technique.

Required features:
- light/dark mode
- settings with
  - changes to default work/rest times
  - ability to set notification sound (or disable)
  - size (scale with font and UI from 50% to 200% size).

This should build self contained with a dockerfile.

This app should allow download and upload of planned tasks and track "pom"s on each task completed.  we can mark tasks closed.  The input and output should be in a JSON format.

# required outputs

Dockerfile for the app
Helm chart to install the app with
- deployment
- service
- option ingress with annotations

## UI

The UI should be simple and angular based on the original WinAmp style (https://en.wikipedia.org/wiki/Winamp)

We should have a few options for color themes

I fired it up and it went really quite fast

I saw it made some form of an app, tests and dockerfile, but no evidence of a helm chart

It did more on a second pass, but still left some things out

I spent another 5 minutes in Gemini CLI letting it do cleanup and work which didn’t use that many tokens

I continued to test and make minor improvements with Gemini - adding a proper whip sound then fixing the helm chart

Launching in Kubernetes

Now that I have an app, I want to actually test it in my hosted environment.

I need a quick A record first

$ az account set --subscription "Pay-As-You-Go" && az network dns record-set a add-record -g idjdnsrg -z tpk.pw -a 76.156.69.232 -n pomo
{
  "ARecords": [
    {
      "ipv4Address": "76.156.69.232"
    }
  ],
  "TTL": 3600,
  "etag": "1aec837a-3d39-47c8-929d-756b65cbedaa",
  "fqdn": "pomo.tpk.pw.",
  "id": "/subscriptions/d955c0ba-13dc-44cf-a29a-8fed74cbb22d/resourceGroups/idjdnsrg/providers/Microsoft.Network/dnszones/tpk.pw/A/pomo",
  "name": "pomo",
  "provisioningState": "Succeeded",
  "resourceGroup": "idjdnsrg",
  "targetResource": {},
  "trafficManagementProfile": {},
  "type": "Microsoft.Network/dnszones/A"
}

I pushed my container to Dockerhub

and after a quick helm deploy, I had a pretty good functional app

You are welcome to use the app as it’s now hosted at pomo.tpk.pw.

Also, because caring is sharing, I put all the code into Github: https://github.com/idjohnson/pomoApp.

Summary

Thus far Pi looks like a pretty good local tool. I get annoyed that it sometimes fails to write files, but seems to do fine after the files are initially laid down.

I found it’s pretty performant on decent hardware. Yes, that is like saying sports cars go fast, but it’s worth noting that on my Lenovo Legion with a 12gb 5070 it runs smooth, but on the LG Gram with just CPU its a good 10+ minute wait.

This isn’t a deal breaker, however, there are times I’m just happy to ask the LLM to do some work and then set the laptop down and watch a show or get back to other work.

I want to explore pushing the limits of tools next. As we know, the downside to local models is they get out of date and have fixed knowledge. Making sure they can reach out to the interwebs and fetch latest data is key to really making them useful.

However, I plan to definitely keep Pi in my stack as writing tools or coming up with ideas when I’m either offline or in low internet areas is quite useful.

Homelab tweaks: Kubeconfigs and ext IPs

2026-03-24T10:00:01+00:00

One of my challenges is that with rapid experimentation, especially in blasting and redoing my varied Kubernetes clusters, the management of my Kubernetes config files on all my laptops was getting a bit challenging.

A while back I had created a perl script that used to work but frankly it fell down long ago and mangled the shared kubeconfig file.

I thought now might be a good time to both come up with a scalable solution to my hosts (using Ansible) and also notify me when my egress IP changes (as then I have to update my configs for a new IP).

A Better K8s Config

One of my challenges is that over time, my big kubeconfig gets to be a bit much.

My original design was to store a base64’ed version in AKV then pull it down on any laptop I might be using to access all my Kubernetes.

Something like

$ getpass.sh k3sremoteconfig idjakv | base64 --decode | tee ~/.kube/config

which really just does

$ az keyvault secret show --vault-name idjakv --name k3sremoteconfig --subscription Pay-As-You-Go | jq -r .value

note: you can find those scripts (setpass.sh, getpass.sh and listpass.sh) here

However, the combined config got too big for AKV and in the end, it’s mangled and gone

builder@DESKTOP-QADGF36:~/Workspaces$ getpass.sh k3sremoteconfig idjakv

Storing a different way

So I rethought it - really I just need the configs from primary and secondary.

This seems like a good job for a playbook with a script

First, I make a working script - this will find the hostid (4th part of an IPv4 address) then pull the k3s config and store it in AKV

Here is setk8s.sh

#!/bin/bash

# find my local IP
export MYIP=`ifconfig | grep 192.168.1 | head -n1 | sed 's/^.*inet \(.*\)  netmask.*/\1/' | tr -d '\n'`
export MYHOST=`ifconfig | grep 192.168.1 | head -n1 | sed 's/^.*inet 192.168.1.\(.*\)  netmask.*/\1/' |
 tr -d '\n'`

# create local int
cat /etc/rancher/k3s/k3s.yaml | sed "s/127.0.0.1/$MYIP/g" | tee /tmp/k8s-int

# save in AKV
az keyvault secret set --vault-name idjakv --name int$MYHOST-int --file /tmp/k8s-int

Then I need the playbook that will call it for my hosts

- name: Save AKV K8s Int
  hosts: all

  tasks:
  - name: Transfer the script
    copy: src=setk8s.sh dest=/tmp mode=0755

  - name: SaveThisK8sInt
    command: sh /tmp/setk8s.sh
    args:
      chdir: /tmp

Now I could just onboard this job to AWX and call it for each host (primary and secondary control-plane hosts), however it would be best as a general turnkey playbook so I made an inventory of just Kubernetes control-plane (master) hosts.

This might require re-authing to Azure

I could do better with my naming, but i know what it means. I can now see the two creds in AKV

$ listpass.sh idjakv | grep int
int247-int                                 https://idjakv.vault.azure.net/secrets/int247-int                                                                                                                                                                                                                      True
int77-int                                  https://idjakv.vault.azure.net/secrets/int77-int                                                                                                                                                                                                                       True

My old perl script worked for a while, but had hard-coded ports and servers - not really ideal.

This new setup doesn’t b64 the k8s configs, rather stores them as files as it’s just the single ones.

Not AI

So I don’t want to let my brain atrophy further by just letting some LLM write the code. I want to make this. I’ll use an LLM just if I get really stuck.

My first thought is to use yq to replace values.

I can fetch the old certificate authority data for both the “int” (internal URL) and “ext” (external URL) using ‘mac77’ and ‘ext77’.

$ cat ~/.kube/config | yq '.clusters[] | select (.name == "mac77") | .cluster."certificate-authority
-data"'
"TG9yZW0gaXBzdW0gZG9sb3Igc2l0IGFtZXQsIGNvbnNlY3RldHVyIGFkaXBpc2NpbmcgZWxpdCwgc2VkIGRvIGVpdXNtb2QgdGVtcG9yIGluY2lkaWR1bnQgdXQgbGFib3JlIGV0IGRvbG9yZSBtYWduYSBhbGlxdWEuIFV0IGVuaW0gYWQgbWluaW0gdmVuaWFtLCBxdWlzIG5vc3RydWQgZXhlcmNpdGF0aW9uIHVsbGFtY28gbGFib3JpcyBuaXNpIHV0IGFsaXF1aXAgZXggZWEgY29tbW9kbyBjb25zZXF1YXQuIER1aXMgYXV0ZSBpcnVyZSBkb2xvciBpbiByZXByZWhlbmRlcml0IGluIHZvbHVwdGF0ZSB2ZWxpdCBlc3NlIGNpbGx1bSBkb2xvcmUgZXUgZnVnaWF0IG51bGxhIHBhcmlhdHVyLiBFeGNlcHRldXIgc2ludCBvY2NhZWNhdCBjdXBpZGF0YXQgbm9uIHByb2lkZW50LCBzdW50IGluIGN1bHBhIHF1aSBvZmZpY2lhIGRlc2VydW50IG1vbGxpdCBhbmltIGlkIGVzdCBsYWJvcnVtCg=="

This might be even easier than I assumed.

I’ll set a variable to the old value

$ export OLDINT=`cat ~/.kube/config | yq -r '.clusters[] | select (.name == "ext77") | .cluster."certificate-authority-data"'`

Then one to my new value

$ export NEWINT=`getpass.sh int77-int idjakv | yq  -r '.clusters[0].cluster."certificate-authority-data"'`

I can now whip up a quick bash script to see if they are a match or different

$ cat ./test.sh
#!/bin/bash

OLDCERTAUTHDATA=`cat ~/.kube/config | yq -r '.clusters[] | select (.name == "mac77") | .cluster."certificate-authority-data"' | tr -d '\n'`
NEWCERTAUTHDATA=`az keyvault secret show --vault-name idjakv --name int77-int --subscription Pay-As-You-Go | jq -r .value | yq  -r '.clusters[0].cluster."certificate-authority-data"' | tr -d '\n'`

if [[ "$OLDCERTAUTHDATA" == "$NEWCERTAUTHDATA" ]]
then
  echo match
else
  echo different
fi

$ ./test.sh
different

And if it’s been updated

$ ./test.sh
match

Let’s now expand it to cover the user data as well

$ cat ./test.sh
#!/bin/bash

# Current Mapping
SECONDARYCPIP=77

OLDCERTAUTHDATA=`cat ~/.kube/config | yq -r '.clusters[] | select (.name == "mac77") | .cluster."certificate-authority-data"' | tr -d '\n'`
NEWCERTAUTHDATA=`az keyvault secret show --vault-name idjakv --name int$SECONDARYCPIP-int --subscription Pay-As-You-Go | jq -r .value | yq  -r '.clusters[0].cluster."certificate-authority-data"' | tr -d '\n'`

if [[ "$OLDCERTAUTHDATA" == "$NEWCERTAUTHDATA" ]]
then
  echo "cert auth data match"
else
  echo "cert auth data different"
fi

# Users

OLDCLIENTCERTDATA=`cat ~/.kube/config | yq -r '.users[] | select (.name == "mac77") | .user."client-certificate-data"' | tr -d '\n'`
NEWCLIENTCERTDATA=`az keyvault secret show --vault-name idjakv --name int77-int --subscription Pay-As-You-Go | jq -r .value | yq -r '.users[0].user."client-certificate-data"' | tr -d '\n'`

OLDCLIENTKEYDATA=`cat ~/.kube/config | yq -r '.users[] | select (.name == "mac77") | .user."client-key-data"' | tr -d '\n'`
NEWCLIENTKEYDATA=`az keyvault secret show --vault-name idjakv --name int77-int --subscription Pay-As-You-Go | jq -r .value | yq -r '.users[0].user."client-key-data"' | tr -d '\n'`


if [[ "$OLDCLIENTCERTDATA" == "$NEWCLIENTCERTDATA" ]]
then
  echo "client cert data match"
else
  echo "client cert data different"
fi

if [[ "$OLDCLIENTKEYDATA" == "$NEWCLIENTKEYDATA" ]]
then
  echo "client key data match"
else
  echo "client key data different"
fi

Since I know my latest local config is up to date, I expect matches

$ ./test.sh
cert auth data match
client cert data match
client key data match

My next step is to check both Internal and External blocks. I also fixed some hard-coded variables above

$ cat ./test.sh
#!/bin/bash

# Current Mapping
SECONDARYCPIP=77
SECONDARYINTNAME=mac77
SECONDARYEXTNAME=ext77

#####
# Secondary Int

echo "==========================="
echo " Checking $SECONDARYINTNAME "
echo "==========================="

OLDCERTAUTHDATA=`cat ~/.kube/config | yq -r ".clusters[] | select (.name == \"$SECONDARYINTNAME\") | .cluster.\"certificate-authority-data\"" | tr -d '\n'`
NEWCERTAUTHDATA=`az keyvault secret show --vault-name idjakv --name int$SECONDARYCPIP-int --subscription Pay-As-You-Go | jq -r .value | yq  -r '.clusters[0].cluster."certificate-authority-data"' | tr -d '\n'`

if [[ "$OLDCERTAUTHDATA" == "$NEWCERTAUTHDATA" ]]
then
  echo "cert auth data match"
else
  echo "cert auth data different"
fi

# Users

OLDCLIENTCERTDATA=`cat ~/.kube/config | yq -r ".users[] | select (.name == \"$SECONDARYINTNAME\") | .user.\"client-certificate-data\"" | tr -d '\n'`
NEWCLIENTCERTDATA=`az keyvault secret show --vault-name idjakv --name int$SECONDARYCPIP-int --subscription Pay-As-You-Go | jq -r .value | yq -r '.users[0].user."client-certificate-data"' | tr -d '\n'`

OLDCLIENTKEYDATA=`cat ~/.kube/config | yq -r ".users[] | select (.name == \"$SECONDARYINTNAME\") | .user.\"client-key-data\"" | tr -d '\n'`
NEWCLIENTKEYDATA=`az keyvault secret show --vault-name idjakv --name int$SECONDARYCPIP-int --subscription Pay-As-You-Go | jq -r .value | yq -r '.users[0].user."client-key-data"' | tr -d '\n'`


if [[ "$OLDCLIENTCERTDATA" == "$NEWCLIENTCERTDATA" ]]
then
  echo "client cert data match"
else
  echo "client cert data different"
fi

if [[ "$OLDCLIENTKEYDATA" == "$NEWCLIENTKEYDATA" ]]
then
  echo "client key data match"
else
  echo "client key data different"
fi

#####
# Secondary Int

echo "==========================="
echo " Checking $SECONDARYEXTNAME "
echo "==========================="

OLDCERTAUTHDATA=`cat ~/.kube/config | yq -r ".clusters[] | select (.name == \"$SECONDARYEXTNAME\") | .cluster.\"certificate-authority-data\"" | tr -d '\n'`
NEWCERTAUTHDATA=`az keyvault secret show --vault-name idjakv --name int$SECONDARYCPIP-int --subscription Pay-As-You-Go | jq -r .value | yq  -r '.clusters[0].cluster."certificate-authority-data"' | tr -d '\n'`

if [[ "$OLDCERTAUTHDATA" == "$NEWCERTAUTHDATA" ]]
then
  echo "cert auth data match"
else
  echo "cert auth data different"
fi

# Users

OLDCLIENTCERTDATA=`cat ~/.kube/config | yq -r ".users[] | select (.name == \"$SECONDARYEXTNAME\") | .user.\"client-certificate-data\"" | tr -d '\n'`
NEWCLIENTCERTDATA=`az keyvault secret show --vault-name idjakv --name int$SECONDARYCPIP-int --subscription Pay-As-You-Go | jq -r .value | yq -r '.users[0].user."client-certificate-data"' | tr -d '\n'`

OLDCLIENTKEYDATA=`cat ~/.kube/config | yq -r ".users[] | select (.name == \"$SECONDARYEXTNAME\") | .user.\"client-key-data\"" | tr -d '\n'`
NEWCLIENTKEYDATA=`az keyvault secret show --vault-name idjakv --name int$SECONDARYCPIP-int --subscription Pay-As-You-Go | jq -r .value | yq -r '.users[0].user."client-key-data"' | tr -d '\n'`


if [[ "$OLDCLIENTCERTDATA" == "$NEWCLIENTCERTDATA" ]]
then
  echo "client cert data match"
else
  echo "client cert data different"
fi

if [[ "$OLDCLIENTKEYDATA" == "$NEWCLIENTKEYDATA" ]]
then
  echo "client key data match"
else
  echo "client key data different"
fi

We can see our “ext” (external) block is in need of TLC

$ ./test.sh
===========================
 Checking mac77
===========================
cert auth data match
client cert data match
client key data match
===========================
 Checking ext77
===========================
cert auth data different
client cert data different
client key data different

Next I added updates with a backup. However, all the bash if else blocks are getting a bit long. I might need to make some functions soon

$ cat ./test.sh
#!/bin/bash

# Current Mapping
SECONDARYCPIP=77
SECONDARYINTNAME=mac77
SECONDARYEXTNAME=ext77

ACTIONIT=1

if [ "$ACTIONIT" -gt "0" ]; then
  echo "we going to action it"
  # backup current file
  export BKUPNAME="config.`date +%s`"
  cp ~/.kube/config ~/.kube/$BKUPNAME
  echo "current config backed up to ~/.kube/$BKUPNAME"
else
  echo "check only"
fi

#####
# Secondary Int

echo "==========================="
echo " Checking $SECONDARYINTNAME "
echo "==========================="

OLDCERTAUTHDATA=`cat ~/.kube/config | yq -r ".clusters[] | select (.name == \"$SECONDARYINTNAME\") | .cluster.\"certificate-authority-data\"" | tr -d '\n'`
NEWCERTAUTHDATA=`az keyvault secret show --vault-name idjakv --name int$SECONDARYCPIP-int --subscription Pay-As-You-Go | jq -r .value | yq  -r '.clusters[0].cluster."certificate-authority-data"' | tr -d '\n'`

if [[ "$OLDCERTAUTHDATA" == "$NEWCERTAUTHDATA" ]]
then
  echo "cert auth data match"
else
  if [ "$ACTIONIT" -gt "0" ]; then
    echo "cert auth data different. updating"
    sed -i "s/$OLDCERTAUTHDATA/$NEWCERTAUTHDATA/g" ~/.kube/config
  else
    echo "cert auth data different"
  fi
fi

# Users

OLDCLIENTCERTDATA=`cat ~/.kube/config | yq -r ".users[] | select (.name == \"$SECONDARYINTNAME\") | .user.\"client-certificate-data\"" | tr -d '\n'`
NEWCLIENTCERTDATA=`az keyvault secret show --vault-name idjakv --name int$SECONDARYCPIP-int --subscription Pay-As-You-Go | jq -r .value | yq -r '.users[0].user."client-certificate-data"' | tr -d '\n'`

OLDCLIENTKEYDATA=`cat ~/.kube/config | yq -r ".users[] | select (.name == \"$SECONDARYINTNAME\") | .user.\"client-key-data\"" | tr -d '\n'`
NEWCLIENTKEYDATA=`az keyvault secret show --vault-name idjakv --name int$SECONDARYCPIP-int --subscription Pay-As-You-Go | jq -r .value | yq -r '.users[0].user."client-key-data"' | tr -d '\n'`

if [[ "$OLDCLIENTCERTDATA" == "" ]]; then
  echo "No client cert data found for $SECONDARYINTNAME. skipping"
else
  if [[ "$OLDCLIENTCERTDATA" == "$NEWCLIENTCERTDATA" ]]
  then
    echo "client cert data match"
  else
    if [ "$ACTIONIT" -gt "0" ]; then
      echo "client cert data different. updating"
      sed -i "s/$OLDCLIENTCERTDATA/$NEWCLIENTCERTDATA/g" ~/.kube/config
    else
      echo "client cert data different."
    fi
  fi
fi

if [[ "$OLDCLIENTKEYDATA" == "" ]]; then
  echo "No client key data found for $SECONDARYINTNAME. skipping"
else
  if [[ "$OLDCLIENTKEYDATA" == "$NEWCLIENTKEYDATA" ]]
  then
    echo "client key data match"
  else
    if [ "$ACTIONIT" -gt "0" ]; then
      echo "client key data different. updating"
      sed -i "s/$OLDCLIENTKEYDATA/$NEWCLIENTKEYDATA/g" ~/.kube/config
    else
      echo "client key data different."
    fi
  fi
fi

#####
# Secondary Int

echo "==========================="
echo " Checking $SECONDARYEXTNAME "
echo "==========================="

OLDCERTAUTHDATA=`cat ~/.kube/config | yq -r ".clusters[] | select (.name == \"$SECONDARYEXTNAME\") | .cluster.\"certificate-authority-data\"" | tr -d '\n'`
NEWCERTAUTHDATA=`az keyvault secret show --vault-name idjakv --name int$SECONDARYCPIP-int --subscription Pay-As-You-Go | jq -r .value | yq  -r '.clusters[0].cluster."certificate-authority-data"' | tr -d '\n'`

if [[ "$OLDCERTAUTHDATA" == "$NEWCERTAUTHDATA" ]]
then
  echo "cert auth data match"
else
  if [ "$ACTIONIT" -gt "0" ]; then
    echo "cert auth data different. updating"
    sed -i "s/$OLDCERTAUTHDATA/$NEWCERTAUTHDATA/g" ~/.kube/config
  else
    echo "cert auth data different"
  fi
fi

# Users

OLDCLIENTCERTDATA=`cat ~/.kube/config | yq -r ".users[] | select (.name == \"$SECONDARYEXTNAME\") | .user.\"client-certificate-data\"" | tr -d '\n'`
NEWCLIENTCERTDATA=`az keyvault secret show --vault-name idjakv --name int$SECONDARYCPIP-int --subscription Pay-As-You-Go | jq -r .value | yq -r '.users[0].user."client-certificate-data"' | tr -d '\n'`

OLDCLIENTKEYDATA=`cat ~/.kube/config | yq -r ".users[] | select (.name == \"$SECONDARYEXTNAME\") | .user.\"client-key-data\"" | tr -d '\n'`
NEWCLIENTKEYDATA=`az keyvault secret show --vault-name idjakv --name int$SECONDARYCPIP-int --subscription Pay-As-You-Go | jq -r .value | yq -r '.users[0].user."client-key-data"' | tr -d '\n'`

if [[ "$OLDCLIENTCERTDATA" == "" ]]; then
  echo "No client cert data found for $SECONDARYEXTNAME. skipping"
else
  if [[ "$OLDCLIENTCERTDATA" == "$NEWCLIENTCERTDATA" ]]
  then
    echo "client cert data match"
  else
    if [ "$ACTIONIT" -gt "0" ]; then
      echo "client cert data different. updating"
      sed -i "s/$OLDCLIENTCERTDATA/$NEWCLIENTCERTDATA/g" ~/.kube/config
    else
      echo "client cert data different."
    fi
  fi
fi

if [[ "$OLDCLIENTKEYDATA" == "" ]]; then
  echo "No client key data found for $SECONDARYEXTNAME. skipping"
else
  if [[ "$OLDCLIENTKEYDATA" == "$NEWCLIENTKEYDATA" ]]
  then
    echo "client key data match"
  else
    if [ "$ACTIONIT" -gt "0" ]; then
      echo "client key data different. updating"
      sed -i "s/$OLDCLIENTKEYDATA/$NEWCLIENTKEYDATA/g" ~/.kube/config
    else
      echo "client key data different."
    fi
  fi
fi

This works just fine to update

$ ./test.sh
we going to action it
current config backed up to ~/.kube/config.1774349638
===========================
 Checking mac77
===========================
cert auth data match
client cert data match
client key data match
===========================
 Checking ext77
===========================
cert auth data match
No client cert data found for ext77. skipping
No client key data found for ext77. skipping

I realized there was one more piece I neglected - the external IP, which does change from time to time

$ kubectx ext77
Switched to context "ext77".
$ kubectl get nodes
E0324 05:56:49.548034   96004 memcache.go:265] "Unhandled Error" err="couldn't get current server API group list: Get \"https://75.72.233.202:22222/api?timeout=32s\": dial tcp 75.72.233.202:22222: i/o timeout"

I’ll add a block to test that, knowing that I always keep my harbor.freshbrewed.science updated (as without it, my blogging system falls down)

$ cat test.sh
#!/bin/bash

# Current Mapping
SECONDARYCPIP=77
SECONDARYINTNAME=mac77
SECONDARYEXTNAME=ext77

ACTIONIT=1

if [ "$ACTIONIT" -gt "0" ]; then
  echo "we going to action it"
  # backup current file
  export BKUPNAME="config.`date +%s`"
  cp ~/.kube/config ~/.kube/$BKUPNAME
  echo "current config backed up to ~/.kube/$BKUPNAME"
else
  echo "check only"
fi

#####
# Secondary Int

echo "==========================="
echo " Checking $SECONDARYINTNAME "
echo "==========================="

OLDCERTAUTHDATA=`cat ~/.kube/config | yq -r ".clusters[] | select (.name == \"$SECONDARYINTNAME\") | .cluster.\"certificate-authority-data\"" | tr -d '\n'`
NEWCERTAUTHDATA=`az keyvault secret show --vault-name idjakv --name int$SECONDARYCPIP-int --subscription Pay-As-You-Go | jq -r .value | yq  -r '.clusters[0].cluster."certificate-authority-data"' | tr -d '\n'`

if [[ "$OLDCERTAUTHDATA" == "$NEWCERTAUTHDATA" ]]
then
  echo "cert auth data match"
else
  if [ "$ACTIONIT" -gt "0" ]; then
    echo "cert auth data different. updating"
    sed -i "s/$OLDCERTAUTHDATA/$NEWCERTAUTHDATA/g" ~/.kube/config
  else
    echo "cert auth data different"
  fi
fi

# Users

OLDCLIENTCERTDATA=`cat ~/.kube/config | yq -r ".users[] | select (.name == \"$SECONDARYINTNAME\") | .user.\"client-certificate-data\"" | tr -d '\n'`
NEWCLIENTCERTDATA=`az keyvault secret show --vault-name idjakv --name int$SECONDARYCPIP-int --subscription Pay-As-You-Go | jq -r .value | yq -r '.users[0].user."client-certificate-data"' | tr -d '\n'`

OLDCLIENTKEYDATA=`cat ~/.kube/config | yq -r ".users[] | select (.name == \"$SECONDARYINTNAME\") | .user.\"client-key-data\"" | tr -d '\n'`
NEWCLIENTKEYDATA=`az keyvault secret show --vault-name idjakv --name int$SECONDARYCPIP-int --subscription Pay-As-You-Go | jq -r .value | yq -r '.users[0].user."client-key-data"' | tr -d '\n'`

if [[ "$OLDCLIENTCERTDATA" == "" ]]; then
  echo "No client cert data found for $SECONDARYINTNAME. skipping"
else
  if [[ "$OLDCLIENTCERTDATA" == "$NEWCLIENTCERTDATA" ]]
  then
    echo "client cert data match"
  else
    if [ "$ACTIONIT" -gt "0" ]; then
      echo "client cert data different. updating"
      sed -i "s/$OLDCLIENTCERTDATA/$NEWCLIENTCERTDATA/g" ~/.kube/config
    else
      echo "client cert data different."
    fi
  fi
fi

if [[ "$OLDCLIENTKEYDATA" == "" ]]; then
  echo "No client key data found for $SECONDARYINTNAME. skipping"
else
  if [[ "$OLDCLIENTKEYDATA" == "$NEWCLIENTKEYDATA" ]]
  then
    echo "client key data match"
  else
    if [ "$ACTIONIT" -gt "0" ]; then
      echo "client key data different. updating"
      sed -i "s/$OLDCLIENTKEYDATA/$NEWCLIENTKEYDATA/g" ~/.kube/config
    else
      echo "client key data different."
    fi
  fi
fi

#####
# Secondary Ext

echo "==========================="
echo " Checking $SECONDARYEXTNAME "
echo "==========================="

MYEXTIP=`dig +short A harbor.freshbrewed.science | tr -d '\n'`
OLDEXTIP=`cat ~/.kube/config | yq -r ".clusters[] | select (.name == \"$SECONDARYEXTNAME\") | .cluster.server" | sed 's/^.*:\/\///' | sed 's/:.*//' | tr -d '\n'`

if [[ "$OLDEXTIP" == "$MYEXTIP" ]]
then
  echo "ext IPs are a match"
else
  if [ "$ACTIONIT" -gt "0" ]; then
    echo "ext IPs are different: Old $OLDEXTIP and new $MYEXTIP. updating"
    sed -i "s/$OLDEXTIP/$MYEXTIP/g" ~/.kube/config
  else
    echo "ext IPs are different: Old $OLDEXTIP and new $MYEXTIP"
  fi
fi

OLDCERTAUTHDATA=`cat ~/.kube/config | yq -r ".clusters[] | select (.name == \"$SECONDARYEXTNAME\") | .cluster.\"certificate-authority-data\"" | tr -d '\n'`
NEWCERTAUTHDATA=`az keyvault secret show --vault-name idjakv --name int$SECONDARYCPIP-int --subscription Pay-As-You-Go | jq -r .value | yq  -r '.clusters[0].cluster."certificate-authority-data"' | tr -d '\n'`

if [[ "$OLDCERTAUTHDATA" == "$NEWCERTAUTHDATA" ]]
then
  echo "cert auth data match"
else
  if [ "$ACTIONIT" -gt "0" ]; then
    echo "cert auth data different. updating"
    sed -i "s/$OLDCERTAUTHDATA/$NEWCERTAUTHDATA/g" ~/.kube/config
  else
    echo "cert auth data different"
  fi
fi

# Users

OLDCLIENTCERTDATA=`cat ~/.kube/config | yq -r ".users[] | select (.name == \"$SECONDARYEXTNAME\") | .user.\"client-certificate-data\"" | tr -d '\n'`
NEWCLIENTCERTDATA=`az keyvault secret show --vault-name idjakv --name int$SECONDARYCPIP-int --subscription Pay-As-You-Go | jq -r .value | yq -r '.users[0].user."client-certificate-data"' | tr -d '\n'`

OLDCLIENTKEYDATA=`cat ~/.kube/config | yq -r ".users[] | select (.name == \"$SECONDARYEXTNAME\") | .user.\"client-key-data\"" | tr -d '\n'`
NEWCLIENTKEYDATA=`az keyvault secret show --vault-name idjakv --name int$SECONDARYCPIP-int --subscription Pay-As-You-Go | jq -r .value | yq -r '.users[0].user."client-key-data"' | tr -d '\n'`

if [[ "$OLDCLIENTCERTDATA" == "" ]]; then
  echo "No client cert data found for $SECONDARYEXTNAME. skipping"
else
  if [[ "$OLDCLIENTCERTDATA" == "$NEWCLIENTCERTDATA" ]]
  then
    echo "client cert data match"
  else
    if [ "$ACTIONIT" -gt "0" ]; then
      echo "client cert data different. updating"
      sed -i "s/$OLDCLIENTCERTDATA/$NEWCLIENTCERTDATA/g" ~/.kube/config
    else
      echo "client cert data different."
    fi
  fi
fi

if [[ "$OLDCLIENTKEYDATA" == "" ]]; then
  echo "No client key data found for $SECONDARYEXTNAME. skipping"
else
  if [[ "$OLDCLIENTKEYDATA" == "$NEWCLIENTKEYDATA" ]]
  then
    echo "client key data match"
  else
    if [ "$ACTIONIT" -gt "0" ]; then
      echo "client key data different. updating"
      sed -i "s/$OLDCLIENTKEYDATA/$NEWCLIENTKEYDATA/g" ~/.kube/config
    else
      echo "client key data different."
    fi
  fi
fi

Let’s test

$ ./test.sh
we going to action it
current config backed up to ~/.kube/config.1774350306
===========================
 Checking mac77
===========================
cert auth data match
client cert data match
client key data match
===========================
 Checking ext77
===========================
ext IPs are different: Old 75.72.233.202 and new 76.156.69.232. updating
cert auth data match
No client cert data found for ext77. skipping
No client key data found for ext77. skipping
$ kubectx ext77
Switched to context "ext77".
$ kubectl get nodes
NAME                    STATUS   ROLES           AGE     VERSION
builder-macbookpro8-1   Ready              5d21h   v1.35.1+k3s1
builder-macbookpro8-2   Ready              2d15h   v1.35.1+k3s1
isaac-macbookair        Ready    control-plane   6d10h   v1.35.1+k3s1

My next issue is I need to repeat all this for int247-int which is really int33 and ext33 in my kubeconfig, again, for historical reasons.

Now, this next block, which is just too damn long, does work

$ cat ./test.sh
#!/bin/bash

# Current Mapping
SECONDARYCPIP=77
SECONDARYINTNAME=mac77
SECONDARYEXTNAME=ext77

ACTIONIT=1

if [ "$ACTIONIT" -gt "0" ]; then
  echo "we going to action it"
  # backup current file
  export BKUPNAME="config.`date +%s`"
  cp ~/.kube/config ~/.kube/$BKUPNAME
  echo "current config backed up to ~/.kube/$BKUPNAME"
else
  echo "check only"
fi

#####
# Secondary Int

echo "==========================="
echo " Checking $SECONDARYINTNAME "
echo "==========================="

OLDCERTAUTHDATA=`cat ~/.kube/config | yq -r ".clusters[] | select (.name == \"$SECONDARYINTNAME\") | .cluster.\"certificate-authority-data\"" | tr -d '\n'`
NEWCERTAUTHDATA=`az keyvault secret show --vault-name idjakv --name int$SECONDARYCPIP-int --subscription Pay-As-You-Go | jq -r .value | yq  -r '.clusters[0].cluster."certificate-authority-data"' | tr -d '\n'`

if [[ "$OLDCERTAUTHDATA" == "$NEWCERTAUTHDATA" ]]
then
  echo "cert auth data match"
else
  if [ "$ACTIONIT" -gt "0" ]; then
    echo "cert auth data different. updating"
    sed -i "s/$OLDCERTAUTHDATA/$NEWCERTAUTHDATA/g" ~/.kube/config
  else
    echo "cert auth data different"
  fi
fi

# Users

OLDCLIENTCERTDATA=`cat ~/.kube/config | yq -r ".users[] | select (.name == \"$SECONDARYINTNAME\") | .user.\"client-certificate-data\"" | tr -d '\n'`
NEWCLIENTCERTDATA=`az keyvault secret show --vault-name idjakv --name int$SECONDARYCPIP-int --subscription Pay-As-You-Go | jq -r .value | yq -r '.users[0].user."client-certificate-data"' | tr -d '\n'`

OLDCLIENTKEYDATA=`cat ~/.kube/config | yq -r ".users[] | select (.name == \"$SECONDARYINTNAME\") | .user.\"client-key-data\"" | tr -d '\n'`
NEWCLIENTKEYDATA=`az keyvault secret show --vault-name idjakv --name int$SECONDARYCPIP-int --subscription Pay-As-You-Go | jq -r .value | yq -r '.users[0].user."client-key-data"' | tr -d '\n'`

if [[ "$OLDCLIENTCERTDATA" == "" ]]; then
  echo "No client cert data found for $SECONDARYINTNAME. skipping"
else
  if [[ "$OLDCLIENTCERTDATA" == "$NEWCLIENTCERTDATA" ]]
  then
    echo "client cert data match"
  else
    if [ "$ACTIONIT" -gt "0" ]; then
      echo "client cert data different. updating"
      sed -i "s/$OLDCLIENTCERTDATA/$NEWCLIENTCERTDATA/g" ~/.kube/config
    else
      echo "client cert data different."
    fi
  fi
fi

if [[ "$OLDCLIENTKEYDATA" == "" ]]; then
  echo "No client key data found for $SECONDARYINTNAME. skipping"
else
  if [[ "$OLDCLIENTKEYDATA" == "$NEWCLIENTKEYDATA" ]]
  then
    echo "client key data match"
  else
    if [ "$ACTIONIT" -gt "0" ]; then
      echo "client key data different. updating"
      sed -i "s/$OLDCLIENTKEYDATA/$NEWCLIENTKEYDATA/g" ~/.kube/config
    else
      echo "client key data different."
    fi
  fi
fi

#####
# Secondary Ext

echo "==========================="
echo " Checking $SECONDARYEXTNAME "
echo "==========================="

MYEXTIP=`dig +short A harbor.freshbrewed.science | tr -d '\n'`
OLDEXTIP=`cat ~/.kube/config | yq -r ".clusters[] | select (.name == \"$SECONDARYEXTNAME\") | .cluster.server" | sed 's/^.*:\/\///' | sed 's/:.*//' | tr -d '\n'`

if [[ "$OLDEXTIP" == "$MYEXTIP" ]]
then
  echo "ext IPs are a match"
else
  if [ "$ACTIONIT" -gt "0" ]; then
    echo "ext IPs are different: Old $OLDEXTIP and new $MYEXTIP. updating"
    sed -i "s/$OLDEXTIP/$MYEXTIP/g" ~/.kube/config
  else
    echo "ext IPs are different: Old $OLDEXTIP and new $MYEXTIP"
  fi
fi

OLDCERTAUTHDATA=`cat ~/.kube/config | yq -r ".clusters[] | select (.name == \"$SECONDARYEXTNAME\") | .cluster.\"certificate-authority-data\"" | tr -d '\n'`
NEWCERTAUTHDATA=`az keyvault secret show --vault-name idjakv --name int$SECONDARYCPIP-int --subscription Pay-As-You-Go | jq -r .value | yq  -r '.clusters[0].cluster."certificate-authority-data"' | tr -d '\n'`

if [[ "$OLDCERTAUTHDATA" == "$NEWCERTAUTHDATA" ]]
then
  echo "cert auth data match"
else
  if [ "$ACTIONIT" -gt "0" ]; then
    echo "cert auth data different. updating"
    sed -i "s/$OLDCERTAUTHDATA/$NEWCERTAUTHDATA/g" ~/.kube/config
  else
    echo "cert auth data different"
  fi
fi

# Users

OLDCLIENTCERTDATA=`cat ~/.kube/config | yq -r ".users[] | select (.name == \"$SECONDARYEXTNAME\") | .user.\"client-certificate-data\"" | tr -d '\n'`
NEWCLIENTCERTDATA=`az keyvault secret show --vault-name idjakv --name int$SECONDARYCPIP-int --subscription Pay-As-You-Go | jq -r .value | yq -r '.users[0].user."client-certificate-data"' | tr -d '\n'`

OLDCLIENTKEYDATA=`cat ~/.kube/config | yq -r ".users[] | select (.name == \"$SECONDARYEXTNAME\") | .user.\"client-key-data\"" | tr -d '\n'`
NEWCLIENTKEYDATA=`az keyvault secret show --vault-name idjakv --name int$SECONDARYCPIP-int --subscription Pay-As-You-Go | jq -r .value | yq -r '.users[0].user."client-key-data"' | tr -d '\n'`

if [[ "$OLDCLIENTCERTDATA" == "" ]]; then
  echo "No client cert data found for $SECONDARYEXTNAME. skipping"
else
  if [[ "$OLDCLIENTCERTDATA" == "$NEWCLIENTCERTDATA" ]]
  then
    echo "client cert data match"
  else
    if [ "$ACTIONIT" -gt "0" ]; then
      echo "client cert data different. updating"
      sed -i "s/$OLDCLIENTCERTDATA/$NEWCLIENTCERTDATA/g" ~/.kube/config
    else
      echo "client cert data different."
    fi
  fi
fi

if [[ "$OLDCLIENTKEYDATA" == "" ]]; then
  echo "No client key data found for $SECONDARYEXTNAME. skipping"
else
  if [[ "$OLDCLIENTKEYDATA" == "$NEWCLIENTKEYDATA" ]]
  then
    echo "client key data match"
  else
    if [ "$ACTIONIT" -gt "0" ]; then
      echo "client key data different. updating"
      sed -i "s/$OLDCLIENTKEYDATA/$NEWCLIENTKEYDATA/g" ~/.kube/config
    else
      echo "client key data different."
    fi
  fi
fi

# Current Mapping
PRIMARYCPIP=247
PRIMARYINTNAME=int33
PRIMARYEXTNAME=ext33

#####
# Primary Int

echo "==========================="
echo " Checking $PRIMARYINTNAME "
echo "==========================="

OLDCERTAUTHDATA=`cat ~/.kube/config | yq -r ".clusters[] | select (.name == \"$PRIMARYINTNAME\") | .cluster.\"certificate-authority-data\"" | tr -d '\n'`
NEWCERTAUTHDATA=`az keyvault secret show --vault-name idjakv --name int$PRIMARYCPIP-int --subscription Pay-As-You-Go | jq -r .value | yq  -r '.clusters[0].cluster."certificate-authority-data"' | tr -d '\n'`

if [[ "$OLDCERTAUTHDATA" == "$NEWCERTAUTHDATA" ]]
then
  echo "cert auth data match"
else
  if [ "$ACTIONIT" -gt "0" ]; then
    echo "cert auth data different. updating"
    sed -i "s/$OLDCERTAUTHDATA/$NEWCERTAUTHDATA/g" ~/.kube/config
  else
    echo "cert auth data different"
  fi
fi

# Users

OLDCLIENTCERTDATA=`cat ~/.kube/config | yq -r ".users[] | select (.name == \"$PRIMARYINTNAME\") | .user.\"client-certificate-data\"" | tr -d '\n'`
NEWCLIENTCERTDATA=`az keyvault secret show --vault-name idjakv --name int$PRIMARYCPIP-int --subscription Pay-As-You-Go | jq -r .value | yq -r '.users[0].user."client-certificate-data"' | tr -d '\n'`

OLDCLIENTKEYDATA=`cat ~/.kube/config | yq -r ".users[] | select (.name == \"$PRIMARYINTNAME\") | .user.\"client-key-data\"" | tr -d '\n'`
NEWCLIENTKEYDATA=`az keyvault secret show --vault-name idjakv --name int$PRIMARYCPIP-int --subscription Pay-As-You-Go | jq -r .value | yq -r '.users[0].user."client-key-data"' | tr -d '\n'`

if [[ "$OLDCLIENTCERTDATA" == "" ]]; then
  echo "No client cert data found for $PRIMARYINTNAME. skipping"
else
  if [[ "$OLDCLIENTCERTDATA" == "$NEWCLIENTCERTDATA" ]]
  then
    echo "client cert data match"
  else
    if [ "$ACTIONIT" -gt "0" ]; then
      echo "client cert data different. updating"
      sed -i "s/$OLDCLIENTCERTDATA/$NEWCLIENTCERTDATA/g" ~/.kube/config
    else
      echo "client cert data different."
    fi
  fi
fi

if [[ "$OLDCLIENTKEYDATA" == "" ]]; then
  echo "No client key data found for $PRIMARYINTNAME. skipping"
else
  if [[ "$OLDCLIENTKEYDATA" == "$NEWCLIENTKEYDATA" ]]
  then
    echo "client key data match"
  else
    if [ "$ACTIONIT" -gt "0" ]; then
      echo "client key data different. updating"
      sed -i "s/$OLDCLIENTKEYDATA/$NEWCLIENTKEYDATA/g" ~/.kube/config
    else
      echo "client key data different."
    fi
  fi
fi

#####
# Primary Ext

echo "==========================="
echo " Checking $PRIMARYEXTNAME "
echo "==========================="

MYEXTIP=`dig +short A harbor.freshbrewed.science | tr -d '\n'`
OLDEXTIP=`cat ~/.kube/config | yq -r ".clusters[] | select (.name == \"$PRIMARYEXTNAME\") | .cluster.server" | sed 's/^.*:\/\///' | sed 's/:.*//' | tr -d '\n'`

if [[ "$OLDEXTIP" == "$MYEXTIP" ]]
then
  echo "ext IPs are a match"
else
  if [ "$ACTIONIT" -gt "0" ]; then
    echo "ext IPs are different: Old $OLDEXTIP and new $MYEXTIP. updating"
    sed -i "s/$OLDEXTIP/$MYEXTIP/g" ~/.kube/config
  else
    echo "ext IPs are different: Old $OLDEXTIP and new $MYEXTIP"
  fi
fi

OLDCERTAUTHDATA=`cat ~/.kube/config | yq -r ".clusters[] | select (.name == \"$PRIMARYEXTNAME\") | .cluster.\"certificate-authority-data\"" | tr -d '\n'`
NEWCERTAUTHDATA=`az keyvault secret show --vault-name idjakv --name int$PRIMARYCPIP-int --subscription Pay-As-You-Go | jq -r .value | yq  -r '.clusters[0].cluster."certificate-authority-data"' | tr -d '\n'`

if [[ "$OLDCERTAUTHDATA" == "$NEWCERTAUTHDATA" ]]
then
  echo "cert auth data match"
else
  if [ "$ACTIONIT" -gt "0" ]; then
    echo "cert auth data different. updating"
    sed -i "s/$OLDCERTAUTHDATA/$NEWCERTAUTHDATA/g" ~/.kube/config
  else
    echo "cert auth data different"
  fi
fi

# Users

OLDCLIENTCERTDATA=`cat ~/.kube/config | yq -r ".users[] | select (.name == \"$PRIMARYEXTNAME\") | .user.\"client-certificate-data\"" | tr -d '\n'`
NEWCLIENTCERTDATA=`az keyvault secret show --vault-name idjakv --name int$PRIMARYCPIP-int --subscription Pay-As-You-Go | jq -r .value | yq -r '.users[0].user."client-certificate-data"' | tr -d '\n'`

OLDCLIENTKEYDATA=`cat ~/.kube/config | yq -r ".users[] | select (.name == \"$PRIMARYEXTNAME\") | .user.\"client-key-data\"" | tr -d '\n'`
NEWCLIENTKEYDATA=`az keyvault secret show --vault-name idjakv --name int$PRIMARYCPIP-int --subscription Pay-As-You-Go | jq -r .value | yq -r '.users[0].user."client-key-data"' | tr -d '\n'`

if [[ "$OLDCLIENTCERTDATA" == "" ]]; then
  echo "No client cert data found for $PRIMARYEXTNAME. skipping"
else
  if [[ "$OLDCLIENTCERTDATA" == "$NEWCLIENTCERTDATA" ]]
  then
    echo "client cert data match"
  else
    if [ "$ACTIONIT" -gt "0" ]; then
      echo "client cert data different. updating"
      sed -i "s/$OLDCLIENTCERTDATA/$NEWCLIENTCERTDATA/g" ~/.kube/config
    else
      echo "client cert data different."
    fi
  fi
fi

if [[ "$OLDCLIENTKEYDATA" == "" ]]; then
  echo "No client key data found for $PRIMARYEXTNAME. skipping"
else
  if [[ "$OLDCLIENTKEYDATA" == "$NEWCLIENTKEYDATA" ]]
  then
    echo "client key data match"
  else
    if [ "$ACTIONIT" -gt "0" ]; then
      echo "client key data different. updating"
      sed -i "s/$OLDCLIENTKEYDATA/$NEWCLIENTKEYDATA/g" ~/.kube/config
    else
      echo "client key data different."
    fi
  fi
fi

We can see it does the job

$ ./test.sh
we going to action it
current config backed up to ~/.kube/config.1774350712
===========================
 Checking mac77
===========================
cert auth data match
client cert data match
client key data match
===========================
 Checking ext77
===========================
ext IPs are a match
cert auth data match
No client cert data found for ext77. skipping
No client key data found for ext77. skipping
===========================
 Checking int33
===========================
cert auth data match
client cert data match
client key data match
===========================
 Checking ext33
===========================
ext IPs are a match
cert auth data match
No client cert data found for ext33. skipping
No client key data found for ext33. skipping

But seriously, that is a gnarly long unoptimized script.

A little touch of LLM help

I copied over the ++verbose script to a new folder

builder@DESKTOP-QADGF36:~/Workspaces/jekyll-blog$ cd ..
builder@DESKTOP-QADGF36:~/Workspaces$ mkdir k8scheck
builder@DESKTOP-QADGF36:~/Workspaces$ cd k8scheck/
builder@DESKTOP-QADGF36:~/Workspaces/k8scheck$ cp ../jekyll-blog/test.sh
cp: missing destination file operand after '../jekyll-blog/test.sh'
Try 'cp --help' for more information.
builder@DESKTOP-QADGF36:~/Workspaces/k8scheck$ cp ../jekyll-blog/test.sh ./checkandfix.sh
builder@DESKTOP-QADGF36:~/Workspaces/k8scheck$ ls
checkandfix.sh

I asked Gemini CLI for help

My @checkandfix.sh works, however it is very unoptimized with lots of repeated blocks.  Please clean this script up with a focus on optimizing
   and reuse.  Add comments to any created functions or subroutines.

What is usually really quite fast took nearly 2 minutes

It also failed to update the file. So i had to grab the output from the console and do it myself.

$ cat ./checkandfix.sh
#!/bin/bash

# Configuration
VAULT_NAME="idjakv"
SUBSCRIPTION="Pay-As-You-Go"
KUBECONFIG="$HOME/.kube/config"
ACTIONIT=1

# --- Functions ---

# Backs up the current kubeconfig if ACTIONIT is set
backup_config() {
    if [ "$ACTIONIT" -gt "0" ]; then
        local backup_name="config.$(date +%s)"
        cp "$KUBECONFIG" "$HOME/.kube/$backup_name"
        echo "Current config backed up to ~/.kube/$backup_name"
    else
        echo "Check-only mode. No backup created."
    fi
}

# Compares old and new data and updates the config using sed if ACTIONIT is set
# Usage: check_and_update   
check_and_update() {
    local label="$1"
    local old_val="$2"
    local new_val="$3"

    if [[ -z "$old_val" ]]; then
        echo "No $label found. Skipping."
        return
    fi

    if [[ "$old_val" == "$new_val" ]]; then
        echo "$label matches."
    else
        if [ "$ACTIONIT" -gt "0" ]; then
            echo "$label different. Updating..."
            # Using | as delimiter in case values contain /
            sed -i "s|$old_val|$new_val|g" "$KUBECONFIG"
        else
            echo "$label different."
        fi
    fi
}

# Processes a specific cluster context (Cluster and User entries)
# Usage: process_context   
process_context() {
    local name="$1"
    local secret_data="$2"
    local is_ext="$3"

    echo "==========================="
    echo " Checking $name "
    echo "==========================="

    # 1. Handle IP check for external endpoints
    if [[ "$is_ext" == "true" ]]; then
        local my_ext_ip=$(dig +short A harbor.freshbrewed.science | tr -d '\n')
        local old_ext_ip=$(yq -r ".clusters[] | select (.name == \"$name\") | .cluster.server" "$KUBECONFIG" | sed 's|^.*://||;s|:.*||' | tr -d '\n')

        if [[ "$old_ext_ip" == "$my_ext_ip" ]]; then
            echo "Ext IPs are a match."
        else
            if [ "$ACTIONIT" -gt "0" ]; then
                echo "Ext IPs differ: Old $old_ext_ip, New $my_ext_ip. Updating..."
                sed -i "s|$old_ext_ip|$my_ext_ip|g" "$KUBECONFIG"
            else
                echo "Ext IPs differ: Old $old_ext_ip, New $my_ext_ip."
            fi
        fi
    fi

    # 2. Extract current data from kubeconfig
    local old_ca=$(yq -r ".clusters[] | select (.name == \"$name\") | .cluster.\"certificate-authority-data\"" "$KUBECONFIG" | tr -d '\n')
    local old_cert=$(yq -r ".users[] | select (.name == \"$name\") | .user.\"client-certificate-data\"" "$KUBECONFIG" | tr -d '\n')
    local old_key=$(yq -r ".users[] | select (.name == \"$name\") | .user.\"client-key-data\"" "$KUBECONFIG" | tr -d '\n')

    # 3. Extract new data from the secret (passed as a string)
    local new_ca=$(echo "$secret_data" | yq -r '.clusters[0].cluster."certificate-authority-data"' | tr -d '\n')
    local new_cert=$(echo "$secret_data" | yq -r '.users[0].user."client-certificate-data"' | tr -d '\n')
    local new_key=$(echo "$secret_data" | yq -r '.users[0].user."client-key-data"' | tr -d '\n')

    # 4. Perform comparisons and updates
    check_and_update "Cert auth data" "$old_ca" "$new_ca"
    check_and_update "Client cert data" "$old_cert" "$new_cert"
    check_and_update "Client key data" "$old_key" "$new_key"
}

# --- Main Logic ---

backup_config

# Targets array format: "CPIP_SUFFIX:INT_NAME:EXT_NAME"
targets=(
    "77:mac77:ext77"
    "247:int33:ext33"
)

for target in "${targets[@]}"; do
    IFS=":" read -r cpip int_name ext_name <<< "$target"

    echo "Fetching secret for IP suffix $cpip..."
    # Fetch the secret once per cluster set to optimize API calls
    secret_json=$(az keyvault secret show --vault-name "$VAULT_NAME" --name "int$cpip-int" --subscription "$SUBSCRIPTION" | jq -r .value)

    if [[ -z "$secret_json" ]]; then
        echo "Error: Could not retrieve secret for $cpip. Skipping."
        continue
    fi

    process_context "$int_name" "$secret_json" "false"
    process_context "$ext_name" "$secret_json" "true"
done

This works

$ ./checkandfix.sh
Current config backed up to ~/.kube/config.1774351669
Fetching secret for IP suffix 77...
===========================
 Checking mac77
===========================
Cert auth data matches.
Client cert data matches.
Client key data matches.
===========================
 Checking ext77
===========================
Ext IPs are a match.
Cert auth data matches.
No Client cert data found. Skipping.
No Client key data found. Skipping.
Fetching secret for IP suffix 247...
===========================
 Checking int33
===========================
Cert auth data matches.
Client cert data matches.
Client key data matches.
===========================
 Checking ext33
===========================
Ext IPs are a match.
Cert auth data matches.
No Client cert data found. Skipping.
No Client key data found. Skipping.

I’m just a little bit disappointed in Gemini CLI for being slow and not writing files.

Knowing when IP shifts happen

I have a script for updating Route53, but not Google DNS (steeped.icu) nor Azure DNS (tpk.pw)

I also have a script for just testing if my IP changed and turning on a light bulb in my office

#!/bin/bash 

MYIP="`host -4 myip.opendns.com resolver1.opendns.com | tail -n1 | sed 's/.* //' | tr -d '\n'`"
HARBOR="`host -4 harbor.freshbrewed.science resolver1.opendns.com | tail -n1 | sed 's/.* //' | tr -d '\n'`"

if [ "$MYIP" = "$HARBOR" ]; then
   echo "Strings are Equal . $MYIP matches $HARBOR"
else
   echo "IP CHANGED!  Harbor $HARBOR does not match local $MYIP"
   wget "https://kasarest.freshbrewed.science/on?devip=192.168.1.24&apikey=$1"
   exit 1
fi

I want to start by using Gotify for this.

I’ll make a new app for AWX

Back in February, we wrote about GCP OpenTelemetry and in that article, to prove the idea, i created a “GotifyMe” app which we can now use. (exposed as https://notify.tpk.pw/)

Because this is a FastAPI based app, we can check redoc for it and see the POST should be easy

$ curl -X POST -H 'Content-Type: application/json' https://notify.tpk.pw/
notify -d '{"title": "AWX: homelab IP change", "message": "IP changed from x.x.x.x to y.y.y.y", "priority": 5, "password": "xxxx"}'
{"status":"success","data":{"id":59,"appid":2,"message":"IP changed from x.x.x.x to y.y.y.y","title":"AWX: homelab IP change","priority":5,"date":"2026-03-24T11:57:01.32987876Z"}}

And i can see that fired through

I’ll update the quick test playbook which really hasn’t been used in a long time

builder@DESKTOP-QADGF36:~/Workspaces/ansible-playbooks$ cat testNewIp.sh
#!/bin/bash

export NOTIFYPASS=$1

MYIP="`host -4 myip.opendns.com resolver1.opendns.com | tail -n1 | sed 's/.* //' | tr -d '\n'`"
HARBOR="`host -4 harbor.freshbrewed.science resolver1.opendns.com | tail -n1 | sed 's/.* //' | tr -d '\n'`"

if [ "$MYIP" = "$HARBOR" ]; then
   echo "Strings are Equal . $MYIP matches $HARBOR"

   # Notify
   curl -X POST -H 'Content-Type: application/json' https://notify.tpk.pw/notify -d "{\"title\": \"AWX: homelab IP STILL GOOD\", \\"message\": \"IP of h.f.s is $HARBOR and egress is still $MYIP\", \"priority\": 5, \"password\": \"$NOTIFYPASS\"}"
else
   echo "IP CHANGED!  Harbor $HARBOR does not match local $MYIP"

   # Notify
   curl -X POST -H 'Content-Type: application/json' https://notify.tpk.pw/notify -d "{\"title\": \"AWX: homelab IP change\", \\"message\": \"IP changed from $HARBOR to $MYIP\", \"priority\": 5, \"password\": \"$NOTIFYPASS\"}"

   # light
   wget "https://kasarest.freshbrewed.science/on?devip=192.168.1.24&apikey=$1"
   exit 1
fi

builder@DESKTOP-QADGF36:~/Workspaces/ansible-playbooks$ cat testNewIp.yaml
- name: Check if IP Changed
  hosts: all

  tasks:
  - name: Transfer the script
    copy: src=testNewIp.sh dest=/tmp mode=0755

  - name: Run Script
    command: sh /tmp/testNewIp.sh 

I’ll sync the project for the latest playbooks

I can now add the template and just use one of the utility hosts to run it

hmm…. i messed something up

testing locally shows i definately goofed

 ./testNewIp.sh sadfsadfasdfsadf
Strings are Equal . 76.156.69.232 matches 76.156.69.232
{"detail":[{"type":"json_invalid","loc":["body",40],"msg":"JSON decode error","input":{},"ctx":{"error":"Expecting property name enclosed in double quotes"}}]}curl: (6) Could not resolve host: "IP


curl: (6) Could not resolve host: of
curl: (6) Could not resolve host: h.f.s

I found and fixed an errant double backslash \\

$ ./testNewIp.sh asdfsadfsafda
Strings are Equal . 76.156.69.232 matches 76.156.69.232
{"status":"success","data":{"id":60,"appid":2,"message":"IP of h.f.s is 76.156.69.232 and egress is still 76.156.69.232","title":"AWX: homelab IP STILL GOOD","priority":5,"date":"2026-03-24T12:32:32.466743299Z"}}

which showed up in Gotify.

I pushed the fix, synced the project in AWX

Then tried again, which worked.

Lastly, I commented out the notify line as that would get really old to see every hour

Lastly, I’ll create an hourly schedule so if it changes, I’ll get notified

When saved, I can see it’s scheduled here on out

DOH.

I was all set to write the summary and close this out when it dawned on me - if my IP changes, there is no way notify.tpk.pw would resolve, let alone gotify.

I updated the script and playbook to use email instead (and tested locally)

(base) builder@LuiGi:~/Workspaces/ansible-playbooks$ cat testNewIp.sh
#!/bin/bash

export NOTIFYPASS=$1
export RESENDAPI=$2
export EMAILSENDER=$3

MYIP="`host -4 myip.opendns.com resolver1.opendns.com | tail -n1 | sed 's/.* //' | tr -d '\n'`"
HARBOR="`host -4 harbor.freshbrewed.science resolver1.opendns.com | tail -n1 | sed 's/.* //' | tr -d '\n'`"

if [ "$MYIP" = "$HARBOR" ]; then
   echo "Strings are Equal . $MYIP matches $HARBOR"

   # Notify
   # curl -X POST -H 'Content-Type: application/json' https://notify.tpk.pw/notify -d "{\"title\": \"AWX: homelab IP STILL GOOD\", \"message\": \"IP of h.f.s is $HARBOR and egress is still $MYIP\", \"priority\": 5, \"password\": \"$NOTIFYPASS\"}"
   # curl -X POST 'https://api.resend.com/emails' -H 'Authorization: Bearer xxxxxxxxxxxxxxxxxxxxxxxx' -H 'Content-Type: application/json' -d "{ \"from\": \"$EMAILSENDER\", \"to\": \"isaac.johnson@gmail.com\", \"subject\": \"AWX - Egress IP stable\", \"html\": \"hello me
The IP of $HARBOR is still $MYIP egress\"}"
else
   echo "IP CHANGED!  Harbor $HARBOR does not match local $MYIP"

   # Notify
   curl -X POST 'https://api.resend.com/emails' -H "Authorization: Bearer $RESENDAPI" -H 'Content-Type: application/json' -d "{ \"from\": \"$EMAILSENDER\", \"to\": \"isaac.johnson@gmail.com\", \"subject\": \"AWX - Egress IP changed\", \"html\": \"hello me
The IP of $HARBOR (harbor.freshbrewed.science) does not match your current egress IP of $MYIP\"}"

   # IF THE IP Changed, this really wont work till its fixed!
   curl -X POST -H 'Content-Type: application/json' https://notify.tpk.pw/notify -d "{\"title\": \"AWX: homelab IP change\", \"message\": \"IP changed from $HARBOR to $MYIP\", \"priority\": 5, \"password\": \"$NOTIFYPASS\"}"

   # light
   wget "https://kasarest.freshbrewed.science/on?devip=192.168.1.24&apikey=$1"
   exit 1
fi

(base) builder@LuiGi:~/Workspaces/ansible-playbooks$ cat testNewIp.yaml
- name: Check if IP Changed
  hosts: all

  tasks:
  - name: Transfer the script
    copy: src=testNewIp.sh dest=/tmp mode=0755

  - name: Run Script
    command: sh /tmp/testNewIp.sh

I then added the keys to the Template in AWX

I let it run on schedule and it had no issues

Summary

Today we created a new script and Ansible playbook to go to the two main control planes in my home lab (I’ll add the Pi clusters later) and update Azure Key Vault (AKV) with updated local configs. Once that was sorted, we then moved on to creating a bash script with yq to find and parse the old entries.

I absconded LLMs for that work until the very end and then asked Gemini to do some cleanup on the script. My last piece of work in all this was to detect with the egress IP changes and notify myself. That involved upating an old script that just turned on a lightbulb to instead using my notify (Gotify) app to send a push notification to my phone. Once working, we set that playbook to run hourly so any egress change should notify my phone within the hour.

Lastly, right before posting, I realized that notifications that depend on ingressing to my cluster from DNS names, which neccessarily would be out of date, would be a bad idea and added some email notifications with Resend.

Hopefully something in here helps others, maybe some ideas on monitors or maintenance. Home labs can be fun, but do require a bit of occasional TLC.

Revisits: Opencode and Resend

2026-03-20T10:00:01+00:00

In a post last year, I looked briefly at Opencode, comparing it with Claude Code, and said then, “circle back… I want to explore some of its other features like agent model and maybe MCP servers.”. Opencode is still quite active so let’s give it a shake and compare the free models to using it with a paid one like Gemini.

Also, last year I looked at Resend for sending emails. Because it lacked SMTP, i really just use it in apps or via curl. Let’s review how to add custom domains and see if perhaps it has some new features.

Resend

Back in September 2025 I said goodbye to Sendgrid and revisited Resend. I just touched on it then, as well as back in 2023 as I had other options in hand.

If you have never used Resend before, you can create an account. For federated IdPs they have Google and Github.

As I mentioned in the past, this is not just some freemium SMTP relay - they will send emails, but only via API calls.

So our first step is to create an API key

I can then use that API key in an email:

$ curl -X POST 'https://api.resend.com/emails' \
  -H 'Authorization: Bearer re_XXXXXXXXXXXXXXXXXXXXXXXX' \
> -H 'Content-Type: application/json' \
  -d $'{
    "from": "onboarding@resend.dev",
    "to": "isaac.johnson@gmail.com",
    "subject": "Hello FB 2026!", "html": "hello friend
Congrats on testing Resend again!"}'
{"id":"84dd43f8-21ef-4588-b69a-c2cab03c342f"}

We can see it sent right away:

As I reviewed it today, however, I noticed a new SMTP section that was not there in the past

Could it be? Did they add SMTP (Now I really do have a drop in replacement for Sendgrid!)

Let’s test with SWAKS. I’ll add SWAKS if missing

$ sudo apt update && sudo apt install swaks
[sudo: authenticate] Password:
Hit:1 https://us-central1-apt.pkg.dev/projects/antigravity-auto-updater-dev antigravity-debian InRelease
Hit:2 http://security.ubuntu.com/ubuntu questing-security InRelease
Hit:3 http://us.archive.ubuntu.com/ubuntu questing InRelease
Get:4 https://repository.mullvad.net/deb/stable stable InRelease [3,536 B]
Hit:5 http://us.archive.ubuntu.com/ubuntu questing-updates InRelease
Hit:6 http://us.archive.ubuntu.com/ubuntu questing-backports InRelease
Fetched 3,536 B in 1s (2,394 B/s)
123 packages can be upgraded. Run 'apt list --upgradable' to see them.
Notice: Skipping acquire of configured file 'main/binary-i386/Packages' as repository 'https://us-central1-apt.pkg.dev/projects/antigravity-auto-updater-dev antigravity-debian InRelease' doesn't support architecture 'i386'
Installing:
  swaks

Installing dependencies:
  libdigest-bubblebabble-perl  libnet-dns-perl         libsocket6-perl
  libdigest-hmac-perl          libnet-dns-sec-perl
  libio-socket-inet6-perl      libperl4-corelibs-perl

Suggested packages:
  libauthen-ntlm-perl  perl-doc

Summary:
  Upgrading: 0, Installing: 8, Removing: 0, Not Upgrading: 123
  Download size: 558 kB
  Space needed: 1,754 kB / 718 GB available

Continue? [Y/n] Y
Get:1 http://us.archive.ubuntu.com/ubuntu questing/main amd64 libdigest-bubblebabble-perl all 0.02-3 [6,724 B]
Get:2 http://us.archive.ubuntu.com/ubuntu questing/main amd64 libdigest-hmac-perl all 1.05+dfsg-1 [8,416 B]
Get:3 http://us.archive.ubuntu.com/ubuntu questing/main amd64 libsocket6-perl amd64 0.29-3build4 [17.6 kB]
Get:4 http://us.archive.ubuntu.com/ubuntu questing/main amd64 libio-socket-inet6-perl all 2.73-1 [14.7 kB]
Get:5 http://us.archive.ubuntu.com/ubuntu questing/main amd64 libnet-dns-perl all 1.50-1ubuntu1 [340 kB]
Get:6 http://us.archive.ubuntu.com/ubuntu questing/main amd64 libnet-dns-sec-perl amd64 1.26-1build1 [40.6 kB]
Get:7 http://us.archive.ubuntu.com/ubuntu questing/main amd64 libperl4-corelibs-perl all 0.005-1 [38.1 kB]
Get:8 http://us.archive.ubuntu.com/ubuntu questing/universe amd64 swaks all 20240103.0-2 [92.4 kB]
Fetched 558 kB in 1s (409 kB/s)
Selecting previously unselected package libdigest-bubblebabble-perl.
(Reading database ... 342210 files and directories currently installed.)
Preparing to unpack .../0-libdigest-bubblebabble-perl_0.02-3_all.deb ...
Unpacking libdigest-bubblebabble-perl (0.02-3) ...
Selecting previously unselected package libdigest-hmac-perl.
Preparing to unpack .../1-libdigest-hmac-perl_1.05+dfsg-1_all.deb ...
Unpacking libdigest-hmac-perl (1.05+dfsg-1) ...
Selecting previously unselected package libsocket6-perl.
Preparing to unpack .../2-libsocket6-perl_0.29-3build4_amd64.deb ...
Unpacking libsocket6-perl (0.29-3build4) ...
Selecting previously unselected package libio-socket-inet6-perl.
Preparing to unpack .../3-libio-socket-inet6-perl_2.73-1_all.deb ...
Unpacking libio-socket-inet6-perl (2.73-1) ...
Selecting previously unselected package libnet-dns-perl.
Preparing to unpack .../4-libnet-dns-perl_1.50-1ubuntu1_all.deb ...         ]
Unpacking libnet-dns-perl (1.50-1ubuntu1) ...                                ]
Selecting previously unselected package libnet-dns-sec-perl.                    ]
Preparing to unpack .../5-libnet-dns-sec-perl_1.26-1build1_amd64.deb ...           ]
Unpacking libnet-dns-sec-perl (1.26-1build1) ...                                     ]
Selecting previously unselected package libperl4-corelibs-perl.
Preparing to unpack .../6-libperl4-corelibs-perl_0.005-1_all.deb ...                   ]
Unpacking libperl4-corelibs-perl (0.005-1) ...                                          ]
Selecting previously unselected package swaks.                                            ]
Preparing to unpack .../7-swaks_20240103.0-2_all.deb ...                                     ]
Unpacking swaks (20240103.0-2) ...
Setting up libperl4-corelibs-perl (0.005-1) ...
Setting up libdigest-hmac-perl (1.05+dfsg-1) ...
Setting up libsocket6-perl (0.29-3build4) ...
Setting up swaks (20240103.0-2) ...
Setting up libdigest-bubblebabble-perl (0.02-3) ...
Setting up libnet-dns-perl (1.50-1ubuntu1) ...
Setting up libio-socket-inet6-perl (2.73-1) ...██████████████████████████▎                 ]  Setting up libnet-dns-sec-perl (1.26-1build1) ...
Processing triggers for man-db (2.13.1-1) ...

Let’s give it a try (I’ll remove parts that show my auth in output)

$ swaks --to isaac.johnson@gmail.com --from isaac@steeped.space --server smtp.resend.com:587 --auth LOGIN --tls --auth-user resend --auth-password 're_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
=== Trying smtp.resend.com:587...
=== Connected to smtp.resend.com.
<-  220 Resend SMTP Relay ESMTP
 -> EHLO LuiGi
<-  250-Resend SMTP Relay Nice to meet you, [10.0.31.199]
<-  250-PIPELINING
<-  250-8BITMIME
<-  250-SMTPUTF8
<-  250-AUTH PLAIN LOGIN
<-  250-STARTTLS
<-  250 SIZE 41943040
 -> STARTTLS
<-  220 Ready to start TLS
=== TLS started with cipher TLSv1.3:TLS_AES_256_GCM_SHA384:256
=== TLS client certificate not requested and not sent
=== TLS no client certificate set
=== TLS peer[0]   subject=[/CN=*.resend.com]
===               commonName=[*.resend.com], subjectAltName=[DNS:*.apps.resend.com, DNS:*.resend.com, DNS:resend.com] notAfter=[2026-03-31T14:56:52Z]
=== TLS peer[1]   subject=[/CN=*.resend.com]
===               commonName=[*.resend.com], subjectAltName=[DNS:*.apps.resend.com, DNS:*.resend.com, DNS:resend.com] notAfter=[2026-03-31T14:56:52Z]
=== TLS peer[2]   subject=[/C=US/O=Let's Encrypt/CN=E8]
===               commonName=[E8], subjectAltName=[] notAfter=[2027-03-12T23:59:59Z]
=== TLS peer certificate passed CA verification, passed host verification (using host smtp.resend.com to verify)
 ~> EHLO LuiGi
<~  250-Resend SMTP Relay Nice to meet you, [10.0.31.199]
<~  250-PIPELINING
<~  250-8BITMIME
<~  250-SMTPUTF8
<~  250-AUTH PLAIN LOGIN
<~  250 SIZE 41943040
 ~> AUTH LOGIN
<~  334 xxxxxxxxxxxxxxxxxxxxx
<~  334 xxxxxxxxxxxxxxxxxxxxx
<~  235 Authentication successful
 ~> MAIL FROM:
<~  250 Accepted
 ~> RCPT TO:
<~  250 Accepted
 ~> DATA
<~  354 End data with .
 ~> Date: Fri, 20 Mar 2026 07:39:16 -0500
 ~> To: isaac.johnson@gmail.com
 ~> From: isaac@steeped.space
 ~> Subject: test Fri, 20 Mar 2026 07:39:16 -0500
 ~> Message-Id: <20260320073916.039869@LuiGi>
 ~> X-Mailer: swaks v20240103.0 jetmore.org/john/code/swaks/
 ~>
 ~> This is a test mailing
 ~>
 ~>
 ~> .
<~  250 f23f9f1d-4a40-4dc3-bdd5-820130ab4e07
 ~> QUIT
<~  221 Bye
=== Connection closed with remote host.

However, I never saw it come through. In fairness, I let steeped.space go so perhaps Google blocked it?

I then noticed Resend blocked it now

I delete the expired and started the process to add a new one

I’ll need to set some records for verification

While it said it might take a day to verify, it took less than 30m to come back verified

I’ll give it a shot

$ swaks --to isaac@freshbrewed.science \
--from isaac@steeped.space \
--server smtp.resend.com:587 \
--auth LOGIN --tls \
--auth-user resend \
--auth-password 're_xxxxxxxxxxxxxxxxxxxxx'

And it worked just fine!

We can also see that as a positive result in the logs of Resend

Paid plans

Resend, sadly, just has a $0, US$20, and US$90 plan available today

I really wish vendors would embrace the home-lab type people that just want some more domains but are fine with lesser limits. I would be keen on a $5 or perhaps even $10 a month plan, but not $20 - just for sending mails.

Opencode

Back in August this past year I looked at Opencode. It worked okay with Gemini 2.5 but I was leaning into Qwen3 and Gemini CLI at the time.

It’s still quite active - let’s give it another shot.

$ curl -fsSL https://opencode.ai/install | bash

Let’s see if we can get it to help build an agent skills markdown file for python work:

So, as you saw, using the free MiniMax M2.5 Free model it took a good 10m - but free is free.

If we set a GEMINI API Key, we can use the Google models as well

One issue I noticed is the new “SKILL” made is it omitted the YAML block at the top of the SKILL.md so it doesn’t show up when list skills.

I’ll add it myself to ~/.agents/skills/python-app-setup/SKILL.md

---
name: my-python-app-skill
description: When I ask for my python process, or my python skill, follow these rules.  Use this skill whenCreating a new Python application, Scaffolding a Python project, Setting up a new FastAPI or FastMCP project, or Initializing a Python project from scratch
metadata:
  copyright: Copyright Freshbrewed. 2026
  version: "0.0.1"
---

Now when I fire up OpenCode I can see it listed

However, with Gemini 3 flash, it got hung up on some loops - it was working, just kind of got a bit stuck

I got MiniMax working, but of course as a free model its quite slow

I fired up the app it created

$ uvicorn app.main:app --reload

I mean, the layout looks fine but now way to add notes which is a bit of an issue

I switched to Gemini Pro to try and fix things. One thing we’ll note in Opencode is the running cost in the upper right. This can be handy if really focused on spend

This is important as using the Pro model to fix my ask (and I didn’t need to - Flash would have been fine) would cost me $0.29

Here we can see it in action!

There is a Dockerfile, which was a requirement from the skill we built

$ cat Dockerfile
# 411
FROM python:3.11-slim

WORKDIR /app

COPY --from=build /app/dist /app

EXPOSE 8000

CMD ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8000"]

And there exists a SYSTEM.md with a diagram as I desired for the architecture

Of course, sharing is caring, so publishing to Github is next.

You can find the repo at https://github.com/idjohnson/simpleTodo.

Where the mermaid renders in browser without issue

Summary

Today we looked at Resend again and were pleasantly surprised to see they added SMTP support. I added a new domain and tested sending with SWAKS. We wrapped by discussing costs for their paid tier

Then we circled back to Opencode to give it a good try and use it to build a skill, then use the skill in an agentic flow to build, of course, a to-do app. We wrapped it up by fixing it with Gemini Pro, looking at costs, and pushing the resulting app to Github.

I didn’t dive into too much as I don’t want to always promote Google uber alles.. but one of the biggest reasons I lean in on Gemini CLI over tools like Codex and Opencode is how it caches tokens. HUGE savings (and that matters to me). So as you saw, fixing a hole in the app was quick with Gemini Pro in Opencode, but with no token caching, that cost US$0.29 (no worries, i had some credits to cover that). I cannot be certain, but my experience with caching in the past would suggest i would have spent a third of that had I used Gemini CLI.

I do think the use of Skills is a topic we need to followup on. Just this last night the topic of MCP vs Skills came up again and there was a fun passionate debate on usage and pros/cons. Stay tuned for my take on that soon.

K8s VPAs now GA in 1.35

2026-03-18T12:55:01+00:00

I had bookmarked this article on NewStack about VerticalPodAutoscaling finally going GA. It’s been around for a while, and can be really useful with StatefulSets. I wanted to try in on Deployments (Replicasets) and see how it really works.

My “test” cluster was on v1.31.9 so it seemed a simple K3s upgrade aught to sort me out…

Upgrading K3s

Presently my test cluster is running v1.31.9 which is good, but we really want a newer v1.35 to properly test out the built-in vertical pod autoscaling

$ kubectl get nodes
NAME                  STATUS   ROLES                  AGE    VERSION
builder-macbookpro2   Ready                     265d   v1.31.9+k3s1
isaac-macbookair      Ready    control-plane,master   265d   v1.31.9+k3s1
isaac-macbookpro      Ready                     265d   v1.31.9+k3s1

We’ll follow the automated upgrade docs

I’ll first apply the upgrade controller

$ kubectl apply -f https://github.com/rancher/system-upgrade-controller/releases/latest/download/crd.yaml -f https://github.com/rancher/system-upgrade-controller/releases/latest/download/system-upgrade-controller.yaml
customresourcedefinition.apiextensions.k8s.io/plans.upgrade.cattle.io created
namespace/system-upgrade created
serviceaccount/system-upgrade created
role.rbac.authorization.k8s.io/system-upgrade-controller created
clusterrole.rbac.authorization.k8s.io/system-upgrade-controller created
clusterrole.rbac.authorization.k8s.io/system-upgrade-controller-drainer created
rolebinding.rbac.authorization.k8s.io/system-upgrade created
clusterrolebinding.rbac.authorization.k8s.io/system-upgrade created
clusterrolebinding.rbac.authorization.k8s.io/system-upgrade-drainer created
configmap/default-controller-env created
deployment.apps/system-upgrade-controller created

Then create an upgrade manifest (and yes, there is a typo I’ll figure out soon)

$ cat updatek3s.yaml
# Server plan
apiVersion: upgrade.cattle.io/v1
kind: Plan
metadata:
  name: server-plan
  namespace: system-upgrade
spec:
  concurrency: 1
  cordon: true
  version: v.1.35.1+k3s1
  nodeSelector:
    matchExpressions:
    - key: node-role.kubernetes.io/control-plane
      operator: In
      values:
      - "true"
  serviceAccountName: system-upgrade
  upgrade:
    image: rancher/k3s-upgrade
  channel: https://update.k3s.io/v1-release/channels/stable
---
# Agent plan
apiVersion: upgrade.cattle.io/v1
kind: Plan
metadata:
  name: agent-plan
  namespace: system-upgrade
spec:
  concurrency: 1
  cordon: true
  version: v.1.35.1+k3s1
  nodeSelector:
    matchExpressions:
    - key: node-role.kubernetes.io/control-plane
      operator: DoesNotExist
  prepare:
    args:
    - prepare
    - server-plan
    image: rancher/k3s-upgrade
  serviceAccountName: system-upgrade
  upgrade:
    image: rancher/k3s-upgrade
  channel: https://update.k3s.io/v1-release/channels/stable

I’ll apply the upgrade plan

$ kubectl apply -f ./updatek3s.yaml
plan.upgrade.cattle.io/server-plan created
plan.upgrade.cattle.io/agent-plan created

and generally this moves fast so I’ll check my nodes

$ kubectl get nodes
NAME                  STATUS                     ROLES                  AGE    VERSION
builder-macbookpro2   Ready                                       265d   v1.31.9+k3s1
isaac-macbookair      Ready,SchedulingDisabled   control-plane,master   265d   v1.31.9+k3s1
isaac-macbookpro      Ready                                       265d   v1.31.9+k3s1

hmm.. nothing is moving… let’s look at the plan status

$ kubectl -n system-upgrade get plans -o wide
NAME          IMAGE                 CHANNEL                                            VERSION         COMPLETE   MESSAGE   APPLYING
agent-plan    rancher/k3s-upgrade   https://update.k3s.io/v1-release/channels/stable   v.1.35.1+k3s1   False                ["isaac-macbookpro"]
server-plan   rancher/k3s-upgrade   https://update.k3s.io/v1-release/channels/stable   v.1.35.1+k3s1   False                ["isaac-macbookair"]

Ah! I used v.1.35.1+k3s1 instead of v1.35.1+k3s1! DOH!

At first I tried just applying a fixed copy

$ cat updatek3s.yaml
# Server plan
apiVersion: upgrade.cattle.io/v1
kind: Plan
metadata:
  name: server-plan
  namespace: system-upgrade
spec:
  concurrency: 1
  cordon: true
  version: v1.35.1+k3s1
  nodeSelector:
    matchExpressions:
    - key: node-role.kubernetes.io/control-plane
      operator: In
      values:
      - "true"
  serviceAccountName: system-upgrade
  upgrade:
    image: rancher/k3s-upgrade
  channel: https://update.k3s.io/v1-release/channels/stable
---
# Agent plan
apiVersion: upgrade.cattle.io/v1
kind: Plan
metadata:
  name: agent-plan
  namespace: system-upgrade
spec:
  concurrency: 1
  cordon: true
  version: v1.35.1+k3s1
  nodeSelector:
    matchExpressions:
    - key: node-role.kubernetes.io/control-plane
      operator: DoesNotExist
  prepare:
    args:
    - prepare
    - server-plan
    image: rancher/k3s-upgrade
  serviceAccountName: system-upgrade
  upgrade:
    image: rancher/k3s-upgrade
  channel: https://update.k3s.io/v1-release/channels/stable
$ kubectl apply -f ./updatek3s.yaml
plan.upgrade.cattle.io/server-plan configured
plan.upgrade.cattle.io/agent-plan configured
$ kubectl -n system-upgrade get plans -o wide
NAME          IMAGE                 CHANNEL                                            VERSION        COMPLETE   MESSAGE   APPLYING
agent-plan    rancher/k3s-upgrade   https://update.k3s.io/v1-release/channels/stable   v1.35.1+k3s1   False                ["isaac-macbookpro"]
server-plan   rancher/k3s-upgrade   https://update.k3s.io/v1-release/channels/stable   v1.35.1+k3s1   False                ["isaac-macbookair"]

But I saw nothing was moving. So I removed the plan then re-added it

$ kubectl delete -f ./updatek3s.yaml
plan.upgrade.cattle.io "server-plan" deleted
plan.upgrade.cattle.io "agent-plan" deleted

$ kubectl -n system-upgrade get plans -o wide
No resources found in system-upgrade namespace.

$ kubectl apply -f ./updatek3s.yaml
plan.upgrade.cattle.io/server-plan created
plan.upgrade.cattle.io/agent-plan created

Now I’ll check my nodes

$ kubectl get nodes
NAME                  STATUS                     ROLES                  AGE    VERSION
builder-macbookpro2   Ready                                       265d   v1.31.9+k3s1
isaac-macbookair      Ready,SchedulingDisabled   control-plane,master   265d   v1.31.9+k3s1
isaac-macbookpro      Ready                                       265d   v1.31.9+k3s1

Seeing the “SchedulingDisabled” was a good sign.

I checked again

$ kubectl get nodes
NAME                  STATUS   ROLES                  AGE    VERSION
builder-macbookpro2   Ready                     265d   v1.31.9+k3s1
isaac-macbookair      Ready    control-plane,master   265d   v1.35.1+k3s1
isaac-macbookpro      Ready                     265d   v1.31.9+k3s1

and the master was already upgraded

$ kubectl -n system-upgrade get plans -o wide
NAME          IMAGE                 CHANNEL                                            VERSION        COMPLETE   MESSAGE   APPLYING
agent-plan    rancher/k3s-upgrade   https://update.k3s.io/v1-release/channels/stable   v1.35.1+k3s1   False                ["builder-macbookpro2"]
server-plan   rancher/k3s-upgrade   https://update.k3s.io/v1-release/channels/stable   v1.35.1+k3s1   True

The nodes, however

$ kubectl -n system-upgrade get plans -o wide
NAME          IMAGE                 CHANNEL                                            VERSION        COMPLETE   MESSAGE   APPLYING
agent-plan    rancher/k3s-upgrade   https://update.k3s.io/v1-release/channels/stable   v1.35.1+k3s1   False                ["builder-macbookpro2"]
server-plan   rancher/k3s-upgrade   https://update.k3s.io/v1-release/channels/stable   v1.35.1+k3s1   True

$ kubectl get nodes
NAME                  STATUS                        ROLES                  AGE    VERSION
builder-macbookpro2   NotReady,SchedulingDisabled                    265d   v1.31.9+k3s1
isaac-macbookair      Ready                         control-plane,master   265d   v1.35.1+k3s1
isaac-macbookpro      Ready                                          265d   v1.31.9+k3s1

were taking a lot longer (granted they are very very old hosts).

I then pivoted to manually upgrading.

I would get the token and config

root@builder-MacBookPro2:/var/lib/rancher/k3s# cat /etc/systemd/system/k3s-agent.service.env
K3S_TOKEN='K10a18c07f24914cbe61277875fcb3e477fc063ada7cf69312f515909fa08b7dbf7::server:8ae66788f324cc82d03aa0171b9f59c4'
K3S_URL='https://192.168.1.77:6443'

Now I can use that to launch

$ curl -sfL https://get.k3s.io | INSTALL_K3S_VERSION=v1.35.1+k3s1 K3S_URL=https://192.168.1.77:6443 K3S_TOKEN=K10a18c07f24914cbe61277875fcb3e477fc063ada7cf69312f515909fa08b7dbf7::server:8ae66788f324cc82d03aa0171b9f59c4 sh -
[INFO]  Using v1.35.1+k3s1 as release
[INFO]  Downloading hash https://github.com/k3s-io/k3s/releases/download/v1.35.1%2Bk3s1/sha256sum-amd64.txt
[INFO]  Skipping binary downloaded, installed k3s matches hash
[INFO]  Skipping installation of SELinux RPM
[INFO]  Skipping /usr/local/bin/kubectl symlink to k3s, already exists
[INFO]  Skipping /usr/local/bin/crictl symlink to k3s, already exists
[INFO]  Skipping /usr/local/bin/ctr symlink to k3s, command exists in PATH at /usr/bin/ctr
[INFO]  Creating killall script /usr/local/bin/k3s-killall.sh
[INFO]  Creating uninstall script /usr/local/bin/k3s-agent-uninstall.sh
[INFO]  env: Creating environment file /etc/systemd/system/k3s-agent.service.env
[INFO]  systemd: Creating service file /etc/systemd/system/k3s-agent.service
[INFO]  systemd: Enabling k3s-agent unit
Created symlink /etc/systemd/system/multi-user.target.wants/k3s-agent.service → /etc/systemd/system/k3s-agent.service.
[INFO]  systemd: Starting k3s-agent
Job for k3s-agent.service failed because the service did not take the steps required by its unit configuration.
See "systemctl status k3s-agent.service" and "journalctl -xe" for details.

But that still didn’t seem to work

$ kubectl get nodes
NAME                  STATUS                        ROLES                  AGE    VERSION
builder-macbookpro2   NotReady,SchedulingDisabled                    265d   v1.31.9+k3s1
isaac-macbookair      Ready                         control-plane,master   265d   v1.35.1+k3s1
isaac-macbookpro      Ready                                          265d   v1.31.9+k3s1


$ sudo systemctl stop k3s-agent
$ sudo systemctl start k3s-agent

That failed

$ kubectl get nodes
NAME                  STATUS                        ROLES                  AGE    VERSION
builder-macbookpro2   NotReady,SchedulingDisabled                    265d   v1.31.9+k3s1
isaac-macbookair      Ready                         control-plane,master   265d   v1.35.1+k3s1
isaac-macbookpro      Ready                                          265d   v1.31.9+k3s1

Ubuntu 20.04 Focal and Kubernetes 1.35

It took me a whole day (delaying this post). I tried ansible playbooks

I could reset the whole cluster to v1.31.5 without issue. However, trying v1.35.1 failed with errors after hours…

Timing out on the nodes

I then tried manually but it refused to start and join the master. The token was right, the IP of the master instance was right.

Journalctl showed a fatal error at startup saying “k3s kubelet is configured to not run on a host using cgroup v1”.

I then checked my hosts. Master was on an old Macbook Air running Ubuntu 22.04 but the old old old Macbook Pros were on Ubuntu 20.04 (focal). Perhaps this is just a case that the OS is too out of date.

For more hours I tried upgrading… They just refused to find a new release.

The usual pattern of:

$ sudo apt update
$ sudo apt upgrade
$ sudo do-release-upgrade

Would just return “No new release found”.

I then fired up ‘deep thinking’ Gemini to see if it had any other ideas (my next step would be to burn a thumb drive with Jammy and just do it all over - but then i have to pull laptops from a rack and that’s another big hassle)

builder@isaac-MacBookPro:~$ lsb_release -a

No LSB modules are available.

Distributor ID: Ubuntu

Description:    Ubuntu 20.04.6 LTS

Release:        20.04

Codename:       focal

Yet, it refuses to upgrade:

builder@isaac-MacBookPro:~$ sudo do-release-upgrade -d

Checking for a new Ubuntu release

Upgrades to the development release are only

available from the latest supported release.

What can i do to force it to upgrade to Ubuntu 22?

Gemini proposed two paths - so I tried both - each on a different host:

1. “Force” Method via “dist-upgrade”

First, we tell the system to look at Jammy instead of Focal Fossa (20.04)

$ sudo sed -i 's/focal/jammy/g' /etc/apt/sources.list

Then run each of these steps

$ sudo apt update
$ sudo apt upgrade --without-new-pkgs -y
$ sudo apt full-upgrade -y

2. “Fix” the do-release-upgrade

We can force the upgrader tool to reinstall itself and hope that clears out the cobwebs

$ sudo apt install --reinstall ubuntu-release-upgrader-core
$ sudo do-release-upgrade

You have to babysit it a bit - this killed my overnight updates because one timed out asking about the sudoers and the other timed out asking about Firefox being configured for snap. I really wish they had something like “–yolo” or “–fuggoff-and-just-do-it”

Because in both my cases they timed out, closing the SSH session after a while, I had to force kill stuck apt processes and then fix before trying again

$ sudo kill 
$ sudo dpkg --configure -a
$ sudo apt --fix-broken install

FUBAR

In the end, on reboot, both laptops were in a failed state, refusing to boot into a desktop - caught in a recovery mode with little options (as it had no network nor clue how to resolve)

So I was forced to do it the full blast way - use a thumb drive

Also, with 24.04, the old “gnome-tweaks” method of preventing sleep on lid closure is gone so you have t use the logind.conf method (see: askubuntu post)

And i always forget there are crazy people out there that use Nano.. ick.

builder@builder-MacBookPro8-1:~$ sudo update-alternatives --config editor
There are 4 choices for the alternative editor (providing /usr/bin/editor).

  Selection    Path                Priority   Status
------------------------------------------------------------
* 0            /bin/nano            40        auto mode
  1            /bin/ed             -100       manual mode
  2            /bin/nano            40        manual mode
  3            /usr/bin/vim.basic   30        manual mode
  4            /usr/bin/vim.tiny    15        manual mode

Press  to keep the current choice[*], or type selection number: 3
update-alternatives: using /usr/bin/vim.basic to provide /usr/bin/editor (editor) in manual mode

Once live, I did the usual steps of adding docker and openssh-server. But next I wanted to try and rejoin the host to the control-plane:

builder@builder-MacBookPro8-1:~$ curl -sfL https://get.k3s.io | INSTALL_K3S_VERSION=v1.35.1+k3s1 K3S_URL=https://192.168.1.77:6443 K3S_TOKEN=K1092e2cff3c646a253da6a2aa177d0edd6626fc1c553d379cda72edf0035742bcb::server:7756fd74f3b4d1b739ab50ce337ef220 sh -
[INFO]  Using v1.35.1+k3s1 as release
[INFO]  Downloading hash https://github.com/k3s-io/k3s/releases/download/v1.35.1%2Bk3s1/sha256sum-amd64.txt
[INFO]  Downloading binary https://github.com/k3s-io/k3s/releases/download/v1.35.1%2Bk3s1/k3s
[INFO]  Verifying binary download
[INFO]  Installing k3s to /usr/local/bin/k3s
[INFO]  Skipping installation of SELinux RPM
[INFO]  Creating /usr/local/bin/kubectl symlink to k3s
[INFO]  Creating /usr/local/bin/crictl symlink to k3s
[INFO]  Skipping /usr/local/bin/ctr symlink to k3s, command exists in PATH at /usr/bin/ctr
[INFO]  Creating killall script /usr/local/bin/k3s-killall.sh
[INFO]  Creating uninstall script /usr/local/bin/k3s-agent-uninstall.sh
[INFO]  env: Creating environment file /etc/systemd/system/k3s-agent.service.env
[INFO]  systemd: Creating service file /etc/systemd/system/k3s-agent.service
[INFO]  systemd: Enabling k3s-agent unit
Created symlink /etc/systemd/system/multi-user.target.wants/k3s-agent.service → /etc/systemd/system/k3s-agent.service.
[INFO]  systemd: Starting k3s-agent

Now we finally see some worker nodes added!

$ kubectl get nodes
NAME                    STATUS   ROLES           AGE   VERSION
builder-macbookpro8-1   Ready              56s   v1.35.1+k3s1
isaac-macbookair        Ready    control-plane   13h   v1.35.1+k3s1

VPA

K3s already has a metrics server, so the first thing we really need to do is add the VPA.

The steps I’ll be following are similar to those in theNewStack article, but not identical.

We can make it easy by using the autoscaler repo and the install script

builder@DESKTOP-QADGF36:~/Workspaces$ git clone https://github.com/kubernetes/autoscaler.git
Cloning into 'autoscaler'...
remote: Enumerating objects: 239035, done.
remote: Counting objects: 100% (1580/1580), done.
remote: Compressing objects: 100% (1108/1108), done.
remote: Total 239035 (delta 987), reused 475 (delta 471), pack-reused 237455 (from 2)
Receiving objects: 100% (239035/239035), 256.72 MiB | 10.56 MiB/s, done.
Resolving deltas: 100% (155817/155817), done.
Updating files: 100% (5897/5897), done.
builder@DESKTOP-QADGF36:~/Workspaces$ cd autoscaler/
builder@DESKTOP-QADGF36:~/Workspaces/autoscaler$ cd vertical-pod-autoscaler/
builder@DESKTOP-QADGF36:~/Workspaces/autoscaler/vertical-pod-autoscaler$

Once cloned down, we can fire up the “hack” install script

builder@DESKTOP-QADGF36:~/Workspaces/autoscaler/vertical-pod-autoscaler$ cat ./hack/vpa-up.sh
#!/bin/bash

# Copyright 2018 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

set -o errexit
set -o nounset
set -o pipefail

SCRIPT_ROOT=$(dirname ${BASH_SOURCE})/..
DEFAULT_TAG="1.6.0"
TAG_TO_APPLY=${TAG-$DEFAULT_TAG}

if [ "${TAG_TO_APPLY}" == "${DEFAULT_TAG}" ]; then
  git switch --detach vertical-pod-autoscaler-${DEFAULT_TAG}
fi

$SCRIPT_ROOT/hack/vpa-process-yamls.sh apply $*
builder@DESKTOP-QADGF36:~/Workspaces/autoscaler/vertical-pod-autoscaler$ ./hack/vpa-up.sh
HEAD is now at 9196162ba Update VPA default version to 1.6.0
customresourcedefinition.apiextensions.k8s.io/verticalpodautoscalercheckpoints.autoscaling.k8s.io created
customresourcedefinition.apiextensions.k8s.io/verticalpodautoscalers.autoscaling.k8s.io created
clusterrole.rbac.authorization.k8s.io/system:metrics-reader created
clusterrole.rbac.authorization.k8s.io/system:vpa-actor created
clusterrole.rbac.authorization.k8s.io/system:vpa-status-actor created
clusterrole.rbac.authorization.k8s.io/system:vpa-checkpoint-actor created
clusterrole.rbac.authorization.k8s.io/system:evictioner created
clusterrole.rbac.authorization.k8s.io/system:vpa-updater-in-place created
clusterrolebinding.rbac.authorization.k8s.io/system:vpa-updater-in-place-binding created
clusterrolebinding.rbac.authorization.k8s.io/system:metrics-reader created
clusterrolebinding.rbac.authorization.k8s.io/system:vpa-actor created
clusterrolebinding.rbac.authorization.k8s.io/system:vpa-status-actor created
clusterrolebinding.rbac.authorization.k8s.io/system:vpa-checkpoint-actor created
clusterrole.rbac.authorization.k8s.io/system:vpa-target-reader created
clusterrolebinding.rbac.authorization.k8s.io/system:vpa-target-reader-binding created
clusterrolebinding.rbac.authorization.k8s.io/system:vpa-evictioner-binding created
serviceaccount/vpa-admission-controller created
serviceaccount/vpa-recommender created
serviceaccount/vpa-updater created
clusterrole.rbac.authorization.k8s.io/system:vpa-admission-controller created
clusterrolebinding.rbac.authorization.k8s.io/system:vpa-admission-controller created
clusterrole.rbac.authorization.k8s.io/system:vpa-status-reader created
clusterrolebinding.rbac.authorization.k8s.io/system:vpa-status-reader-binding created
role.rbac.authorization.k8s.io/system:leader-locking-vpa-updater created
rolebinding.rbac.authorization.k8s.io/system:leader-locking-vpa-updater created
role.rbac.authorization.k8s.io/system:leader-locking-vpa-recommender created
rolebinding.rbac.authorization.k8s.io/system:leader-locking-vpa-recommender created
deployment.apps/vpa-updater created
deployment.apps/vpa-recommender created
Generating certs for the VPA Admission Controller in /tmp/vpa-certs.
Certificate request self-signature ok
subject=CN=vpa-webhook.kube-system.svc
Uploading certs to the cluster.
secret/vpa-tls-certs created
Deleting /tmp/vpa-certs.
service/vpa-webhook created
deployment.apps/vpa-admission-controller created
service/vpa-webhook unchanged

With the pods now running

$ kubectl get po -n kube-system | grep vpa
vpa-admission-controller-5879bdc979-9cf85   1/1     Running   0          2m11s
vpa-recommender-59c7769c67-chrgn            1/1     Running   0          2m12s
vpa-updater-64888c8777-8djfw                1/1     Running   0          2m12s

Setup

First, I need some basic app for which to test.

Let’s fire up a simple hello-app

$ kubectl create deployment hello-server --image=us-docker.pkg.dev/google-samples/containers/gke/hello-app:1.0

$ kubectl get po
NAME                            READY   STATUS    RESTARTS   AGE
hello-server-66bd54ff48-vmjsx   1/1     Running   0          32s

I’ll do a nodeport service so we can see it without having to port-forward

$ kubectl expose deployment hello-server --type=NodePort --name=hello-service --port=8080
service/hello-service exposed

$ kubectl get svc
NAME            TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)          AGE
hello-service   NodePort    10.43.50.228           8080:31445/TCP   2m56s
kubernetes      ClusterIP   10.43.0.1              443/TCP          12h

And here is our app

Updates without a VPA

Without a VPA, what happens when we edit our deployment to add some resource settings (or change them).

For instance, adding

    resources:
    requests:
        cpu: "50m"
        memory: "64Mi"
    limits:
        cpu: "200m"
        memory: "256Mi"

rotates the pods:

This means that if you have a mission critical workload that could take downtime rotating pods, changing your settings and limits is something pushed to the off-hours or emergency code red times.

Updates with a VPA

However, with VPAs, the Vertical Pod Autoscaler can work with the Metrics server to monitor our workload and adjust settings on demand - without modifying any running pod

Let’s create a new VPA for our deployment, but just to test things, we have “updateMode” set to “off” so it’s going to be a recommendation agent for now.

apiVersion: autoscaling.k8s.io/v1
kind: VerticalPodAutoscaler
metadata:
  name: hello-vpa
spec:
  targetRef:
    apiVersion: "apps/v1"
    kind: Deployment
    name: hello-server
  updatePolicy:
    updateMode: "Off"
  resourcePolicy:
    containerPolicies:
    - containerName: "hello-app"
      minAllowed:
        cpu: "25m"
        memory: "32Mi"
      maxAllowed:
        cpu: "1"
        memory: "512Mi"
      controlledResources: ["cpu", "memory"]

We’ll apply

$ kubectl apply -f ./vpa.yaml
verticalpodautoscaler.autoscaling.k8s.io/hello-vpa created

While you can use the YAML output for verbose details

$ kubectl get vpa hello-vpa -o yaml
apiVersion: autoscaling.k8s.io/v1
kind: VerticalPodAutoscaler
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"autoscaling.k8s.io/v1","kind":"VerticalPodAutoscaler","metadata":{"annotations":{},"name":"hello-vpa","namespace":"default"},"spec":{"resourcePolicy":{"containerPolicies":[{"containerName":"hello-app","controlledResources":["cpu","memory"],"maxAllowed":{"cpu":"1","memory":"512Mi"},"minAllowed":{"cpu":"25m","memory":"32Mi"}}]},"targetRef":{"apiVersion":"apps/v1","kind":"Deployment","name":"hello-server"},"updatePolicy":{"updateMode":"Off"}}}
  creationTimestamp: "2026-03-18T13:47:23Z"
  generation: 1
  name: hello-vpa
  namespace: default
  resourceVersion: "25299"
  uid: dce05dec-2e90-4eb3-ad2f-5daf5a1d489b
spec:
  resourcePolicy:
    containerPolicies:
    - containerName: hello-app
      controlledResources:
      - cpu
      - memory
      maxAllowed:
        cpu: "1"
        memory: 512Mi
      minAllowed:
        cpu: 25m
        memory: 32Mi
  targetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: hello-server
  updatePolicy:
    updateMode: "Off"
status:
  conditions:
  - lastTransitionTime: "2026-03-18T13:47:35Z"
    status: "True"
    type: RecommendationProvided
  recommendation:
    containerRecommendations:
    - containerName: hello-app
      lowerBound:
        cpu: 25m
        memory: 250Mi
      target:
        cpu: 25m
        memory: 250Mi
      uncappedTarget:
        cpu: 25m
        memory: 250Mi
      upperBound:
        cpu: 213m
        memory: 250Mi

I rather prefer the wide output:

$ kubectl get vpa hello-vpa -o wide
NAME        MODE   CPU   MEM     PROVIDED   AGE
hello-vpa   Off    25m   250Mi   True       96s

next, I want to allow this to actually modify the resources by changing our update to “InPlaceOrRecreate”. This means it will first try to “patch” the pod, but if the pod acts like a little turd, it will replace and evict it next.

You’ll notice I change the updateMode as well as add “controlledValues” at the end:

$ cat vpa.yaml
apiVersion: autoscaling.k8s.io/v1
kind: VerticalPodAutoscaler
metad
  name: hello-vpa
spec:
  targetRef:
    apiVersion: "apps/v1"
    kind: Deployment
    name: hello-server
  updatePolicy:
    updateMode: "InPlaceOrRecreate"
  resourcePolicy:
    containerPolicies:
    - containerName: "hello-app"
      minAllowed:
        cpu: "25m"
        memory: "32Mi"
      maxAllowed:
        cpu: "1"
        memory: "512Mi"
      controlledResources: ["cpu", "memory"]
      controlledValues: "RequestsAndLimits"
$ kubectl apply -f ./vpa.yaml
verticalpodautoscaler.autoscaling.k8s.io/hello-vpa configured
$ kubectl get vpa hello-vpa -o wide
NAME        MODE                CPU   MEM     PROVIDED   AGE
hello-vpa   InPlaceOrRecreate   25m   250Mi   True       5m4s

I can see the pod was not cycled

$ kubectl get po
NAME                           READY   STATUS    RESTARTS   AGE
hello-server-cf5d4d7d5-fddxs   1/1     Running   0          78m

But I also don’t see it modified

$ kubectl describe po hello-server-cf5d4d7d5-fddxs | tail -n 30 | head -n 10
    Ready:          True
    Restart Count:  0
    Limits:
      cpu:     200m
      memory:  256Mi
    Requests:
      cpu:        50m
      memory:     64Mi
    Environment:  
    Mounts:

Let’s create some load and see what happens

$ kubectl apply -f ./beat-it-up.yaml
pod/load-generator-1 created
pod/load-generator-2 created

$ kubectl get po
NAME                           READY   STATUS    RESTARTS   AGE
hello-server-cf5d4d7d5-fddxs   1/1     Running   0          89m
load-generator-1               1/1     Running   0          101s
load-generator-2               1/1     Running   0          101s

I let it run for a bit then checked the recommendations

$ kubectl get vpa hello-vpa -o jsonpath='{.status.recommendation.containerRecommendations[0].target}' ; echo
{"cpu":"25m","memory":"250Mi"}

The pod was still in place

$ kubectl get po
NAME                           READY   STATUS    RESTARTS   AGE
hello-server-cf5d4d7d5-fddxs   1/1     Running   0          95m
load-generator-1               1/1     Running   0          7m12s
load-generator-2               1/1     Running   0          7m12s

with the same resource limits/requests

$ kubectl describe po hello-server-cf5d4d7d5-fddxs | tail -n 30 | head -n 10
    Ready:          True
    Restart Count:  0
    Limits:
      cpu:     200m
      memory:  256Mi
    Requests:
      cpu:        50m
      memory:     64Mi
    Environment:  
    Mounts:

I bumped my load generators up to 4 just really apply some pressure and then saw the numbers climb

$ kubectl get vpa hello-vpa -o jsonpath='{.status.recommendation.containerRecommendations[0].target}' ; echo
{"cpu":"247m","memory":"250Mi"}

The thing is the deployment has yet to change and the pod is still using the smaller requests

$ kubectl describe po -l app=hello-server | grep -A 3 "Requests:"
    Requests:
      cpu:        50m
      memory:     64Mi
    Environment:  

the VPA is clearly showing it should replace

$ kubectl get vpa hello-vpa
NAME        MODE                CPU    MEM     PROVIDED   AGE
hello-vpa   InPlaceOrRecreate   247m   250Mi   True       39m

I tried recreating the VPA as well with the harsher “Recreate” option

$ cat vpa.yaml
apiVersion: autoscaling.k8s.io/v1
kind: VerticalPodAutoscaler
metadata:
  name: hello-vpa
spec:
  targetRef:
    apiVersion: "apps/v1"
    kind: Deployment
    name: hello-server
  updatePolicy:
    updateMode: "Recreate"
  resourcePolicy:
    containerPolicies:
    - containerName: "hello-app"
      minAllowed:
        cpu: "25m"
        memory: "32Mi"
      maxAllowed:
        cpu: "1"
        memory: "512Mi"
      controlledResources: ["cpu", "memory"]
      controlledValues: "RequestsAndLimits"
$ kubectl apply -f ./vpa.yaml
verticalpodautoscaler.autoscaling.k8s.io/hello-vpa configured

That seemed to do nothing

$ kubectl get vpa hello-vpa
NAME        MODE       CPU    MEM     PROVIDED   AGE
hello-vpa   Recreate   247m   250Mi   True       41m
$ kubectl describe po -l app=hello-server | grep -A 3 "Requests:"
    Requests:
      cpu:        50m
      memory:     64Mi
    Environment:  
$ kubectl get po
NAME                           READY   STATUS    RESTARTS   AGE
hello-server-cf5d4d7d5-fddxs   1/1     Running   0          113m
load-generator-1               1/1     Running   0          12m
load-generator-2               1/1     Running   0          12m
load-generator-3               1/1     Running   0          12m
load-generator-4               1/1     Running   0          12m

I then forced the VPA to recreate

$ kubectl delete vpa hello-vpa
verticalpodautoscaler.autoscaling.k8s.io "hello-vpa" deleted
$ kubectl apply -f ./vpa.yaml
verticalpodautoscaler.autoscaling.k8s.io/hello-vpa created
$ kubectl get vpa hello-vpa
NAME        MODE       CPU   MEM   PROVIDED   AGE
hello-vpa   Recreate                          8s

It took about 40s to show fresh recommendations

$ kubectl get vpa hello-vpa
NAME        MODE       CPU   MEM   PROVIDED   AGE
hello-vpa   Recreate                          6s

$ kubectl get vpa hello-vpa
NAME        MODE       CPU    MEM     PROVIDED   AGE
hello-vpa   Recreate   247m   250Mi   True       49s

But nothing changed

$ kubectl get po
NAME                           READY   STATUS    RESTARTS   AGE
hello-server-cf5d4d7d5-fddxs   1/1     Running   0          150m
load-generator-1               1/1     Running   0          49m
load-generator-2               1/1     Running   0          49m
load-generator-3               1/1     Running   0          49m
load-generator-4               1/1     Running   0          49m

Pivot

Let’s try using the Nginx pod that the original article used instead. I want to see if it’s just the lightweight app I was using

$ kubectl create ns vpa-demo
namespace/vpa-demo created

$ cat ./vpa-nginx.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-vpa-demo
  namespace: vpa-demo
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx-vpa-demo
  template:
    metadata:
      labels:
        app: nginx-vpa-demo
    spec:
      containers:
      - name: nginx
        image: nginx:1.25
        resources:
          requests:
            cpu: "50m"
            memory: "64Mi"
          limits:
            cpu: "200m"
            memory: "256Mi"

then apply

$ kubectl apply -f ./vpa-nginx.yaml
deployment.apps/nginx-vpa-demo created

I can see the pods are up

$ kubectl get po -n vpa-demo -l app=nginx-vpa-demo
NAME                              READY   STATUS    RESTARTS   AGE
nginx-vpa-demo-58d8649cf4-d85cb   1/1     Running   0          8m53s
nginx-vpa-demo-58d8649cf4-ptp9c   1/1     Running   0          8m53s

let’s do the recommendation version

$ cat vpa_nginx.yaml
apiVersion: autoscaling.k8s.io/v1
kind: VerticalPodAutoscaler
metadata:
  name: nginx-vpa
  namespace: vpa-demo
spec:
  targetRef:
    apiVersion: "apps/v1"
    kind: Deployment
    name: nginx-vpa-demo
  updatePolicy:
    updateMode: "Off"
  resourcePolicy:
    containerPolicies:
    - containerName: "nginx"
      minAllowed:
        cpu: "25m"
        memory: "32Mi"
      maxAllowed:
        cpu: "1"
        memory: "512Mi"
      controlledResources: ["cpu", "memory"]
$ kubectl apply -f ./vpa_nginx.yaml
verticalpodautoscaler.autoscaling.k8s.io/nginx-vpa created

And see it works

$ kubectl get vpa -n vpa-demo
NAME        MODE   CPU   MEM     PROVIDED   AGE
nginx-vpa   Off    25m   250Mi   True       60s

I’ll now flip it to inplace replacements

$ cat vpa-inplace.yaml
apiVersion: autoscaling.k8s.io/v1
kind: VerticalPodAutoscaler
metadata:
  name: nginx-vpa
  namespace: vpa-demo
spec:
  targetRef:
    apiVersion: "apps/v1"
    kind: Deployment
    name: nginx-vpa-demo
  updatePolicy:
    updateMode: "InPlaceOrRecreate"
  resourcePolicy:
    containerPolicies:
    - containerName: "nginx"
      minAllowed:
        cpu: "25m"
        memory: "32Mi"
      maxAllowed:
        cpu: "1"
        memory: "512Mi"
      controlledResources: ["cpu", "memory"]
      controlledValues: "RequestsAndLimits"

$ kubectl apply -f ./vpa-inplace.yaml
verticalpodautoscaler.autoscaling.k8s.io/nginx-vpa configured

$ kubectl get vpa -n vpa-demo
NAME        MODE                CPU   MEM     PROVIDED   AGE
nginx-vpa   InPlaceOrRecreate   25m   250Mi   True       3m33s

I see the requests

$ kubectl describe pod -n vpa-demo -l app=nginx-vpa-demo | grep -A 3 "Requests:"
    Requests:
      cpu:        25m
      memory:     250Mi
    Environment:  
--
    Requests:
      cpu:        25m
      memory:     250Mi
    Environment:  

The article was just using pods, but let’s turn it to 11 and just make the load tester a deployment

$ cat ./beat-it-up-new.yaml
apiVersion: v1
kind: Service
metadata:
  name: nginx-vpa-demo
  namespace: vpa-demo
spec:
  selector:
    app: nginx-vpa-demo
  ports:
  - port: 80
    targetPort: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: load-generator
  namespace: vpa-demo
  labels:
    app: load-generator
spec:
  replicas: 10
  selector:
    matchLabels:
      app: load-generator
  template:
    metadata:
      labels:
        app: load-generator
    spec:
      containers:
      - name: busybox
        image: busybox:1.36
        command:
        - /bin/sh
        - -c
        - |
          echo "Starting load generator..."
          while true; do
            wget -q -O- http://nginx-vpa-demo.vpa-demo.svc.cluster.local > /dev/null 2>&1
          done
      restartPolicy: Always


$ kubectl apply -f ./beat-it-up-new.yaml
service/nginx-vpa-demo created
deployment.apps/load-generator created

I can now see pods fired up

$ kubectl get po -n vpa-demo
NAME                              READY   STATUS    RESTARTS   AGE
load-generator-b5756b46-7gbz8     1/1     Running   0          36s
load-generator-b5756b46-8nvcq     1/1     Running   0          36s
load-generator-b5756b46-c6lkv     1/1     Running   0          36s
load-generator-b5756b46-f4txq     1/1     Running   0          36s
load-generator-b5756b46-gzd4z     1/1     Running   0          36s
load-generator-b5756b46-n6lkt     1/1     Running   0          36s
load-generator-b5756b46-p82cl     1/1     Running   0          36s
load-generator-b5756b46-qznc9     1/1     Running   0          36s
load-generator-b5756b46-rwsdz     1/1     Running   0          36s
load-generator-b5756b46-z6czb     1/1     Running   0          36s
nginx-vpa-demo-58d8649cf4-d85cb   1/1     Running   0          20m
nginx-vpa-demo-58d8649cf4-ptp9c   1/1     Running   0          20m

I did a follow to see indeed the Nginx pods were getting hit heavy

$ kubectl logs nginx-vpa-demo-58d8649cf4-d85cb -n vpa-demo --follow

After a bit I saw the recommendations go up

$ kubectl get vpa nginx-vpa -n vpa-demo -o jsonpath='{.status.recommendation.containerRecommendations[0].target}' ; echo
{"cpu":"25m","memory":"250Mi"}

$ kubectl get vpa nginx-vpa -n vpa-demo -o jsonpath='{.status.recommendation.containerRecommendations[0].target}' ; echo
{"cpu":"93m","memory":"250Mi"}

But no pod updates yet

$ kubectl describe pod -n vpa-demo -l app=nginx-vpa-demo | grep -A 3 "Requests:"
    Requests:
      cpu:        25m
      memory:     250Mi
    Environment:  
--
    Requests:
      cpu:        25m
      memory:     250Mi
    Environment:  

Let’s really set the burn

$ kubectl get deployment -n vpa-demo
NAME             READY   UP-TO-DATE   AVAILABLE   AGE
load-generator   10/10   10           10          15m
nginx-vpa-demo   2/2     2            2           35m

$ kubectl scale deployment -n vpa-demo load-generator --replicas=100
deployment.apps/load-generator scaled

$ kubectl get deployment -n vpa-demo
NAME             READY    UP-TO-DATE   AVAILABLE   AGE
load-generator   10/100   100          10          15m
nginx-vpa-demo   2/2      2            2           36m

Soon the pods were slammed

$ kubectl get deployment -n vpa-demo
NAME             READY     UP-TO-DATE   AVAILABLE   AGE
load-generator   100/100   100          100         17m
nginx-vpa-demo   2/2       2            2           37m

But not rotated

$ kubectl get po  -n vpa-demo -l app=nginx-vpa-demo
NAME                              READY   STATUS    RESTARTS   AGE
nginx-vpa-demo-58d8649cf4-d85cb   1/1     Running   0          38m
nginx-vpa-demo-58d8649cf4-ptp9c   1/1     Running   0          38m

Success!!!

However, on looking at the Events, I finally saw what I was hoping for - resize events:

$ kubectl describe po nginx-vpa-demo-58d8649cf4-d85cb -n vpa-demo
Name:             nginx-vpa-demo-58d8649cf4-d85cb
Namespace:        vpa-demo
Priority:         0
Service Account:  default
Node:             builder-macbookpro8-1/192.168.1.205
Start Time:       Wed, 18 Mar 2026 10:08:19 -0500
Labels:           app=nginx-vpa-demo
                  pod-template-hash=58d8649cf4
Annotations:      vpaInPlaceUpdated: true
Status:           Running
IP:               10.42.1.10
IPs:
  IP:           10.42.1.10
Controlled By:  ReplicaSet/nginx-vpa-demo-58d8649cf4
Containers:
  nginx:
    Container ID:   containerd://0eeab3e68bcc2a8c9e8341851c7216d8f9f54287cc5ce636e0945fb8074494ea
    Image:          nginx:1.25
    Image ID:       docker.io/library/nginx@sha256:a484819eb60211f5299034ac80f6a681b06f89e65866ce91f356ed7c72af059c
    Port:           
    Host Port:      
    State:          Running
      Started:      Wed, 18 Mar 2026 10:08:41 -0500
    Ready:          True
    Restart Count:  0
    Limits:
      cpu:     100m
      memory:  1000Mi
    Requests:
      cpu:        25m
      memory:     250Mi
    Environment:  
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-2m45t (ro)
Conditions:
  Type                        Status
  PodReadyToStartContainers   True
  Initialized                 True
  Ready                       True
  ContainersReady             True
  PodScheduled                True
Volumes:
  kube-api-access-2m45t:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    Optional:                false
    DownwardAPI:             true
QoS Class:                   Burstable
Node-Selectors:              
Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type    Reason               Age   From               Message
  ----    ------               ----  ----               -------
  Normal  Scheduled            38m   default-scheduler  Successfully assigned vpa-demo/nginx-vpa-demo-58d8649cf4-d85cb to builder-macbookpro8-1
  Normal  Pulling              38m   kubelet            Pulling image "nginx:1.25"
  Normal  Pulled               38m   kubelet            Successfully pulled image "nginx:1.25" in 18.601s (18.601s including waiting). Image size: 71005258 bytes.
  Normal  Created              38m   kubelet            Container created
  Normal  Started              38m   kubelet            Container started
  Normal  InPlaceResizedByVPA  24m   vpa-updater        Pod was resized in place by VPA Updater.
  Normal  ResizeStarted        24m   kubelet            Pod resize started: {"containers":[{"name":"nginx","resources":{"limits":{"cpu":"100m","memory":"1000Mi"},"requests":{"cpu":"25m","memory":"250Mi"}}}],"generation":2}
  Normal  ResizeCompleted      24m   kubelet            Pod resize completed: {"containers":[{"name":"nginx","resources":{"limits":{"cpu":"100m","memory":"1000Mi"},"requests":{"cpu":"25m","memory":"250Mi"}}}],"generation":2}

The disconnect

The original article had suggested we might see the requests change

$ kubectl describe pod -n vpa-demo -l app=nginx-vpa-demo | grep -A 3 "Requests:"
    Requests:
      cpu:        25m
      memory:     250Mi
    Environment:  
--
    Requests:
      cpu:        25m
      memory:     250Mi
    Environment:  

But think about it - the requests really are fine.. its the limits that need fixing!

If you look up above, you’ll note we set those limits 200 milicore (0.2 CPU) and 256MiB (memory):

    requests:
        cpu: "50m"
        memory: "64Mi"
    limits:
        cpu: "200m"
        memory: "256Mi"

however, our VPA has moved those upper bounds for us, actually lowering the CPU but greatly increasing the memory

$ kubectl describe pod -n vpa-demo -l app=nginx-vpa-demo | grep -A 3 "Limits:"
    Limits:
      cpu:     100m
      memory:  1000Mi
    Requests:
--
    Limits:
      cpu:     100m
      memory:  1000Mi
    Requests:

Let’s remove the pressure

$ kubectl delete -f ./beat-it-up-new.yaml
service "nginx-vpa-demo" deleted
deployment.apps "load-generator" deleted

$ kubectl get po -n vpa-demo
NAME                              READY   STATUS        RESTARTS   AGE
load-generator-b5756b46-2bccv     1/1     Terminating   0          8m41s
load-generator-b5756b46-2lwr7     1/1     Terminating   0          8m38s
load-generator-b5756b46-2ml7z     1/1     Terminating   0          8m38s
load-generator-b5756b46-2pv22     1/1     Terminating   0          8m37s
load-generator-b5756b46-487nl     1/1     Terminating   0          8m41s
load-generator-b5756b46-4nplc     1/1     Terminating   0          8m40s
load-generator-b5756b46-4t59c     1/1     Terminating   0          8m41s
load-generator-b5756b46-4wkgz     1/1     Terminating   0          8m42s
load-generator-b5756b46-562wc     1/1     Terminating   0          8m37s
load-generator-b5756b46-56z92     1/1     Terminating   0          8m39s
load-generator-b5756b46-5946h     1/1     Terminating   0          8m38s
load-generator-b5756b46-5l6wj     1/1     Terminating   0          8m41s
load-generator-b5756b46-5sjrq     1/1     Terminating   0          8m39s
load-generator-b5756b46-5xc47     1/1     Terminating   0          8m36s
load-generator-b5756b46-6749w     1/1     Terminating   0          8m40s
load-generator-b5756b46-68h87     1/1     Terminating   0          8m39s
load-generator-b5756b46-6jds9     1/1     Terminating   0          8m38s
load-generator-b5756b46-6x2nb     1/1     Terminating   0          8m40s
load-generator-b5756b46-787lb     1/1     Terminating   0          8m38s
load-generator-b5756b46-7gbz8     1/1     Terminating   0          24m
load-generator-b5756b46-7j8wp     1/1     Terminating   0          8m41s
load-generator-b5756b46-7lq55     1/1     Terminating   0          8m41s
load-generator-b5756b46-7twkb     1/1     Terminating   0          8m37s
load-generator-b5756b46-8nvcq     1/1     Terminating   0          24m
load-generator-b5756b46-8qjc5     1/1     Terminating   0          8m42s
load-generator-b5756b46-8sxvl     1/1     Terminating   0          8m41s
load-generator-b5756b46-8tjt6     1/1     Terminating   0          8m38s
load-generator-b5756b46-8vjlp     1/1     Terminating   0          8m39s
load-generator-b5756b46-8x7z8     1/1     Terminating   0          8m36s
load-generator-b5756b46-bkzf9     1/1     Terminating   0          8m36s
load-generator-b5756b46-bmgbt     1/1     Terminating   0          8m41s
load-generator-b5756b46-bs6pq     1/1     Terminating   0          8m39s
load-generator-b5756b46-c6cwp     1/1     Terminating   0          8m41s
load-generator-b5756b46-c6lkv     1/1     Terminating   0          24m
load-generator-b5756b46-c7n9j     1/1     Terminating   0          8m37s
load-generator-b5756b46-chtm6     1/1     Terminating   0          8m38s
load-generator-b5756b46-dh5gj     1/1     Terminating   0          8m41s
load-generator-b5756b46-f4s26     1/1     Terminating   0          8m41s
load-generator-b5756b46-f4txq     1/1     Terminating   0          24m
load-generator-b5756b46-f8whk     1/1     Terminating   0          8m42s
load-generator-b5756b46-fqnxl     1/1     Terminating   0          8m42s
load-generator-b5756b46-ft9sn     1/1     Terminating   0          8m41s
load-generator-b5756b46-g2cd9     1/1     Terminating   0          8m40s
load-generator-b5756b46-g8x6r     1/1     Terminating   0          8m41s
load-generator-b5756b46-gm7hj     1/1     Terminating   0          8m41s
load-generator-b5756b46-gt9md     1/1     Terminating   0          8m40s
load-generator-b5756b46-gxqtw     1/1     Terminating   0          8m40s
load-generator-b5756b46-gzd4z     1/1     Terminating   0          24m
load-generator-b5756b46-gznnz     1/1     Terminating   0          8m41s
load-generator-b5756b46-h6qh4     1/1     Terminating   0          8m40s
load-generator-b5756b46-j8hvz     1/1     Terminating   0          8m41s
load-generator-b5756b46-jhzvp     1/1     Terminating   0          8m41s
load-generator-b5756b46-jprd8     1/1     Terminating   0          8m38s
load-generator-b5756b46-jsb6j     1/1     Terminating   0          8m37s
load-generator-b5756b46-k4hk8     1/1     Terminating   0          8m41s
load-generator-b5756b46-khjns     1/1     Terminating   0          8m37s
load-generator-b5756b46-knwmf     1/1     Terminating   0          8m38s
load-generator-b5756b46-knwsw     1/1     Terminating   0          8m37s
load-generator-b5756b46-lcm88     1/1     Terminating   0          8m42s
load-generator-b5756b46-ldf9b     1/1     Terminating   0          8m41s
load-generator-b5756b46-lxcqj     1/1     Terminating   0          8m41s
load-generator-b5756b46-m67nt     1/1     Terminating   0          8m40s
load-generator-b5756b46-mn6md     1/1     Terminating   0          8m41s
load-generator-b5756b46-n6lkt     1/1     Terminating   0          24m
load-generator-b5756b46-n8psf     1/1     Terminating   0          8m40s
load-generator-b5756b46-n9dsk     1/1     Terminating   0          8m40s
load-generator-b5756b46-nb4cl     1/1     Terminating   0          8m37s
load-generator-b5756b46-nbqnh     1/1     Terminating   0          8m42s
load-generator-b5756b46-nbwxf     1/1     Terminating   0          8m38s
load-generator-b5756b46-nt4n5     1/1     Terminating   0          8m41s
load-generator-b5756b46-p67nk     1/1     Terminating   0          8m39s
load-generator-b5756b46-p82cl     1/1     Terminating   0          24m
load-generator-b5756b46-pk22x     1/1     Terminating   0          8m39s
load-generator-b5756b46-ptqdh     1/1     Terminating   0          8m41s
load-generator-b5756b46-pvhqn     1/1     Terminating   0          8m41s
load-generator-b5756b46-q6dp8     1/1     Terminating   0          8m41s
load-generator-b5756b46-qcswz     1/1     Terminating   0          8m41s
load-generator-b5756b46-qkmtj     1/1     Terminating   0          8m40s
load-generator-b5756b46-qnsmh     1/1     Terminating   0          8m40s
load-generator-b5756b46-qt65f     1/1     Terminating   0          8m38s
load-generator-b5756b46-qznc9     1/1     Terminating   0          24m
load-generator-b5756b46-rmzm5     1/1     Terminating   0          8m40s
load-generator-b5756b46-rrm4g     1/1     Terminating   0          8m41s
load-generator-b5756b46-rwsdz     1/1     Terminating   0          24m
load-generator-b5756b46-sb7zm     1/1     Terminating   0          8m41s
load-generator-b5756b46-snmww     1/1     Terminating   0          8m40s
load-generator-b5756b46-t2jtj     1/1     Terminating   0          8m42s
load-generator-b5756b46-t455g     1/1     Terminating   0          8m38s
load-generator-b5756b46-tjgjb     1/1     Terminating   0          8m38s
load-generator-b5756b46-tpqx8     1/1     Terminating   0          8m40s
load-generator-b5756b46-vnf4t     1/1     Terminating   0          8m41s
load-generator-b5756b46-w4k42     1/1     Terminating   0          8m41s
load-generator-b5756b46-wg96d     1/1     Terminating   0          8m40s
load-generator-b5756b46-whmfq     1/1     Terminating   0          8m40s
load-generator-b5756b46-wwvgk     1/1     Terminating   0          8m42s
load-generator-b5756b46-xldl6     1/1     Terminating   0          8m41s
load-generator-b5756b46-xm885     1/1     Terminating   0          8m36s
load-generator-b5756b46-z6czb     1/1     Terminating   0          24m
load-generator-b5756b46-z7crv     1/1     Terminating   0          8m37s
load-generator-b5756b46-zl27d     1/1     Terminating   0          8m36s
nginx-vpa-demo-58d8649cf4-d85cb   1/1     Running       0          44m
nginx-vpa-demo-58d8649cf4-ptp9c   1/1     Running       0          44m

I should soon see the numbers on the recommendation fall

$ kubectl get vpa nginx-vpa -n vpa-demo -o jsonpath='{.status.recommendation.containerRecommendations[0].target}' ; echo
{"cpu":"109m","memory":"250Mi"}

$ kubectl describe pod -n vpa-demo -l app=nginx-vpa-demo | grep -A 3 "Limits:"
    Limits:
      cpu:     100m
      memory:  1000Mi
    Requests:
--
    Limits:
      cpu:     100m
      memory:  1000Mi
    Requests:

However, even after a good hour, I didn’t see it really scale back down

$ kubectl get vpa -n vpa-demo
NAME        MODE                CPU   MEM     PROVIDED   AGE
nginx-vpa   InPlaceOrRecreate   78m   250Mi   True       131m

$ kubectl get vpa nginx-vpa -n vpa-demo -o jsonpath='{.status.recommendation.containerRecommendations[0].target}' ; echo
{"cpu":"78m","memory":"250Mi"}

$ kubectl describe pod -n vpa-demo -l app=nginx-vpa-demo | grep -A 3 "Limits:"
    Limits:
      cpu:     100m
      memory:  1000Mi
    Requests:
--
    Limits:
      cpu:     100m
      memory:  1000Mi
    Requests:
$ kubectl describe pod -n vpa-demo -l app=nginx-vpa-demo | grep -A 3 "Requests:"
    Requests:
      cpu:        25m
      memory:     250Mi
    Environment:  
--
    Requests:
      cpu:        25m
      memory:     250Mi
    Environment:  

Perhaps it’s happy… I noticed the events got wiped over time so really I would need to add a proper Prometheus stack or observability engine to see it over a longer period.

Summary

Well, this took a lot longer than I had hoped and in the end, caused me to rebuild two old laptops, but we did test VPAs in Kubernetes 1.35. Most of the details of this are in the official Vertical Pod Autoscaling docs which closely match what we covered.

We covered the “Recreate” (though it didn’t do it), “InPlaceOrRecreate” (do it or i boot you) and “Off” update modes. There is a fourth mode, “Initial”, which we didn’t cover, but is worth mentioning. In “Initial”, it sets the requests just when the pods are first created and doesn’t touch them after. This can be useful for gradual horizontal scale outs or changes that roll slowly over time.

Chats: IRC and Matrix

2026-03-12T01:01:01+00:00

Let’s talk about Chat clients. I got to wondering what every happened to IRC. Internet Relay Chat (IRC) has been around since 1988, but I certainly got to know it later in 1996. It was my usual hangout space in the early 2000s but maybe I just got busy - I stopped using it in the ’10s. It never went away. It hasn’t changed at all and only recently, after about 22 years did people hop off Freenode to Libera.chat as the primary server.

We have Matrix as well (I’ve had a Matrix Synapse server here since 2024) but it really didn’t take off. Is IRC any good? With all these negative changes happening to the formerly good and reliable tools like Slack and Discord, is it time to go back to the tried and true? Is it time to Bring back the Time?

Inspirecd Dependencies

Let’s make sure we have the build essential pieces we need

$ sudo apt update
$ sudo apt install -y build-essential git perl g++ make libssl-dev pkg-config

Next, we can clone down Inspirecd from Github

builder@bosgamerz9:~$ cd Workspaces/
builder@bosgamerz9:~/Workspaces$ git clone https://github.com/inspircd/inspircd.git
Cloning into 'inspircd'...
remote: Enumerating objects: 159000, done.
remote: Counting objects: 100% (1145/1145), done.
remote: Compressing objects: 100% (455/455), done.
remote: Total 159000 (delta 899), reused 801 (delta 689), pack-reused 157855 (from 3)
Receiving objects: 100% (159000/159000), 43.06 MiB | 849.00 KiB/s, done.
Resolving deltas: 100% (133861/133861), done.

I went to configure

builder@bosgamerz9:~/Workspaces/inspircd$ perl ./configure --enable-extras ssl_openssl
Enabling the ssl_openssl module ...
argon2          = disabled
geo_maxmind     = disabled
ldap            = disabled
log_json        = disabled
log_syslog      = disabled
mysql           = disabled
pgsql           = disabled
regex_pcre2     = disabled
regex_posix     = disabled
regex_re2       = disabled
regex_tre       = disabled
sqlite3         = disabled
ssl_gnutls      = disabled
ssl_openssl     = enabled
sslrehashsignal = disabled
Remember: YOU are responsible for making sure any libraries needed have been installed!


builder@bosgamerz9:~/Workspaces/inspircd$ perl ./configure
Configuring InspIRCd 4.9.0-cab23b7e5 on Linux 6.14.0-29-generic x86_64.
Checking whether .configure/cache.cfg is available ... no
Checking whether /home/builder/Workspaces/inspircd is writable ... yes
Checking whether `c++` is available ... yes
Checking whether `c++` is compatible ... yes
Checking whether arc4random_buf() is available ... yes
Checking whether clock_gettime() is available ... yes
Checking whether getentropy() is available ... yes
Checking whether epoll is available ... yes
Checking whether kqueue is available ... no
Checking whether poll is available ... yes
Warning: You are building a development version. This contains code which has
not been tested as heavily and may contain various faults which could seriously
affect the running of your server. It is recommended that you use a stable
version instead.

You can obtain the latest stable version from https://www.inspircd.org or by
running `git checkout $(git describe --abbrev=0 --tags insp4)` if you are
installing from Git.

I understand this warning and want to continue anyway.
[no] => yes

Currently, InspIRCd is configured with the following paths:

Binary: /home/builder/Workspaces/inspircd/run/bin
Config: /home/builder/Workspaces/inspircd/run/conf
Data:   /home/builder/Workspaces/inspircd/run/data
Log:    /home/builder/Workspaces/inspircd/run/logs
Manual: /home/builder/Workspaces/inspircd/run/manuals
Module: /home/builder/Workspaces/inspircd/run/modules
Script: /home/builder/Workspaces/inspircd/run

Do you want to change these settings?

[no] => no

Currently, InspIRCd is configured to automatically enable all available extra modules.

Would you like to enable extra modules manually?

[no] => no

Enabling the log_syslog module ...
Enabling the regex_posix module ...
Enabling the sslrehashsignal module ...
Creating .configure ...
Writing .configure/cache.cfg ...
Parsing make/template/apparmor ...
Writing .configure/apparmor ...
Parsing make/template/config.h ...
Writing include/config.h ...
Parsing make/template/deploy-ssl.sh ...
Writing .configure/deploy-ssl.sh ...
Parsing make/template/help.txt ...
Writing .configure/help.txt ...
Parsing make/template/inspircd ...
Writing .configure/inspircd ...
Parsing make/template/inspircd-testssl.1 ...
Writing .configure/inspircd-testssl.1 ...
Parsing make/template/inspircd.1 ...
Writing .configure/inspircd.1 ...
Parsing make/template/inspircd.openrc ...
Writing .configure/inspircd.openrc ...
Parsing make/template/inspircd.service ...
Writing .configure/inspircd.service ...
Parsing make/template/logrotate ...
Writing .configure/logrotate ...
Parsing make/template/main.mk ...
Writing GNUmakefile ...
Parsing make/template/org.inspircd.plist ...

Configuration is complete! You have chosen to build with the following settings:

Compiler:
  Binary:  c++
  Name:    GCC
  Version: 13.3

Extra Modules:
  * log_syslog
  * regex_posix
  * ssl_openssl
  * sslrehashsignal

Paths:
  Binary:  /home/builder/Workspaces/inspircd/run/bin
  Config:  /home/builder/Workspaces/inspircd/run/conf
  Data:    /home/builder/Workspaces/inspircd/run/data
  Example: /home/builder/Workspaces/inspircd/run/conf/examples
  Log:     /home/builder/Workspaces/inspircd/run/logs
  Manual:  /home/builder/Workspaces/inspircd/run/manuals
  Module:  /home/builder/Workspaces/inspircd/run/modules
  Runtime: /home/builder/Workspaces/inspircd/run/data
  Script:  /home/builder/Workspaces/inspircd/run

Execution Group: builder (1000)
Execution User:  builder (1000)
Socket Engine:   epoll

To build with these settings run 'make -j17 install' now.

I can now make the binaries

builder@bosgamerz9:~/Workspaces/inspircd$ make -j17 install
*************************************
*       BUILDING INSPIRCD           *
*                                   *
*   This will take a *long* time.   *
*     Why not read our docs at      *
*     https://docs.inspircd.org     *
*  while you wait for Make to run?  *
*************************************
        BUILD:          channels.cpp
        BUILD:          cull.cpp
        BUILD:          bancache.cpp
        BUILD:          clientprotocol.cpp
        BUILD:          hashcomp.cpp
        BUILD:          configparser.cpp
        BUILD:          dynamic.cpp
        BUILD:          configreader.cpp
        BUILD:          extensible.cpp
        BUILD:          cidr.cpp
        BUILD:          commands.cpp
        BUILD:          channelmanager.cpp
        BUILD:          inspircd.cpp
        BUILD:          helperfuncs.cpp
        BUILD:          listmode.cpp
        BUILD:          base.cpp
        BUILD:          listensocket.cpp
... snip ...


        LINK:           modules/core_xline.so
        LINK:           modules/m_spanningtree.so

*************************************
*        INSTALL COMPLETE!          *
*************************************
Paths:
  Configuration: /home/builder/Workspaces/inspircd/run/conf
  Binaries: /home/builder/Workspaces/inspircd/run/bin
  Modules: /home/builder/Workspaces/inspircd/run/modules
  Data: /home/builder/Workspaces/inspircd/run/data
To start the ircd, run: /home/builder/Workspaces/inspircd/run/inspircd start
Remember to create your config file: /home/builder/Workspaces/inspircd/run/conf/inspircd.conf
Examples are available at: /home/builder/Workspaces/inspircd/run/conf/examples

I’m pretty sure that covered install, but I’ll be explicit about it

builder@bosgamerz9:~/Workspaces/inspircd$ make install
*************************************
*       BUILDING INSPIRCD           *
*                                   *
*   This will take a *long* time.   *
*     Why not read our docs at      *
*     https://docs.inspircd.org     *
*  while you wait for Make to run?  *
*************************************

*************************************
*        INSTALL COMPLETE!          *
*************************************
Paths:
  Configuration: /home/builder/Workspaces/inspircd/run/conf
  Binaries: /home/builder/Workspaces/inspircd/run/bin
  Modules: /home/builder/Workspaces/inspircd/run/modules
  Data: /home/builder/Workspaces/inspircd/run/data
To start the ircd, run: /home/builder/Workspaces/inspircd/run/inspircd start
Remember to create your config file: /home/builder/Workspaces/inspircd/run/conf/inspircd.conf
Examples are available at: /home/builder/Workspaces/inspircd/run/conf/examples

I copied the example conf over and changed things like my name, email and server domain name

builder@bosgamerz9:~/Workspaces/inspircd$ cp run/conf/examples/inspircd.example.conf run/conf/inspircd.conf
builder@bosgamerz9:~/Workspaces/inspircd$ vi run/conf/inspircd.conf

I’m going to want to use a DNS name (as my IP tends to change from time to time), so I’ll set an A-Record to my current ingress IP

$ az account set --subscription "Pay-As-You-Go" && az network dns record-set a add-record -g idjdnsrg -z tpk.pw -a 76.156.69.232 -n irc
{
  "ARecords": [
    {
      "ipv4Address": "76.156.69.232"
    }
  ],
  "TTL": 3600,
  "etag": "d06ff40d-eecf-49a6-bad0-fa93b7754588",
  "fqdn": "irc.tpk.pw.",
  "id": "/subscriptions/d955c0ba-13dc-44cf-a29a-8fed74cbb22d/resourceGroups/idjdnsrg/providers/Microsoft.Network/dnszones/tpk.pw/A/irc",
  "name": "irc",
  "provisioningState": "Succeeded",
  "resourceGroup": "idjdnsrg",
  "targetResource": {},
  "trafficManagementProfile": {},
  "type": "Microsoft.Network/dnszones/A"
}

And I’ll create a forwarding rule

We can now run it

builder@bosgamerz9:~/Workspaces/inspircd$ cd run
builder@bosgamerz9:~/Workspaces/inspircd/run$ ls
apparmor  bin  conf  data  deploy-ssl.sh  inspircd  inspircd.openrc  inspircd.service  logrotate  logs  manuals  modules
builder@bosgamerz9:~/Workspaces/inspircd/run$ ./inspircd start
InspIRCd - Internet Relay Chat Daemon
See /INFO for contributors & authors

InspIRCd Process ID: 1243481

Loading core modules .....................
InspIRCd is now running as 'irc.tpk.pw'[247] with 1048576 max open sockets

I was having a lot of issues sorting out TLS so I stopped the local process

builder@bosgamerz9:~/Workspaces/inspircd/run$ ./inspircd stop
Stopping InspIRCd (pid: 1243481)...
InspIRCd Stopped.

And tried using a container (with self-signed certs) instead

builder@bosgamerz9:~/Workspaces/inspircd/run$ docker run --name inspircd -p 6667:6667 -p 6697:6697 -e "INSP_TLS_CN=irc.tpk.pw" inspircd/inspircd-dock
er
Unable to find image 'inspircd/inspircd-docker:latest' locally
latest: Pulling from inspircd/inspircd-docker
589002ba0eae: Pull complete
846eed7a3760: Pull complete
c6b8f6e5ebab: Pull complete
720ba1ca8e28: Pull complete
c9d4b0e16ef1: Pull complete
Digest: sha256:5dd8db6d00eeddea7debd5544f38bdbc731500b0d047ae5f24f9f95110a18156
Status: Downloaded newer image for inspircd/inspircd-docker:latest
** Note: You may use '--sec-param High' instead of '--bits 4096'
Generating a 4096 bit RSA private key...
Generating a self signed certificate...
X.509 Certificate Information:
        Version: 3
        Serial Number (hex): 77e3f6ec0d9bd60882c09b73b50962dcacfe35d6
        Validity:
                Not Before: Tue Mar 03 13:13:49 UTC 2026
                Not After: Wed Mar 03 13:13:49 UTC 2027
        Subject: CN=irc.tpk.pw,OU=Example Server Admins,O=Example IRC Network,L=Example City,ST=Example State,C=XZ
        Subject Public Key Algorithm: RSA
        Algorithm Security Level: High (4096 bits)
                Modulus (bits 4096):
                        00:ba:04:c5:bd:9e:cf:4b:7c:89:4a:76:b5:10:af:d5
                        5e:ce:be:17:4f:a8:40:5e:87:06:22:8d:e2:e6:e3:b6
                        c4:50:a7:c5:9c:fe:05:53:9c:20:50:de:56:7e:24:e5
                        57:55:c7:f6:12:7f:c2:e3:b8:07:47:d6:ea:fc:57:d7
                        50:13:e0:68:0a:7c:a0:7c:e6:1d:54:b8:db:ad:bb:56
                        94:37:d5:56:af:9f:9f:8f:29:6f:49:ef:b2:a3:f8:cb
                        d0:75:3c:7c:ff:b6:db:0a:3f:49:cc:7d:9c:57:b1:17
                        e1:7c:e7:3b:aa:84:d5:08:c3:18:64:ae:a7:98:d1:b3
                        47:94:ac:61:89:06:a7:00:d9:33:74:37:d0:4c:af:67
                        03:f0:e0:38:d4:e2:ae:06:b7:0d:44:84:6d:1e:21:f9
                        13:99:95:a3:fd:97:07:f9:1c:bc:e5:d6:8e:bf:10:8c
                        1d:4d:9d:b8:c1:db:ee:cf:0b:c5:be:3a:41:38:da:8c
                        96:f3:2a:be:ea:3f:1e:ac:15:e3:be:19:8c:46:45:9b
                        20:71:62:4d:a0:1a:c1:1a:9a:63:cd:58:d7:5e:29:a9
                        0b:bd:1d:86:fb:66:0f:cd:70:5f:6d:77:7f:ef:a6:90
                        06:01:44:b5:e0:aa:a6:19:7e:b4:d1:2f:22:71:d5:c1
                        5b:74:35:b0:4b:41:2c:86:c8:16:25:cc:b7:f5:db:fc
                        ae:42:72:95:0b:66:be:8d:9b:8a:26:3f:be:7c:83:6a
                        41:fd:a9:f8:58:e9:62:aa:11:63:a7:45:17:1e:25:b9
                        9e:d5:62:21:d8:50:d0:52:22:a3:2c:8f:2d:2c:d2:4c
                        d8:52:74:07:a8:5c:34:43:04:c5:3b:15:de:06:e4:2d
                        01:61:6c:34:4f:ed:f1:94:90:8e:ad:25:67:52:83:c2
                        63:9c:86:7b:b2:bb:78:24:22:5f:f6:6e:35:28:3b:3e
                        6a:1a:a3:00:33:6f:a1:cd:e8:e6:52:23:e3:9e:7f:7b
                        3a:ee:cd:ed:ae:ad:bb:99:67:93:a9:60:49:4a:4b:0b
                        e5:23:c3:a0:06:7e:a9:9b:4e:dc:03:ae:d4:e6:34:36
                        8a:5a:29:e3:c2:5f:85:3a:3f:81:d9:f2:ed:bf:7e:46
                        9b:0a:21:7d:21:91:dc:60:02:a6:64:c5:df:13:21:90
                        44:cd:77:ce:41:6e:68:4e:68:45:7f:17:85:b7:87:8d
                        a6:4a:37:fc:65:ef:16:5f:01:f5:f3:b4:44:e6:93:d7
                        ec:ef:5c:29:17:af:e0:44:50:01:8f:13:95:df:61:0e
                        e8:70:12:9f:54:a2:a3:9d:9a:ea:fd:a2:65:aa:6a:77
                        31
                Exponent (bits 24):
                        01:00:01
        Extensions:
                Basic Constraints (critical):
                        Certificate Authority (CA): FALSE
                Key Purpose (not critical):
                        TLS WWW Client.
                        TLS WWW Server.
                        OCSP signing.
                        Code signing.
                        Time stamping.
                Key Usage (critical):
                        Digital signature.
                        Key encipherment.
                Subject Key Identifier (not critical):
                        1130f4a689411493d7f0baca26131d773c8d8a69
Other Information:
        Public Key ID:
                sha1:1130f4a689411493d7f0baca26131d773c8d8a69
                sha256:8934fdd15907c11f601b82990247e5174870808f3248770169ae112a10f641a7
        Public Key PIN:
                pin-sha256:iTT90VkHwR9gG4KZAkflF0hwgI8ySHcBaa4RKhD2Qac=



Signing certificate...
Generating DH parameters (2048 bits)...
(might take long time)
InspIRCd - Internet Relay Chat Daemon
See /INFO for contributors & authors

InspIRCd Process ID: 1

Loading core modules .....................
[*] Loading module:     m_account.so
[*] Loading module:     m_alias.so
[*] Loading module:     m_allowinvite.so
[*] Loading module:     m_alltime.so
[*] Loading module:     m_banexception.so
[*] Loading module:     m_banredirect.so
[*] Loading module:     m_bcrypt.so
[*] Loading module:     m_blockcolor.so
[*] Loading module:     m_botmode.so
[*] Loading module:     m_callerid.so
[*] Loading module:     m_cap.so
[*] Loading module:     m_chancreate.so
[*] Loading module:     m_chanfilter.so
[*] Loading module:     m_chanhistory.so
[*] Loading module:     m_channelban.so
[*] Loading module:     m_chghost.so
[*] Loading module:     m_chgident.so
[*] Loading module:     m_chgname.so
[*] Loading module:     m_commonchans.so
[*] Loading module:     m_connectban.so
[*] Loading module:     m_connflood.so
[*] Loading module:     m_conn_umodes.so
[*] Loading module:     m_conn_waitpong.so
[*] Loading module:     m_customprefix.so
[*] Loading module:     m_cycle.so
[*] Loading module:     m_dnsbl.so
[*] Loading module:     m_exemptchanops.so
[*] Loading module:     m_filter.so
[*] Loading module:     m_gateway.so
[*] Loading module:     m_globalload.so
[*] Loading module:     m_globops.so
[*] Loading module:     m_help.so
[*] Loading module:     m_hidechans.so
[*] Loading module:     m_inviteexception.so
[*] Loading module:     m_ircv3.so
[*] Loading module:     m_ircv3_accounttag.so
[*] Loading module:     m_ircv3_batch.so
[*] Loading module:     m_ircv3_capnotify.so
[*] Loading module:     m_ircv3_chghost.so
[*] Loading module:     m_ircv3_ctctags.so
[*] Loading module:     m_ircv3_echomessage.so
[*] Loading module:     m_ircv3_invitenotify.so
[*] Loading module:     m_ircv3_labeledresponse.so
[*] Loading module:     m_ircv3_msgid.so
[*] Loading module:     m_ircv3_servertime.so
[*] Loading module:     m_joinflood.so
[*] Loading module:     m_knock.so
[*] Loading module:     m_log_syslog.so
[*] Loading module:     m_messageflood.so
[*] Loading module:     m_monitor.so
[*] Loading module:     m_multiprefix.so
[*] Loading module:     m_noctcp.so
[*] Loading module:     m_nonotice.so
[*] Loading module:     m_operlog.so
[*] Loading module:     m_opermodes.so
[*] Loading module:     m_passforward.so
[*] Loading module:     m_password_hash.so
[*] Loading module:     m_realnameban.so
[*] Loading module:     m_regex_glob.so
[*] Loading module:     m_sajoin.so
[*] Loading module:     m_sakick.so
[*] Loading module:     m_samode.so
[*] Loading module:     m_sanick.so
[*] Loading module:     m_sapart.so
[*] Loading module:     m_saquit.so
[*] Loading module:     m_satopic.so
[*] Loading module:     m_seenicks.so
[*] Loading module:     m_services.so
[*] Loading module:     m_sethost.so
[*] Loading module:     m_setident.so
[*] Loading module:     m_setname.so
[*] Loading module:     m_sha2.so
[*] Loading module:     m_shun.so
[*] Loading module:     m_silence.so
[*] Loading module:     m_spanningtree.so
[*] Loading module:     m_ssl_gnutls.so
[*] Loading module:     m_sslinfo.so
[*] Loading module:     m_sslmodes.so
[*] Loading module:     m_swhois.so
[*] Loading module:     m_tline.so
[*] Loading module:     m_uhnames.so
[*] Loading module:     m_xline_db.so
InspIRCd is now running as '6c2f16f4e983.example.com'[387] with 1048576 max open sockets

I struggled for a while getting TLS to work and after enough time, decided a containerized approach would be more fruitful.

inspircd-docker

I found this inspircd docker container that would use TLS with self-signed certs.

While I would prefer properly signed, I figured this was a good start.

$ docker run --name inspircd -p 6667:6667 -p 6697:6697 -e "INSP_TLS_CN=irc.tpk.pw" inspircd/inspircd-docker

We already had a forwarding rule set earlier for that DNS name.

I can use an app like xxxx on my phone to now connect.

It will warn about the cert, but I just need to accept

but then it works just fine

Scripting output

I wanted to be able to post messages from processes and builds.

It took a few iterations to sort out TCP piping, but I managed to get it finall work:

$ cat ./testirc3.sh
#!/bin/bash

# Configuration
SERVER="irc.tpk.pw"
PORT="6667"
NICK="mybot"
CHAN="#general"

# 1. Open a bidirectional socket on File Descriptor 3
exec 3<>/dev/tcp/$SERVER/$PORT

# 2. Send registration info to the socket
echo "NICK $NICK" >&3
echo "USER $NICK 8 * :My Bot" >&3

# 3. Read from the socket (Descriptor 3)
while read -u 3 line; do
    # Print server output to your terminal so you can see what's happening
    echo "<< $line"

    case "$line" in
        # Answer the PING immediately
        PING*)
            ID=$(echo "$line" | cut -d':' -f2)
            echo "PONG :$ID" >&3
            echo ">> PONG sent"
            ;;

        # 001 is the "Welcome" numeric. Now we can join and talk.
        *001*)
            echo "JOIN $CHAN" >&3
            sleep 2 # Small buffer for the server to process the join
            echo "PRIVMSG $CHAN :Hello from the command line!" >&3
            echo "QUIT" >&3
            echo ">> Message sent and quitting."
            exit
            ;;

        # Error handling if the nick is taken
        *433*)
            echo "Error: Nickname already in use."
            exit 1
            ;;
    esac
done

Testing shows a completed message

builder@DESKTOP-QADGF36:~/Workspaces$ ./testirc3.sh
<< :6c2f16f4e983.example.com NOTICE * :*** Looking up your hostname...
<< PING :yvof8p1ksK
>> PONG sent
<< :6c2f16f4e983.example.com NOTICE mybot :*** Found your hostname (RT-BE92U-BDA0)
<< :6c2f16f4e983.example.com 001 mybot :Welcome to the ExampleNet IRC Network mybot!mybot@RT-BE92U-BDA0
>> Message sent and quitting.

We can now see it post (i tested twice, it did not post twice).

Having multiple devices try to use my username ended up with a ban I could not solve so I reset the container and connected, this time giving a unique name to each device.

But it did come up and work just fine

Matrix

I don’t often use it - and really, I’m not sure why - perhaps it’s because it’s rather dead without users, but I do have a Matrix Synapse host (matrix.freshbrewed.science).

All my build scripts keep posting there

I looked at my last deploy and see it was from a few years ago (good testament to something that doesnt fall down)

$ helm list | grep matrix matrix-synapse default 1 2024-03-02 08:37:10.310138818 -0600 CST deployed matrix-synapse-3.8.2 1.101.0

Seems the latest chart is up to 1.148.0 (from my 1.101.0)

The upgrade should be just as easy as it was on 2024-01-30…

$ helm upgrade matrix-synapse ananace-charts/matrix-synapse --set serverName=matrix.freshbrewed.science --set wellknown.enabled=true
Release "matrix-synapse" has been upgraded. Happy Helming!
NAME: matrix-synapse
LAST DEPLOYED: Wed Mar 11 10:27:54 2026
NAMESPACE: default
STATUS: deployed
REVISION: 2
NOTES:
** Note, this chart may take a while to finish setup, please be patient **
** Also, remember to disable the signingkey job (signingkey.job.enabled=false) **

Your Synapse install is now starting, you should soon be able to access it on
the following URL(s);
http://matrix.freshbrewed.science

You can create a user in your new Synapse install by running the following
command; (replacing USERNAME and PASSWORD)

    export POD_NAME=$(kubectl get pods --namespace default -l "app.kubernetes.io/name=matrix-synapse,app.kubernetes.io/instance=matrix-synapse,app.kubernetes.io/component=synapse" -o jsonpath="{.items[0].metadata.name}")
    kubectl exec --namespace default $POD_NAME -- register_new_matrix_user -c /synapse/config/homeserver.yaml -c /synapse/config/conf.d/secrets.yaml -u USERNAME -p PASSWORD --admin http://localhost:8008

You can also specify --no-admin to create a non-admin user.

As I watched containers, I could see there was a bit of an order issue - as the PostgreSQL container rotated after the app, the app got into a crash loop for a few moments. but then it came back

builder@DESKTOP-QADGF36:~/Workspaces$ kubectl get po | grep matrix
matrix-synapse-55f7b5dbc5-8xzc8                      0/1     Running            1 (2s ago)        19s
matrix-synapse-bfc9b99b7-2gdzp                       1/1     Running            398 (6d5h ago)    207d
matrix-synapse-postgresql-0                          1/1     Terminating        6 (17d ago)       207d
matrix-synapse-redis-master-6986bdf45b-8w6tx         0/1     Running            0                 19s
matrix-synapse-redis-master-8f95f8bd7-p5ptf          1/1     Running            6 (17d ago)       185d
matrix-synapse-wellknown-lighttpd-7496b664b4-7wfxf   1/1     Running            0                 19s
builder@DESKTOP-QADGF36:~/Workspaces$ kubectl get po | grep matrix
matrix-synapse-55f7b5dbc5-8xzc8                      0/1     Error              1 (13s ago)        30s
matrix-synapse-bfc9b99b7-2gdzp                       1/1     Running            398 (6d5h ago)     207d
matrix-synapse-postgresql-0                          1/1     Terminating        6 (17d ago)        207d
matrix-synapse-redis-master-6986bdf45b-8w6tx         1/1     Running            0                  30s
matrix-synapse-wellknown-lighttpd-7496b664b4-7wfxf   1/1     Running            0                  30s
builder@DESKTOP-QADGF36:~/Workspaces$ kubectl get po | grep matrix
matrix-synapse-55f7b5dbc5-8xzc8                      0/1     CrashLoopBackOff   1 (10s ago)        36s
matrix-synapse-bfc9b99b7-2gdzp                       1/1     Running            398 (6d5h ago)     207d
matrix-synapse-postgresql-0                          0/1     Running            0                  5s
matrix-synapse-redis-master-6986bdf45b-8w6tx         1/1     Running            0                  36s
matrix-synapse-wellknown-lighttpd-7496b664b4-7wfxf   1/1     Running            0                  36s
builder@DESKTOP-QADGF36:~/Workspaces$ kubectl get po | grep matrix
matrix-synapse-55f7b5dbc5-8xzc8                      0/1     Running            2 (22s ago)        48s
matrix-synapse-bfc9b99b7-2gdzp                       1/1     Running            398 (6d5h ago)     207d
matrix-synapse-postgresql-0                          1/1     Running            0                  17s
matrix-synapse-redis-master-6986bdf45b-8w6tx         1/1     Running            0                  48s
matrix-synapse-wellknown-lighttpd-7496b664b4-7wfxf   1/1     Running            0                  48s
builder@DESKTOP-QADGF36:~/Workspaces$ kubectl get po | grep matrix
matrix-synapse-55f7b5dbc5-8xzc8                      1/1     Running            2 (75s ago)        101s
matrix-synapse-postgresql-0                          1/1     Running            0                  70s
matrix-synapse-redis-master-6986bdf45b-8w6tx         1/1     Running            0                  101s
matrix-synapse-wellknown-lighttpd-7496b664b4-7wfxf   1/1     Running            0                  101s

A refresh of Cinny showed the room was up and running

while I don’t have Cinny exposed externally, I do have element available to all, which has a container set to “latest” so it’s always up to date

Summary

IRC is still very cool for chat. I think there is more work on my end to figure out how to apply controls (logins, admins, proper SSL).

That said, I’m not certain I need anything beyond Matrix with some proper Matrix clients. Most of my other threads come through Discord, Google Chat, Keybase and Telegram.

What is funny to me is we used to have Pidgin and Trillium long long ago back when there were too many chat options and we wanted a single client that could bridge gchat, yahoo chat, aolchat, ICQ, MSN and more.. Seems we may need to come back to that again.

Side note: Just looking at the Pidgin plugins, I think I have a winner for the future - it coveres all of mine (save for Keybase.io).

Misc Apps: Toolstack and Homehub

2026-03-10T01:01:01+00:00

I had bookmarked this Marius post on Homehub, a nice family hub app. I wanted to check that out and maybe see if I could tweak it a bit.

I also wanted to look at Toolstack, another of that authors public repos that seemed to be a rather clever assortment of useful utilities.

Let’s start with that.

Toolstack

I found this interesting Github repo from Suraj that had a bunch of utilities served up via a web browser.

Let’s just start with cloning the repo down

(base) builder@LuiGi:~/Workspaces$ git clone https://github.com/surajverma/toolstack.git
Cloning into 'toolstack'...
remote: Enumerating objects: 196, done.
remote: Counting objects: 100% (196/196), done.
remote: Compressing objects: 100% (84/84), done.
remote: Total 196 (delta 67), reused 186 (delta 58), pack-reused 0 (from 0)
Receiving objects: 100% (196/196), 275.17 KiB | 304.00 KiB/s, done.
Resolving deltas: 100% (67/67), done.
(base) builder@LuiGi:~/Workspaces$ nvm use lts/jod
Now using node v22.22.0 (npm v10.9.4)
(base) builder@LuiGi:~/Workspaces$ cd toolstack/

Then installing any dependencies

(base) builder@LuiGi:~/Workspaces/toolstack$ npm install

added 375 packages, and audited 376 packages in 13s

141 packages are looking for funding
  run `npm fund` for details

8 vulnerabilities (3 low, 2 moderate, 2 high, 1 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues, run:
  npm audit fix --force

Run `npm audit` for details.

I can now fire it up in dev mode (npm run dev)

(base) builder@LuiGi:~/Workspaces/toolstack$ npm run dev

> toolstack@0.1.0 dev
> next dev --turbopack

   ▲ Next.js 15.3.3 (Turbopack)
   - Local:        http://localhost:3000
   - Network:      http://10.239.189.22:3000

 ✓ Starting...
Attention: Next.js now collects completely anonymous telemetry regarding usage.
This information is used to shape Next.js' roadmap and prioritize features.
You can learn more, including how to opt-out if you'd not like to participate in this anonymous program, by visiting the following URL:
https://nextjs.org/telemetry

 ✓ Ready in 727ms

It is actually loaded with little utilities

I like this, but wish I could just put it out on a URL and enjoy it (instead of running NodeJS locally).

I put together a simple Dockerfile

FROM node:20-alpine AS production
WORKDIR /app
COPY . .
EXPOSE 3000
CMD ["npm", "run", "dev", "--", "-H", "0.0.0.0"]

Then build and tested

(base) builder@LuiGi:~/Workspaces/toolstack$ docker build -t mytest:04 .
[+] Building 4.5s (9/9) FINISHED                                                       docker:default
 => [internal] load build definition from Dockerfile                                             0.0s
 => => transferring dockerfile: 170B                                                             0.0s
 => [internal] load metadata for docker.io/library/node:20-alpine                                1.1s
 => [auth] library/node:pull token for registry-1.docker.io                                      0.0s
 => [internal] load .dockerignore                                                                0.0s
 => => transferring context: 2B                                                                  0.0s
 => [1/3] FROM docker.io/library/node:20-alpine@sha256:09e2b3d9726018aecf269bd35325f46bf75046a6  0.0s
 => [internal] load build context                                                                0.5s
 => => transferring context: 1.71MB                                                              0.5s
 => CACHED [2/3] WORKDIR /app                                                                    0.0s
 => [3/3] COPY . .                                                                               1.2s
 => exporting to image                                                                           1.6s
 => => exporting layers                                                                          1.5s
 => => writing image sha256:1870f773c57fb4c01a76ec4f0d67dab1a4482c6889e30418d9df18fbb1178760     0.0s
 => => naming to docker.io/library/mytest:04                                                     0.0s
(base) builder@LuiGi:~/Workspaces/toolstack$ docker run -p 3000:3000 mytest:04

> toolstack@0.1.0 dev
> next dev --turbopack -H 0.0.0.0

   ▲ Next.js 15.3.3 (Turbopack)
   - Local:        http://localhost:3000
   - Network:      http://0.0.0.0:3000

 ✓ Starting...
Attention: Next.js now collects completely anonymous telemetry regarding usage.
This information is used to shape Next.js' roadmap and prioritize features.
You can learn more, including how to opt-out if you'd not like to participate in this anonymous program, by visiting the following URL:
https://nextjs.org/telemetry

 ✓ Ready in 890ms
 ○ Compiling / ...
 ✓ Compiled / in 6.5s
 GET / 200 in 6788ms

It’s a pretty simple app, so I’ll just push it up to dockerhub

(venv) (base) builder@LuiGi:~/Workspaces/toolstack$ docker tag mytest:04 idjohnson/toolstack:01
(venv) (base) builder@LuiGi:~/Workspaces/toolstack$ docker push idjohnson/toolstack:01
The push refers to repository [docker.io/idjohnson/toolstack]
3042ce71e8c5: Pushed
5e2c1c4da1e2: Pushed
1dcaf7a5a25b: Mounted from library/node
3bcb0b085764: Mounted from library/node
e881f55858a8: Mounted from library/node
989e799e6349: Mounted from library/node
01: digest: sha256:e5b56fe4eb79665a441a8766ab2a93cf5421165ff4b6a18e83d9b1924ee20b7d size: 1577

I’ll create a quick A record

$ az account set --subscription "Pay-As-You-Go" && az network dns record-set a add-record -g idjdnsrg -z tpk.pw -a 76.156.69.232 -n toolbox
{
  "ARecords": [
    {
      "ipv4Address": "76.156.69.232"
    }
  ],
  "TTL": 3600,
  "etag": "a97f4aeb-5bd9-4b26-ac3e-3e5cb5518305",
  "fqdn": "toolbox.tpk.pw.",
  "id": "/subscriptions/d955c0ba-13dc-44cf-a29a-8fed74cbb22d/resourceGroups/idjdnsrg/providers/Microsoft.Network/dnszones/tpk.pw/A/toolbox",
  "name": "toolbox",
  "provisioningState": "Succeeded",
  "resourceGroup": "idjdnsrg",
  "targetResource": {},
  "trafficManagementProfile": {},
  "type": "Microsoft.Network/dnszones/A"
}

Now I just need a service, deployment and ingress to use that DNS entry

(venv) (base) builder@LuiGi:~/Workspaces/toolstack$ cat ./manifest.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: toolstack-deployment
spec:
  replicas: 2
  selector:
    matchLabels:
      app: toolstack
  template:
    metadata:
      labels:
        app: toolstack
    spec:
      containers:
      - name: toolstack-container
        image: idjohnson/toolstack:01
        ports:
        - containerPort: 3000
---
apiVersion: v1
kind: Service
metadata:
  name: toolstack-service
spec:
  selector:
    app: toolstack
  ports:
    - protocol: TCP
      port: 80
      targetPort: 3000
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: azuredns-tpkpw
    ingress.kubernetes.io/ssl-redirect: "true"
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.org/client-max-body-size: "0"
    nginx.org/proxy-connect-timeout: "3600"
    nginx.org/proxy-read-timeout: "3600"
    nginx.org/websocket-services: toolstack-service
  name: toolstack-ingress
spec:
  rules:
  - host: toolbox.tpk.pw
    http:
      paths:
      - backend:
          service:
            name: toolstack-service
            port:
              number: 80
        path: /
        pathType: Prefix
  tls:
  - hosts:
    - toolbox.tpk.pw
    secretName: toolbox-tls

And apply them in k8s

(venv) (base) builder@LuiGi:~/Workspaces/toolstack$ kubectl apply -f ./manifest.yaml
deployment.apps/toolstack-deployment created
service/toolstack-service created
Warning: annotation "kubernetes.io/ingress.class" is deprecated, please use 'spec.ingressClassName' instead
ingress.networking.k8s.io/toolstack-ingress created

Once the cert is ready

$ kubectl get cert | grep tool
toolbox-tls                         True    toolbox-tls                         90s

I can now access https://toolbox.tpk.pw

Homehub

Another of his projects is Homehub which like the toolbox, is a catch all for a slew of tools a home might want to share amongst the family unit.

This one came with a container as well as a docker compose

# compose.yml
services:
  homehub:
    container_name: homehub
    image: ghcr.io/surajverma/homehub:latest
    ports:
      - "5000:5000" #app listens internally on port 5000
    environment:
      - FLASK_ENV=production
      - SECRET_KEY=${SECRET_KEY:-} # set via .env; falls back to random if not provided
    volumes:
      - ./uploads:/app/uploads
      - ./media:/app/media
      - ./pdfs:/app/pdfs
      - ./data:/app/data
      - ./config.yml:/app/config.yml:ro

I’ll start by cloning the repo

(venv) (base) builder@LuiGi:~/Workspaces$ git clone https://github.com/surajverma/homehub.git
Cloning into 'homehub'...
remote: Enumerating objects: 487, done.
remote: Counting objects: 100% (116/116), done.
remote: Compressing objects: 100% (57/57), done.
remote: Total 487 (delta 86), reused 59 (delta 59), pack-reused 371 (from 2)
Receiving objects: 100% (487/487), 355.90 KiB | 3.46 MiB/s, done.
Resolving deltas: 100% (284/284), done.

We then need to copy over the example YAML config file

(venv) (base) builder@LuiGi:~/Workspaces$ cd homehub/
(venv) (base) builder@LuiGi:~/Workspaces/homehub$ ls
Dockerfile  README.md  compose.yml         package.json      run.py  tailwind.config.js  tests
LICENSE     app        config-example.yml  requirements.txt  static  templates           wsgi.py
(venv) (base) builder@LuiGi:~/Workspaces/homehub$ cp config-example.yml config.yml

Once I edited the file, i just did a docker compose up to check it out

(venv) (base) builder@LuiGi:~/Workspaces/homehub$ vi config.yml
(venv) (base) builder@LuiGi:~/Workspaces/homehub$ docker compose up
[+] Running 11/11
 ✔ homehub Pulled                                                                                                                        7.0s
   ✔ 1074353eec0d Already exists                                                                                                         0.0s
   ✔ 9e4742745279 Pull complete                                                                                                          0.6s
   ✔ 522560f13f9b Pull complete                                                                                                          1.3s
   ✔ a4581c766c38 Pull complete                                                                                                          1.4s
   ✔ 38b0eea34756 Pull complete                                                                                                          1.5s
   ✔ 4147244d0bd5 Pull complete                                                                                                          4.9s
   ✔ 70974fc3d2fc Pull complete                                                                                                          5.7s
   ✔ c68d49ee74e4 Pull complete                                                                                                          5.7s
   ✔ c726830993c6 Pull complete                                                                                                          5.8s
   ✔ d6e2f8e4672e Pull complete                                                                                                          5.9s
[+] Running 2/2
 ✔ Network homehub_default  Created                                                                                                      0.1s
 ✔ Container homehub        Created                                                                                                      0.2s
Attaching to homehub
homehub  | [2026-03-04 00:09:03 +0000] [1] [INFO] Starting gunicorn 23.0.0
homehub  | [2026-03-04 00:09:03 +0000] [1] [INFO] Listening at: http://0.0.0.0:5000 (1)
homehub  | [2026-03-04 00:09:03 +0000] [1] [INFO] Using worker: sync
homehub  | [2026-03-04 00:09:03 +0000] [7] [INFO] Booting worker with pid: 7

I can access it on port 5000

We can mark ourselves home or set a status or event

The shared cloud is a nice place to just stash files for sharing

The shopping list creates a nice place to add grocery lists (a bit of our own here)

chores

Recipes

Expiry - I could actually use this as we do dance between a lot of subscription services

The URL Shortener, Media Downloader and PDF Compressor do not really seem like the kind of things we would need.

But the Wifi QR code generator would be nice

And I could imagine an expense tracker to be used, if anything, by the kiddos seeking reimbursement (e.g. fill car with gas, take out sister for dinner, etc)

Now, here is a bit of the rub. This has no auth. And without auth, there is no way I would externalize my home WIFI details, nor our expenses. Thus, as it stands, I might very well just use on a local dockerhost.

Gemini

But it had me wondering - how hard would it be to add some basic auth in there.

Gemini updated the YAML and provided some pytests to go with it.

Next was to test building a local image

(venv) (base) builder@LuiGi:~/Workspaces/homehub$ docker build -t homehub:test1 .
[+] Building 44.6s (20/20) FINISHED                                                                                            docker:default
 => [internal] load build definition from Dockerfile                                                                                     0.1s
 => => transferring dockerfile: 1.24kB                                                                                                   0.0s
 => [internal] load metadata for docker.io/library/python:3.12-alpine                                                                    2.4s
 => [auth] library/python:pull token for registry-1.docker.io                                                                            0.0s
 => [internal] load .dockerignore                                                                                                        0.1s
 => => transferring context: 222B                                                                                                        0.0s
 => [internal] load build context                                                                                                        0.1s
 => => transferring context: 797.25kB                                                                                                    0.0s
 => [builder 1/9] FROM docker.io/library/python:3.12-alpine@sha256:53e7c5ca6ceff2fc02e9b4b0e7cddb7ce8fa9683dedb89fdf73cab1423079c15      2.2s
 => => resolve docker.io/library/python:3.12-alpine@sha256:53e7c5ca6ceff2fc02e9b4b0e7cddb7ce8fa9683dedb89fdf73cab1423079c15              0.0s
 => => sha256:53e7c5ca6ceff2fc02e9b4b0e7cddb7ce8fa9683dedb89fdf73cab1423079c15 10.30kB / 10.30kB                                         0.0s
 => => sha256:1d132f2d802114876d114b0918e01998bf0c07af8332f776c3c4cb8e388c9a5f 1.74kB / 1.74kB                                           0.0s
 => => sha256:e31482fb1094d66a7c2082cd69202658e2f1f8da5b9e455caae09f1e27cdaf9f 5.42kB / 5.42kB                                           0.0s
 => => sha256:6de7811bee64ba64355c278198dcf2e22b4efba35aa596f23f6ed80278ac5afe 460.95kB / 460.95kB                                       0.6s
 => => sha256:6f3f43492c5b00f17f4a416bd78474116d69f3840b50bbc51c6654e4a4f88aa2 13.74MB / 13.74MB                                         1.6s
 => => sha256:89a8227ba99bcd9d5df82f6cb4e5ea1b222c3ec33685ba1a0d8c6db402f012ad 247B / 247B                                               0.5s
 => => extracting sha256:6de7811bee64ba64355c278198dcf2e22b4efba35aa596f23f6ed80278ac5afe                                                0.1s
 => => extracting sha256:6f3f43492c5b00f17f4a416bd78474116d69f3840b50bbc51c6654e4a4f88aa2                                                0.3s
 => => extracting sha256:89a8227ba99bcd9d5df82f6cb4e5ea1b222c3ec33685ba1a0d8c6db402f012ad                                                0.0s
 => [builder 2/9] WORKDIR /app                                                                                                           0.1s
 => [builder 3/9] RUN apk add --no-cache     build-base     zlib-dev     jpeg-dev     nodejs     npm                                     9.8s
 => [stage-1 3/7] RUN apk add --no-cache     ffmpeg     ghostscript     libjpeg-turbo     zlib     libstdc++                            14.5s
 => [builder 4/9] COPY requirements.txt .                                                                                                0.1s
 => [builder 5/9] RUN pip install --no-cache-dir -r requirements.txt                                                                    19.7s
 => [builder 6/9] COPY package.json tailwind.config.js ./                                                                                0.1s
 => [builder 7/9] COPY static/input.css ./static/                                                                                        0.1s
 => [builder 8/9] COPY templates ./templates                                                                                             0.1s
 => [builder 9/9] RUN npm install && npm run build:css                                                                                   7.4s
 => [stage-1 4/7] COPY --from=builder /usr/local/lib/python3.12/site-packages /usr/local/lib/python3.12/site-packages                    1.1s
 => [stage-1 5/7] COPY --from=builder /usr/local/bin /usr/local/bin                                                                      0.1s
 => [stage-1 6/7] COPY . /app                                                                                                            0.1s
 => [stage-1 7/7] COPY --from=builder /app/static/output.css /app/static/output.css                                                      0.1s
 => exporting to image                                                                                                                   0.7s
 => => exporting layers                                                                                                                  0.6s
 => => writing image sha256:b2a6b9cc93dadfb9970a27870b6954baeb46c2af5ac67ee1dd9b304e3db63979                                             0.0s
 => => naming to docker.io/library/homehub:test1                                                                                         0.0s

I switched the compose file to use my local image

(venv) (base) builder@LuiGi:~/Workspaces/homehub$ cat compose.yml
services:
  homehub:
    container_name: homehub
    image: homehub:test1
    # build: .
    ports:
      - "5000:5000"
    volumes:
      - ./uploads:/app/uploads
      - ./media:/app/media
      - ./pdfs:/app/pdfs
      - ./data:/app/data
      - ./config.yml:/app/config.yml:ro
    environment:
      - FLASK_ENV=production
      - SECRET_KEY=${SECRET_KEY:-}

Then I’ll add passwords for the users. I’m not sure if I also need the family members so I’ll leave them for the moment in the config.yaml

...snip...
users:
  - name: "Mom"
    password: "mompassword"
  - name: "Dad"
    password: "dadpassword"
  - name: "Administrator"
    password: "adminpassword"
  - name: "Freddy"
    password: "d0ntsl33p"
  - name: "Chucky"
    password: "l3tsPl4y"
  - name: "Jason"
    password: "H4ppyH0llow33n"

family_members:
  - Mom
  - Dad
  - Chucky
  - Jason
  - Freddy
... snip ...

Now I can see it needs a login

and if I enter the right password, I can join

I can, of course, log out and login as a different user now

And we can see the logged in user and logout buttons in the top right

I’m not sure if the author would want AI driven updates. But in case he doesn’t, I did stuff this container up into Dockerhub in case any of y’all want a go with it

(venv) (base) builder@LuiGi:~/Workspaces/homehub$ docker tag homehub:test1 idjohnson/homehub:test1
(venv) (base) builder@LuiGi:~/Workspaces/homehub$ docker push idjohnson/homehub:test1
The push refers to repository [docker.io/idjohnson/homehub]
adec628c24d1: Pushed
932acd45322f: Pushed
7c35b30fc0bf: Pushed
e02e32e048a9: Pushed
c2a60e60649b: Pushed
f8156944f2a6: Pushed
f045c92e01b4: Mounted from library/python
60285744fe26: Mounted from library/python
2a320211b927: Mounted from library/python
989e799e6349: Mounted from idjohnson/toolstack
test1: digest: sha256:d4d7cdca9e035712ce3995a45449538cc8d3c17c8818496cd0b5c1d0efa8d843 size: 2413

Summary

Following a Marius post we looked at Homehub and Toolstack, both created by Suraj.

In the case of Homehub, we used Gemini CLI to enhance it to have login and passwords and shared it on Dockerhub for others. With Toolstack, we made a simple Dockerfile and shared it on Kubernetes.

I like Toolstack - it’s pretty useful. I’ll likely keep that https://toolbox.tpk.pw instance running as it’s like a low cost swiss army knife.

The author, Suraj Verma has worked at a lot of eCommerce sites. I’m guessing the public Github repos are just for him to work ideas out as he mentions he’s worked on 50+ websites. My guess is he is a go-getter who does OS stuff on the side between gigs. Either way, good stuff and I’ll likely be back to see what he has in the future.