Posts on iTrooz's website

Avoid granting s3:DeleteObjectVersion by mistake in MinIO

Sun, 29 Mar 2026 00:00:00 +0000

This article is an answer to my bug report here: https://github.com/minio/minio/issues/21735

Context

S3 buckets can be configured to keep old versions of objects when overwriting/deleting them. This is called a versioned bucket

Calling DeleteObject on an object in a versioned bucket will not really delete it, but mark it as so with a delete marker. The object will appear deleted, but can still be viewed/deleted by specifying its versionId.

This behaviour is really useful, for example for backups, where you want a client to upload its backups, but not be able to delete them all instantly. In this case, you would allow the client to do DeleteObject calls, but not DeleteObjectVersion, and clean up old versions periodically.

Using nftables as your firewall

Thu, 26 Mar 2026 00:00:00 +0000

I love nftables. I’ve personally found it to be both more simple and featureful compared to other mainstream firewall services.

It can be configured from a file with a simple yet powerful syntax, allowing you to create simple port-blocking rules, but also precisely classify and act on traffic.

Plus, it can be used side by side with other firewall-like services running on your Linux machine, allowing it to be deployed nearly everywhere without disturbing existing applications.

My tweaks to Arch Linux package management

Tue, 09 Dec 2025 00:00:00 +0000

The Arch Linux package management is great. But there are some things I had to change to fit my workflow. There are listed here.

Force yourself to read Arch news before upgrading

Arch Linux will sometimes upload package updates that will break your systems. On the top of my head, I can think of a grub update breaking my system in 2022, or linux-firmware in 2025.
While these breakages are rare, they can happen, and they can leave your computer unusable after an update. Arch Linux expects you to read the Arch News and be aware of them.

How to make RKE2 share port 80/443 with another application

Wed, 12 Nov 2025 00:00:00 +0000

Introduction

TLDR; destination-IP NAT that redirects to RKE2’s ingress input chain

I recently had to make my RKE2 cluster cohabitate with an in-house service running on the same machines, and also exposing a website through port 80.

The obvious problem here is: RKE2 clusters (most of the time) also need to listen on port 80 in order to make our RKE2-hosted websites work. So, how do we share port 80 between RKE2, and another application ?

How to create encrypted Kubernetes backups with Velero

Thu, 02 Oct 2025 00:00:00 +0000

Introduction

Velero allows you to create backups of your k8s cluster. It handles both the resources (the yaml files), and the volumes. But it has a drawback (as of writing): the lack of encryption. In this post, we’re going to see how we can produce encrypted backups, by chaining velero with rclone.

The key point of this post is: rclone is awesome and a Ops’s dream tool. In our case, the 2 features of rclone that we will use are its crypt remote, and its serve (s3) feature.

How to backup your bitwarden vault with restic ?

Fri, 26 Sep 2025 00:00:00 +0000

My goal is to make a daily backup of my bitwarden vault, using restic. I also want to not store my master password on disk, which means backuping the encrypted vault.

The solution to do that is to use a Bitwarden API key. API keys do not seem to have the capability to decrypt the vault, as you need to enter your master password yourself to unlock the vault before viewing items, which make them the perfect tool for the job.

Automating renewal of a wildcard TLS certificate for a specific subdomain on a OHV domain

Sun, 14 Sep 2025 00:00:00 +0000

Introduction

Recently, I wanted to create a bunch of domains on my friend’s server, and have TLS certificates delivered.
The option I find easiest to manage certificates is to ask my CA (Lets Encrypt) for a single, wildcard TLS certificate (e.g. *.itrooz.fr)

If you are using OVH to manage your domain, you can do that automatically by creating an API key for your account, and using the certbot OVH plugin to create/renew the certificate.
Usually, tutorials will tell you to give these permissiont to the API key:

Why do I use 'GPL-2.0-only OR GPL-3.0-or-later with proxy being me' as licence for my Open Source projects ?

Sun, 27 Jul 2025 00:00:00 +0000

If you stumble on one of my projects, you may have seen this licence:
Licence: GPL-2.0-only OR GPL-3.0-or-later with proxy being me

What does that mean ? Why did I choose such a long, and weird licence ?

The reason is that I want:

to be covered by a strong copyleft licence
while being compatible with past/future GPL licences (and not block my project from being used with one that uses a different version of the GPL.)
and not give power to the FSF to issue a new licence in the future that I would not agree with.

The solution to this last point is the proxy clause. Quoting GPL 3.0:

Connect a docker container to a WireGuard VPN (while keeping it accessible to other containers)

Sun, 01 Jun 2025 00:00:00 +0000

A friend of mine wanted to make one of their docker containers go through Wireguard to connect to Internet. I came up with a solution using a docker container to manage the wireguard VPN itself. This allows us to fully isolate the VPN, and use AllowedIPs=0.0.0.0/0 without affecting the rest of the system.

This solution is both simple technically (we just share the same network namespaces) and in usage (just add another container, without even changing the original).

A list of Celeste/Everest bugs I've encountered, and how to fix them

Sun, 20 Apr 2025 00:00:00 +0000

This is a list of bugs I’ve encountered while playing Celeste/Everest with the Olympus launcher, and how to fix them.

1

Bugged light, I can see squares with “more light”, that makes gameplay hard to see
Solution: replace OpenGL renderer with Vulkan. There are several ways to do this:

if using Everest, you need to find everest-launch.txt (in your Celeste install folder) and change #--graphics OpenGL to --graphics Vulkan
if using vanilla Celeste, you need to add /gldevice:Vulkan to CLI arguments (you can do that with launch options in Steam)

Link: https://www.reddit.com/r/celestegame/comments/1bnan6m/comment/m6nly5c/?context=3
Link 2: https://www.reddit.com/r/linux_gaming/comments/1hmrtu0/comment/m4jzvgj/