docker hosting linux network rails Security Technology Uncategorized

Self-hosting with Kamal: Watch your ports when shipping.

I’ve been playing around with Kamal from Basecamp (previously called MRSK) for deploying simple apps on a single server.

There’s a lot to like about Kamal’s ergonomics and principles. But there were a few things that I struggled with or that confused me.

It mostly boils down to Kamal offering some kind of a layer of abstraction over docker, SSH and some linux commands. But perhaps more importantly, DHH, the creator of Kamal quite explicitly says that:

“[It] is designed for multi-server operation”.


Why is this distinction important?

Because it implicitly avoids some of the nice (and more secure) features of docker on a single host, primarily: internal network connections and name resolution.

[It] is designed for multi-server operation, so the internal network idea breaks down pretty quick with that. You’d have to unstrip all of that when you go to scale it. So I think we’re better off keeping the network host transparent.


This is a completely fair design choice, and simplifies a lot of complexity for Kamal. However, when you’re running your new startup or a hobby project, you want to keep things simple and run it all on one host.

But you don’t want to compromise on security and unintentionally expose your Database or Redis to the outside world, right?

hosting privacy Security Technology

Why is Backblaze tracking me?

This is a follow-up to my previous post: is onto something with its tracking-pixel blocker. I mentioned contacting Backblaze about their email tracking there.

I didn’t think too much of it at the time, and honestly (or naively?) was expecting some kind of a “Oh, yes, you’re right, there’s no need to track those emails”… But it didn’t unfold in quite the same way.


This is my own interpretation, obviously. Backblaze seems to think that tracking emails is totally fine, even under the GDPR. They’re not going to stop doing it until further notice.

hosting Security Technology

Disposable emails: I gave Fastmail a second chance

About 4 years ago I wrote a rather lengthy rant about Fastmail, and why it didn’t fit my needs: Why I’m not using Fastmail. A few weeks ago, I gave it another chance, and this time the experience was way better.

docker hosting Security Technology

envwarden and kubernetes secrets

envwarden is a simple open-source script that lets you manage your server secrets with Bitwarden.

Read more about envwarden here

Here’s a simple way to update your Kubernetes secrets directly from envwraden, so they are always in-sync.

docker hosting Technology

hosting-compose (or) the sad buyout of Webfaction

docker-compose is one of those essential tools that make working with docker so much better. I do use docker directly occasionally, but anything non-trivial, I’d reach out docker-compose immediately. It allows you to “glue” things together and describe the stack in such a neat way.

I currently handle my dev environments with docker-compose, and even some live and staging deployments (like thumbor). I also manage remote database backups with it (using restic, postgresql, stunnel, redis and rdb-tools). In the latter example, it saves me from installing different versions of the database clients and connectors. I am able to instantly upgrade them, and then connect to the remote databases and back them up or restore. It makes the backup system itself immutable and disposable.

Recently however, I started using docker-compose for something that I haven’t considered before: a replacement for shared hosting.

a snippet of my hosting-compose docker-compose.yml