Patryk's blog

Bitwarden Secrets Manager With Ansible

Mon, 02 Feb 2026 13:00:00 -0800

If you’d like to have a simple solution for managing all the secrets you’re using in your Ansible Playbooks, keep reading on. Bitwarden’s Secrets Manager provides an Ansible collection, which makes it very easy to use this particular Secrets Manager in Ansible Playbooks. I’ll show you how to set up a free Secrets Manager account in Bitwarden. Then I’ll walk you through the setup in an example Ansible Playbook.

YouTube Video version

I’ve also recorded a video version of this article. If you prefer a video, you can find it here.

Choosing Secrets Manager for Homelab

Sun, 11 Jan 2026 15:57:23 -0800

Secrets Manager for Homelab

For a few years, I’ve been managing the configuration of a bunch of self-hosted services using Ansible Playbooks. Each playbook needed at least one secret — the sudo password. Many of them needed to manage more (e.g. SMTP credentials for email notifications). Because I’ve always been paranoid about security, I stored most of those secrets in Ansible Vault, the password for which is stored in only one location — my memory. Therefore, each time I ran any of those playbooks, I’d have to enter two passwords interactively: the sudo password and the Ansible Vault password.

Sanoid on TrueNAS

Thu, 28 Mar 2024 18:18:47 -0700

syncoid to TrueNAS

In my homelab, I have 2 NAS systems:

Linux (Debian)
TrueNAS Core (based on FreeBSD)

On my Linux box, I use Jim Salter’s sanoid to periodically take snapshots of my ZFS pool. I also want to have a proper backup of the whole pool, so I use syncoid to transfer those snapshots to another machine. Sanoid itself is responsible only for taking new snapshots and pruning old ones you no longer care about. For example, you might set up a policy in sanoid to take a day’s worth of hourly snapshots and a year’s worth of monthly snapshots. That means, that sanoid will take a snapshot every hour, but – if executed with --prune-snapshots will delete all the hourlies (hourly snapshots in sanoid’s lingo) that are older than a day, monthlies that are older than a year and so on.

OpenPGP Paper Backup

Fri, 15 Mar 2024 14:42:39 -0700

openpgp-paper-backup

I’ve been using OpenPGP through GnuPG since early 2000’. It’s an essential part of Debian Developer’s workflow. We use it regularly to authenticate package uploads and votes. Proper backups of that key are really important.

Up until recently, the only reliable option for me was backing up a tarball of my ~/.gnupg offline on a set few flash drives. This approach is better than nothing, but it’s not nearly as reliable as I’d like it to be. The main reason is that data on a flash drive degrades over time. You have to remember to periodically plug the flash drive into your computer’s USB port because the electric charge that represents your data wears off with time. I always wanted a more durable medium that I could store both, at home and in a safety deposit box.

Don't store TOTP in Bitwarden for your online accounts!

Fri, 18 Nov 2022 15:45:28 -0800

Since I’ve started working in Information Security space, I’ve been talking to a lot of people about the topics related to protecting ones’ identity online. Basically, trying to answer the question: What does it take to sufficiently secure my online accounts? Of course, the meaning of sufficiently is very subjective here, but I’ve always kept it vague to gauge what it means to them specifically.

I did make sure to talk people of various backgrounds – from deeply technical all the way to not technical at all. Surprisingly, many of them, even among the quite technical crowd, turned out to be lacking the understanding of some important fundamentals. In particular, it’s not always clear to them, what problems Multi-Factor Authentication (MFA) is targeting and solving. What threats do Password Managers are targeting and solving.

Unattended Upgrades Debian

Sun, 13 Nov 2022 06:40:39 -0800

Unattended Upgrades in Debian

Feels like since forever have I been using unattended-upgrades package to automate the Security upgrades on my various Debian Stable based machines.

Default Settings

By default unattended-upgrades will install only Security updates. It also will not send any email reports. That is not surprising – well, you have to have email delivery configured and unattended-upgrades needs to know, what email address to send those reports to.

Tweaking the Config

If you need more than what the defaults give you, it’s easy to modify the config as described in the Debian Wiki. I think the most elegant way of customizing the configuration is described in the README.md of the Debian package source. You basically create /etc/apt/apt.conf.d/52unattended-upgrades-local and put any overrides to the default config you need.

Playing with NitroKey 3 -- PC runner using USBIP

Thu, 14 Jul 2022 16:01:56 -0700

I’ve been wanting to use my brand new NitroKey 3, but TOTP is not supported yet. So, I’m looking to implement it myself, since firmware and tooling are open-source.

NitroKey 3’s firmware is based on Trussed framework. In essence, it’s been designed so that anyone can implement an independent Trussed application. Each such application is like a module that can be added to Trussed-based product. So if I write a Trussed app, I’d be able to add it to NK3’s firmware.

Automating Let's Encrypt certificates with Gandi LiveDNS

Thu, 10 Feb 2022 14:43:30 -0800

As a Debian Developer I have a discount on using Gandi and I’ve been using it for quite a long time and have been very happy with it. I’ve been using it for registering domains. For example this blog’s domain is managed by my Gandi account.

Using publicly registered domain in private-only setup

In addition to using this DNS registrar for public stuff, like a blog, one can also use it for a domain accessible only within a private network. For example companies, large and small, use this technique – they have a set of subdomains of the domain they normally use, but those are accessible only when an employee is in the office (connected directly to the company’s network) or connected through a corporate VPN.

How does Google Authenticator work? (Part 3)

Fri, 13 Aug 2021 08:30:00 -0700

This post is the third in a three-part series. The remaining two:

Part 3 is the last part in this short cycle. Here I’ll explain all the details around Time-based One-Time Password algorithm. I’ll finish up by also elaborating on things common to both, HMAC-Based One-Time Password algorithm:

QR Codes used to easily transfer secrets from the server to the Authenticator app
Base32 algorithm – used to store non-printable secret in a URI (effectively stored by the QR Codes mentioned above).

TOTP

One way to avoid the problems with lack of feedback between server and the app would be to shift from using a counter that is increasing with every authentication attempt to a counter based on, for example, a time stamp. This is what TOTP is actually doing.

How does Google Authenticator work? (Part 2)

Thu, 12 Aug 2021 07:10:00 -0700

This post is the the second in a three-part series. The remaining two:

Authenticator apps like Google Authenticator use 2 authenticaion protocol centered around What you have paradigm. Those algorithms are:

HOTP (HMAC-based One Time Password), and
TOTP (Time-based One Time Password).

They obviously are different, but both are centered around the same basic idea: using a rolling hash value, that is predictable only to the server and the authenticator app. Additionally, both are using HMAC-SHA-1 for generating those hash values.

How does Google Authenticator work? (Part 1)

Tue, 10 Aug 2021 12:20:27 -0700

This post is the first in a three-part series. The remaining two:

When you’re accessing services over the WEB – let’s pick GMail as an example – a couple of things have to happen upfront:

The server you’re connecting to (GMail in our example) has to get to know who you are.
Only after getting to know who you are it’s able to decide what resources you are allowed to access (e.g. your own email inbox, your Calendar, Drive etc.).

Step 1 above is called authentication. Step 2 is authorization (server can authorize only after successful authentication).

Debian on TrueNAS Core under bhyve

Wed, 28 Jul 2021 15:45:59 -0700

Installing Debian/GNU Linux under bhyve on TrueNAS Core

I got myself a TrueNAS Mini X+ couple of months ago. I have it running TrueNAS Core based on FreeBSD. In that system you can run VMs under FreeBSD’s native hypervisor, bhyve. Since there are a couple of quirks around running Debian specifically, I decided to write up a quick article about setting up Debian-based VM there.

The quirks

The ones I’ve stumbled upon were:

Authentication in an Enterprise

Tue, 20 Jul 2021 09:47:48 -0700

I’d like to shed some light at the process of Authentication since it’s a fundamental building block in creating secure tools that need to communicate with other actors over the network. When tools and/or users interact with one another – e.g., through a web browser – both ends of the interactions need a way to make sure, they’re communicating with the right party. Some bad actor might for example create a web page that looks like your bank’s online banking portal. With additional DNS spoofing you might be connecting to the wrong website. When you’d be trying to log in you’d be prompted for username and password. If you entered them on that phony web page, you’d provide them to the attacker. It’s imperative for your browser to be able to make sure, that this is not the case here.

Contact me

Wed, 18 Nov 2020 11:41:24 -0800

Your Name (Optional)

Your email:

I'm using Formspree for delivering emails this from this form. If you don't want to share your email with them, better shoot me an email directly.

Your message:

About me

Mon, 01 Jan 0001 00:00:00 +0000

My name’s Patryk Cisek and I’m a long time software engineer working in Cybersecurity space. After hours I’m also a member of Debian project.

Some of my Open-Source projects:

Nitrokey Authenticator - A TOTP Authenticator app for Nitrokey Pro3 / LibremKey USB Security Keys.
openpgp-paper-backup - CLI tool for backing up and restoring OpenPGP Secret Keys in a paper form (printed out backups).
unattended-upgrades-debian - An Ansible Role for enabling automatic upgrades in Debian.
certbot-gandi - An Ansible Role for setting up Let’s Encrypt via Gandi’s LiveDNS API.
nginx-rev-proxy - Simple Ansible role for setting up Reverse Proxy using certificates provided by certbot-gandi.