@Jip-Hop
Jip-Hop / README.md
Last active January 14, 2026 19:32
Simple but Effective Outbound "Firewall" using Vanilla Docker-Compose

Domain‑Based Egress Control in Docker Using Internal Networks and a Unified TCP Proxy

Modern Kubernetes clusters offer powerful primitives like FQDN‑based network policies (e.g., via Cilium, Calico, or Gatekeeper). These let you express rules such as “this workload may only talk to github.com and example.com” without worrying about IP churn, TLS hostname validation, or container‑level DNS quirks.

Docker, however, does not provide anything comparable out of the box.

This article documents a practical approach to implementing domain‑based egress control in plain Docker Compose, without modifying application containers, without terminating TLS, and without introducing heavyweight service meshes. It also covers the pitfalls we encountered—especially around QUIC/HTTP‑3—and compares our approach with the pattern suggested in the [Creating a Simple but Effective Outbound "Firewall" using Vanilla Docker-Compose](sequentialread.com/creating-a-simple-but-effective-firewall-using-vanilla-docker-co

@Jip-Hop
Jip-Hop / truenas_scale_sysext_example.sh
Last active January 29, 2025 02:07
Temporarily extend available packages in TrueNAS SCALE using systemd-sysext. For educational purposes. Use at your own risk!
#!/usr/bin/env bash
# Specify destination for extension rootfs
ROOTFS_PATH=/mnt/tank/some/dataset/ext/rootfs
# List of packages to install
PACKAGES="usbutils"
# Download minimal debian base rootfs
mkdir -p "$ROOTFS_PATH"
curl -L https://github.com/debuerreotype/docker-debian-artifacts/raw/dist-amd64/bookworm/slim/rootfs.tar.xz | tar -xJ -C "$ROOTFS_PATH" --numeric-owner
@Jip-Hop
Jip-Hop / install_and_run.py
Created June 18, 2024 13:03
Python script which installs packages it requires with pip inside a venv that's created on the fly.
#!/usr/bin/env python3
import os
import sys
__requirements__ = {"docker==7.1.0"}
def _setup_env():
venv = os.path.join(os.path.dirname(__file__), ".venv")
@Jip-Hop
Jip-Hop / README.md
Last active July 6, 2025 02:44
Simple comment preserving ConfigParser class to read/update/write INI files WITHOUT indented sections/keys/comments.

See the example usage inside configparser.py. Output when running the configparser.py file:

# Comments may appear before the first section

[Simple Values]
key = value
spaces in keys = allowed
spaces in values = allowed as well
spaces around the delimiter = obviously
@Jip-Hop
Jip-Hop / Dockerfile
Created March 26, 2023 07:15
Distroless alpine docker image: no shell, no package manager, no busybox. Only the specified packages + dependencies.
FROM alpine as bootstrap
# Optionally add e.g. coreutils (if you don't want to remove the shell)
ARG PACKAGES_TO_INSTALL="openjdk11-jre"
ARG REMOVE_SHELL=1
# Create rootfs folder and enable apk repo
RUN mkdir -p /rootfs/etc/apk && \
cp -a /etc/apk/repositories /rootfs/etc/apk/repositories && \
cp -a /etc/apk/keys /rootfs/etc/apk/keys
@Jip-Hop
Jip-Hop / README.md
Last active May 14, 2025 03:04
Persistent Debian 'jail' on TrueNAS SCALE to install software (docker-compose, portainer, podman, etc.) with full access to all files via bind mounts. Without modifying the host OS at all thanks to systemd-nspawn!
@Jip-Hop
Jip-Hop / pop-up-videos.js
Created October 3, 2021 10:18
Open all videos in a tab as pop-up windows. Basic (non-extension) version of https://github.com/Jip-Hop/pop-up-videos. To be copy-pasted in the browser console.
(function enable() {
var titleSuffixCounter = 0;
var popupWidth = 480;
var popupHeight = 270;
var xOffset = screen.availLeft,
yOffset = screen.availTop;
const data = {
windows: [],
@Jip-Hop
Jip-Hop / boot.sh
Last active December 25, 2025 11:27
Using Docker on TrueNAS SCALE (no Kubernetes)
#!/usr/bin/env bash
#
# Enable docker and docker-compose on TrueNAS SCALE (no Kubernetes)
#
# This script is a hack! Use it at your own risk!!
# Using this script to enable Docker is NOT SUPPORTED by ix-systems!
# You CANNOT use SCALE Apps while using this script!
#
# 1 Create a dedicated Docker zvol on one of your zpools: zfs create -V 100G data/_docker
@Jip-Hop
Jip-Hop / custom_tiny_core_read_only_notes.sh
Created April 25, 2021 18:09
Booting from Custom Tiny Core Linux for Read Only Filesystem (SED PBA) Notes
# references
# https://fabianstumpf.de/articles/tinycore_images.htm
# https://gist.github.com/dankrause/2a9ed5ed30fa7f9aaaa2
# https://github.com/Drive-Trust-Alliance/sedutil/wiki/Encrypting-your-drive
# follow these steps on Ubuntu
sudo su
qemu-img create core-image.img 120M -f raw
modprobe nbd max_part=8 && sleep 2 && qemu-nbd -c /dev/nbd0 core-image.img -f raw
@Jip-Hop
Jip-Hop / custom-tinycore.sh
Created April 25, 2021 18:07 — forked from dankrause/custom-tinycore.sh
Create a custom tinycore linux iso. Adjust the config at the beginning of the script, or supply a conf as the first arg. Requires xorriso.
#!/bin/bash
set -e
function cleanup() {
# clean up our temp folder
rm -rf "${TMPDIR}"
}
trap cleanup EXIT