Hi there, I'm Nicholas!

I’m a developer with a passion for cloud platforms, web development and automation!
I use this blog to write about my interests. They’re usually tech-related, but there’s also the odd music and gaming piece too.
2025-07-12 //
2 min read
//
#ansible
#devops
#tailscale
There’s an oft-quoted phrase in the cloud/DevOps space.
Treat infrastructure as cattle, not pets.
To me, the advice is broad and emblematic of a lot of modern practices. Prefer disposable containers over long-lived hosts. Build infrastructure that scales horizontally to accommodate demand. Design architectures where components can be swapped out on the fly.
I thought I’d recap some recent changes to how I provision and manage this blog - addressing a few places where hostnames were hardcoded for convenience.
Read more →
2025-05-18 //
2 min read
Following on from setting up my blogroll last week, I’ve realised it doesn’t render as a pretty webpage in most web browsers. Serves me right for only testing in Firefox!
Read more →
2025-05-10 //
3 min read
For a while, I’ve provided a list of suggested blog/feeds on my website in a blogroll.
This blogroll takes the form of an OPML file that RSS readers can import. It’s pretty neat, but making it browser-friendly has always been on my wishlist.
So it was pretty cool to stumble across XSLT - a means for transforming XML documents.
Read more →
2023-09-19 //
4 min read
//
#buildkite
#hashicorp-vault
Earlier this year, Buildkite announced support for OpenID Connect tokens. Briefly, a Buildkite agent can request a signed JWT (JSON Web Token) from Buildkite representing details (claims) about its current job. This JWT can then be used to authenticate with systems that accept it.
For Hashicorp Vault, services typically authenticate using the AppRole method with a sensitive set of credentials. It’s fine to use this flow on a Buildkite agent to access Vault secrets, but the credentials for this are long-lived.
The new OIDC flow removes the need to manage these long-lived credentials, and also makes it possible to craft fine-grained policies for a Buildkite agent without requiring multiple sets of login credentials!
Read more →
2023-07-17 //
4 min read
//
#buildkite
For a while now, I’ve built and published my own Terraform provider for retrieving secrets from a pass store. One of the requirements to publish a Terraform provider is that every release must be signed with a GPG key.
I have a Buildkite pipeline to build and publish these releases to GitHub. A step in this pipeline has access to a private key for signing, but it’s a different key from the one I use on my own machine. I consider the latter too sensitive to expose freely to my Buildkite agents.
With that said, managing a second key just to publish my Terraform provider is quite irksome when it has no other use for me. However, it’s unfortunately necessary if I don’t want to expose my regular key to my CI environment.
But if the worry is around exposing a secret to Buildkite agents running outside my machine, why not introduce an agent that runs specifically on my machine?
Read more →