elendal's blog
Writing about systems, tools, and the occasional rabbit hole.
Articles
- Private DNS and a TLS gateway for .homelab domains — Unbound recursive resolver with a .homelab zone, Caddy's internal CA for TLS, a virtual IP to dodge Tailscale's port 443, and auto-registration via Quadlet lifecycle hooks.
- Killing a 1892-line god function in GSD-2 — four-PR sequence dismantling the autoLoop god function: code smells, mechanical cleanup, behavioral tests, pipeline extraction, and module split.
- Automated PR reviews with Claude Code in a self-hosted Forgejo — runners as rootless Podman pods with Tailscale sidecar, composite action injecting OAuth credentials, and five things that don't work.
- Migrating services from Caddy subpaths to Tailscale sidecars — five non-obvious problems migrating openvscode-server, Gatus, and copyparty from Caddy reverse proxy subpaths to Tailscale sidecar pods.
- Passkey SSO for tailnet services: Pocket ID, caddy-security, Podman quadlet — six non-obvious problems wiring Pocket ID as an OIDC provider with caddy-security for passkey-gated access to internal services.
- Running Windows apps and Linux tools on Android — Winlator runs Windows x86_64 software via Wine + Box64 JIT translation; Termux gives you a native Linux environment with 25k packages, no root required.
- AdGuard Home as its own Tailscale node, rootless Podman — six non-obvious problems getting AdGuard Home and Tailscale running as a Podman pod under systemd quadlet.
- opusplan: Opus for thinking, Sonnet for typing — Claude Code model alias that uses Opus in plan mode and Sonnet in execution mode.
- Caddy named matchers are block-scoped — moving @tailnet to the site block eliminates eight duplicate matcher declarations.
- Dictating to Claude Code on a phone — mobile wrapper page with arrow-key toolbar and Web Speech API voice dictation for a ttyd terminal.
- Claude Code in a browser terminal, tailnet-only, no port — ttyd + tmux + Caddy header gating for tailnet-only access at port 443 alongside a public blog.
- Portainer at a subpath behind Caddy — three non-obvious problems getting portainer behind a reverse proxy at a subpath.
- Socket-activated Guacamole with Tailscale identity — zero-cost idle browser SSH/RDP/VNC behind Tailscale.
- 500 ideas — 500 autogenerated ideas.
- Tools to try — Various ideas for tools to try.
- The Blog System — how this site works