Anduin Xue

Anduin's Tech Blog

All Posts


Putting Cloudflare in front of Caddy to scrub traffic

This post describes a modular Caddy configuration that routes traffic through Cloudflare with mutual TLS and a strict proxy-trust boundary. Caddy accepts requests only from Cloudflare: it validates the client certificate Cloudflare presents against Cloudflare's public CA, and it serves its own Cloudflare-issued origin certificate so the edge can verify the origin. The Caddyfile is assembled from three parts: a Cloudflare IP trust definition that allow-lists Cloudflare's edge ranges as trusted proxies, a baseline that sets up logging, HTTP-to-HTTPS redirects, TLS and HSTS, and one configuration per service (for example grafana.anduinos.com and download.anduinos.com), each importing the shared security and routing rules. A build-time script concatenates all *.conf files from the service directories into a single Caddyfile, which is baked into the final Docker image. During runtime, the real Cloudflare c...--AI Generated
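The security point of that setup is the trust boundary: a forwarded client address is only believable when the TCP peer is actually Cloudflare, and an IP match alone is weaker than the client certificate check. The following is an added illustration, not the blog's Caddyfile or script; it models in plain Python what Caddy's trusted_proxies setting plus client-certificate validation enforce. The CIDRs (documentation prefixes) and the CA name are constructed placeholders, not Cloudflare's real edge list.

```python
"""Proxy-trust boundary, in plain Python.

Added example, not the blog's own code: it models what Caddy's trusted_proxies
setting plus Cloudflare client-certificate validation enforce. The CIDRs and
the CA name below are constructed placeholders, not Cloudflare's real list.
"""
from __future__ import annotations

import ipaddress

# Constructed stand-ins for Cloudflare's published edge ranges (documentation prefixes).
TRUSTED_PROXY_CIDRS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]
# Constructed placeholder for the issuer Caddy is told to trust for client certs.
EXPECTED_CLIENT_CA = "Example Origin Pull CA"


def is_trusted_proxy(peer_ip: str) -> bool:
    """True when the TCP peer is one of the allow-listed edge addresses."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_PROXY_CIDRS)


def client_ip(peer_ip: str, headers: dict[str, str]) -> str:
    """Address to log and rate-limit on.

    Forwarding headers are honoured only when the peer is a trusted proxy;
    a direct connection gets to claim nothing, so it cannot spoof another client.
    """
    if not is_trusted_proxy(peer_ip):
        return peer_ip
    lowered = {k.lower(): v for k, v in headers.items()}
    if "cf-connecting-ip" in lowered:
        return lowered["cf-connecting-ip"].strip()
    xff = lowered.get("x-forwarded-for", "")
    if xff:
        # Leftmost hop is the original client when every hop is trusted.
        return xff.split(",")[0].strip()
    return peer_ip


def should_accept(peer_ip: str, client_cert_issuer: str | None) -> bool:
    """Origin gate: only a trusted-proxy peer that presented a client cert
    from the expected CA gets through; an IP match alone is not enough."""
    return is_trusted_proxy(peer_ip) and client_cert_issuer == EXPECTED_CLIENT_CA
```

The second check matters when the origin is reachable on a public address: IP allow-lists leak or go stale, while the client certificate proves the request really came through Cloudflare.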

Reverse Proxy ACME Caddy Docker Cloudflare MTLS

What should ordinary people actually learn in the AI era?

In an era where AI can generate code, text, and solutions in seconds, the fundamental question isn’t whether to learn, but what to learn and why. The old model of learning, in which you master the basics, then struggle through mid-level problems and hope mastery arrives at the end, no longer works. It’s like building a city without a master plan: patches fix symptoms, but the system collapses under its own complexity. The real shift is to reverse the order. Start not with “how to do it” but with “what it should look like when it’s done.” Before writing a single line of code, imagine the system at scale: how it scales, how it fails, how it survives. This is the power of late-game thinking, the ability to see the future state and design backward. AI excels at mid-game execution: it writes CRUD, drafts emails, fills in syntax. But it cannot see the whole picture. It lacks situational awareness. It doesn’t know that a function today will become a bottleneck tomorrow, or that a quick fix today will rot the system in fi...--AI Generated

LateGame EngineeringIntuition Paradigms AI Era Learning Strategy Engineering Intuition

Use a YubiKey to protect your SSH key

What if your most sensitive digital access could be protected by a small hardware token that never lets your private key leave its secure element? This guide shows how a YubiKey turns SSH authentication from a vulnerable convenience into a hardened workflow by generating a resident Ed25519 security key (ed25519-sk) directly on the device, PIN-protected and not exportable. No more worrying about leaked private keys, no more risky key backups: insert the key, touch it when prompted, and gain access. But here’s the deeper question: in an era where digital identity is increasingly under siege, how much of our trust should we place in software, and how much should we demand physical, tangible proof of identity? The setup is simple: load the key with a single command, secure your server with strict authentication policies, and even set up a new machine without transferring a single file. Yet the real power lies in the philosophy: your private key isn’t stored anywhere bu...--AI Generated

YubiKey SSH Security Hardware Key Ed25519 PIN Protection SSH Setup

Making blurry video sharp again

What if you could breathe new life into grainy, forgotten home videos—transforming decades-old 480p footage into crisp, detailed 4K clarity with a single command? This isn’t science fiction; it’s the power of AI-driven video super-resolution, and this article dives deep into how a simple Bash script turns complex, GPU-intensive image restoration into a seamless, one-click process. At its core lies Real-ESRGAN, a deep learning model trained not on idealized, synthetic data, but on a rich simulation of real-world degradation—motion blur, JPEG artifacts, sensor noise—teaching it to understand and reverse the messy imperfections of actual old footage. The script automates the entire pipeline: splitting videos into frames, applying AI enhancement at 4x resolution using a Vulkan-enabled GPU, then reassembling them into high-fidelity H.265 videos with preserved audio. But beyond the technical elegance lies a deeper question: when AI “invents” missing details—like the texture of a child’s swea...--AI Generated

bash Linux REAL-ESRGAN Video Upscaling AI Super Resolution Bash Script

Windows 11: The Last Version of Windows 10

Windows 11 isn’t a new operating system; it’s a rebranded evolution of Windows 10, built on the same NT 10.0 kernel line and shaped by a radical shift in Microsoft’s development philosophy. The 2015 promise that Windows 10 would be the last version was never about technical limits, but a strategic pivot to “Windows as a Service”, a rolling-release model where updates flow continuously instead of arriving as monolithic versions. This shift solved Microsoft’s biggest problem: fragmentation. By moving users onto a single, ever-updating platform, Microsoft regained control over its ecosystem, reduced support costs, and laid the foundation for a more secure, unified experience. Yet this stability comes at a cost: features appear, vanish, or change without warning, turning the OS into a live experiment. The abrupt launch of Windows 11, with its strict hardware requirements such as TPM 2.0, wasn’t a technical necessity but a calculated move to drive hardware upgrades, enforce a new security baseline, and ...--AI Generated

TPM2 WindowsAsAService Windows11 RollingRelease PCUpgrade EcosystemControl

Bridging Identity and Email Management: Synchronizing Authentik Groups with Mailcow Aliases

What happens when your organization’s identity system knows exactly who belongs to which team, but your email server remains in the dark? This article explores the silent gap between modern identity management and email distribution, revealing how Authentik’s rich group structures can be seamlessly mirrored into Mailcow’s email aliases through automated synchronization. It’s not just about technical integration—it’s about transforming static mailing lists into living, breathing representations of your organization’s evolving structure. The solution hinges on a clever interplay of REST APIs, recursive group resolution, and precise alias management, turning manual, error-prone workflows into a self-updating system where a user’s role change in Authentik instantly reflects in their email access. But beyond the code lies a deeper question: in an age of dynamic teams and fluid collaboration, should our communication tools still lag behind our identity systems? What if every team’s inbox cou...--AI Generated
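The two pieces of that sync worth seeing in code are the recursive group resolution (a user in a nested group must land in the parent's alias too) and the reconciliation step that decides which aliases to create, update or delete. Below is an added example, not the post's script: the Authentik and Mailcow REST calls are replaced by constructed inline data, and the shapes used here (groups nesting via a parent, an alias as address -> set of recipients) are assumptions for the illustration.

```python
"""Authentik group -> Mailcow alias reconciliation, the pure logic only.

Added example, not the blog's own script. Group, user and alias data are
constructed inline in place of the Authentik and Mailcow REST calls; the
shape (nested groups, aliases as address -> set of recipients) is an assumption.
"""
from __future__ import annotations

ALIAS_DOMAIN = "example.com"  # constructed

# Constructed Authentik-like directory: groups nest via their parent.
GROUPS: dict[str, str | None] = {
    "engineering": None,
    "backend": "engineering",
    "sre": "backend",
    "sales": None,
}
# Constructed users with their direct group memberships.
USERS: dict[str, list[str]] = {
    "alice@example.com": ["sre"],
    "bob@example.com": ["backend"],
    "carol@example.com": ["sales"],
    "dave@example.com": [],  # no group, so no alias
}


def lineage(group: str) -> set[str]:
    """The group and every ancestor; the seen-set guards against cyclic parents."""
    out: set[str] = set()
    cur: str | None = group
    while cur is not None and cur not in out:
        out.add(cur)
        cur = GROUPS.get(cur)
    return out


def resolve_members(group: str) -> set[str]:
    """Recursive membership: a user in a descendant group is a member too."""
    return {
        user for user, direct in USERS.items()
        if any(group in lineage(g) for g in direct)
    }


def desired_aliases() -> dict[str, set[str]]:
    """One alias per non-empty group, e.g. engineering@ -> {alice, bob}."""
    result: dict[str, set[str]] = {}
    for group in GROUPS:
        members = resolve_members(group)
        if members:
            result[f"{group}@{ALIAS_DOMAIN}"] = members
    return result


def plan(
    current: dict[str, set[str]],
    desired: dict[str, set[str]],
    managed: set[str],
) -> dict[str, dict[str, set[str]]]:
    """Diff the aliases on the mail server against the desired state.

    Only aliases this sync created earlier ("managed") are ever deleted, so a
    hand-made alias such as postmaster@ is never removed because Authentik
    has no group for it.
    """
    create = {a: r for a, r in desired.items() if a not in current}
    update = {a: r for a, r in desired.items() if a in current and current[a] != r}
    delete = {a: current[a] for a in current if a not in desired and a in managed}
    return {"create": create, "update": update, "delete": delete}
```

The `managed` set is the part people skip and then regret: without it, a sync that deletes every alias it did not generate will happily remove the mailbox aliases an admin made by hand.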

Data Sync Linux Python Email Organization Tips Authentik OIDC Mailcow

Using ClickHouse to visualize the logs Caddy produces

The article details the process of setting up a real-time log analysis system using ClickHouse to process Caddy server logs, enabling comprehensive monitoring and visualization of web traffic. By parsing Caddy's JSON logs and ingesting them into ClickHouse via a custom script, the author creates a high-performance database for querying and analyzing traffic patterns. A variety of SQL queries are provided to extract key insights: top-performing hosts, slowest endpoints (using P95 and P99 latency), error rate analysis by status code and URI, request size distribution, client behavior via User-Agent, and traffic heatmaps by day and hour. The system is also used to investigate a DDoS attack in real time, analyzing request volume, IP activity, and URI patterns within a specific UTC timeframe. The data is visualized using ClickHouse’s built-in dashboard and Grafana, producing dynamic, interactive charts that reveal traffic trends, performance bottlenecks, and malicious behavior. The setup pr...--AI Generated
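The queries the post runs in ClickHouse (P95 latency per endpoint, error counts by status, and the per-IP burst inside a UTC window during the DDoS) are easy to sanity-check offline before wiring up ingestion. The block below is an added example, not the post's ingestion script: it parses a handful of constructed lines in Caddy v2's JSON access-log shape (`ts` as epoch seconds, `request.remote_ip`, `request.host`, `request.uri`, `status`, `duration` in seconds) and answers those three questions in Python. The hostnames are the post's; the addresses, timestamps and latencies are made up.

```python
"""Offline analysis of Caddy JSON access logs: the post's ClickHouse queries
done in Python over a few constructed lines.

Added example, not the blog's ingestion script. The log lines below are
constructed in Caddy v2's access-log shape; the hosts are the post's.
"""
import json
import math
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample: 7 access records, one non-access record, one malformed line.
SAMPLE_LOG = """
{"level":"info","ts":1700000000.0,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"203.0.113.5","host":"grafana.anduinos.com","uri":"/api/health","method":"GET","headers":{"User-Agent":["curl/8.0"]}},"duration":0.010,"size":15,"status":200}
{"level":"info","ts":1700000001.0,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"203.0.113.5","host":"grafana.anduinos.com","uri":"/api/health","method":"GET","headers":{"User-Agent":["curl/8.0"]}},"duration":0.020,"size":15,"status":200}
{"level":"info","ts":1700000002.0,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"198.51.100.9","host":"download.anduinos.com","uri":"/iso/x.iso","method":"GET","headers":{"User-Agent":["Mozilla/5.0"]}},"duration":1.500,"size":4096,"status":200}
{"level":"info","ts":1700000003.0,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"198.51.100.9","host":"download.anduinos.com","uri":"/iso/x.iso","method":"GET","headers":{"User-Agent":["Mozilla/5.0"]}},"duration":0.300,"size":0,"status":500}
{"level":"info","ts":1700000004.0,"logger":"admin","msg":"admin endpoint started"}
not json at all
{"level":"info","ts":1700000120.0,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"192.0.2.77","host":"grafana.anduinos.com","uri":"/login","method":"GET","headers":{"User-Agent":["python-requests/2.31"]}},"duration":0.005,"size":0,"status":404}
{"level":"info","ts":1700000121.0,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"192.0.2.77","host":"grafana.anduinos.com","uri":"/login","method":"GET","headers":{"User-Agent":["python-requests/2.31"]}},"duration":0.004,"size":0,"status":404}
{"level":"info","ts":1700000122.0,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"192.0.2.77","host":"grafana.anduinos.com","uri":"/login","method":"GET","headers":{"User-Agent":["python-requests/2.31"]}},"duration":0.006,"size":0,"status":404}
"""


def parse_caddy_logs(text: str) -> list[dict]:
    """Turn raw log text into flat records; skips malformed and non-access lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # a bad line must not stop ingestion
        if entry.get("logger") != "http.log.access":
            continue
        req = entry["request"]
        records.append({
            "ts": datetime.fromtimestamp(entry["ts"], tz=timezone.utc),
            # Newer Caddy emits client_ip (proxy-aware); fall back to the peer.
            "ip": req.get("client_ip") or req["remote_ip"],
            "host": req["host"],
            "uri": req["uri"],
            "status": entry["status"],
            "duration_ms": round(entry["duration"] * 1000.0, 3),
            "ua": (req.get("headers", {}).get("User-Agent") or [""])[0],
        })
    return records


def percentile(values, p: float) -> float:
    """Nearest-rank percentile, a stand-in for ClickHouse's quantile()."""
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]


def slowest_endpoints(records, p: float = 95):
    """(host, uri) pairs ordered by their p-th percentile latency in ms."""
    by_endpoint = defaultdict(list)
    for r in records:
        by_endpoint[(r["host"], r["uri"])].append(r["duration_ms"])
    latencies = {k: percentile(v, p) for k, v in by_endpoint.items()}
    return sorted(latencies.items(), key=lambda kv: kv[1], reverse=True)


def status_counts(records) -> Counter:
    return Counter(r["status"] for r in records)


def error_rate(records) -> float:
    """Share of requests answered with a 4xx or 5xx status."""
    if not records:
        return 0.0
    return sum(1 for r in records if r["status"] >= 400) / len(records)


def requests_per_ip(records, start: datetime, end: datetime) -> Counter:
    """Request volume per source address inside [start, end), the DDoS view."""
    return Counter(r["ip"] for r in records if start <= r["ts"] < end)
```

Everything here is a one-line ClickHouse query once the data is in a table; the Python version is useful for checking what the ingestion script should extract and for spotting fields (like `client_ip` versus `remote_ip`) that change between Caddy versions.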

Caddy CaddyV2 Python Docker Clickhouse Superset

I set up Authentik at home, and I deeply regret not doing it sooner.

Integrating applications with OpenID Connect (OIDC) via Authentik enables seamless single sign-on, allowing users to access multiple services without repeated registration, enhancing user experience and reducing friction. Each application has specific requirements for OIDC configuration, including client ID and secret setup, attribute mapping, group-based role assignment, and handling user merging. Applications like Nextcloud require custom Python property mappings to align Authentik groups with Nextcloud’s admin role logic and preserve user identity via the `nextcloud_user_id` attribute, while platforms such as GitLab and OpenMediaVault rely on configuration files or plugins to enable OIDC, sync user attributes, and block local login. Koel uses Forward Auth with Caddy to authenticate users via HTTP headers, creating local users based on identity claims but lacking built-in role management. Services like Jellyfin, GitLab, and Nextcloud support automat...--AI Generated

Linux OAuth Docker Authentik OIDC OAuth 2.0

Set up a local Docker registry mirror

This guide outlines a comprehensive process for setting up a self-hosted Docker registry to mirror public Docker images locally, ensuring reliable access and improved performance. It details the creation of three Python scripts and one shell script: is_latest.py to check whether a Docker image is the latest version, check.py to verify image integrity by inspecting the registry, delete.py to remove outdated or corrupted images, and mirror.sh to orchestrate the mirroring process. The shell script uses regctl to interact with the registry, pulls images from public sources, pushes them to the local registry, and validates them through the automated checks. The setup includes configuring Docker to trust the local registry as an insecure registry by modifying /etc/docker/daemon.json and restarting the Docker service; note that this turns off TLS certificate verification for that endpoint, so the registry should be reachable only on loopback or a trusted LAN. The process can be containerized using a Dockerfile that installs dependencies, copies the scripts, sets up a cron job to run the mirroring task daily at 3:00 AM, and runs the container with access to the D...--AI Generated

Automation Python Docker Registry Mirroring Scripting

Reviewing data structures: hand-rolling a hash trie

What if you could build a data structure that guarantees constant-time insertion, lookup, and deletion, with no libraries and no built-in hash tables, just pure logic and bit manipulation? This post dives into the elegant yet underappreciated idea of a binary hash trie, a structure that uses the bits of a hash value to navigate a tree-like hierarchy: each bit is a directional choice, so every operation costs O(k) for a k-bit hash, which is constant once the hash width is fixed. The beauty lies in its simplicity: every hash bit determines whether to go left or right, recursively drilling down until the leaf level, where a flag marks presence. It’s not a perfect solution; collisions are inevitable, and two items sharing a hash share a leaf, so a lookup can report a false positive, making the structure probabilistic rather than deterministic. But that very imperfection opens a fascinating door: when is speed worth the cost of perfect correctness? Could such a structure be the hidden engine behind high-speed caches, Bloom filters, or distributed systems where speed trumps precision? The implementatio...--AI Generated
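To make the collision point concrete, here is an added, independent implementation of the same idea, not the post's code: a trie keyed on the bits of a fixed-width hash, with add, membership, remove (including pruning of emptied branches) and a helper that deliberately finds a collision at a narrow width to show the false positive. The hash width and the use of hashlib's BLAKE2b are choices made here, not taken from the post.

```python
"""Binary hash trie: a set where each bit of a k-bit hash picks a child.

Added example, not the post's code (the post hand-rolls its own; this is an
independent implementation of the same idea). Hash width and hashing via
hashlib are choices made here, not taken from the post.
"""
import hashlib


class BinaryHashTrie:
    """Membership structure with O(k) add/lookup/remove for a k-bit hash.

    Two distinct items with the same k-bit hash share a leaf, so `in` can
    report a false positive; it never reports a false negative. len() counts
    occupied leaves, so colliding items are counted once.
    """

    def __init__(self, bits: int = 32):
        if not 1 <= bits <= 64:
            raise ValueError("bits must be in 1..64")
        self.bits = bits
        self.root: dict = {}  # children under keys 0/1, flag under "present"
        self._size = 0

    def _hash(self, item) -> int:
        """Top `bits` bits of a 64-bit BLAKE2b digest of repr(item)."""
        digest = hashlib.blake2b(repr(item).encode(), digest_size=8).digest()
        return int.from_bytes(digest, "big") >> (64 - self.bits)

    def _path(self, h: int):
        """Yield hash bits most-significant first: 0 goes left, 1 goes right."""
        for shift in range(self.bits - 1, -1, -1):
            yield (h >> shift) & 1

    def add(self, item) -> None:
        node = self.root
        for bit in self._path(self._hash(item)):
            node = node.setdefault(bit, {})
        if not node.get("present"):
            node["present"] = True
            self._size += 1

    def __contains__(self, item) -> bool:
        node = self.root
        for bit in self._path(self._hash(item)):
            node = node.get(bit)
            if node is None:
                return False
        return bool(node.get("present"))

    def remove(self, item) -> bool:
        """Unset the leaf flag and prune branches that became empty."""
        path = []
        node = self.root
        for bit in self._path(self._hash(item)):
            child = node.get(bit)
            if child is None:
                return False
            path.append((node, bit))
            node = child
        if not node.pop("present", False):
            return False
        self._size -= 1
        for parent, bit in reversed(path):
            if parent[bit]:  # sibling data below, stop pruning here
                break
            del parent[bit]
        return True

    def __len__(self) -> int:
        return self._size


def find_collision(bits: int = 8, limit: int = 100_000) -> tuple[str, str]:
    """Two distinct strings sharing a `bits`-wide hash (pigeonhole guarantees one
    within 2**bits + 1 tries); used to demonstrate the false-positive case."""
    probe = BinaryHashTrie(bits)
    seen: dict[int, str] = {}
    for i in range(limit):
        item = f"item-{i}"
        h = probe._hash(item)
        if h in seen:
            return seen[h], item
        seen[h] = item
    raise RuntimeError("no collision found within limit")
```

With 8 hash bits there are only 256 leaves, so `find_collision(8)` returns quickly and adding one of the pair makes the other test positive; at 32 bits the same structure behaves like an exact set for any realistic number of keys, which is exactly the speed-versus-certainty trade the post is asking about.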

Binary Tree Custom Collection Binary Hash Trie Data Structure Hashing Set Operations

Run docker container with GPU in Docker swarm

Running GPU-accelerated containers in Docker Swarm has long been a challenge, as native support for GPU devices in swarm mode is restricted—deploying services with `devices` in `resources.reservations` triggers validation errors. Yet, a clever workaround unlocks this capability by leveraging Docker’s overlay networks and nested containerization. The solution hinges on creating an attachable overlay network to bridge communication between swarm-managed services and a GPU-enabled container running in a privileged context. By deploying a lightweight starter service that launches a GPU-powered container (like Ollama) using `--gpus=all` and sharing the same network, the system effectively bypasses Docker Swarm’s limitations. This approach not only enables GPU access for AI workloads such as large language model inference but also allows seamless interaction with other swarm-managed services, like a warm-up client that periodically queries the model. It’s a powerful demonstration of how arch...--AI Generated

Docker Swarm GPU Resource Management Ollama DeepSeek Model Docker Networking Resource Allocation

Using the NPU to run DeepSeek R1 32B

Running a 32B language model like DeepSeek R1 on a consumer laptop with an Intel Lunar Lake CPU might seem like a fantasy—until you unlock the hidden potential of its built-in NPU. This journey begins with the stark reality of CPU-only inference: sluggish performance, high memory usage, and a frustratingly slow experience that barely justifies the effort. But what if the real bottleneck isn’t the model, but the hardware’s untapped capabilities? Enter OpenVINO—a powerful toolkit that transforms how AI models run on Intel hardware. By diving into the intricacies of NPU driver installation, Level Zero integration, and system-level permissions, the process reveals a deeper truth: modern AI isn’t just about model size, but about how well it’s matched to the silicon beneath. The real breakthrough comes when OpenVINO detects the NPU and compiles a 4-bit quantized version of DeepSeek R1, optimized for this very chip. Suddenly, the model isn’t just running—it’s responding with tangible speed, b...--AI Generated

Ai Lunarlake NPU Deepseek Hugging face OpenVINO