Hacker News: antoniomika

New comment by antoniomika in "SSH certificates: the better SSH experience"

antoniomika — Sat, 04 Apr 2026 02:16:08 +0000

We added SSH certificates support to pico.sh [1] and it's been great. Utilizing principals gave us the ability to implement a RBAC like system for specific parts of the pico.sh ecosystem. Users get the flexibility they want with limited complexity.

[1] https://pico.sh/access-control#ssh-certificates

New comment by antoniomika in "BorgBackup 2 has no server-side append-only anymore"

antoniomika — Sat, 07 Jun 2025 23:42:58 +0000

Currently, you can either provide the `BORG_REPO_PERMISSIONS` env var to borg [0] or `--permissions` flag to `borg serve` [1]. You can then enforce this as part of your `authorized_keys` command, for example.

[0] https://github.com/borgbackup/borg/blob/3cf8d7cf2f36246ded75...

[1] https://github.com/borgbackup/borg/blob/3cf8d7cf2f36246ded75...

New comment by antoniomika in "BorgBackup 2 has no server-side append-only anymore"

antoniomika — Sat, 07 Jun 2025 22:54:30 +0000

This has been replaced with a permissions feature that still provides both delete and overwrite protections. The difference is the underlying store needs to implement it rather than running a server that understands the permission differences. You can read more about this change here: https://github.com/borgbackup/borg/issues/8823#issuecomment-...

New comment by antoniomika in "Deno Under TinyKVM in Varnish"

antoniomika — Fri, 11 Apr 2025 16:20:49 +0000

Check out sysbox[0], it's a runc based runtime that allows you to run "system" containers without privilege.

[0]: https://github.com/nestybox/sysbox

New comment by antoniomika in "Pico.sh – SSH powered services for developers"

antoniomika — Thu, 03 Apr 2025 17:10:33 +0000

Yep! tuns would be the service you want since it can support forwarding arbitrary backends: https://pico.sh/tuns#custom-domains

New comment by antoniomika in "Pico.sh – SSH powered services for developers"

antoniomika — Thu, 03 Apr 2025 05:52:30 +0000

We’re actually using Unix sockets as the underlying transport layer for this. We’re also not using sshd, we custom wrote our own daemon that’s entire job is tunneling. If you’re curious about this, you can find the project here: https://github.com/antoniomika/sish

sish was actually my first foray into SSH apps. It was a lot of fun to write and pretty much implements tunnels with a routing system on top. It manages connectivity, routing, and reverse proxying all within user space. No namespaces required!

tuns can actually even tunnel UDP traffic over SSH, also entirely in user space. Docs for that can be found here: https://pico.sh/tuns#udp-tunneling

New comment by antoniomika in "Pico.sh – SSH powered services for developers"

antoniomika — Thu, 03 Apr 2025 02:51:26 +0000

We're actually fully open source and all development occurs in the open! Here's the repo https://github.com/picosh/pico and you can find us on Libera IRC

New comment by antoniomika in "Pico.sh – SSH powered services for developers"

antoniomika — Thu, 03 Apr 2025 02:02:49 +0000

Hrm that's odd! Just tested and everything looks fine. Any logs or errors you can share?

New comment by antoniomika in "Pico.sh – SSH powered services for developers"

antoniomika — Thu, 03 Apr 2025 02:01:45 +0000

Our host keys are published here and are durable: https://pico.sh/host-keys

New comment by antoniomika in "Pico.sh – SSH powered services for developers"

antoniomika — Thu, 03 Apr 2025 00:37:31 +0000

Ashburn, VA and Nuremberg, DE!

New comment by antoniomika in "Pico.sh – SSH powered services for developers"

antoniomika — Wed, 02 Apr 2025 23:57:52 +0000

Woops! Delete is supported, will update that as well

New comment by antoniomika in "Pico.sh – SSH powered services for developers"

antoniomika — Wed, 02 Apr 2025 23:57:23 +0000

Correct! The tunnels are protected using ssh auth as well, so you can ensure that only the users you want to access it can.

New comment by antoniomika in "Pico.sh – SSH powered services for developers"

antoniomika — Wed, 02 Apr 2025 23:40:45 +0000

I'd actually highly recommend taking a look at vaxis (https://github.com/rockorager/vaxis). We've moved away from wish/bubbletea and have really enjoyed working with vaxis!

New comment by antoniomika in "Pico.sh – SSH powered services for developers"

antoniomika — Wed, 02 Apr 2025 23:01:04 +0000

Sorry, this is a focus issue with a tui which we'll fix up soon! Should just need to hit until OK is highlighted and then press enter

New comment by antoniomika in "Pico.sh – SSH powered services for developers"

antoniomika — Wed, 02 Apr 2025 22:59:59 +0000

We recently changed our tui framework and the functionality for focus is a bit different. You might have to hit until `ADD` is highlighted. You can also rsync/scp/sftp an authorized_keys file and we'll add that to your account!

New comment by antoniomika in "Pico.sh – SSH powered services for developers"

antoniomika — Wed, 02 Apr 2025 22:38:25 +0000

And we're still free! Just added some payments to help keep things running smoothly and allow us to invest in more infrastructure. pgs (static sites) and tuns (tunneling) are both multi-region for example.

New comment by antoniomika in "Pico.sh – SSH powered services for developers"

antoniomika — Wed, 02 Apr 2025 22:36:31 +0000

And we'd be happy for you too! All of our code/tools are open source and available here: https://github.com/picosh/pico

Bluesky over SSH

antoniomika — Wed, 04 Dec 2024 03:08:56 +0000

Article URL: https://termsky.app/

Comments URL: https://news.ycombinator.com/item?id=42314166

Points: 5

# Comments: 0

New comment by antoniomika in "Fearless SSH: Short-lived certificates bring Zero Trust to infrastructure"

antoniomika — Wed, 23 Oct 2024 22:53:14 +0000

Honestly never had a chance to merge it/review it. Once the company wound down, I had to move onto other things (find a new job, work on other priorities, etc) and lost access to be able to do anything with it after. I thought about forking it and modernizing it but never came to fruition.

New comment by antoniomika in "Fearless SSH: Short-lived certificates bring Zero Trust to infrastructure"

antoniomika — Wed, 23 Oct 2024 22:23:07 +0000

I wrote a system that did this >5 years ago (luckily was able to open source it before the startup went under[0]). The bastion would record ssh sessions in asciicast v2 format and store those for later playback directly from a control panel. The main issue that still isn't solved by a solution like this is user management on the remote (ssh server) side. In a more recent implementation, integration with LDAP made the most sense and allows for separation of user and login credentials. A single integrated solution is likely the holy grail in this space.

[0] https://github.com/notion/bastion