About

Things Worth Sharing

Useful ideas, lessons, and discoveries worth sharing.

KhaVan — co-founder of Viet-AWS (AWS User Group Vietnam, 52,000+ members · 200+ events) and AWS Study Group Vietnam. Community contributor at VMUG. Recipient of AWS APJ Community Leader 2024 — Deliver Results.

Follow along on LinkedIn · GitHub · Email.

Writing philosophy

This is a place for notes, observations, and small pieces of work that would otherwise live inside a Slack thread, a notebook, or a half-written doc that nobody reads. Topics range across technology, learning, work, and life — as long as they are genuinely worth sharing.

The posts are opinionated but try to be honest — what worked, what did not, and the trade-offs I chose. No thought leadership. No listicles. Just what actually works (and what doesn't) in production, without the corporate or marketing filter.

How it's built

Written in Astro 5, compiled to static HTML and served from a single Cloudflare Worker (khavan) via the Workers Assets binding. Content is Markdown/MDX in a git repo — editing a post is just a commit. CI/CD runs through GitHub Actions: every push to main runs npm run build (Astro + Pagefind index) then wrangler deploy. No Pages, no outer CDN layer, no containers.

The "static" part is just the outer shell. The Worker behind it runs a stack of Cloudflare-native APIs:

  • D1 (khavan-subscribers) — subscribers, double-opt-in tokens, webmentions, page views, AI summary cache, contact-form logs.
  • Vectorize (khavan-posts) + Workers AI bge-m3 embeddings — semantic search. The UI toggles between keyword and semantic search, falling back to Pagefind for short queries.
  • Workers AI → OIDC federation → AWS Bedrock (Claude Opus) — the post-summarise feature calls real Opus without a long-lived access key. The Worker signs its own OIDC token, exchanges it through STS for temporary credentials, and caches them in KV.
  • Analytics Engine (khavan_events) — custom events for page views, subscribes, summarise, abuse. The dashboard at /admin/analytics queries via the Analytics SQL API.
  • Cloudflare Access fronts /admin/*; the Worker verifies Cf-Access-Jwt-Assertion against the team JWKS and checks an email allowlist before touching any admin logic.
  • Turnstile + an abuse-guard (cheap bot-deny before hitting D1/AI) gate every public write endpoint: subscribe, contact, summarise.
  • Cron trigger (0 2 * * SUN) — weekly digest: query D1 for the week's new posts, send through Resend to confirmed subscribers.
  • Webmention receive + send, with an SSRF guard that blocks private-range hostnames, IPv6-local literals, and redirect chains beyond a small bound.
  • OG image per-post render via resvg WASM → 1200×630 PNG for social crawlers.

Source is public at github.com/vanhoangkha/khavan. Binding inventory, D1 migrations and runbooks live in CLAUDE.md and docs/ in the repo.
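A sketch of the kind of SSRF guard the webmention bullet describes, added here as an illustration and not the code in that repository. The function names, the deny-list of internal-looking names, and the redirect bound of 3 are assumptions.

```javascript
// Added example: literal and hostname checks only; DNS is not resolved here.
// Assumed deny-list of internal-looking names (not from the page).
const BLOCKED_NAMES = /^(localhost|.+\.(localhost|local|internal))$/;

function ipv4IsPrivate(host) {
  const m = host.match(/^(\d{1,3})\.(\d{1,3})\.\d{1,3}\.\d{1,3}$/);
  if (!m) return false;
  const a = Number(m[1]), b = Number(m[2]);
  return a === 0 || a === 10 || a === 127 ||
    (a === 100 && b >= 64 && b <= 127) || // 100.64.0.0/10 shared address space
    (a === 169 && b === 254) ||           // 169.254.0.0/16 link-local
    (a === 172 && b >= 16 && b <= 31) ||  // 172.16.0.0/12
    (a === 192 && b === 168);             // 192.168.0.0/16
}

function ipv6IsLocal(host) {
  if (!host.startsWith("[")) return false;
  const addr = host.slice(1, -1);
  if (addr === "::" || addr === "::1") return true;  // unspecified, loopback
  if (/^f[cd][0-9a-f]{2}:/.test(addr)) return true;  // fc00::/7 unique local
  if (/^fe[89ab][0-9a-f]:/.test(addr)) return true;  // fe80::/10 link-local
  // The URL parser serializes ::ffff:a.b.c.d as ::ffff:hhhh:hhhh.
  const m = addr.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
  if (!m) return false;
  const hi = parseInt(m[1], 16), lo = parseInt(m[2], 16);
  return ipv4IsPrivate(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
}

function isAllowedTarget(raw) {
  let u;
  try { u = new URL(raw); } catch { return false; }
  if (u.protocol !== "http:" && u.protocol !== "https:") return false;
  // URL parsing canonicalizes forms such as 0x7f.1 or 2130706433 to 127.0.0.1.
  const host = u.hostname.replace(/\.$/, "");
  return !(BLOCKED_NAMES.test(host) || ipv4IsPrivate(host) || ipv6IsLocal(host));
}

// Follows redirects by hand so every hop is re-validated and the chain is bounded.
async function guardedFetch(raw, fetchImpl = fetch, maxRedirects = 3) {
  let url = raw;
  for (let hop = 0; hop <= maxRedirects; hop++) {
    if (!isAllowedTarget(url)) throw new Error(`blocked target: ${url}`);
    const res = await fetchImpl(url, { redirect: "manual" });
    const loc = res.headers.get("location");
    if (res.status < 300 || res.status >= 400 || !loc) return res;
    url = new URL(loc, url).href; // resolve a relative Location header
  }
  throw new Error("too many redirects");
}
```

A public name that resolves to a private address still passes these checks, so they complement a resolution-time control where the platform offers one.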

Get in touch

Fastest route: khavan.work@gmail.com. For updates, subscribe to the RSS feed.