Posts

{Wire}guard from your ISP

April 11, 2018
Internet, Security, Networking, Providers
Ubiquiti, Wireguard, Depricated, Mullvad

WireGuard aims to be as easy to configure and deploy as SSH. You establish a VPN connection by simply exchanging public keys, and the rest is transparently handled by WireGuard. There are many other VPN technologies; however, WireGuard is uniquely interesting for two reasons. Cryptokey routing: the first principle is simply mapping public keys to sets of allowed addresses, which makes WireGuard easier to grok for deployments. Endpoints and roaming: also a first principle, this facilitates NAT traversal and the use of dynamic addressing through keepalives. ...

Pass, with friends

March 30, 2018
Crypto, Security
GPG, Git

pass is a simple way to manage passwords locally, and with git one can collaborate on a password database with friends. The two technologies, pass and gpg, have a lot of resources on-line, but when I went looking to set up a team with pass I found resources in several different places that didn’t match up with practices that made sense. Notably, several people were creating key-pairs for each database and sharing the actual key-pairs with collaborators, which seemed insane. ...

ZFS Performance Focused Parameters

February 20, 2018
Storage
ZFS, Depricated

We’ve recently gotten some significantly larger storage systems, and after running some 50T pools with basically all the defaults it felt like time to dig into what common options are used to chase performance. The intended use for these systems is ultimately CIFS/NFS targets for scientists who are running simulations that generate small (1M) to large (100G) files. I’m not being rigorous or offering any benchmarks, just digging into documented performance parameters and explaining the rationale. ...

Selective Powertop tunables via Systemd

November 2, 2017
Linux
Powertop

Originally, in the Arch Linux metal-to-desktop guide, I advised using powertop --auto-tune via a systemd unit; however, this can be obnoxious if you’ve got peripherals (like USB-based keyboards or mice) that you don’t want powering off constantly. For this laptop (T470s) I unplugged from the docking station and, on battery, ran the following:
powertop --calibrate
powertop --html=powerreport.html
awk -F '</?td ?>' '/tune/ { print $4 }' powerreport.html
...

ECC Certificates and mTLS with Nginx

October 29, 2017
Internet, Networking, Security
Nginx, PKI, OpenSSL, Depricated

If you want to be truly paranoid about authentication to services, you can implement your own Public Key Infrastructure (PKI). Many large, privacy-focused organizations have developed a digital/physical PKI strategy, for example the DoD’s Common Access Card. OpenSSL is software that can be used to set up a “simple” PKI; however, it is easy to get lost within its command complexity. In this guide we’ll set up a “simple” PKI that we’ll use to authenticate users, while still using legitimately issued Let’s Encrypt Domain Validation certificates for the server. ...

BTRFS Maintenance and the SSD parameter

October 23, 2017
Storage
BTRFS

I stumbled across this discussion about the ssd parameter that I’d been using in my installation guide and realized that I was very likely afflicted by what was being discussed in the mailing list. I fired up IRC and jumped into the #btrfs discussion on freenode to ask for some clarification about how I’d examine my current state. Luckily I was able to talk with several knowledgeable people, and even knorrie, who was the original author of the mailing list discussion above. ...

Modern TLS with Nginx and LetsEncrypt

May 19, 2017
Internet, Security
Nginx, Letsencrypt, Depricated

With all of the nasties we are seeing about snarfing up data, there has been a concerted effort to get encryption in place. For the web, it has never been easier to get these things sorted, because there have been significant efforts recently to reduce the barrier. Firstly, the Let’s Encrypt project broke up the cabal of certificate authorities by providing a recognized authority that could issue certificates to verified domain operators without a transaction cost. ...

Dynamic DNS via EdgeOS and Cloudflare

May 16, 2017
Networking
Depricated, Ubiquiti, Cloudflare

Dynamic DNS is an essential tool if your provider is unwilling to provide you with a static address. On almost all residential connections with the large providers you’re not going to be able to obtain a static address unless you convert over to one of their business accounts and then pay some hefty amount like 15 USD monthly. I’ve used several DNS providers and have been with Cloudflare for a good while now due to their speed. ...

Home Network, a novice Design

May 16, 2017
Networking
Depricated, Ubiquiti

I’ve written before about network hardware selection, where I surmise that Ubiquiti’s EdgeMax products are what I typically rely on when building out a network. Here I’ll lay out what I think is a good design for a home network using some of the inexpensive EdgeMax and UniFi products. It might seem silly that I would include UniFi in a discussion of an implementation with EdgeMax, but really you don’t have a better choice for a wireless access point than what UniFi offers. ...

Limiting Exposure via ssh ProxyJump

May 16, 2017
Networking, Security
SSH

ssh is an amazingly prolific tool that is used extensively by anyone who manages systems. It’s a tool that many of us trust to provide the ultimate command and control access to the devices we manage, and on many commercial systems it is marginalized by being updated infrequently. If you’re able to run modern OpenSSH, you have access to a new feature named ProxyJump, which makes using a jumphost much simpler. ...