GPG Agent as SSH Agent

It is possible to use your gpg-agent as an ssh-agent to provide a consistent UX when unlocking your private keys. Secondarily, you can set a masking password that is shorter than your original ssh key-pair password. Assuming you're relying on a gpg-agent for your system already, this is a way to roll the functionality into a single daemon.

Audit SMB activity with VFS Modules

We have a central instance of smbd on which we allow users to have home directories, as well as project-specific shares. It's a beefy ZFS on Linux instance that we call "tank" in reference to Jeff Bonwick's discussion of the humble ZFS beginnings within Sun. We run a backup strategy between it and a couple of other trailing-mirrored instances that we've positioned around the facility. We want to be able to review everything a user did in terms of interaction with tank. This can be accomplished via something called a "Stackable VFS Module".

{Wire}guard from your ISP

People are getting into a recent uproar about entities like Facebook and Cambridge Analytica while willingly putting their information into these ecosystems. We should instead be considerably more concerned about the unwilling surveillance we're a part of from our ISP. Recently the Guardian and some discussion pushed me to finally look into applying WireGuard to something like the home network design. So in this post we're going to install WireGuard on an EdgeMAX router, bring up a WireGuard tunnel to a VPN service, send all DNS queries over that tunnel, and send selected hosts' or subnets' Internet-bound traffic over that tunnel.

Pass, with friends

Pass is a simple way to manage passwords locally, and with git one can collaborate on a password database with friends. To use pass with friends you must have pass, git, ssh, and gpg configured. We'll get into how to structure your pass databases for multiple projects and how to share them with multiple people.

ZFS Performance Focused Parameters

We've recently gotten some significantly larger storage systems, and after running some 50T pools with basically all the defaults it felt like time to dig into which common options are used to chase performance. The intended use for these systems is ultimately CIFS/NFS targets for scientists who are running simulations that generate small (1M) to large (100G) files. I'm not being rigorous or offering any benchmarks, just digging into documented performance parameters and explaining the rationale.

Selective Powertop tunables via Systemd

If you've got an Intel system and want your powertop tunables to stick selectively, you can't rely on the auto-tune feature. If you do, you'll notice some subsystems are not available right when you want them (e.g. a mouse). It's better to profile and selectively apply the configurations that make sense for your use.

ECC Certificates and mTLS with Nginx

If you want to be truly paranoid about authentication to services, you can implement your own Public Key Infrastructure (PKI). Many large organizations that are privacy focused have developed a digital/physical PKI strategy, for example the DoD's Common Access Card. OpenSSL is software that can be used to set up a "simple" PKI; however, its command complexity is easy to get lost within. In this guide we'll set up a "simple" PKI that we'll use to authenticate users, while still using legitimately issued Let's Encrypt Domain Validation certificates for the server.

BTRFS Maintenance and the SSD parameter

I stumbled across a discussion about using the ssd parameter as a mount option with BTRFS and realized that I was very likely afflicted by what was being discussed on the mailing list. I'd not anticipated any maintenance operations being necessary when starting to use BTRFS as a daily driver, but IRC and the community were incredibly helpful.

Modern TLS with Nginx and LetsEncrypt

With all of the nasties we are seeing about snarfing up data, there has been a concerted effort to get encryption in place. For the web, it has never been easier to get these things sorted, because there have been significant efforts recently to reduce the barrier. Firstly, the Let's Encrypt project broke up the cabal of certificate authorities by providing a recognized authority that could issue certificates to verified domain operators without a transaction cost. Secondly, the Let's Encrypt project and the EFF collaborated on certbot to provide a fully featured utility for requesting, issuing, and renewing certificates. And thirdly, the OpenSSL project has been getting a lot more external attention due to recent vulnerabilities being reported in a much more trendy fashion.

Dynamic DNS via EdgeOS and Cloudflare

Dynamic DNS is an essential tool if your provider is unwilling to provide you with a static address (or has priced it unreasonably). On almost all residential connections with the large providers you're not going to be able to obtain a static address unless you convert over to one of the business contracts, then pay some hefty amount like 15 USD monthly. EdgeOS can now work with Cloudflare to update DNS records based on your changing WAN interface addresses.

Home Network, a novice Design

When you jump beyond the use of a monolithic router/switch to separate devices it can be a daunting task. Often it is easy to settle into using unmanaged switching, which doesn't allow for isolation. In today's age, with IoT running rampant, having different isolation domains can be essential for limiting untrusted but useful devices from exfiltrating data from your household. Moving to a managed switch platform allows you to do a variety of interesting things for your home network, yet getting started can be a bit daunting.

Limiting Exposure via ssh ProxyJump

ssh is an amazingly prolific tool that is used extensively by anyone who manages systems. It's a tool that many of us trust to provide the ultimate command and control access to the devices we manage, and on many commercial systems it can be marginalized by being updated infrequently. If you're able to run modern OpenSSH you have access to a newer feature named ProxyJump, which makes using a jumphost much simpler.

Project Fi, ArchLinux, Thinkpad T470s

For half a decade it has been a personal desire to have mobile broadband connectivity with a laptop without requiring peripherals like a MiFi or tethering. When it became possible to get LTE modems in newer model Thinkpads, it was time to see if Fi had made data-only SIMs that would work nationally and internationally.

Painless CIFS targets via systemd

Systemd can be leveraged to help manage your CIFS mount points through its automount features. Once set up, it makes for a painless way to access network targets on demand.

Archlinux Metal to Server With ZFS

A simplified install procedure that will take you from bare metal to a server running the next-generation file system ZFS. This guide stays updated, as it is consulted each time I have to do a new install. It reflects the path I take most commonly with servers responsible for housing some sensitive data. Although ZFS is not an in-kernel feature, it is a far more mature basis for building complex, and trustworthy, storage pools on a single host.

Archlinux Metal to Desktop Environment

A simplified install procedure that will take you from bare metal to a machine with a desktop environment. This guide stays updated, as it is consulted each time I have to do a new install. It reflects the paths that I generally use for my (and my family's) daily driver machines. We'll be focused on a sort of golden path by using the modern, well-maintained technology stack of LUKS, btrfs, systemd, and GNOME.