Tailscale mesh network connecting devices

Tailscale for Homelab: Secure Remote Access Without Port Forwarding

Your homelab cluster runs at home. You’re not always at home. You need access. The traditional approach: forward ports, set up dynamic DNS, configure firewall rules, pray nobody finds your exposed services. The better approach: Tailscale. Zero exposed ports. Secure WireGuard encryption. Your devices find each other, wherever they are.

What Is Tailscale?

Tailscale is a mesh VPN built on WireGuard. Every device gets a stable IP. Every device can reach every other device. No central server routing your traffic. ...

May 10, 2026 · 6 min read · Tom Meurs
Isometric illustration of a central key with three identity branches shielded by a quantum barrier

Quantum-safe GPG identity with multiple aliases

A cryptographic signature is one of the few things online that means exactly what it says. If the key is yours and the signature verifies, the content came from you. No vendor issued this identity, no CA can revoke it, no platform can suspend it. It exists because you generated the key, and it stays yours as long as you control the private half. Most of what we call “online identity” is on loan from someone else: a handle that can be banned, a checkmark that can be removed, an email address that a domain owner can reclaim. A GPG signature sits outside all of that. Either the key that signed this paragraph is yours, or it is not, and no one else gets to decide. ...

April 18, 2026 · 12 min read · Tom Meurs
cert-manager automatic TLS certificate flow

cert-manager: Automatic TLS Certificates in Kubernetes

Manual certificate management is a recipe for outages. Certificates expire at 3 AM on a holiday weekend. Renewal processes live in tribal knowledge. Teams deploy services without HTTPS because “it’s too complicated.” cert-manager automates everything. Define what certificates you need, and cert-manager handles issuance, renewal, and Kubernetes Secret management. Forever. This is one of the first things I install in every cluster.

How cert-manager Works

    flowchart TD
        subgraph cluster["Kubernetes Cluster"]
            CM["cert-manager"]
            CERT["Certificate<br/>Resource"]
            SECRET["TLS Secret"]
            INGRESS["Ingress"]
        end
        subgraph external["External"]
            LE["Let's Encrypt<br/>ACME Server"]
            DNS["DNS Provider"]
        end
        CERT -->|"watches"| CM
        CM -->|"creates"| SECRET
        CM <-->|"ACME protocol"| LE
        CM <-->|"DNS challenge"| DNS
        SECRET -->|"mounts"| INGRESS

1. You create a Certificate resource
2. cert-manager requests a certificate from the issuer (Let’s Encrypt, Vault, etc.)
3. cert-manager completes the challenge (HTTP-01 or DNS-01)
4. cert-manager stores the certificate in a Kubernetes Secret
5. Your Ingress/Gateway uses the Secret for TLS

Renewal happens automatically 30 days before expiration. ...

April 12, 2026 · 6 min read · Tom Meurs
Cilium eBPF networking architecture

Cilium Deep Dive: eBPF Networking for Kubernetes

Kubernetes networking is notoriously complex. CNI plugins, kube-proxy, iptables chains, service meshes — layers upon layers of abstraction that eventually break in ways nobody understands. Cilium changes this. It uses eBPF to move networking logic into the Linux kernel, bypassing iptables entirely. The result: better performance, more visibility, and network policies that actually make sense. This is what I run in my clusters. Let me show you why.

What is eBPF?

eBPF (extended Berkeley Packet Filter) lets you run sandboxed programs in the Linux kernel without changing kernel source code or loading kernel modules. ...

April 8, 2026 · 7 min read · Tom Meurs
Declarative infrastructure for compliance and certification

Declarative Infrastructure as Compliance Documentation: Talos, NixOS, and Audit-Ready Systems

Compliance audits are painful. Anyone who’s been through ISO 27001 certification knows the drill: weeks of documentation gathering, screenshots of configurations, evidence of change management processes, proof that what you say you do is what you actually do. But here’s something I’ve realized after running declarative infrastructure for years: systems like Talos and NixOS don’t just make infrastructure better — they make compliance dramatically easier. The same properties that make these systems reliable (immutability, reproducibility, auditability) are exactly what auditors want to see. ...

March 23, 2026 · 7 min read · Tom Meurs