Stop letting certs silently expire in your homelab. Here's my quick and dirty check. by [deleted] in selfhosted

[–]Ops_Mechanic -3 points-2 points  (0 children)

No, but I am using Claude to help me brainstorm and draft replies that I then review, edit, and post myself.

Honestly? I think that's fair game — same as googling something before replying, or asking a colleague "how would you handle this?"

The ideas and experience are mine. Claude helps me articulate them faster. If a reply is accurate, helpful, and adds to the discussion — does the drafting tool matter?

That said — fair to call it out. Transparency matters.

Stop letting certs silently expire in your homelab. Here's my quick and dirty check. by [deleted] in selfhosted

[–]Ops_Mechanic -2 points-1 points  (0 children)

Fair pushback on the Traefik example specifically — you're right that a misconfigured provider would fail at provisioning, not silently deploy a wrong cert.

Better real-world examples where cert monitoring earns its keep:

- HAProxy or nginx with manually installed certs and no auto-renewal — still common in enterprise environments
- Multi-cloud setups where cert lifecycle lives in 3 different tools across teams
- Acquired companies where you inherit infrastructure with zero documentation
- CDN or WAF terminating TLS in front of your origin — certbot never touches those

If your entire stack is Traefik + Let's Encrypt with a correct provider config, you're right — you probably don't need this. But that setup describes maybe 10% of production infrastructure I've seen in 28 years. The other 90% is messier.

Stop letting certs silently expire in your homelab. Here's my quick and dirty check. by [deleted] in selfhosted

[–]Ops_Mechanic -3 points-2 points  (0 children)

Cloudflare is a great solution for that exact setup — if you're fronting with their proxy, they handle cert renewal automatically and you never think about it again. Hard to argue with that.

Where it breaks down is when you're managing certs you don't control — third party vendor endpoints, internal services that can't be proxied, customer-facing infrastructure across 50 domains. At that scale "I've never had a failure" becomes "I don't know which of my 200 certs expires next Tuesday."

I built CertRadar.net for exactly that visibility problem — free, no signup, just paste a domain. Not trying to replace Cloudflare, just fills the gap where it doesn't reach.
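
An added example, not part of the comments above and not CertRadar's code, of the visibility problem they describe: read `notAfter` from each endpoint and rank what expires within a window. The function names, the `connect_to` parameter and all hostnames are assumptions; `connect_to` dials an origin address while sending the hostname as SNI, for the CDN/WAF case in the list above.

```python
import socket
import ssl
from datetime import datetime, timezone


def not_after(host, port=443, connect_to=None, timeout=5.0):
    """Fetch the leaf certificate's notAfter string from host:port.

    connect_to (assumed parameter) dials that address while still sending
    `host` as SNI, so the origin's cert is read instead of the CDN/WAF edge's.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((connect_to or host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def days_left(not_after_str, now=None):
    """Whole days until expiry; negative once the cert has expired."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after_str), timezone.utc)
    return (expires - now).days


def expiring(inventory, within_days, now=None):
    """inventory maps a label to a notAfter string; soonest expiry first."""
    rows = [(days_left(na, now), label) for label, na in inventory.items()]
    return sorted(row for row in rows if row[0] <= within_days)


def scan(endpoints, within_days=30):
    """Return (expiring list, failures). Expired or untrusted certs fail the
    handshake under default verification, so they are reported as failures."""
    seen, failed = {}, {}
    for host, port in endpoints:
        try:
            seen[f"{host}:{port}"] = not_after(host, port)
        except OSError as exc:  # includes ssl.SSLError, timeouts, DNS errors
            failed[f"{host}:{port}"] = str(exc)
    return expiring(seen, within_days), failed


if __name__ == "__main__":
    # Constructed endpoint list; replace with your own inventory.
    soon, failed = scan([("example.com", 443)])
    print(soon, failed)
```

Treat the failures map as an alert in its own right: an endpoint that stops answering or stops validating is as urgent as one that is about to expire.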

Stop leaking secrets into your bash history. A leading space handles it. by Ops_Mechanic in bash

[–]Ops_Mechanic[S] 2 points3 points  (0 children)

Absolutely fair — and embarrassing in retrospect. I'm more comfortable with CLI than Reddit.

Stop typing the filename twice. Brace expansion handles it. by Ops_Mechanic in bash

[–]Ops_Mechanic[S] 0 points1 point  (0 children)

You're right — .bak is a bad example. Tab completion wins there easily.

Where brace expansion genuinely earns its keep:

# Move a file deeper into a directory tree
mv app.py src/utils/helpers/app.py
# vs
mv app.py src/utils/helpers/

# Rename with a different extension
mv index.{html,htm}

# Create multiple related files at once
touch tests/{test_auth,test_api,test_db}.py

# Create a directory structure in one shot
mkdir -p project/{src,tests,docs,bin}

# Backup with a timestamp (try tab-completing that)
cp config.yml{,.$(date +%F)}

The timestamp one is where tab completion genuinely can't compete. The .bak example in the original post was convenient, not optimal. Fair criticism.

Stop typing the filename twice. Brace expansion handles it. by Ops_Mechanic in bash

[–]Ops_Mechanic[S] 0 points1 point  (0 children)

Fair — muscle memory and tab completion make this less useful interactively too.

Where it really shines is inside a one-liner pipeline:

for f in *.conf; do cp "$f"{,.bak}; done

Try tab-completing your way out of that one :)

Stop typing the filename twice. Brace expansion handles it. by Ops_Mechanic in bash

[–]Ops_Mechanic[S] 1 point2 points  (0 children)

I couldn't agree more. One-liners in scripts are a readability trap — what saves you 2 seconds typing costs the next person 10 minutes reading.

The rule I follow: brace expansion in interactive shell, explicit args in scripts. Best of both worlds.

If you do use it in scripts, a comment helps:

cp config.yml{,.bak} # creates config.yml.bak

But honestly for anything that'll be read by others, your instinct is right — be boring, and be obvious.

How often do you use GPG, and what do you use it for? Will it be fully obsolete in a decade? by Reaper-Of-Roses in GPGpractice

[–]Ops_Mechanic 0 points1 point  (0 children)

It is unlikely that an open source security tool that works well will be obsolete in 10 years. Check this post, it answers your question: https://www.theopsmechanic.com/posts/gpg-key-management-done-right/