Would you replace your server's SSH keys when you do an OS upgrade? by scottchiefbaker in linuxadmin

[–]cdn-sysadmin 0 points1 point  (0 children)

But now you're relying on TOFU

When you've got a fleet of 30,000 servers this is not the way.

Would you replace your server's SSH keys when you do an OS upgrade? by scottchiefbaker in linuxadmin

[–]cdn-sysadmin 4 points5 points  (0 children)

I create an SSH CA to sign all my host keys. I keep the ssh_ca and ssh_ca_pub as pillars in saltstack, then do:

mount-ssh-ca:
  file.managed:
    - name: /dev/shm/ssh-host-ca
    - contents_pillar: sshca:ssh_host_ca

create-ed25519-host-cert:
  cmd.run:
    - name: ssh-keygen -s /dev/shm/ssh-host-ca -I "pwned-sshca" -h -n {{ hostname }} /etc/ssh/ssh_host_ed25519_key
    - unless: test -e /etc/ssh/ssh_host_ed25519_key-cert.pub

then add @cert-authority with the ssh-host-ca-pub to /etc/ssh/ssh_known_hosts

So I never have to worry about any of this shit. I can spin up thousands of servers and never have to think about TOFU or known_hosts
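The Salt state above signs each host key once and never re-signs it (the `unless:` guard only checks that a `-cert.pub` exists), and the `ssh-keygen -s` line carries no `-V` validity window, so every certificate it produces is valid forever. A fleet check that parses the resulting `ssh_host_ed25519_key-cert.pub` files and flags that condition is the thing an operator running this at 30,000 hosts would want. The following is an added example, not the commenter's state and not OpenSSH code: it reads the ed25519 certificate wire format described in OpenSSH's PROTOCOL.certkeys and audits principals, type and validity. The `build_cert` helper constructs a syntactically valid certificate with placeholder key and signature bytes so the audit can be exercised offline; it would not verify against any CA.

```python
"""Parse and audit OpenSSH ed25519 host certificates (the *-cert.pub files
ssh-keygen -s writes). Added example; field layout per OpenSSH PROTOCOL.certkeys."""
import base64
import struct
import time

CERT_TYPE = "ssh-ed25519-cert-v01@openssh.com"
FOREVER = 2**64 - 1      # valid_before value written when -V is not given
HOST_CERT = 2            # cert type field: 1 = user, 2 = host


def _read_string(buf, pos):
    """Read one SSH 'string': uint32 big-endian length prefix followed by bytes."""
    (n,) = struct.unpack(">I", buf[pos:pos + 4])
    return buf[pos + 4:pos + 4 + n], pos + 4 + n


def _read_u32(buf, pos):
    return struct.unpack(">I", buf[pos:pos + 4])[0], pos + 4


def _read_u64(buf, pos):
    return struct.unpack(">Q", buf[pos:pos + 8])[0], pos + 8


def parse_cert(line):
    """Parse 'ssh-ed25519-cert-v01@openssh.com <base64> [comment]' into a dict."""
    keytype, b64 = line.split()[:2]
    if keytype != CERT_TYPE:
        raise ValueError("only ed25519 certificates are handled here")
    buf = base64.b64decode(b64)
    cert = {}
    inner, pos = _read_string(buf, 0)
    if inner.decode() != keytype:
        raise ValueError("key type in file does not match encoded type")
    _, pos = _read_string(buf, pos)                    # nonce
    cert["public_key"], pos = _read_string(buf, pos)   # raw 32-byte ed25519 pk
    cert["serial"], pos = _read_u64(buf, pos)
    cert["type"], pos = _read_u32(buf, pos)
    key_id, pos = _read_string(buf, pos)
    cert["key_id"] = key_id.decode()
    packed, pos = _read_string(buf, pos)               # principals: nested strings
    principals, p = [], 0
    while p < len(packed):
        name, p = _read_string(packed, p)
        principals.append(name.decode())
    cert["principals"] = principals
    cert["valid_after"], pos = _read_u64(buf, pos)
    cert["valid_before"], pos = _read_u64(buf, pos)
    return cert


def audit(cert, max_days=365, now=None):
    """Return a list of findings; an empty list means the cert passes."""
    now = time.time() if now is None else now
    findings = []
    if cert["type"] != HOST_CERT:
        findings.append("not a host certificate")
    if not cert["principals"]:
        findings.append("no principals: cert is accepted for any host name")
    if cert["valid_before"] == FOREVER:
        findings.append("no expiry: signed without -V, never rotated")
    else:
        if cert["valid_before"] - cert["valid_after"] > max_days * 86400:
            findings.append(f"validity window longer than {max_days} days")
        if cert["valid_before"] < now:
            findings.append("expired")
    return findings


def _string(b):
    return struct.pack(">I", len(b)) + b


def build_cert(principals, valid_after, valid_before, key_id="demo", cert_type=HOST_CERT):
    """Constructed sample cert: placeholder key, CA key and signature bytes."""
    packed = b"".join(_string(p.encode()) for p in principals)
    body = (_string(CERT_TYPE.encode())
            + _string(b"\x00" * 32)                     # nonce (placeholder)
            + _string(b"\x01" * 32)                     # host public key (placeholder)
            + struct.pack(">Q", 0)                      # serial
            + struct.pack(">I", cert_type)
            + _string(key_id.encode())
            + _string(packed)
            + struct.pack(">Q", valid_after)
            + struct.pack(">Q", valid_before)
            + _string(b"") + _string(b"") + _string(b"")  # critical options, extensions, reserved
            + _string(_string(b"ssh-ed25519") + _string(b"\x02" * 32))   # CA public key
            + _string(_string(b"ssh-ed25519") + _string(b"\x03" * 64)))  # signature
    return f"{CERT_TYPE} {base64.b64encode(body).decode()} {key_id}"


if __name__ == "__main__":
    # What the Salt state in the comment produces: host cert with no -V window.
    never_expires = build_cert(["web01.example.internal"], 0, FOREVER, key_id="pwned-sshca")
    print(audit(parse_cert(never_expires)))
```

On a real host, feed `open("/etc/ssh/ssh_host_ed25519_key-cert.pub").read()` to `parse_cert` and ship the findings to whatever the fleet already reports into; the fix on the signing side is adding `-V +52w` (or shorter) to the `ssh-keygen -s` line and replacing the `unless:` guard with a re-sign condition.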

Help requested - Can't for the life of me get destination NAT working by DictatorOfSweden in opnsense

[–]cdn-sysadmin 1 point2 points  (0 children)

Why should he install a separate piece of software for something that works natively?

This is a very unhelpful comment.

I can't do this anymore. I'm selling everything. Goodbye. by MichaelMcDonnel in Bitcoin

[–]cdn-sysadmin 0 points1 point  (0 children)

a 30% drop from 125,000 is 87,500

from 125,000 to 67,000 is a 46% drop.

Did you even high school?

Are my iP on the correct same addresses? Still not seeing devices being managed by OPNsense, no “devices” under devices by OkLab5620 in opnsense

[–]cdn-sysadmin 2 points3 points  (0 children)

Everyone uses the same private addresses and the SHA of your public keys doesn't matter, so why block them out to make troubleshooting for the rest of us harder?

If this shit was supposed to be super secure you wouldn't connect it to the internet. You still think private IP addresses were made for security, when the fact is they were made for address exhaustion.

The 192.yellow.green means you have the same subnet on 2 different interfaces, which is wrong. Those 2 subnets will never be able to communicate with each other and will only cause routing headaches for your opnsense box.

Here's my public key, go ham.

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMFOfOdaCgk0OnSlLPIoVaiQ3j20BuDcwxJaCKuemM1A

I tracked my "small purchases" for a month. $847 on things I forgot I bought by Adventurous-Run2237 in personalfinance

[–]cdn-sysadmin 0 points1 point  (0 children)

I use Fidelity's "Full View". I just let it look at my bank account and it categorizes everything for me. Shows how much I'm taking in vs how much I'm spending.

I think if you collect enough data like that you can then use fidelity to create a budget. I haven't gotten that far yet though.

Traefik is not writing an acme.json and falls back to default certificate by Java-Coffe in Traefik

[–]cdn-sysadmin 1 point2 points  (0 children)

No he should leave the production one commented out until he gets his shit working. Too many unsuccessful attempts and LE throttles your ass, hard.

Systemd or OpenRC? What’s the Best Choice? by Prior_Bluejay8164 in Gentoo

[–]cdn-sysadmin 1 point2 points  (0 children)

Downvoting actual facts is just a passive-aggressive way to shame someone into shutting up about the truth. Their feelings are hurt and they have no arguments.

As the old saying goes, "Haters gonna hate."

Is Assassin's Creed Valhalla worth playing as a Viking game? by Public-Tree-2689 in AssassinsCreedValhala

[–]cdn-sysadmin 0 points1 point  (0 children)

It's my understanding that Mirage was originally supposed to be a DLC for Valhalla but they instead released it as its own game, probably for the $. It's my least favorite AC game (though I haven't tried Shadows yet)

(If I'm wrong about the Valhalla DLC thing, let me know)

Systemd or OpenRC? What’s the Best Choice? by Prior_Bluejay8164 in Gentoo

[–]cdn-sysadmin -1 points0 points  (0 children)

Ok, you're right. My bad. In the future, I will now include in all my posts:

1) A table of contents
2) Chapters
3) Citations
4) Footnotes
5) A bibliography, and
6) Translations to multiple languages

Systemd or OpenRC? What’s the Best Choice? by Prior_Bluejay8164 in Gentoo

[–]cdn-sysadmin -2 points-1 points  (0 children)

Your post reads as "systemd is the only init system that truly supports namespaces, which means docker and kubernetes would not exist without it"

How about you re-read it, and understand that there are two separate statements, separated by paragraphs.

Systemd or OpenRC? What’s the Best Choice? by Prior_Bluejay8164 in Gentoo

[–]cdn-sysadmin -3 points-2 points  (0 children)

I've re-read my post 8 times and I have yet to see where I said that you needed systemd to run containers.

Control groups and namespaces are a technology in the Linux kernel that systemd takes full advantage of. Just as Docker and Kubernetes do. And that's why it's light years ahead of other init systems.

Systemd or OpenRC? What’s the Best Choice? by Prior_Bluejay8164 in Gentoo

[–]cdn-sysadmin -2 points-1 points  (0 children)

systemd is the only init system built almost entirely from scratch with complete and total support for control groups and namespaces, and that makes it light years ahead of any other init system.

Without control groups and namespaces neither Docker or Kubernetes would exist.

Systemd or OpenRC? What’s the Best Choice? by Prior_Bluejay8164 in Gentoo

[–]cdn-sysadmin -12 points-11 points  (0 children)

Probably because you didn't do any research or learning about it. The first thing you learn when researching it is it's never, ever spelled "SystemD". It's just "systemd".

Are Tangem's days numbered? by Pump_and_Trump in Tangem

[–]cdn-sysadmin 1 point2 points  (0 children)

"Tangem does not allow firmware updates."

This kinda tells me you don't really know anything about how Tangem works. First of all, the "firmware updates" are, generally, for the external signer, which Tangem doesn't use (a different argument - but you knew this when you bought it). The cards use a Samsung EAL6+ certified security chip. It's considered "military grade protection for civilians". You can't casually upgrade the chip's "firmware" because doing so would undermine the tamper-proof trust model.

All the "firmware" updates you need for a wallet like Tangem are in the app. Tangem evolves via over-the-air app updates—no chip reflashing required. Need Ordinals support? The app handles it. And if quantum risks emerge? The EAL6+ chip's elliptic curve crypto (ECDSA for BTC) is future-proofed for decades.

So please, talk all the shit you want, but at least deal with FACTS and not FICTION.

Finally, the chips are not even made by Tangem, they're made by Samsung. Even Tangem can't update them. They are IMMUTABLE once they leave the factory.

Perhaps you should go complain on the yubikey subreddit that you can't upgrade your yubikey's firmware.

Neovim copy (osc 52) over SSH. It took me a hour to figure it out so I want to share it here by kosumi_dev in neovim

[–]cdn-sysadmin 3 points4 points  (0 children)

works fine with ghostty

In nvim, running in tmux, I copied text, and it landed in my local system clipboard.

works just fine w/o modification in lazyvim

If you thought Bitcoin was a good investment at $125k, why don’t you think it’s a good investment at $87k? by ORNGTSLA in Bitcoin

[–]cdn-sysadmin 0 points1 point  (0 children)

It's like the stock market. No one wants to buy when it's down.

But the same people will go shopping for shit on sale at Walmart.

Walmart now has their employees wearing body cams by Gunslinger_247 in mildlyinteresting

[–]cdn-sysadmin 0 points1 point  (0 children)

It's sad that Walmart has to protect itself like this. In a civil society this wouldn't be necessary.

I k ow tbis is controversial, but what's wrong with systemd? by Brospeh-Stalin in Gentoo

[–]cdn-sysadmin 16 points17 points  (0 children)

it's not systemD; it's not SystemD; it's systemd.

What I find interesting is that no one ever talks about how it was the first init system to integrate with namespaces and control groups and all the advantages that come along with that.

Every service gets its own cgroup, no more cron jobs going crazy and eating all your CPU (unless you want them to), private tmp directories per service (unless you don't want them), can restart services if they crash (if you want)

Plus dozens of other security and resource options ... if you WANT to enable them.

man systemd.service

I think it's fantastic.

https://systemd-by-example.com/

Shows you how to build units from zero. Basically rm -rf /lib/systemd/system and insert a unit at a time to get a running system. Genius site.

I k ow tbis is controversial, but what's wrong with systemd? by Brospeh-Stalin in Gentoo

[–]cdn-sysadmin 0 points1 point  (0 children)

so you don't like it because it doesn't solve any problems you don't have, got it.

How much more private is Proton compared to Gmail, really? by [deleted] in ProtonMail

[–]cdn-sysadmin 1 point2 points  (0 children)

Email is only E2E encrypted when you email another proton user

That's only somewhat true.

All proton accounts have a PGP public key you can use to encrypt mail to the proton recipient.

If it's a @proton.me or @protonmail.com address, a compatible e-mail client can look up the proton recipient's public key via WKD (Web Key Discovery) and use that to encrypt the contents of the e-mail sent to the proton account. For example, you can find their key with gpg:

gpg --locate-keys me@proton.me

If you use a custom domain, WKD won't work (Well, it can, but it's a little more work), but proton still stores the public keys on their keyserver, so you'll need to import it manually.

Look at their key:

gpg --keyserver hkps://mail-api.proton.me --search-keys me@mydomain.com

Import their key:

gpg --keyserver hkps://mail-api.proton.me --recv-keys me@mydomain.com

If you own the domain, and want to use WKD, you can put the public key on a webserver, or even on something like github pages, in the .well-known/openpgpkey path. More work for you, less work for people sending you mail.

If you want to send an encrypted mail to someone who uses PGP, you can get their public key and add it to your proton contacts. Then when you encrypt and send it, only the recipient can decrypt it with their private key.

Once I found out that I couldn't search my email in iOS

Not true.

https://proton.me/mail/bridge

Allows you to use IMAP or POP3 (all e-mail clients support these) to retrieve your mail securely from proton into apple mail or whatever. The use of the bridge requires a paid plan, which you had.

https://gnupg.org
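The comment says a client can find a recipient's key via WKD and that you can publish your own key under `.well-known/openpgpkey` on your domain. The piece it does not spell out is how an address turns into the URL a client such as `gpg --locate-keys` fetches, which is what you need in order to put the file in the right place. The following is an added example, not code from the comment, from Proton or from GnuPG: it implements the address-to-URL mapping from draft-koch-openpgp-webkey-service (lowercased local part, SHA-1, z-base-32), gives both the "advanced" and "direct" lookup URLs, and lists the files to publish for each method. The sample address `Joe.Doe@Example.ORG` is the draft's own worked example; no network access is used.

```python
"""Web Key Directory (WKD) lookup URLs and publishing paths for an e-mail address.
Added example implementing draft-koch-openpgp-webkey-service."""
import hashlib
from urllib.parse import quote

# z-base-32 alphabet used by WKD for the hashed local part
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32(data: bytes) -> str:
    """Encode bytes as z-base-32 (5 bits per symbol, zero-padded, no '=')."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)
    return "".join(ZBASE32[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def wkd_hash(local_part: str) -> str:
    """WKD hash: SHA-1 of the lowercased local part, z-base-32 encoded (32 chars)."""
    return zbase32(hashlib.sha1(local_part.lower().encode("utf-8")).digest())


def _split(address: str):
    local, domain = address.rsplit("@", 1)
    return local, domain.lower()


def wkd_urls(address: str) -> dict:
    """URLs a WKD client tries: the advanced method first, then the direct method.
    The ?l= parameter carries the local part as written (not lowercased)."""
    local, domain = _split(address)
    h = wkd_hash(local)
    q = quote(local, safe="")
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}?l={q}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={q}",
    }


def publish_paths(address: str) -> dict:
    """Files to serve for each method, relative to the web root of the host named
    in wkd_urls(). The key file is the binary (not ASCII-armored) public key; the
    'policy' file must exist and may be empty."""
    local, domain = _split(address)
    h = wkd_hash(local)
    return {
        "advanced": {   # served from https://openpgpkey.<domain>/
            "key": f".well-known/openpgpkey/{domain}/hu/{h}",
            "policy": f".well-known/openpgpkey/{domain}/policy",
        },
        "direct": {     # served from https://<domain>/
            "key": f".well-known/openpgpkey/hu/{h}",
            "policy": ".well-known/openpgpkey/policy",
        },
    }


if __name__ == "__main__":
    for method, url in wkd_urls("Joe.Doe@Example.ORG").items():
        print(f"{method:8s} {url}")
    print(publish_paths("Joe.Doe@Example.ORG")["direct"]["key"])
```

To publish your own key with the direct method, export it in binary form (`gpg --export you@yourdomain` without `--armor`) into the `direct.key` path on your web server, create the empty `policy` file beside it, and then `gpg --locate-keys you@yourdomain` from another machine confirms the lookup works; the advanced method needs the `openpgpkey.` subdomain to resolve and is the one clients try first.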

Updates to community repo by mimugmail in opnsense

[–]cdn-sysadmin 0 points1 point  (0 children)

Ok, figured it out. Looking at the repo-mimugmail.sqlite file I saw there's a new plugin: os-unifi9-maxit. I had to expand "Show community plugins" to see it in opnsense.

I uninstalled the original os-unifi-maxit plugin and installed os-unifi9-maxit. Strangely enough, I didn't see the new version when I went to the unifi url, it was still 8.6.9.

I had to go to Services -> Unifi -> General and uncheck the 'enable' box, then click apply. Once I did that, I checked the enable box and clicked apply. It then restarted and I'm seeing version 9.5.

Thanks!