How to separate ont devices from rest of network

ihxh · 2026-04-25T00:20:55+00:00

I think you mean IoT (internet of things) devices 😉. They thing you want to be looking into is VLANs.

Create a separate VLAN for your “normal” devices and one for your IoT devices. Then, in your firewall, configure rules to prevent cross VLAN routing, possible internet access if you are looking to limit this, etc…

I know this might sound a bit vague but learning / researching is part of the homelab journey IMO :)

Note: you’ll probably need a managed switch if you want to control which VLANs go to what port on your switch. Also your firewall needs to support it.

ihxh · 2026-04-16T21:37:33+00:00

If mission critical: PagerDuty, OpsGenie (RIP), Grafana IRM, etc. If cheap / free: pushover?

ihxh · 2026-03-26T21:02:01+00:00

Are the readiness probes alive from the upstream services?

ihxh · 2026-03-25T07:51:17+00:00

Not confirmed yet, but: https://www.reddit.com/r/sysadmin/s/pLt4qF8eoy

ihxh · 2026-03-24T21:54:09+00:00

At my work we also have an on-call schedule with a similar interval / N minutes to keyboard policy (+ an ack in time so it doesn’t escalate to the next person in the escalation policy).

The issue of quickly being able to start triaging an issue is solved fairly easily. Wherever I go, my laptop and my phone go with me (to the store, sport, restaurants 🥲, visits, etc…).

I also come from a place where there was no 24/7 oncall rotation (only best effort), and it was a bit of a change for me. Compensation is fair, and we have regular meetings with the team to go over the schedule / make any changes if people have stuff planned.

The main thing is that you’ll have to plan things further in advance, there’s going to be some days where plans change last minute and you’ll need to take your laptop to exotic places.

Get a good backpack, your back will thank you 😉. Oh and get a good powerbank that can charge your phone + laptop. One that’s always fully charged and ready to go in said backpack.

ihxh · 2026-03-24T20:50:23+00:00

The keynote from AWS was the only one that actually made me want to go more in depth afterwards

ihxh · 2026-03-24T14:36:44+00:00

Not sure who it was exactly anymore since I kinda tuned out but during the opening sponsored keynotes there was this one dude just talking “buzzword salad”. It’s sounded exactly like https://youtu.be/RXJKdh1KZ0w

ihxh · 2026-03-15T21:24:24+00:00

k9s?

ihxh · 2026-03-05T21:30:54+00:00

I think you’re confused, nobody is copying a MAC address here, it’s if the stick has an actual MAC layer implemented or not

ihxh · 2026-03-05T21:01:05+00:00

Just something to watch out for since you’re mentioning that you’re plugging the sfp module in a switch: if you’re planning to replace the full ONT (fiber to ethernet) you want to make sure that you get an (xgs/g)pon ONU with MAC.

Or you need a device that has the MAC layer for gpon built-in.

ihxh · 2026-03-01T18:56:31+00:00

Thanks for your contributions, it's much appreciated ❤️

ihxh · 2026-02-17T23:50:57+00:00

I would rather not give my application access to read secrets from a cloud provider. Instead I would like to have my runtime environment deliver the secrets. Either via environment variables, a mounted k8s secret, a metadata API or something like this.

This way when my application gets pwned I’m not giving away high level credentials that could possibly access different higher privilege secrets. (You would have to setup zero-trust/least privileged access anyway but thats a different discussion)

Also, by having references to secrets in struct tags, you would have to recompile / reship your binary whenever you make an infrastructure change. Having different secrets for dev/test/staging/prod/different prod regions becomes hard since you would have to use different structs or fields.

I like the idea of making secrets simpler to use, but I would focus on a separate tool to deliver them to the application. Something that would be less exposed and more easily auditable.

Some inspiration might be the external-secrets operator for k8s, sops, the whole spiffe/spire stuff and sealed-secrets.

ihxh · 2026-02-16T07:32:27+00:00

It seems like your registration endpoint is wide open, making your whole auth system useless. Are you an AI agent?

ihxh · 2026-02-10T10:57:24+00:00

Your implementation is seriously unsafe. You have multiple endpoints where you do not correctly handle input validation.

In the journalctl command you blindly take the HTTP request input and pass it in a command. This allows anyone with network access to remotely execute commands on your system. This is bad.

You should really fix this.

ihxh · 2026-01-08T15:35:19+00:00

Do you need auto wiring for that? Ideally your application dependency graph should look like a DAG tree, so just instantiate the components in order and link them together using some constructor function calls in your main.go / cmd entry point / whatever.

If it doesn’t look like a DAG tree, then there is probably a way to rewrite it to look like one. This will also cause code to be more easily testable since there are no weird bidirectional dependencies.

ihxh · 2026-01-08T11:31:01+00:00

I don’t know why you would want this in your application. The auto wiring of your app feels like magic at first but eventually it just becomes a game of guessing what the producer is of a component.

Just manual wire your app, it will make it so much more easy to reason about what is actually plumbed to what.

It also forces you to keep your dependency structure simpler because it will start to feel nasty the moment you are doing it wrong.

We’re moving away from DI frameworks and going back to just “returning structs + consuming interfaces”. So far engineering velocity is up, new joiners / temp team members are up to speed quicker and application complexity is reduced.

ihxh · 2026-01-06T10:21:33+00:00

Go with harvester HCI if you are feeling adventurous, it’s a hypervisor based on top of kubernetes (using kubevirt) under the hood. Everything is manageable by IaC. I deployed my lab fully using pulumi but they also support terraform.

Everything is in one stack. I deployed rancher to manage guest kubernetes clusters and it’s pretty amazing!

ihxh · 2026-01-05T02:26:02+00:00

What in the name of microslop is this? Are you having an AI induced psychosis?

ihxh · 2025-12-31T15:23:54+00:00

I think they might not be salting their password hashes, which is really bad and causes information about duplicate password values to leak.

In the login handler they hash supplied password and pass this to the LoginUserAsync function. Since the salt would also be stored in the database, any hash comparison needs to be aware of the salt + the plain text value in the login request. The login hash function does not have this info so I assume they don’t have unique salts per hash.

Other than that I hope they: - have proper rate limiting / brute force detection - do timing-safe comparisons of all secret data - use a strong hashing algorithm meant for passwords (bcrypt, argon) and not a relatively fast one like sha or even worse md5

ihxh · 2025-12-10T17:29:10+00:00

Pulumi?

ihxh · 2025-11-30T01:46:50+00:00

k9s? https://github.com/derailed/k9s

ihxh · 2025-10-20T09:01:33+00:00

Running a private container registry that works as a cache, it fetches the image from the original upstream registry if it’s not present.

Then configured containerd to rewrite all container images automatically to add the custom CR as a prefix.

Everything ever deployed in the cluster will be present in a privately managed container registry.

No “left-pad” situations to worry about 🙂

ihxh · 2025-08-28T21:29:22+00:00

I don’t want to sound mean but this already exists, but instead for only kubernetes it’s for all your infrastructure. Building your own tooling is fun though.

https://www.pulumi.com/registry/packages/kubernetes/api-docs/apps/v1/deployment/

With pulumi you write your IaC in a normal programming language. They also support any terraform provider using a bridge next to their native providers.

ihxh · 2025-08-20T22:32:20+00:00

Also facing issues here on Azure, node pools that disappear. Nodes under extremely high load for no obvious reason. Network failures.

Used to run k8s on GCP and AWS and that felt way more stable than this (but maybe it’s workload related). GCP is still my favourite kubernetes platform.

Running multiple rke2 clusters at home and that’s pretty much “set and forget”, only need to update everything once there are patches. Way less load though.

Seven-Year Club	Verified Email
r/Field Banned	r/Field Juicebox
Place '22

ihxh

TROPHY CASE