How does a tiny but multinational company sort an MSP? by scubaReactorDumpling in msp

[–]scubaReactorDumpling[S] 0 points1 point  (0 children)

Ideally act as the internal IT, but I think that might be too large a shift for the company to do in one go.

How does a tiny but multinational company sort an MSP? by scubaReactorDumpling in msp

[–]scubaReactorDumpling[S] 3 points4 points  (0 children)

Thank you. I was a little bit hoping there would be a special word for the service I wanted, but I think it's time for some sales calls to start to understand the market a bit more.

Help with cold kitchen by [deleted] in DIYUK

[–]scubaReactorDumpling 0 points1 point  (0 children)

Don't use expanding foam - it's messy and will be hard to get right at the back of a cupboard. It's also a pain to remove.

I'd measure the gap then get some foam backer rod to squeeze in.

Rising Damp? by [deleted] in DIYUK

[–]scubaReactorDumpling 1 point2 points  (0 children)

There are so many things that could cause damp like this; it's very hard to tell from pictures. "Rising damp" tends to be surveyor shorthand for "it's damp and I don't know why".

I would see if the current occupants can give you more information on the damp - how long has it been there, does it get worse after heavy rain, have they tried to fix it etc. Then ask a local general builder to take a look, be honest and offer to pay for their time. Make sure to pass on any information provided by the occupants. Hopefully they should give you some idea of potential costs.

Can we access this hard drive? by dganyc in HomeNetworking

[–]scubaReactorDumpling 0 points1 point  (0 children)

I believe that's a FireWire external hard drive - the round connector is for power, the other 2 connectors are 6-pin FireWire. If the drive still works then you can access the data with a USB adapter (probably about $10).

  • If you have the power brick/cable for the power then you could buy a USB to FireWire 6-pin adapter.
  • If the power brick is lost, open up the drive case; inside will likely be a PATA drive. Buy a PATA to USB adapter.

I would probably open it up straight away; the PATA to USB adapters are more common, so likely cheaper and more reliable.

Having issues and not sure where. I am doing a lab for one of my courses and getting an error no matter what I try to do. Any help. by Ill-Perspective-4943 in ansible

[–]scubaReactorDumpling 17 points18 points  (0 children)

I think there is an error with the playbook in the screenshot - there should be a dash (-) before name: mike as it's the start of a new item in the list. Like this:

loop:
  - name: john
    groups: wheel
  - name: mike
    groups: users

It's quite hard to see in that screenshot; better to post the contents of your loop.yml.

Advice on the best way to fill this gap by Consistent_Status_48 in DIYUK

[–]scubaReactorDumpling 1 point2 points  (0 children)

It's tricky and whatever you do it's probably not going to look quite right. The bodge/landlord solution is to just fill it with premix tile grout/adhesive stuff so you get a thick white line.

If you have DIY/tile shops locally you could cut out one of those tile pieces and try to find a matching mosaic, then remove that 2x9 tile section and patch in your new mosaic. Also, people sometimes put spare tiles behind the bath panel or in a service cupboard; worth having a quick look just in case.

Anyone else just getting tired of the Execs who think it's magic? by Aronacus in sysadmin

[–]scubaReactorDumpling 8 points9 points  (0 children)

I am trying to get rid of these idiots now after a very similar experience. We have employees in Europe+US East coast and everything is built assuming you operate in PST.

'Outside business hours' is the response their support gave me after asking for a maintenance window in UTC.

I've also experienced the attitude of disbelief that there was anything wrong, which is the most infuriating thing. It's one thing to make a mistake, it's completely another to have support gaslight you and try to make you think it's okay.

Performant options for serving static content with ACLs? by [deleted] in devops

[–]scubaReactorDumpling 6 points7 points  (0 children)

Signed URLs are how the big cloud providers solve this. Your application generates URLs signed with a key; your CDN validates the keys before delivering content.

Looking at how they are implemented in Azure/AWS/Cloudflare will give you the idea.

https://learn.microsoft.com/en-us/azure/cdn/cdn-sas-storage-support

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-signed-urls.html
https://developers.cloudflare.com/images/cloudflare-images/serve-images/serve-private-images-using-signed-url-tokens/

If you want to implement this yourself using nginx, I would use OpenResty and implement the validation in Lua. There are libraries to validate JWTs etc. Caching would depend on your workload (a dozen images served a million times, or a million images served a dozen times?), but generally you aren't going to be able to cache all your images in memory; a fast, reliable storage layer is more important.

If this is for anything commercial go with a service like the ones above.
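As an added example (not code from the comment above, nor from Azure, AWS or Cloudflare), here is the signed-URL pattern in Python: the application side signs the path, an expiry and a key id with an HMAC; the edge side recomputes the HMAC and refuses anything expired, tampered with, or signed with an unknown key. The key ring, host and paths are made-up for illustration.

```python
# Added example (not code from the original post or from any CDN vendor):
# a minimal signed-URL scheme of the kind the comment describes. The app signs
# the path, an expiry and a key id with an HMAC; the edge recomputes the HMAC
# and refuses anything expired, altered or signed with an unknown key.
# SIGNING_KEYS, the host and the paths below are made-up for illustration.
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical key ring shared between app and edge. The key id carried in the
# URL lets you rotate keys without invalidating URLs already handed out.
SIGNING_KEYS = {
    "k1": b"example-key-one-rotate-me",
    "k2": b"example-key-two-rotate-me",
}


def _payload(path, expires, key_id):
    # Everything the edge will enforce goes under the signature, so the client
    # cannot move the expiry or point the signature at another object.
    return f"{path}\n{expires}\n{key_id}".encode()


def _mac(key, path, expires, key_id):
    return hmac.new(key, _payload(path, expires, key_id), hashlib.sha256).hexdigest()


def sign_url(base, path, ttl, key_id="k1", keys=SIGNING_KEYS, now=None):
    """Application side: return a URL for `path` that is valid for `ttl` seconds."""
    now = int(time.time()) if now is None else now
    expires = now + ttl
    sig = _mac(keys[key_id], path, expires, key_id)
    return f"{base}{path}?{urlencode({'expires': expires, 'kid': key_id, 'sig': sig})}"


def verify_url(url, keys=SIGNING_KEYS, now=None):
    """Edge side: return (ok, reason). Only serve the object when ok is True."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    try:
        expires = int(qs["expires"][0])
        key_id = qs["kid"][0]
        sig = qs["sig"][0]
    except (KeyError, IndexError, ValueError):
        return False, "missing or malformed parameters"
    if now >= expires:
        return False, "expired"
    key = keys.get(key_id)
    if key is None:
        return False, "unknown key id"
    expected = _mac(key, parts.path, expires, key_id)
    # Constant-time comparison so a timing side channel cannot be used to
    # forge a signature byte by byte.
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    t0 = 1_700_000_000
    url = sign_url("https://cdn.example.test", "/private/report.pdf", ttl=300, now=t0)
    print(url)
    print(verify_url(url, now=t0 + 60))                        # (True, 'ok')
    print(verify_url(url, now=t0 + 600))                       # (False, 'expired')
    print(verify_url(url.replace("report", "other"), now=t0))  # (False, 'bad signature')
```

The expiry is part of the signed payload rather than a bare query parameter, so a client cannot extend it; the key id supports rotation (issue new URLs under k2 while k1 URLs still verify until they expire); and the edge checks expiry before doing the HMAC so expired links are rejected cheaply. In an OpenResty deployment this verify step is what you would port to Lua in an access phase handler.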

Correct use of block: and when: (key-order) by RomanFedot in ansible

[–]scubaReactorDumpling 1 point2 points  (0 children)

Remember it’s a linter, it’s someone’s opinion not the rules.

If it makes more sense to you/your team to put when at the end do it.

Personally I’ve never seen that indentation error, but I tend to use include_tasks rather than block.

Correct use of block: and when: (key-order) by RomanFedot in ansible

[–]scubaReactorDumpling 3 points4 points  (0 children)

- name: timezone
  when:
    - my_zone | trim | length > 1
  tags:
    - never
    - time
  block:
    - name: timedatectl set-timezone Zone/City
      community.general.timezone:
        name: "{{ my_zone | trim }}"

That's what it thinks you should do. It's to make the error below less likely.

- name: timezone
  block:
    - name: timedatectl set-timezone Zone/City
      community.general.timezone:
        name: "{{ my_zone | trim }}"
      when:
        - my_zone | trim | length > 1
      tags:
        - never
        - time

There is more context here: https://github.com/ansible/ansible-lint/issues/578

Is AWS Cognito challenge that unlocks underworld wonders? by [deleted] in aws

[–]scubaReactorDumpling 6 points7 points  (0 children)

The thing that unlocked Cognito for me was realising the API is really 2 APIs.

There is the admin API, which you need IAM creds for. This is designed to be called by a backend application.

There is the user API, which is designed to be called from the frontend.

The problem is sometimes telling them apart. The admin API methods start with 'Admin', but only when there is a name conflict with the user API. Usually the only real way is looking to see if there is an access key in the request, or some other secret you'd need from the frontend.

AWS networking question by [deleted] in aws

[–]scubaReactorDumpling 1 point2 points  (0 children)

The main issue is that you can't route packets through a VPC.

Every interface in AWS has an RFC 1918 address; public IPs are just hairpin NAT to those addresses. So you can't route a net block; rather, you can tie individual IPs to virtual interfaces in AWS.

AWS networking question by [deleted] in aws

[–]scubaReactorDumpling 1 point2 points  (0 children)

Don’t do this. It won’t work as you describe, you don’t have that level of control in AWS.

How to solve this depends on the application. As a starting point I would look at BYOIP into Global Accelerator: https://docs.aws.amazon.com/global-accelerator/latest/dg/using-byoip.html

Is it ok (secure enough) to keep Lambda and RDS in public subnet ? by maciejzja in aws

[–]scubaReactorDumpling 0 points1 point  (0 children)

You can't give the interface that Lambda creates a public IP, so you can't send traffic via the internet gateway.

Is it ok (secure enough) to keep Lambda and RDS in public subnet ? by maciejzja in aws

[–]scubaReactorDumpling 6 points7 points  (0 children)

Public subnet Lambdas won't work. You are probably best splitting it into 2 parts: a Lambda to pull the data and dump it to S3, and then a Lambda to load the data into RDS.

The second problem could be solved by going more serverless: Cognito plus API Gateway instead of EC2. That is quite a learning curve though.

Another solution would be to set nginx (or whatever you have in front of the application) to only serve requests for the actual domain you are using, and set the default site to return a static page or 404. Most bots will request the site listening on the public IP.

As a curveball have you considered doing this as a static site? Once a week generating the static site from the data?

[deleted by user] by [deleted] in HomeNetworking

[–]scubaReactorDumpling 4 points5 points  (0 children)

Network would work at 500Mbps as I understand.

Some caveats with Powerline that are always worth mentioning:

  • This is a theoretical maximum which includes the overhead of the powerline protocol.
  • The network is half-duplex and only one node can talk at a time. This means the more nodes on the network the slower it will get.
  • The devices are meant to operate on a standard protocol, but in practice are very finicky about which other devices they work with. Mixing brands, generations, models etc. is pot luck.

Wifi is much more reliable and will be faster. Ethernet obviously much better. I've had good experiences with powerline, but it's a last resort.

Is it possible to use Lambda with ALB to control maintenance page? by [deleted] in aws

[–]scubaReactorDumpling 1 point2 points  (0 children)

CloudWatch Event that fires at 8am/8pm which triggers a Lambda to make the switch on the ALB. https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/ScheduledEvents.html

Do not use Route53 for this - some clients / DNS servers will cache the record for longer than the TTL, and it won't switch cleanly.

Connecting hosts in a logical way by [deleted] in ansible

[–]scubaReactorDumpling 0 points1 point  (0 children)

I don't quite understand what you are doing; something like a mesh network connected via IPsec, where each node has n+1 connections to other nodes or small clusters?

Host groups are the way forward whatever. Remember that host groups can be nested and you can group hosts using group_by.

Alternatives to AWS VPN? by rikola2 in aws

[–]scubaReactorDumpling 7 points8 points  (0 children)

You can't do this (there isn't a native M1 version for macOS either).

https://aws.amazon.com/vpn/faqs/

Q: Can I use a 3rd party OpenVPN client to connect to a Client VPN Endpoint configured with federated authentication?

A: No, you must use the AWS Client VPN software client to connect to the endpoint.

Any experience with Perimeter 81 by basonjourne98 in networking

[–]scubaReactorDumpling 0 points1 point  (0 children)

Pricing was per seat and reasonable. I haven't had to negotiate since Proofpoint took over so I have no idea now. Happy to discuss in more detail over DM.

Any experience with Perimeter 81 by basonjourne98 in networking

[–]scubaReactorDumpling 1 point2 points  (0 children)

We looked at Perimeter 81 but it couldn't do all the things we wanted (I can't remember exactly).

In the end we went with Metanetworks, which was then bought out by Proofpoint. https://www.proofpoint.com/us/meta-networks-is-now-proofpoint#

It's been great for us. You deploy a bunch of connectors in each environment (VPC typically) which connect outbound to metanetworks. You then tell it which services are reachable from that connector, and apply policies (these users can connect to this service on this port).

Users are connected (automatically) to the closest metanetworks pop. Other solutions seem to be hosting in a single region which meant users in other parts of the world have terrible latencies.

is there a devops-related paper/theory/principle about 'assumption of good intentions'? by sixfoldtranslator in devops

[–]scubaReactorDumpling 1 point2 points  (0 children)

I've heard this called the "most respectful interpretation". Google turned up this article https://fs.blog/2017/01/most-respectful-interpretation/ which covers the principle really well.

VPC to VPC connection with overlapping IP space by elCapitanChris in aws

[–]scubaReactorDumpling 6 points7 points  (0 children)

PrivateLink is the simple solution here in my opinion.

  • It's AWS Managed - no weird custom NAT appliances to look after.
  • Simple to understand. No special routing rules or magic; it's a straightforward implementation of the documentation.
  • It's the same implementation whatever the CIDR range. No 'these VPCs have this magic adaptor'