Blog
Pull, Don't Push: No Spare Key Under the Doormat (Part 3)
2026-07-1300The last piece of the migration: getting code onto a hardened box from CI without handing the pipeline a key worth stealing. Part three of three on why the deploy pulls instead of pushes, the four dumb layers that box a compromised pipeline into a broom closet, and the packet-filter grant I forgot that left my own deploy knocking on a door it wasn't allowed to open.
linuxci/cdgithub actionstailscaleoidcdockerghcrsecurityself-hostingBarring the Doors: Hardware Keys and Self-Inflicted Wounds (Part 2)
2026-06-2700Locking down the new Rocky Linux host with sysctl, fail2ban, and hardware MFA via YubiKeys. Part two of three on migrating from CentOS 7 and the afternoon I accidentally disabled my own shields mid-orbit.
linuxrocky linuxhardeningsysctlfirewalldfail2banyubikeymfasysadminself-hostingvps01 is dead. Long live Radar. (Part 1)
2026-06-1900A two-years-past-EOL CentOS 7 box was quietly running my password vault, container registry, and the LDAP directory every other machine trusted. Part one of three on putting it down and standing up its replacement: why you regenerate instead of resurrect, picking Rocky 10, containerizing the lot, and the night I locked myself out of two boxes at once.
linuxcentosrocky linuxmigrationdockertailscaleldapsysadminself-hostingNo DB, no libraries, no shell: Over-engineering my personal site for fun and security.
2026-06-1311Why and how, I nuked a standard Next.js setup to build a database-free personal site with zero extra runtime dependencies, using flat files, native Node 24 APIs, and a hardened runtime posture.
securityappsecnextjsnodejsarchitecturegitopsdocker