Secure DNS Networkd Resolved

This article will be very similar to Integrate Dnscrypt-proxy with a Home DNS Server, with the main difference that instead of using Dnscrypt-proxy to forward DNS queries to your preferred DoH nameserver, I will use systemd-resolved. At the moment, systemd-resolved only supports DoT (DNS over TLS). Support for DoH is still under development (issue #8639). Configure systemd-resolved Make sure it’s running and that /etc/resolv.conf points to it. sudo systemctl enable --now systemd-resolved Symlink /etc/resolv.conf to the stub resolver: ...

August 23, 2025 · 4 min · Daniel

Arch Post Install

I decided to buy a new laptop, so it is time to perform a new installation of Arch. In the past I already installed it from scratch, trying to fine-tune every single setting; it was really fun, but this time I will opt for a more relaxed approach and use Archinstall. Because I would like to use different technologies, I will first test my installation in VirtualBox, leveraging the installation over SSH as I explained in a past article, Install Arch with SSH ...

August 23, 2025 · 5 min · Daniel

Mikrotik - Tunnelbroker with Route64

For learning purposes, I started looking into IPv6. First, I enabled a Unique Local Address subnet to leverage K3s dual-stack on my Home Cluster. Then I thought it would be cool to be able to connect to my home from abroad, so I started investigating VPNs. It is at this point that I discovered that my ISP currently only offers IPv4 behind CGNAT for mobile devices (my Mikrotik connects to the internet over LTE). Surfing the web, I learned that a tunnel broker is a service that provides IPv6 connectivity over an existing IPv4-only internet connection by encapsulating IPv6 traffic inside IPv4 packets. ...

August 18, 2025 · 4 min · Daniel

Troubleshooting Longhorn Slow Startup

In my K3s home cluster, I use Longhorn as the storage engine for my stateful workloads. Since I’m just starting out and shutting down the cluster every day (to save on my power bill), I’ve noticed that Longhorn takes a long time to be ready, with a messy startup involving a lot of errors and pods going into the CrashLoopBackOff state. Spoiler: It’s always DNS :) Troubleshooting I decided to take a look, so I began my troubleshooting journey by analyzing one of the affected pods. ...

July 13, 2025 · 4 min · Daniel

From iptables to nftables with Docker

This blog post was initially intended to explain how to migrate from iptables to nftables — there are plenty of similar posts all over the internet. However, I soon realised that I was also running Docker on my laptop, which still does not natively support nftables at the time of writing. I therefore decided to write a dual-aim article: switching to nftables and allowing Docker containers to access the network. Disable iptables To fully transition to nftables and prevent conflicts, it’s important to stop and disable the legacy iptables services. You can do this with the following commands: ...

June 20, 2025 · 3 min · Daniel

Home K3s Cluster: My Journey Into Self-Hosting & Automation

Why I Did It At first, this was a learning project. I wanted to understand the real nuts and bolts of Kubernetes — not just on paper, but on actual, bare-metal hardware in my home. But over time, it became something more. It became my platform — the place where I host the things I care about, where I experiment, where I break things and fix them again. What I Wanted To learn how things really work under the hood To automate everything — no clicking, no guesswork To host my own services with security and flexibility in mind To power things down when I don’t need them, and boot them up instantly when I do What I Built The stack is simple but powerful: ...

June 1, 2025 · 2 min · Daniel

Let’s Encrypt Certificates with SWAG Docker Swarm

Having worked out how to handle TLS traffic on my K3S setup, it is time to achieve the same goal on Docker. In this guide, I’ll show you how to set up a Raspberry Pi running Docker Swarm, SWAG (Secure Web Application Gateway), and Let’s Encrypt to secure your containerized applications with free TLS certificates. While I’ll use Jellyfin as an example, this approach works for most containerized applications. Getting started Prerequisites A Raspberry Pi with Docker and Docker Swarm. A public domain managed, for example, by Cloudflare. Containerized applications, such as Jellyfin, running on Docker. SWAG to handle reverse proxy and TLS certificates. Folder structure All my Docker containers’ data is stored on a BTRFS volume under /opt/my_pool, where I have created a folder for each container and the nas-stack.yml file with all the Docker instructions. ...

October 7, 2024 · 7 min · Daniel

Let’s Encrypt certificates with Traefik

In this article, we’ll look at using Traefik in K3S alongside cert-manager to act as an ACME (Automatic Certificate Management Environment) client for acquiring certificates from Let’s Encrypt. In order to obtain certificates, it is necessary to prove domain ownership to a Certificate Authority (CA). One method of verifying ownership is through a DNS-01 challenge. For this guide, we will use Cloudflare as our DNS provider, but the principles outlined can easily be adapted for use with other DNS providers. ...

September 1, 2024 · 4 min · Daniel

Mikrotik OpenTofu - Part #1

This is the first part of my MikroTik and OpenTofu series, where I will explain my old and current setup and answer a lot of questions about why. Old setup Many, many years ago I decided to abandon the traditional two-pair wiring hDSL (most widespread, at least in Switzerland) because I was bored of paying the electrician at each house change due to the required changes on the building telephone panel. To cut a long story short, I chose the LTE modem for its versatility; I have no need for high performance and therefore did not choose fibre optics. ...

August 4, 2024 · 3 min · Daniel

Integrate Dnscrypt-proxy with a Home DNS Server

I recently bought a MikroTik router and I’m spending a lot of time configuring it and trying to understand/learn as much as I can (some posts coming in the near future). With the new router I would like to go a step further and set up some static DNS entries within my home for my devices and for my lab. In this post we will: Prevent dhcpd and NetworkManager from overwriting /etc/resolv.conf Configure Dnscrypt-proxy to use Quad9 with DoH Use the Dnscrypt-proxy forwarding feature to resolve hostnames of home devices Manually configure /etc/resolv.conf Configure dhcpd By default, dhcpd obtains nameservers from the DHCP server and configures them in /etc/resolv.conf. If you are a frequent traveller, this means that you will use whatever name servers are configured on the networks you connect to, with some potential security threats (MitM, DNS spoofing/hijacking and privacy risks). To avoid this, we will configure dhcpd to ignore the DNS servers received from the DHCP server and always use Dnscrypt-proxy listening on localhost:53. ...

July 31, 2024 · 3 min · Daniel