Last month I migrated two production clusters from GitHub Actions-only deployments to a hybrid GitOps setup with ArgoCD. The trigger? A misconfigured workflow secret that exposed an AWS key for 11 minutes before our scanner caught it. Nothing happened — this time. But it made me rethink how we handle… Read more →
Security, DevOps & Trading Tech — Practical Guides
-
I Built a CSS Gradient Builder Because Every Existing One Annoyed Me
Last Tuesday I needed a conic gradient. Not a linear one, not a radial one — specifically a conic gradient for a loading spinner I was building. I opened three different gradient generators. None of them supported conic gradients. The ones that did were buried under ads, tracking scripts, and… Read more →
-
Secure TrueNAS Plex Setup for Your Homelab
Learn how to set up Plex on TrueNAS with enterprise-grade security practices tailored for home use. Protect your data while enjoying smooth media streaming. TrueNAS and Plex The error message was cryptic: “Permission denied.” You just wanted to stream your favorite movie, but Plex refused to cooperate. Meanwhile, your TrueNAS server was… Read more →
-
Stop Ngrok Tunnels: Enterprise Security at Home
Learn how to securely stop Ngrok tunnels using enterprise-grade practices scaled down for homelab environments. Protect your home network with these practical tips. Understanding Ngrok and Its Security Implications Did you know that over 60% of homelab enthusiasts use Ngrok to expose local services to the internet, but few take the time… Read more →
-
Free VPN: Cloudflare Tunnel & WARP Guide (2026)
TL;DR: Cloudflare offers two free VPN solutions: WARP (consumer privacy VPN using WireGuard) and Cloudflare Tunnel + Zero Trust (self-hosted VPN replacement for accessing your home network). This guide covers both approaches step-by-step, with Docker Compose configs, split-tunnel setup, and security hardening. Zero Trust is free for up to 50… Read more →
-
Pod Security Standards: A Security-First Guide
Kubernetes Pod Security Standards 📌 TL;DR: I enforce PSS restricted on all production namespaces: runAsNonRoot: true, allowPrivilegeEscalation: false, all capabilities dropped, read-only root filesystem. Start with warn mode to find violations, then switch to enforce. This single change blocks the majority of container escape attacks. 🎯 Quick Answer: Enforce Pod Security Standards… Read more →
-
ArgoCD vs Flux 2025: Secure CI/CD for Kubernetes
I run ArgoCD on my TrueNAS homelab for all container deployments. Every service I self-host — Gitea, Immich, monitoring stacks, even this blog’s CI pipeline — gets deployed through ArgoCD syncing from Git repos on my local Gitea instance. I’ve also deployed Flux for clients who wanted something lighter. After… Read more →
-
OAuth vs JWT: Choosing the Right Tool for Developers
I’ve implemented both OAuth and JWT in production systems across my career—from enterprise SSO rollouts to lightweight API auth for side projects. The single most common mistake I see? Treating OAuth and JWT as the same thing, or worse, picking one when you needed the other. They solve different problems,… Read more →
-
Secrets Management in Kubernetes: A Security-First Guide
Secrets Management in Kubernetes 📌 TL;DR: Kubernetes Secrets are base64-encoded, not encrypted. Enable etcd encryption with aescbc, use External Secrets Operator to sync from Vault or your cloud KMS, set RBAC to restrict Secret access per namespace, and rotate credentials on 24-hour TTLs with Vault dynamic secrets. This is the exact… Read more →
-
PassForge: Building a Password Workstation Beyond One Slider
I was setting up a new server last week and needed twelve unique passwords for different services. I opened three tabs — LastPass’s generator, Bitwarden’s generator, and 1Password’s online tool. Every single one gave me a barebones interface: one slider for length, a few checkboxes, and a single output. Copy,… Read more →