Blog

Linstor with DRBD is the simplest path to replicated block storage on a homelab cluster. This post covers partitioning Talos disks, getting Piraeus running on an immutable OS, configuring StorageClasses with sensible DRBD quorum defaults, and wiring up snapshots through external-snapshotter.

Cilium replaces Flannel and kube-proxy on Talos. You get identity-based policies, kernel-level enforcement, packet-level observability through Hubble, the Gateway API for HTTP routing, and L2 announcement so you can expose Services on a bare-metal home network.

Talos Linux is a Kubernetes-only OS — minimal core, system extensions for the rest, and an API for everything. This post covers why I picked it, how I bootstrap a 3-node cluster with PXE, and the configuration files you need to follow along.

Passwords are losing their footing as the primary authentication mechanism. This post explores how cryptographic proof, hardware security keys, passkeys, digital signatures, and attestation are shifting the foundation of digital trust — and what that means for your accounts, your architecture, and Zero Trust.

Implementation guide for creating an ArgoCD cluster that manages its own configuration and updates through GitOps, including repository structure, app-of-apps pattern, and self-healing configuration.

Limit exposure of web applications on Kubernetes using Traefik ingress controller with IP whitelist middleware configuration.

Running Kubernetes on bare metal can be challenging on several aspects. One of those is the use of load balancers. MetalLB is a bare metal load balancer that uses ARP to dynamically create new load balancers using dedicated internal IP addresses.

Hugo is a static website generator that I’ve used to setup this website which is running on an Azure Static Web App. The website is fully automated, including the provisioning of infrastructure on Azure. In this blog post I share how you can setup this yourself using Terraform, SWA CLI, and ofcourse, Hugo.

Application consent policies in Azure Active Directory can be used to delegate tenant-wide user and admin consent to other users, groups and applications. This blog post explains how to configure these policies using the Microsoft Graph REST API including a test case to show how a test user is able to grant admin consent to an application it owns.

Azure App Registrations are often used as system identities that have access to API’s. Microsoft Graph is one of these API’s that are often used and has application roles that are high privileged and can be abused by an attacker to escalate privileges.