Hands-on walkthroughs covering Linux sysadmin, server setup, networking, and the occasional hardware rescue. Each one is a real-world scenario, revisited with current context and the details that matter on a first attempt.
A Linux distribution where every package, service, and kernel parameter lives in one configuration file and rebuilds atomically. Install, configure, add a service, roll back — and pin nixpkgs with flakes.
An open-source identity provider for every app you self-host. Docker compose stack, the applications + providers + outposts model, OIDC for Grafana-style apps, and forward-auth for everything else.
Pull a model, run local inference, expose an OpenAI-compatible API. Install on Debian/Ubuntu, GPU detection, the systemd env vars worth knowing, and a working embeddings + Open WebUI setup.
WireGuard data plane with NAT traversal, MagicDNS, ACLs and a coordination server you don't run. Install on Linux + Windows, advertise subnet routes, set up an exit node, turn on Tailscale SSH.
An IPS that parses logs, shares anonymized signals with a community blocklist, and decouples detection from enforcement via bouncers. Install on Debian, scenarios, bouncers, and a Caddy forward-auth example.
Install from the official Cloudsmith repo, write a five-line Caddyfile, get automatic Let's Encrypt certificates and HTTP/3. Reverse proxy, SPA fallback, PHP-FPM, multi-site, and a sane troubleshooting list.
Strong default encryption, content-addressed dedup, and direct support for S3, B2, Azure, and SFTP. End-to-end setup including a systemd timer, the forget/prune lifecycle, and monthly integrity checks.
An ANN index inside Postgres that joins to your existing tables. Schema design, HNSW vs IVFFlat, the three distance operators, and why pgvector beats a standalone vector DB on operational simplicity.
Containers as your own UID, supervised by systemd, declared in .container files. The clean replacement for both podman generate systemd and most docker-compose use cases.
An embedded analytical SQL engine that reads Parquet, CSV, JSON, and Arrow directly. Query files in place, join across formats, attach SQLite/Postgres, and read from S3 without an ETL step.
Astral's drop-in replacement for pip, pipx, poetry, pyenv, and virtualenv — one Rust binary, an order of magnitude faster, with cross-platform lockfiles and Python version management built in.
A JavaScript runtime, bundler, package manager, and test runner in one binary. Node-compatible enough that most apps run unmodified, with much faster install and startup — and a single-binary compile mode for deployment.
An open-source reimplementation of the Tailscale coordination server. Same official Tailscale clients, same WireGuard mesh, but the control plane is on your VPS. Install, ACLs, and client enrollment on Linux/Windows/macOS.
An outbound-only QUIC tunnel from your server to Cloudflare's edge. No inbound firewall rule, no public IP, no NAT punching. Cloudflare Access on top gives you SSO and per-route policies for free.
A Rust reimplementation of the Bitwarden server, compatible with every official client. One container plus a database, ~50 MB RAM. Reverse proxy, SMTP, hardening, fail2ban, and backups end-to-end.
Rancher's lightweight Kubernetes distribution — control plane, kubelet, CNI, ingress, and storage in one ~50 MB binary. ACME-enabled Traefik via a HelmChartConfig, local-path storage, and a working manifest end-to-end.
A LAN-wide DNS ad-blocker that resolves queries directly to the root servers instead of forwarding to Cloudflare or Quad9. Install both, wire them together, add encrypted DNS for clients, and back up the lot.
Stream SQLite's WAL to S3/B2/GCS in near real time. Sub-second RPO, point-in-time restore, no application changes — Postgres-grade durability for the workloads that fit in SQLite.
A Rust backend plus the OS's native WebView produces 5–10 MB binaries with a fraction of Electron's memory. Tauri 2 adds first-class Android/iOS targets and capability-scoped IPC.
End-to-end ZFS root install: dual bpool/rpool layout, native encryption, GRUB or zfsbootmenu, and Boot Environments that turn "I broke the system" into a bootloader pick instead of a recovery procedure.
Open-source photo backup with mobile apps, face recognition, and CLIP semantic search ("blue car at sunset" really works). The full docker compose, reverse-proxy tuning for huge uploads, and ML model trade-offs.
Push to a Git branch, get an HTTPS app on your own server — Nixpacks builds, Let's Encrypt via Traefik, managed Postgres/Redis/MariaDB, scheduled backups, and a 70-plus library of one-click services.
An open-source online CA. ACME-compatible (anything that works with Let's Encrypt works against it), short-lived certs by default, and an SSH host/user certificate authority built in. One trust root for the homelab.
Verified bytecode attached to syscalls, kernel and user-space functions, tracepoints, and perf events. Replaces strace/perf for most "what is this process actually doing" questions at a fraction of the overhead.
Render to static HTML at build time, ship JavaScript only when a component opts in. Islands of React/Vue/Svelte alongside plain Markdown, typed content collections with Zod, and adapters for SSR when needed.
A Gitea community fork that's become the default self-hosted Git in 2026. Single Go binary or container, GitHub-Actions-compatible CI, container + npm/Maven/PyPI/Cargo registries, and a clean migration path from GitHub/GitLab.
One Go binary that speaks the full S3 API on your own disks. Single-node and distributed deployments, IAM users with scoped policies, object-lock for immutable backups, and bucket replication.
Loki indexes labels, not full text — an order of magnitude cheaper than Elasticsearch for the same volume. Promtail ships logs, LogQL queries them, Grafana renders them next to your existing dashboards.
A 14 KB JS library that adds AJAX, partial swaps, and SSE as HTML attributes. The server returns HTML fragments instead of JSON; the page swaps them in. Most admin panels and CRUD apps don't need React after this.
Full Debian/Fedora userlands isolated with namespaces and cgroups, supervised by the host's own systemd. No daemon, no registry — systemctl status, journalctl -M, and machinectl are the whole tool set.
A local-first home automation platform with thousands of integrations. HAOS vs Container vs Core, USB radio passthrough, the first three integrations to add, and the local-LLM voice assistant story.
The canonical lightweight open-source MQTT broker. Install, password auth, TLS, ACLs, bridging, retained messages, and integration with Home Assistant and Zigbee2MQTT.
A command-line LLM coding assistant that pairs with a Git repo. Edit requests become diffs, every change is auto-committed, and the model has a tree-sitter map of the whole codebase. Works with OpenAI, Anthropic, and local Ollama.
One encrypted, audited, role-based store for credentials, certificates, and dynamic database passwords. Install (Vault or OpenBao), unseal, mount KV, write policies, and issue short-lived Postgres creds on demand.
Serialize the diff between two read-only snapshots into a stream; pipe it to another Btrfs target. No rsync-style full-tree scan, no checksum walk — bandwidth is exactly the data that changed. Plus btrbk for scheduling.
A self-hosted NVR for IP cameras with real-time object detection on a Coral TPU, Intel iGPU, or NVIDIA GPU. RTSP ingest, motion zones, MQTT events, Home Assistant integration, and the right hardware choices.
A FreeBSD-based router OS with first-class WireGuard, Suricata IPS, multi-WAN, and a coherent UI. Hardware tier, installation, VLANs for IoT, ACL discipline, and DNSBL ad-blocking on Unbound.
A pull-based TSDB, node_exporter on every host, cAdvisor for containers, PromQL by example, alerting rules with sensible dwell times, and Alertmanager routing to Slack/email/PagerDuty.
A single Haskell binary that turns tables into endpoints, views into reports, functions into RPC, and row-level security into authorization. Most CRUD APIs collapse to a 50-line SQL schema.
The NTP daemon that replaces systemd-timesyncd and ntpd. Continuous clock discipline, fast recovery from suspend, NTS over Cloudflare, LAN time-server mode, and Prometheus-friendly drift alerts.
Drop scans, PDFs, photos, or emails in and get a full-text-searchable, tagged document archive. Docker compose, consume folder, mobile scan workflow, Tika for Office docs, and a one-command export for backups.
A visual workflow engine with 500+ integrations, branching, code nodes, schedules, and webhooks. Connect SaaS to SaaS — or pair with local Ollama for AI agents that don't leave the LAN.
The Rust-based polyglot version manager that replaces nvm, pyenv, rbenv, jenv, asdf, and direnv. Per-project versions for Node/Python/Ruby/Go/Java, plus tasks and per-directory env.
One database for IPs, prefixes, VLANs, devices, racks, cables, and circuits. Stable REST + GraphQL API so Ansible / Terraform / observability tools can rely on it instead of spreadsheets.
A Little Snitch-style firewall for Linux. Every new outbound connection prompts per-process and per-destination; rules accumulate into a knowable allow-list. Tame surprising "phone home" traffic on a Linux desktop.
A Rust mail-server stack that ships as one binary — SMTP, JMAP, IMAP, sieve, anti-spam, DKIM/SPF/DMARC, S/MIME — covering what used to take Postfix + Dovecot + SpamAssassin + OpenDKIM. DNS, TLS, deliverability tips, and the honest "should I self-host email" check.
A clean self-hosted alternative to UptimeRobot / Pingdom. HTTP, TCP, ICMP, DNS, push, and database monitors; 90+ notification channels; pretty status pages; SSL-expiry alerts; works alongside Prometheus.
Declarative continuous-delivery driven by a Git repo. Install, your first Application, the app-of-apps pattern for fleets, Helm/Kustomize sources, External Secrets for sensitive values, and OIDC SSO via Authentik.
Rust-rewritten replacements for grep / find / cat / ls / cd, plus fzf as the universal fuzzy picker. Faster, saner defaults, gitignore-aware — and they coexist with the originals so nothing in your scripts breaks.
The ~/.ssh/config patterns that turn SSH from a tool into a fabric. ProxyJump for bastions, ControlMaster for fast multiplexed sessions, host + user certificate authorities, safe agent forwarding, and audit-friendly sshd defaults.
Host IDS, log analysis, file integrity monitoring, CVE-based vulnerability detection, and CIS-style compliance scans in one open-source stack. All-in-one server, agents on every host, custom rules, and active response.
A Redis- and Memcached-compatible in-memory store written in C++ with shared-nothing per-core threading. Same RESP protocol, same clients, often 5–25× more ops/sec per machine, and a notably smaller per-key memory footprint.
One binary that receives traces, metrics, and logs in any format, applies processing (sampling, redaction, batching), and exports to any backend. The right shape for observability you don't want to rewrite next year.
A UDP-based remote shell that survives laptop sleep, IP changes, and packet loss. SSH for the initial auth; from then on it's an SSP-protocol stream with predictive local echo. Great alongside tmux.
Modal editing inspired by Vim and Kakoune, with built-in tree-sitter, multi-cursors, LSP, DAP, and fuzzy file picking — no plugins required. Selection-first model means you always see what you're about to act on.
Schedule containers, raw binaries, JARs, and QEMU VMs across a cluster with a single Go binary. Smaller surface area than Kubernetes, multi-region built in, and friendly to non-container workloads.
A PostgreSQL extension that adds automatically-partitioned hypertables, columnar compression, continuous aggregates, and retention policies. Keep ten years of sensor / metric data in plain SQL.
The display-filter language worth learning once. Practical capture filters, tshark one-liners for HTTP / DNS / TLS / TCP-analysis, SSLKEYLOGFILE for dev decryption, and remote capture through SSH.
An open-source media server with mobile / TV / browser clients. Library naming conventions, reverse proxy, hardware-accelerated transcoding on Intel / AMD / NVIDIA, per-user permissions, and the *arr companion stack.
A keyboard-driven TUI for Git. Visual hunk staging, interactive rebase without typing the command, cherry-picking from a list, branch management, custom commands. The fastest way from "I want to do X" to "done."
One Go binary with embedded SQLite that gives you auth, a REST + realtime API, file storage, and an admin UI. Define collections, set per-record API rules, plug in OAuth, extend with JS hooks. Prototype-to-production in one process.
A Rust search engine that returns ranked, typo-tolerant results in milliseconds. Index documents, configure ranking rules, drop in the Algolia-compatible React/Vue components, and add hybrid lexical + vector search.
An OLAP database built for "answer a SQL question against very large tables, fast." MergeTree engines, incremental materialized views, Kafka and S3 ingestion, and the query log that's the secret-weapon system table.
A redundant array on commodity disks via mdadm with LVM layered on top for flexible volumes. RAID-level trade-offs, monitoring, periodic scrub, online grow, and the disk-replacement procedure end-to-end.
Interactive TUI for any Kubernetes cluster. Navigate namespaces, follow logs, exec into pods, port-forward, scale and edit resources, run Popeye sanity scans — all from the keyboard, all faster than kubectl.
A cookieless GDPR-compliant analytics tool with a 1 KB script. Self-hosted on Postgres + ClickHouse via docker compose, with a polished dashboard, goals, funnels, and the ad-blocker-resistant proxy mode.
A Notion-style wiki for teams: realtime collaborative editing on Yjs CRDTs, full-text search, OIDC SSO, granular permissions, and a clean editor. Postgres + Redis + S3 storage backend.
Drop-in replacement for Terraform under MPL-2.0. Same HCL, same provider plugins, same state file format — plus state encryption at rest, dynamic provider iteration, the removed block, and OCI-registry-backed modules and providers.
The reliable L4/L7 load balancer behind countless production deployments. TLS termination with HTTP/2 + HTTP/3, backend health checks, sticky sessions, rate limiting, runtime reconfig via Unix socket, and zero-drop reloads.
A Rust multiplexer in the tmux / screen category, with keybindings visible on screen, sane defaults out of the box, and KDL-based layout files for reproducible project bootstraps. Pairs cleanly with mosh and SSH.
A homeserver for the Matrix protocol — federated, E2E-encrypted real-time chat, voice, and video. Identity-domain delegation, federation health, end-to-end encryption, Element web client, and the bridges to every other chat network.
An immutable Linux distribution with no shell, no SSH, no package manager — only an API. The whole node configuration is one YAML; upgrades are atomic A/B partition swaps. Operate clusters without touching a config file by hand.
A fast cross-shell prompt and a modern shell with auto-suggestions, syntax highlighting, and abbreviations. Per-context info (git, language version, k8s context) without 200 lines of bashrc gymnastics.
Agentless configuration management over SSH. Inventories, idempotent playbooks, roles, handlers, Ansible Vault for secrets, dynamic inventory from NetBox / AWS, and the patterns that scale from one server to a thousand.
An eBPF-based CNI that replaces kube-proxy with in-kernel datapath, adds L7 network policies, WireGuard encryption, and Hubble for live flow observability. Install on K3s, run connectivity tests, and explore real-time service flows.
The self-hosted answer to Google Drive + Calendar + Contacts + Docs + Photos. AIO container install, app store apps (Talk, Mail, Office, Photos, Deck), CalDAV/CardDAV well-known endpoints, and performance tuning.
Turn an existing Postgres/MySQL/SQLite schema into spreadsheet, form, kanban, and calendar views, with a REST + GraphQL API auto-generated. Connect to an external database, build views, automate via webhooks.
An open-source authoritative DNS server with pluggable backends, a clean REST API, first-class DNSSEC, and the PowerDNS-Admin web UI on top. Set up a zone, sign it, transfer to secondaries, and harden the daemon.
The reverse-engineered Linux port that boots on Apple Silicon. Run the installer, dual-boot cleanly with macOS, and use the conformant Vulkan GPU driver. Current state of audio, sleep, Thunderbolt, and what's still missing.
The three CLIs every shell user should have for structured-data wrangling. jq for JSON, yq for YAML (multi-doc Kubernetes manifests too), dasel for everything-to-everything. The 10 patterns to actually memorize.
One web UI in front of OpenAI, Anthropic, Google, Mistral, Bedrock, and local Ollama. Multi-user with OIDC SSO, per-conversation file upload with RAG, tool calls and plugins, and cost tracking via LiteLLM.
A self-hosted server for audiobooks, podcasts, and ePubs. Library scanning with cover art and metadata, per-user playback progress sync, automatic podcast episode fetching, and polished mobile apps.
IaC in TypeScript / Python / Go / C# / Java instead of HCL. Same provider ecosystem as Terraform / OpenTofu, but with real loops, types, IDE autocomplete, reusable component classes, and unit-testable infra.
The packet-capture tool that ships with every Unix. BPF filter syntax, common filtering patterns, capture to pcap for later analysis in Wireshark, and the "what's actually on the wire" mental model that solves most network bugs.
The missing piece for bare-metal K8s — type: LoadBalancer services that actually get IPs. L2 mode for the LAN, BGP mode for ECMP across nodes, address pools, per-service IP pinning, and the disable-servicelb gotcha on K3s.
A self-hosted LLM frontend organized around document workspaces. Drop in PDFs / sites / Confluence / Notion / audio, get a chat that answers from those documents with inline citations. Works with OpenAI, Anthropic, local Ollama, and more.
A clean self-hosted RSS / Atom aggregator. OPML import, full-text extraction for excerpt-only feeds, Fever + Google Reader API compatibility so every modern RSS mobile app works against it, plus the RSS-Bridge sidecar.
A 2 MB pooler that multiplexes thousands of app connections onto a small backend pool. Session / transaction / statement pooling, the gotchas around prepared statements and LISTEN/NOTIFY, and SCRAM authentication.
A ~$100 Raspberry Pi setup that gives full BIOS-level remote access: video, keyboard, mouse, mountable virtual ISO, ATX power control. The IPMI / iDRAC / iLO equivalent for consumer hardware that doesn't have one.
Code → save → see the change running in K8s in under 5 seconds. File watching, image rebuild + live-update into running pods, live dashboard. The missing piece between "build and apply" and "actually iterate."
An open-source web-based design tool that runs on your own server. SVG-native files, real-time collaboration, components and libraries, design tokens, prototypes, a plugin API. The only Figma-class option that isn't a SaaS.
Horizontally-scalable SQL on Raft + range-sharded KV, with the Postgres wire protocol. Multi-region active-active, strict serializable transactions, online schema changes. Bootstrap a 3-node cluster and migrate from Postgres.
A Rust task runner with Makefile-shaped syntax, minus the tabs-vs-spaces footguns. Recipes, parameters, dependencies, dotenv loading, OS-conditional logic, and a friendly --list. Migrate from Make in 10 minutes.
Raw throughput with iperf3, but the number that matters more — latency under load (bufferbloat) — with flent's RRUL test. Read the output the way it was meant to be read, then fix bufferbloat with CAKE / fq_codel.
A tiny Go-based monitoring system: one hub + one agent per host, clean web UI, Docker container metrics built in, email/webhook alerts. ~30 MB RAM per host. The right pick when Prometheus + Grafana is genuinely too much.
A drop-in Kafka API replacement in C++. No JVM, no ZooKeeper, no separate Schema Registry. Lower P99 latency, smaller footprint, native S3 tiered storage. Most existing Kafka clients work unchanged.
A tiny Go binary that does pub/sub, request/reply, work queues, persistent streams, KV buckets, and S3-like object storage on one connection. Microseconds of LAN latency; trivially debuggable text-based protocol.
An orchestrator that models data assets — tables, ML models, dashboards — as first-class, not the tasks that produce them. Software-defined assets, type-checked I/O, partitioned data, automation conditions, first-class dbt support.
Timer units, OnCalendar syntax, RandomizedDelaySec for fleet-wide staggering, Persistent= for missed-run catchup, template instances, sandboxing, and journal-integrated logging that makes failures actually visible.
A lightweight self-hosted npm registry that's also a caching proxy for the public registry. Scoped private packages, htpasswd/OIDC auth, CI-friendly tokens. Five minutes from zero to a working internal registry.
A 3-node Postgres cluster with automatic leader election, synchronous replication, and clean failover via Patroni + etcd, fronted by HAProxy for transparent client routing. Plus WAL-G to S3 for point-in-time recovery.
A Go binary that manages your dotfiles in Git, templated per-machine, with native secret integration (1Password, Bitwarden, Vault, KeePassXC). One repo, many machines, OS-conditional configs, secrets that never enter Git.
Why your printer is reachable at printer.local and how to make every Linux box on the LAN do the same. Avahi setup, mDNS host publishing, DNS-SD service discovery, and the .local + corporate-DNS pitfalls.
Install + configure WSL 2 properly: the .wslconfig settings that matter, systemd, mirrored networking, GPU passthrough for ML, why source code belongs in the Linux filesystem (not /mnt/c), and SSH-into-WSL.
Each scheduled task pings a unique URL on success; if a ping doesn't arrive in the expected window, you get alerted. The fix for "the backup script has been broken for three weeks and nobody noticed." Plus runitor for one-line wrappers.
A self-hosted proxy that turns 100+ LLM providers into one OpenAI-compatible endpoint. Centralized keys, per-team budgets and rate limits, fallback chains, cost tracking. The right place to put your org's LLM bill.
Run Ubuntu in Fedora, Arch in Debian, RHEL in NixOS — with $HOME mounted, GUI apps passed through to the display, and host commands exportable. Containerized distros without the isolation overhead.
cephadm bootstraps a 3-node cluster from one command. RBD block, CephFS POSIX filesystem, and S3-compatible RGW from the same pool. Self-healing replication; the storage layer for serious homelabs.
A SQLite-backed replacement for shell history with fuzzy search, per-directory + per-machine context, and E2E-encrypted sync via a self-hosted server. Yesterday's command from another laptop is now searchable here.
Stop committing base64-encoded secrets to Git. ESO syncs from Vault / AWS Secrets Manager / 1Password / Bitwarden / Azure Key Vault into native K8s Secrets. The right secrets shape for GitOps.
Rust-based service mesh that adds mTLS, retries, traffic splitting, L7 metrics, and per-server authorization with a tiny per-pod sidecar. CNCF-graduated, much simpler than Istio. The right pick for most teams that want mesh benefits.
A Go binary that runs pre-commit / pre-push / commit-msg checks in parallel, per-language, with per-file filtering. Faster than pre-commit, simpler than husky, no Python or Node runtime dependency.
The classic deduplicating-backup pattern with rsync + hard links. Each snapshot looks like a full copy; unchanged files share inodes. No external tool, no encrypted format — just standard Unix you can restore with cp forever.
Give a vendor / customer / third party file access to one directory via SFTP with no shell, no SSH commands, no escape. The Match Group recipe, the unforgiving ChrootDirectory ownership rule, pubkey auth, and the pattern that doesn't bite later.
GPU inference server with continuous batching, PagedAttention, structured output guidance, prefix caching, and 5-20× the throughput of Ollama on the same hardware. The right shape for serving LLMs at production scale.
The de-facto way to install and upgrade applications on Kubernetes. Charts, values overrides, templating, hooks, the OCI distribution model, plus when to reach for Kustomize instead. Required ops vocabulary.
Admission control without writing Go or learning Rego. Validate / mutate / generate / verify-images all in pure YAML. CNCF-graduated; the simpler counterpart to OPA Gatekeeper.
Expose a disk over TCP/IP so a remote client treats it like local. Linux LIO target + open-iscsi initiator, CHAP auth, multipath for HA, and the concurrent-mount caveat that bites people the moment they try to share one LUN.
The default stub resolver on most Linux distros now. Per-link DNS, DoT to public resolvers, in-process caching, mDNS, split-DNS for VPN scopes. Plus how to actually debug when /etc/resolv.conf is a symlink to a stub.
Declare a project's dev environment in JSON — Node 22, Python 3.13, Postgres 16, ripgrep — and devbox wraps it in a pinned Nix shell that activates on cd. Same versions across every laptop, no Nix syntax required.
Debian-based hypervisor with KVM for VMs, LXC for containers, ZFS / Ceph / NFS storage, a clean web UI, and clustering for HA. Install, configure storage, build VMs and templates, plus ZFS replication for cheap-HA without Ceph.
Auto-PRs for npm / pip / Cargo / Go / Docker / Helm / Terraform / GitHub Actions across 60+ ecosystems. Self-host against GitHub / GitLab / Gitea; group, schedule, automerge with merge-confidence.
Built into kubectl -k. Base manifests + per-environment overlays with patches; no Go templates, no {{ }}. The right shape for "small number of envs with a few diffs each" — or paired with Helm via helmCharts:.
A ~200 KB binary that does DHCP, DNS forwarding, TFTP, PXE booting, IPv6 RA, and DNS hijacking. The thing inside OpenWrt routers, Pi-hole, libvirt, and most embedded gear. Configure LAN DHCP + local-DNS with one config file.
Back up cluster state + persistent volumes to S3 / MinIO. CSI snapshots or file-level copy via Kopia / Restic. Restore, schedule, migrate clusters. Plus pre/post hooks for quiescing databases mid-backup.
The community fork of LXD: system containers (full distros) + KVM VMs from one CLI, on any Linux distro — no dedicated hypervisor OS required. Snapshots, profiles, clustering, live migration.
Smallstep's open-source CA: short-lived TLS for internal services, mTLS client certs, plus first-class SSH user / host certificates. ACME-compatible — existing cert-manager / Caddy / certbot clients work unchanged.
A small, modern encryption tool by Filippo Valsorda. Encrypt to passphrase, an age public key, or directly to someone's SSH public key from GitHub. Pairs cleanly with SOPS for in-Git secrets.
Go-based load tester with JavaScript test scripts. Thresholds-as-assertions, scenario-based load shaping, native Prometheus / InfluxDB export. The modern wrk + Locust replacement in 2026.
Network-Bound Disk Encryption: LUKS volumes auto-unlock at boot if (and only if) a Tang server on the LAN is reachable. Stolen drive can't decrypt off-network; rack reboots still unattended.
CNCF-incubating cost tool: real $$ per pod / deployment / namespace / label, with cloud-provider pricing or a custom price book for on-prem. Prometheus metrics + web UI + API for per-team chargeback.
A lightweight self-hosted notes app: timeline-style memos with markdown, tags, links, attachments. One Go binary + SQLite; iOS/Android apps; clean Twitter-shaped UI for thought capture without ceremony.
CNCF-graduated runtime threat detection. eBPF-tapped syscalls fed through declarative rules: shell-in-container, suspicious file access, crypto-miner names, privilege escalations. Real-time alerts via Falcosidekick.
One unified tool for IPv4 / IPv6 / ARP / bridge filtering. Named sets for O(1) lookups, atomic ruleset replacement, saner syntax than iptables. The right thing to write fresh Linux firewall rules in.
One command. mkcert creates a local CA trusted by your machine + browsers, then issues valid certs for any hostname. No more "Your connection is not private" warnings on local HTTPS dev.
systemd's built-in lightweight container runtime. Boot another distro's userspace in a namespace, manage with machinectl, no extra runtime to install — it's already on every systemd Linux.
A small Go CI system (community Drone fork). YAML pipelines, container steps, server + N agents, Kubernetes backend optional. Default CI for self-hosted Git forges in 2026.
Read SMART attributes from any disk (HDD, SATA SSD, NVMe), schedule self-tests, run smartd to email warnings before drives die. The thing that should be on every homelab box; the attributes that actually predict failure.
A Prometheus drop-in replacement — 10x denser compression, faster queries on long ranges, native multi-tenancy, optional cluster mode. Same scrape configs, same PromQL (plus MetricsQL extensions).
A local stub resolver that encrypts every query upstream via DNSCrypt v2 / DoH / DoT / Anonymized DNS. Curated resolver list, per-domain forwarding, blocklists, and DNS-level privacy on hostile networks.
CNCF-graduated job + DAG orchestrator running entirely as Kubernetes CRDs. Each step is a container; templates compose into multi-step workflows with parameters, artifacts, retries, conditionals. Used for ML, CI, ETL, batch.
Keyless signing via OIDC identities (GitHub Actions, etc.) and public transparency log. Sign images, blobs, attestations and SBOMs; verify via Kyverno admission policies. The standard for supply-chain integrity in 2026.
Markdown notes where every page is also a database row. Frontmatter, hashtags, embedded query blocks for dynamic tables. TypeScript plugin system. The closest thing to self-hosted Obsidian for power users.
PowerShell Core runs natively on Linux + macOS. Object pipelines instead of text streams, real types, .NET access, plus the canonical tool for managing Windows / Azure from a Linux host. Worth knowing alongside bash.
krew is the official kubectl plugin manager. Install ctx + ns + neat + tree + node-shell + view-secret + sniff and kubectl stops being a verbose log-spammer. The must-have plugins after one hour of adoption.
The community fork of Gitea. A small Go binary that hosts repos, issues, PRs, packages, releases, an OCI registry, and CI via Forgejo Actions (GitHub-compatible). Install in 10 minutes on hardware that fits in your hand.
Canary, blue-green, weighted traffic, automatic rollback on metric regression. Drop-in replacement for Deployment as a Rollout CRD; integrates with Istio / Linkerd / Cilium / nginx for actual traffic shaping.
Wraps SQLite in a Raft cluster: 3+ nodes synchronously replicate writes; strong consistency; HTTP API; multiple language clients. Between Litestream's "one writer + replication" and Postgres's heft. The right size for HA config / control-plane data.
Mainline-merged CoW FS with ZFS-style features (snapshots, checksums, compression, encryption) plus built-in tiered storage: small fast SSD transparently caches a large slow HDD pool. The current 2026 stability picture + where it fits vs ZFS / Btrfs.
Self-hosted "save this for later" with full-content extraction, full-page screenshots, OCR on images, and LLM auto-tagging. Mobile apps + browser extensions + REST API. The Pocket-replacement for self-hosters.
The traces piece of the Grafana stack. Ingest OTLP / Jaeger / Zipkin spans, store on S3 / MinIO, query via TraceQL. Auto-generates span metrics + service graphs as a free observability bonus.
Properly-typed, role-separated CRDs (GatewayClass, Gateway, HTTPRoute / GRPCRoute / TCPRoute) replacing annotated Ingress YAML. Portable across implementations. First-class gRPC + TCP + TLS routing.
Rust S3-compatible store designed for asymmetric, geo-distributed deployments. Replicate buckets across 3 cities over regular internet, with WAN-friendly semantics. Between MinIO (LAN-first) and Ceph (heavy ops).
FUSE filesystem that replicates SQLite databases across nodes. Single-writer + N read replicas in N regions; local reads, sub-second lag; lease-based leader election. The Fly.io-popularized pattern for read-heavy SQLite at scale.
Open-source Tailscale-shaped mesh: self-hostable control plane, OIDC SSO first-class, group-based ACLs, NAT traversal coordinated by signal server. Clients for every major OS. The right size for mid-team self-hosted mesh.
Self-hosted notes in a tree, with attributes + relations forming a graph on top. Code notes that execute against the database. Templates, per-note encryption, desktop + server sync. The powerful end of personal knowledge bases.
Small Go-based log DB; ~10x smaller than Elasticsearch / 3-5x smaller than Loki on the same data. LogsQL pipeline queries with extract / stats / top operators. Ingest via Loki / OTLP / Elasticsearch bulk / syslog / JSON.
NFSv4 fixed v3's pain: single TCP port, real ACLs, Kerberos, stateful locking. The canonical Unix-to-Unix file share. Server-side exports, client mounts, performance tuning, the v4.2 features worth knowing.
Give a service a reachable .onion address without public DNS, public IP, or open firewall ports. E2E encrypted; useful behind CGNAT. Vanity addresses, client-auth-gated private services, when to use it vs Cloudflared tunnels.
Per-session access to specific targets instead of "VPN into the network and SSH anywhere." Vault-minted short-lived credentials, OIDC at the front, per-session audit log. Targets never need public IPs.
The canonical Linux SMB server for mixed-OS LANs. SMB 3.x default, per-user auth, vfs_fruit for macOS metadata + Time Machine targets, Avahi advertisements for Finder discovery. The modern config without 1990s baggage.
User home directories as encrypted LUKS images / btrfs subvolumes / fscrypt dirs that you can move between machines. FIDO2 / smart-card auth, recovery keys, the user record carrying its own metadata. Modern Linux home dirs done right.
A small Go OIDC IdP that doesn't store users — federates to upstream backends (LDAP / GitHub / SAML / Google / Microsoft). The canonical kubectl-OIDC bridge; vastly lighter than Keycloak / Authentik when you already have an IdP.
Synchronous certification-based replication across 3+ nodes. Every write-set is certified on all nodes before commit; reads + writes from any node; the cluster stays writable as long as a majority (quorum) is up, so losing one node of three keeps it running. The canonical HA MariaDB / MySQL setup when Postgres isn't an option.
The tail -f for Kubernetes that kubectl logs should have shipped with. Tails N pods matching a label / regex, color-codes per pod, auto-follows new pods during rollouts. Live-debugging without writing scripts.
A small Go SSO portal that integrates with nginx / Traefik / Caddy / HAProxy via forward-auth. Apps stay unmodified; Authelia handles login + TOTP / WebAuthn / Duo + per-resource access rules. Optional limited OIDC mode.
The elder of data orchestration. Python DAGs, the scheduler, the largest operator ecosystem (every cloud / DB / SaaS), CeleryExecutor / KubernetesExecutor for scale. Still the canonical pick for "scheduled batch across many systems."
CZ.NIC's authoritative DNS. Single C binary, file-based zones, automatic DNSSEC key rollover, catalog zones for many domains, kdig as a saner dig. The PowerDNS alternative that prefers zone files over a database.
Rust-based observability pipeline: sources / transforms / sinks composed in TOML. VRL (Vector Remap Language) for fault-tolerant in-flight log shaping. Faster than Logstash / Fluentd; lighter than the OTel Collector for log-heavy pipelines.
Go-based LAN DNS ad-blocker with native encrypted-upstream support, per-client policies, parental controls, integrated DHCP. One binary, polished web UI. The smoother fresh install for self-hosted DNS blocking in 2026.
Swap the lsphp binary behind the LiteSpeed SAPI App. Three-click webadmin change, plus why a hard reboot is worth the two minutes.
Convert an existing root filesystem to Btrfs without reinstalling. Includes fstab/UUID updates, rebuilding GRUB from a chroot, and optional Snapper-based automated snapshots.
A reference sysctl.d drop-in for TCP throughput: window scaling, MTU probing, TCP-Illinois congestion control, sane buffer sizes. What each knob does and when not to set it.
Let the host talk directly to VM guests on a shared subnet. QEMU bridge helper, libvirt polkit rule, virbr0 setup — and what actually needs root.
From apt install python3 to a working scraper: virtualenv, geckodriver, login flow, pagination, and the modern Selenium 4 API (which deprecated find_element_by_*).
Amazon Linux doesn't enable unattended security updates by default. A short walkthrough of yum-cron, versionlock, and why AL2023 needs the dnf variant.
A minimum-viable S3-as-a-filesystem setup on Ubuntu. When it's the right tool, when rclone mount is better, and how to make it survive a reboot.
The original Linux Teams client is long deprecated — here's what to do now (PWA / teams-for-linux), plus why pavucontrol is still the fastest fix for device-selection gremlins.
The default debugger view hides the real fields of a collection. One settings toggle reveals them — indispensable when you've written your own Map or List.
Streisand turns a raw VPS into a multi-protocol VPN in one Ansible run. How to use the sensible subset (OpenVPN + optional WireGuard) and connect a Windows client.
DISM, SFC, long-path support, Windows Store recovery, memory-compression toggle — a collection of one-shot fixes for the weirdness that accumulates in long-lived Windows installs.
When GitLab is too heavy, GitBucket is often the right fit — one .war file, JVM-native, runs happily behind an OpenLiteSpeed reverse proxy. Full setup including SSL and systemd.
When the accelerometer is mounted in an unusual orientation, GNOME ends up rotating the screen the wrong way. A hwdb drop-in with the right mount matrix fixes it for good.
Run GitLab alongside an existing OpenLiteSpeed site without fighting its bundled nginx/puma. External URL, shared Let's Encrypt cert, proxy context — the working path after two days of wrong paths.
Debian's packaged Ruby is too old for most Rails apps. rbenv + ruby-build gives you any version you want, and the OpenLiteSpeed LSAPI shim lets it serve fast without nginx in front.
For server migrations, lftp mirror over SFTP is far simpler than tar-over-SSH or rsync — it resumes, parallelizes, and handles pickup after a dropped connection. A one-page reference.
Last-resort revival for an ASUS laptop that won't POST. SOIC-8 test clip, AsProgrammer, reading an MX25L12873F, and why the vendor's official BIOS file won't work directly.
Why Windows ends up with a single boot-loader across drives, and the exact bcdboot / diskpart sequence that rebuilds it on the correct disk when things go sideways.
A sensible HSTS / CSP / X-Frame-Options / Referrer-Policy baseline applied via a vhost Context. Scores A+ on securityheaders.com and explains what each header actually defends against.
OneDrive has no official Linux client. rclone's OAuth flow, VFS cache modes, and remote-auth trick for headless servers — everything you need to get files off a dying free tier.
A four-command quickstart, plus the real reason Flatpak matters on server desktops: sandboxing, an up-to-date browser on old distros, and zero interference with the system package manager.
Keypair generation, iptables MASQUERADE, full-tunnel routing from a Windows client. Straightforward modern setup — no wg-easy, no UI, just a config file you can actually read.
A complete web-server build from a blank Debian VPS — including the vhost symlink trick, SNI-safe certbot layout, and the forced-HTTPS rewrite rule. My longest tutorial.
A misidentified touchpad, a deadlocked touchscreen, and a rotation matrix that points the wrong way. Two work-days of head-scratching condensed into a recipe that actually works.
XFCE on a VPS, multi-user VNC, an SSH tunnel so the traffic isn't clear-text — and a systemd-era rewrite of the old init.d VNC service script. Plus when to reach for X2Go instead.
The abandoned Windows IP-filter app shipped with an HTTP-only libcurl. Here's the story of rebuilding it against a modern SSL-enabled libcurl — and what to actually use in 2025.