The pool layout you choose on day one is almost impossible to change without a full backup-restore cycle.…
FreeBSD 15’s pkg repository ships Go 1.25.9, and getting a working Go environment takes about two minutes. This…
FreeBSD ships with pf, jails, and ZFS out of the box, but it won’t serve a single HTTPS…
Ubuntu 26.04 LTS, codenamed “Resolute Raccoon”, is the latest long-term support release from Canonical. It ships with Linux…
Running a server without a SIEM in 2026 is a losing game. Logs scroll past, failed logins pile…
A cert rotation that you can’t see coming is a cert rotation that will page you at 3am…
Every article in this series has delivered one piece: the DNSSEC-signed delegated zone, the wildcard cert, the shared…
Consolidation patterns that depend on good intentions decay fast. One PR at 5pm on a Friday that adds…
SPKI pinning is one of the few certificate-layer controls where the public-CA wildcard pattern from the rest of…
The whole consolidation story so far collapses toward one wildcard cert on a shared LB. For most services…
The default advice for new HTTPS services on GCP is “use a Global External ALB.” It’s usually right.…
On GKE, per-service Ingress plus per-service ManagedCertificate is the path of least resistance. It also scales badly: every…
