Securing data using Vault in a Home Lab

This article is part of the Self-hosted Finances series.

I have several projects running in my Home Lab that now have to store and use sensitive secrets. In my Self-hosted finances series, I developed software to scrape my own bank statements (more on that coming soon). In other projects, I store API keys to manage DNS or even my dedicated servers. These applications all run in Kubernetes, which does support Secrets; however, by default, they are not encrypted and are easily accessible to actors that have access to the K8s API.

Securing MQTT Traffic using cert-manager

I use MQTT in my home lab to connect different Home Lab services like ESPHome, Home Assistant, Node-RED, etc. It’s great because it’s a lightweight way to decouple these services, but by default there’s no security. I can’t prevent a sensor from manipulating another sensor’s data, and I can’t prevent somebody who has network access from monitoring messages. In this post, I’m going to walk through enabling TLS with usernames and passwords or mTLS (Mutual TLS) using cert-manager.

Auto switch between light and dark mode on GNOME

I recently got a Framework laptop and installed Ubuntu on it to give Linux for laptops a chance after using Windows and Mac for work for years. One thing I wanted was to be able to switch between light mode and dark mode automatically depending on the time of day. GNOME had a blue-light filter mode that could automatically turn on, but it didn’t appear to have a way to switch between light mode and dark mode at the same time.

GoDaddy is now blocking API access

I own a few domains and one of those domains is registered at GoDaddy. This is for historical reasons because this domain is on the .es TLD but my preferred registrars, Porkbun or Cloudflare, do not support this TLD. I kept it there mainly because I’ve had it for 10+ years and there were some new identity requirements that I didn’t want to deal with yet. I use external-dns as a tool to automatically take my Kubernetes Ingress resources and register them in my DNS zone.