I have several projects running in my Home Lab that now have to store and use sensitive secrets. In my Self-hosted finances series, I developed software to scrape my own bank statements (more on that coming soon.) In other projects, I store API keys to manage DNS or even my dedicated servers.

These applications all run in Kubernetes, which does support Secrets, however, by default, they are not encrypted and are easily accessible to actors that have access to the K8s API.

I use MQTT in my home lab to connect different Home Lab services like ESPHome, Home Assistant, Node Red, etc. It’s great because it’s a light-weight way to decouple these services, but by default there’s no security. I can’t prevent a sensor from manipulating another sensor’s data, I can’t prevent somebody who has network access from monitoring messages.

In this post, I’m going to walk through enabling TLS with usernames and passwords or mTLS (Mutual TLS) using cert-manager. Cert-manager supports a mechanism to generate self-signed CA certs that I will use.

I recently got a Framework laptop and installed Ubuntu on it to give Linux for laptops a chance after using Windows and Mac for work for years. One thing I wanted was to be able to switch between light mode and dark mode automatically depending on the time of day. GNOME had a blue-light filter mode that could automatically turn on, but it didn’t appear to have a way to switch between light mode and dark mode at the same time.

Previously, in my Self-hosted finances series, I cleaned and identified transfers in my Mint transactions for the purposes of of importing into Firefly-iii. In this post, I’m going to import the transactions into Firefly-iii.

I own few domains and one of those domains is registered at GoDaddy. This is for historical reasons because this domain is on the .es TLD but my preferred registrar, PorkBun or CloudFlare, do not support this TLD. I kept it there mainly because I’ve had it for 10+ years and there were some new identify requirements that I didn’t want to deal with yet.

I use external-dns as a tool to automatically to take my Kubernetes Ingress resources and register them in my DNS zone. This tool would use the GoDaddy API to create, edit, and delete the DNS records automatically for me and point them to my own servers. Sure, I could do this myself because I don’t have that many records, but automation is fun.