13 posts
PBS gives you dedup + incremental + verify on top of Proxmox VE. Install, wire it as storage, first backup + restore, prune policy. The why and the how.
Run your own Tailscale control plane with Headscale. Docker compose setup, preauth keys, MagicDNS, point clients with --login-server. No vendor lock-in.
Run a Minecraft, Valheim or Palworld server only your friends can reach. Tailscale mesh, MagicDNS, no DDoS surface, no router config.
Lock down RDP on Windows Server — enforce NLA, restrict the firewall to specific IPs, audit failed logons, kill the bot brute-force traffic. The settings I run on every internet-exposed server.
Three legacy protocols still enabled by default on Windows Server that no modern network needs. PowerShell one-liners to disable each, the rare exceptions, and how to verify.
Enable BitLocker on a Windows Server OS volume via PowerShell — TPM unlock, recovery key handling, the boot quirks specific to Server, and how to unlock from WinPE.
Alternative to the Utilman trick — replace sethc.exe to get SYSTEM-level cmd at the Windows lockscreen. When to use it, how to harden against it.
Real backup setup with Restic — encrypted offsite to S3 or self-hosted MinIO, dedup, retention, and the restore-drill that proves your backups actually work.
The GPOs every domain should have — password policy, account lockout, audit, RDP restrictions, SMBv1 / LLMNR / NTLMv1 kill, BitLocker enforcement. The defaults are not enough.
Install Netdata on Ubuntu for per-second server metrics. Install, bind to localhost, SSH-tunnel the dashboard, ship alerts to Discord.
Minimal WireGuard setup on Ubuntu. Server config, one client, UFW rule, QR code for the phone. The version I run on my home-lab jumpbox.
Lock down SSH on Ubuntu: key-only auth, no root login, MaxAuthTries, AllowUsers, fail2ban. sshd_config reference and gotchas.