Yubikey & Raspberry Pi based 2-tier CA with step-ca Jan 19, 2021

Why?

Back when I set up the current iteration of my home network in 2018, I decided I wanted an internal CA, and that I wanted things to be simple. After a bit of looking around, I settled on XCA https://hohnstaedt.de/xca/index.php and got it running in a Debian Buster VM.

I ended up with a well-working internal CA, fully manual, using RSA 4096 keys.

As of today, I still stand by this choice and still consider XCA to be a reasonably good choice for these needs. However, I was unsatisfied by this solution:

...
Some notes on a privacy-minded Pi-Hole deployment Dec 21, 2020

But why?

Pi-Hole logo

There are already a thousand how-tos on the Web about deploying Pi-Hole as a DNS resolver, and I don’t feel like writing yet another one that will be deprecated for some reason in a few months because some parameter has changed somewhere.

Rather, this article gives pointers to other posts I’ve found interesting while setting mine up.

Finding Ad lists

When deploying Pi-Hole 5.2.1, I found out that one of the built-in lists did not exist anymore.

...
unbound DNS-over-TLS forwarding server on Debian Buster Dec 4, 2020

Why write yet another HowTo on unbound?

There are unbound-related HowTos galore, including how to set up DNS-over-TLS for increased privacy. The point of this article is not to go over why it’s important for the privacy-minded.

When setting it up myself in a Debian Buster environment, I stumbled upon several issues.
I’m probably not alone, so I decided to share how to actually get it working properly.

A little bit of context

I believe in sharing actual configuration files that actually work. So, in order for you to understand what’s going on, here is what we’re going to achieve:

...
recoll: Going paperless without getting moneyless Nov 23, 2020

Context

For ages, I have wanted to go paperless. Not that I particularly fear the effects of time on paper, as it can be very cruel to digital media too. My issue was much more pragmatic:

  • Unless you have a very efficient memory and/or a very clever organisation system, quickly finding THAT letter you got from the bank 3 years ago is not always that easy;
  • While I do have the chance to live in a decently vast house, I don’t want to fill it with paper. More precisely, I want what I do keep on paper to fit in one or two binders.

Going paperless involves four things:

...
Site-to-site OpenVPN in unprivileged containers on Proxmox VE 5 Oct 24, 2018

⚠️ Museum post

This post is a piece of history of this blog, imported from older times where practices were different. It remains online for the sake of sharing information, but should not be used at face value anymore.

The plan

I recently acquired a VPS and wanted to link it with my home network using the OpenVPN server I already have in place. This VPS runs Proxmox 5.2 to spawn containers. In this article, I explain how to get OpenVPN working in unprivileged containers and the specifics of a site-to-site link with OpenVPN.

...