Category Archives: Security

AWS: ALB and Cloudflare – Configuring mTLS and AWS Security Rules

16 March 2026

While preparing the infrastructure for migrating RTFM from the DigitalOcean server to AWS (see AWS: basic infrastructure setup for WordPress) I decided to also try AWS ALB mutual authentication (for some reason I thought this feature launched at the last re:Invent, at the end of 2024, but it’s actually been around since late 2023 –…

MikroTik: WireGuard VPN Setup and Linux Peer Configuration

14 March 2026

Another one of the many nice features of MikroTik – built-in WireGuard support (although even cheap TP-Link Archers have it). In my setup, the MikroTik RB4011 acts as a “VPN Hub” – all clients connect to it and are united into a single network, and the role of VPN is slightly exaggerated is genuinely important…

SSH: sshd hardening on FreeBSD and Linux, and 1Password integration

29 December 2025

It is time to tidy up SSH on FreeBSD itself and on the clients – laptops running Arch Linux, as I am still using password authentication on my home machines. Actually, the settings described below are specific neither to FreeBSD nor to Linux, as the SSH server is the same on all systems (OpenSSH_9.9p2 on…

FreeBSD: Home NAS, part 3 – WireGuard VPN, Linux peer, and routing

25 December 2025

I am continuing to set up my home server on FreeBSD 14.3, which is intended to serve as a NAS. In the previous post, FreeBSD: introduction to Packet Filter (PF) firewall, we got acquainted with firewalls; the next step is to configure a VPN for access. The main idea is to (finally!) connect my “office”…

FreeBSD: Home NAS, part 2 – introduction to Packet Filter (PF) firewall

24 December 2025

I’m continuing to gradually set up my home NAS on FreeBSD, and the first thing I want to dive into is FreeBSD firewalls. I used to work with IPFW back in the day – FreeBSD: initial setup of IPFW, from 2012. Currently, there are three “built-in” firewalls in the system – Packet Filter (PF), IP…

Terraform: using Ephemeral Resources and Write-Only Attributes

16 September 2025

Ephemeral resources and write-only arguments appeared in Terraform a long time ago, back in version 1.10, but there was no opportunity to write about them in detail. The main idea behind them is not to leave “traces” in the state file, which is especially useful for passwords or tokens, because the data only exists during…

AWS: Kubernetes and External Secrets Operator for AWS Secrets Manager

24 August 2024

We have a new EKS cluster 1.30 on our project, where we want to completely remove the old IRSA with OIDC and start using EKS Pod Identities – see AWS: EKS Pod Identities – a replacement for IRSA? Simplifying IAM access management. And everything seems to work fine, but when I started deploying our Backend…

AWS: IAM Access Analyzer policy generation – create an IAM Policy

24 August 2024

Quite often, a new project that is just building its infrastructure and CI/CD does so as an MVP/PoC, and at the beginning no time is spent on tuning AWS IAM Roles and IAM Policies; instead, AdministratorAccess is simply attached. Actually, this is exactly what happened in my project, but we are growing, and it’s…

Terraform: managing EKS Access Entries and EKS Pod Identities

24 August 2024

So, we have an AWS Elastic Kubernetes Service cluster with Authentication mode EKS API and ConfigMap, which we enabled during the upgrade of the EKS Terraform module from version 19.21 to 20.0. Before switching the EKS Authentication mode completely to the API, we need to transfer all users and roles to Access Entries of the EKS cluster…

AWS: Kubernetes and Access Management API, the new authentication in EKS

7 July 2024

Another cool feature that Amazon showed back at the last re:Invent in November 2023 is changes in how AWS Elastic Kubernetes Service authenticates and authorizes users. And this applies not only to the cluster’s users, but also to its WorkerNodes. I mean, it’s not really a new scheme (November 2023) – but I just now…