The most common way to verify ownership of a hostname to receive a TLS certificate is the HTTP-01 challenge on port 80, but DNS challenges not only allows you to get wildcard certificates, they can also be used on systems with no incoming internet access, with no manual intervention required on renewals.

One of the main benefits of OPNsense is obviously the web interface, but if you just want to set up a service manually like on FreeBSD, here’s how you can do it. In this case, we’re setting up dnscrypt-proxy.

Node.js and npm has been the standard for a long time when it comes to running web applications written in server-side javascript. Here’s how to set up the Umami analytics application with Bun instead.

If you use Tailscale on your server, you may have services that should only listen on that IP. Unfortunately, the tailscaled service often goes active before it’s actually done, breaking dependencies: here’s how to fix it.

Flatcar Linux is a fork of the now defunct CoreOS, specifically designed to run container workloads. It has an immutable root file system and automatic updates, and here’s how you can run it as a VM under Incus.

Incus helps you manage both containers (LXC) and virtual machines (QEMU), and while many images come prepared, FreeBSD is not one of them: here’s how to set it up.

FrankenPHP is a “modern application server for PHP built on top of the Caddy web server”, which in its simplest form lets you serve PHP apps without the nginx/apache config salad you may be used to. Here’s how to set it up as a service on Debian.

This post is about multiple components involved in deploying FreeBSD to a VMware environment. Since there are many moving parts this may also be interesting in general to anyone doing “infrastructure as code” and cloud deployments, the process is quite similar for Linux.

On newer versions of Debian and Ubuntu, the way repos are authenticated through public keys has changed somewhat. Here’s what I’ve found.

Wildcard certificates are really useful, especially in cases where you are using a load balancer like HAProxy that targets multiple backends serving separate subdomains.