{Wire}guard from your ISP

People are getting into a recent uproar about entities like Facebook and Cambridge Analytica while willingly putting their information into these ecosystems. We should instead be considerably more concerned about the unwilling surveillance we're a part of from our ISP. Recently The Guardian and some discussion pushed me to finally look into applying WireGuard to something like the home network design. So in this post we're going to install WireGuard on an EdgeMAX router, bring up a WireGuard tunnel to a VPN service, send all DNS queries over that tunnel, and send the Internet-bound traffic of selected hosts or subnets over that tunnel.

Selective Powertop tunables via Systemd

If you've got an Intel system and want your powertop tunables to stick selectively, you can't rely on the auto-tune feature. If you do, you'll notice some subsystems are not available right when you want them (e.g. a mouse). It's better to profile and selectively apply the configurations that make sense for your use.

Modern TLS with Nginx and LetsEncrypt

With all of the nasties we are seeing about snarfing up data, there has been a concerted effort to get encryption in place. For the web, it has never been easier to get these things sorted because there have been significant efforts recently to reduce the barrier. Firstly, the Let's Encrypt project broke up the cabal of certificate authorities by providing a recognized authority that issues certificates to verified domain operators without a transaction cost. Secondly, the Let's Encrypt project and the EFF collaborated on certbot to provide a fully featured utility for requesting, issuing, and renewing certificates. And, thirdly, the OpenSSL project has been getting a lot more external attention due to recent vulnerabilities being reported in a much more trendy fashion.

Limiting Exposure via ssh ProxyJump

ssh is an amazingly prolific tool that is used extensively by anyone who manages systems. It's a tool that many of us trust to provide the ultimate command and control access to the devices we manage, and yet on many commercial systems it is marginalized by being updated infrequently. If you're able to run a modern OpenSSH, you have access to a newer feature named ProxyJump, which makes using a jump host much simpler.