12 Jun 2026 (6 days old) | 1684 words · 0 LoC · ~9 min read
In an earlier article, “AES‑256 Is Enough. Your Secrets Workflow Isn’t”, I argued that the cipher is usually not the weak point.
The weak point is the workflow around it.
One of the most common examples is the humble .env file.
09 Jun 2026 (over a week old) | 1113 words · 0 LoC · ~16 min read
If you want to operate a Tor exit node properly, you should avoid doing it by hand.
You need a repeatable bootstrap, a hardened SSH configuration, a firewall that only exposes what you actually need, a local resolver, and a maintenance path that does not turn into improvisation after the first update cycle.
I still like CentOS Stream 9 for this kind of infrastructure work. I explained why in an earlier article: “Why I Continue To Advocate For CentOS Stream In Production Environments”.
In this article, I will show a small Ansible setup that bootstraps a CentOS Stream 9 host, configures it as a Tor exit relay, adds a local Unbound resolver, hardens SSH, enables fail2ban, and gives you a minimal maintenance workflow.
All hostnames, IP addresses, nicknames, usernames and contact details below are sanitized examples, but the structure mirrors a real setup.
09 Jun 2026 (over a week old) | 3886 words · 0 LoC · ~20 min read
Most engineering teams do not start with an image governance problem.
They start with something humble: one Dockerfile for Python, one for Node.js, one for kubectl, maybe one for Maven or a Java runtime. Every repository looks small enough to be harmless. Then the small things start multiplying: slightly different labels, slightly different CI jobs, slightly different versioning schemes, slightly different ways to import internal certificate authorities, slightly different smoke tests, slightly different signing steps.
08 Jun 2026 (over a week old) | 1678 words · 0 LoC · ~9 min read
There is a strange little ritual in engineering teams.
Someone mentions encryption, someone else says “AES‑256,” and for a brief second the room relaxes. The magic number has been spoken. The vault door has appeared. The dragon is asleep.
Then the same team commits a decrypted .env file to Git.
Or stores an age private key in a shared password note.
Or lets CI print a production secret into a build log.
Or keeps the only decryption key on one developer laptop, guarded by vibes, hope, and an unpaid backup plan.
The uncomfortable truth is this:
AES‑256 is usually not the weak point.
Your workflow is.
22 Nov 2024 (over a year old) | 195 words · 0 LoC · ~1 min read
For certain tasks, I need to use macOS and sometimes prefer to route all my traffic through the Tor network. In this tutorial, I will guide you through the process.
While you can download and use the Tor Browser for enhanced anonymity, I find that simply routing traffic through Tor’s network suffices for my needs while maintaining a civilized workflow.