Ubuntu 20.04 includes the ability to install with ZFS for the root and boot partitions. However, it does not include an option for encrypting the root volume. Fortunately, it is easy to enable it.
[Read More]Generating Letsencrypt Personal Certs on Route53
Using AMI roles to restrict certificate generation
We have a bunch of machines behind haproxy load balancers. The haproxy is publicly accessible and can use the ACME HTTP method for certificate renewal. The machines behind it are using self-signed certs from our own CA, but there are cases where we might like to have certs on both systems that are “legit”. For example, a gitlab instance that is accessible internally and externally, or our web servers for internal or testing access.
For the internal machines, I came up with the idea of using DNS to verify the registration, while the haproxy continues to do HTTP.
I wanted to restrict the AWS access keys so the compromise of one machine didn’t expose our entire DNS, so I created a recipe that allows for the access key to be limited to a specific name.
[Read More]