Field notes & technical thinking
Practical writing on cybersecurity, DevOps, and working in enterprise IT — from someone who's done the job, not just studied it.
The first thing most people get wrong is overcomplicating the architecture. You don't need a dedicated server farm — a $35 Raspberry Pi or an old laptop running Ubuntu will handle Wazuh's manager node for a home lab just fine.
Start by installing Wazuh Manager via the official script, then point your endpoints (Windows, Linux, or macOS) at it using the lightweight agent. Within minutes you'll have system logs, authentication events, and file integrity monitoring flowing in.
The real value comes from writing custom rules. Wazuh's XML-based rule engine lets you define alerts like "three failed SSH logins within 60 seconds from the same IP" — classic brute-force detection, built in under an hour. From there, wire up a free Elastic stack for dashboards and you have a genuinely useful home SOC.
Manual deployments are a tax you pay every single time you ship. Even if it takes only five minutes, those five minutes are high-anxiety, easy-to-mess-up, and completely unnecessary once you automate them.
The workflow I use has three jobs: test (run pytest), build (docker buildx), and deploy (call Render's deploy hook via curl). Each job only runs if the previous one passes, so a failing test literally cannot reach production. The whole file is under 45 lines of YAML.
The key insight: store your Render deploy hook URL as a GitHub Actions secret, and your entire CD pipeline costs you $0. Combined with Render's free tier for side projects, you have proper CI/CD for a solo hobby app at no cost whatsoever.
When your users include senior diplomats and department heads, ambiguity is not an option. Every change I made required a change request with a rollback plan. Every incident required a root-cause writeup. At first this felt bureaucratic. Eventually it felt like professional hygiene.
The habit that stuck most: write your ticket as if you'll be explaining the situation to yourself in six months. Because you will be. "User can't log in" is useless. "User jsmith reports intermittent Outlook authentication failure since 14 Feb; reproduced on primary workstation, not on web client; AD account unlocked at 09:42 UTC" is actionable.
Good documentation also builds trust. When an executive escalates an issue, being able to pull up a timestamped, complete record of every action taken is the difference between a 10-minute resolution and a two-hour war room. Document as you go — not after.
The best cron jobs are invisible — they silently prevent disasters you never know about. Here are the ones I install on every server I manage from day one.
Disk space alert: df -h | awk '$5+0>85{print}' | mail -s "Disk warning" admin@example.com — runs hourly. If any filesystem hits 85% you hear about it before users do.
SSL cert expiry check: echo | openssl s_client -connect yourdomain.com:443 2>/dev/null | openssl x509 -noout -dates piped through a date-comparison script — runs weekly. Expired certs cause user-facing outages that are completely avoidable.
Database backup: pg_dump mydb | gzip > /backups/mydb-$(date +%F).sql.gz — nightly, with a 30-day retention cleanup job alongside it. Combine with rclone to push to cloud storage for off-site redundancy.
The remaining seven cover log rotation hygiene, temp-file cleanup, uptime reporting, and a weekly reboot window for patch application. Each one has prevented at least one incident in my career.
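The date-comparison step behind the weekly cert check, written out as an added example rather than the author's own script: it parses the notAfter line that openssl x509 -noout -dates prints and compares it with a warning threshold. The host name, the sample dates and the fixed clock values are constructed for offline use, and GNU date (as on Ubuntu) is assumed.

```shell
#!/bin/sh
# Certificate-expiry check for cron. Assumes GNU date (date -d).
# In a real job the DATES text comes from:
#   echo | openssl s_client -connect "$HOST:443" 2>/dev/null | openssl x509 -noout -dates
# Constructed sample output, used here so the script runs without a network:
SAMPLE_DATES='notBefore=Jan  1 00:00:00 2030 GMT
notAfter=Jan  1 00:00:00 2031 GMT'

# days_until_expiry DATES_OUTPUT [NOW_EPOCH]
# Extracts the notAfter line and prints whole days remaining (0 or negative once
# expired). NOW_EPOCH is injectable so the logic can be exercised on a fixed clock.
# Returns 2 if there is no parseable notAfter line.
days_until_expiry() {
    not_after=$(printf '%s\n' "$1" | sed -n 's/^notAfter=//p')
    [ -n "$not_after" ] || return 2
    expiry=$(date -u -d "$not_after" +%s) || return 2
    now=${2:-$(date -u +%s)}
    echo $(( (expiry - now) / 86400 ))
}

# check_cert HOST DATES_OUTPUT THRESHOLD_DAYS [NOW_EPOCH]
# Exit 0 when the cert has more than THRESHOLD_DAYS left, 1 when it is inside the
# threshold or already expired (cron mails the output), 2 when parsing failed.
check_cert() {
    days=$(days_until_expiry "$2" "$4") || { echo "ERROR: no notAfter for $1"; return 2; }
    if [ "$days" -le "$3" ]; then
        echo "WARNING: certificate for $1 expires in $days day(s)"
        return 1
    fi
    echo "OK: certificate for $1 valid for $days more day(s)"
    return 0
}

# Stand-alone demo: clock fixed at 2030-12-20 00:00:00 UTC (constructed), 12 days
# before the sample notAfter, so the 14-day threshold fires.
check_cert example.com "$SAMPLE_DATES" 14 1923955200 || :
```

Omit the NOW_EPOCH argument in the cron entry so the check uses the real clock; a non-zero exit with the WARNING line on stdout is what cron turns into mail.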