Welcome to your haven!

The startup configuration can be bypassed by booting into ROMMON or during normal operation. In either case, a reboot is required.

This is particularly useful, for example, if you need to perform a password recovery because you have forgotten your password, or for troubleshooting purposes.

Configuration in IOS

Switch# configure terminal
! to activate
Switch(config)# system ignore startup-config

! to deactivate
Switch(config)# no system ignore startup-config

Configuration in ROMMON

In the background, the IOS command simply sets the ROMMON variable SWITCH_IGNORE_STARTUP_CONFIG to 1 or 0 which we can also do manually.

Currently we trying out eLux as an replacement of older thin clients with ThinOS or IgelOS. We tried to configure 802.1x authentication and the therefore needed certificate enrollment with our current SCEP/NDES server. We came across the issue that the scep client that eLux uses – sscep – an open source “Simple SCEP client for Unix” doesn’t support certificates requests over HTTPS.

When investigating the problem we found this GitHub issue which explains our problem. Our NDES server was only reachable over HTTPS – both on the administration page and most importantly also on the request web page (certsrv/mscep) where the client requests their certificates.

Since 2023 you could not import updates manually to WSUS. Microsoft offers you a script to download the updates from the update catalog when you provide the UpdateID to the script. The script defaults to localhost if you dont provide the WSUS server. For example:

.\ImportUpdateToWSUS.ps1 -UpdateId 12345678-90ab-cdef-1234-567890abcdef

But this script has a big issue for air-gapped enviroments – it still relies on the microsoft update catalog to download and import it to the WSUS server. But in the background the script just uses the ImportUpdateFromCatalogSite() powershell function. If you look at the parameters, you can parse the UpdateID but also “an array of the local paths where any files required by the update can be found.”

We had an issue where our domain controller lost its domain network profile after a reboot. When it came back up it was set to public instead of domain.

The problem occurred only when Windows NIC teaming (switch-independent) was used in combination with two network adapters in the team. As soon as one network adapter was disabled from the team (while the other remained active), the network profile (domain) was recognized correctly.

SNMP monitoring with grafana and prometheus can be done with the official snmp_exporter from prometheus.
Since I didn’t found any direct forward documentation, blog or any source of documentation in an ELI5 style how this will work, this is my try to document my findings and understanding on how this stuff works. To be honest I still don’t understand all stuff inside the generator configuration file but here is what I found out.

With cv4pve-autosnap, snapshots of VMs and CTs in Proxmox can be automated. Since restoring my VMs from backups can take several hours depending on their size, I wanted a solution for a potentially faster restore in case I broke something while playing around.

The application can be run remotely or locally on the Proxmox host. A user or, since PVE 6.2, an API token can be used to run the snapshots.

Tailscale makes it easy to connect devices securely, but its default settings are designed for convenience rather than strict security. Without a few adjustments, every device in your Tailnet can talk to every other one which in my case I don’t wanted. So I looked into how to raise my security in using Tailscale for accessing my homelab and now share my findings and results.

General Security Advice

Because Tailscale relies on an external identity provider—such as Apple, Microsoft, or Google—it’s essential to secure that account properly.