Most of this blog is written in French. These are the posts translated to English so far — more get added as needed.
Fable 5 on the job: locking down a WebDAV endpoint in one session (and burning through a plan while at it)
I had Fable 5 harden the WebDAV access to my password vault instead of my usual assistant: a bcrypt hash, a Traefik rate limit, and a token bill that climbed faster than expected.
Building real alerting for a homelab (and every quiet way it can fail)
Building a centralized monitoring dashboard (Uptime Kuma + ntfy) for a homelab ended up uncovering a mis-scoped Windows firewall rule, DNS rebinding protection, a JSONata bug, a UTC trap, and a parallel session that had quietly renamed an admin account.
Decommissioning a home DNS server: from "looks simple" to "we broke our own DNS resolution"
What was supposed to be a simple EC2 instance downsizing ended up revealing an old home DNS server was quietly wearing two hats, triggering a self-inflicted DNS outage, and uncovering a hidden network dependency machine by machine.
What a local LLM can do on a $300 card: my home voice assistant with Qwen3
A Qwen3 8B model running in Ollama on a 12GB RTX 3060 genuinely controls the house lights via Home Assistant — TP-Link outlets converted into light entities, a system prompt tailored for a small model, and the reliability lessons of a real local deployment.
Compartmentalizing console tools
Over the last few decades, we've seen growing compartmentalization in how workloads are managed. While we used to host servers on physical machines 30 years ago, today we…
The MOVE that kept failing: a story of a proxy, an HTTP scheme, and a vault that nearly got corrupted
An intermittent 502 on WebDAV led to an HTTP scheme mismatch behind a proxy — and the most tempting workaround could have corrupted an entire password vault.
Zero firewall, one tunnel: migrating a service to a Cloudflare Tunnel
Migrating a service (a home-automation admin interface) from direct Cloudflare-proxy-to-public-IP access to a Cloudflare Tunnel already used by another service, allowing the dedicated AWS security group to be removed entirely. Also covers updating a static-site publish script that quietly depended on the same access.
Giving every server on my network a clean, predictable IPv6 address
Setting up an IPv6 addressing convention (suffix = IPv4 octet in hex) on a stateful-DHCPv6 server network. Covers finding DUIDs via packet capture, a config-reload gotcha after a DHCP engine change, and a case of a DHCPv6 client bound to the wrong interface.
Closing the FTP door on the Internet: moving to private access over WireGuard
Migrating an FTP server (used for scanning documents from a printer-scanner) from public exposure, even IP-restricted, to access only via a private WireGuard tunnel. Covers incomplete WireGuard routing, the classic passive-FTP-behind-a-VPN gotcha, and the method reused for other admin services.