It’s a new day and a new shiny toy for us homelabers. Last month, the processor on my old laptop finally breathed its last. It was a good laptop, but it was ready to pass on. However, what made this crappy is my little Dell gave up as well. I had to rethink how I was going to do some of my services. So, I started looking. I wanted something small that could run one or two small Dockers. So let’s start finding nimo.
Nimo MPL2B
This little bad boy has made my day. My old laptop was a quad cord with 16 gb of ram. It ran my books and my search engine. Lets talk a little about this guy. Here are the stats
Intel 12th Gen N100 Processor
16 GB LPDDR5 Ram
512 GB Samsung hard drive.
2 HDMI, 3 usb, sd card, usb c, Ethernet port, and audio jack.
Windows 11 Pro (Yes Pro)
The stats are not super powerful, but I only paid 160 USD for it on a amazon sale. Now, what I like about this device is a little more than just what the device itself, but the company behind the device. This small computer has a metal shell, uses a real samsung hard drive. It’s put together very well. On top of all of that, it’s primary focus is education. They give big discounts to college students. So, lets set this bad boy up.
The setup
Alright, so first things first… we’re not rocking Windows 11 on this cute little box. Nope. We’re tossing that out and going full Linux. I mean, we’re homelabbers, right? This is the part where things got fun (and slightly annoying). But let’s make this easy for you, so you don’t spend your morning yelling at your BIOS screen like I did.
Step 1: Smack That F2 Key
Power that baby on and start slapping the F2 key like you’re trying to skip a YouTube ad. This gets you into the BIOS. For the Nimo MPL2B, that’s the magic key. Inside the BIOS, scroll around until you find the boot order section. You want to move USB to the top. If you don’t, it’s going to ignore your pretty flash drive like it owes it money. Save with F10 (usually), and let it reboot.
Step 2: Build That Boot Stick
Now you need to make your Ubuntu USB.
Head over to ubuntu.com and snag the latest Desktop ISO (I used 24.04 LTS because I like things that don’t break).
Fire up balenaEtcher (or Rufus or whatever you use).
Burn that ISO onto a USB stick like it’s 2005 and you’re making a mix CD.
Step 3: Boot and Install
Plug in the stick, boot the Nimo, and it should go into the Ubuntu install menu. If not, go back and double-check that boot order. Trust me, I’ve done that loop.
Choose “Install Ubuntu”
When asked about how to install it, pick Erase disk and install Ubuntu. I don’t dual boot—either we’re Linux or we’re not.
Choose your region, user name, and let Ubuntu do its thing.
Step 4: Reboot and Celebrate
When it’s all done, yank the USB out, hit Enter, and let it reboot into a clean Ubuntu desktop. This is where the magic begins.
OS Setup
Alright, let’s give your fresh Nimo MPL2B some love. We’re going to:
Update Ubuntu (because the install image is already out of date)
Install Tailscale so you can SSH into this little beast from anywhere, even grandma’s house.
We’ll do it step-by-step, and yes, you’re getting the PowerShell/terminal copy-paste magic too.
Step 1: Update and Upgrade Ubuntu
Open Terminal (Ctrl+Alt+T or just click that little black square of doom). Paste this in:
sudo apt update && sudo apt upgrade -y
This fetches the latest package list and updates anything that needs it. The -y flag answers “yes” to all prompts like a good little automaton.
Step 2: Install Tailscale (aka VPN Magic)
Tailscale lets you connect to this mini-PC like it’s on your local network—even if you’re 2 states over, crying in a Starbucks.
First, add the Tailscale repo and key:
curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/$(lsb_release -cs).noarmor.gpg | sudo tee /usr/share/keyrings/tailscale-archive-keyring.gpg >/dev/null
curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/$(lsb_release -cs).tailscale.list | \
sudo tee /etc/apt/sources.list.d/tailscale.list
Then update apt again and install Tailscale:
sudo apt update && sudo apt install tailscale -y
Now enable and start it:
sudo tailscale up
That command will open a URL in your terminal. Copy it, paste it in your browser, and sign in to link the device to your Tailscale network. Boom. Your Nimo is now part of the mesh.
Install Docker & Docker Compose
Now open a terminal and paste the code below. This will setup docker and set you as a user for the docker.
Save and exit (Ctrl+X, then Y, then Enter). Now we can run it.
docker compose up -d
You can access it by going to your IP address on port 8080 or your tailscale ip. So, it should be like, http://localhost:8080.
There we have it. Your home lab with a search engine as the starting point. It’s not much, but it will grow. This little Nimo can’t run a corporate system, or a deep advanced AI, but It holds what I like to use. Since I’m the main user, I get to tell the user what I want to do with it. Even when sometimes that user can be overzealous. Don’t forget, you can get around the gnat using this setup as well if you have an external machine somewhere.
What can we learn as a person.
Alright. Let’s take a breather.
This little Nimo box? It’s cool, it’s compact; it’s cheap. And yeah, it runs Docker like a champ most of the time. But here’s where the wheels can start to wobble: expectations.
See, I caught myself doing it. I wanted this $160 mini-PC to replace my old laptop, my Pi-hole box, my local dev stack, and maybe cure my ADHD while it was at it. Did you know that bats arn’t blind? Wait wrong thing. Dang, no ADHD cure yet.
And that’s the trap. The Slow Burn of Expectation
It’s not always the big crashes that break us. Sometimes it’s the micro-disappointments. You expect your container to run. It doesn’t. You expect it to stay cool. It doesn’t. You expect it to be perfect—and suddenly, you’re annoyed at a tiny piece of metal because you needed it to be more than what it is.
That adds up. Day by day. Task by task. And eventually, those micro letdowns become something heavier: dread, frustration, that creeping “what’s even the point?” feeling that whispers depression.
The AA Folks Were Onto Something
There’s this line in the Serenity Prayer:
“Accepting the world as it is, not as I would have it.”
That hits. Hard. We can’t change the laws of thermals. We can’t make N100 CPUs act like Xeons. And no, we can’t Docker our way out of emotional burnout. Even though that would be amazing. Like the time i found a cold diet dr pepper in the back of the fridge, I mean, it was ice cold. Like Amazing… Anyways, squirrel.
But we can manage our expectations. We can say, “This box does this thing. And that’s good enough.” You get way more peace out of that than you do out of pushing it to failure. This is true for your friends, family, coworkers, politicians, even…. YOURSELF. Dumb ass brain, you hear me! wait can brains hear? Ghall my adhd won again. Nimo you failed me on this adhd stuff.
Let the Box Be a Box
Let this little Nimo machine be what it is: a budget-friendly, tinker-happy toy for nerds like us. It’s not your therapist. It’s not your fix. This Nimo just a cool piece of gear that does its job. if you don’t ask it to carry your whole mental load.
And just like the box, you should let You be you. We have expectations that people put on us, but some of us put expectations on ourselves that just are not realistic. So, look at your expectations, are they realistic? Or are you hoping to cure you… please insert 25 cents to continue… problems with something simple. We are humans, our problems tend to be more complex than running a docker command.
It started like most of my learning sessions do. I cracked open a cold Dr Pepper and decided to poke around Microsoft 365 Explorer just to see how it really works. Not trying to solve a ticket or check alerts, just digging through the Security & Compliance Center to see what kind of metadata I could pull from email traffic. That’s when I saw it. A Teams meeting link. Right there in the email metadata. Not the email body. Not some phishing attempt. Just… a clean, clickable Teams URL, and that’s where the Global Reader role security concerns really hit me.
See, I didn’t have access to the email content. That part is locked down like it should be. But the URLs? Totally visible. Which means any Teams meeting link that comes through email can technically be seen and opened by someone with Global Reader rights. No secret sauce. No elevated permissions. Just the system doing exactly what it was told to do. I didn’t click it. But I could’ve. That’s what stuck with me.
Nobody talks about this kind of thing. We throw these roles around, Global Reader, Security Reader, assuming they’re “read-only” and safe. But safe for who? Because when that read-only view includes working meeting links, especially the ones that don’t require authentication, you’ve got more than just visibility. You’ve got access. Quiet access. That’s not a broken system. It’s just… something we didn’t think all the way through.
What Explorer Actually Shows You
So for anyone who hasn’t wandered into it before, Explorer lives inside Microsoft 365 Defender at https://security.microsoft.com. You head over to Email & Collaboration, click on Explorer, and boom, you’re staring at mail flow. What came in, who it went to, who clicked what, and when it all happened. It’s surprisingly deep.
Now, I didn’t expect much when I first started messing with it. I thought it would show headers, basic sender and recipient info, that kind of thing. But once I started looking closer, I noticed the URLs section. These aren’t just logs. They’re functional. You see the real URLs from real emails. And if one of those is a Teams meeting? Yep, you can open it. And this is with the Global Reader role. You don’t need to be an Exchange Admin or have a bunch of elevated rights. Just Global Reader. That’s where the Global Reader role security concerns really start to matter.
The assumption is that “read-only” means “safe.” But URLs aren’t static. They’re doorways. And if that doorway leads to a Teams meeting, and the meeting doesn’t require you to be on the invite or authenticate, then yeah; you’re walking into places you probably shouldn’t be. So now I’m sitting here thinking… how many people have this role in our org? And how many of them know what they’re really looking at?
When Metadata Becomes a Backdoor
Let’s be real, this isn’t some obscure flaw buried deep in the Microsoft 365 stack. It’s just… there. Working as designed.
When Explorer pulls up an email trace, you can click into the message summary and find a list of all the URLs Microsoft scraped from that email. They’re broken down under the “URLs” section and logged for security scanning. This is great for catching phishing links. But not so great when those URLs are to internal resources.
Clean. Clickable. No auth required, depending on how the meeting was set up. Some orgs have meetings open by default. So yeah, I could’ve joined. Muted my mic, changed my name to “System,” and just lurked. Not that I did. But again, the option was right there. And it’s not just meetings.
I’ve seen password reset URLs, temporary sign-in links, private SharePoint shares, direct file download links. All kinds of things that don’t need full message content to be risky. These links are meant for the recipient, but they’re exposed in the metadata. And the kicker? This isn’t some “Exchange Admin has all the power” situation. This is happening with Global Reader role permissions. Read-only, sure, but reading live, sensitive URLs that can sometimes skip authentication entirely.
That’s where Global Reader role security concerns stop being hypothetical and start being real risk. This is metadata turning into a potential access path. Not because the system is broken, but because it’s quietly giving away more than we think.
What You Can Do About It
Let’s say you’ve just realized what I did—that Global Reader isn’t exactly as harmless as it sounds. The good news? You can do something about it. The bad news? Most orgs don’t, because they assume “read-only” is low risk.
First things first. You need to know who actually has this role. It’s not always obvious in the portal, especially if folks got assigned via nested groups or role assignments that were done years ago. PowerShell to the rescue:
This will pull a list of users with any role containing “Global” in the name. Look out for Global Reader, Global Admin, and anything custom that might have full visibility. Once you know who’s got the keys, ask the hard question: Do they still need it? If the answer is no, yank it. If they only need it occasionally, roll out Privileged Identity Management (PIM) and require just-in-time access. Make them activate it, justify it. Then make it expire.
Another overlooked option is role-specific access. Instead of giving someone full tenant visibility with Global Reader, give them Security Reader, Compliance Viewer, or another scoped role that aligns with their actual job. You don’t give someone a master key to your building just because they need to water a plant in one office. Same idea.
Also, while you’re at it, check your Teams meeting policies. Make sure unauthenticated users can’t just join meetings by URL. A lot of companies leave this wide open because it’s the default. Finally, start the culture shift. Just because someone can see a URL doesn’t mean they know what that link leads to. And if it leads to sensitive content or a live session? That’s a problem waiting to happen.
What Can We Learn as a Person
Let’s be honest. Most of us in IT have had that moment. You see something you weren’t supposed to see—an email subject, a calendar event, a shared file name and suddenly your brain starts filling in the blanks. It’s rarely something major. It’s usually a half-story. A piece of a conversation. Just enough to spark a thought like, “Huh, that’s interesting…”
This is where gossip starts. And this is where it can wreck people. Not just the person you’re looking at, but you too. When you’ve got a role like Global Reader, it’s incredibly easy to see things you shouldn’t. Even if you never touch the actual email content, those metadata breadcrumbs can pile up quick. Meeting titles, URLs, file names, sender names. Your brain builds a story whether you want it to or not.
And the worst part? You don’t even have the full picture.
That’s where the danger really is. Partial visibility creates false narratives. It makes you assume things. It can mess with how you view coworkers, how you talk about them, and how you carry yourself as an admin. I’ve caught myself starting to spiral into “what if” scenarios based on a Teams meeting name I wasn’t supposed to see. It’s not healthy. And it’s not professional.
The power to see isn’t just technical. It’s emotional. And if you don’t check yourself, it’ll eat at your mental health before you realize it. So what can we learn? That being trusted with access means being trusted with restraint. That curiosity can turn toxic if it isn’t managed. And that sometimes, the most responsible thing you can do as an admin… is look away.
Not much takes me by Suprise, but this little tool has really done just that. I want to do a Deepsite Review in today’s post. Deepsite is a unique AI tool that builds websites. Unlike chat gpt, you don’t have to feed it a complex prompt to make one page look decent. I am going to give you some examples of what I was able to make with it and the prompts used.
So what is deep site. Deep site is a hugging face tool made by enzostvs. https://enzostvs-deepsite.hf.space/. It uses deepseek’s AI to help create fairly simple sites to complex sits. I have made everything from flappy bird games to sites about possums. If it can be done inside a browser, deepsite can do it. When you first come to deepsite, this is what you get. A simple prompt, and a page. The HTML will be generated in the side. So lets look at some examples.
It took about 5 minutes and wrote each line of code. You can play this clone at CyberFlap – Cyberpunk Flappy Bird. Is it perfect, no, but is it dang amazing, yes. This would have taken me a full day or two to code. It only took 5 minutes and it was a single file. So no copying and pasting multiple files and folder structing.
Prompt: Create a website for a company called one and two liberty square. Here is the content (content from the previous site).
What amazed me here is it got most of the content together. It’s not the best layout, but it’s useable. The downside can be seen here. The longer the site, the harder it takes to make the site be creatively clean. It did poorly on the dots and sounds the same in a lot of places. That’s where the human charm comes into play.
What I would do to improve this site is change the menu to go to each building. I would also flip the images from one side to another. Then make a section for the corporate partners for it’s own.
One big thing to remember, this can only create the surface level. So, you see that contact us? Yeah, that doesn’t work. So, if your backend guy doesn’t know how to do the back end stuff, good luck.
Prompt: Create a dark themed meme generator where I can upload a picture and add text to the top and bottom and save it to my computer.
So, This was pretty cool. It made it within 5 minutes and only had 1 problem and it still does. It can’t save the three memes it shows in the left hand window because they are not in memory. However, you upload something and add your text, and click save, bam. Quick and easy. Some of the protriat shaped images will have odd text, but for the most part, it works.
Prompt: Make a Zen focus task manager with a dark mode.
Guess what, it will keep as long as you keep your cache. After that it forgets, and the dark mode sucks. So, if you clear your cache or move to a different browser, your stuff will not be there.
Deepsite Review
Pros
Create a basic website in seconds with little interaction
HTML code is split up the site using sections. Which allows for easy editing
The system users tailwindcss.com
Can create unique games with a simple command
Keeps standard praticies
Single html site file.
System will response
Cons
Creates a basic site, but nothing bigger
Keeps standard practices but not best practices
Odd formatting.
No backend
Final thoughts
This tool is great for simple sites and nothing more. If you want more than one page, this tool can’t do that. If you want a fully functioning back and front end product. This isn’t for you. However, front end development, is a yeppers. I personally like making cool 404 pages with this tool. I don’t do reviews often and the main reason why I wanted to bring this tool up is because it’s the beginning. If AI doesn’t eat itself and die, we will see the end of an industry. My last blog post was me asking questions to gpt and it giving me a response. I just told it to make it a blog post and bam, it did it. Which took the fun out of blogging. These tools are powerful and deepsite is just the beginning of replacing front end development. That’s my thinking on this Deepsite Review.
What we can learn as a person
When I was a child, I was told I will never have a calculator. I had to learn the division, exponets, square roots, and more by hand. (Yes, I know I just dated myself). I’m greatful for learning those things. Now when I am working with complex problems, I use the same structures and a lot of times the same formulas. Over the past 20 years, I have used my phone’s calculator. I am noticing a decline in my ability to preform simple maths. More I use chat gpt, I notice a skill drain.
Technology can replace our need to have a skill set over time. Is this a good thing? Sometimes, however, sometimes it’s not. I use AI in my daily life for a lot of things. But I don’t lean 100% into it like many of my peers do. The reason why is because I love to discover what I learn. I enjoy making the mistakes and correcting them. At the end of the day, i want the brain tingles. When I’m in my 70s, that love will keep my brain on track. I have seen a decline as I have gotten older. We all know that one day we will not be able to think like we did when we were 25 and that’s ok.
Two keeps to success
I have learned in this life there are two keys to success. Adaptability and Work. We have the adapt to the world around us. If it takes me 1 hour to code a deployment, but AI takes 5 seconds, might as well use the ai, but make sure I understand the ai’s code. So I can fix it later when it breaks. Adapting is imporatnt, but putting in the work is also as importatnt. Like this Deepsite Review, I could have had gpt do it, but I wanted to figure it out. So, I can see the full scope of what deepsite could do for me. If you don’t work at what you have in life, it doesn’t happen. Sometimes that means we have to work at being adaptable as well. That could mean a 15k paycut to escape a trauma inducing job. Other times it’s using a weed eater instead of a push mower. It means different things for different situations.
So, learn how to adapt. Work at what you do and enjoy. I find joy in work. It’s a simple concept. Seeing a clean room knowing I just did that, is a simple joy. It’s like putting back into myself. It’s worth it and so are you.
Ever feel like you’re just guessing which Intune policy to use?
You go into Microsoft Intune thinking, “I just want to block copy/paste from Teams to a student’s phone,” and suddenly you’re knee-deep in device configs, app restrictions, compliance policies, and something called MAM-WE (which sounds like a failed robot uprising).
If you’ve ever been stumped by the difference between Intune device vs app policies, you’re not alone. And you’re not doing it wrong — the naming is genuinely confusing.
So, let’s break it down the way it actually clicks — using real-world scenarios instead of theory and tech jargon. If you know what you want to do, you’ll know what to use. Lets dive into intune devices vs app policies.
The Three Intune Policy Buckets
Device Configuration Policies – You Own It, You Control It
Think of this like setting the house rules — but only for houses you own.
Device configuration policies give you OS-level control. You can push BitLocker, set PIN rules, enforce Delivery Optimization, apply VPN profiles, and more. But they only work if the device is enrolled in Intune — like, actually enrolled. Not “kinda managed.” Full enrollment.
Lets take a look at a real world senerio. Imagine you have 200 windows 11 laptops and want to enable delivery optimization for windows updates. This would be a Device Configuration Profile. Another example would be if you have 1000 windows 11 laptops that you want to encrypt their fixed drive with bit-locker. Once again, this is another device configuration profile.
If the deivce is apersonal and not enrolled, this policy type is off-limits. No Bitlocker, no VPN, nothing. You don’t own it, you don’t get a say.
App Protection Policies – Protecting the Data, Not the Device
This one is magic for BYOD situations. Think of it like zipping up your company’s data in a fireproff pouch, even if it’son someone else’s device. App protection polcies don’t care who owns the device. They care about your data. These policies apply to managed apps. Things like outlook, teams, onedrive, and lets you do things like bloc copy and paste. Require PINs to open apps, wipe work data and more.
Lets take a look at a few real world senerios. Students are copying teams messagers and pasting them into discord on their phones. You can block this using App Protection Policy. Lets say you have truck drivers with ipads with outlook on them. You can force the user to enter a pin each time they check their email. That’s a App Protection Policy.
App Configuration Policies – Pre-setting the Knobs
Here we are putting the settings into place for different apps. We are not locking down the device. So, if you need a pin for the device, you do this with a device configuration policy. If you need chrome to open on a set website, that’s the App Configuration Policy. App configuratin policies let you predefine how apps behave. It’s not about control, but it’s about consistency. You can push bookmarks, force outlook to use only work accounts, set default browsers for teams, and more.
Lets look at a real world. You have 500 Android Zebra scanners, you need to make sure they all open chrome to a local site. This can be done through the App Configuration Policy. One thing we did for was setup auto updates with zebra on our scanners. We did this with a App configuration profile.
The problem with it is the BYOD. App Configuration policies only work with managed apps. This means, if a user installs outlook through the company portal via intune, then you can manage it. However, if you install outlook through the store app, it just doesn’t work.
Why it gets confussing
Let’s be real, the names don’t help. “App Protection” and “App Configuration” sound way to similar. So here’s a simple mental hack to seperating devices vs app policies.
Device Configuration = Control the device itself.
App Configuration = Setup how the app works.
App Protection = Lock down the data inside the app.
Lets test this thinking out with a few senerios.
Possible Answers
Device Configuration Policy
App Configuration Policy
App Protection Policy
You want to prevent employees from copying data from teams to another non-company app.
Your factory has 300 kiosk devices. You want to make sure that the devices can’t be logged into by non-it users.
Doctors are using outlook on their personal phones. You need to prevent attachments from being saved locally.
Your compamy users Android enterprise, and you want to push bookmarks to chrome.
You want to rotate the local admin password on all of your windows 11 devices using windows LAPS
Force outlook to only use work accounts
Encrypt phones and force a pin lock on bring your own devices.
Here is a nice little chart to help with these.
Do I manage the entire device?
↳ Yes ➡ Device Configuration
↳ No ➡ Do I want to protect corporate data?
↳ Yes ➡ App Protection
↳ No ➡ Do I want to change how the app behaves?
↳ Yes ➡ App Configuration
Here are the answers.
App Protection
Device Configuration
App Protection
App Configuration
Device Configuration
App Configuration
None of the above, Yep, I tricked you, maybe. If it wasn’t a bring your own device, then you would be correct if you say device configruation profiles. Other than that, it’s nothing really.
Final Thoughts – “You Know More Than You Think”
This stuff is confusing, and Microsoft doesn’t always make it easy. But now, you’ve got the mental framework:
Device Config = You own the device
App Protection = You own the data
App Config = You shape the experience
Don’t worry about getting it perfect on the first try. Intune is meant to be layered. Pilot first, then scale.
If you ever get stuck again, just ask: “What exactly am I trying to control here?” The answer will almost always tell you the policy you need.
You’ve got this, lets get those devices vs app policies.
What can we learn as a person
In IT, we have access to a lot. More than most people will ever know.
We can shut down Windows Hello, enforce biometric logins, or require ID badges scanned by a camera just to unlock a screen. As system administrators, we often hold keys to every digital door. I could, right now, grant myself full access to every mailbox in the company — all in the name of “making admin easier.” I could quietly assign myself as an owner on every user’s OneDrive and SharePoint site using policies that no one would even notice.
That level of control? It’s terrifying, if you’re honest about it.
Because with great power doesn’t just come great responsibility. It comes with weight. A psychological and emotional load that most people never talk about.
Knowing that you can access someone’s private data — and choosing not to — becomes a moral and mental burden. It sits on your nervous system like a background process you can’t kill. Over time, that mental load becomes stress. That stress becomes anxiety. That anxiety becomes burnout, or worse — panic attacks that don’t go away.
Let’s go back to those access examples:
If you make yourself owner of every mailbox, and something illegal ends up in one — say, child pornography in OneDrive — you’re now not just an admin. You’re a co-owner of that content. You’re legally implicated. That’s not just a technical decision. That’s jail time.
When you hold that kind of access, your body knows, even if your conscious mind tries to ignore it. It keeps a tally. And that tally eventually tips the scale — panic attacks, heart strain, and real, physical damage.
The Illusion of Total Control
I’ve seen brilliant people collapse under the pressure of trying to control everything — juggling complex networks, hybrid systems, countless endpoints, compliance rules, and impossible expectations.
They thought the job was about mastery. But really, it’s about boundaries.
Technology is growing faster than any one human can keep up with. We’re now expected to specialize and generalize. To know cloud, on-prem, security, devices, data — and also keep every system running 24/7 with no mistakes.
That pressure? It breaks people.
So What Can We Learn?
Here’s what I’ve learned — sometimes the hard way:
Control less. Not because you’re lazy — but because your health matters more than a perfect config.
Set boundaries. Just because you can access something doesn’t mean you should.
Say no to full access. Delegate. Distribute. Limit yourself.
Audit yourself. Regularly review what you have access to, and ask: Do I really need this?
Let go. Systems don’t have to be perfect. People don’t have to be flawless. Neither do you.
You’re not here to own everything. You’re here to protect what matters — and that includes you.
So the next time you feel the urge to control every setting, script every failover, and be the hero of the whole system… Pause. Breathe. And remember: the best admins don’t control everything. They know what not to control — and they sleep better because of it.
If you’ve ever needed to extract specific information from a log file or validate user input in a PowerShell script, you’ve probably wished for a magic tool that could do the heavy lifting. Well, that’s exactly where regular expressions (regex) come in.
Regex is one of those tools that feels intimidating at first, but once you get the hang of it, you’ll start seeing patterns everywhere. It’s like suddenly being able to read the Matrix, except instead of dodging bullets, you’re filtering out bad email addresses or pulling MAC addresses from a system log.
Why Use Regex in PowerShell?
PowerShell has built-in support for regex, making it an incredibly powerful tool for system administrators, developers, and anyone who works with structured or unstructured text. Whether you’re:
Validating user input (like email addresses in a script)
Extracting important data from logs (like MAC or IP addresses)
Searching for patterns in massive amounts of text
Regex allows you to do all of this with just a few carefully crafted expressions. It’s like having a Swiss Army knife for text processing.
What We’ll Cover in This Guide
In this post, we’ll walk through three practical PowerShell regex use cases:
Email Addresses – How to validate email input and extract emails from a document
MAC Addresses – How to validate MAC addresses and find them in logs
IP Addresses – How to check if an IP is valid and pull all IPs from a file
Before we dive into these examples, we’ll go over some regex basics, including common syntax and flags that make regex so powerful. By the end, you’ll not only understand how regex works in PowerShell but also feel confident using it in your own projects.
Let’s get started!
Understanding Regex Flags and Syntax
Regular expressions might look like a confusing mess of symbols at first, kind of like trying to understand a cat’s behavior. One minute it’s purring in your lap, the next it’s knocking your coffee off the table. But once you start recognizing the patterns—like how a tail flick means back away, human—it all starts to make sense.
Regex is the same way. At first glance, it looks like a secret code of slashes, dots, and brackets. But once you learn the building blocks, you start seeing patterns everywhere, and suddenly, text manipulation in PowerShell becomes effortless. PowerShell has native support for regex, meaning you can use it to search, validate, and extract information with just a few well-placed symbols—kind of like bribing a cat with treats to do what you want.
Character Classes: Defining What to Match
Character classes allow you to specify what kind of characters should match. Instead of listing every possibility, regex provides shorthand notations.
Common Character Classes in PowerShell Regex
Character Class
Description
Example Match
\d
Matches any digit (0-9)
123 in abc123
\w
Matches any word character (A-Z, a-z, 0-9, _)
hello in hello_123
\s
Matches any whitespace (space, tab, newline)
The space in "Hello World"
.
Matches any character (except newline)
H or ! in "Hi!"
Example in Powershell:
"This is a test 123" -match "\d+" # Matches "123"
Quantifiers: Controlling Repetitions
Quantifiers define how many times a pattern should repeat.
Common Quantifiers
Quantifier
Description
Example Match
*
Matches 0 or more times
aaa in "aaaaa"
+
Matches 1 or more times
abc in "abc"
?
Matches 0 or 1 time (optional)
a in "a" or empty string
{n}
Matches exactly n times
333 in "333"
{n,}
Matches at least n times
111 in "11111"
{n,m}
Matches between n and m times
55 in "5555" (if {2,3})
Example in PowerShell:
"This is 55555" -match "\d{2,3}" # Matches "555"
Anchors: Defining Position in Text
Anchors don’t match actual characters but instead define where a match should occur.
Common Anchors
Anchor
Description
Example Match
^
Matches the start of a string
Hello in "Hello world"
$
Matches the end of a string
world in "Hello world"
\b
Matches a word boundary
cat in "cat dog" but not "scatter"
Example in PowerShell:
"This is a test" -match "^This" # Matches "This"
Escaping Special Characters
Some characters in regex have special meanings (like . or *). If you want to match them literally, you need to escape them with a backslash \.
Common Special Characters That Need Escaping
. (dot) → Matches any character, so use \. to match a literal dot.
* (asterisk) → Use \* to match an actual asterisk.
? (question mark) → Use \? to match a literal question mark.
Example in PowerShell:
"This is version 1.0.1" -match "1\.0\.1" # Matches "1.0.1"
How to Use Regex in PowerShell
PowerShell provides multiple ways to work with regex:
-match Operator – Checks if a string matches a pattern.
-replace Operator – Replaces matched patterns in a string.
[regex]::matches() – Extracts all matches from a string.
Extracting and Validating Email Addresses with PowerShell
When working with PowerShell scripts, validating user input is crucial—especially when dealing with email addresses. You don’t want users submitting "notanemail@oops" or "hello@.com" and breaking your workflow. Thankfully, regex makes it easy to verify if an email address is properly formatted and even extract all emails from a document.
Before we get into validating and extracting emails, let’s break down the regex pattern that makes it all work.
Breaking Down the Email Regex
Email validation might seem simple at first—just look for an “@” symbol, right? But things get complicated fast. A valid email address follows these rules:
A username section, which can include letters, numbers, dots, dashes, and underscores.
An “@” symbol separating the username from the domain.
A domain name that includes letters and numbers.
A top-level domain (TLD) like .com, .net, .org, etc.
A regex pattern that matches most valid email addresses looks like this:
+ → Ensures one or more of these characters exist.
“@” Symbol: @
The @ is a literal character—every valid email must have it.
Domain Name: [\w\.-]+
Just like the username, the domain allows letters, numbers, dots, and dashes.
Top-Level Domain (TLD): \.\w+
\. → Matches a literal dot before the TLD.
\w+ → Ensures at least one letter (like .com or .net).
Example Matches:
user@example.com
john.doe123@company.co.uk
admin-test@my-site.net
Invalid Matches:
@example.com (No username)
user@.com (Invalid domain name)
user@domain (No TLD)
This regex is great for general email validation, but in PowerShell, we need to apply it properly. Next, we’ll use this pattern in a ValidateSet to enforce correct email input in scripts.
Using Regex for PowerShell ValidateSet
PowerShell has built-in ways to enforce valid input in scripts, and one way to do this is by using regex inside a function. The function below checks if an email matches our regex pattern. If it’s valid, it returns $true; if not, it gives a reason why.
PowerShell Email Validation Function
function Test-EmailAddress {
param (
[string]$Email
)
$pattern = "^[\w\.-]+@[\w\.-]+\.\w+$"
if (-not $Email) {
return "False - No email provided."
}
if ($Email -match $pattern) {
return "True"
}
# Now let's figure out why it failed
if ($Email -notmatch "@") {
return "False - Missing '@' symbol."
}
if ($Email -match "@\." -or $Email -match "@$") {
return "False - Invalid placement of '@' or '.'"
}
if ($Email -notmatch "\.\w+$") {
return "False - Missing top-level domain (e.g., .com, .net)."
}
return "False - Invalid email format."
}
How It Works
Checks if an email is provided – If the input is empty, it immediately returns a failure message.
Validates using regex – If the input matches the regex pattern, it returns True.
Identifies why the email is invalid – It checks for common issues like missing @, misplaced dots, or a missing TLD.
This function is useful for scripts that require valid emails before proceeding. Next, we’ll explore how to extract all emails from a document using regex!
Finding All Email Addresses in a Document
If you’re working with logs, reports, or any large text files, regex is your best friend for extracting structured data like email addresses. Instead of manually scanning through lines of text, PowerShell can do the heavy lifting in seconds.
Here’s a script that:
Reads a file line by line.
Uses regex to find all email addresses.
Outputs the results to the console (or optionally saves them to another file).
PowerShell Script to Extract Emails from a File
function Get-EmailAddressesFromFile {
param (
[string]$FilePath
)
if (-not (Test-Path $FilePath)) {
Write-Host "Error: File not found at path: $FilePath"
return
}
$pattern = "[\w\.-]+@[\w\.-]+\.\w+"
$emails = @()
Get-Content $FilePath | ForEach-Object {
$matches = [regex]::Matches($_, $pattern)
if ($matches.Count -gt 0) {
$emails += $matches.Value
}
}
if ($emails.Count -eq 0) {
Write-Host "No email addresses found in the file."
} else {
Write-Host "Found $($emails.Count) email addresses:"
$emails | Sort-Object -Unique
}
}
# **Example Usage**
Get-EmailAddressesFromFile -FilePath "C:\path\to\your\file.txt"
How It Works
Checks if the file exists – Avoids errors if the file path is incorrect.
Reads the file line by line – Prevents loading large files into memory at once.
Uses regex to find emails – Looks for matches in each line.
Stores and displays unique results – Avoids duplicates and outputs all found emails.
Example File (C:\path\to\your\file.txt)
Hello John, please contact us at support@example.com.
You can also reach admin@company.net for further assistance.
But we dont want to see a snail@the white house.
However, we might @ your friend .com
How about a cheesecake@cheesecakefactory.com?
Script Output
Found 3 email addresses:
admin@company.net
cheesecake@cheesecakefactory.com
support@example.com
This script is super useful for extracting emails from logs, reports, or even messy text files. Next up, we’ll apply these same techniques to MAC addresses!
Extracting andValidating MAC Addresses with PowerShell
MAC addresses (Media Access Control addresses) are unique hardware identifiers assigned to network interfaces. If you’re dealing with network logs, device configurations, or security audits, you may need to validate or extract MAC addresses.
A valid MAC address follows one of these formats:
Colon-separated:00:1A:2B:3C:4D:5E
Hyphen-separated:00-1A-2B-3C-4D-5E
No separator:001A2B3C4D5E
But Cisco devices often use a dot-separated format:
Cisco-style:001A.2B3C.4D5E
Now, let’s break down the regex pattern that will help us match MAC addresses.
Breaking Down the MAC Address Regex
MAC addresses consist of six groups of two hexadecimal digits (0-9 and A-F), separated by colons, hyphens, or nothing at all. Here’s a regex pattern that matches all common formats:
([A-Fa-f0-9]{2}[:-]?){5}[A-Fa-f0-9]{2} → Matches colon, hyphen, or no separator formats.
Second Half: Cisco’s Dot-Format
([A-Fa-f0-9]{4}\.){2}[A-Fa-f0-9]{4} → Matches two groups of four hex digits separated by dots.
Example Matches:
00:1A:2B:3C:4D:5E
00-1A-2B-3C-4D-5E
001A2B3C4D5E
001A.2B3C.4D5E(Cisco format!)
Invalid Matches:
00:1A:2B:3C:4D (Only five pairs)
00:1G:2B:3C:4D:5E (Invalid hex digit G)
00::1A:2B:3C:4D:5E (Double colon is not valid)
Using Regex for PowerShell ValidateSet (Including Cisco Format)
We’ll now create a PowerShell function that checks if a given MAC address is valid. If it’s valid, it returns True; if not, it returns False with a reason why.
Updated PowerShell MAC Address Validation Function
function Test-MacAddress {
param (
[string]$MacAddress
)
$pattern = "^([A-Fa-f0-9]{2}[:-]?){5}[A-Fa-f0-9]{2}$|^([A-Fa-f0-9]{4}\.){2}[A-Fa-f0-9]{4}$"
if (-not $MacAddress) {
return "False - No MAC address provided."
}
if ($MacAddress -match $pattern) {
return "True"
}
# Identify why it failed
if ($MacAddress -notmatch "^[A-Fa-f0-9]+$" -and $MacAddress -notmatch "[:-\.]") {
return "False - Contains invalid characters."
}
if ($MacAddress -notmatch "([A-Fa-f0-9]{2}[:-]?){5}[A-Fa-f0-9]{2}" -and $MacAddress -notmatch "([A-Fa-f0-9]{4}\.){2}[A-Fa-f0-9]{4}") {
return "False - Incorrect format. Should be XX:XX:XX:XX:XX:XX, XX-XX-XX-XX-XX-XX, XXXXXXXX, or XXXX.XXXX.XXXX (Cisco)."
}
return "False - Invalid MAC address format."
}
How It Works
Checks if a MAC address is provided – Ensures input isn’t empty.
Uses regex for validation – If the input matches the pattern, it’s valid.
Identifies specific errors – Helps users understand why an input is invalid.
Now that we can validate a single MAC address, let’s move on to extracting all MAC addresses from a file!
Finding All MAC Addresses in a Document
This next script scans a file and extracts all MAC addresses using regex. It works just like our email extraction script, but with a MAC address pattern.
PowerShell Script to Extract MAC Addresses from a File
function Get-MacAddressesFromFile {
param (
[string]$FilePath
)
if (-not (Test-Path $FilePath)) {
Write-Host "Error: File not found at path: $FilePath"
return
}
$pattern = "([A-Fa-f0-9]{2}[:-]?){5}[A-Fa-f0-9]{2}|([A-Fa-f0-9]{4}\.){2}[A-Fa-f0-9]{4}"
$macAddresses = @()
Get-Content $FilePath | ForEach-Object {
$matches = [regex]::Matches($_, $pattern)
if ($matches.Count -gt 0) {
$macAddresses += $matches.Value
}
}
if ($macAddresses.Count -eq 0) {
Write-Host "No MAC addresses found in the file."
} else {
Write-Host "Found $($macAddresses.Count) MAC addresses:"
$macAddresses | Sort-Object -Unique
}
}
# **Example Usage**
Get-MacAddressesFromFile -FilePath "C:\path\to\your\file.txt"
How It Works
Checks if the file exists – Prevents errors if the file path is wrong.
Reads the file line by line – Efficient for large files.
Uses regex to extract MAC addresses – Searches each line for matches.
Stores and displays unique results – Removes duplicate addresses for cleaner output.
Found 3 MAC addresses:
00:1A:2B:3C:4D:5E
00-1A-2B-3C-4D-5E
001A.2B3C.4D5E
This script is super useful for network admins who need to extract MAC addresses from logs or reports. Next up, we’ll do the same for IP addresses!
Extracting and Validating IP Addresses with PowerShell
IP addresses are everywhere—logs, configs, audit reports—you name it. If you’re working with networking or security, you’ll often need to validate or extract IPs from text files.
We’re going to cover IPv4 and IPv6, because while IPv4 is still dominant, IPv6 is becoming more common.
What Makes an IP Address Valid?
IPv4 Format
Consists of four octets (groups of numbers) separated by dots: 192.168.1.1
Each octet must be between 0 and 255
IPv6 Format
Consists of eight groups of hexadecimal numbers (0-9, A-F), separated by colons: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
Can contain compressed notation (e.g., :: represents consecutive zero blocks)
Breaking Down the IP Address Regex
To match both IPv4 and IPv6, we’ll use two separate regex patterns.
⚠️ This regex does not handle compressed IPv6 addresses (::), but we’ll take care of that in PowerShell logic!
Using Regex for PowerShell ValidateSet
Now, let’s create a PowerShell function to validate both IPv4 and IPv6 addresses.
PowerShell IP Address Validation Function
function Test-IPAddress {
param (
[string]$IPAddress
)
$ipv4Pattern = "^(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])){3}$"
$ipv6Pattern = "^([A-Fa-f0-9]{1,4}:){7}[A-Fa-f0-9]{1,4}$"
if (-not $IPAddress) {
return "False - No IP address provided."
}
if ($IPAddress -match $ipv4Pattern) {
return "True (IPv4)"
}
if ($IPAddress -match $ipv6Pattern -or $IPAddress -match "^(::|([A-Fa-f0-9]{1,4}:){1,6}:?([A-Fa-f0-9]{1,4})?)$") {
return "True (IPv6)"
}
return "False - Invalid IP address format."
}
How It Works
Checks for input – Ensures an IP address was provided.
Matches against IPv4 regex – If valid, returns True (IPv4).
Matches against IPv6 regex – If valid, returns True (IPv6).
Handles compressed IPv6 (::) – Using additional PowerShell logic.
Returns an error if invalid – Helps troubleshoot incorrect formats.
Now, let’s move on to extracting all IPs from a document!
Finding All IP Addresses in a Document
This script scans a file and extracts all IPv4 and IPv6 addresses.
PowerShell Script to Extract IP Addresses from a File
function Get-IPAddressesFromFile {
param (
[string]$FilePath
)
if (-not (Test-Path $FilePath)) {
Write-Host "Error: File not found at path: $FilePath"
return
}
$ipv4Pattern = "\b((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\b"
$ipv6Pattern = "\b([A-Fa-f0-9]{1,4}:){1,7}[A-Fa-f0-9]{1,4}\b"
$ipAddresses = @()
Get-Content $FilePath | ForEach-Object {
$matchesIPv4 = [regex]::Matches($_, $ipv4Pattern)
$matchesIPv6 = [regex]::Matches($_, $ipv6Pattern)
if ($matchesIPv4.Count -gt 0) {
$ipAddresses += $matchesIPv4.Value
}
if ($matchesIPv6.Count -gt 0) {
$ipAddresses += $matchesIPv6.Value
}
}
if ($ipAddresses.Count -eq 0) {
Write-Host "No IP addresses found in the file."
} else {
Write-Host "Found $($ipAddresses.Count) IP addresses:"
$ipAddresses | Sort-Object -Unique
}
}
Example File (C:\path\to\your\file.txt)
Server 1: 192.168.1.1
Server 2: 255.255.255.255
Router: 2001:db8:85a3::8a2e:370:7334
Log Entry: Invalid IP -> 999.999.999.999
Script Output
Found 3 IP addresses:
192.168.1.1
255.255.255.255
2001:db8:85a3::8a2e:370:7334
Regex Exploration in PowerShell
At this point, you’ve seen how regex can validate, extract, and manipulate data in PowerShell. Whether it’s emails, MAC addresses (including Cisco formats), or IPs (both IPv4 and IPv6), you now have practical tools to handle real-world scenarios.
Why Keep Learning Regex?
Regex is one of those skills that pays off the more you use it. The same way a system admin gets better at troubleshooting networks over time, you’ll get faster at spotting patterns and writing efficient expressions.
Here are some great ways to keep sharpening your regex skills:
Practice on Real Logs – Take a firewall log, an Apache log, or an email report and extract useful data.
Use Online Regex Tools – Websites like regex101.com let you test regex patterns with real-time explanations.
Experiment with PowerShell – Try using -match, -replace, and [regex]::Matches() in your daily scripts.
Challenge Yourself – Create a script that finds phone numbers, dates, or even URLs in a document.
Regex is a skill, not magic. It may look complex at first, but like learning any new language, it becomes second nature with practice. The best way to improve? Find a problem and solve it with regex.
So, what’s your next PowerShell regex use case going to be?
What can we learn as a person today?
When a script fails, we don’t just throw our hands up and quit—we debug it. We check the logs, isolate the issue, and find a fix. But when our own minds start feeling overwhelmed, anxious, or burned out, we often just push through, hoping the problem resolves itself. What if we approached our mental health like we approach troubleshooting code? Debugging isn’t just for PowerShell scripts—it can work for stress, too.
Find the errors
The first step in debugging stress is identifying the error messages. In IT, a recurring issue in the logs might mean something deeper is wrong, and the same goes for mental health. Are you feeling exhausted every morning? Snapping at coworkers over small things? Losing focus even on tasks you usually enjoy? These could be your mind’s version of Event ID 1000: Application Crash. Instead of ignoring the warning signs, acknowledge them—just like you would in a system check.
Analyze the variables
Next, we analyze the variables. Just like a misconfigured setting can break a script, small changes in your routine can make or break your mental well-being. Are you sleeping enough? Eating well? Taking breaks? IT professionals are notorious for skipping meals, working through exhaustion, and staying up late chasing down problems. But just like an unstable system needs a reboot, your brain needs rest. Run a self-check—what’s missing from your routine that could improve stability?
Implement something
Finally, implement a fix and test the results. Maybe you start with a simple -replace—swapping out caffeine overload for proper hydration or scheduling actual breaks instead of “just five more minutes.” Maybe you automate self-care reminders, like setting a PowerShell script to remind you every hour to step away from the screen. And if the issue persists? Just like with a stubborn bug, escalate it—talk to a friend, mentor, or even a therapist. There’s no shame in calling in extra support when needed.
In IT, we don’t assume things will “just work”—we test, refine, and optimize. Treat your mental health the same way. Debug your stress, adjust your variables, and don’t be afraid to run an upgrade on your self-care routine. The best systems run smoothly when properly maintained—and that includes you.
Recently I switched ISP providers. The one I was using started the price increase game. We picked up the ISP while it was $70 per month for 1 GB. They are the only physical line provider in my town. The town has a law that “beautifies” the power lines. This means only one ISP with cables is allowed to use them. They also have a digging bill. It was designed by a corrupt city council to keep this one ISP as the primary provider. Well, this ISP has started their price walking. They start off with $10 fines here and there. Finally, it reaches $200 after a year for 1 GB. For years, the only other option has been HughesNet. Thankfully, T-Mobile has stepped in. However, they are CG-Nated and a home lab is hard to work with.
CG-NAT
Most people don’t know what CG-NAT is and how ugly it can get.Carrier-grade NAT is where the carrier places you inside a natted bubble. This saves IP addresses. You are essentially part of a nested network. It’s all nated inside each other. It tends to be standard to have your own network, then the carriers, then the public. So while you can reach therandomadmin.com with a public IP address, you can’t reach my home network with one. CGNs do not allow for port forwarding. These networks are ideal for simple plug-and-play networks. However, they are sad for us IT home lab people.
There is a ray of hope with these types of networks. VPN over SSL. This can be done via WireGuard and other VPN software. The thing to remember is you need an external, public-facing device. That’s where Oracle comes into play. Remember in my blog about free WordPress, we built an Oracle Cloud server. We are going to use this beast to get around our CG-NAT issue and open some of our services to the world. This makes a CG-NATed home lab really hard to work with, but we have magic on our side.
The Magical Connections
Ok, so we are going to use our Oracle Cloud server and combine it with our Tailscale network. Our Oracle Cloud server already has an Apache server on it. All we have to do is enable the reverse proxy settings on it.
Now we need to take our Tailscale network and make some reverse proxies. We are going to be doing the Docker world this time around. You can read about setting up your Docker in WordPress here. Once you have your Docker setup on your home lab server, take note of the IP address and the port number of that Docker. Please ensure you can access it locally before proceeding with any other tasks. With this first step, our CG-NATed home lab is going public.
DNS
The next part is important. I use Namecheap DNS. What you need to do is set the DNS to the Oracle host. For my example, I am pointing to therandomadmin.com host IP address for it.dpb.one. DNS can take some time to populate as well. A good rule of thumb I follow is, if you can’t ping it and get the IP address you want, wait.
Reverse Proxy
Now we will make our reverse proxy on the Apache side. First you will need to make the conf file inside your site’s available location.
The above command will create the file and drop you into the nano prompt. This is a configuration file for one of my home lab devices. I want you to read over this file.
<VirtualHost *:80>
ServerName it.dpb.one
ProxyPreserveHost On
# Point directly to lab app's port (9000 in this example)
ProxyPass / http://100.104.5.106:9000/
ProxyPassReverse / http://100.104.5.106:9000/
RequestHeader set X-Forwarded-Proto "http"
RequestHeader set X-Forwarded-For "%{REMOTE_ADDR}s"
ErrorLog ${APACHE_LOG_DIR}/it.dpb.one-error.log
CustomLog ${APACHE_LOG_DIR}/it.dpb.one-access.log combined
</VirtualHost>
breaking it down
Just like any other virtual host, we are starting off with our tags. Then we have the name of the server. So, when DNS points the it.dpb.one to the IP address. Apache will be like, I know this. It knows it’s a reverse proxy because it sees that Proxy Preserve Host on. Then it grabs the proxypass and the proxy return pass. This is where we want to put the IP addresses.
Notice this line: ProxyPass / This / is important. If you want to make a subdirectory, this is where you would place it. So, let’s say I wanted it.dpb.one/nextcloud to point to another server that hosts my Nextcloud; that is where I would place it. The next part will be the inside of your network. Notice the IP address is the Tailscale IP address.
RequestHeader set X-Forwarded-Proto "http"
RequestHeader set X-Forwarded-For "%{REMOTE_ADDR}s"
The next two lines are for custom items. The first tells us we are using HTTP. So the requests internally are HTTP. You can set this to HTTPS if you like. However, you will get cert errors. The second line is to pass the remote user’s IP address and not the host’s to the machine in question. If you don’t want the user’s IP address to hit your machine, then leave this line out. While the final two lines are for logging.
Now run the next two commands; the first is to enable the conf file, and the final is to load it into the Apache system.
Finally, we like having SSL on things. I feel like if you are not using an SSL on a site, something is wrong with you. SSLs are free thanks to Certbot and the Electronic Frontier Foundation. Please donate to these people as they are doing great work. So on the Oracle Cloud server, you can run the certbot command for the domain. If you don’t have Certbot installed, here are some nice instructions.
sudo certbot --apache -d it.dpb.one
Once you have the cert setup, you will notice another file is created inside your sites-available location. Everything else is done for you at this point. Now you can access the website from the remote world. You can’t, however, access SSH remotely. This is a good protection. But, but, Random, I want to access my home lab via SSH.
Setting up SSH Jump Box
So, you want to be able to type ssh and your site’s name and go straight to your home lab. Here is what I have to say: don’t. Years of experience tell me this is a bad idea.
However, what you can do is SSH into the Oracle Cloud, then SSH into the Tailscale box. Your Oracle Cloud is your jump box now. It’s best to keep it that way for security. What’s amazing about Tailscale is if you have it on your PC, you can access your machines via the Tailscale IP address with SSH. If you don’t, just use the Oracle Cloud’s SSH.
Warnings
A CG-NATed home lab is much slower than a regular home lab. The reason why is you are going in and out of that Tailscale network over and over again. It slows things down. It gets much slower when you add the SSL. The first time you connect to it, it takes a good 10 seconds to load because it’s grabbing all of that information. So don’t use it for the following:
Gaming
Plex/Jellyfin
audiobooks
All of those take up large amounts of data. It’s not worth the effort. Your Plex will work locally inside your home network. You may need a DHCP box of some sort; other than that, you are good to go.
What can we learn as a person
While cutting my grass, I noticed that the grass was growing through the asphalt. A little dandelion. I like these flowers, as they make great tea. It was growing through that hard rock. While the others were growing in the grass. This little weed grew and became a beautiful yellow flower. In the plant world, if it didn’t make it through the rock, it would have died. Often times we see these “weeds” growing through these rocks, like concrete. I love seeing a dandelion growing through a concrete slab. It takes advantage of the cracks in the stone and shines.
Often times people face hardships and stop growing. These people don’t make it a habit to find a way around those hardships. Those systems that are in place to keep us locked down. For years women in the science community have been like this. They are beautiful dandelions who have brought so much to this world, but because of their physical gender, many of their discoveries were taken credit for by men. However, when you see one who gets the credit, they shine. The asphalt is the systems we are born into. The hardships we have to face. No one sees those hardships unless they look for them. It’s not part of human nature yet to look for them.
So, if you ever see someone and think, They should be farther along than they are, what hardships did they face, and how much of a dandelion are they? The same is true for those who are shining. There is a story behind everyone, and to explore that story is to find connection and community. With community we can find real joy. We are social creatures, and we all have our own unique stories. Maybe it’s time for us to share more of it with each other.
We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it.Ok
