2026-04-12 · linux
I keep forgetting which systemd sandboxing options are safe defaults for long-running daemons, so I'm writing it down. PrivateTmp, ProtectSystem=strict, NoNewPrivileges, RestrictSUIDSGID, plus a sane CapabilityBoundingSet cover most footguns…
2026-03-28 · networking
Linux ships with tcp_keepalive_time=7200 by default — two hours before the first probe. On modern NAT'd networks (carrier-grade NAT especially), idle TCP connections die long before that. Notes on tuning…
2026-02-15 · databases
SQLite's WAL mode is excellent for read-heavy workloads, but a single hot writer can still hit SQLITE_BUSY when checkpoint frequency doesn't match write throughput. Recently fought this on a small panel app…
2026-01-22 · ops
The depends_on condition syntax in compose v3 was dropped, then partially restored in compose v2. Half a day of confusion later, here's a working pattern for a postgres + app dependency…
2025-12-05 · linux
A 1 GB VPS will happily let journalctl consume a third of the disk before noticing. SystemMaxUse and a vacuum cron solve it, but the syntax differs between drop-in and main config…