Posts on Aperture Zone

Watercooling forever

Fri, 17 Apr 2026 00:00:00 +0000

Round three of the water cooling saga. An old-timer, a 2001 Juno P6 Full Tower, a Ryzen 7 5700X that was overheating with air cooling, an angle grinder, a Dremel, and a Corsair iCUE H100i.

> The first two installments of the water cooling saga were intentionally brief—a few photos, the essentials, no long-winded stories. This time, I’ve decided to give you a real treat. You’ve been warned.

“I want one too”

There’s one phrase that sums up the whole project: “I want one too”.

TrueNAS SCALE: unfiltered feedback

Tue, 14 Apr 2026 00:00:00 +0000

In recent years, TrueNAS SCALE has established itself as the go-to open-source solution for building a high-performance NAS for personal use. Based on Debian Linux and powered by ZFS, it promises the best of both worlds: the robustness of an enterprise-grade file system and the flexibility of a modern platform with containers and integrated applications. On paper, it sounds appealing. In practice, it’s a bit more nuanced—and that’s the focus of this article.

Cisco ASA & Firepower FTD - Complete Guide

Sun, 12 Apr 2026 00:00:00 +0000

> Comprehensive Guide: Beginner to Expert — Cisco ASA 5500-X · Firepower FTD · FMC · AnyConnect · Snort IPS 3

Part 1 — Cisco ASA

Part 2 — ASA to FTD Migration

Part 3 — Cisco Firepower FTD

Installing Passbolt CE on Ubuntu 24.04 with an internal CA

Thu, 09 Apr 2026 00:00:00 +0000

> When I decided to set up my own Passbolt server, I relied on the excellent article by caddy666: https://aperturezone.fr/posts/passbolt/. However, the version has evolved quite a bit since then, and several steps no longer matched what I was seeing on my screen. So I decided to write an update—this in no way detracts from the relevance of the original article, which remains a very good introduction to Passbolt, but the steps below reflect the current state of version CE 5.10.0 on Ubuntu 24.04.

OCS Inventory NG - What the doc doesn't say

Thu, 09 Apr 2026 00:00:00 +0000

The Project

The initial idea was simple: deploy OCS Inventory NG to centralize the hardware and software inventory of the infrastructure. A server, agents, a web console. Nothing too complicated.

Spoiler: I thought it would be a piece of cake, but it turned out to be a real headache.

Act 1 — Server Installation, or "Perl Is Your Enemy"

Installing OCS on the server side involves a setup.sh script that asks questions. Lots of questions. And it expects precise answers—pressing Enter without thinking is a recipe for disaster.

DRP on Hyper-V with Veeam: from chaos to clean failover

Fri, 03 Apr 2026 00:00:00 +0000

I have a virtualized infrastructure running on Hyper-V with a separate backup/DRP server. The entire stack runs on 19 VMs: two Active Directory domains with domain joining, Linux DNS forwarders (BIND9), RADIUS, monitoring, application services… in short, not something we can afford to just reboot haphazardly.

The project’s objective was simple to state, but complex to achieve:

> Switchover the entire infrastructure to the DRP server with minimal effort, ensuring service continuity (at the very least, not cutting off internet access), then return to production cleanly.

Backing up GPOs with Ansible and WinRM

Thu, 02 Apr 2026 00:00:00 +0000

Group Policy Objects are at the heart of any robust Active Directory infrastructure. They define security settings, permissions, device configurations, and software restrictions. In the event of a disaster, human error, or simply a need to roll back after a change, not having a backup of your GPOs means facing hours of tedious reconstruction.

The graphical interface of the Group Policy Management Console does offer a backup feature, but it is manual, easy to overlook, and, most importantly, not versioned. The goal of this article is to automate this process cleanly using Ansible via WinRM, on an infrastructure comprising two separate Active Directory domains, with long-term archiving on a NAS and reporting via email.

Active Directory: krbtgt, from theory to practice

Wed, 01 Apr 2026 00:00:00 +0000

In the first part of this article, we laid the groundwork: what the krbtgt account is, why the Golden Ticket is a serious threat, and a theoretical Ansible architecture for automating rotations. If you haven’t read that part, I encourage you to start there.

Now we’re getting down to business. The playbook in Part 1 was intentionally simplified to illustrate the concept. In a real production environment, things get complicated—the interactive script that refuses to be controlled, the XML file that can’t be found, the Kerberos double-hop that blocks everything, the root forest that isn’t what we think it is. These are all obstacles I’ve encountered and resolved, which I’m documenting here.

Server 2022 migration: multi-domain forest

Fri, 27 Mar 2026 00:00:00 +0000

In a previous post, I described the 2016 functional upgrade and the approvals audit between my two domains. I ended on this note: "I’ll also need to think about upgrading the OS on my other controllers."

Well, that’s done.

Background

The infrastructure is based on a two-domain Active Directory forest:

A forest root domain, dedicated to servers and hypervisors—two domain controllers ensure its availability. The first holds the domain roles (PDC Emulator, RID Master, Infrastructure Master), while the second holds the forest roles (Schema Master, Domain Naming Master).
A child domain, dedicated to workstations and users—also with two domain controllers. The first holds the domain’s FSMO roles as well as the DNS service and the primary DHCP. The second ensures continuity: Global Catalog, secondary DNS, failover DHCP, and Certificate Authority. Without these roles, a second DC would be nothing more than a passive replica—so we might as well give it a real reason to exist.

All were running on Windows Server 2016, for which mainstream support ended in 2022 and extended support ends in January 2027. The time had come to migrate to Windows Server 2022.

Active Directory: krbtgt the scary account

Wed, 25 Mar 2026 00:00:00 +0000

There are elements in Active Directory that we completely forget about because they never come up in day-to-day operations. The krbtgt account is one of them. Though invisible in everyday use, it is at the heart of all Kerberos authentication in your domain—and its compromise is one of the most catastrophic scenarios an attacker could trigger.

In this article, we’ll explore what this account really is, why you need to change its password regularly, and how to automate this process cleanly with Ansible.

Automate network device configuration backup with Ansible

Mon, 23 Mar 2026 00:00:00 +0000

Whether in a home lab or a professional infrastructure, network equipment is often overlooked in backup strategies. We think about backing up VMs, data, and servers—but rarely the configurations of switches and Wi-Fi access points. However, in the event of a failure or hardware replacement, not having the configuration on hand can result in hours of work to rebuild the system.

In this article, we’ll set up an Ansible playbook that automatically backs up our network equipment configurations, stores them locally with a 30-day retention period, and sends an HTML report via email after each run.

Spanning Tree Protocol: understanding and deploying STP/MSTP

Fri, 13 Mar 2026 00:00:00 +0000

Introduction

If you have multiple switches, you’ve surely heard of the Spanning Tree Protocol. But there’s often a gap between theory and practice—especially when you encounter unusual hardware with unexpected interfaces.

This article details a real-world implementation of MSTP on three HP 1910 switches (based on Comware H3C), including the problems encountered and the solutions found. Spoiler: the GUI won’t be your friend.

Why STP?

The Loop Problem

In a network with multiple interconnected switches, physical loops can exist—whether intentional for redundancy or accidental. Without protection, a broadcast frame enters a loop and circulates indefinitely, duplicating itself with each pass. Within seconds, the network is 100% saturated: this is a broadcast storm, and it renders the infrastructure completely unusable.

Aperture Zone now available in English!

Thu, 12 Mar 2026 00:00:00 +0000

Good news! Aperture Zone is now available in English at aperturezone.com!

Starting today, all of our technical articles are available in both languages:

🇫🇷 French version: aperturezone.fr
🇬🇧 English version: aperturezone.com

Automatic translation

To make our content accessible to as many people as possible, we use DeepL automatic translation. Articles are translated automatically when they are published.

Important note: Caddy666 will manually review and correct the translations to ensure quality and technical accuracy.

PFSENSE - Complete & Professional Guide

Thu, 12 Mar 2026 00:00:00 +0000

> Advanced Professional Guide — pfSense 2.7+ · FreeBSD · OpenVPN · IPsec · VLAN · HAProxy · Snort / Suricata

1. Hardware & environment prerequisites

pfSense is based on FreeBSD and requires dedicated or virtualized hardware for optimal performance in production.

LACP on HP V1910 (H3C Comware)

Wed, 11 Mar 2026 00:00:00 +0000

> Infrastructure involved: HP V1910 (x2), Synology NAS (x3), TrueNAS, Windows Server 2022 (Hyper-V)

LACP (Link Aggregation Control Protocol), defined by the IEEE 802.3ad standard (part of 802.1AX), allows multiple physical links to be grouped into a single logical link called a LAG (Link Aggregation Group). There are numerous benefits:

Increased aggregate bandwidth for multiple traffic flows
Automatic redundancy: if a physical link fails, the others take over without intervention
Dynamic negotiation: the protocol detects and adapts to changes in link status

> ⚠️ Important: LACP does not increase the throughput of a single flow. A given flow always remains on the same physical link (hashing). The benefit is realized across multiple simultaneous flows.

HTTPS on HP ProCurve V1910

Tue, 10 Mar 2026 00:00:00 +0000

Securing access to the web interface of managed switches is one of those tasks that seems trivial on paper. On recent hardware, it is indeed trivial. On HP ProCurve V1910 switches—Comware v5 switches that are still used in many home labs and small infrastructures—it's a different story. This article documents the entire project, the pitfalls, the discoveries, and an honest conclusion about what it's really worth.

The test infrastructure: three HP V1910 switches (firmware 5.20 Release 1519P06) on a dedicated, isolated management VLAN with no Internet access. An internal CA based on OpenSSL runs on a Linux server in the infrastructure.

WiFi WPA2-Enterprise authentication with NPS and Active Directory

Sat, 07 Mar 2026 00:00:00 +0000

Are you tired of managing a shared WiFi key that everyone knows, which you never dare to change for fear of having to reconfigure all your devices? The clean solution is WPA2-Enterprise—each user authenticates with their own Active Directory credentials, without ever entering a WiFi password. The domain-joined laptop connects automatically, transparently, as soon as the Ethernet cable is unplugged.

In this article, we'll transform an existing SSID into WPA2-Enterprise using NPS (Network Policy Server) as the RADIUS server, Active Directory for user management, and a GPO to automate the connection on domain laptops. We'll use Cisco Aironet access points in standalone mode.

Watercooling, oops i did it again!

Fri, 06 Mar 2026 00:00:00 +0000

I emptied my Pea and treated myself to a second Corsair kit (actually, it was on sale and begged me to buy it). Unlike the first article I published, this case was not designed to accommodate water cooling at all. You'll see that you'll need to get out the angle grinder!

Here is the tower before modification. It's not in its prime, but it's functional. It's an Antec from the early 2010s.

Active Directory: 2016 functional upgrade and approval audit

Mon, 02 Mar 2026 00:00:00 +0000

There are some projects that we put off for years. Not because they're impossible, but because there's always something getting in the way. In my case, it was Exchange 2013—that good old mail server that stood in the way of any attempt to modernize the AD. Since migrating to a lighter solution, the coast was clear. So here's the story of a busy night's work.

The context

The infrastructure runs on two separate Active Directory domains linked by a two-way trust relationship:

Hardening AD with PingCastle

Thu, 26 Feb 2026 00:00:00 +0000

PingCastle & Hardening Active Directory

Active Directory is the cornerstone of identity and access management in most Windows environments. Its critical nature also makes it a prime target for attackers. A poorly configured AD can allow privilege escalation, lateral movement, or even total domain compromise.

PingCastle is now one of the benchmark tools for assessing the security posture of an Active Directory. It was developed by Vincent Le Toux, a renowned French expert in offensive security circles whose mastery of Windows and Active Directory internals is widely recognized. He is said to have close ties to ANSSI—a persistent urban legend in the community, fueled by the depth and quality of the tool's detection rules, which reflect a knowledge of attack vectors rarely achieved outside of government circles. Vincent Le Toux is also co-author of mimikatz, the global benchmark tool for extracting Windows credentials.

Integrating a watercooler into an old LianLi box

Wed, 25 Feb 2026 00:00:00 +0000

#For Christmas, I was given a CORSAIR water cooling kit. This isn't an advertisement; I just think it's good equipment. (Yes, Santa Claus does exist! Here's the proof!)

So here's the tower that will integrate the water cooling before modifications. It's a Lian Li case that's between 10 and 15 years old, but still very clean and functional.

There you go, I've made some space to work.

Automation with Ansible

Tue, 24 Feb 2026 00:00:00 +0000

Package updates, NTP synchronization, and HTML email notifications on Ubuntu 24.04

Manually managing multiple Linux servers quickly becomes tedious and prone to errors: forgotten updates, undetected time zone differences, inconsistent NTP configurations, etc. Ansible solves this problem by allowing you to automate system administration in a reproducible way, without having to install an agent on the target machines.

We will set up an Ansible server on Ubuntu 24.04 LTS, configure a server inventory, and deploy a complete playbook that performs the following in a single execution:

Internal mail server with postfix and dovecot

Mon, 23 Feb 2026 00:00:00 +0000

I need an internal mail server (it will not be open to the outside world) to receive posts from the infrastructure in general, router switch, or backup reports. We will do this with Postfix and Dovecot on Ubuntu 24.04. The emails are intended for an existing AD user.

1. Join the server to the Active Directory domain with SSSD

Install the necessary packages

sudo apt update
sudo apt install realmd sssd sssd-tools adcli samba-common-bin libnss-sss libpam-sss

Discover and join the domain

# Check that the domain is accessible
realm discover mydomain.local

# Join the domain (an AD account with sufficient rights is required)
sudo realm join --user=Administrator mydomain.local

Check the join

realm list

You should see something like:

Installing and securing Passbolt

Fri, 20 Feb 2026 00:00:00 +0000

Passbolt Configuration and Security Tutorial

This tutorial covers the installation, configuration, and security of a Passbolt server: Documentation

Prerequisites

A domain name/host name pointing to a server, or at least the ability to reach the server via a static IP address.
A VM with at least 2 cores and 2 GB of RAM
An SMTP server
A functional NTP service to avoid GPG authentication issues
Ubuntu Server 24.04 with LVM encryption
Provision SSL certificates

It is important to use a clean server with no other services or tools already installed. The installation scripts could potentially crash and damage data.

VM configuration:

Clonezilla + Samba server

Thu, 19 Feb 2026 00:00:00 +0000

Okay, we've seen how to create a Clonezilla image, and we've also seen how to restore it. All of that was done locally, so now we're going to do the same thing but with remote storage on the network. We're going to work with a share on a Microsoft server with authentication.

I'll start by creating a user on the AD.

I'm not going to complicate things too much; the user is called clonezilla.

Backup system with Clonezilla

Wed, 18 Feb 2026 00:00:00 +0000

Download the latest ISO from https://clonezilla.org/downloads.php and prepare a bootable USB key or boot pxe with Iventoy, for example

This is the welcome screen. It's minimalist, but that's all you need.

Select French at random.

We'll choose a French keyboard, as it will be more practical.

Select Latin9.

Start Clonezilla, of course.

We are going to create an image of an entire disk, so we select device-image.

Restore system with Clonezilla

Wed, 18 Feb 2026 00:00:00 +0000

We have seen how to create a system image with Clonezilla. Now we are going to restore it. In the previous article, we saw how to start up, set up the French keyboard, etc. I won't repeat the screenshots.

We reselect our /dev/sdd1/CLONEZILLA folder as the source.

And we confirm.

Expert mode, of course.

So this time we select restoredisk

Raid controller replacement

Mon, 16 Feb 2026 00:00:00 +0000

Problem with my IBM ServeRaid M5015 controller. I found the same one second-hand on eBay for €30. So replacement will be seamless with a foreign config import.

Here's the beast. The fan on top is already custom-made because it was heating up a lot.

Removing the fan to reuse it.

Same for the battery.

Here is the replacement

Boote PXE with Iventoy

Sun, 15 Feb 2026 00:00:00 +0000

Ventoy, which many people are familiar with, can be installed on a USB drive or external hard drive. You add ISOs and boot from the ISO you want to use. Less well known is the PXE server version.

A nice logo

wget https://github.com/ventoy/PXE/releases/download/v1.0.21/iventoy-1.0.21-linux-free.tar.gz to retrieve the archive

tar -xvf iventoy-1.0.21-linux-free.tar.gz To unzip

sudo ./iventoy.sh start You can now connect to your Iventoy server's GUI

QUADRO Revival

Sat, 14 Feb 2026 00:00:00 +0000

I needed to install a graphics card for a machine intended for office use. I dug out this old Quadro from the grave, but what an unbearable noise it makes! The fan shaft has play, it rubs and squeaks like an animal in agony.

It's not in its prime, but it works…

Oh, there's a nice layer of crap inside…

A quick blast with a 3-bar air gun later…

Mod of an Nvme SSD

Fri, 13 Feb 2026 00:00:00 +0000

I noticed by chance that my M2 SSD was getting really hot. I couldn't even leave my finger on it, so I took it apart.

Here's the baby.

Warranty void if removed… choose between the label or overheating? The choice is easy, we'll remove the label.

I cut a radiator to the right size from an old Pentium 3 radiator that was lying around.

Welcome to Aperture Zone

Fri, 13 Feb 2026 00:00:00 +0000

Beyond Specs. Deep Tech Stories.

Welcome to APERTURE ZONE, a space dedicated to technical experiments, infrastructure, and hacks that go beyond simple specifications. There's a world of difference between the datasheet and reality in the field. Because true expertise isn't found in marketing benchmarks, but in the hours spent debugging, optimizing, and understanding why it overheats, why it lags, why it doesn't scale. We're done with corporations that sell you equipment and promise you the moon, copy-and-paste tutorials that don't work, and best practices that ignore the real constraints of the field. Here, we talk about what really works. What really crashes. Solutions we found at 3 a.m. when everything goes haywire. We're not saying it's better. We're not saying it's for everyone. But it's our way of doing IT. This site is not sponsored. We don't sell anything. We don't do product placement. If we talk about a piece of equipment, it's because we actually use it and have an opinion about it. The configurations we share are what we use ourselves. For real. Not in a sterile lab, but in our racks, with our constraints, our extremely limited budgets, our sometimes aging hardware that we keep running because we know how.

Posts on Aperture Zone

Watercooling forever

“I want one too”

TrueNAS SCALE: unfiltered feedback

Cisco ASA & Firepower FTD - Complete Guide

Table of Contents

Installing Passbolt CE on Ubuntu 24.04 with an internal CA

OCS Inventory NG - What the doc doesn't say

The Project

Act 1 — Server Installation, or "Perl Is Your Enemy"

DRP on Hyper-V with Veeam: from chaos to clean failover

Backing up GPOs with Ansible and WinRM

Active Directory: krbtgt, from theory to practice

Server 2022 migration: multi-domain forest

Background

Active Directory: krbtgt the scary account

Automate network device configuration backup with Ansible

Spanning Tree Protocol: understanding and deploying STP/MSTP

Introduction

Why STP?

The Loop Problem

Aperture Zone now available in English!

Automatic translation

PFSENSE - Complete & Professional Guide

Table of Contents

1. Hardware & environment prerequisites

LACP on HP V1910 (H3C Comware)

HTTPS on HP ProCurve V1910

WiFi WPA2-Enterprise authentication with NPS and Active Directory

Watercooling, oops i did it again!

Active Directory: 2016 functional upgrade and approval audit

The context

Hardening AD with PingCastle

PingCastle & Hardening Active Directory

Integrating a watercooler into an old LianLi box

Automation with Ansible

Package updates, NTP synchronization, and HTML email notifications on Ubuntu 24.04

Internal mail server with postfix and dovecot

1. Join the server to the Active Directory domain with SSSD

Install the necessary packages

Discover and join the domain

Check the join

Installing and securing Passbolt

Passbolt Configuration and Security Tutorial

Prerequisites

It is important to use a clean server with no other services or tools already installed. The installation scripts could potentially crash and damage data.

VM configuration:

Clonezilla + Samba server

Backup system with Clonezilla

Restore system with Clonezilla

Raid controller replacement

Boote PXE with Iventoy

QUADRO Revival

Mod of an Nvme SSD

Welcome to Aperture Zone

Beyond Specs. Deep Tech Stories.