Systemd - Tag - arleo.euhttps://www.arleo.eu/en/tags/systemd/Systemd - Tag - arleo.euHugo -- gohugo.ioenSat, 09 May 2026 13:04:20 +0200Post-mortem: 3 MCP timeouts — IPAddressDeny + Cloudflare + NFShttps://www.arleo.eu/en/posts/postmortem-mcp-timeouts-cloudflare/Sat, 09 May 2026 13:04:20 +0200Jmrhttps://www.arleo.eu/en/posts/postmortem-mcp-timeouts-cloudflare/

Context

I deployed a Hugo MCP Server (FastAPI, 7 tools) that lets me edit arleo.eu from Claude.ai. Architecture: claude.ai → mcp-oauth-proxy NUC → hugo-mcp-proxy NUC → MCP server VM.

]]>systemd hardening: taking a Python service from 9.6 to 1.7https://www.arleo.eu/en/posts/hardening-systemd-mcp/Sat, 09 May 2026 13:02:29 +0200Jmrhttps://www.arleo.eu/en/posts/hardening-systemd-mcp/

TL;DR

systemd-analyze security is an underused tool. It scans your unit files and computes an exposure score from 0.0 (UNSAFE) to 10.0 (PERFECT). Custom Python services often score around 9.6 by default — that’s bad.

I took my hugo-mcp service (FastAPI exposing 7 MCP tools) from 9.6 → 1.7 without breaking a single feature. Here are the directives that actually matter, and the ones that are traps.

Initial score

]]>