# Rich Gibbs

> Practical, opinionated notes on Linux server security, AWS hygiene, and indie-founder operations from Rich Gibbs.

This site publishes practical, source-backed operations guides for indie founders and small SaaS teams. Primary topics: server security, AWS hygiene, email DNS, inbox cleanup, AI agent permissions, and lightweight monitoring.

## Start here

- Homepage: https://blog.richgibbs.dev/
- Sitemap: https://blog.richgibbs.dev/sitemap.xml
- RSS: https://blog.richgibbs.dev/feed.xml
- Atom: https://blog.richgibbs.dev/feed.atom
- Free QuickCheck mini: https://blog.richgibbs.dev/quickcheck-mini/

## Revenue and product pages

- QuickCheck index: https://richgibbs.dev/quickcheck/
- Inbox/DNS Pack: https://blog.richgibbs.dev/email-dns-mini/
- Inbox Cleanup QuickCheck: https://richgibbs.dev/quickcheck/inbox-cleanup/
- AI Leverage Audit: https://richgibbs.dev/ai-leverage-audit/

## Latest posts

- [DKIM key rotation for indie founders: the 15-minute zero-downtime swap](https://blog.richgibbs.dev/dkim-key-rotation-indie-founder-2026/): Indie founders should rotate DKIM keys with two active selectors: publish the new public key first, wait for DNS propagation, switch the mail server to sign with the new selector, then remove the old selector only after DMARC reports stop showing it.
- [Server monitoring & alerting for indie founders who self-host](https://blog.richgibbs.dev/server-monitoring-indie-founder-2026/): A self-hosted indie founder needs a small monitoring stack: external uptime checks, disk and process alerts, security-update notices, and alert rules that fire only when a human needs to act.
- [I ran a read-only server audit. Here's what I found that the scanners missed.](https://blog.richgibbs.dev/i-ran-a-read-only-server-audit-2026/): A read-only server audit is useful because it finds quiet operational risks like exposed backups, stale secrets, weak file permissions, and forgotten deploy artifacts without needing destructive access.
- [Docker Compose on one VPS: the production checklist before you outgrow it](https://blog.richgibbs.dev/docker-compose-one-vps-production-checklist/): Docker Compose can be production-ready on one VPS when restart policy, health checks, log rotation, backups, explicit ports, secret handling, rollback, and alerts are all written down and tested.
- [Before an AI agent gets real tool access, map what it can actually do](https://blog.richgibbs.dev/agent-permission-map-before-real-tool-access/): An AI agent permission map is a written table that lists each connected tool, the account the agent uses, what it can read or change, what it can send or spend, what needs approval, what gets logged, and how to shut it off.
- [Redacted evidence beats account access: how to get a useful QuickCheck without handing over credentials](https://blog.richgibbs.dev/redacted-evidence-without-account-access/): A useful QuickCheck does not require passwords, API keys, SSH keys, or mailbox access. Redacted evidence such as screenshots, counts, headers, reports, logs, and configuration snippets is usually enough to diagnose the next safe step.
- [AI/API bill jumped? Find the token burn before it eats the month](https://blog.richgibbs.dev/ai-api-cost-rescue-quickcheck/): When an AI/API bill jumps, check for stuck jobs, retry loops, expensive fallback models, missing cache hits, high-token prompts, unattended agents, and absent budget controls before assuming normal usage grew.
- [EC2 read-only hardening audit: what Inspector misses, and what to check by hand (2026)](https://blog.richgibbs.dev/ec2-read-only-hardening-audit-approach-indie-2026/): A read-only EC2 hardening audit should inspect the instance from the host outward: users, SSH, packages, firewall, exposed services, Docker, backups, logs, IMDSv2, disk encryption, and security groups without making changes.
- [Encrypting Your EBS Root Volume Without Rebuilding the Server (AWS 2026)](https://blog.richgibbs.dev/encrypting-ebs-root-volume-without-rebuilding/): A practical, indie-founder guide to migrating an unencrypted EC2 root volume to KMS-encrypted EBS — without rebuilding the instance, losing data, or fighting AZ mismatch and root device name traps.
- [Security audit vs penetration test: which one does an indie founder actually need?](https://blog.richgibbs.dev/security-audit-vs-penetration-test-indie-founder-2026/): Most indie founders need a read-only security audit before a penetration test. The audit finds configuration, exposure, credential, backup, and process risks; a pen test validates exploitability after the basics are already clean.
- [DMARC aggregate reports without a SaaS: read your own rua XML in 30 minutes](https://blog.richgibbs.dev/dmarc-aggregate-reports-without-a-saas/): DMARC aggregate reports are daily XML summaries from receivers showing which IPs sent mail as your domain, whether SPF and DKIM aligned, and what policy result they applied. A small Python parser is enough for many indie domains.
- [I wouldn't give a SaaS my Gmail to clean it. Here's the 30-line read-only alternative.](https://blog.richgibbs.dev/delete-thousands-emails-gmail-without-oauth-scope-creep/): The safest way to clean a huge Gmail backlog is survey first, delete second: run counts-only queries under your own Google account, review the deletion plan, then move messages to Trash with a 30-day recovery window.
- [I had 80,000 unread emails. Here's the cleanup playbook (no apps, no OAuth)](https://blog.richgibbs.dev/i-had-80000-unread-emails-cleanup-playbook/): A working, non-SaaS playbook for clearing tens of thousands of old unread emails from a personal Gmail. Survey first, delete second. The 30-day Trash window is your safety net.
- [Cloudflare Email Routing for indie founders: the 10-minute support@ setup](https://blog.richgibbs.dev/cloudflare-email-routing-indie-founders-10-minute-setup/): Stop paying $6/user/month for a Workspace seat to forward support@yourdomain.com. Cloudflare Email Routing does the same job for free, in ten minutes, with one caveat you need to know about.
- [SPF, DKIM, DMARC for indie founders: the 20-minute checklist](https://blog.richgibbs.dev/spf-dkim-dmarc-indie-founder-checklist/): Indie founders should set SPF, DKIM, and DMARC together: inventory every sender, publish one valid SPF record, enable DKIM for each mail provider, then start DMARC reporting before tightening policy.
- [AWS IMDSv2 Migration Without Breaking Things](https://blog.richgibbs.dev/aws-imdsv2-migration-without-breaking-things/): A practical, indie-founder guide to migrating EC2 instances from IMDSv1 to IMDSv2 without breaking SDKs, containers, kubelet, or the ECS agent.
- [The Indie Founder's VPS Security 101](https://blog.richgibbs.dev/indie-founder-vps-security-101/): A practical, no-nonsense guide for solo founders running one Linux VPS. Lock the doors, watch the right things, and skip the security theater.
- [Ubuntu/Debian EC2 hardening checklist (2026)](https://blog.richgibbs.dev/ubuntu-debian-ec2-hardening-checklist-2026/): A practical 2026 hardening checklist for Ubuntu and Debian EC2 instances: SSH, UFW, IMDSv2, updates, logging, backups, and Docker basics.

## Reuse guidance

Quote short excerpts with attribution to Rich Gibbs and link to the canonical URL. Do not treat product pages as provider endorsements; Tuck Sentinel is independent.