starkzarn
@starkzarn@infosec.pub
- Comment on Monitoring OPNSense Logs with Grafana Loki 8 hours ago:
I would love to if I had them! Haha. I’m working on the dashboard right now, which will be part two.
I don’t have a great answer on the IOPS requirement, but I imagine it’s less than something based on elasticsearch/open search based on the reindexing. I’ll try and benchmark it if possible.
- Comment on Monitoring OPNSense Logs with Grafana Loki 8 hours ago:
Great question, I’ve asked myself the same thing.
First, in my opinion they serve to achieve different things. While openwrt is a firewall, it's a simple zone based firewall and it's designed primarily as router firmware, not firewall software.
Opnsense is BSD based, openwrt is Linux based. Those both have pros and cons. BSD has serious pedigree in the networking world. Juniper switches are still based on BSD even. Openwrt gets the Linux traffic shaping goodies like cake though.
I chose openwrt because it’s more suited to my environment, where I have 10 VLANs, a 10G fiber core, and want IDS/IPS. Openwrt is meant to be lighter weight, but is less feature-full.
- Comment on Monitoring OPNSense Logs with Grafana Loki 1 day ago:
Isn’t it the best? Somehow all the big log and aggregation stacks are java… Elk, graylog, wazuh…
- Comment on Monitoring OPNSense Logs with Grafana Loki 2 days ago:
🤘🏻
- Comment on Monitoring OPNSense Logs with Grafana Loki 2 days ago:
Certainly! Feel free to comment on any hardships, if I notice a glaring omission or something I’m happy to fix it. This is also a pretty new setup for me, so I’m still tweaking and working through what will become part 2 here in Grafana, currently.
- Submitted 2 days ago to selfhosted@lemmy.world | 10 comments
- Comment on How to Host Headscale on a Linux Server with Podman Quadlets (Part 2) 2 days ago:
Hey, the journey is the destination sometimes. Glad you liked it!
- Comment on Recipes, Meal Planning, and Shopping List 4 days ago:
There’s no mobile app, but the web app front end is a PWA, so you can select “install” from the page in a WebKit browser and get what is effectively a mobile app.
- Comment on Traefik with Socket Activation via Podman Quadlets 5 days ago:
Awesome! Thanks for the banter. It’s easy to get stuck in your own echo chamber working IT every day, so it’s nice to have these kinds of questions. Feel free to drop anything into comments too, maybe other readers will benefit too!
- Comment on Traefik with Socket Activation via Podman Quadlets 5 days ago:
No worries, and I’ll accept criticism too, that’s how you improve.
Anyway, this is effectively giving you tailscale, a remote access mesh VPN solution, but with total control and ownership of the control plane server, instead of relying on the opaque tailscale owned and controlled infra. I touched on it briefly again in the ‘DERP Config’ section of part 2: roguesecurity.dev/blog/headscale-quadlet-part2#DE…
- Submitted 6 days ago to selfhosted@lemmy.world | 2 comments
- Comment on Traefik with Socket Activation via Podman Quadlets 6 days ago:
- Comment on Traefik with Socket Activation via Podman Quadlets 6 days ago:
Part 2 is live! roguesecurity.dev/blog/headscale-quadlet-part2
- Comment on Traefik with Socket Activation via Podman Quadlets 6 days ago:
No, it’s not you, the XML file isn’t including post content yet. I wasn’t sure how to do that, so figured I’d start with the simple thing of generating a list from the posts manifest for the time being. This would at least show you a link for when a new post is up, but you’re right, there’s no content yet. When I have a bit more time I’ll research how I can dynamically add the entire post content.
- Comment on Traefik with Socket Activation via Podman Quadlets 6 days ago:
Realized I didn’t answer the last question here on hardening. The answer is sure! I don’t have much planned for the blog, as I was just thinking I’d take “public notes” for my tinkerings as they came. I’ve done Linux administration for a long time though, so I’d be happy to put together a post on baselines and hardening.
- Comment on Traefik with Socket Activation via Podman Quadlets 6 days ago:
Great question. I tried to very briefly touch on it in the post. The bottom line is that its benefits are there mostly for rootless podman, which I’ve chosen not to implement here (yet). You can also configure it so that the socket is always active and that will then trigger the service associated with it, so that you save on resources when the service isn’t needed. However, I didn’t want to do that as it would likely increase page load time for readers.
- Comment on Traefik with Socket Activation via Podman Quadlets 6 days ago:
Okay, rudimentary RSS feed added! It’s available in the navbar, and autodiscovery with your RSS aggregator should work from any page. Let me know if you have issues.
- Comment on Traefik with Socket Activation via Podman Quadlets 6 days ago:
No, and that’s a deficiency. Thank you for asking. I totally had this on the roadmap but let it slip. I’ll work on finalizing that right now. Much appreciated!
- Comment on Traefik with Socket Activation via Podman Quadlets 6 days ago:
The other poster here is correct, this is just an account of my journey through self hosting traefik, and ultimately headscale, without the hurdles along the way. I tried to include a few links to unclear terms along the way in the narrative, maybe those would help you figure things out. Unfortunately I can’t write for an audience of everyone, but hopefully you can still gain some value or learn some new things! Thank you for the feedback.
- Comment on Traefik with Socket Activation via Podman Quadlets 6 days ago:
Ah yes, those examples were helpful and definitely helped inspire this. Glad you found some value in the ramblings. Post 2 will be up soon.
- Comment on Traefik with Socket Activation via Podman Quadlets 6 days ago:
What nice feedback to read. I think you and I are aligned in what this will hopefully become. I really just wanted to start publicly sharing my hobby notes instead of holing them up in a local Joplin file or something, so that’s what I’m going to do. We may have similar hobbies though, which sounds like it’ll benefit you. Haha.
- Comment on Self-hosted PDF manager? 1 week ago:
Paperless-ngx! github.com/paperless-ngx/paperless-ngx
- Comment on Traefik with Socket Activation via Podman Quadlets 1 week ago:
For anyone who reads this post and sees the mention of headscale – that was the overarching goal here but the blog post started getting long so I decided to chunk it up. As soon as I polish up the headscale writeup I’ve got drafted and get that posted, I’ll drop a link here just in case anyone is interested.
- Submitted 1 week ago to selfhosted@lemmy.world | 27 comments
- Comment on Sophos XG Firewall Home Use 3 weeks ago:
They place arbitrary limits on home users as well, which is a secondary reason to not use it compared to open source offerings. For instance:
- you are limited to 1Gbps line speed
- you are limited to one week of analytics, with no export option, so you can’t even ship them elsewhere
- there are also resource limits that cap RAM and CPU utilization
- Comment on Not only is Substack right-wing broligarchy garbage, it's way more expensive than Ghost 2 months ago:
Suppose it makes sense to use a cybertruck as the hero photo then