vegetaaaaaaa

@vegetaaaaaaa@lemmy.world

This is a remote user, information on this page may be incomplete. View at Source ↗

gitlab.com/nodiscc/ · github.com/nodiscc/

⁨Comment⁩ on ⁨Ansible sounds interesting⁩ ⁨⁨2⁩ ⁨weeks⁩ ago⁩:

If you needs are simple, write a simple playbook using the proxmox ansible module docs.ansible.com/…/proxmox_kvm_module.html

Terraform/Opentofu provides more advanced stuff but then you have to worry about persistent state storage, the clunky DSL… used it when acsolutely needed, you can do 90% of this stuff with the proxmox ansible module.

If you need to make your playbook less verbose, move the logic to a role so that you can configure your VMs from a few lines in the playbook/host_vars. Mine looks like this (it’s for libvirt and not proxmox, but the logic is the same)

# playbook.yml
- hosts: hypervisor.example.org
  roles:
    - libvirt

# host_vars/hypervisor.example.org.yml
libvirt_vms:
  - name: vm1.example.org
    xml_file: "{{ playbook_dir }}/data/libvirt/vm1.example.org.xml"
    state: running
    autostart: yes
  - name: vm2.example.org
    xml_file: "{{ playbook_dir }}/data/libvirt/vm2.example.org"
    autostart: no
  - name: vm3.example.org
    xml_file: "{{ playbook_dir }}/data/libvirt/vm3.example.org"
    autostart: no
  - name: vm4.example.org
    xml_file: "{{ playbook_dir }}/data/libvirt/vm4.example.org"
    autostart: no
    disk_size: 100G

⁨Comment⁩ on ⁨Console display options⁩ ⁨⁨2⁩ ⁨weeks⁩ ago⁩:
turn that monitor off and save power?
⁨Comment⁩ on ⁨What load balancers can do HA (preferably open source, web gui)⁩ ⁨⁨2⁩ ⁨weeks⁩ ago⁩:
apache can do load balancing as well httpd.apache.org/docs/…/mod_proxy_balancer.html

I’d pick something that you already use across your stack, to minimize the number of different integration/config styles/bugs…
⁨Comment⁩ on ⁨Questions about selfhosting Git, and making some small scratch on the side.⁩ ⁨⁨4⁩ ⁨weeks⁩ ago⁩:
- Ever tested restoring those backups? Do you have the exact procedure written down? Does it still work? If the service gets compromised/data corrupted on sunday, and your backup runs, do you still have a non-compromised backup and how old is it?
- How timely can you deal with security fixes, and how will you be alerted that a security fix is available?
- How do you monitor your services for resource availability, errors in logs, security events?
- How much downtime is acceptable for routine maintenance, and for incidents?
Not saying this is impossible, you just need to have these questions in mind before you start charging people for the service, and have the support infrastructure ready.

Or you can just provide the service for free, best-effort without guarantees.

I do both (free services for a few friends, paid by customers at $work, small team). Most of the time it’s smooth riding but it needs preparation (and more than 1 guy to handle emergencies - vacations, bus factor and all that).

For the git service I can recommend gitea + gitea-actions (I run the runners in podman). Gitlab has more features but it can be overwhelming if you don’t need them, and it requires more resources.
⁨Comment⁩ on ⁨talon voice, self hosted voice control of your computer⁩ ⁨⁨4⁩ ⁨weeks⁩ ago⁩:
Spyware until proven otherwise. Where is the source code?
⁨Comment⁩ on ⁨Alternative to LinkStack and LinkTree⁩ ⁨⁨1⁩ ⁨month⁩ ago⁩:
github.com/sethcottle/littlelink Or a simple HTML page…
⁨Comment⁩ on ⁨Version Dashboard⁩ ⁨⁨1⁩ ⁨month⁩ ago⁩:
I use RSS feeds, bump version numbers when a new release is out, git commit/push and the CI does the rest (or I’ll run the ansible playbook manually).

I do check the release notes for breaking changes, and sometimes hold back updates for some time (days/weeks) when the release affects a “critical” feature, or when config tweaks are needed.
⁨Comment⁩ on ⁨CrowdSec vs Fail2Ban - What to use?⁩ ⁨⁨1⁩ ⁨month⁩ ago⁩:
Fail2ban is a Free/Open-Source program to parse logs and take action based on the content of these logs. The most common use case is to detect authentication failures in logs and issue a firewall level ban based on that. It uses regex filters to parse the logs and uses policies called jails to determine which action to take (wait for more failures, run command xyz…). It’s old, basic, customizable, does its job.

crowdsec is a commercial service [1] with a free offering, and some Free/Open-Source components. The architecture is quite different [2], it connects to Crowdec’s (the company) servers to crowd-source detections, their service establishes a “threat score” for each IP based on detections they receive, and in exchange they provide [3] some of these threat feeds/blocklists back to their users. A separate crowdsec-bouncer process takes action based on your configuration.

If you want to build your own private shared/global blocklist based on crowdsec detections, you’ll need to setup a crowdsec API server and configure all your crowdsec instances to use it. If you want to do this with fail2ban you’ll need to setup your own sync mechanism (there are multiple options, I use a cron job+script that pulls IPs from all fail2ban instances using fail2ban-client status, builds an ipset, and pushes it to all my servers). If you need crowdsourced blocklists, there are multiple free options ([4] can be used directly by ipset).

Both can be used for roughly the same purpose, but are very different in how they work and the commercial model (or lack of) behind the scenes.
⁨Comment⁩ on ⁨Trying to find a general-use project management software solution⁩ ⁨⁨1⁩ ⁨month⁩ ago⁩:
Odoo major version upgrades are a pain in the ass. Wouldn’t recommend.
⁨Comment⁩ on ⁨CrowdSec vs Fail2Ban - What to use?⁩ ⁨⁨1⁩ ⁨month⁩ ago⁩:
Fail2ban unless you need the features that crowdsec provides.
⁨Comment⁩ on ⁨How do I build up a lemmy instance right from the scratch ?⁩ ⁨⁨1⁩ ⁨month⁩ ago⁩:
Debian
⁨Comment⁩ on ⁨What webapps do you selfhost that aren't media/game servers?⁩ ⁨⁨1⁩ ⁨month⁩ ago⁩:
There is a pinned post for this lemmy.world/post/60585
⁨Comment⁩ on ⁨How do I build up a lemmy instance right from the scratch ?⁩ ⁨⁨1⁩ ⁨month⁩ ago⁩:
RTFM join-lemmy.org/docs/…/administration.html
⁨Comment⁩ on ⁨SMS/MMS backup and sync?⁩ ⁨⁨2⁩ ⁨months⁩ ago⁩:
Tested SMS Import/Export (installed from F-droid), works fine.
⁨Comment⁩ on ⁨Ansible iptables best practices?⁩ ⁨⁨2⁩ ⁨months⁩ ago⁩:

Ansible should only run to make changes to a existing system.

No. Ansible is fine for provisioning and initial deployment.
⁨Comment⁩ on ⁨Backing up IaC⁩ ⁨⁨2⁩ ⁨months⁩ ago⁩:
Back up your git service/repositories to offline storage.
⁨Comment⁩ on ⁨Good Self hosted MDM?⁩ ⁨⁨2⁩ ⁨months⁩ ago⁩:
Right, I just spent 10 minutes looking for documentation that doesn’t involve shitty expensive SaaS/PaaS, couldn’t find anything. That disqualifies it for me as well, sorry for wasting your time.

I’ll keep watching this thread, relevant to my interests as well. At work we let ansible (in pull mode) handle the Linux fleet, Android we don’t have enough devices to bother, and are looking towards jamf for macs. But I’d love to find a FOSS solution too, our requirements are simple enough (as you said install/remove stuff, change basic settings)
⁨Comment⁩ on ⁨Testing vs Prod⁩ ⁨⁨2⁩ ⁨months⁩ ago⁩:
My prod and testing environments are 2 libvirt VMs on the same hypervisor. They run the same services, deployed and managed by ansible. The testing VM just gets less disk/CPU/RAM resources, and is powered off most of the time. Simple config changes? Straight to prod. New feature, risky change? Testing first.
⁨Comment⁩ on ⁨Recommend EU webhosting provider to replace DreamHost?⁩ ⁨⁨2⁩ ⁨months⁩ ago⁩:
Ionos works for me. I’ve used OVH, Scaleway as well, no problems.
⁨Comment⁩ on ⁨Good Self hosted MDM?⁩ ⁨⁨2⁩ ⁨months⁩ ago⁩:
fleetdm.com doesn’t look bad, would this work?
Organic Maps migrates to Forgejo due to GitHub account blocked by Microsoft.programming.dev ↗
Submitted ⁨⁨2⁩ ⁨months⁩ ago⁩ to ⁨selfhosted@lemmy.world⁩ | ⁨33⁩ ⁨comments⁩
⁨Comment⁩ on ⁨An idiots guide?⁩ ⁨⁨2⁩ ⁨months⁩ ago⁩:
Data loss is not a problem specific to self-hosting.

Whenever you administrate a system that contains valuable data (a self-hosted network service/application, you personal computer, phone…), think about a backup and recovery strategy for common (and less common) data loss cases:
1. you delete a valuable file by accident
2. a bad actor deletes or encrypts the data (ransomware)
3. the device gets stolen, or destroyed (hardware failure, power surge, fire, flood, hosting provider closing your account)
4. anything you can think of
For these different scenarios try to find a working backup/restore strategy. For me they go like
1. Automatic, daily local backups (anything on my server gets backed up once a day to a backups directory using rsnapshot). Note that file sync like nextcloud won’t protect you against this risk, if you delete a file on the nextcloud client it’s also gone on the Nextcloud server (though there is a recycle bin). Local backups are quick and easy to restore after a simple mistake like this. They wont protect you against 2 and 3.
2. Assuming an attacker gains access to your machine they will also destroy or encrypt your local backups. My strategy against this is to pull a copy of the latest local backup, weekly, to a USB drive, through another computer, using rsync/rsnapshot. Then I unplug the USB drive, store it somewhere safe outside my home, and plug in a second USB drive. I rotate the drives every week (or every 2 weeks when I’m lazy - I have set up a notification to nag me to rotate the drive every saturday, but I sometimes ignore it)
3. The USB strategy also protects me against 3. If both my server and main computer burn down, the second drive is still out there, safely encrypted. It’s the worst case scenario, I’d probably spend quite some time setting up everything again (though most of the setup is automated), and at this point I’d have bigger problems like, you know, burned down house. But I’d still have my data.
There are other strategies, tools, etc, this one works for me. It’s cheap (the USB drives are a one-time investment), the only manual step is to rotate the drives every week or so.
⁨Comment⁩ on ⁨Looking for a good RSS Reader⁩ ⁨⁨2⁩ ⁨months⁩ ago⁩:
If you’re interested I wrote a quick HOWTO to migrate TT-RSS data from Mysql to Postgres a while ago. Ctrl+F search for Migrating tt-rss data to Postgresql from a MySQL-based installation here

I still use that same migrated database 4 years later
⁨Comment⁩ on ⁨How do you keep track of vulnerabilities?⁩ ⁨⁨3⁩ ⁨months⁩ ago⁩:
- distribution packages: unattended-upgrades
- third party software: subscribe to the releases RSS feed (in tt-rss or rss2email), read release notes, bump version number in my ansible playbook, run playbook, done.
⁨Comment⁩ on ⁨Any nice playbook or tutorial to host a static website from home?⁩ ⁨⁨3⁩ ⁨months⁩ ago⁩:
Sometimes you need to understand the basics first. The points I listed are sysadmin 101. If you don’t understand these very basic concepts, there is no chance you will be able to keep any kind of server running, understand how it works, debug certificate problems and so on. Once you’re comfortable with that? Sure, use something “simpler” (a.k.a. another abstraction layer), Caddy is nice. The same point was made in the past about Apache (“just use nginx, it’s simpler”). Meanwhile I still use apache, but if needed I’m able to configure any kind of web server because i taught me the fundamentals.

At some point we have to refuse the temptation to go the “easy” way when working with complex systems - IT and networking are complex. Just try the hard way first, read the docs, and if it’s too complex/overwhelming/time-consuming, only then go for a more “noob-friendly” solution (I mean we’re on c/selfhosted, why not just buy a commercial NAS or use a hosted service instead? It’s easier). I use firewalld but I learned the basics of iptables a while ago. I don’t build apache from source when I need to upgrade, but I would know how to get 75% there - the docs would teach me the rest.
⁨Comment⁩ on ⁨Any nice playbook or tutorial to host a static website from home?⁩ ⁨⁨3⁩ ⁨months⁩ ago⁩:
By default nginx will serve the contents of /var/www/html (a.k.a documentroot) directory regardless of what domain is used to access it. So you could put your index.html and all other files directly under that directory, and access your sever at https://ip_address and have your static site served like that.

Step 2 is to automate the process of rebuilding your site and placing the files under the correct directory with the correct ownership and permissions. A basic shell script will do it.

Step 3 is to point your domain (DNS record) at your server’s public IP address and forwarding public port 80 to your server’s port 80. From there you will be able to access the site from the internet at mydomain.org

Step 3 is to configure nginx for proper virtualhost handling (that is, direct requests made for mydomain.org to your site under the /var/www/html/ directory, and all other requests like http://public_ip to a default, blank virtualhost. You may as well use and empty /var/www/html for the default site and move your static site to a dedicated directory.) This is not a requirement but will help in case you need to host multiple sites, and is a requirement for the following step.

Step 4 is to setup SSL/TLS certificates to serve your site at https://my_domain (HTTPS). Nowadays this is mostly done using an automatic certificate generation service such as Let’s Encrypt or any other ACME provider. certbot is the most well-known tool to do this (but not necessarily the simplest).

Step 5 is what you should have done at step 1: harden your server, setup a firewall, fail2ban, SSH keys and anything you can find to make it harder for an attacker to gain write access to your server, or read access to places they shouldn’t be able to read.

Step 6 is to destroy everything and do it again from scratch. You’ve documented or scripted all the steps, right?

As for the question “how do I actually implement all this? Which config files and what do I put in them?”, the answer is the same old one: RTFM. Yes, even the boring nginx docs, manpages and 1990’s Linux stuff. Reading guides can still be a good start for a quick and dirty setup, and will at least show you what can be done. After a few months of practice you will be able to do all that in less than 10 minutes.
⁨Comment⁩ on ⁨Landing page for all my services⁩ ⁨⁨4⁩ ⁨months⁩ ago⁩:
I wrote my own, using plain HTML/CSS. Actually the final .html file gets templated by ansible depending on what’s installed on the server, but you can easily pick just the parts you need from the j2 template
⁨Comment⁩ on ⁨What are some self hosted services that you think are essential?⁩ ⁨⁨7⁩ ⁨months⁩ ago⁩:
Please not these posts again This thread is pinned for a reason: lemmy.world/post/60585
⁨Comment⁩ on ⁨Podman or rootless docker?⁩ ⁨⁨7⁩ ⁨months⁩ ago⁩:
Podman
- rootless by default
- daemonless
- integration with systemd, made even easier by podman-generate-systemd
- no third-party APT repository required, follows the same lifecycle as my LTS (Debian) distro
- podman and docker command-line are 100% compatible for my use cases
⁨Comment⁩ on ⁨Static site generator for an idiot who doesn't want to learn a new templating language just to have a blog?⁩ ⁨⁨7⁩ ⁨months⁩ ago⁩:
www.sphinx-doc.org + pradyunsg.me/furo/ theme + myst-parser.readthedocs.io markdown parser + sphinx-design.readthedocs.io extensions.

Just drop all your markdown files in a directory and run sphinx-build. Highly customizable but also works out of the box