dr_robot

@dr_robot@kbin.social

This is a remote user, information on this page may be incomplete. View at Source ↗

⁨Comment⁩ on ⁨Paying people to work on open source is good actually⁩ ⁨⁨8⁩ ⁨months⁩ ago⁩:
Many open source projects are not developed by unpaid volunteers. The Linux kernel, for example, is primarily developed by professionals on paid time. I'm not convinced the Linux kernel development would continue without business contribution. I'm not convinced all open source projects could just continue without any payment.
⁨Comment⁩ on ⁨[deleted]⁩ ⁨⁨9⁩ ⁨months⁩ ago⁩:
Logcheck. It took ages to make sure innocent logs are ignored, but now I get an email as soon as anything non-routine happens on my servers. I get emails with logs from every update, every time I log in, etc. This has given me the most confidence that nothing unexpected is happening on my servers. Of course, one needs to make sure that the firewall is configured well, and that you use ssh keys etc., but logcheck is how I know I'm doing enough.
⁨Comment⁩ on ⁨How often do you back up?⁩ ⁨⁨10⁩ ⁨months⁩ ago⁩:

How do you upload a snapshot?

Basically, as you said. Mount the data somewhere and back up its contents.

I back up snapshots rather than current data, because I don't want to stop the running containers that read and write from that data. I'd rather avoid the situation where the container is writing data while it's being backed up. The back up happens shortly after the daily snapshot is made so the difference between current and snapshot data is small.
⁨Comment⁩ on ⁨How often do you back up?⁩ ⁨⁨10⁩ ⁨months⁩ ago⁩:
As others have said, with an incremental filesystem level mechanism, the backup process won't be too taxing for the CPU. I have ZFS set up which makes this easy and I make hourly snapshots which also get sent to another mirrored pair of connected drives using ZFS send/receive. Then, once a day, I upload encrypted daily snapshots to a bucket in the cloud using restic. Sounds complicated, but actually ZFS and restic do all the heavy lifting. All I did is automate their schedules using systemd timers and some scripts to backup the right directories.
⁨Comment⁩ on ⁨GameVault Update - What's happened 4 months after initial release⁩ ⁨⁨11⁩ ⁨months⁩ ago⁩:
Very interesting project! However, I can't help shake the feeling that whilst you pitch it as a platform for sharing DRM-free games, it will get used for sharing games against the licenses and wishes of publishers. I don't really care about the publishers, but do you not think there is a great risk that once your app gets enough attention, it will draw their ire and force you to shut down? Perhaps not directly, but e.g., removing you from the windows store etc.
⁨Comment⁩ on ⁨Looking for Advice with networking between VPS, Homelab and Cloudflare⁩ ⁨⁨11⁩ ⁨months⁩ ago⁩:
For caching, are you sure you're generating enough traffic to benefit from it? Plus, CDN caching's strength only really comes into play when the users are geographically distributed which isn't really the case for most self hosters.

For DDoS check if your VPS host does DDoS protection. Some do and include it for free. I've been monitoring my server traffic lately. Since I've ditched Cloudflare, I haven't needed DDoS protection.

You can still use Cloudflare DNS without redirecting traffic via their CDN. I do that.

The point about not revealing the IP address is a personal one it seems. I think it indeed does matter if that IP address is if your home, but not so much of it's of a VPS in some data center. But anyway, this point seems personal.

However, everything is a trade off and everybody has a personal take on which trade off they want to take. When I was in a similar situation, I ditched CDN proxying via Cloudflare though I still kept them for DNS.
⁨Comment⁩ on ⁨Looking for Advice with networking between VPS, Homelab and Cloudflare⁩ ⁨⁨11⁩ ⁨months⁩ ago⁩:
What benefit do you get from running a Cloudflare proxy if you're directing it to a VPS? I used to run with a Cloudflare proxy when my reverse proxy was hosted at home. Since then, I've moved it to a VPS and I no longer use the Cloudflare proxy, because I only expose the IP address of the VPS which is fine. Arguably Cloudflare provides you with DDoS protection, but that's so far never been a problem for me.
⁨Comment⁩ on ⁨How do you facilitate remote access?⁩ ⁨⁨1⁩ ⁨year⁩ ago⁩:
I expose my services to the web via my own VPS proxy :) I simply run only very few of them, use 2FA when supported, keep them up to date, run each service as rootless podman, and have a very verbose logcheck set up in case the container environment gets compromised, and allow only ports 80 and 443, and, very importantly, truly sensitive data (documents and such) is encrypted at rest so that even if my services are compromised that data remains secure.

For ssh, I have set up a separate raspberry pi as a wireguard server into my home network. Therefore, for any ssh management I first connect via this wireguard connection.
⁨Comment⁩ on ⁨Russia starts blocking VPN at the protocol (WireGuard, OpenVPN) level⁩ ⁨⁨1⁩ ⁨year⁩ ago⁩:
Most open source vpn protocols, afaik, do not obfuscate what they are, because they're not designed to work in the presence of a hostile operator. They only encrypt the user data. That is, they will carry information in their header that they are such and such vpn protocol, but the data payload will be encrypted.

You can open up wireshark and see for yourself. Wireshark can very easily recognize and even filter wireguard packets regardless of port number. I've used it to debug my firewall setups.

In the past when I needed a VPN in such a situation, I had to resort to a paid option where the VPN provider had their own protocol which did try to obfuscate the nature of the protocol.
⁨Comment⁩ on ⁨Using systemd-networkd vs ifupdown on Debian⁩ ⁨⁨1⁩ ⁨year⁩ ago⁩:
Thanks for this useful reply! I think I'll just need to closely examine my setup and figure out if I really need the ability to up/down interfaces like I described or whether the more persistent approach of networkd is actually more suitable for me. Sometimes I just want to reproduce behaviour that I've used before, but may not actually need.
⁨Comment⁩ on ⁨Using systemd-networkd vs ifupdown on Debian⁩ ⁨⁨1⁩ ⁨year⁩ ago⁩:
Thanks for your reply! One thing I'm struggling with networkd is hysteresis. That is, toggling the interface down and then back up does not do what I expect it to. That is, setting the interface down does not clear up the configuration, and setting the interface up does not reconfigure the interface. I have to run reconfigure for that. I was hoping that the declarative approach of networkd would make it easy to predict interface state and configuration.

This does make sense because configuration is not the same as operational state. However, what would the equivalent of ifdown (set interface down and remove configuration) and ifup (set interface up and reconfigure) be using networkd and networkctl? This kind of feature would be useful for me to test config changes, debug networking issues, disconnect part of the network while I'm making some changes, etc.
Using systemd-networkd vs ifupdown on Debiankbin.social ↗
Submitted ⁨⁨1⁩ ⁨year⁩ ago⁩ to ⁨selfhosted@lemmy.world⁩ | ⁨8⁩ ⁨comments⁩