lorentz
@lorentz@feddit.it
- Comment on What steps do you take to secure your server and your selfhosted services? 3 days ago:
My Synology has an auto block feature that from my understanding is essentially fail2ban, what I don’t know is if such a feature works for all my exposed services but Synology’s
I’d be surprised if it works for custom services. Fail2ban has to know what’s running and haw to have access to its log file to know what is a failed authentication request. The best you can do without log access is to rate limit new tcp connections. But still you should know what’s the service behind because 5 new SSH sessions per minute and IP can be reasonable 5 new http1.0 connections likely cannot load a single html page.
- Comment on Encrypting data on local servers? 4 days ago:
If you want to encrypt only the data partition you can use an approach like …stapelberg.ch/…/2023-10-25-my-all-flash-zfs-netw… to ulock it at boot.
TL;DR: store half of the decryption key on the computer and another half online and write a script that at boot fetches the second half and decrypt the drive. There is a timewindow where a thief could decrypt your data before you remove the key if they connect your computer to the network, but depending on your thread model can be acceptable. you can also decrypt the root portion with a similar approach but you need to store the script in the initramfs and it is not trivial.
Another option I’ve seen suggested is storing the decryption key on a USB pendrive and connect it with a long extension cord to the server. The assumption is that a thief would unplug all the cables before stealing your server.
- Comment on Encrypting data on local servers? 4 days ago:
A more detailed guide for dropbear: cyberciti.biz/…/how-to-unlock-luks-using-dropbear…
If I remember correctly, the only outdated bit of information is that the IP configuration doesn’t happen anymore in the initramfs configuration but you must pass a parameter at the kernel by editing /etc/default/grub and passing
GRUB_CMDLINE_LINUX_DEFAULT=“ip=192.168.x.x:::::”
where 192.168.x.x is the IP address that you want at boot
- Comment on Looking for a good RSS Reader 2 weeks ago:
I’ve been using CommaFeed for a while and I’m very happy with it. github.com/Athou/commafeed/ plus it is actively developed. I’ve reported a couple of small feature requests and the author implemented them very quickly.
As far as I know there are many third party android apps that you can use, but its responsive webUI is good enough, once you install it it is essentially as good as an app.
- Comment on What host names do you use? 4 weeks ago:
Devices are named after characters from books I recently read, trying to match the name with the character of the book. But for virtual hosts for services I use their purpose (wiki, files, feed…) because I wasted too much time updating all the bookmarks last time I migrated to a new server.
- Comment on which softwares can I self host without public IP? 5 weeks ago:
I started using headscale (the opensource reimplementation of tailscale server) on a private vps. It is incredibly better compared to plain wireguard. I regret waiting so much before switching.
Something that really made my life easier: wireguard is poor at roaming: switching to and from my wifi created issues because the server wasn’t reachable anymore from its public ip and wireguard didn’t bother to query the DNS again to check the new IP. Also, configuration is dead simple because it takes care of iptables for you (especially good when you enables forwarding to a node).
Since the server just sends small messages for the control plane and all the traffic is p2p between the devices, the smallest vps with the smaller connectivity is more than enough to handle it.
- Comment on Which reverse proxy do you use/recommend? 1 month ago:
Yes, but it is a different cron job that needs to run, and you need to monitor it for failures. Caddy does everything out of the box, including retries.
- Comment on Which reverse proxy do you use/recommend? 1 month ago:
Nginx for my intranet because configuration is fully manual and I have complete control over it.
Caddy for the public services on my vps because it handles cert renewal automatically and most of its configuration is magic which just works.
It is unbelievable how shorter caddy configuration is, but on my intranet:
- I don’t want my reverse proxy to dial on internet to try to fetch new SSL certs. I know it can be disabled, but this is the default.
- I like to learn how stuff works, Nginx forces you to know more details but it is full of good documentation so it is not too painful compared to Caddy.
- Comment on Looking for personal cloud storage alternatives 1 month ago:
I didn’t find anything for syncing yet. But I settled with plain smb shares which works for 99% of my needs and www.filestash.app for a simple webUI which is more convenient when browsing files and photos from the phone.