lorentz

@lorentz@feddit.it

This is a remote user, information on this page may be incomplete. View at Source ↗

⁨Comment⁩ on ⁨I don't get the love for Nextcloud - alternative for just files?⁩ ⁨⁨1⁩ ⁨day⁩ ago⁩:
I agree, but having a webui is nicer on android, so I installed www.filestash.app configured to use samba as backend so permissions and passwords are the same
⁨Comment⁩ on ⁨Testing vs Prod⁩ ⁨⁨2⁩ ⁨weeks⁩ ago⁩:
I don’t have a testing environment, but essentially all my services are on docker saving their data in a directory mounted on the local filesystem. The dockerfile reads the sha version of the image from an env file. I have a shell script which:
1. Triggers a new btrfs snapshot of the volume containing everyithing
2. Pulls the new docker images and stores their hashes in the env file
3. Restarts all the containers.
if a new Docker version is broken rolling back is as simple as copying the old version in the env file and recreating the container. If data gets corrupted I can just copy the last working status from an old snaphot.

The whole os is on a btrfs volume which is snapshotted regularly, so ideally if an update fucks it up beyond recovery I can always boot from a rescue image and restore an old snapshot. But I honestly feel this is extra precaution: in years that I run debian on all my computers, it never reached the point of being not bootable.
⁨Comment⁩ on ⁨What steps do you take to secure your server and your selfhosted services?⁩ ⁨⁨3⁩ ⁨weeks⁩ ago⁩:

My Synology has an auto block feature that from my understanding is essentially fail2ban, what I don’t know is if such a feature works for all my exposed services but Synology’s

I’d be surprised if it works for custom services. Fail2ban has to know what’s running and haw to have access to its log file to know what is a failed authentication request. The best you can do without log access is to rate limit new tcp connections. But still you should know what’s the service behind because 5 new SSH sessions per minute and IP can be reasonable 5 new http1.0 connections likely cannot load a single html page.
⁨Comment⁩ on ⁨Encrypting data on local servers?⁩ ⁨⁨3⁩ ⁨weeks⁩ ago⁩:
If you want to encrypt only the data partition you can use an approach like …stapelberg.ch/…/2023-10-25-my-all-flash-zfs-netw… to ulock it at boot.

TL;DR: store half of the decryption key on the computer and another half online and write a script that at boot fetches the second half and decrypt the drive. There is a timewindow where a thief could decrypt your data before you remove the key if they connect your computer to the network, but depending on your thread model can be acceptable. you can also decrypt the root portion with a similar approach but you need to store the script in the initramfs and it is not trivial.

Another option I’ve seen suggested is storing the decryption key on a USB pendrive and connect it with a long extension cord to the server. The assumption is that a thief would unplug all the cables before stealing your server.
⁨Comment⁩ on ⁨Encrypting data on local servers?⁩ ⁨⁨3⁩ ⁨weeks⁩ ago⁩:
A more detailed guide for dropbear: cyberciti.biz/…/how-to-unlock-luks-using-dropbear…

If I remember correctly, the only outdated bit of information is that the IP configuration doesn’t happen anymore in the initramfs configuration but you must pass a parameter at the kernel by editing /etc/default/grub and passing

GRUB_CMDLINE_LINUX_DEFAULT=“ip=192.168.x.x:::::”

where 192.168.x.x is the IP address that you want at boot
⁨Comment⁩ on ⁨Looking for a good RSS Reader⁩ ⁨⁨5⁩ ⁨weeks⁩ ago⁩:
I’ve been using CommaFeed for a while and I’m very happy with it. github.com/Athou/commafeed/ plus it is actively developed. I’ve reported a couple of small feature requests and the author implemented them very quickly.

As far as I know there are many third party android apps that you can use, but its responsive webUI is good enough, once you install it it is essentially as good as an app.
⁨Comment⁩ on ⁨What host names do you use?⁩ ⁨⁨1⁩ ⁨month⁩ ago⁩:
Devices are named after characters from books I recently read, trying to match the name with the character of the book. But for virtual hosts for services I use their purpose (wiki, files, feed…) because I wasted too much time updating all the bookmarks last time I migrated to a new server.
⁨Comment⁩ on ⁨which softwares can I self host without public IP?⁩ ⁨⁨1⁩ ⁨month⁩ ago⁩:
I started using headscale (the opensource reimplementation of tailscale server) on a private vps. It is incredibly better compared to plain wireguard. I regret waiting so much before switching.

Something that really made my life easier: wireguard is poor at roaming: switching to and from my wifi created issues because the server wasn’t reachable anymore from its public ip and wireguard didn’t bother to query the DNS again to check the new IP. Also, configuration is dead simple because it takes care of iptables for you (especially good when you enables forwarding to a node).

Since the server just sends small messages for the control plane and all the traffic is p2p between the devices, the smallest vps with the smaller connectivity is more than enough to handle it.
⁨Comment⁩ on ⁨Which reverse proxy do you use/recommend?⁩ ⁨⁨2⁩ ⁨months⁩ ago⁩:
Yes, but it is a different cron job that needs to run, and you need to monitor it for failures. Caddy does everything out of the box, including retries.
⁨Comment⁩ on ⁨Which reverse proxy do you use/recommend?⁩ ⁨⁨2⁩ ⁨months⁩ ago⁩:
Nginx for my intranet because configuration is fully manual and I have complete control over it.

Caddy for the public services on my vps because it handles cert renewal automatically and most of its configuration is magic which just works.

It is unbelievable how shorter caddy configuration is, but on my intranet:
1. I don’t want my reverse proxy to dial on internet to try to fetch new SSL certs. I know it can be disabled, but this is the default.
2. I like to learn how stuff works, Nginx forces you to know more details but it is full of good documentation so it is not too painful compared to Caddy.
⁨Comment⁩ on ⁨Looking for personal cloud storage alternatives⁩ ⁨⁨2⁩ ⁨months⁩ ago⁩:
I didn’t find anything for syncing yet. But I settled with plain smb shares which works for 99% of my needs and www.filestash.app for a simple webUI which is more convenient when browsing files and photos from the phone.