Findmysec

@Findmysec@infosec.pub

This is a remote user, information on this page may be incomplete. View at Source ↗

⁨Comment⁩ on ⁨Do you selfhost your own blog/website?⁩ ⁨⁨1⁩ ⁨month⁩ ago⁩:
You should do it on a VPS so that even if it gets infected your home network is not compromised
⁨Comment⁩ on ⁨Advice needed for networking/architecting⁩ ⁨⁨1⁩ ⁨month⁩ ago⁩:
I’m afraid I do not follow. TrueNAS scale has support for kubernetes: install containers on top, maybe different containers for different fileshares/uses (one container for VM images, one for media etc).

Mount said network volumes on the compute boxes.
⁨Comment⁩ on ⁨Chromecast / Firestick Self Host Replacement⁩ ⁨⁨2⁩ ⁨months⁩ ago⁩:
Just run KODI from anywhere
⁨Comment⁩ on ⁨Multiple Kubernetes Services Using Same Port Without SNI⁩ ⁨⁨2⁩ ⁨months⁩ ago⁩:
If you can only use port 22 for multiple SSH endpoints (for example), then yes your going to need multiple IPs. Or Port-mapping as a compromise
⁨Comment⁩ on ⁨Multiple Kubernetes Services Using Same Port Without SNI⁩ ⁨⁨2⁩ ⁨months⁩ ago⁩:
In short, you need a reverse-proxy + traffic segregation with domain names (SNI).

I don’t remember much about ingresses, but this can be super easy to set up with Gateway API (I’m looking at it right now).

Basically, you can set up sftp.my.domain/ssh to 192.168.1.40:22, sftp.my.domain/sftp to 192.168.1.40:121 (for example). Same with Forgejo, forgejo.my.domain/ssh will point to 192.168.1.50:22 and forgejo.my.domain/gui will point to 192.168.1.50:443.

The Gateway API will simply send it over to the right k8s service.

About your home network: I think you could in theory open up a DMZ and everything should work. I would personally use a cheap VPS as a VPN server and NAT all traffic through it. About traffic from your router maintaining the SNI, that’s a different problem depending on your network setup.
⁨Comment⁩ on ⁨Multiple Kubernetes Services Using Same Port Without SNI⁩ ⁨⁨2⁩ ⁨months⁩ ago⁩:
You’d receive traffic on IP:PORT, that’s segregation right there. Slap on a DNS name for convenience.

I might have my MetalLB config laying around somewhere (it’s super easy, I copied most of it from their website), I can probably paste it here if you’d like.
⁨Comment⁩ on ⁨Multiple Kubernetes Services Using Same Port Without SNI⁩ ⁨⁨2⁩ ⁨months⁩ ago⁩:
Ingress controllers like Traefik come across as LB services to IPAM modules like MetalLB (I’ve never used Kube-VIP but I suppose it’s the same story). These plug-ins assign IP addresses to these LB services.

You can assign a specific IP to an instance of an “outward-facing route” with labels. I don’t remember technical terms relevant to Ingresses because I’ve been messing with the Gateway API recently.
⁨Comment⁩ on ⁨Multiple Kubernetes Services Using Same Port Without SNI⁩ ⁨⁨2⁩ ⁨months⁩ ago⁩:
MetalLB + map new external IP to domain == profit.
⁨Comment⁩ on ⁨What's the difference between a $50 HDD and a $200 HDD?⁩ ⁨⁨2⁩ ⁨months⁩ ago⁩:
SMR vs CMR and drive speeds
⁨Comment⁩ on ⁨Using Fedora Atomic (CoreOS, IOT) as server OS - Experiences?⁩ ⁨⁨2⁩ ⁨months⁩ ago⁩:
Setting SELinux to permissive is not a good security practice
⁨Comment⁩ on ⁨[deleted]⁩ ⁨⁨3⁩ ⁨months⁩ ago⁩:
Why not port knocking over TOR?
⁨Comment⁩ on ⁨AMD won't patch all chips affected by severe data theft vulnerability — Ryzen 3000, 2000, and 1000 will not get patched for 'Sinkclose'⁩ ⁨⁨3⁩ ⁨months⁩ ago⁩:
Well the Star64 from Pine is pretty good, just doesn’t have enough processing power and IO for my liking.
⁨Comment⁩ on ⁨AMD won't patch all chips affected by severe data theft vulnerability — Ryzen 3000, 2000, and 1000 will not get patched for 'Sinkclose'⁩ ⁨⁨3⁩ ⁨months⁩ ago⁩:
Framework has a laptop in progress if you’re interested
⁨Comment⁩ on ⁨ICANN approves use of .internal domain for your network⁩ ⁨⁨3⁩ ⁨months⁩ ago⁩:
Yeah that’s your situation. Some people are fine with it
⁨Comment⁩ on ⁨ICANN approves use of .internal domain for your network⁩ ⁨⁨3⁩ ⁨months⁩ ago⁩:
Ah, you mean they put the cert in a transparent proxy which logs all traffic? Neat idea
⁨Comment⁩ on ⁨ICANN approves use of .internal domain for your network⁩ ⁨⁨3⁩ ⁨months⁩ ago⁩:
Private CA is the only way for donations which cannot be resolved in the Internet
⁨Comment⁩ on ⁨Basic Security for your Website | Loudwhisper⁩ ⁨⁨3⁩ ⁨months⁩ ago⁩:
Fail2ban + key-based SSH + self-hosted WAF if you can spin up another machine == 80% of your Web hosting problems gone
⁨Comment⁩ on ⁨Why do so many people use NGINX?⁩ ⁨⁨3⁩ ⁨months⁩ ago⁩:
Thanks for the comment, that was a good read
⁨Comment⁩ on ⁨Why do so many people use NGINX?⁩ ⁨⁨3⁩ ⁨months⁩ ago⁩:
You can do that with Wireguard and NAT.
⁨Comment⁩ on ⁨Why do so many people use NGINX?⁩ ⁨⁨3⁩ ⁨months⁩ ago⁩:
Traefik’s marketing as the “Docker reverse-proxy” put me off since I like technologies to stay agnostic of each other (personal preference).

Your arguments are correct, and usually I’d run a separate web server but I suppose for a homelab having less things to manage is great
⁨Comment⁩ on ⁨Why do so many people use NGINX?⁩ ⁨⁨3⁩ ⁨months⁩ ago⁩:
I have heard a lot about Envoy proxy from Istio but never looked into it for baremetal usage. I’ll keep an eye out, thanks
⁨Comment⁩ on ⁨[HELP NEEDED] Unable to figure out directory permissions⁩ ⁨⁨3⁩ ⁨months⁩ ago⁩:
It should technically do that already, but as extra insurance I’m running it with the -u bind flag in ENTRYPOINT. The problem was solved with a chmod 755
⁨Comment⁩ on ⁨[HELP NEEDED] Unable to figure out directory permissions⁩ ⁨⁨3⁩ ⁨months⁩ ago⁩:
Thank you, I’ll keep that in mind. I didn’t actually mount volumes into the container yet, the problem was solved upon changing to chmod 755
Why do so many people use NGINX?
Submitted ⁨⁨3⁩ ⁨months⁩ ago⁩ to ⁨selfhosted@lemmy.world⁩ | ⁨95⁩ ⁨comments⁩
[HELP NEEDED] Unable to figure out directory permissions
Submitted ⁨⁨3⁩ ⁨months⁩ ago⁩ to ⁨selfhosted@lemmy.world⁩ | ⁨4⁩ ⁨comments⁩
⁨Comment⁩ on ⁨OS recommendations⁩ ⁨⁨3⁩ ⁨months⁩ ago⁩:
I think ZFS does some advanced stuff which makes it better than just relying on hardware checksums (which have been shown to not be so great)
⁨Comment⁩ on ⁨OS recommendations⁩ ⁨⁨3⁩ ⁨months⁩ ago⁩:
How about bitrot?
⁨Comment⁩ on ⁨Proxmox on Laptop, Network Setup⁩ ⁨⁨3⁩ ⁨months⁩ ago⁩:
Qubes OS doesn’t have GPU acceleration using Virtio-powered interfaces if that’s something you need. Also it’s based on Xen and you are not encouraged to mess around with dom0.

TBH if there’s a way that you can attach to the display output of a VM with a GUI when you start your computer, it will probably fit your use-case perfectly. I haven’t found a method to do this but I think there should be some way to attach directly to the display of a VM after booting up.
⁨Comment⁩ on ⁨Restart an OOM killed docker automatically⁩ ⁨⁨4⁩ ⁨months⁩ ago⁩:
Those remote access fears can be solved with a wireguard VPN
⁨Comment⁩ on ⁨[deleted]⁩ ⁨⁨4⁩ ⁨months⁩ ago⁩:
They do, but VRAM. Unfortunately, the cards that do have that much of memory are used by OEMs/corporations and are insanely pricey