Findmysec
@Findmysec@infosec.pub
- Comment on Do you selfhost your own blog/website? 1 month ago:
You should do it on a VPS so that even if it gets infected your home network is not compromised
- Comment on Advice needed for networking/architecting 1 month ago:
I’m afraid I do not follow. TrueNAS scale has support for kubernetes: install containers on top, maybe different containers for different fileshares/uses (one container for VM images, one for media etc).
Mount said network volumes on the compute boxes.
- Comment on Chromecast / Firestick Self Host Replacement 2 months ago:
Just run KODI from anywhere
- Comment on Multiple Kubernetes Services Using Same Port Without SNI 2 months ago:
If you can only use port 22 for multiple SSH endpoints (for example), then yes your going to need multiple IPs. Or Port-mapping as a compromise
- Comment on Multiple Kubernetes Services Using Same Port Without SNI 2 months ago:
In short, you need a reverse-proxy + traffic segregation with domain names (SNI).
I don’t remember much about ingresses, but this can be super easy to set up with Gateway API (I’m looking at it right now).
Basically, you can set up
sftp.my.domain/ssh
to192.168.1.40:22
,sftp.my.domain/sftp
to192.168.1.40:121
(for example). Same with Forgejo,forgejo.my.domain/ssh
will point to192.168.1.50:22
andforgejo.my.domain/gui
will point to192.168.1.50:443
.The Gateway API will simply send it over to the right k8s service.
About your home network: I think you could in theory open up a DMZ and everything should work. I would personally use a cheap VPS as a VPN server and NAT all traffic through it. About traffic from your router maintaining the SNI, that’s a different problem depending on your network setup.
- Comment on Multiple Kubernetes Services Using Same Port Without SNI 2 months ago:
You’d receive traffic on IP:PORT, that’s segregation right there. Slap on a DNS name for convenience.
I might have my MetalLB config laying around somewhere (it’s super easy, I copied most of it from their website), I can probably paste it here if you’d like.
- Comment on Multiple Kubernetes Services Using Same Port Without SNI 2 months ago:
Ingress controllers like Traefik come across as LB services to IPAM modules like MetalLB (I’ve never used Kube-VIP but I suppose it’s the same story). These plug-ins assign IP addresses to these LB services.
You can assign a specific IP to an instance of an “outward-facing route” with labels. I don’t remember technical terms relevant to Ingresses because I’ve been messing with the Gateway API recently.
- Comment on Multiple Kubernetes Services Using Same Port Without SNI 2 months ago:
MetalLB + map new external IP to domain == profit.
- Comment on What's the difference between a $50 HDD and a $200 HDD? 2 months ago:
SMR vs CMR and drive speeds
- Comment on Using Fedora Atomic (CoreOS, IOT) as server OS - Experiences? 2 months ago:
Setting SELinux to permissive is not a good security practice
- Comment on [deleted] 2 months ago:
Why not port knocking over TOR?
- Comment on AMD won't patch all chips affected by severe data theft vulnerability — Ryzen 3000, 2000, and 1000 will not get patched for 'Sinkclose' 2 months ago:
Well the Star64 from Pine is pretty good, just doesn’t have enough processing power and IO for my liking.
- Comment on AMD won't patch all chips affected by severe data theft vulnerability — Ryzen 3000, 2000, and 1000 will not get patched for 'Sinkclose' 2 months ago:
Framework has a laptop in progress if you’re interested
- Comment on ICANN approves use of .internal domain for your network 2 months ago:
Yeah that’s your situation. Some people are fine with it
- Comment on ICANN approves use of .internal domain for your network 2 months ago:
Ah, you mean they put the cert in a transparent proxy which logs all traffic? Neat idea
- Comment on ICANN approves use of .internal domain for your network 2 months ago:
Private CA is the only way for donations which cannot be resolved in the Internet
- Comment on Basic Security for your Website | Loudwhisper 3 months ago:
Fail2ban + key-based SSH + self-hosted WAF if you can spin up another machine == 80% of your Web hosting problems gone
- Comment on Why do so many people use NGINX? 3 months ago:
Thanks for the comment, that was a good read
- Comment on Why do so many people use NGINX? 3 months ago:
You can do that with Wireguard and NAT.
- Comment on Why do so many people use NGINX? 3 months ago:
Traefik’s marketing as the “Docker reverse-proxy” put me off since I like technologies to stay agnostic of each other (personal preference).
Your arguments are correct, and usually I’d run a separate web server but I suppose for a homelab having less things to manage is great
- Comment on Why do so many people use NGINX? 3 months ago:
I have heard a lot about Envoy proxy from Istio but never looked into it for baremetal usage. I’ll keep an eye out, thanks
- Comment on [HELP NEEDED] Unable to figure out directory permissions 3 months ago:
It should technically do that already, but as extra insurance I’m running it with the
-u bind
flag inENTRYPOINT
. The problem was solved with achmod 755
- Comment on [HELP NEEDED] Unable to figure out directory permissions 3 months ago:
Thank you, I’ll keep that in mind. I didn’t actually mount volumes into the container yet, the problem was solved upon changing to
chmod 755
- Submitted 3 months ago to selfhosted@lemmy.world | 95 comments
- Submitted 3 months ago to selfhosted@lemmy.world | 4 comments
- Comment on OS recommendations 3 months ago:
I think ZFS does some advanced stuff which makes it better than just relying on hardware checksums (which have been shown to not be so great)
- Comment on OS recommendations 3 months ago:
How about bitrot?
- Comment on Proxmox on Laptop, Network Setup 3 months ago:
Qubes OS doesn’t have GPU acceleration using Virtio-powered interfaces if that’s something you need. Also it’s based on Xen and you are not encouraged to mess around with dom0.
TBH if there’s a way that you can attach to the display output of a VM with a GUI when you start your computer, it will probably fit your use-case perfectly. I haven’t found a method to do this but I think there should be some way to attach directly to the display of a VM after booting up.
- Comment on Restart an OOM killed docker automatically 3 months ago:
Those remote access fears can be solved with a wireguard VPN
- Comment on [deleted] 4 months ago:
They do, but VRAM. Unfortunately, the cards that do have that much of memory are used by OEMs/corporations and are insanely pricey