overview for xinayder

You Should Run a Certificate Transparency Log in c/selfhosted@lemmy.world

[–] xinayder 1 points 3 weeks ago

With Encrypted Client Hello you can have some more privacy on obtaining certificates for wildcard domains, IIRC.

CoolerControl is a feature-rich cooling device control for Linux - v2.0 out now with major new additions in c/linux_gaming@lemmy.world

[–] xinayder 1 points 4 months ago (1 children)

You can, you can create a profile based on a sensor. I had to install the it87 driver for Linux to identify the case cooling fans I had.

Security of running Headscale on a VPS in c/selfhosted@lemmy.world

[–] xinayder 2 points 4 months ago

I had the same considerations when I self-hosted headscale as the controller for accessing my VPS. However, I figured that it shouldn't be a big deal, and there's no chance of someone registering rogue devices on your mesh, because, even though any device can request enrollment to Tailscale, ultimately you need to execute a command in your headscale server to confirm the enrollment/account creation, so there shouldn't be that much of a problem leaving the web server exposed.

Asking for suggestions regarding Rootless Podman in c/selfhosted@lemmy.world

[–] xinayder 1 points 4 months ago* (last edited 4 months ago) (1 children)

One more question, how did you manage to get the reverse proxy to proxy your pods? I just added two containers to one, and I cannot access the containers anymore by their names. Do I need to expose their ports on the pod configuration?

Asking for suggestions regarding Rootless Podman in c/selfhosted@lemmy.world

[–] xinayder 2 points 4 months ago (1 children)

Personally, I would avoid host network mode as you expose those containers to the world (good if you want that, bad if you don’t)… possibly the same with using the public IP address of your instance.

My instance is only exposing the HTTP/HTTPS ports, those are the only ports enabled in the firewall.

Asking for suggestions regarding Rootless Podman in c/selfhosted@lemmy.world

[–] xinayder 1 points 4 months ago (3 children)

It seems simple. Does it use pasta as the default networking backend? Also, I guess separating each app into their own network is added security, right? So if anything happens to one app, it cannot move laterally to the other apps unless it manages to gain access to the reverse proxy, which then it would be a huge problem.

21

Asking for suggestions regarding Rootless Podman (self.selfhosted)

submitted 4 months ago by xinayder to c/selfhosted@lemmy.world

11 comments fedilink

I have a "homelab" (well it's not a lab hosted at home, but on the cloud) running k3s and hosting my website, IRC and Matrix. I'm moving all of these services to Podman, since it's easier and you don't have to deal with the headaches of k3s.

I spent a lot of time the past months searching about Podman and couldn't find so much information about it. I managed to get a Authentik pod up and running with Quadlet (systemd unit), and I have a basic Caddy container acting as the reverse proxy for it. These are hosted in another VPS I have, and they are running rootless.

I want to move the other services to Podman, but I'm a bit lost. Right now, I have all the Podman containers allocate specific ports on the host, and communication between Caddy and Authentik, for example, is done by specifying the local IP address of my VPS.

Is it a bad approach to do inter pod/container communication using the local host IP address? I read that you can create a network that pods/containers can use and each gets assigned its own IP from the network range, but I also read that it doesn't go well with rootless. I started using slirp4netns, but then migrated to pasta since I had some issues with getting IPv6 with the former.

So, what would be the "correct" approach here? Create a separate network for the pods and use their assigned IP addresses, or use the local IP address from the host to communicate between pods?

“Something has gone seriously wrong,” dual-boot systems warn after Microsoft update in c/linux@lemmy.ml

[–] xinayder 2 points 11 months ago

Yes, it made people realize we don't need Secure Boot and it's just a pit of vulnerabilities.

What keeps dimming my monitors? in c/kde@lemmy.kde.social

[–] xinayder 1 points 11 months ago

I realized it happened with me whenever my computer was idle for a few minutes and the monitor turned off. Eventually it fixed itself, but it sure was annoying having to change the brightness back to the value it was before it went on stand-by.

Study Finds Consumers Are Actively Turned Off by Products That Use AI in c/technology@lemmy.world

[–] xinayder 2 points 1 year ago (1 children)

Do you have to do this every time you update your phone?

Study Finds Consumers Are Actively Turned Off by Products That Use AI in c/technology@lemmy.world

[–] xinayder 6 points 1 year ago (3 children)

Care to share how you disabled every bit of AI in the phone?

Study Finds Consumers Are Actively Turned Off by Products That Use AI in c/technology@lemmy.world

[–] xinayder 12 points 1 year ago

Yet companies are manipulating survey results to justify the FOMO jump to AI bandwagon. I don't know where companies get the info that people want AI (looking at you Proton).

From reddit selfhosted: What do you wish you knew from the start in c/selfhosted@lemmy.world

[–] xinayder 1 points 1 year ago

I maintain the DNS plugin for Vultr and I can say that it's "safe", but if you're worried you should check their source code.

I believe it's easier to have a vulnerability in the external provider's API (for example, caddy-dns/vultr uses govultr) than Caddy. But I wouldn't take things for granted if I was skeptical about these plugins.

71

Cheap, OpenWrt compatible routers with WiFi 6? (self.selfhosted)

submitted 1 year ago* (last edited 1 year ago) by xinayder to c/selfhosted@lemmy.world

18 comments fedilink

I am looking for suggestions of cheap, OpenWrt compatible routers that may have Wifi 6, for future proofing. My idea was to use it as a main router, but also as a travel router so I can plug it whenever I travel somewhere else.

I also want to learn how to use OpenWrt (I have an old router at home to test it out, but it's not ideal for everyday use since it's 100Mbps and doesn't have gigabit ports).

It'd be nice to have:

Wifi 6
OpenVPN or WireGuard support
Compatibility with OpenWrt
Ideally less than 60 EUR

A small form factor is also appreciated but not a requirement.

I checked the device tables and lists on the OpenWrt wiki, but it's hard to decide. A beginner's guide to the operating system recommended some routers but most of them are too expensive for my use case.

Currently, I'm leaning towards the GL iNet Opal (1200) but it doesn't support OpenWrt, the other option is the BananaPi BPI-WIfi 6. What would be your suggestions?

16

What's the best approach to deploy a static website to K8s cluster from a CI pipeline? (self.selfhosted)

submitted 2 years ago by xinayder to c/selfhosted@lemmy.world

21 comments fedilink

I have a small VPS that hosts some services I use daily and I'd like to migrate that to a K8s cluster. One of the services being hosted is my personal website, built with Hugo and served by Caddy.

Right now, I have the code for my website on Codeberg and I have a CI pipeline that builds the website and uploads it to my VPS via rsync.

I want to move the website to the k8s cluster, but I have no idea how to do it "securely". What I have right now is a separate user on my VPS called deploy and it rsyncs the files to the data directory Caddy is using to serve my files.

I thought I could do the same on the k8s cluster server, but it's usually not a good idea to mount host paths with k8s unless absolutely necessary, because container escaping is an actual problem.

So far the only alternative I could think of is to change the CI pipeline to publish my website on another branch and signal it to my K8s cluster so the files should be updated, but I'd like to know what better options exist and how easy they are to setup.