If you're using a VPS from Amazon, DigitalOcean or whatever, you're by definition not self-hosting. Still dependent on some cloud company, so not self-hosting in a pure sense... misread comment.
I'm curious: are there documented attacks that could've been prevented by this?
From my understanding, CPU pinning shouldn't be used that much; the host scheduler is aware that your VM threads are linked and will schedule child threads together. If you pin cores to VMs, you block the host scheduler from making smart choices about scheduling. This is mostly only an issue if your CPU is under constraint, i.e. it's being asked to perform more work than it can handle at once. Pinning is not dedication: the host scheduler will still schedule non-VM work on your pinned cores.
I'm under the impression that CPU pinning is an old approach from a time before CPU schedulers were as sophisticated and did not handle VM threads in a smart manner. This is not the case anymore, and there might be a negative performance impact with it.
the more complicated it gets the more likely you are to either screw up unintentionally, or get annoyed at it, and do something dumb on purpose, even though you totally were going to fix it later. (...) Pick the one that makes sense, is easy for you to deploy and maintain
This is an interesting piece of advice.
Anyway maybe I wasn't clear enough, I'm not looking to pick a setup, I've been doing 2.B. for a very long time and I do work on tech and know my way around. Just gauging what others are doing and maybe find a few blind spots :).
No specific concern, I do as in scenario 2, option B. I was just listing the most common options and getting feedback on what others think about those.
I personally believe the setup 2B is more than enough if a nation state isn't after you, but who knows? :)
What you're missing there is that the Europe you describe is only a small subset of countries. The rest are committing atrocities against their own people in the form of continuously increasing the number of people living close to poverty and by enacting policies that ended up making the majority of the youngest generations unable to buy/rent homes and/or eventually have children.
The nixCraft headline is stupid; just because you are running on IPv6 without any NAT doesn't mean your router doesn't block incoming IPv6 traffic to hosts on the network. This is actually the default in 99.9999% of devices.
Yeah, I was typing that on the phone... thanks for the link:
As the node runs as the root user in order to run plugins as any needed user, it now only listens on localhost as a security measure. You have to edit munin-node.conf in order to listen to the network, and add the master’s IP on the authorized list.
So, I guess the best approach is to just run it inside a management network / internal VPN to avoid exposing the port to the internet.
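As an added illustration of the "management network only" approach from the comment above (this is example configuration, not text from the commenter or from the Munin project docs), here is a munin-node.conf with the exposed setting next to the restricted one. The addresses are assumptions: the node's management interface is taken to be 10.10.0.5 and the Munin master 10.10.0.1 on an internal VPN/management network.

```conf
# munin-node.conf - example only (addresses below are hypothetical)
# The node runs as root so plugins can drop to whatever user they need,
# which is exactly why its listener must not be reachable from the internet.

user root
group root
port 4949

# --- Exposed setting (what you get if you just open it up) ---
# Binds on every interface and lets any source address talk to the node.
# Anyone who can reach TCP/4949 can list and run every plugin as root.
#host *
#allow ^.*$

# --- Restricted setting (management network / internal VPN only) ---
# Bind only on the management interface address (assumed 10.10.0.5), so the
# port is not even open on the public interface.
host 10.10.0.5

# The allow list is a regex matched against the connecting IP, so anchor it
# and escape the dots; an unanchored "10.10.0.1" would also match 10.10.0.10.
# Only the Munin master (assumed 10.10.0.1) is authorized, plus loopback for
# local debugging with "telnet localhost 4949".
allow ^10\.10\.0\.1$
allow ^127\.0\.0\.1$
allow ^::1$
```

After restarting munin-node, confirm the bind with `ss -ltnp | grep 4949` (the local address should be 10.10.0.5:4949, not 0.0.0.0:4949), and test from a host outside the management network that the connection is refused rather than greeted with the `# munin node at ...` banner. The `allow` list is a second line of defence, not a substitute for the bind address and a firewall rule, because it only inspects the source IP.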
Looks cool, what about security? Since you’re experienced with it, how does it access the information of the nodes and how secure or insecure that may be? At the end of the day I don’t want to open a port on all nodes just to have it be used as root access to those machines…
Looks cool, but, well, the Linux app ecosystem and the inability to standardize anything and/or have simple binaries... I really don't get the people that go for Linux for privacy/preservation/not being constantly dependent on the internet and then everything is a repository hosted somewhere that's hard to archive or crazy container-like formats.
Because Europe, but as you can see the OpenWrt One makes no sense when the BPI-Wifi5 is half the price and the R3 is 35€ more expensive but has multiple Ethernet ports, SFP and a ton of other IO. In fact, even for the US market I don't see the price of the OpenWrt One making any sense, because the others are cheaper over there as well.
Or... a decent OpenWrt router like the Banana Pi BPI-R3. I believe the only argument for those kinds of devices is the WiFi support, but I don't believe the price and specs of the device shared by the OP are reasonable at all. If you don't need WiFi, then yes, a good SBC and a cheap switch will be a much better alternative.