AK | Posts: 5 | Comments: 158 | Joined: 2 yr. ago

  • the lack of logs

    That's the best part: with a script, you can pipe the output of the updates into a log file you create yourself. I don't currently do that; if something breaks, I just roll back to a previous snapshot and try again later, but it's possible and seemingly straightforward.

    This askubuntu link will probably help

  • That’ll be my impetus to learn how to write a script.

    This part caught my eye. You were able to do all that other stuff without ever attempting to write a script? That's surprising and awesome. Assuming you are running everything on a Linux server, I feel like a bash script that is run via a cronjob would be your best bet: no need to SSH into the server, just let it do it on its own. I haven't tested any of this but I do have scripts I wrote that do automatic ZFS backups and scrubs; the order should go something like:

    open the terminal on the server and type

    mkdir scripts

    cd scripts

    nano docker-updates.sh

    type something along the lines of this (I'm still learning docker so adjust the commands to your needs)

    #!/bin/bash
    # stop at the first failed command, so a failed pull never restarts the stack
    set -e
    # change into the directory that holds docker-compose.yml (not the file itself)
    cd /path/to/scripts
    docker compose pull && docker compose up -d
    docker image prune -f

    save the file and then type sudo chmod +x ./docker-updates.sh to make it executable

    and finally, set up a cronjob to run the script at specific intervals. Type

    crontab -e

    or

    sudo crontab -e (this is if you want to run the script as root, but ideally you just add your user to the docker group, so this shouldn't be needed)

    and at the bottom of the file type this and save, that's it:

    # runs script at 1am on the first of every month
    0 1 1 * * /path/to/scripts/docker-updates.sh

    this website will help you choose a different interval

    For OS updates you basically do the same thing except the script would look something like: (I forget if you need to type "sudo" or not; it's running as root so I don't think you need it, but maybe try it with sudo in front of both "apt"s if it's not working. Also use whatever package manager you have if you aren't using apt)

    while in the scripts folder you created earlier

    nano os-updates.sh

    #!/bin/bash
    set -e
    # non-interactive so apt never waits for a prompt when run from cron
    export DEBIAN_FRONTEND=noninteractive
    apt-get update && apt-get upgrade -y
    shutdown -r now

    save and don't forget to make it executable

    then use

    sudo crontab -e (because you'll need root privileges to update. This will run the script as root without requiring you to input your password)

    # runs script at 12am on the first of every month
    0 0 1 * * /path/to/scripts/os-updates.sh

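As an added example (not the script from the comment above, and not anything its author runs), here is a version of docker-updates.sh that also covers the logging point raised in the earlier "lack of logs" reply: each run writes its own log file with every command's output and exit status, and a failed pull stops the script before anything is restarted. The paths /path/to/scripts and /var/log/docker-updates are placeholders, and the DOCKER and COMPOSE variables exist only so the functions can be exercised without Docker installed.

```shell
#!/bin/bash
# docker-updates.sh: pull, recreate and prune a compose stack, logging every step.
# Added example for this thread, not the commenter's script. Assumptions:
# /path/to/scripts holds docker-compose.yml and /var/log/docker-updates is
# writable by the user the cron job runs as.
set -eu

COMPOSE_DIR="${COMPOSE_DIR:-/path/to/scripts}"   # directory containing docker-compose.yml
LOG_DIR="${LOG_DIR:-/var/log/docker-updates}"
DOCKER="${DOCKER:-docker}"                       # overridable so the functions can be tested without Docker
COMPOSE="${COMPOSE:-$DOCKER compose}"

# log_line LOGFILE MESSAGE: append one timestamped line to LOGFILE.
log_line() {
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$2" >> "$1"
}

# run_logged LOGFILE CMD [ARGS...]: run CMD with stdout and stderr appended to
# LOGFILE, record OK/FAILED together with the exit status, and return that
# status, so under "set -e" a failed "pull" stops the script before "up -d".
run_logged() {
    logfile=$1
    shift
    log_line "$logfile" "RUN: $*"
    if "$@" >> "$logfile" 2>&1; then
        log_line "$logfile" "OK: $*"
        return 0
    else
        status=$?
        log_line "$logfile" "FAILED (exit $status): $*"
        return "$status"
    fi
}

# update_stack: one log file per run; prints its path so a wrapper or cron
# mail can point at it. Logs older than 90 days are removed.
update_stack() {
    mkdir -p "$LOG_DIR"
    logfile="$LOG_DIR/update-$(date '+%Y%m%d-%H%M%S').log"
    cd "$COMPOSE_DIR"                  # set -e aborts here if the directory is wrong
    # shellcheck disable=SC2086  (COMPOSE is intentionally split into words)
    run_logged "$logfile" $COMPOSE pull
    run_logged "$logfile" $COMPOSE up -d
    run_logged "$logfile" "$DOCKER" image prune -f
    find "$LOG_DIR" -name 'update-*.log' -mtime +90 -delete
    printf '%s\n' "$logfile"
}

# Only act when called as "docker-updates.sh run"; cron line:
#   0 1 1 * * /path/to/scripts/docker-updates.sh run
case "${1:-}" in
    run) update_stack ;;
    *)   : ;;   # no argument: just define the functions (lets the file be sourced)
esac
```

Make it executable as in the comment and call it with the word run from cron; with no argument it only defines its functions, so a mistyped cron line does nothing rather than half an update. Because everything goes to the log file there is no need for the usual `>/dev/null 2>&1` on the cron line, and cron's mail (if configured) remains a useful failure signal.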
  • Ok so I currently have a cert set up to work with:

    domain.com

    www.domain.com (some browsers seemingly didn't like it if I didn't have www)

    subdomain.domain.com

    Are you saying I could just configure it like this:

    domain.com

    *.domain.com

    The idea of not having to keep updating the cert with new subdomains (and potentially break something in the process) is really appealing
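Added example (not from the comment, and not the commenter's config) showing what the two-entry cert in the question actually covers. Browsers apply the RFC 6125 rule: a wildcard is only honoured as the whole left-most label and it matches exactly one label, which is why both domain.com and *.domain.com are needed and why something like a.b.domain.com would still need its own entry. The SAN list in the sample is constructed; cert_sans reads the real list from a PEM file with openssl (1.1.1 or later for -ext).

```shell
#!/bin/bash
# san-check.sh: which hostnames does a certificate with the given SAN entries cover?
# Added example for this thread. Wildcard rules follow RFC 6125 / browser
# practice: "*" is only allowed as the entire left-most label and matches
# exactly one label, so "*.domain.com" covers "www.domain.com" but neither
# "domain.com" nor "a.b.domain.com".
set -eu

# lower NAME: DNS names are case-insensitive, so compare in lower case.
lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# san_matches HOST PATTERN: returns 0 if PATTERN (one SAN entry) covers HOST.
san_matches() {
    host=$(lower "$1")
    pattern=$(lower "$2")
    case "$pattern" in
        '*.'*)
            suffix=${pattern#\*.}
            rest=${host%".$suffix"}      # strip ".suffix" from the end, if present
            # host must end in ".suffix", have something before it, and that
            # something must be a single label (no dots)
            if [ "$rest" != "$host" ] && [ -n "$rest" ] && [ "${rest#*.}" = "$rest" ]; then
                return 0
            fi
            return 1
            ;;
        *'*'*) return 1 ;;               # a wildcard anywhere else is not honoured
        *)
            if [ "$host" = "$pattern" ]; then return 0; fi
            return 1
            ;;
    esac
}

# cert_covers HOST "SAN1 SAN2 ...": returns 0 if any SAN entry covers HOST.
cert_covers() {
    host=$1
    for san in $2; do
        if san_matches "$host" "$san"; then return 0; fi
    done
    return 1
}

# cert_sans CERT.pem: print the DNS SAN entries of a certificate, one per line
# (needs OpenSSL 1.1.1+ for -ext). Feed it to cert_covers, e.g.
#   cert_covers sub.domain.com "$(cert_sans fullchain.pem)"
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName \
        | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# report "SAN list" HOST...: one line per host; run it over every hostname you
# serve before shrinking the cert to "domain.com" + "*.domain.com".
report() {
    sans=$1
    shift
    for h in "$@"; do
        if cert_covers "$h" "$sans"; then
            printf '%-24s covered\n' "$h"
        else
            printf '%-24s NOT covered\n' "$h"
        fi
    done
}

# Constructed sample: the two-entry cert from the question.
report 'domain.com *.domain.com' domain.com www.domain.com sub.domain.com a.b.domain.com
```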

    Do you mind giving a high level overview of what a Cloudflare tunnel is doing? Like, what's connected to what and how does the data flow? I've seen Cloudflare mentioned a few other times in the comments here. I know Cloudflare offers DNS services via their 1.1.1.1 and 1.0.0.1 IPs and I also know they somehow offer DDoS protection (although I'm not sure how exactly; caching?). However, that's the limit of my knowledge of Cloudflare

    I've run into a weird issue where on my phone, tailscale will disconnect and refuse to reconnect for a seemingly random amount of time, but usually less than an hour. It doesn't happen often but it is often enough that I've started to notice. I'm not sure if it's a network issue or an app issue but during that time, I can't connect to my services. All that to say, my tolerance for that is higher than my partner's; the first time something didn't work, they would stop using it lol

  • You don’t even have to worry about setting up SSL on every individual service

    I probably need to look into it more but since traefik is the reverse proxy, doesn't it just get one ssl cert for a domain that all the other services use? I think that's how my current nginx proxy is set up; one cert configured to work with the main domain and a couple subdomains. If I want to add a subdomain, if I remember correctly, I just add it to the config, restart the containers, and certbot gets a new cert for all the domains

  • wildcard let’s encrypt cert

    I know what "wildcard" and "let's encrypt cert" are separately but not together. What's going on with that?

    How do you have your tailscale stuff working with ssl? And why did you set up ssl if you were accessing via tailscale anyway? I'm not grilling you here, just interested.

    I know enough about security to know that I don’t know enough to secure against much anything

    I feel that. I keep meaning to set up something like nagios for monitoring and just haven't gotten around to it yet.

  • "NPM" node package manager?

    1. Yeah I've been playing around with docker and a domain to see how all that worked. Got the subdomains to work and everything, just don't have them pointing to services yet.
    2. I'm definitely interested in the authentication part here. Do you have any tutorials you could share?
    3. Will do, thanks
    4. ❤️

    I don't know how markdown works. That should be 1,3,4,5

  • I currently have a nginx docker container and certbot docker container that I have working but don't have in production. No extra features, just a barebones reverse proxy with an ssl cert. Knowing that, I read through Caddy's homepage but since I've never put an internet facing service into production, it's not obvious to me what features I need or what I'm missing out on. Do you mind sharing what the quality of life improvements you benefit from with Caddy are?

  • I've played around with reverse proxies and ssl certs and the easiest method I've found so far was docker. Just haven't put anything in production yet. If you don't know how to use docker, learn, it's so worth it.

    Here is the tutorial I used and the note I left for myself. You'll need a domain to play around with. Once you figure out how to get NGINX and certbot set up, replacing the helloworld container with a different one is relatively straightforward.

    DO NOT FORGET, you must give certbot read write permissions in the docker-compose.yml file which isn't shown in this tutorial
    -----EXAMPLE, NOT PRODUCTION CODE----

    services:
      nginx:
        container_name: nginx
        restart: unless-stopped
        image: nginx
        depends_on:
          - helloworld
        ports:
          - "80:80"
          - "443:443"
        volumes:
          - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
          - ./certbot/conf:/etc/letsencrypt:ro
          - ./certbot/www:/var/www/certbot:ro

      certbot:
        image: certbot/certbot
        container_name: certbot
        volumes:
          - ./certbot/conf:/etc/letsencrypt:rw
          - ./certbot/www:/var/www/certbot:rw
        command: certonly --webroot -w /var/www/certbot --keep-until-expiring --email *email* -d *domain1* -d *domain2* --agree-tos
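Added example, not part of the tutorial or the setup above: the compose snippet only runs certonly, and nginx reads the PEM files once at start, so renewal needs a second step that asks certbot to renew and then reloads nginx when the files actually changed. Assumed names: the compose directory /path/to/stack, the service names nginx and certbot from the snippet, and the page's own *domain1* placeholder in the certificate path. COMPOSE is a variable only so the logic can be tested without Docker.

```shell
#!/bin/bash
# renew-certs.sh: renew the certbot certificates used by the nginx container and
# reload nginx only when a certificate file actually changed. Added example for
# this thread. Assumptions: the compose file lives in /path/to/stack, the
# services are named "nginx" and "certbot", and the certificate to watch is
# certbot/conf/live/*domain1*/fullchain.pem (replace *domain1*).
set -eu

COMPOSE_DIR="${COMPOSE_DIR:-/path/to/stack}"
CERT_FILE="${CERT_FILE:-certbot/conf/live/*domain1*/fullchain.pem}"   # relative to COMPOSE_DIR
COMPOSE="${COMPOSE:-docker compose}"     # overridable so the logic can be tested without Docker

# cert_checksum FILE: cheap change detector; prints "missing" if the file does
# not exist yet (first run) so the comparison below still works.
cert_checksum() {
    if [ -f "$1" ]; then cksum < "$1" | cut -d' ' -f1; else printf 'missing\n'; fi
}

# renew_certs: run certbot's renew (a no-op until roughly 30 days before
# expiry), then reload nginx only if the cert changed. Prints "reloaded" or
# "unchanged" so a wrapper can log the outcome.
renew_certs() {
    cd "$COMPOSE_DIR"
    before=$(cert_checksum "$CERT_FILE")
    # "run" uses the certbot service's volumes, so renewal sees the same state
    $COMPOSE run --rm certbot renew --webroot -w /var/www/certbot --quiet
    after=$(cert_checksum "$CERT_FILE")
    if [ "$before" != "$after" ]; then
        $COMPOSE exec nginx nginx -s reload   # nginx keeps the old PEM in memory until reloaded
        printf 'reloaded\n'
    else
        printf 'unchanged\n'
    fi
}

case "${1:-}" in
    run) renew_certs ;;   # cron: 0 3 * * * /path/to/stack/renew-certs.sh run
    *)   : ;;             # no argument: just define the functions
esac
```

Schedule it like the other scripts in this thread. The checksum comparison is what keeps the reload conditional; certbot's own --deploy-hook cannot do this here because it would run inside the certbot container, where nginx is not running.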