Posts: 4 · Comments: 37 · Joined: 2 yr. ago

  • Thanks a lot for these tips! Especially about using the upstream deb.

  • I subscribed. I use Navidrome since it has a slick UI and supports the Subsonic API. Having both in one is great.

  • Thanks for your reply! Out of curiosity, what made you go with Prometheus over Zabbix and Checkmk in the end? Those two seem to be heavily recommended.

  • Maintaining legacy options is always maintenance overhead or things you need to work around when implementing new features. I suspect that they've concluded that not enough people use it anymore to justify the overhead.

  • Why not have the reverse proxy also do renewal for the SMTP relay certificate and just rsync it to the relay? For a while I had one of my proxies do all the renewals and the other would rsync it.

  • I deploy as much as I possibly can via Ansible. Then the Ansible code serves as the documentation. I also keep the underlying OS the same on all machines to avoid different OS conventions. All my machines run Debian. The few things I cannot express in Ansible, such as network topology, I draw a diagram for in draw.io, but that's it.

    Also, why not automate the certificate renewal with certbot? I have two reverse proxies and they renew their certificates themselves.

  • Plasma is amazing. It has been my DE of choice for years now. So happy I'm donating to the project.

  • That's because podman-compose is not a goal for the project IIRC. Therefore, it will never be feature complete. They encourage using systemd or other tools to manage the pods. It seems that podman-compose is just not an enterprise use case.

    Edit: so if docker-compose is important then yea, stick to docker. I moved to using systemd instead. Podman can generate the systemd files for you.

  • Well, that's just not true. WSL indeed is not Linux, but it does have several of the advantages of Linux.

    It is not good if you want a home desktop solution, because that's not what it's there for. However, if you need to use Windows for something, e.g., at work to have full Outlook/MS Office compatibility (access through the web is not great) but need Linux for dev work, then WSL is great.

    In short, I'd say WSL is there if you want to do dev work on Linux, but everything else on Windows.

  • ZFS send to a pair of mirrored HDDs on the same machine every hour and a daily restic backup to S3 storage. Every six months I test and verify the cloud backup.

  • In addition to what you mentioned, set up logcheck to email you unexpected logs. It does require a bit of time and fine tuning to make it ignore expected logs, but in terms of security measures it's very powerful. I get an email every time I log in, incorrectly type my sudo password, etc. Sounds very verbose, but it also means it's verbose when something unexpected is happening, which is what you want security-wise. A nice side effect of having to craft the regexes of what logs to ignore is that I know better what's running on my server :)

  • I already posted that I recommend fastmail elsewhere in this thread, but you raised so many good points that it reminded me of some extra points :)

    Fastmail offers granular, per-app passwords – I have a single password which has read-only access to IMAP in order to back up all the data on a timer. This feature is missing from many (many) other email providers - using the 80/20 rule, if they even offer it, it’s a single password with full access (Mailfence, for example).

    Since this community is about selfhosting I think it's worth pointing out that this is AMAZING for selfhosting. I have all my self-hosted services sending e-mail via Fastmail's SMTP. With per-app passwords I don't need to store my normal e-mail password and the apps can be limited to SMTP only (so no read access). And in case of compromise you can revoke permissions on a per-app granularity.

    Fastmail offers full CardDAV (contacts) and CalDAV (calendar) access, which makes plugging it into any other app that supports this very easy - their DNS wizard helps you set up the service records. I use “DavX5” on my Android to sync all Contacts and Calendar outside of using the Fastmail app (which is a self-contained app on Android, it’s not too bad).

    Fastmail has become my contacts app now - it's really great to have all your e-mail and contacts in the same place. The contacts don't even need to have an e-mail address - I have a lot of contacts stored for whom I only have a phone number. I sync to Android using the same DavX5 app and then immediately have these contacts in WhatsApp and Signal.

  • I recommend fastmail.com, though they do have some shortcomings that you need to consider, such as the fact that they're based in Australia (Five Eyes country) and have servers in the USA. Their advantage is a slick interface, a fantastic app based on JMAP, and just generally being super convenient. They allow catch-all addresses, masked emails, custom domains, etc. I find them super convenient.

  • You can limit which CAs will offer certificates for your domain with the CAA record in DNS.

    Yea, I already have that.

    You can also at least detect if someone else creates a certificate for your domain if you watch the certificate transparency logs.

    Did not know this before today, but now I have it switched on!
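    Added example (not from any post in this thread) of the two controls this comment describes: parsing CAA records and flagging CT-log entries whose issuer the CAA policy does not permit. The zone lines, the issuer-to-CAA-domain mapping and the crt.sh-style entries are constructed assumptions, not real records.

```python
import json
import re

# Constructed CAA records (assumed zone): only Let's Encrypt may issue, no wildcards
CAA_RECORDS = [
    'example.com. 3600 IN CAA 0 issue "letsencrypt.org"',
    'example.com. 3600 IN CAA 0 issuewild ";"',
    'example.com. 3600 IN CAA 0 iodef "mailto:security@example.com"',
]
# Assumed mapping from the O= field of a CT issuer DN to the CA domain used in CAA
ISSUER_ORG_TO_CAA_DOMAIN = {"Let's Encrypt": "letsencrypt.org"}
# Constructed CT entries in the shape crt.sh returns; id 2 is the unauthorised cert
CT_ENTRIES_JSON = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example.com\nwww.example.com", "not_before": "2024-03-01T10:00:00"},
    {"id": 2, "issuer_name": "C=US, O=Some Hosting Ltd, CN=Some Hosting CA",
     "name_value": "example.com", "not_before": "2024-03-05T08:30:00"},
])
CAA_RE = re.compile(r'CAA\s+\d+\s+(issuewild|issue|iodef)\s+"([^"]*)"')

def parse_caa(records):
    """Return {tag: [values]} from zone-file CAA lines; a bare ';' is kept as ''."""
    tags = {"issue": [], "issuewild": [], "iodef": []}
    for line in records:
        m = CAA_RE.search(line)
        if m:
            # keep only the CA domain, dropping any "; key=value" parameters
            tags[m.group(1)].append(m.group(2).split(";")[0].strip())
    return tags

def caa_permits(caa, ca_domain, wildcard=False):
    """RFC 8659: issuewild governs wildcard names when present, else issue applies."""
    allowed = caa["issuewild"] if wildcard and caa["issuewild"] else caa["issue"]
    return bool(ca_domain) and ca_domain in allowed  # unknown CA -> never permitted

def issuer_org(issuer_dn):
    """Pull the O= component out of an issuer distinguished name."""
    m = re.search(r"(?:^|,\s*)O=([^,]+)", issuer_dn)
    return m.group(1).strip() if m else ""

def unexpected_certs(ct_json, caa):
    """Return ids of CT entries whose issuer the CAA policy does not permit."""
    flagged = []
    for entry in json.loads(ct_json):
        wild = any(n.startswith("*.") for n in entry["name_value"].split("\n"))
        ca_domain = ISSUER_ORG_TO_CAA_DOMAIN.get(issuer_org(entry["issuer_name"]), "")
        if not caa_permits(caa, ca_domain, wildcard=wild):
            flagged.append(entry["id"])
    return flagged
```

    Against real data, feed the JSON from a CT search service (crt.sh offers a JSON output) and a live `dig CAA` result into the same functions; a CAA record blocks compliant CAs in advance, while the CT check catches issuance that happened anyway.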

  • If it was just storage/RAM scraping then that could be solved with SSL pass-through though. That way the reverse proxy would not decrypt the traffic and would forward the encrypted traffic further to the home server. I was actually setting that up a few hours ago. However, since the VPS provider owns the IP address of the VPS, they can simply obtain their own certificate for the domain. After all, Let's Encrypt verifies your ownership of the domain by your ability to control the DNS entries. Therefore, even if the certificates weren't on the VPS, the fact that I am redirecting traffic via their IP address makes me vulnerable to a malicious provider.

    The "hobby exercise" was just to indicate that this is not for work and that I'm interested in an answer beyond "you need to trust your provider" which I do :) I agree, these are important questions! And they're also interesting!

  • No, I'm not concerned. This is just a theoretical exercise so that I can understand the trade-offs I'm making.

    Edit: The certificate transparency monitoring sounds interesting. Did not know about that.