This is an option, my main reason for not wanting to use a hosted k8s service is cost. I already have the hardware, so I'd rather use it first if possible.
Though I have been thinking of converting some sites to be statically-generated and hosted externally.
I was more worried about escaping the container, but maybe I shouldn't be. I'm using Talos now as the OS and there isn't much on the OS as it is. I can probably also enforce all of my public services to run as non-root users and not allow privileged containers/etc.
Thanks for recommending crowdsec/falco too. I'll look into those
An alternative I tried before was just whitelisting which IPs are allowed to access specific ingresses, but having the ingress listen on both public/private networks. I like having a separate ingress controller better because I know the ingress isn't accessible at all from a public ip. It keeps the logs separated as well.
Another alternative would be an external load balancer or reverse proxy that can access your cluster. It'd act as the "public" ingress, but would need to be configured to allow specific hostnames/services through.
I did actually consider a 3rd cluster for infra stuff like dns/monitoring/etc, but at the moment I have those things in separate vms so that they don't depend on me not breaking kubernetes.
Do you have your actual public services running in the public cluster, or only the load balancer/ingress for those public resources?
Also how are you liking garage so far? I was looking at it (instead of minio) to set up backups for a few things.
I have not had any issues with Kopia so far, but I have also only used it for maybe a year? My main reason for trying it was that I wanted to be able to give something to family members to use as a backup client with a reasonable ui. I can also control the default exclude list and default policies for compression/etc pretty easily.
I don't know how many years of restic backups I have, but I still rely on it for my most important data. Anything really important on my desktop/laptop gets backed up via kopia, but also gets copied (usually via nextcloud) to a server that has hourly zfs snapshots and daily restic snapshots. Both the restic and kopia snapshots get stored on a local nas and then synced to rsync.net.
I was talking about dumping the database as an alternative to backing up the raw database files without stopping the database first. Taking a filesystem-level snapshot of the raw database without stopping the database first also isn't guaranteed to be consistent. Most databases are fairly resilient now though and can recover themselves even if the raw files aren't completely consistent.
Stopping the database first and then backing up the raw files should be fine.
If you're worried a out a database being corrupt, I'd recommend doing an actual backup dump of the database and not only backing up the raw disk files for it.
That should help provide some consistency. Of course it takes longer too if it's a big db
Sounds pretty cool, thanks for the details! Any chance of some pictures?
My worry would be the same, I don't know if I trust myself not to flood the house lol
I did think about using a mechanical float like in the back of a toilet, and an overflow drain in case it never stops filling
Kanboard is pretty great even if it does feel dated. I tried a lot of the newer alternatives and they all had either weird bugs or quirks I didn't appreciate.
Eh while it sucks, registrars and web hosts get so many abuse reports that sometimes they just err on the side of caution and don't investigate as thoroughly as you'd like.
Of course it also depends a lot on various things like what type of complaint, how much money you spend with them, account history, complaint source, etc.
They should be able to tell you what they had a problem with and give you a chance to fix it.
What's up with the $4.55 "$1 drink"?