witten @ witten @lemmy.world

Posts

0

Comments

315

Joined

2 yr. ago

Here's an overview of the Let's Encrypt DNS challenge type in case you haven't seen it: https://letsencrypt.org/docs/challenge-types/#dns-01-challenge

Basically, when Traefik goes to request or renew a certificate, Let's Encrypt tries to look up a special DNS record on your domain so you can prove that the request for the certificate is legit. To make that work, Traefik first hits your DNS provider via API and temporarily inserts that special record so it's there when Let's Encrypt performs the lookup for it. In my particular case, I'm using self-hosted PowerDNS and it's built-in API (configured to only respond via a Wireguard tunnel). But you don't have to self-host DNS for this to work.. Traefik has a long list of supported providers: https://doc.traefik.io/traefik/https/acme/#dnschallenge

One additional consideration that's specific to Hetzner (which you may already be aware of): You can only scale down a server after scaling it up if you elected not to increase the (local) disk size. In other words, if you scale up a server with 40 GB storage to one that comes with 80, you can't actually resize your storage from 40 to 80 if you ever want to scale the server back down later. Kind of obnoxious.

Yeah, this experience with Traefik lines up pretty well with mine. It can be a steep learning, and the fact that half the search results out there are for Traefik v1 (with a completely different configuration syntax to v2) doesn't help. But once it's up and running, the dynamic configuration based on container labels is pretty darned nice.

Now I am even debating wether I should keep it at all, because I’d rather not mount the docker sock into my reverse proxy, the one software that ultimately connects to the web directly.

You could switch to Podman, in which case you'd give it a non-root, read-only socket that isn't the keys to the kingdom. Or maybe rootless Docker would be an easier switch and still give you some of those benefits.

Since nobody has responded to the ACME / Let's Encrypt part of the question yet, I'll chime in: I also use Traefik as a reverse proxy (and an ACME client), one unified instance per machine. (There are some exceptions, like for Mailu that requires its own nginx reverse proxy.) But for Let's Encrypt, I recently switched from the TLS challenge to the DNS challenge. That required switching my DNS server from CoreDNS to PowerDNS, but thus far it seems totally worth it. Now I can easily get TLS certs for servers on my private network at home without opening them up to the internet for HTTP/TLS challenges.

I don't know about your particular use case, but I've found that some apps experience problems when the IP address of a resource they're using changes out from under them. Like either they experience temporary connectivity issues during the transition or even just stop being able to reach the resource until restarted. However if your setup is working for you, that's great!

Why not use Wireguard from your phones all the time, even at home? Just performance?

Come join us over at https://lemmy.world/c/writing !

But I imagine this only works if TLS is terminated at HAProxy rather than Traefik, right? Otherwise how can HAProxy mess with the HTTP headers?

One thing that helped a ton with that for Wireguard (for either you or anyone else reading this) is: You can generate QR codes for a peer's full Wireguard config! So you can create the images on your computer and then a non-technical user can just scan the code to get configured.

I dunno, I think part of the trick is not learning every single new technology that comes your way. So much of tech these days is just fashion, and you can safely ignore most stuff until there's a deafening drumbeat bashing down your door. And even then, you should ask if the drumbeat really suits your use cases or if everyone's in such a fervor over it because it's fashionable and they're using it for things it's not suited for.

Don't give into the FOMO. Use your judgment. And don't worry about Podman if what you're doing now is working!

Really good example of one way that Podman's Unix Philosophy is actually helpful!

Podman respects UFW?? That's awesome to hear.

Do it! I think there's a market there. Although the "Podman Compose" name is taken and you'll have to think of something else...

Using Ansible to spew out systemd service boilerplate seems like a good idea. I'll have to try that if I can ever give up my Docker Compose security blanket. And I wish you luck with your mega-container Podman conversion. That one sounds like it'll be... a learning experience.

Okay, thanks. Sounds like another vote for the spray cans. Good to know that I just need to keep at it!

Yup, that totally makes sense. I'm running out of cardboard though. :D

Thanks, I'm watching it now!

EDIT: Looks like they're using one of the spray cans. I've tried one of those before—with uneven results. Maybe I need to work on my technique though.

Awesome, that's good to hear. Do you use the Shelly's with their stock firmware or have you flashed them with something? And do you find that their Wifi signal is strong enough?