Do you have a sample of what kind of errors you’re getting? Are they docker related or service related? As in jackett can’t connect/reach sonarr, for example?
latest cargo crates updated
Navidrome over wireguard, and music library in folders and proper tagging through beets and picard. Using subsonic as a client for it. Tried plex and plexamp but I’m moving away from them.
I was hit aggressively by HC sales team last year, we are using TF and Vault, and were looking to add consul, now it is pretty vague how it will all pan out.
Check netmaker for wireguard vpn if you want a UI, but it's straightforward to set it up manually.
I’d say, what kind of security are you talking about? Apart from standard HTTPS to keep things encrypted, there are other layers if you want to keep your service exposed to the internet.
Also how things are installed and if they are correct, proper file permissions. Nothing different than having it on the server somewhere. You just need to keep things up to date and you’ll be fine.
I like it here on Lemmy as there are quality talks from people and not too much circlejerking same concepts around. I actually like going through here.
Yes, very active, there is the #introduction tag there where you can find people (and people find you).
About 6 year uptime on one machine before we shut it down and relocated.
What would be a benefit to run k8s at home, apart from bit dealing with it, compared to docker-compose on a single or two nodes? or docker swarm? Unless there is a big load of services that are selfhosted, which I get, and the autohealing from k8s as the orchestrator.
Just curious, not taking a swing. Thanks!
I’m running both, via docker.
Here’s the basic setup:
NGiNX is standard installation, using certbot to manage the SSL certificates for the domains. Setup is via Nginx virtual hosts (servers), separate for Lemmy and Mastodon. Lemmy and Mastodon run each in their Docker containers, with different listening ports on localhost.
                  lemmy.domain.tld+------------------------+
               +------------------+                        |
               |                  |         Lemmy          |
               |                  |     127.0.0.1:3000     |
               |                  +------------------------+
               |
+--------------+----+
|NGiNX with SSL     | mastodon.domain.tld
|and separate VHOSTS+--------------+-----------------------+
|                   |              |       Mastodon        |
+-------------------+              |    127.0.0.1:3001     |
                                   +-----------------------+
Best option is to directly NAT traffic from VPS to your home server, either directly to your IP or set up a wireguard peer and send traffic via wireguard to your local and do the SSL/TLS termination on your local.
You are best exposing just 443 port on the VPS and moving that traffic over wireguard. Server will have your local public key on the server, and you could implement a wireguard key rotation to change them frequently.
Traffic sent back will be encrypted with the certificate, and even if they get the wireguard server key, you can rotate it, but still they will see encrypted packets.
It depends what kind of things you’re doing on your local. If it is just a website thing, then reverse proxy is fine. Anything other than that, NAT would be cleanest one.
LUKS on the disks would encrypt the data on the block storage level, and, in theory, they should not have a way of reading block storage files directly. But since it is a VPS they can, technically, gather data from host memory.
Next step might be going down a dedi server route, LUKS encryption on disks. Only thing that's needed there would be sufficient network pipe.
when people have too much free time