Perhaps I’ve been naieve.

I have local incremental backups and rsync to the remote. Doesn’t syncthing have incremental also? You have a good point about syncing a destroyed disk to your offsite backup. I know S3 has some sort of protection, but haven’t played with it.

I have tailscale mostly set up. What’s the issue with USB drives? I’ve got a raspberry pi on the other end with a RO SD card so it won’t go bad.

This reminds me that I need alerts monitoring set up. ; -)

I’ll have to check this out.

I attended some LUGs before covid and could see something like this being facilitated there. It also reminds me of the Reddit meetups that I never partook in.

That’s something that I hadn’t considered!

I wasn’t aware of the untrusted setting. That sounds like a good option.

Yes. It’s the “put a copy somewhere else” that I’m trying to solve for without a lot of cost and effort. So far, having a remote copy at a relative’s is good for being off site and cost, but the amount of time to support it has been less than ideal since the Pi will sometimes become unresponsive for unknown reasons and getting the family member to reboot it “is too hard”.

Take some time and really analyze your threat model. There are different solutions for each of them. For example, protecting against a friend swiping the drives may be as simple as LUKS on the drive and a USB key with the unlock keys. Another poster suggested leaving the backup computer wide open but encrypting the files that you back up with symmetric or asymmetric, based on your needs. If you’re hiding it from the government, check your local laws. You may be guilty until proven innocent in which case you need “plausible deniability” of what’s on the drive. That’s a different solution. Are you dealing with a well funded nation-state adversary? Maybe keying in the password isn’t such a bad idea.

I’m using LUKS with mandos on a raspberry PI. I back up to a Pi at a friend’s house over TailScale where the disk is wide open, but Duplicity will encrypt the backup file. My threat model is a run of the mill thief swiping the computers and script kiddies hacking in.

You’re doing God’s work!

Over my career, it’s sad to see how the technical communications groups are the first to get cut because “developers should document their own code”. No, most can’t. Also, the lack of good documentation leads to churn in other areas. It’s difficult to measure it, but for those in the know, it’s painfully obvious.

I had one from Sony a long time ago. It even had a cable you could attach between two of 'em (600 CDs!) so that it could seamlessly start playing another track while loading the next song. I dropped it during a move and the next time I opened the door, it spit gears at me. I had intended to fix it some day, but started watching Hoarders and decided it wasn’t worth it.

Can you elaborate on the scenario this is solving for? Isn’t software RAID a performance hit?

This may be the push I need to migrate to Nextcloud. I’m struggling to identify my use cases, though and am wondering if all I really need is Syncthing.

I’m using mandos with the server on a raspberry pi. Unfortunately, mandos doesn’t work with my Fedora boxes as far as I know.

It depends on what you do with Docker. Podman can replace many of the core docker features, but does not ship with a Docker Desktop app (there may be one available). Also, last I checked, there were differences in the docker build command.

That being said, I’m using podman at home and work, doing development things and building images must fine. My final images are built in a pipeline with actual Docker, though.

I jumped ship from Docker (like the metaphor?) when they started clamping down on unregistered users and changed the corporate license. It’s my personal middle finger to them.

I’m using Kubernetes and many of the apps that I use require environment variables to pass secrets. Another option is the pod definition, which is viewable by anybody with read privileges to K8s. Secrets are great to secure it on the K8s side, but the application either needs to read the secret from a file or you build your own helm chart with a shell front end to create app config files on the fly. I’m sure there are other options, but there’s no “one size fits all” type solution.

The real issue here is that the app is happy to expose it’s environment variables with no consideration given to the fact that it may contain data that can be misused by bad actors. It’s security 101 to not expose any more than the user needs to see which is why stack dumps are disabled on production implementations.

I was not binding to specific adresses, but was probably a problem with a specific release of Java (Oracle Java maybe.) My distro’s Java was doing weird video things, but the Oracle version was not, but then it could not reach outside the local computer. Debugging logs showed that it tried IPv6 and failed, then quit trying instead of falling back to IPv4. Disabling IPv6 in the Java JRE configuration solved the issue, but set me on the path to “modernize” my network stack. In hindsight, it’s probably not something that I really have the time to take on right now.

I’m trying to be progressive, but after thinking outside of my little network and reading the posts here, it seems like there’s still a long way to go before I should consider it. I don’t have a split network at home and it would potentially affect everyone in the house. Additionally, I don’t have serious needs for production-grade network equipment, so the chancs of that cheap usb-to-ethernet adapter with more Chinese characters than English in the instruction sheet has a high probability of biting me.

This was sort of a wild hare thought of disabling IPv4 vs disabling IPv6 to solve a problem that’s more of an inconvenience. I am probably not ready for this undertaking. Maybe I’ll revisit it when I get around to partitioning my network.

Can you elaborate? Hardware or software or both? Other than one network appliance, most of my stuff isn’t too old.

Now that I start thinking about it, my work stuff may be impacted.

For the frugal sysadmin, Free DNS!

I’d love to hear more about your GitHub to K8s setup. I’ve been thinking about doing something similar, but I’m not sure how to keep my public stuff public while injecting my personalized (private) configuration during deployment.

Kubernetes is abbreviated K8s (because there’s 8 letters between the “k” and the “s”. K3s is a “lite” version. Generally speaking, kubernetes manages your containers. You basicaly tell K8s what the state should be and it does what it needs to do to get the environment as you’ve declared. It’ll check and start or restart services, start containers on a node that can run them (like ensuring enough RAM is available). There’s a lot more, but that’s the general idea.

Helm is one of the reasons I became interested in Kubernetes. I really like the idea of a package where all I have to do is provide my preferences in a values file. Before swarm was mature, I was managing my containers with complicated shell scripts to bring stuff up in the right order and it became fragile and unmaintainable.

One line from your comment struck a chord. The part about maintenance and upgrades. I feel like I get stuff set up and working and go about my life and then a failure happens at the most inopportune moment. Mostly, the failures are when I have a few hours free and decide to upgrade the OS and everything breaks and all the dependencies fall apart and some feature is no longer supported. That’s where I started looking to K8s to just roll back until I have time to manage it.

For me, I find that I learn more effectively when I have a goal. Sure, it’s great to follow somebody’s “Hello World” web site tutorial, but the real learning comes when I start to extend it to include CI/CD for example.

As far as a use case, I’d say that learning IS the use case.

This is tangential to your question, but I’ve been playing with Kubernetes and its ability to ration resources like CPU and RAM. I’m guessing that Docker has a similar facility. Doing this, I hope, will allow me to have Plex transcode videos in the background without affecting the responsiveness of a web app I’m using or will kill and restart that one app I wrote that has a memory leak that I can’t find.

I don’t really need it online all the time, but I don’t expect that I’ll find time to do it all at once and I thought swapping may be a way to break up the job into interruptible segments.

I suspect I’ll have an issue after reading many of the comments. This is also an older Dell server. My only real advantage is that it’s currently hosting 2 VMs and one is just a test server, so I don’t mind losing the data.

This is just a homelab, running on old hardware. I don’t think the raid controller supports RAID-6 and I only got 3 new SSDs, and I read that RAID-6 needs 4 drives.

I have a similar setup, but 2 VMs on each of my 2 servers, then on server 1, I have VM A running one test K3s node and VM B running one live (Production) K3s node with the same on server 2, so I can take one server full down for maintenance, but keep my test and live sites running. It’s way overkill, but allows me to learn about how to set up and maintain resilient systems. One day, I’ll do the same for my network :-(

Docker is a gateway drug to the cloud. My adventure went like this: Docker -> Docker Swarm -> Kubernetes -> Helm -> K8s Operators -> ???

Edit: fixed K8s speling