• 0 Posts
  • 69 Comments
Joined 1Y ago
Cake day: Jul 23, 2023


Either create a cert group and give that group permission to the certs, or add a handler to distribute the cert+key on renewal to your service’s folder, and change owner/group to what’s relevant to the service.

Note: the “live” folder only contains links to the archive folder
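An added example of the second option (a certbot deploy hook; this is not code from the comment above). Certbot runs deploy hooks with RENEWED_LINEAGE pointing at the live/ directory of the renewed cert; because live/ only holds symlinks into archive/, the copy has to dereference them. The service directory, user, group and reload command are assumptions:

```shell
#!/bin/sh
# Certbot deploy hook: copy cert+key out of the live/ lineage into the
# service's own directory with the service's ownership and tight modes.
# Install as /etc/letsencrypt/renewal-hooks/deploy/<name> (executable).
set -eu

DEST_DIR="${DEST_DIR:-/etc/myservice/tls}"                        # hypothetical
OWNER="${OWNER:-myservice}"                                       # hypothetical service user
GROUP="${GROUP:-myservice}"                                       # hypothetical service group
RELOAD_CMD="${RELOAD_CMD:-systemctl reload myservice.service}"    # hypothetical unit

# deploy_certs LINEAGE_DIR DEST_DIR OWNER GROUP
deploy_certs() {
    lineage="$1"; dest="$2"; owner="$3"; group="$4"
    for f in fullchain.pem privkey.pem; do
        # -r follows the live/ -> archive/ symlink, so this also catches a
        # dangling link left behind by a broken renewal
        [ -r "$lineage/$f" ] || { echo "missing or unreadable $lineage/$f" >&2; return 1; }
    done
    mkdir -p "$dest"
    # install copies the file *contents* (dereferencing the symlink) and
    # creates the target with the final mode, so the private key is never
    # momentarily world-readable. Write to .tmp and rename so the service
    # never reads a half-written file.
    install -m 0644 -o "$owner" -g "$group" "$lineage/fullchain.pem" "$dest/fullchain.pem.tmp"
    install -m 0640 -o "$owner" -g "$group" "$lineage/privkey.pem"   "$dest/privkey.pem.tmp"
    mv "$dest/fullchain.pem.tmp" "$dest/fullchain.pem"
    mv "$dest/privkey.pem.tmp"   "$dest/privkey.pem"
}

# Only act when certbot invoked us (it sets RENEWED_LINEAGE); sourcing the
# file or running it by hand does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_certs "$RENEWED_LINEAGE" "$DEST_DIR" "$OWNER" "$GROUP"
    $RELOAD_CMD
fi
```

The key ends up 0640 owned by the service user and group, so the service never needs read access to /etc/letsencrypt/archive at all; that is the reason to copy rather than chmod the archive.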



Run iperf internally to see if your bottleneck is the switch/AP or the FW. I set up a J1900 pfSense for my sister’s family a while back to do QoS (gamer bois in the house) and it had no problem staying at 500 Mbps. No IDS or other stuff.

Haven’t built any OPN/pfSense box in a while, but I always use Intel server NICs. They used to have way better support than other stuff on BSD.


Yeah, but if your house burns down, copies on different HDDs won’t matter much. Offsite, like cloud, will.


Basically why I feel more comfortable with LXC than Docker for my home lab services. It feels more like a VM in management.

We run a good mix of Docker, VMs and bare metal at work; no containers are auto-updated.



No - SSH is very easy to secure, while an exposed web service is very hard to secure. There’s no difference in the security of SSH without password and, for example, WireGuard.


Lolwut? Someone downvotes you for that?


Yeah - industrial computers are the way. I would want something that can run at 60 °C and is water/dust proof. How to keep 20 TB on a floating humidifier? I’m not sure about this one, but swapping drives often is probably a good idea.

Do you ride salt or fresh water?


A reverse proxy is used to expose services that don’t run on exposed hosts. It does not add security but it keeps you from adding attack vectors.

They usually provide load balancing too, also not a security feature.

Edit: in other words, what he’s saying is true and equal to “RAID isn’t backup”.


All reverse proxies I have used do rudimentary DDoS protection: rate limiting. Enough to keep your local script kiddie at bay - but not advanced stuff.

You can protect your ssh instance with rate limiting too but you’ll likely do this in the firewall and not the proxy.
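An added example of doing the SSH side in the firewall rather than in the proxy (not code from the comment above). It has two parts: an nftables ruleset with a per-source connection-rate limit on port 22 plus a ban set, and a small log scan that turns repeated "Failed password" lines into timed entries in that ban set. The table and set names, the threshold and the sample log lines are all constructed for the example; validate the ruleset with `nft -c -f` on your own nft version before loading it.

```shell
#!/bin/sh
# Firewall-side protection for sshd: rate limit new connections per source,
# and ban sources that keep failing logins according to the sshd log.
set -eu

THRESHOLD="${THRESHOLD:-5}"        # failed logins before a ban (assumed)
BAN_TIMEOUT="${BAN_TIMEOUT:-1h}"   # how long a ban lasts (assumed)

# Ruleset with policy accept so loading it on its own never locks you out;
# fold the two port-22 rules into your real input chain.
ssh_firewall_ruleset() {
    cat <<'EOF'
table inet filter {
    set ssh_meter {
        type ipv4_addr
        flags dynamic, timeout
        timeout 1m
    }
    set ssh_ban {
        type ipv4_addr
        flags dynamic, timeout
        timeout 1h
    }
    chain input {
        type filter hook input priority 0; policy accept;
        ct state established,related accept
        # banned sources: dropped until their element times out
        tcp dport 22 ip saddr @ssh_ban drop
        # more than 4 new SSH connections per minute from one source: drop
        tcp dport 22 ct state new add @ssh_meter { ip saddr limit rate over 4/minute } drop
    }
}
EOF
}

# Constructed sample sshd log (not real traffic): 203.0.113.5 fails six
# times, 192.0.2.9 fails twice and then logs in with a key.
SAMPLE_LOG=$(cat <<'EOF'
Jan 12 10:01:02 vps sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 12 10:01:04 vps sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Jan 12 10:01:05 vps sshd[1205]: Failed password for root from 203.0.113.5 port 51238 ssh2
Jan 12 10:01:07 vps sshd[1207]: Failed password for invalid user test from 203.0.113.5 port 51240 ssh2
Jan 12 10:01:09 vps sshd[1209]: Failed password for root from 203.0.113.5 port 51242 ssh2
Jan 12 10:01:11 vps sshd[1211]: Failed password for root from 203.0.113.5 port 51244 ssh2
Jan 12 10:01:30 vps sshd[1220]: Failed password for alice from 192.0.2.9 port 40001 ssh2
Jan 12 10:01:40 vps sshd[1222]: Failed password for alice from 192.0.2.9 port 40002 ssh2
Jan 12 10:02:00 vps sshd[1230]: Accepted publickey for alice from 192.0.2.9 port 40003 ssh2
EOF
)

# ssh_offenders: sshd log lines on stdin -> one IP per line with more than
# THRESHOLD "Failed password" lines. Only that message is counted so a
# single attempt is not counted twice via its "Invalid user" line.
ssh_offenders() {
    awk -v thr="$THRESHOLD" '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] > thr) print ip }
    ' | sort
}

# ssh_ban_commands: IPs on stdin -> nft commands adding timed set elements
ssh_ban_commands() {
    while read -r ip; do
        printf 'nft add element inet filter ssh_ban { %s timeout %s }\n' "$ip" "$BAN_TIMEOUT"
    done
}

# Demo over the sample log; APPLY=1 executes the commands (needs root and
# the ruleset above already loaded), otherwise they are only printed.
printf '%s\n' "$SAMPLE_LOG" | ssh_offenders | ssh_ban_commands | while read -r cmd; do
    if [ "${APPLY:-0}" = "1" ]; then $cmd; else echo "dry-run: $cmd"; fi
done
```

For real use, feed `journalctl -u ssh --since -10min -o cat` (or your auth log) into ssh_offenders from a timer; the rate-limit rule handles bursts on its own, the ban set handles the slow, persistent ones the rate limit never trips on.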



What does your trace give? You are setting up a recursive resolver; make sure the settings allow for this.


IMO venturing out into the unknown using fringe-case hardware/software is a hobby by itself. It’s my second hobby besides self-hosting. Being more about experimenting than stability and ease of use, it’s not compatible with self-hosting, so I keep them separate.


I still don’t understand Broadcom’s move except for short-term profits. All the kids used to use it, and now they’re on Proxmox.

I work in the public sector and we’re transitioning away from VMware now, as the people we recruit know Proxmox and not VMware.

Just like Adobe lets the kids get away with pirating - as that builds a following - VMware was giving away single-seat.


I don’t care about internet points, and I’ve given up hope for Lemmy as a platform. There are too many subs compared to people, so people are spread too thin.

Reddit had soul back then. It was fresh, new, different. Lemmy is just a bleak copy of Reddit, missing quality content and people.


That’s the main difference between Lemmy and early Reddit. Reddit had good info from knowledgeable people, and moderation. Here it seems most are 8-year-olds with zero knowledge talking shite. Voting to “prove their point”. Like downvoting your reply.



If you can - separate host and storage. Run whatever hypervisor you like - XCP-ng is also good. Any NAS is good.


zssh is in most distros, but why not reinvent the wheel by port forwarding HTTP?


Could also be Docker network config. Docker should by default use the host’s resolver config if there’s nothing in /etc/resolv.conf.

You can also supply a DNS server on the docker command or in your compose file if you’re using Compose.

As a last resort you can enter server and IP in the container’s /etc/hosts file if the IP is static. But that’s gone once you rebuild the image.

Or maybe there’s an env var on the container you use for DNS.


That’s not too easy, methinks. You get KVM VMs through GUI/shell/API with Proxmox, but no Docker (they use LXC). Unless you set up Podman or similar inside it.

If you’re made of money there’s always https://www.vmware.com/products/vsphere/vsphere-with-tanzu.html

Other than that I’d say go with a Xen (XCP-ng), Proxmox or ESXi host, and spin up a VM as Docker host.

I ditched Docker in my latest setup, just running 2 machines in a Proxmox cluster. I like LXC - as it’s got the footprint of Docker and behaves like a VM.


On the host of the nginx reverse proxy or in the nginx config files. Something seems to block the lookup from name to IP; as IP works, you know the proxy works. Check DNS config and nginx config on that host.


As you can forward by IP but not by name, it sounds like a resolver issue.




Headless is without screen (head). You’d need to install the desktop of your choice. You only get a screen. It’s for server admin, not daily use - even with a fancy one like that.


This is awesome, I just want to point out that once you have a PiKVM connected it’s no longer headless. That’s kinda the whole idea of any KVM - to provide screen(s), keyboard and mouse to servers so they’re no longer headless.


And do use their guide for SPF, DKIM and DMARC.


The Debian installer can be preseeded and automated. You can use cloud-init for non-cloud installs, but why would you? Preseed or use FAI and let your config system handle the rest.

I get that you love this board and think that “the establishment” is evil. But you come off as someone not having the knowledge to back your assumptions.

Sometimes this will be the right board, sometimes a Pi is better. And sometimes 2-3 microcontrollers are a better fit. But the choice should not be based on telemetry in an optional imager, or the fact that your headless setup requires editing of config files.


How is a Pi (or other single-board computer) less critical than “a full system”? Do you have any idea how many Pis are out there running serious stuff? Where I work I bump into them all over - including in security systems and door access.

This one has two 2.5 Gb ports and 8 to 32 GB RAM. This is serious stuff for an SBC, clearly overkill for your Pi-hole install. What’s not equally serious with Banana Pi is support. I went to their wiki; it lists Android and Debian (previous version) “images” but no download links, so it’s hard for me to verify whether this board boots with sshd running or not. Like I said, Debian does not, and for a good reason. Raspberry Pi OS pulls from Raspbian, and they pull from Debian.

You can run Ubuntu LTS, Fedora or others on your Pi.

The telemetry is bad news - soon we will be out of food because someone knows what size of SD cards you use and the number of installs you do. So better go buy a silly board and track down some ancient image of an install someone did at some point where they managed to compile the NIC drivers and include the binary blob. Because nobody gets to force you to add an empty file to your SD card!


The extra menu in the flasher does the magic on the SD card. I’ve been setting up headless Pis since before the 3B came out, and the same options are available today.

The idea that SSH being enabled by default is reasonable is just, like, your opinion. Did you know you have to enable it during installation on both Debian and Canonical’s derivative? Maybe it’s still on by default on Fedora (with root login enabled to help you!)

If editing your config is fiddling, then I struggle to see your use for an SBC.


This and support. My dad could set up a pi, and he doesn’t know what a kernel is or how to compile.



This - why add another machine into the equation?

Or set up an account at Tailscale or similar. They let you have like 10 machines in your network w/o payment

Or route to your home network through the VPN interface on the VPS. So you can reference the Windows IP, rather than NAT.

Your current setup is very complicated. I did not check your rules at all, but maybe you are setting up forwarding on your server’s LAN interface rather than the WireGuard interface.

Also you don’t say much about how the VPS setup is. Do you NAT the other working services? What IP/host do you forward to? Are you RDP’ing from the VPS or is that also some form of forwarder/reverse proxy?
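An added example of the NAT variant on the VPS side (not the commenter's rules): DNAT a public TCP port on the VPS to a host at home across the WireGuard tunnel, with the FORWARD rules naming the WireGuard interface. Interface names, addresses and the port are assumptions; the script prints the commands and only executes them with APPLY=1.

```shell
#!/bin/sh
# VPS-side port forward into a WireGuard tunnel (iptables).
set -eu

WAN_IF="${WAN_IF:-eth0}"            # VPS public interface (assumed)
WG_IF="${WG_IF:-wg0}"               # WireGuard interface on the VPS (assumed)
PUBLIC_PORT="${PUBLIC_PORT:-3389}"  # port exposed on the VPS (assumed)
TARGET="${TARGET:-10.8.0.2}"        # home host as reachable through the tunnel (assumed)
TARGET_PORT="${TARGET_PORT:-3389}"

# run CMD...: execute with APPLY=1, otherwise print the command (dry run)
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

forward_rules() {
    # Without forwarding enabled the DNAT'ed packets are dropped silently.
    run sysctl -w net.ipv4.ip_forward=1
    # Rewrite the destination of new connections arriving on the WAN side.
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$PUBLIC_PORT" \
        -j DNAT --to-destination "$TARGET:$TARGET_PORT"
    # The forwarded flow goes WAN -> tunnel; replies come tunnel -> WAN. Both
    # FORWARD rules must name the WireGuard interface: a rule written against
    # the LAN/WAN interface alone never permits the tunnel leg.
    run iptables -A FORWARD -i "$WAN_IF" -o "$WG_IF" -p tcp -d "$TARGET" --dport "$TARGET_PORT" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$WG_IF" -o "$WAN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Masquerade toward the tunnel so the home host answers back via the VPS
    # even when its default route does not point into WireGuard. Drop this
    # rule if you want the client's real source address to reach the home host;
    # the home peer's routing then has to send replies back through the tunnel.
    run iptables -t nat -A POSTROUTING -o "$WG_IF" -p tcp -d "$TARGET" --dport "$TARGET_PORT" \
        -j MASQUERADE
}

forward_rules
```

TARGET is the home host's WireGuard address here. To address a machine on the home LAN directly instead (the "reference the Windows IP" option), the home LAN subnet has to be in the home peer's AllowedIPs on the VPS and the home peer has to forward from wg0 into its LAN; the DNAT target then simply becomes that LAN address.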


Yes - I like bind9 with views so I can serve external and internal from the same instance. As I only have services for my own use, one NS on my dynamic IP is enough for my home subdomain.

Bind9 has OK scripting possibilities with rndc and nsupdate.
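An added example of that scripting (not the commenter's own setup): keep the A record of a nameserver that sits on a dynamic IP current with a TSIG-signed nsupdate against the BIND 9 zone. Zone, host name, key file, state file and the IP-lookup endpoint are assumptions.

```shell
#!/bin/sh
# Dynamic-DNS update of one A record via nsupdate, run from cron/a timer
# with "run" as the argument.
set -eu

ZONE="${ZONE:-home.example.}"             # assumed zone (trailing dot)
HOST="${HOST:-ns1.home.example.}"         # assumed FQDN whose A record follows the IP
TTL="${TTL:-300}"
SERVER="${SERVER:-127.0.0.1}"             # the BIND instance to update
KEYFILE="${KEYFILE:-/etc/bind/ddns.key}"  # assumed TSIG key from tsig-keygen
STATEFILE="${STATEFILE:-/var/lib/ddns/last_ip}"

# valid_ipv4 STRING: true only for a dotted quad with octets 0-255.
# The IP comes from an external lookup, so it is validated before it is
# put into an nsupdate batch.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digits, leading/trailing/double dots
    esac
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# build_update ZONE HOST TTL IP: the batch nsupdate reads on stdin.
# delete+add in one transaction replaces whatever A records exist.
build_update() {
    printf 'server %s\n' "$SERVER"
    printf 'zone %s\n' "$1"
    printf 'update delete %s A\n' "$2"
    printf 'update add %s %s A %s\n' "$2" "$3" "$4"
    printf 'send\n'
}

# current_ip: what the outside world sees. Assumed lookup service; replace
# with your router's API or "dig +short" against a what-is-my-ip resolver.
current_ip() { curl -fsS https://api.ipify.org; }

push_update() {   # push_update IP
    build_update "$ZONE" "$HOST" "$TTL" "$1" | nsupdate -k "$KEYFILE"
}

main() {
    ip=$(current_ip)
    valid_ipv4 "$ip" || { echo "refusing bogus IP: $ip" >&2; return 1; }
    last=$(cat "$STATEFILE" 2>/dev/null || true)
    [ "$ip" = "$last" ] && return 0        # unchanged: don't hammer the NS
    push_update "$ip"
    mkdir -p "$(dirname "$STATEFILE")"
    printf '%s\n' "$ip" > "$STATEFILE"
}

if [ "${1:-}" = "run" ]; then main; fi
```

With views, remember that BIND picks the view by match-clients, so the update has to land in the view that actually carries the dynamic zone; listing the TSIG key name in that view's match-clients is the usual way to make signed updates from any source address reach it. After the update, `rndc sync` or `rndc freeze`/`thaw` is only needed when you want to hand-edit the zone file, not for normal dynamic updates.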


Why the unmanaged switch? Putting servers on a switch, I like to know that the switch can handle VLANs and link aggregation.


Right - so the upstream server is a Docker container on the same machine, and you proxy the connection to the server on the port forwarded through the magic Docker iptables thingy. It might be here that you get the connection closed - maybe check logs on that. I don’t recall if it’s logged by default or you have to set it up.

There’s also the possibility of the web service not being proxy friendly


I’m not very familiar with nginx; I use HAProxy for my reverse proxy or load balancing needs.

Do the 504s get logged on the proxy? From your screen grabs it seems that nginx has a working connection to the upstream server.

Maybe that website needs special settings that nginx can’t handle or is not set up for?


So this domain resolves to the server you are proxying, not your proxy?