Yeah, it very much adds some extra complexity, and it’s more important if you are hosting in public clouds anyway IMO.
(They/Them)
This is my main lemmy account.
Admin of lemmy.cloudhub.social
I can also be found elsewhere on the fediverse at @jax@cloudhub.social
That makes sense!
Have you played with anything like Istio to secure in-cluster communications? I think HashiCorp Consul can do something similar to encrypt service-to-service communications.
Yeah for sure! I like to post about both the positive and negative experiences. I find things like that to be a valuable learning tool.
From a security perspective, it’s important to understand the systems you’ve implemented and test that they are working as expected. I think in that example if I had tested user sign-up sooner I could have caught the configuration issue.
It’s also important to have good observability into your system, both metrics and logs. Metrics to help detect if something weird is happening (increased resource usage could point to ransomware or crypto mining) and logging to track down what happened and see what systems are impacted.
From a technical controls standpoint, it’s good practice to segregate your applications from other systems and control planes like IPMI and switching/routing admin interfaces. It’s also good to try to limit holes in your firewall. In this cluster, I have Cloudflare Tunnels setup so that I don’t have to open ports to access web servers, and I get access to their WAF tooling. You could do something similar with a VPS running WireGuard, CrowdSec, and a reverse proxy.
Not at all! I agree, and COVID didn’t help at all. I do want to try and be accurate though :p
It’s possible that I estimated the timeline wrong 😅
I’ve added a note to the blog, thanks!
Ah okay, that makes sense, you’re using the internal cluster domain to route to services.
Glad I could provide some insight! It’s not something I see talked about too much even on Reddit. Let me know if you have any questions or things I could flesh out more in the article!
I’m still relatively new to ActivityPub and federated systems in general. Though I’ve had my Lemmy and Mastodon instances for 8+ months now, I don’t use them as much as I was expecting, sadly. Running your own instance can be very isolating, and any content you put directly on your instance probably won’t gain much traction (at least on Mastodon; Lemmy seems to fare a bit better).
It’s one of a handful of blogs that I’ve run over the last couple of years; the other one that’s still online is HomeLab.Blog. I actually meant to run a federated blog platform like WriteFreely, but they don’t have a production Docker image, and I saw that Ghost is planning on adding ActivityPub support.
This article might be more appropriate on that blog and an article about my experience with Federated systems might be more on-topic on this one. Oops.
Oh, dev namespaces are a good idea. Do you have a dev domain then too?
Thanks! I find most of the issues occur during upgrades to services, but that is to be expected.
My internet service is usually more of an issue than most services I run. Though some things take longer to get tweaked and running well and that can cause issues.
What’s everyone’s workflows with these systems? Do you catalog both physical and digital documents? Where do you store the documents?
I think I’m going to end up using docker-mailserver for this.
That seems really resource heavy. 4 Gb of RAM for an SMTP relay?
Other than that it looks pretty great.
Having a rack is a massive QOL improvement IMO, I originally had a stack of rackmount servers in an IKEA Lack (LackRack), and it was okay, but the rack is so much nicer.
The only thing I wish I had done was get an enclosed rack to help with noise and dust, rather than just a StarTech 4-post from Amazon.
And that’s a lot of awesome stuff for free!
Ohh that’s exciting!
Any big hardware plans with the new house? Planning on running ethernet/fiber to the rooms?
Not many changes in my lab this month, other than figuring out that the Lemmy issues were related to liveness checks timing out due to the required DB migration on startup that Lemmy implements.
In hindsight, this makes a lot of sense.
Odd, is that federation issue on my end?
Just because it’s not public facing doesn’t mean that it’s not an issue. It might be less of an issue, but it is still a massive vulnerability.
All it takes is one misconfiguration or other vulnerable system to use this as a jumping off point to burrow into other systems. Especially if this system has elevated access to sensitive locations within your network.
Your best bet is going to be a 4U chassis. You can get 2U chassis with consumer PSUs, but they are going to be more expensive and very limited in terms of parts that will work. You can easily find 4U chassis that support regular ATX internals with proper mounting holes for the PSU and mobo standoffs.
There are some small SuperMicro servers that use Xeon-D (I think? Very low power Xeons that are passively cooled), but you’re pretty vendor locked in with those.
Do not use external drives for this. TrueNAS doesn’t support it, and you’ll be limiting your speeds to that of the USB bus, which is not nearly as fast. It’s pointless going with SSDs if you are using external drives.
Desktop: Windows XP
Linux: Probably Raspbian on a Pi 2 b
Tech has come a long way since then lol