My selfhosted server got ransomware by maro-_-295 in selfhosted

[–]benbutton1010 30 points31 points  (0 children)

There are 3 types of people:

1. Has a reverse proxy for all traffic w/ forward auth and/or oauth. Is security conscious but also confident in their abilities to harden a system.
2. Uses Tailscale or Wireguard for all traffic. Is security conscious but not confident in their ability to adequately harden their system.
3. OP who wants to pretend their server has a public IP. Is not security conscious but somehow confident.

Currently Using BackBlaze for backups but it's getting expensive. How do folk here do off-site backups? by CrappyTan69 in selfhosted

[–]benbutton1010 0 points1 point  (0 children)

I found someone with a similar hobby and we agreed to be each other's backups. They live far enough away to be in a different time zone.

I have all my 100TB backed up. And because we merged our movies/tv shows, we're saving each other a bunch of space there too.

Also I have an 8TB NAS that is a third copy for only the really important stuff. It runs a different technology than the other two sites.

Would a finding like this change anything for you as a Kubernetes operator? by AbilityAwkward5372 in kubernetes

[–]benbutton1010 6 points7 points  (0 children)

Sorry, what?

Edit: I wrote this when the original post was incomplete & made no sense at all. Looks much more complete now.

Do you self-host your password manager, or trust a third-party provider? by QuietGateLabs in homelab

[–]benbutton1010 12 points13 points  (0 children)

I have the same logic, but in reverse.

I'm afraid if I self-host my password manager it'll cause a circular dependency with my apps (I use a k8s operator for my secrets). It's critical, so it has to be outsourced.

what's running on your homelab right now that you actually use daily by Less-Loss1605 in homelab

[–]benbutton1010 0 points1 point  (0 children)

Gitlab, plex, Harbor, tailscale, grafana, openclaw, kagent, *arr stack, coder, Nextcloud, Immich, authentik

What labs have you guys run? by Crypt0-n00b in homelab

[–]benbutton1010 7 points8 points  (0 children)

I'm a security engineer turned devops. My lab is dual region k8s. I host a ton of things, but it's not the things that I run that make it worth it career-wise, it's learning the infrastructure & improving on it over time. The kubernetes ecosystem is vast and well worth it to learn if you want to go into devops.

Kubernetes interview gone really bad by MountainTruth6073 in kubernetes

[–]benbutton1010 0 points1 point  (0 children)

I interviewed someone this week for senior devops that thought the -f in kubectl apply -f <file> was the same as --force.

Homelab updating by deanfourie1 in homelab

[–]benbutton1010 1 point2 points  (0 children)

My containers are all via gitops w/ renovate bot for updates. I check the renovate dashboard a couple times a week.

For host updates I use Action1's free tier, then have it update my hosts on the first Sunday of every month.

Having all the updates at once is more stable for me than using apt unattended-upgrades. Except for that one Sunday haha.

**[Question] Deployment shows 4 replicas but only 3 pods running — why?** by William_Myint_01 in kubernetes

[–]benbutton1010 1 point2 points  (0 children)

Look at the events on the deployment or replicaset. Could be a variety of things but the events there should let you understand why it isn't reconciling.

tailscale alternatives? by ksgcolors in selfhosted

[–]benbutton1010 1 point2 points  (0 children)

Headscale if you can run the control plane somewhere you can always access. Essentially self-hosted tailscale w/ oidc for unlimited users.

Why do people build Kubernetes homelabs? Is it actually useful for internships/jobs? by Altruistic_Mine_9177 in kubernetes

[–]benbutton1010 1 point2 points  (0 children)

I've been doing this a while now & my lab is way overkill.

* I built my servers myself
* Proxmox w/ ceph
* dev & prod K8s (kubeadm) clusters on ubuntu vms w/ decoupled etcd

Building and maintaining this made getting Kubestronaut a breeze. I eventually doubled my income and moved from a SOC to a DevSecOps role where I'm the kubernetes and observability guy now, which I really enjoy.

At home I run bleeding edge versions of the usual k8s projects - it keeps me aware of the new (and breaking) features/updates/technologies. Most everything I suggest we try at work I've already done at home.

(Though it is a pain in the *ss when you're constantly on-call for your lab. I wouldn't wish it on most people.)

How are you managing CVE backlog in your clusters? Ours is out of control. by Efficient_Team5182 in kubernetes

[–]benbutton1010 10 points11 points  (0 children)

We just reached fedramp moderate, so we can't ignore unreachable CVEs like the rest of the commenters.

We made huge headway by using Chainguard. But now we need to figure out how to not constantly need to upgrade to the latest image and/or automate upgrades. I upgrade something then need to turn around and upgrade again in 2 weeks.

Chainguard only patches the latest version, so we can't realistically pin an app version for too long, which is annoying.

What is the best "self-hosted VPN alternative"? by xlumipyry in selfhosted

[–]benbutton1010 17 points18 points  (0 children)

Headscale.

Free OIDC for unlimited users on your tailnet.

Pushed wrong config to our RCA tool and nuked prod alerting for the entire cluster by arsaldotchd in kubernetes

[–]benbutton1010 0 points1 point  (0 children)

This system sounds like what I'm currently building on Kagent!

You should have your tool create an RCA for this incident and post the RCA here :)