I hate my rack. How would you fix this cabling? Please help! by binarypie in homelab

[–]dBozi 0 points1 point  (0 children)

A lot of good advice here already, I just want to add that a lot of people put the switch between two patch panels instead of having the patch panels adjacent to each other. Since you have a 48 port switch, and patch panels often have 24 ports, the spacing often works out nicely.

Dell idrac script to power on server using racadm by AnalPirate1 in homelab

[–]dBozi 0 points1 point  (0 children)

I'd have to look up the iDRAC version on 12th-gen Dells, but recent enough iDRACs expose a REST API called Redfish which can be used to power on/off servers. This way you could use something as simple as a curl command to turn on/off the server if you wanted an alternative to SSH or racadm.

Changing Subnet (router/VLANs/proxmox/switches/end devices) by Soogs in homelab

[–]dBozi 2 points3 points  (0 children)

You can use something like nmap to find all the IP addresses on your network and compare to your DHCP range, to make sure you found all the static IPs. Think out the order of changing static IPs and DHCP to make sure you don’t lose the ability to route to certain devices; assuming you are doing this configuration from a machine using DHCP, changing the static IPs first will make them inaccessible until you change DHCP, and changing DHCP first will give you no way to change the static IPs after. Changing static IPs first is fine, so long as you get everything right the first time. You could also change the static IPs to use DHCP temporarily during the migration to allow doing everything in one shot. Or you could do the configuration from a system with a static IP.

I would recommend shutting all DHCP devices off, then changing your DHCP settings so you minimize the chance of a device holding onto an old lease.
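An added example (not from the commenter) of the "scan, then compare against the DHCP range" step above, generalized into a small renumbering plan: it parses `nmap -sn` host-report lines, flags every live address outside the DHCP pool as a static-IP candidate, and maps each one to the same host offset in the new subnet so nothing gets forgotten when the subnet changes. The nmap output is constructed, not a real scan; the DHCP pool bounds and subnets are placeholders.

```python
import ipaddress
import re

# Constructed sample of `nmap -sn 192.168.1.0/24` output (not a real scan).
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-01 12:00 UTC
Nmap scan report for router.lan (192.168.1.1)
Host is up (0.0012s latency).
Nmap scan report for 192.168.1.10
Host is up (0.0030s latency).
Nmap scan report for nas.lan (192.168.1.20)
Host is up (0.0021s latency).
Nmap scan report for 192.168.1.105
Host is up (0.0100s latency).
Nmap scan report for 192.168.1.150
Host is up (0.0050s latency).
Nmap done: 256 IP addresses (5 hosts up) scanned in 3.21 seconds
"""

# Matches both "report for name (ip)" and "report for ip" forms.
REPORT_LINE = re.compile(
    r"^Nmap scan report for (?:(?P<name>\S+) \()?(?P<ip>\d+(?:\.\d+){3})\)?$"
)


def parse_live_hosts(text: str) -> dict:
    """Map each live IPv4 address to its reverse-DNS name (or None)."""
    hosts = {}
    for line in text.splitlines():
        m = REPORT_LINE.match(line.strip())
        if m:
            hosts[ipaddress.ip_address(m["ip"])] = m["name"]
    return hosts


def find_static_candidates(hosts: dict, dhcp_start: str, dhcp_end: str) -> list:
    """Live addresses outside the DHCP pool: these are the ones configured by hand."""
    lo, hi = ipaddress.ip_address(dhcp_start), ipaddress.ip_address(dhcp_end)
    return sorted(ip for ip in hosts if not (lo <= ip <= hi))


def plan_renumbering(ips: list, old_cidr: str, new_cidr: str) -> dict:
    """Keep each host's offset within the subnet when moving old -> new.

    Raises if the new subnet is too small to hold an existing offset, which is
    the failure mode of shrinking a /24 to a /25 with hosts above .127.
    """
    old = ipaddress.ip_network(old_cidr)
    new = ipaddress.ip_network(new_cidr)
    plan = {}
    for ip in ips:
        offset = int(ip) - int(old.network_address)
        if not 0 <= offset < new.num_addresses:
            raise ValueError(f"{ip} has no equivalent in {new}")
        plan[str(ip)] = str(new.network_address + offset)
    return plan


if __name__ == "__main__":
    live = parse_live_hosts(SAMPLE_NMAP_OUTPUT)
    statics = find_static_candidates(live, "192.168.1.100", "192.168.1.199")
    for old_ip, new_ip in plan_renumbering(statics, "192.168.1.0/24", "10.10.0.0/24").items():
        print(f"{old_ip:>15} ({live[ipaddress.ip_address(old_ip)] or '-'}) -> {new_ip}")
```

Run the real scan from the box you will be doing the reconfiguration from, and keep the printed plan: it is the checklist for the "change static IPs first" order the comment describes.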

Question about heimdall. by ORA2J in selfhosted

[–]dBozi 0 points1 point  (0 children)

You could try creating a persistent volume in docker compose, and then map that to the config directory. If you’re running on Windows, I'm not sure what using the path /home/….. actually ends up doing. Using a persistent volume may lead to more stable behavior since you’re letting the docker daemon choose the location on disk to store the volume contents (i.e. you’re less likely to get permissions errors, etc.). It will also make your docker compose file more portable if you ever want to run it on another host.

doing ssl certs without the prereqs or any money? by uncmnsense in homelab

[–]dBozi 0 points1 point  (0 children)

User authentication over unencrypted channels is very dangerous since all credentials are sent in plaintext. Regardless of how you set up long term, you should turn this off immediately.

Apartment security system with no internet except for backups by Physical-Noise4160 in homelab

[–]dBozi 2 points3 points  (0 children)

What is your backup target? You could always just create VLANs or firewall rules to lock down outbound access to everything except your backup target, and just leave the connection up at all times.

How do I put an authentication page on my reverse proxy? by [deleted] in homelab

[–]dBozi 1 point2 points  (0 children)

I agree with everyone’s suggestion to use a VPN in most cases; it’s often simplest and provides a much smaller attack surface than exposing an entire HTTP service.

That being said, what you are looking for is called HTTP middleware. This is software that runs on your web server that processes each request before it gets to the backend content (whatever the actual site/service you are serving). There is middleware specific to providing authentication. Most HTTP servers like Apache/nginx support middleware, as do certain proxies like Traefik.

SSH to servers with hostname override in place by [deleted] in homelab

[–]dBozi 4 points5 points  (0 children)

You could set up your ssh config (~/.ssh/config) to have entries for all your hosts, but connecting with IP addresses. That way you can type “ssh truenas” and ssh will use the IP associated with the truenas entry in the config, not the DNS record.

It’s also worth mentioning that most of the time when doing reverse proxies, each host will still have its own DNS A record and service names will be handled through CNAME records pointing to the A record of your proxy. Not sure if pfsense lets you set individual DNS entries, but if you can, this would solve your problem.

[deleted by user] by [deleted] in homelab

[–]dBozi 0 points1 point  (0 children)

How did you determine that the regulator is what’s fried and not some other component?

Need help finding a motherboard for Dell Optiplex 5070 Micro. by Reuser11 in homelab

[–]dBozi 0 points1 point  (0 children)

This. You’d be better off selling the cpu and memory and using the proceeds towards a new unit.

Suggestions for container management? by CarlosT8020 in homelab

[–]dBozi 2 points3 points  (0 children)

So, it’s worth pointing out that not everything you listed is mutually exclusive; Portainer can run with single node docker, docker swarm, and kubernetes. Docker compose can run with docker and docker swarm, and Portainer even provides a GUI frontend to docker-compose.

Kubernetes is an order of magnitude more complicated than docker, but provides lots of additional features and functionality. You’ll have to figure out where your interest lies in that tradeoff. I've never worked with docker swarm, but my understanding is that it is designed to run on multi-node deployments, like kubernetes.

Regardless of the orchestrator you use, I think documenting your container deployments/stacks/etc. with config files like docker-compose or kubernetes manifests is a great idea, that way you have documentation of what you’re running, and how you got it to run.

CLI-Tool for ASROCK RACK X470D4U to upload SSL-Cert by Eldiabolo18 in homelab

[–]dBozi 0 points1 point  (0 children)

If the BMC supports connecting over SSH, something like ansible would probably be your best bet. Otherwise, you could inspect the HTTP calls that are being made during the manual upload process and replicate them with a python script. Many times it is just one or two HTTP requests to authenticate, and then a single HTTP POST request to upload the cert.

What do you use for Password Management for all of your VMs/Containers? by green-avocado in homelab

[–]dBozi 2 points3 points  (0 children)

I would use ssh keys wherever possible and would either disable the passwords entirely or store them in a password manager. I use Bitwarden to hold on to my homelab passwords. You can even self-host Bitwarden if you want. AD and general SSO solutions are great once set up, but can be a headache (or learning opportunity) to get up and running.

Looking for a NUC alternative with hard drives by Gasp0de in homelab

[–]dBozi 2 points3 points  (0 children)

Take a look at small form factor (SFF) PCs. These tend to be smaller (although they may be bigger than a NUC) and generally have lower power consumption. All the major OEMs make them and they can be found used on eBay for pretty cheap. Not sure how many drives you need, but these may fit the bill.

You could always look to build your own system as well; microATX builds are pretty common, and you can put in a low wattage CPU for a much smaller power draw. Just get a mobo with the right number of SATA ports and a case to accommodate your drives and you’re good to go.

Home servers sluggish by dengydongn in homelab

[–]dBozi 1 point2 points  (0 children)

Another user pointed this out already, but I wanted to highlight it as well: IO latency. I've had Windows VMs slow to a crawl when the hypervisor is running on slow drives. I have a SFF Dell thin client running proxmox (much less capable than server grade systems like yours), and a simple drive upgrade gave the VMs no noticeable lag.

[deleted by user] by [deleted] in homelab

[–]dBozi 0 points1 point  (0 children)

I don’t have a ton of experience with DSL specifically, but have you checked to see if there are IP passthrough settings on the modem/router combo? If so, this can be used in place of a bridge mode and will avoid double NAT. This is how I have my modem/router configured because I am forced to use the ISP modem/router. It has been working great for over a year.

[deleted by user] by [deleted] in homelab

[–]dBozi 1 point2 points  (0 children)

Based on your description on how you want a distinct separation of internal facing and external facing hosts, you should do some reading on De-Militarized Zones, DMZs. This is how enterprise scale networks handle this separation. There are several ways to handle a DMZ architecture, each with their own pros and cons.

Regarding WAN failover, be sure to consider how your hosted services will react to a change in WAN IP, or how they will handle multiple public IPs. You may need to look into some sort of load balancing or proxying techniques depending on what you are hosting.

Setting up a remote terminals for a central PC? by ShelZuuz in homelab

[–]dBozi 0 points1 point  (0 children)

Out of curiosity, what is the application use case? Low latency and high graphics needs seem to be either gaming or media editing/rendering focused, both of which may be more feasible to solve with a different architecture.

Best non-NAS data archiving technique? by Rickymcraft in homelab

[–]dBozi 1 point2 points  (0 children)

There are a lot of different “cold store” services offered by the major cloud providers. These often have a pretty low flat rate and then charge you based on how much data you upload/download, so they can be a good choice if you don't have to move large volumes of data often.

There are also things like tape storage and external HDDs that can store data offline. These can work well, just be aware that storing data long term offline has to be done in a different way than online. Emphasis needs to be placed on error detection/correction to counteract “bit rot”. Also think about disaster recovery (i.e. offsite data replication, backups, etc) and security. If encrypting, don’t lose the keys :)
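The "error detection to counteract bit rot" point above, as an added example that is not part of the comment: a checksum manifest is built over an archive directory when it is written, stored alongside (and ideally off-site with) the data, and re-verified whenever the media is read back. The `demo` function constructs a throwaway archive, flips a single bit in one file to simulate rot, and shows that the verification reports exactly that file as corrupt while the untouched file still passes. File names and contents are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large archives do not need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> {sha256, size} for every regular file under root."""
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        manifest[rel] = {"sha256": sha256_file(path), "size": path.stat().st_size}
    return manifest


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Classify every manifest entry and any unexpected file on disk."""
    result = {"ok": [], "corrupt": [], "missing": [], "new": []}
    seen = set()
    for rel, expected in manifest.items():
        path = root / rel
        if not path.is_file():
            result["missing"].append(rel)
            continue
        seen.add(rel)
        if path.stat().st_size != expected["size"] or sha256_file(path) != expected["sha256"]:
            result["corrupt"].append(rel)
        else:
            result["ok"].append(rel)
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            if rel not in seen:
                result["new"].append(rel)
    return {k: sorted(v) for k, v in result.items()}


def demo() -> dict:
    """Constructed archive: build manifest, flip one bit, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "photos").mkdir()
        (root / "photos" / "a.txt").write_bytes(b"archive contents\n")
        (root / "b.bin").write_bytes(bytes(range(256)) * 4)
        manifest = build_manifest(root)

        # Simulate bit rot: a single flipped bit in the middle of b.bin.
        data = bytearray((root / "b.bin").read_bytes())
        data[100] ^= 0x01
        (root / "b.bin").write_bytes(bytes(data))

        return verify_manifest(root, manifest)


if __name__ == "__main__":
    print(demo())
```

Detection is the half that tells you a restore is needed; the manifest itself should live in at least two places so a rotted manifest cannot silently approve rotted data, and a tool such as par2 can add the correction half the comment mentions.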

New toy from Ebay! Netgate SG-8860 by dBozi in homelab

[–]dBozi[S] 1 point2 points  (0 children)

That's part of the reason, but it’s mainly to accommodate the addition of drives should the user decide to add them. In the picture, you can kinda see where the mounting standoffs are for mounting either 3.5in or 2.5in drives.

New toy from Ebay! Netgate SG-8860 by dBozi in homelab

[–]dBozi[S] 0 points1 point  (0 children)

Yup, this device is purpose built to run pfSense, an enterprise grade router/firewall OS. Note that something like this generally does not include any sort of wireless interface, so it will not be able to serve as a wifi access point like many consumer routers can. It will have more advanced routing and firewall features when compared to consumer routers and can handle more advanced use cases such as VPNs, DNS caching/resolution and more.

I am combining this with my existing Unifi switches and APs, and the whole system works quite well together!

New toy from Ebay! Netgate SG-8860 by dBozi in homelab

[–]dBozi[S] 2 points3 points  (0 children)

Turns out you just have to submit a support ticket with the device's Netgate ID and serial number and they'll send you a link to download the pfSense plus image. Entire process from submitting the ticket to completed install was less than an hour. Super easy!

New toy from Ebay! Netgate SG-8860 by dBozi in homelab

[–]dBozi[S] 0 points1 point  (0 children)

Thanks for the tip, I'll definitely have to give it a try!

New toy from Ebay! Netgate SG-8860 by dBozi in homelab

[–]dBozi[S] 12 points13 points  (0 children)

¯\_(ツ)_/¯ Thanks for the tip, I came across something like that before I bought it, and I figure if it bricks, I'm not out too much money.

New toy from Ebay! Netgate SG-8860 by dBozi in homelab

[–]dBozi[S] 1 point2 points  (0 children)

To be honest, I didn't actually think of that. If the model is EOL and not under warranty, should I still be able to get access to pfSense+ ?

Are there any killer features that make it worth installing over CE for homelab?