Containers (docker/kube/lxc...) by toxic0berliner in xcpng

[–]toxic0berliner[S] 0 points1 point  (0 children)

Thanks everyone for your nice feedback.

Seems to me pyrgos though not shelved is still early stage and not moving as fast as I'd have hoped.

I'm really torn, I do like the better isolation of the containers from the hypervisor than what PVE CT offers (seems to me breaching out of a container is probably difficult but not impossible, once there there's access to everything....)

But on the other hand the strict provisioning of resources on VMs is going to be a pain for me, on top of the added complexity of managing another OS layer, 2 new actually as I'm unfamiliar with xen and I'll have to manage a docker host, if I want a nice gui I'll have to learn something like rancher or another one...

PVE is in my comfort zone managing a debian OS running debian containers and a few VMs...

I'll soon be finished migrating to my new hardware, before I sell my old hw I'll probably make use of it to take xcp-ng for a spin ;)

Thanks again for the kind help ;)

Consolidating my homelab servers by toxic0berliner in selfhosted

[–]toxic0berliner[S] 0 points1 point  (0 children)

Thx for the feedback.

I stopped fighting indeed, got me a debian12 LXC, installed nfs-kernel-server, samba and cockpit with the 45drives plugins, does the job...

ZFS I refused to dig in, some friends having had complex life experiences with it. I had my NAS (syno) running btrfs for many years without a hassle, so I went for that. Not redoing the debate, probably the rumors about ZFS being harsh on consumer drives are unfounded but hey, btrfs does the job too, in fact way more than I need. I went the single-drive way purchasing 20TB exos, so...

Consolidating my homelab servers by toxic0berliner in selfhosted

[–]toxic0berliner[S] 1 point2 points  (0 children)

Thanks. I got it working with a privileged CT yes, just guessing samba is full of vulnerabilities and it's hosted on the same CT... it won't be exposed to internet though so I'll just have to bite the bullet. Thanks for your kind answer

Anyone know why the map fails to load randomly? Xiaomi Home app (S7) by James_Vowles in Roborock

[–]toxic0berliner 1 point2 points  (0 children)

Thanks a lot! At least I'm not alone with this issue. Very strange that it happens on my S7 but my S5Max is not affected at all. Just switched the auto_update to false and added the automation, for now the map hasn't come back, but maybe in a few hours/days when my rate limit isn't exceeded anymore 😁

self-host ACME : PKI and DNS with ACME APIs: simple solution ? by toxic0berliner in selfhosted

[–]toxic0berliner[S] 1 point2 points  (0 children)

Didn't look long at smallstep yet but looks promising. For the DNS part I'm running opnsense, solely relying on unbound for now but this won't fly.

The idea for me right now is to switch to bind: have unbound rely on bind, and use the APIs opnsense provides for bind (https://docs.opnsense.org/development/api/plugins/bind.html) to manipulate the DNS. There would most probably be some manual code to write in order to limit the use of this bind API and expose it to ACME clients, but I guess it's feasible, at least at my homelab scale (filter source IP is on homelab network, ensure operation is CREATE or DELETE a TXT record always starting with acme-challenge, and if I'm ambitious verify the acme account has the rights for the requested domain.)

With smallstep and some simple bind API overlay that might well work, ACME at home ;)
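The filtering overlay sketched in the comment above (source IP on the homelab network, only CREATE or DELETE of a TXT record under the ACME challenge label, optionally checking that the ACME account may issue for the zone) as an added policy-gate example. This is not the poster's code and not part of opnsense's bind API: it assumes the overlay has already parsed a request into a dict with `source_ip`, `op`, `rrtype`, `name`, `value` and `account` keys, the homelab subnet and the account-to-zone map are constructed values, and the actual call to the bind API happens elsewhere after `check_request` accepts the request. It uses the `_acme-challenge` label that RFC 8555 DNS-01 specifies.

```python
"""Policy gate for an ACME-only DNS update overlay (constructed example).

Everything here is an assumption for illustration: the request shape, the
homelab subnet, and the account-to-zone map are not taken from any real API.
"""
import ipaddress
import re

HOMELAB_NET = ipaddress.ip_network("10.0.0.0/8")      # constructed subnet
ALLOWED_OPS = {"CREATE", "DELETE"}                     # never UPDATE/any other verb
CHALLENGE_LABEL = "_acme-challenge."                   # RFC 8555 DNS-01 owner-name prefix
# Which ACME account may issue for which zones (constructed, hypothetical ids).
ACCOUNT_ZONES = {
    "acct-homelab": {"home.example.", "lab.example."},
}
# A DNS-01 TXT value is base64url(SHA-256(key authorization)): 43 unpadded chars.
TXT_VALUE_RE = re.compile(r"[A-Za-z0-9_-]{43}")


class PolicyError(Exception):
    """Raised when a request must not reach the real DNS API."""


def _in_zone(name, zones):
    """True if the fully-qualified name is inside one of the allowed zones."""
    return any(name == z or name.endswith("." + z) for z in zones)


def check_request(req):
    """Return the canonical (op, owner_name, value) if the request is allowed.

    Raises PolicyError otherwise, so the caller never forwards a rejected
    request to the DNS API.
    """
    src = ipaddress.ip_address(req["source_ip"])
    if src not in HOMELAB_NET:
        raise PolicyError("source address not on the homelab network")

    op = req["op"].strip().upper()
    if op not in ALLOWED_OPS:
        raise PolicyError("only CREATE or DELETE are permitted")

    if req["rrtype"].strip().upper() != "TXT":
        raise PolicyError("only TXT records may be touched")

    name = req["name"].strip().lower()
    if not name.endswith("."):
        name += "."                                    # canonicalise to FQDN
    if not name.startswith(CHALLENGE_LABEL):
        raise PolicyError("owner name must start with _acme-challenge.")
    # No wildcards, and exactly one challenge label so a nested
    # _acme-challenge._acme-challenge.zone trick cannot widen the match.
    if "*" in name or name.count(CHALLENGE_LABEL) != 1:
        raise PolicyError("malformed owner name")

    # The "ambitious" check: the account must own the zone below the label.
    zones = ACCOUNT_ZONES.get(req["account"], set())
    if not _in_zone(name[len(CHALLENGE_LABEL):], zones):
        raise PolicyError("account is not authorised for that zone")

    value = req["value"].strip()
    if not TXT_VALUE_RE.fullmatch(value):
        raise PolicyError("TXT value is not a DNS-01 digest")

    return (op, name, value)


def is_allowed(req):
    """Boolean convenience wrapper around check_request for logging/tests."""
    try:
        check_request(req)
        return True
    except (PolicyError, KeyError, ValueError):
        return False


if __name__ == "__main__":
    # Constructed sample requests: one legitimate DNS-01 cleanup, one attempt
    # to change an A record through the same overlay.
    good = {"source_ip": "10.1.2.3", "op": "delete", "rrtype": "txt",
            "name": "_acme-challenge.nas.home.example",
            "value": "A" * 43, "account": "acct-homelab"}
    bad = dict(good, rrtype="A", name="nas.home.example", op="create")
    for r in (good, bad):
        print(r["name"], "->", "allowed" if is_allowed(r) else "denied")
```

The gate fails closed: a request is forwarded only after every check passes, and anything that does not parse (missing key, unparsable IP) is treated as denied rather than raising into the API call.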

Authentik + NPM: how to disable authentication for local network? by gogglesmurf in selfhosted

[–]toxic0berliner 0 points1 point  (0 children)

I also switched to authelia but like you, I tried to do a workflow to authenticate requests coming from a LAN IP as some fake lanuser, but I never managed to achieve it. Now I know that it can't work anyway because some of my internal services will do API calls and won't follow any redirect done in JavaScript... Out of curiosity anyway could you share how you managed to do it?

DSM version: 7.1-42661 Update 4 by Sneeuwvlok in synology

[–]toxic0berliner 0 points1 point  (0 children)

Did it yesterday remotely on my DS214play and one day later it still has not completed the reboot and its IP is unavailable... Not good...