Correct (which is why I mentioned Kata, as that’s a container runtime backed by microvms, sort of like how AWS uses firecracker to run lambdas and “serverless” container workloads)
- 0 Posts
- 16 Comments
iggy@lemmy.world to Selfhosted@lemmy.world • How do I access my services from outside? (English)
3 · 11 days ago
I do the port knocking at the firewall level (it’s a pretty simple nft chain setup). Caddy isn’t involved at all. I was thinking about integrating that into my caddy config using something akin to an operator, but I haven’t needed any extra functionality yet.
iggy@lemmy.world to Selfhosted@lemmy.world • How do I access my services from outside? (English)
10 · 12 days ago
I went a different path than the VPN route that seems popular in the other comments…
I use a reverse proxy (caddy) with wildcard SSL (so all my hostnames aren’t in the public cert registry) plus port knocking. So normally no outside IPs are allowed to access my internal services, but I can knock and then access anything for a while. Working well so far.
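The two comments above describe the setup only in outline (an nft chain that opens the proxy port for a source address after a knock sequence). The following is an added example, not the commenter's actual ruleset: a small Python model of the usual nftables pattern, one named set per knock stage with a short per-element timeout, plus an "allowed clients" set with a longer timeout that the reverse-proxy rule consults. Knock ports, timeouts, the service port and all addresses are constructed for the example.

```python
"""Model of a port-knocking firewall chain (added example, not the commenter's nft rules).

Mirrors the common nftables pattern:
  - one named set per knock stage, elements expiring after STAGE_TIMEOUT
    (like `set stage1 { type ipv4_addr; flags timeout; timeout 5s; }`)
  - a final `allowed` set with a longer timeout, checked by the service rule
  - a knock on the wrong port (or out of order) clears the client's progress
Ports, timeouts and addresses below are constructed for illustration.
"""

KNOCK_SEQUENCE = (7000, 9000, 8000)   # assumed knock ports, deliberately non-monotonic
STAGE_TIMEOUT = 5.0                   # seconds allowed between consecutive knocks
ALLOW_TIMEOUT = 600.0                 # seconds the service stays open after a full sequence
SERVICE_PORT = 443                    # the reverse proxy port the knock unlocks


class TimedSet:
    """A set whose elements expire, like an nft set with `flags timeout`."""

    def __init__(self, timeout):
        self.timeout = timeout
        self._expiry = {}

    def add(self, key, now):
        self._expiry[key] = now + self.timeout

    def discard(self, key):
        self._expiry.pop(key, None)

    def contains(self, key, now):
        exp = self._expiry.get(key)
        if exp is None:
            return False
        if now >= exp:            # element has timed out: drop it, as nft would
            del self._expiry[key]
            return False
        return True


class KnockFirewall:
    def __init__(self):
        # stages[i] holds clients that have delivered knocks 0..i in order and in time
        self.stages = [TimedSet(STAGE_TIMEOUT) for _ in KNOCK_SEQUENCE]
        self.allowed = TimedSet(ALLOW_TIMEOUT)

    def _reset(self, src):
        for stage in self.stages:
            stage.discard(src)

    def packet(self, src, dport, now):
        """Decide 'accept' or 'drop' for an inbound SYN and update knock state."""
        if dport == SERVICE_PORT:
            return "accept" if self.allowed.contains(src, now) else "drop"
        if dport in KNOCK_SEQUENCE:
            idx = KNOCK_SEQUENCE.index(dport)
            # stage 0 needs no prior state; stage i needs the client in stage i-1, unexpired
            if idx == 0 or self.stages[idx - 1].contains(src, now):
                self._reset(src)
                self.stages[idx].add(src, now)
                if idx == len(KNOCK_SEQUENCE) - 1:
                    self.allowed.add(src, now)
            else:
                self._reset(src)  # out-of-order knock: start over
        return "drop"             # knock packets (and everything else) are never answered


def run_scenario(events):
    """Feed (src, dport, time) tuples through a fresh firewall; return the verdicts."""
    fw = KnockFirewall()
    return [fw.packet(src, port, t) for src, port, t in events]


# Constructed sample traffic: one correct knock, one out-of-order, one too slow,
# then the first client returning after its allow window has expired.
SAMPLE_TRAFFIC = [
    ("203.0.113.5", 443, 0.0),      # drop: no knock yet
    ("203.0.113.5", 7000, 1.0),
    ("203.0.113.5", 9000, 2.0),
    ("203.0.113.5", 8000, 3.0),     # sequence complete -> allowed for 600s
    ("203.0.113.5", 443, 4.0),      # accept
    ("198.51.100.9", 7000, 5.0),
    ("198.51.100.9", 8000, 6.0),    # wrong order -> progress cleared
    ("198.51.100.9", 9000, 7.0),
    ("198.51.100.9", 443, 8.0),     # drop
    ("192.0.2.77", 7000, 10.0),
    ("192.0.2.77", 9000, 20.0),     # 10s gap > STAGE_TIMEOUT -> stage expired
    ("192.0.2.77", 8000, 21.0),
    ("192.0.2.77", 443, 22.0),      # drop
    ("203.0.113.5", 443, 700.0),    # drop: allow window expired
]

if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_TRAFFIC, run_scenario(SAMPLE_TRAFFIC)):
        print(event, "->", verdict)
```

Two design points carry over to a real ruleset: keep the knock sequence non-monotonic so a plain ascending port scan does not complete it by accident, and keep the per-stage timeout short so a half-finished sequence does not linger. The knock only gates reachability; the service behind it still needs its own authentication.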
Containers don’t need VT/SVM (unless you’re doing something weird like Kata Containers)
I would also suggest looking into k0s/k0sctl for deploying k8s. I think it’s probably the easiest deployment method I’ve personally used. It also makes updates dead simple.
For deploying things to k8s, these days LLMs can write the k8s manifests pretty easily if there aren’t already helm or kustomize files available.
iggy@lemmy.world to Selfhosted@lemmy.world • Self hosting Sunday! What's up, selfhosters? (English)
2 · 4 months ago
PCPartPicker is your best bet (hint: sort by price/gb), but they don’t really track shucking prices
iggy@lemmy.world to Selfhosted@lemmy.world • Self hosting Sunday! What's up, selfhosters? (English)
3 · 4 months ago
I’m pretty sure they’re referring to hdmi-cec, nothing to do with a phone.
I had to disable d3cold on my nvme. Same symptoms. Would work fine on boot and then after some time fail.
iggy@lemmy.world to Selfhosted@lemmy.world • Caddy + DeSEC.io + DNS Challenge [Solved] (English)
5 · 7 months ago
Just as an aside, you’re halfway to being able to use wildcard certs, you might as well just do the last bit of work so the domain names you’re using are a little less public. Let’s Encrypt puts every domain name on every cert in a public database. I’ve seen much less random probing of my services since moving to wildcards.
iggy@lemmy.world to Selfhosted@lemmy.world • Homarr - A modern and easy to use dashboard. 30+ integrations. 10K+ icons built in. Authentication out of the box. No YAML, drag and drop configuration. (English)
111 · 7 months ago
No support for comments? Hard pass
iggy@lemmy.world to Selfhosted@lemmy.world • Friendly reminder that Tailscale is VC-funded and driving towards IPO (English)
112 · 9 months ago
That’s a basic requirement for almost any company. If you’re into hard coding credentials just use wireguard directly.
I’m not familiar enough with cloudflare proxy stuff. I just have my DNS pointed at my router external IP (and luckily my ISP doesn’t reset my IP ever.) It sounds like CF has designed this intentionally as a profit center. Sorry I couldn’t be more help.
This isn’t a cloudflare limitation. It’s a TLS limitation. It was a conscious decision not to support multi-level wildcards. You won’t find a service that supports it. Most people get around this by just not using TLS certs like this. You can encode your multi-level name spacing in 1 level. So instead of something like svc1.svcgroup.dev.domain.org you can do it like svcgroup-svc1.dev.domain.org.
Never heard of a tool to get around this TLS limitation. There are tools that manage lots of certs (cert-manager in k8s comes to mind). If you had a more concrete example it might help people to suggest solutions.
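The multi-level wildcard point above (and the earlier "wildcard certs keep your hostnames out of the public cert database" comment) comes down to one rule that every TLS client applies: a wildcard is honoured only as the whole leftmost label and stands in for exactly one label. The following is an added example, not the commenter's code, implementing that matching rule as described in RFC 6125 section 6.4.3 and then applying the flattening trick from the comment; the hostnames are constructed.

```python
"""Added example (not the commenter's code): RFC 6125 style wildcard matching and
the single-label flattening trick for names that a wildcard cert cannot cover.
Hostnames and patterns below are constructed for illustration."""
from typing import Optional


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate DNS name `pattern` covers `hostname`.

    Rules applied (the conservative reading most TLS stacks use today):
      - comparison is case-insensitive and ignores a trailing dot
      - a wildcard is honoured only as the entire leftmost label
        (partial forms like "f*o.example.org" are rejected)
      - '*' matches exactly one label: never zero, never several
      - at least two labels must follow the wildcard ("*.org" is refused)
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False                      # wildcard must be the whole leftmost label
    if len(p_labels) < 3:
        return False                      # "*.org" would be far too broad
    if len(h_labels) != len(p_labels):
        return False                      # '*' covers exactly one label
    return h_labels[1:] == p_labels[1:]


def covering_name(hostname: str, wildcard: str) -> Optional[str]:
    """Return a name for `hostname` that `wildcard` does cover.

    If the wildcard already matches, the host is returned unchanged. If the host
    sits deeper under the wildcard's zone (svc1.svcgroup.dev.domain.org under
    *.dev.domain.org), the extra labels are folded into one label joined with '-',
    outermost first, as the comment suggests (svcgroup-svc1.dev.domain.org).
    Returns None when the host is not under the wildcard's zone at all.
    """
    zone = wildcard.lower().rstrip(".").split(".", 1)[1]   # "dev.domain.org"
    host = hostname.lower().rstrip(".")
    if wildcard_matches(wildcard, host):
        return host
    if not host.endswith("." + zone):
        return None
    prefix = host[: -(len(zone) + 1)]                       # labels above the zone
    return "-".join(reversed(prefix.split("."))) + "." + zone


if __name__ == "__main__":
    cert_name = "*.dev.domain.org"
    for host in ("svcgroup-svc1.dev.domain.org",
                 "svc1.svcgroup.dev.domain.org",
                 "dev.domain.org"):
        print(f"{cert_name} covers {host}: {wildcard_matches(cert_name, host)}"
              f" -> use {covering_name(host, cert_name)}")
```

Because a wildcard cert lists only `*.dev.domain.org` in its SAN, the individual service names never reach Certificate Transparency logs; the flattened single-label scheme keeps that property while still letting the name encode the group and service.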
The only Radxa I’d bother with is the Rock 5 and for the price, I’d probably just go with rpi5 (unless you like to tinker… a lot). That’s coming from someone that owns 3 Rock5s. The new Orion board looks interesting, but if it’s like any other Radxa products it’ll be 2+ years before it gets decent software support.
iggy@lemmy.world to Selfhosted@lemmy.world • What's up, selfhosters? It's selfhosting Sunday! (English)
2 · 1 year ago
There’s a fine line between “auto-updates are bad” and “welp, the horribly outdated and security hole riddled CI tool or CMS is how they got in”. I tend to lean toward using something like renovate to queue up the updates and then approve them all at once. I’ve been seriously considering building out a staging and prod env for my homelab. I’m just not sure how to test stuff in staging to the point that I’d feel comfortable auto promoting to prod.
Yet somehow there’s still a ton of money in web3/crypto. It’ll be a long time before the AI money dries up.