jax

joined 1 year ago
[–] jax@lemmy.cloudhub.social 3 points 6 months ago* (last edited 6 months ago)

Yeah for sure! I like to post about both the positive and negative experiences. I find things like that to be a valuable learning tool.

From a security perspective, it’s important to understand the systems you’ve implemented and test that they are working as expected. I think in that example if I had tested user sign-up sooner I could have caught the configuration issue.

It's also important to have good observability into your system, both metrics and logs. Metrics to help detect if something weird is happening (increased resource usage could point to ransomware or crypto mining) and logging to track down what happened and see what systems are impacted.

From a technical controls standpoint, it's good practice to segregate your applications from other systems and control planes like IPMI and switching/routing admin interfaces. It's also good to try to limit holes in your firewall. In this cluster, I have Cloudflare Tunnels set up so that I don't have to open ports to access web servers, and I get access to their WAF tooling. You could do something similar with a VPS running WireGuard, CrowdSec, and a reverse proxy.

[–] jax@lemmy.cloudhub.social 3 points 6 months ago* (last edited 6 months ago)

Not at all! I agree, and COVID didn't help at all. I do want to try and be accurate though :p

[–] jax@lemmy.cloudhub.social 4 points 6 months ago* (last edited 6 months ago) (2 children)

It's possible that I estimated the timeline wrong 😅

I’ve added a note to the blog, thanks!

[–] jax@lemmy.cloudhub.social 1 points 6 months ago

I should look into how to do that on my instance probably. Pictrs always seemed like a bit of a security nightmare.

[–] jax@lemmy.cloudhub.social 5 points 6 months ago (2 children)

Glad I could provide some insight! It’s not something I see talked about too much even on Reddit. Let me know if you have any questions or things I could flesh out more in the article!

I’m still relatively new to ActivityPub and Federated systems in general. Though I’ve had my Lemmy and Mastodon instances for 8+ months now, I don’t use them as much as I was expecting, sadly. Running your own instance can be very isolating and any content you put directly on your instance probably won’t gain much traction (at least on Mastodon; Lemmy seems to fare a bit better).

It’s one of a handful of blogs that I’ve run over the last couple of years; the other one that’s still online is HomeLab.Blog. I actually meant to run a federated blog platform like WriteFreely, but they don’t have a production docker image, and I saw that Ghost is planning on adding ActivityPub support.

This article might be more appropriate on that blog and an article about my experience with Federated systems might be more on-topic on this one. Oops.


A slightly less technical post - these are some things I've learned from having a HomeLab for over a decade.

[–] jax@lemmy.cloudhub.social 1 points 6 months ago (2 children)

I disabled Pictrs around the time of the CSAM attacks and have yet to bother enabling it again.

Uhh… what?? When did that happen? I thought pictrs was a requirement also…

[–] jax@lemmy.cloudhub.social 1 points 6 months ago (4 children)

Huh, do you have your lemmy config documented somewhere? I keep running into issues with it and I'm not sure which component exactly is failing, but it's annoying. I'm using this helm chart currently: ananace/lemmy. It works, but I don't have pict-rs set up in HA either.

[–] jax@lemmy.cloudhub.social 1 points 6 months ago (6 children)

They store the secrets in a file? Gross. What a poor way of handling that. Pretty sure environment variables would be more secure. Especially in Kubernetes.

[–] jax@lemmy.cloudhub.social 2 points 6 months ago (8 children)

Yeah, I used to host a Matrix instance - could do that for this one too.

The issue is more about setting up the Kubernetes manifests and templating them. I usually use the chart's built-in postgres and redis config, though using an operator would make it more scalable for sure.

I'm using Authentik for auth, but I do also like Keycloak.

[–] jax@lemmy.cloudhub.social 1 points 6 months ago

I've seen that around, but I prefer to run my own services instead of relying on a ready-built system like that. I find they usually don't offer that many customization options.

[–] jax@lemmy.cloudhub.social 1 points 6 months ago* (last edited 6 months ago)

I think both of the ones I mentioned have docker-compose files, which I think I can convert with kompose convert? I guess from there I would follow your steps and then start parameterizing it once it's running properly.

Thanks! I think I'll start trying out PixelFed tomorrow.

[–] jax@lemmy.cloudhub.social 2 points 6 months ago (2 children)

That's actually super helpful! I haven't done much custom Helm charting, and was kinda lost on where to start. That really helps break the process down, and the tip about skipping state to start is very wise.


cross-posted from: https://lemmy.cloudhub.social/post/347779

I am running a Kubernetes cluster for this domain, and I'm looking at more services to run (right now I have Mastodon and Lemmy).

I was considering WriteFreely and PixelFed, but they don't seem to have an easy solution for running on Kubernetes (WriteFreely doesn't even have a production-ready docker image).

Is anyone else running federated services in their lab? Do you run any of them on Kubernetes?
