• MonkeMischief@lemmy.todayEnglish
    6·
    4 hours ago

    Don’t worry, you’re one Docker pull away from having to look up how to manually migrate Postgres databases within running containers!

    (Looks at my PaperlessNGX container still down. Still irritated.)

  • paequ2@lemmy.todayEnglish
    191·
    12 hours ago

    Actually, one thing I want to do is switch from services being on a subdomain to services being on a path.

    immich.myserver.com -> myserver.com/immich
jellyfin.myserver.com -> myserver.com/jellyfin

    I’m getting tired of having to update DNS records every time I want to add a new service.

    I guess the tricky part will be making sure the services support this kind of routing…

    • suicidaleggroll@lemmy.worldEnglish
      17·
      10 hours ago

      Why are you having to update your DNS records when you add a new service? Just set up a wildcard A record to send *.myserver.com to the reverse proxy and you never have to touch it again. If your DNS doesn’t let you set wildcard A records, then switch to a better DNS.

      • Scrath@lemmy.dbzer0.comEnglish
        61·
        8 hours ago

        Not OP but a lot of people probably use pi-hole which doesn’t support wildcards for some inane reason

        • Croquette@sh.itjust.worksEnglish
          3·
          7 hours ago

          That’s my case. I send every new subdomain to my nginx IP on pi-hole and then use nginx as a reverse proxy

          • Scrath@lemmy.dbzer0.comEnglish
            1·
            6 hours ago

            That wasy exact setup as well until I switched to a different router which supported both custom DNS entries and blocklists, thereby making the pi-hole redundant

            • Croquette@sh.itjust.worksEnglish
              1·
              2 hours ago

              I run opnsense, so I need to dump pi-hole. But I don’t have the energy right now to do that.

              Pi-Hole was pretty straightforward at the time and I did not look back since then. Annoying, but easy.

        • qjkxbmwvz@startrek.websiteEnglish
          2·
          6 hours ago

          I switched to Technitium and I’ve been pretty happy. Seems very robust, and as a bonus was easy to use it to stop DNS leaks (each upstream has a static route through a different Mullvad VPN, and since they’re queried in parallel, a VPN connection can go down without losing any DNS…maybe this is how pihole would have handled it too though).

          And of course, wildcards supported no problem.

    • CorvidCawder@sh.itjust.worksEnglish
      15·
      11 hours ago

      Wildcard CNAME pointing to your reverse proxy who then figures out where to route the request to? That’s what I’ve been doing - this way there’s no need to ever update DNS at all :)

      I find the path a bit clunky because the apps themselves will oftentimes get confused (especially front-ends). So keeping everything “bare” wrt path, and just on “separate” subdomains is usually my preferred approach.

    • magic_smoke@lemmy.blahaj.zoneEnglish
      3·
      11 hours ago

      Alternatively if you’re tired of manual DNS configuration:

      FreeIPA, like AD but fer ur *Nix boxes

      Configures users, sudoer group, ssh keys, and DNS in one go.

      Also lotta services can be integrated using LDAP auth too.

      So far I’ve got proxmox, jellyfin, zoneminder, mediawiki, and forgejo authing against freeipa in top of my samba shares.

      Ansible works too just because its uses ssh, but I’ve yet to figure out how to build ansible inventories dynamically off of freeIPA host groups. Seen a coupla old scripts but that’s about it.

      Current freeipa plugin for it seems more about automagic deployment of new domains.

      • youmaynotknow@lemmy.zipEnglish
        1·
        7 hours ago

        Having a very similar infrastructure, I would love to know if you ever find anything that works for this. I’ve been maintaining a SnipeIT instance manually, but that’s a real PITA. Tried the same with ITSM-NG, but haven’t even lookid in it for months.

    • shadowtofu@discuss.tchncs.deEnglish
      2·
      11 hours ago

      I had the same idea, but the solution I thought about is finding a way to define my DNS records as code, so I can automate the deployment. But the pain is tolerable so far (I have maybe 30 subdomains?), I haven’t done anything yet

    • irmadlad@lemmy.worldEnglish
      16·
      12 hours ago

      At 71, I have to document. I started a long time ago. I worked for a mec. contractor long ago, and the rule was: ‘If you didn’t write it down, it didn’t happen.’ That just carried over to everything I do.

        • irmadlad@lemmy.worldEnglish
          2·
          8 hours ago

          As in a blog or wiki? I do not because I am not authoritative. What I know came from reading, doing, screwing it up, ad nauseam. When something finally clicks for me, I write it down because 9 times out of 10, I will need that info later. But my writing would be so full of inaccuracies that it would be embarrassing and possibly lead someone astray.

    • cenzorrll@piefed.caEnglish
      3·
      14 hours ago

      I’ve moved my homelab twice because it became stable, I really liked the services it was running, and I didn’t want to disturb the last lab**cough**prod server.

      My current homelab will be moar containers. I’m sure I’ll push it to prod instead of changing the IP address and swapping name tags this time.

  • jeffep@lemmy.worldEnglish
    12·
    12 hours ago

    Can’t believe nobody here mentioned nixOS so far? How about moving all of your configs in a flake and manage all of your systems with it?

    • FauxLiving@lemmy.worldEnglish
      9·
      12 hours ago

      I made a git repo and started putting all of my dot files in a Stow and then I forgot why I was doing it in the first place.

      • tal@lemmy.todayEnglish
        1·
        11 hours ago

        So that when setting up a new system, you can migrate all your user configuration easily, while also version-controlling it.

        • FauxLiving@lemmy.worldEnglish
          7·
          11 hours ago
          git commit --message 'So that when setting up a new system, you can migrate all your user configuration easily, while also version-controlling it.'
    • yabbadabaddon@lemmy.zipEnglish
      1·
      10 hours ago

      I already have Ansible to manage my system and I like to have the same base between my pc and my server build muscle memory.

      If I was managing a pc fleet I would consider NixOS, but I don’t see the appeal right now.

      • jeffep@lemmy.worldEnglish
        1·
        5 hours ago

        Okay, but why not create more work for yourself by rebuilding everything from scratch?

    • Sabata@ani.socialEnglish
      441·
      17 hours ago

      If you know how your setup works, then that’s a great time for another project that breaks everything.

      • cenzorrll@piefed.caEnglish
        22·
        15 hours ago

        Saturday morning: “Incus and podman seem interesting. I bet I could swap everything over while the family is out this afternoon”

        Sunday evening: “Dad, when will the lights work again?”

          • tal@lemmy.todayEnglish
            1·
            7 hours ago

            Sure. What that guy is using is actually not the most-interesting diagram style, IMHO, for automatic layout of network maps, if you want large-scale stuff, which is where the automatic layout gets more interesting. I have some scripts floating around somewhere that will generate very large network maps — run a bunch of traceroutes, geolocate IPs, dump the results into an sqlite database, and then generate an automatically laid-out Internet network map. I don’t want to go to the trouble of anonymizing the addresses and locations right now, but if you have a graphviz graph and want to try playing with it, I used:

            goes looking

            Ugh, it’s Python 2, a decade-and-a-half old, and never got ported to Python 3. Lemme gin up an example for the non-hierarchical graphviz stuff:

            graph.dot:

            graph foo {
    a--b
    a--d
    b--c
    d--e
    c--e
    e--f
    b--d
}

            Processed with:

            $ sfdp -Goverlap=prism -Gsep=+5 -Gesep=+4 -Gremincross -Gpack -Gsplines=true -Tpdf -o graph.pdf graph.dot

            Generates something like this:

            That’ll take a ton of graphviz edges and nicely lay them out while trying to avoid crossing edges and stuff, in a non-hierarchical map. Get more complicated maps that it can’t use direct lines on, it’ll use splines to curve lines around nodes. You can create massive network maps like this. Note that I was last looking at graphviz’s automated layout stuff about 15 years ago, so it’s possible that they have better layout algorithms now, but this can deal with enormous numbers of nodes and will do reasonable things with them.

            I just grabbed his example because it was the first graphviz network map example that came up on a Web search.

    • Zink@programming.devEnglish
      1·
      12 hours ago

      This is just as true in my non-computer hobbies that involve physical systems instead of code and configs!

      If I had to just barely meet the requirements using as little budget as possible while making it easy for other people to work on, that would be called “work.” My brain needs to indulge in some over-engineering and “I need to see it for myself” kind of design decisions.

        • Caveman@lemmy.worldEnglish
          7·
          13 hours ago

          I set my homelab up on Bazzite immutable with podman and SELinux. It took a while to work everything out and have it boot up into a valid state hahaha

            • Caveman@lemmy.worldEnglish
              1·
              30 minutes ago

              At the start I just wanted a desktop machine that runs Steam through sunshine/moonlight so hardware support and gaming stuff such was very important.

              My homelab used to run on my laptop when it could all fit within a couple 100s of GB and I was the only user but moving it was tricky. Since I’m a programmer I’m not afraid of this stuff so I just spent the hours to figure out one problem at a time.

              I ended up figuring out adding HDD whitelist in SELinux, make it accessible in podman, manually edit fstab because tools didn’t work, systemd service for startup, logging in automatically where I already forgot everything and would have not had to do any of this on a bog standard Ubuntu server.

              • Caveman@lemmy.worldEnglish
                1·
                29 minutes ago

                Good for stability, bad for flexibility for when the homelab grows more complex.

              • epicshepich@programming.devEnglish
                1·
                10 hours ago

                I honestly don’t know a ton about immutable distros other than that they let you front-load some difficulty in getting things set up in exchange for making it harder to break. I was just surprised that the distro of choice was Bazzite, since its target audience seems to be gamers.

        • The Stoned Hacker@lemmy.worldEnglish
          3·
          14 hours ago

          It’s not that difficult to get SELinux working with podman quadlets, especially if you run things rootless. I have a kerberized service account for each application I host and my quadlets are configured to run under those. I very rarely encounter applications that simoky can’t be run rootless but I usually can find an adequate alternative. I think right now the only thing that runs as root is one of the talk or collabora containers in my nextcloud stack. No selinux issues either.

          • epicshepich@programming.devEnglish
            1·
            13 hours ago

            I use podman-compose with system accounts and I don’t have a ton of issues. The biggest one is that I can’t seem to get bluetooth and pip working on Home Assistant at the same time. Most of the servers I manage have SELinux and it works fine as long as I use :z/:Z with bind mounts.

            A few years ago, I set up a VPS for my friend’s business; at the time, I didn’t know how to work with SELinux so I just turned it off. I tried to flip it back on, and it somehow bricked the system. We had to restore from a backup. Since then, I’ve been afraid to enable it on my flagship homelab server.

            • WhyJiffie@sh.itjust.worksEnglish
              1·
              13 hours ago

              are you sure it really bricked it? when turning it on, on next boot it needs to go over all the files and retag them or something like that, and it can take a significant amount of time

              • epicshepich@programming.devEnglish
                1·
                12 hours ago

                Honestly, I don’t know what happened, but it was unreachable via SSH and the web console. There shouldn’t have been a ton of files to tag since it was an Almalinux system that started with SELinux enabled, and all we added was a container app or two.

  • DownByLaw@sh.itjust.worksEnglish
    34·
    16 hours ago

    Have you already tried implementing an identity provider like Authentik, so you can add OIDC and ldap for all your services, while you are the only one that’s using them? 🤔

    • Pumpkin Escobar@lemmy.worldEnglish
      14·
      16 hours ago

      Behind a traefik reverse proxy with lets encrypt for ssl even though the services aren’t exposed to the internet?

      • diablomnky666@lemmy.wtfEnglish
        11·
        15 hours ago

        To be fair a lot of apps don’t handle custom CAs like they should. Looking at you Home Assistant! 😠

      • suicidaleggroll@lemmy.worldEnglish
        1·
        10 hours ago

        Who cares if it’s exposed to the internet?

        1. Encrypting your local traffic is still valuable to protect your systems from any bad actors on your local network (neighbor kid cracks your wifi password, some device on your network decides to start snooping on your local traffic, etc)

        2. Many services require HTTPS with a valid cert to function correctly, eg: Bitwarden. Having a real cert for a real domain is much simpler and easier to maintain than setting up your own CA