xinayder

joined 2 years ago
sorted by: new top controversial old
VoidAuth Release v1.4.0 - SQLite Support ๐Ÿ—ƒ๏ธ in c/selfhosted@lemmy.world
[โ€“] xinayder@infosec.pub 6 points 2 months ago

Authentik supports more authentication types and I think it's more stable so you can use it in larger production servers. VoidAuth seems to be a lightweight alternative that only provides OIDC.

Wikipedia editors adopt a policy giving admins the authority to quickly delete AI-generated articles that meet certain criteria, like incorrect citations in c/technology@lemmy.world
[โ€“] xinayder@infosec.pub 2 points 4 months ago (1 children)

Both. How do I get started creating a new article, and how do I contribute to them, or other articles?

Podman Quadlets are so cool in c/selfhosted@lemmy.world
[โ€“] xinayder@infosec.pub 1 points 4 months ago

If you have caddy as a reverse proxy inside podman user namespace separated networks, they don't take the upstream client IP address and instead you get local IP addresses assigned to logs. Socket activation is kinda required if you want to get the client's real IP address in your logs.

Your favourite piece of selfhosting - Part 1 - Operating System in c/selfhosted@lemmy.world
[โ€“] xinayder@infosec.pub 5 points 4 months ago

I use openSUSE MicroOS as the container host, with podman. It was a bit tricky to install it in my Hetzner VPS and get used to how MicroOS handles system updates (it's an immutable system), but I am quite happy with it. I found it interesting and decided to try out so I could learn how to use the system.

Wikipedia editors adopt a policy giving admins the authority to quickly delete AI-generated articles that meet certain criteria, like incorrect citations in c/technology@lemmy.world
[โ€“] xinayder@infosec.pub 4 points 4 months ago (3 children)

How do I get started on contributing to new articles (written by a human) for my language? I always wanted to help out but never found an easy way to do so.

You Should Run a Certificate Transparency Log in c/selfhosted@lemmy.world
[โ€“] xinayder@infosec.pub 1 points 5 months ago

With Encrypted Client Hello you can have some more privacy on obtaining certificates for wildcard domains, IIRC.

Security of running Headscale on a VPS in c/selfhosted@lemmy.world
[โ€“] xinayder@infosec.pub 2 points 9 months ago

I had the same considerations when I self-hosted headscale as the controller for accessing my VPS. However, I figured that it shouldn't be a big deal, and there's no chance of someone registering rogue devices on your mesh, because, even though any device can request enrollment to Tailscale, ultimately you need to execute a command in your headscale server to confirm the enrollment/account creation, so there shouldn't be that much of a problem leaving the web server exposed.

Asking for suggestions regarding Rootless Podman in c/selfhosted@lemmy.world
[โ€“] xinayder@infosec.pub 0 points 9 months ago* (last edited 9 months ago) (1 children)

One more question, how did you manage to get the reverse proxy to proxy your pods? I just added two containers to one, and I cannot access the containers anymore by their names. Do I need to expose their ports on the pod configuration?

Asking for suggestions regarding Rootless Podman in c/selfhosted@lemmy.world
[โ€“] xinayder@infosec.pub 0 points 9 months ago (3 children)

It seems simple. Does it use pasta as the default networking backend? Also, I guess separating each app into their own network is added security, right? So if anything happens to one app, it cannot move laterally to the other apps unless it manages to gain access to the reverse proxy, which then it would be a huge problem.

2
Asking for suggestions regarding Rootless Podman (infosec.pub)
 

I have a "homelab" (well it's not a lab hosted at home, but on the cloud) running k3s and hosting my website, IRC and Matrix. I'm moving all of these services to Podman, since it's easier and you don't have to deal with the headaches of k3s.

I spent a lot of time the past months searching about Podman and couldn't find so much information about it. I managed to get a Authentik pod up and running with Quadlet (systemd unit), and I have a basic Caddy container acting as the reverse proxy for it. These are hosted in another VPS I have, and they are running rootless.

I want to move the other services to Podman, but I'm a bit lost. Right now, I have all the Podman containers allocate specific ports on the host, and communication between Caddy and Authentik, for example, is done by specifying the local IP address of my VPS.

Is it a bad approach to do inter pod/container communication using the local host IP address? I read that you can create a network that pods/containers can use and each gets assigned its own IP from the network range, but I also read that it doesn't go well with rootless. I started using slirp4netns, but then migrated to pasta since I had some issues with getting IPv6 with the former.

So, what would be the "correct" approach here? Create a separate network for the pods and use their assigned IP addresses, or use the local IP address from the host to communicate between pods?