Just be aware of the risks involved with running your own CA.
Yes, LetsEncrypt with DNS-01 challenge is the easiest way to go. Be it a single wildcard for all hosts or not.
Running a CA is cool however, just be aware of the risks involved with running your own CA.
You’re adding a root certificate to your systems that will effectively accept any certificate issued with your CA’s key. If your PK gets stolen somehow and you don’t notice it, someone might be issuing certificates that are valid for those machines. Also, real CAs have ways to revoke certificates that are checked by browsers (OCSP and CRLs); they may also employ other techniques such as cross signing and chains of trust. All those make it so a compromised certificate is revoked and not trusted by anyone after the fact.
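The two points in that comment, that a trusted root makes clients accept anything its key signs and that revocation only works through a CA-signed CRL (or OCSP) that clients actually check, as an added Go example that is not from the thread; the CA name, host name and serial numbers are constructed:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must unwraps a (value, err) pair; this demo simply aborts on any error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// PrivateCADemo builds a home root CA, issues a server cert for host, verifies it once the root is
// trusted, then revokes it with a CA-signed CRL. Returns (trustedBeforeRevocation, listedInCRL).
func PrivateCADemo(host string) (trusted, revoked bool) {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Home Lab Root CA (constructed)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	// Whoever holds caKey can mint a certificate for any name that hosts trusting ca will accept.
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(12 * time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leaf := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey))))
	roots := x509.NewCertPool()
	roots.AddCert(ca) // equivalent to installing the root certificate on a client
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	trusted = err == nil
	// Revocation: the CA signs a CRL listing the leaf's serial; it only helps clients that fetch and honour it.
	crl := must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}}}, ca, caKey))))
	if err := crl.CheckSignatureFrom(ca); err != nil { // a client must reject a CRL the CA did not sign
		panic(err)
	}
	for _, rc := range crl.RevokedCertificates {
		revoked = revoked || rc.SerialNumber.Cmp(leaf.SerialNumber) == 0
	}
	return trusted, revoked
}
```

Note that x509.Verify itself never consults the CRL: the revocation check is a separate step the client has to perform, which is exactly why a stolen CA key stays dangerous until every client fetches the updated list.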
I want the WAN coming in from the router from the Pi’s Ethernet port, and the LAN coming out as Wi-Fi. I may also stick an additional Ethernet adapter to it in the future.
Can you try to explain this a bit more?
If you want a git “server” quick and low maintenance then gitolite is most likely the best choice. https://gitolite.com/gitolite/index.html
It simply acts as a server that you can clone with any git client, and the coolest part is that you use git commits to create repositories and manage users as well. Very, very little or no maintenance at all. I’ve been using it personally for years but also saw it being used at some large companies because it simply gets the job done and doesn’t bother anyone.
So I want to get back into self hosting, but every time I have stopped it has been because I lacked documentation to fix things that break. So I pose a question: how do you all go about keeping your setup documented? What programs do you use?
Joplin or Obsidian? Or… plain markdown files with your favorite text editor.
Yeah that one is very good.
Maybe the NextCloud guys will follow… oh wait that would just be yet another perpetually half-finished NC thing.
+1 for this. This is kinda the same issue with encoding, just UTF-8 everything and move on.
Yes, ksmtuned is your friend. For VMs it can be managed / enabled like any other Linux kernel + QEMU/KVM setup running with KSM enabled.
On LXC containers it may be a bit harder as it depends a LOT; best results if you’re using systemd on both the host and the containers. It may all work out of the box or you’ll have to resort to ksm_wrapper in both the Incus executable and the stuff running inside your containers.
Don’t forget that:
KSM only operates on those areas of address space which an application has advised to be likely candidates for merging, by using the madvise(2) system call: int madvise(addr, length, MADV_MERGEABLE). https://www.kernel.org/doc/Documentation/vm/ksm.txt
How does it handle Windows VMs?
As one would expect from QEMU… https://blog.simos.info/how-to-run-a-windows-virtual-machine-on-incus-on-linux/
Does the WebUI give a nice and easy noVNC window?
Yes it works fine. https://youtu.be/wqEH_d8LC1k?feature=shared&t=508
Actually it would be interesting to see cockpit-machines move to Incus as a virtualization backend and support both LXC containers and QEMU VMs that way.
LXC is worse than virtualization as it pins to a single core instead of getting scheduled by the kernel scheduler. It also is quite slow and dated. Either run Podman, Docker or full VMs.
First, what you’re saying about the scheduler isn’t even what happens by default; that was some crap that Proxmox pulled when they migrated from OpenVZ to LXC. To be fair, they had a bunch of more or less valid reasons to force that configuration, but again it was due to kernel-related issues that were affecting Proxmox more than regular Ubuntu, and those issues were solved around the end of 2021.
Now Docker and LXC serve different purposes and they aren’t a replacement for each other. Docker is a stateless application container solution while LXC is a full persistent container aimed at running full operating systems…
Docker and LXC share a bunch of underlying technologies, and in the beginning Docker even used LXC as their backend; they later moved to their own execution environment called libcontainer because they weren’t using all the features that LXC provided and wanted more control over the implementation.
For those who really need full systems, LXC is definitely faster than a VM. Your argument assumes everything can and should be done inside Docker/Podman when that’s very far from the reality. The Docker guys have written a very good article showcasing the differences and optimal use cases for both.
Here are two quotes for you:
LXC is especially beneficial for users who need granular control over their environments and applications that require near-native performance. As an open source project, LXC continues to evolve, shaped by a community of developers committed to enhancing its capabilities and integration with the Linux kernel. LXC remains a powerful tool for developers looking for efficient, scalable, and secure containerization solutions. Efficient access to hardware resources (…) Virtual Desktop Infrastructure (VDI) (…) Close to native performance, suitable for intensive computational tasks.
Docker excels in environments where deployment speed and configuration simplicity are paramount, making it an ideal choice for modern software development. Streamlined deployment (…) Microservices architecture (…) CI/CD pipelines.
Anyways…
It also ships with a newer kernel than Debian although it shouldn’t matter as you are using it for virtualization.
It matters, trust me. Once you start requiring modules it will suddenly matter. Either way, even if they ship a kernel that is newer than Debian’s, it is so fucked at that point that you’ll be better off with whatever Debian provides out of the box.
Check the bottom of the reply, there’s a link there with my experience over the years.
Typically I just run binaries of the services I use, and I don’t tend to use docker or other things
That’s essentially what I do in my NAS with LXD, it’s a great use case for it.
Enjoy.
You can put Incus on a lot of different systems. Don’t like systemd? Put it on Void. Want a declarative setup? NixOS. Minimalist? Alpine.
This is great, yeah.
Well, I understand your POV… but real software freedom instead of messages asking you to buy a license and a questionable kernel is always a good choice :P
I’m glad to know that I could help.
I like that I can switch out my distros underneath Incus instead of being stuck on one weird kernel
This is an interesting take that I never considered before, my experience (be it corporate or at home) is usually around Debian machines running Incus and I never had the need to replace the distro underneath it.
Great sum up, yes, the major issue with VS Code is the licensing issues that Microsoft caused there.
You need to understand what Proxmox gives you, which is primarily the ability to run/manage/backup/etc. VMs easily.
Yeah, and after understanding what it gives you, you move to Incus because, while it might be a bit harder to set up, it delivers around 80% of what Proxmox does without the overhead, mangled kernel and licensing issues.
https://cockpit-project.org/ also does VMs and can work for people without cluster needs.
C’mon just move to Incus: https://lemmy.world/comment/10896868 :P
For what it’s worth, LetsEncrypt with DNS-01 challenge is way easier to deploy and maintain on your internal hosts than adding a CA and dealing with all the devices that might not like custom CAs. Also more secure.