SillyLilBear

joined 1 year ago
 

I have used Tailscale in the past, and really like it but I had problems at the time where there wasn't a 23 Ubuntu image so I ended up setting up Wireguard on my OPNSense firewall. I have four hosts I use to remote in, everything has been great.

I am now contemplating how to setup some changes I am making.

I have a lot of remote servers which I manage them all via SSH and have no issues. But I am looking at moving a few services from my LAN to WAN. Specifically Uptime-Kuma and CheckMK, as well as a few other things that I don't want to go offline if I lose power during winter storms.

I don't feel comfortable exposing these services to the Internet, so I was thinking I would use wireguard to allow direct access while I am on my LAN. Obviously, Tailscale would be super easy solution. I really don't want these remote servers (rented dedicated servers and VPS) having direct access to my LAN.

I was thinking I'd create a new Wireguard interface, and only allow outbound traffic on it. This way I can access these machines but they can't get on my LAN. I currently use SSH port forwarding when I need to access a web interface remotely and this works great but I got to open up a ssh connection before accessing the website. I like being able to just click on stuff through my Homepage dashboard.

Now that I am adding some new remote servers, I want to set this up right. I feel like setting up Wireguard in OPNSense is the most optimal solution for performance and security, it is just not as easy.

I am considering Netmaker, Tailscale, and my personal favorite option OPNSense.

tldr; I want to set up a wireguard dmz for remote servers so they can't access my LAN while keeping my road warrior trusted wireguard interface that do have full acess. I am using OPNSense.

[–] SillyLilBear@alien.top 1 points 11 months ago (1 children)

docker w/ postgres, but really up to you. Either would be fine.

 

I am looking to move a bulk of my docker containers offsite and use wireguard to access them. Anyone doing this with good success can recommend a provider? I am thinking about a 4 core 8g VPS from OVH which I think should be enough as that's roughly why my proxmox vm is.

I think a dedicated server is overkill for now.

Ideally, I would like to do k3s with the offsite the master with my LAN backup nodes, but I am not sure I want to get into that head ache for now, I can spin up another node and restore backups pretty quickly if needed.

[–] SillyLilBear@alien.top 2 points 11 months ago

SSL is the main reason, this way your traffic is encrypted from snoopers on your land, and you don't get the warning messages about it not being secure.

You can use a sub domain from desec for free to do this.

[–] SillyLilBear@alien.top 1 points 11 months ago

KASA HS300 $39.99 for 6 port smart strip with energy monitoring.

 

I can't seem to figure this out. Ideally I want to use no port number in the git: url. Is there a way to do this without the shim nonsense?

gitea:

image: gitea/gitea:latest

container_name: gitea

environment:

USER_UID: 1000

USER_GID: 1000

GITEA__database__DB_TYPE: postgres

GITEA__database__HOST: gitea-db:5432

[–] SillyLilBear@alien.top 0 points 1 year ago

The latest version isn't always the best version. In a home lab or home network, this is rarely a big problem, but in a production environment, I wouldn't recommend it.

 

I'm having some weird issues with Traefik in front of various containers. Initially it all worked fine, but as I got more containers behind Traefik, I started having weird results. Some containers that were working would stop responding with "gateway timeout" yet still could be accessed without HTTP on their port if I still exposed it.

I seem to have a group of containers that usually are the ones that stop working (metabase, windmill, nextcloud, invidious, searxng). A lot of them continue to work and have never seen them go down.

If I restart containers over and over again or restart traefik will make some combination of them work again, but I can't get them all working at once, but sometimes I can get most of them but one working.

For example, I stop all the problematic containers. I start change detection, it works fine via ssl. I start metabase, now change detection and metabase aren't working. Traefik logs are giving me no errors though. If I shutdown metabase, then try again, change detection doesn't work, but if I restart traefik it starts working.

All the other containers like homepage, portainer, and so on are working fine.

 

For docker stacks, do you typically run stand alone postgres containers, or do you run one postgres container and setup accounts for each new stack that requries it?

Right now I am running a new postgres in docker compose as needed, but seems this is wasteful and it maybe easier to manage/monitor if I just ran one instance.

 

I'm pretty new to traefik, but I have a basic understanding and got everything setup. Setting up Netbootxyz, is it bit more complicated. It has 3 ports 3000, 69 (UDP), and 80.

I added routers rule , entrypoints, and tls.certresolver for both 3000 and 80, and set 80 to be web instead of websecure for entrypoint. I also added services loadblancer for each to so it knows which port since there is more than one. (I usually don't add load balancer as there is only one exposed port).

I haven't tested this yet, as I don't know what to do about 69/udp. If I leave it at 69:69/udp, I don't think it will work as it won't resolve the URL and proxy through traefik, but not sure how I should set up Traefik for it.

I would like all ports to respond on the FQDN.

So far my traefik labels look like this.

```

ports:

- 3000

- 69:69/udp

- 80
labels:

traefik.http.routers.netbootxyz.rule: Host(``)

traefik.http.routers.netbootxyz.entrypoints: websecure

traefik.http.routers.netbootxyz.tls.certresolver: myresolver

traefik.http.services.netbootxyz.loadbalancer.server.port: 3000

traefik.http.routers.netbootxyzassets.rule: Host(``)

traefik.http.routers.netbootxyzassets.entrypoints: web

traefik.http.routers.netbootxyzassets.tls.certresolver: myresolver

traefik.http.services.netbootxyzassets.loadbalancer.server.port: 80

```

 

I am trying to setup a restic job to backup my docker stacks, and with half of everything owned by root it becomes problematic. I've been wanting to look at podman so everything isn't owned by root, but for now I want to backup my work I built.

Also, how do you deal with some docker containers having databases. Do you have to create exports for all docker containers that have some form of database?

I've spent the last few days moving all my docker containers to a dedicated machine. I was using a mix of NFS and local storage before, but now I am doing everything on local NVME. My original plan was having everything on NFS so I would worry about backups there, and I might go back to that.

 

I want to centrally log messages for both internal and remote servers. I was looking at Loki at one point, as it seems to be a good option due to space savings. They also have a generous cloud option to get started and test it out.

Anyone have a setup that you have been using for a while that works really well?
I want to start getting CheckMK and Grafana up eventually along with it.

[–] SillyLilBear@alien.top 1 points 1 year ago

I remember the problem I was having, I was constantly getting complaints from Google throttling me and asking for captcha. Do you get this?

[–] SillyLilBear@alien.top 1 points 1 year ago

this is a better solution

[–] SillyLilBear@alien.top 1 points 1 year ago (3 children)

I have been happy with NordVPN. It is able to give me nearly 100% of my 1.5Gbps connection, and with almost no latency difference I'm able to game without turning it off.

[–] SillyLilBear@alien.top 1 points 1 year ago (3 children)

I tried SearxNG a while ago, but I had a lot of problems. You having good luck with it?