• 1 Post
  • 32 Comments
Joined 1 year ago
cake
Cake day: July 30th, 2023

help-circle



  • Can’t speak for OP but I can say that I switched to proxmox from just running docker and services native. Proxmox offers a lot of flexibility, you can do snapshots, build many different LXC containers very easily, to keep things separate or have better control over resource usage. Also I run mine in a 3 node cluster so I can do live migration of VMs and pretty quick migrations of LXC containers. This all allows me to run my services with little to no downtime and have redundancy.






  • I host vaultwarden at home. No real need for a vps since your passwords are synced to your phone or laptop(whatever client you’re using) and you can just sync it when you’re home if you make changes, or setup a VPN (I use wireguard) and sync on demand when needed.

    That said, I do sync my database to a vps for dr purposes incase my home server suddenly vanishes… for critical services I follow a 3-2-1 backup rule but it’s not absolutely essential.


  • I run pihole on a proxmox cluster (lxc containers), 2 separate IPs and I setup keepalived and made the virtual IP the primary dns ip that my dhcp server hands out, pihole1 is the master and pihole2 secondary. I use gravity sync to keep both piholes in sync. Works very well and I can reboot one at a time without losing dns at all. Techno tim on YouTube has a guide on how to setup keepalived on 2 pihole servers that helped me set it up.





  • Some people are really stupid. Like seriously when it comes to every day functions many people struggle. Especially when it comes to vehicles, some people just know that there is on and off and forward and backwards… never take anything else into account. It’s because of this that flying cars would be a disaster, you can’t have these things breaking down all the time or running out of gas. I’ve seen people literally lock themselves in vehicles before, never change their oil, put antifreeze in the washer fluid canister, drive on a flat until the tire ripped apart, evevtually fell off and had to buy a new rim. Some people should really not be allowed to drive without passing some sort of “basic knowledge about vehicles and what to do when something goes wrong” course.








  • So the opening of ports works, but it’s not the most secure or best way to do it imo… what happens is the certbot registers with letsencrypts api and attempts to request a cert via http challenge, it then hosts a small website with a code from letsencrypt to prove that you do in fact own the domain and are who you say you are. Let’s encrypt then goes to the url, verifies it sees the text, and issues a cert to the certbot. The problem here is you have to open these ports to the internet, and they need to be open when certificates are renewed (let’s encrypt only issues a 90 day cert)… if you want to leave those ports open that’s not exactly a safe practice, and manually doing it every 3 months is less than ideal…

    With dns challenge, the certbot uses the api of your dns provider (cloudflare or porkbun), the process is similar, it talks with letsencrypt, let’s encrypt gives it a string and a dns record it expects to see, then certbot talks to your dns, makes a txt record with the string provided, then let’s encrypt checks for that dns record, if it finds it, it issues a cert to the certbot. In this scenario, certbot is connecting out to your dns provider and making the record for you, no opening of ports. And if you leave the api key active, it will auto renew on a schedule so you don’t have to really worry about it.

    I highly recommend looking into dns challenge some more, watch some videos on it there are lots on YouTube.

    As for the dns record, not sure if it’s not allowing the wildcard record or what but I wouldn’t use *.example.com, make an entry for the actual host/service you are hosting, like portainer.example.com.