DeltaTangoLima

DeltaTangoLima, 1 year ago

Yeah, I had the same experience with the devs of Pushbullet, after constructively suggesting a few ways they might be able to work with proxy servers, and all I got back was “Proxies are bad, mmmmk?”.

Fucken Peter Pan-level mentality.

DeltaTangoLima, 1 year ago (edited 1 year ago)

Nah - don’t make excuses for them. Here in Australia, we call entitled people like this cunts. With a hard ‘c’. Not the nice one, with a soft ‘c’.

DeltaTangoLima, 1 year ago

It’s about fitness for purpose, IMO.

I recently migrated most of my homelab to Proxmox running on a pair of x86 boxes. I did it because I was cutting the streaming cord, and wanted to build a beefy Plex capability for myself. I also wanted to virtualise my router/firewall with OPNsense.

Once I mastered Proxmox, and truly came to appreciate both the clean separation of services and the rapid prototyping capability it gave me, I migrated a lot of my homelab over.

But, I still use RasPis for a few purposes: Frigate server, second Pi-hole instance, backup Wireguard server. I even have one dedicated to hosting temperature sensors, reed switches, and webcams for our pet lizard’s enclosure.

Each has their place for me.

DeltaTangoLima, 1 year ago

If you have the means, you could self-host a Piped server? Otherwise, try out piped.video.

DeltaTangoLima, 1 year ago

At the time of my move I went through my list of apps I bought and tallied the ones up, that I still used. It was less than $50 of repurchases.

Yeah, I know this what I should do too. As someone else said in this comment thread, gotta tear that bandaid off at some point. Just shits me that I should have to. But the freedom after doing it… <chef’s kiss>

DeltaTangoLima, 1 year ago

Yeah, still got my ancient free Gmail account going. Will probably revert to that.

DeltaTangoLima, 1 year ago

Yeah, that’s the other thing that shits me. Paying for my wife and I on Workspaces, and we don’t have family sharing rights. We’re literally paying to be treated like second-class citizens!

DeltaTangoLima, 1 year ago

Lol - not my first rodeo. I’m blocking dns.google as well, and I’m 99.999% certain Google won’t have coded Chromecasts to use anyone else’s DNS servers.

DeltaTangoLima, 1 year ago

Ah - I only have the Chromecast GTVs. Good to know I don’t need to pay for an upgrade then!

DeltaTangoLima, 1 year ago

Really? I run several Chromecasts, and I block their access to all DNS services except my internal Pi-holes. They work just fine.

DeltaTangoLima, 1 year ago

To answer each question:

• You can run rootless containers but, importantly, you don’t need to run Docker as root. Should the unthinkable happen, and someone “breaks out” of docker jail, they’ll only be running in the context of the user running the docker daemon on the physical host.
• True but, in my experience, most docker images are open source and have git repos - you can freely download the repo, inspect the build files, and build your own. I do this for some images I feel I want 100% control of, and have my own local Docker repo server to hold them.
• It’s the opposite - you don’t really need to care about docker networks, unless you have an explicit need to contain a given container’s traffic to it’s own local net, and bind mounts are just maps to physical folders/files on the host system, with the added benefit of mounting read-only where required.

I run containers on top of containers - Proxmox cluster, with a Linux container (CT) for each service. Most of those CTs are simply a Debian image I’ve created, running Docker and a couple of other bits. The services then sit inside Docker (usually) on each CT.

It’s not messy at all. I use Portainer to manage all my Docker services, and Proxmox to manage the hosts themselves.

Why? I like to play.

Proxmox gives me full separation of each service - each one has its own CT. Think of that as me running dozens of Raspberry Pis, without the headache of managing all that hardware. Docker gives me complete portability and recoverability. I can move services around quite easily, and can update/rollback with ease.

Finally, the combination of the two gives me a huge advantage over bare metal for rapid prototyping.

Let’s say there’s a new contender that competes with Immich. I have Immich hosted on a CT, using Docker, and hiding behind Nginx Proxy Manager (also on a CT).

I can spin up a Proxmox CT from my own template, use my Ansible playbook to provision Docker and all the other bits, load it in my Portainer management platform, and spin up the latest and greatest Immich competitor, all within mere minutes. Like, literally 10 minutes max.

I have a play with the competitor for a bit. If I don’t like it, I just delete the CT and move on. If I do, I can point my photos… hostname (via Nginx Proxy Manager) to the new service and start using it full-time. Importantly, I can still keep my original Immich CT in place - maybe shutdown, maybe not - just in case I discover something I don’t like about the new kid on the block.

DeltaTangoLima, 1 year ago

Yep, all true. I was oversimplifying in my explanation, but you’re right. There’s a lot more to it than what I wrote - I was more relating docker to what we used to do with chroot jails.

DeltaTangoLima, 1 year ago

You still need to do that, but you need the Linux bridge interface to have VLANs defined as well, as the physical switch port that trunks the traffic is going to tag the respective VLANs to/from the Proxmox server and virtual guests.

So, vmbr1 maps to physical interface enp2s0f0. On vmbr1, I have two VLAN interfaces defined - vmbr1.100 (Proxmox guest VLAN) and vmbr1.60 (Phsyical infrastructure VLAN).

My Proxmox server has its own address in vlan60, and my Proxmox guests have addresses (and vlan tag) for vlan100.

The added headfuck (especially at setup) is that I also run an OPNsense VM on Proxmox, and it has its own vlan interfaces defined - essentially virtual interfaces on top of a virtual interface. So, I have:

• switch trunk port
  • enp2s0f0 (physical)
    • vmbr1 (Linux bridge)
      • vmbr1.60 (Proxmox server interface)
      • vmbr1.100 (Proxmox VLAN interface)
        • virtual guest nic (w/ vlan tag and IP address)
      • vtnet1 (OPNsense “physical” nic, but actually virtual)
        • vtnet1_vlan[xxx] (OPNsense virtual nic per vlan)

All virtual guests default route via OPNsense’s IP address in vlan100, which maps to OPNsense virtual interface vtnet1_vlan100.

Like I said, it’s a headfuck when you first set it up. Interface-ception.

The only unnecessary bit in my setup is that my Proxmox server also has an IP address in vlan100 (via vmbr1.100). I had it there when I originally thought I’d use Proxmox firewalling as well, to effectively create a zero trust network for my Proxmox cluster. But, for me, that would’ve been overkill.

DeltaTangoLima, 1 year ago

Saved me the effort, thanks. Although, couldn’t you just block the container from talking outside your network? I can’t see why I’d need a memo app (server) to have access to the internet.

DeltaTangoLima, 1 year ago

Ah, nice one. Still, a bit annoying that it’s opt out, rather than opt in.

DeltaTangoLima, 1 year ago

This is why all my automations are in Node-Red. Reusability.