atzanteol

@atzanteol@sh.itjust.works


atzanteol, (edited )

This is way overcomplicated.

Internet -> router/firewall -> your network with all devices

No DMZ needed or wanted.

You will want a dhcp server which will likely be the router/firewall. It will tell all your internal systems to use it as a “gateway” for Internet traffic. The router then allows outbound for everybody and does NAT - basically it makes requests on that system’s behalf and sends the results back. If you want external access to a system you configure port-forwarding on the router (again it acts as the middleman between external and internal systems).

Edited to add: I love that you provided a diagram though! Makes it much easier to discuss.
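The NAT and port-forwarding behaviour described in the comment above, as an added example that is not part of the original comment: a toy Python model of the router's translation table. The `Router` class, its strict per-remote filtering and all addresses (documentation ranges) are constructed assumptions, not taken from the thread.

```python
from dataclasses import dataclass, field

@dataclass
class Router:
    """Toy model (hypothetical, not real router code) of source NAT + port forwards."""
    public_ip: str
    forwards: dict = field(default_factory=dict)  # public port -> (LAN ip, LAN port)
    sessions: dict = field(default_factory=dict)  # public port -> (LAN ip, LAN port, remote)
    next_port: int = 40000

    def outbound(self, lan_ip, lan_port, remote):
        """A LAN host connects out: rewrite its source address, remember the mapping."""
        for port, entry in self.sessions.items():
            if entry == (lan_ip, lan_port, remote):
                return (self.public_ip, port)  # reuse the existing session
        port, self.next_port = self.next_port, self.next_port + 1
        self.sessions[port] = (lan_ip, lan_port, remote)
        return (self.public_ip, port)

    def inbound(self, remote, public_port):
        """A packet arrives from the Internet: return the LAN target, or None if dropped."""
        entry = self.sessions.get(public_port)
        if entry and entry[2] == remote:
            return entry[:2]                   # reply to a connection a LAN host opened
        return self.forwards.get(public_port)  # otherwise only configured forwards pass


def demo():
    """Constructed sample traffic using documentation-range addresses."""
    r = Router("203.0.113.7")
    r.forwards[443] = ("192.168.1.10", 8443)   # the one deliberately exposed service
    web = ("198.51.100.20", 443)
    stranger = ("192.0.2.99", 5555)
    seen_as = r.outbound("192.168.1.50", 51515, web)
    return {
        "seen_as": seen_as,
        "reply": r.inbound(web, seen_as[1]),
        "unsolicited_same_port": r.inbound(stranger, seen_as[1]),
        "forwarded": r.inbound(stranger, 443),
        "closed_port": r.inbound(stranger, 22),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

In this model the only unsolicited inbound traffic that reaches the LAN is what a port-forward rule names, which is why each forward is worth reviewing as deliberate exposure.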

XPipe status update: New scripting system, advanced SSH support, performance improvements, and many bug fixes (sh.itjust.works)

I’m proud to share a status update of XPipe, a shell connection hub and remote file manager that allows you to access your entire server infrastructure from your local machine. It works on top of your installed command-line programs and does not require any setup on your remote systems. So if you normally use CLI tools like...

atzanteol,

Honest question - why would you elevate privs on the bastion?

You can automatically use a bastion host with an SSH config entry as well in case you didn’t know:


    Host target.example.com
      User  username
      ProxyJump username@bastion.example.com

Then you just ssh target.example.com. Port forwarding is sent through as well.

atzanteol,

A fileserver that does something else is not a fileserver. Squeezing lots of services into a single machine makes it harder to maintain and keep stable.

If you do want to do that it helps to run those other services in docker or some other container to isolate them from the host.

I finally nuked windows

I have been daily driving a dual booted laptop for the past two years. After a year of distro hopping I settled with fedora + kde and never looked back. I really liked the auto nvidia driver config and it made everything so pleasant to work. Since the last 8 or 9 months I decided to do gaming using bottles and proton ge. I...

atzanteol,

so clean installed everything to be fedora.

It may not have been necessary to do a complete reinstall. If fedora uses LVM or BTRFS for your partitions (which it likely does) then you could have just formatted the windows drive and added it to your “pool”.

atzanteol,

Are you using LVM? It’s a layer that sits under ext4 that allows for partition management similar to btrfs. You can find out if you’re using it by running sudo lvdisplay and you would see some logical volumes listed.

atzanteol,

Just the “about” page has issues? The rest is fine? No messages on the console where you ran python?

atzanteol,

Flask apps are usually run from gunicorn or something. What exactly did you modify on those shell scripts?

atzanteol,

My journey has been similar yet distinctly different. I went from “put it all on one server” to running servers in AWS. But the cost was preventing me from doing much more than run a couple of compute nodes. I hated the feeling of “I could set up a server to do X but it’s gonna cost another $x/month”. So I’ve been shifting back to my own servers.

I do like devops and automation though. Automation is brilliant for creating easily reproducible and stable environments - especially for things you don’t touch very often… Proxmox was what let me start moving back “on prem” as it were. There are “good enough” terraform plugins for proxmox that let me provision standardized VMs from a centralized code-base. And I’ve got ansible handling most of the setup/configure beyond that. I’ve now got like 20 VMs whereas before I only had 2 EC2 nodes due to cost. So much happier…

atzanteol, (edited )

The plugins are for terraform - not proxmox. There’s two that I’ve found that have varying levels of “working”:

The telmate one seems more popular but the bgp one worked better for me (I forget what wasn’t working with the other one). They use the proxmox API to automate creating VMs for me.

atzanteol,

Most people seem to just want to use RPIs as a very slow Linux server for some reason…

Use it to play around with hardware integration with the GPIO pins. Get a sensor HAT and start recording temperatures, write some code that turns on/off an LED, build a robot controller, etc. There are lots of kits and documentation on the various things you can do!

atzanteol,

It is! Especially if you want to write the code yourself. It’s an interesting design problem if you start to consider cases where the PI may be offline (mobile on a battery in my case). Do you lose that data? Store and forward? In memory or to a local data store? It’s a fun rainy-weekend project.

Word of caution - HATs can be rather inaccurate in their temperature monitoring. The Pi gets warm. I had done my work using a PTC thermistor that was distanced from the Pi itself. I’ve got a friend using a HAT and it’s been very off (up to 10C above ambient!). A Pi Zero may not give off as much heat as, say, a Pi4 though. YMMV.

atzanteol,

That’s one of the nice things about them.

You can write code that has access to more resources. I had a RPI once that showed code build status on an led strip (red failed, green passed). It was a Java program that connected to AWS SQS for build event notifications. A microcontroller would be much harder to do that on.

atzanteol, (edited )

I believe they used heritrix at one point. The important bit is that there is a special archive format that they use which is a standard. There are several tools that support it (both capturing to it and viewing it) - it allows for capturing a website in a ‘working’ condition with history or something. I’m a bit fuzzy on it since it’s been some time since I looked into it.

atzanteol,

xdg-open will check mime types and open files with preferred applications as well. So ‘xdg-open foo.ods’ will launch libre office for example.

atzanteol,

“social mistakes”???

atzanteol,

He did mention the murder of his wife and said he would detail his regret to anyone who asked.

This is true - I’m reacting more to the title than the content. It’s a very peculiar choice of words.

There’s no forgiving what he did to his wife but there’s at least some evidence he’s changed since that happened.

Perhaps - it’s hard to tell. It still reads a lot like one of his standard narcissistic rants even as he’s complimenting others. It’s still all about his “dream”.

atzanteol,

Yeah - I mean - I don’t want to get into the business of analyzing somebody’s mental state but he definitely seems to have issues with fixation. But I also don’t want to cross the line into saying that he’s necessarily dangerous because of that. He’s dangerous for other reasons though. I agree with your “some evidence” line in that he does seem to be focusing on the part of his personality that does seem to be the most dangerous - inability to manage conflict. Prison does provide for that conflict - but it also provides many rules and structures that he wouldn’t have on the outside. Dunno. I have a difficult time saying that anybody who has murdered their wife should ever see freedom again at all - “reformed” or not.

atzanteol, (edited )

Use a public dns provider. Cloudflare, route53, dyndns (are they still around?), etc. Cheap, reliable, no worries about joining a ddos by accident. Some services are better left to experts until you really know what you’re doing.

And if you do really know what you’re doing you’ll use a dns provider rather than host your own.

atzanteol,

Host your own private DNS - yes, knock yourself out. I highly recommend it.

Public DNS? No - don’t do that.

There are two services homegamers should be extra cautious of and should likely leave alone - DNS and email. These protocols are rife with historic issues that affect everybody, not just the hosting system. A poorly configured DNS server can participate in a DDOS attack without being “hacked” specifically. A poorly configured mail server can be responsible for sending millions of spam emails.

For a homegamer you probably only need a single public DNS record anyway (with multiple CNAME if you want to do host based routing on a load balancer). You take on a lot of risk with almost zero benefit.

atzanteol,

Uh oh - my “nerd creds” are being questioned by a rando on the internet. 🤣

voxel, (edited ) to linux
@voxel@infosec.exchange

Hey 👋 dear Linux Community,

I'm still kinda new to Linux (started using it this year 😅). I already made it my main OS, even if I'm still missing some things which I used on Windows, anyway. What I wanted to ask you guys: what recommendations do you have for Linux Mint (Cinnamon)? In terms of security, optimization, (a way to make the UI look modern ;-;) and privacy? I would be very interested in what you guys do to optimize your Linux setup :) I'm pretty technical, so there is nothing which could overwhelm me (probably).

Thx! 🤍

@linux

atzanteol,

For privacy… Use webapps…

atzanteol,

And privacy…

atzanteol,

Yes.


    $ apt policy php
    php:
      Installed: (none)
      Candidate: 2:8.1+92ubuntu1
      Version table:
         2:8.1+92ubuntu1 500
            500 http://mirrors.us.kernel.org/ubuntu jammy/main amd64 Packages
            500 http://mirrors.us.kernel.org/ubuntu jammy/main i386 Packages
            500 https://mirrors.mit.edu/ubuntu jammy/main amd64 Packages
            500 https://mirrors.mit.edu/ubuntu jammy/main i386 Packages
            500 http://apt.pop-os.org/ubuntu jammy/main amd64 Packages
            500 http://apt.pop-os.org/ubuntu jammy/main i386 Packages

atzanteol, (edited )

There’s no need to register an account with Ubuntu at all. You have no idea what you’re talking about. You don’t need a pro license to get updates for an LTS for 5 years of support. The “base packages” are both the “main” and “restricted” repositories - it isn’t just a few “core libraries” as you seem to think.

Debian is an excellent distro but I can’t even find out what Debian considers to be covered by their LTS. Their page about it is very vague. I would guess that it’s the same though - “main” repository is what they cover. Similar to Ubuntu.

atzanteol,

So why does apt tell me that I need to get updates for more packages than it has downloaded each time I run apt update? I have latest LTS (22.04) on my laptop.

“I’m going to provide zero information about a problem I’m having, say that I have no idea why it’s happening, and then claim it supports my conclusion - check mate!”
