Yeah, it adds some extra complexity, and it's more important if you are hosting in public clouds anyway IMO.
(They/Them)
This is my main lemmy account.
Admin of lemmy.cloudhub.social
I can also be found elsewhere on the fediverse at @[email protected]
That makes sense!
Have you played with anything like Istio to secure in-cluster communications? I think HashiCorp Consul can do something similar to encrypt service-to-service communications.
I should look into how to do that on my instance probably. Pictrs always seemed like a bit of a security nightmare.
Ah okay, that makes sense, you're using the internal cluster domain to route to services.
Oh, dev namespaces are a good idea. Do you have a dev domain then too?
Thanks! I find most of the issues occur during upgrades to services, but that is to be expected.
My internet service is usually more of an issue than most services I run. Though some things take longer to get tweaked and running well and that can cause issues.
Yeah, this seems like old news - cookies can be stolen, and FIDO doesn’t change that unless you are prompting the hardware token for validation with every request (which isn’t feasible for most things, though might be a good idea for sensitive actions).
I disabled Pictrs around the time of the CSAM attacks and have yet to bother enabling it again.
Uhh… what?? When did that happen? I thought pictrs was a requirement also…
Huh, do you have your lemmy config documented somewhere? I keep running into issues with it and I'm not sure which component exactly is failing, but it's annoying. I'm using this helm chart currently: ananace/lemmy. It works, but I don't have pict-rs set up in HA either.
They store the secrets in a file? Gross. What a poor way of handling that. Pretty sure environment variables would be more secure. Especially in Kubernetes.
Yeah, I used to host a Matrix instance - could do that for this one too.
The issue is more about setting up the Kubernetes manifests and templating them. I usually use the chart’s built-in postgres and redis config, though using an operator would make it more scalable for sure.
I’m using Authentik for auth, but I do also like Keycloak.
I’ve seen that around, but I prefer to run my own services instead of relying on a ready-built system like that. I find they don’t offer that much customization options usually.
I think both of the ones I mentioned have docker-compose files, which I think I can convert with kompose convert? I guess from there I would follow your steps and then start parameterizing it once it's running properly.
Thanks! I think I’ll start trying out PixelFed tomorrow.
That's actually super helpful! I haven't done much custom Helm charting, and was kinda lost on where to start. That really helps break the process down, and the tip about skipping state to start is very wise.
Yeah, that’s the pain point - building and maintaining the charts.
Also, I know the charts likely wouldn’t have to be super complex, but I’m used to working with Bitnami’s charts that are massively complex - I just don’t have the time to go that in-depth.
Oh, I know I could get them to run with enough work. I just don’t have that much time to spend on initial implementation and upkeep of the charts.
I’m using FluxCD, which I believe can do deployments of plain Kubernetes manifests, but that still requires a decent amount of overhead to keep up to date.
I think I’m going to end up using docker-mailserver for this.
That seems really resource heavy. 4 Gb of RAM for an SMTP relay?
Other than that it looks pretty great.
Having a rack is a massive QOL improvement IMO, I originally had a stack of rackmount servers in an IKEA Lack (LackRack), and it was okay, but the rack is so much nicer.
The only thing I wish I had done was get an enclosed rack to help with noise and dust, rather than just a StarTech 4-post from Amazon.
And that’s a lot of awesome stuff for free!
Desktop: Windows XP
Linux: Probably Raspbian on a Pi 2 B
Tech has come a long way since then lol