User's banner
Avatar

jax

jax@lemmy.cloudhub.social
Joined
19 posts • 75 comments

(They/Them)

This is my main lemmy account.

Admin of lemmy.cloudhub.social

I can also be found elsewhere on the fediverse at @jax@cloudhub.social

Direct message

Desktop: Windows XP

Linux: Probably Raspbian on a Pi 2 b

Tech has come a long way since then lol

permalink
report
reply

Currently using Nextcloud AIO and it’s pretty decent, though I’ve got 16 vCPU and 32 GB of RAM allocated to it right now, though it’s only using 10% CPU and ~7 GB of RAM at the moment.

I think it takes a while to warm up once you start adding data to it, especially depending on the plug-ins you add and amount of data.

permalink
report
reply

Yeah it very adds some extra complexity and it’s more important for if you are hosting in public clouds anyways IMO.

permalink
report
parent
reply

That makes sense!

Have you played with anything like Istio to secure in-cluster communications? I think Hashicorp Consul can do something similar to encrypt service to service communications.

permalink
report
parent
reply

Yeah for sure! I like to post about both the positive and negative experiences. I find things like that to be a valuable learning tool.

From a security perspective, it’s important to understand the systems you’ve implemented and test that they are working as expected. I think in that example if I had tested user sign-up sooner I could have caught the configuration issue.

It’s also important to have good observability into your system, both metrics and logs. Metrics to help detect if something weird is happening (increased resource usage could point to ransomware or crypto mining) and logging to track down what happened and see what systems are impacted.

From a technical controls standpoint, it’s good practice to segregate your applications from other systems and control planes like IPMI and switching/routing admin interfaces. It’s also good to try to limit holes in your firewall. In this cluster, I have Cloudflare Tunnels setup so that I don’t have to open ports to access web servers, and I get access to their WAF tooling. You could do something similar with a VPS running WireGuard, CrowdSec, and a reverse proxy.

permalink
report
parent
reply

Not at all! I agree, and COVID didn’t help at all. I do want to try and be accurate though :p

permalink
report
parent
reply

Its possible that I estimated the timeline wrong 😅

I’ve added a note to the blog, thanks!

permalink
report
parent
reply

I should look into how to do that on my instance probably. Pictrs always seemed like a bit of a security nightmare.

permalink
report
parent
reply

Ah okay that makes sense, you’re using the internal cluster domain to route to services

permalink
report
parent
reply

Glad I could provide some insight! It’s not something I see talked about too much even on Reddit. Let me know if you have any questions or things I could flesh out more in the article!

I’m still relatively new to ActivityPub and Federated systems in general, though I’ve had my Lemmy and Mastodon instances for 8+ months now I don’t use them as much as I was expecting, sadly. Running your own instance can be very isolating and any content you put directly on your instance probably won’t gain much traction (at least on Mastodon, Lemmy seems to fair a bit better).

It’s one of a handful of blogs that I’ve run over the last couple of years, the other one that’s still online is HomeLab.Blog. I actually meant to run a federated blog platform like WriteFreely, but they don’t have a production docket image, and I saw that Ghost is planning on adding ActivityPub support.

This article might be more appropriate on that blog and an article about my experience with Federated systems might be more on-topic on this one. Oops.

permalink
report
parent
reply