Support Mullvad.
You should have bought the framework after they put more effort into Coreboot.
Pine64 and Fairphone are good companies too
Just let her have Gmail if she is willing to divorce you over windows and email (what a handful you’ve caught there lad)
Just run KODI from anywhere
If you can only use port 22 for multiple SSH endpoints (for example), then yes, you're going to need multiple IPs. Or port-mapping as a compromise.
In short, you need a reverse-proxy + traffic segregation with domain names (SNI).
I don’t remember much about ingresses, but this can be super easy to set up with Gateway API (I’m looking at it right now).
Basically, you can set up sftp.my.domain/ssh to 192.168.1.40:22, sftp.my.domain/sftp to 192.168.1.40:121 (for example). Same with Forgejo, forgejo.my.domain/ssh will point to 192.168.1.50:22 and forgejo.my.domain/gui will point to 192.168.1.50:443.
The Gateway API will simply send it over to the right k8s service.
About your home network: I think you could in theory open up a DMZ and everything should work. I would personally use a cheap VPS as a VPN server and NAT all traffic through it. About traffic from your router maintaining the SNI, that’s a different problem depending on your network setup. Yes, you’ll have to deal with port-mapping because at the end of the day, even Gateway API is NodePort-esque when exposing traffic outside.
You’d receive traffic on IP:PORT, that’s segregation right there. Slap on a DNS name for convenience.
I might have my MetalLB config lying around somewhere (it’s super easy, I copied most of it from their website), I can probably paste it here if you’d like.
Exposing services publicly on the Internet is a L3-L4/L7 networking problem, unfortunately I don’t know enough about your situation to comment.
Edit: the latter end of your post is correct. You could route to different end-points that way
Ingress controllers like Traefik come across as LB services to IPAM modules like MetalLB (I’ve never used Kube-VIP but I suppose it’s the same story). These plug-ins assign IP addresses to these LB services.
You can assign a specific IP to an instance of an “outward-facing route” with labels. I don’t remember technical terms relevant to Ingresses because I’ve been messing with the Gateway API recently.
MetalLB + map new external IP to sub-domain == profit.
Read some of the other comments: it’s not about your control plane. All you need is multiple external IPs which an IPAM module/plug-in can provide (MetalLB, Cilium and maybe Kube-VIP: I’ve never used it).
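Added example, not from any commenter in the thread: manifests showing the two ideas from the Gateway API comment and the MetalLB comment above, namely handing out a pool of LAN addresses with MetalLB and then pinning one address to an HTTPS Gateway (hostname/SNI decides the backend) and another to a plain LoadBalancer Service for SSH. Everything here is assumed: the address range 192.168.1.240-250, the namespace apps, the GatewayClass name, the Secret forgejo-tls, the backend Service names and ports, and that your Gateway controller honours spec.addresses. The MetalLB annotation name is the one documented for MetalLB 0.13 and later.

```yaml
# --- MetalLB: which LAN addresses may be handed to LoadBalancer objects ---
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
  name: lan-pool
  namespace: metallb-system
spec:
  addresses:
    - 192.168.1.240-192.168.1.250   # assumed free range on the home LAN
---
apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
  name: lan-l2
  namespace: metallb-system
spec:
  ipAddressPools:
    - lan-pool
---
# --- Gateway API: one external IP, TLS terminated at the edge, SNI picks the listener ---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: public-gw
  namespace: apps
spec:
  gatewayClassName: my-gateway-class   # assumed: the class of whatever controller is installed
  addresses:
    - type: IPAddress
      value: 192.168.1.240             # pinned out of lan-pool
  listeners:
    - name: forgejo-https
      hostname: forgejo.my.domain
      port: 443
      protocol: HTTPS
      tls:
        mode: Terminate
        certificateRefs:
          - name: forgejo-tls          # assumed kubernetes.io/tls Secret in namespace apps
      allowedRoutes:
        namespaces:
          from: Same                   # only routes in this namespace may attach
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: forgejo-gui
  namespace: apps
spec:
  parentRefs:
    - name: public-gw
      sectionName: forgejo-https       # attach to that listener only
  hostnames:
    - forgejo.my.domain
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: forgejo-web            # assumed ClusterIP Service for the web UI
          port: 3000
---
# --- SSH has no Host header or URL path, so it gets its own L4 endpoint ---
# Pinning a second address from the pool gives the SSH server its own
# IP:22, which is the "one external IP per service" approach from the thread.
apiVersion: v1
kind: Service
metadata:
  name: forgejo-ssh
  namespace: apps
  annotations:
    metallb.universe.tf/loadBalancerIPs: 192.168.1.241
spec:
  type: LoadBalancer
  selector:
    app: forgejo                       # assumed pod label
  ports:
    - name: ssh
      port: 22
      targetPort: 22
```

Once applied, the router forwards public 443 to 192.168.1.240 and public 22 to 192.168.1.241, and DNS names for each address are only a convenience on top of that. The HTTPS listener restricts attached routes to its own namespace, so another namespace cannot quietly claim the forgejo.my.domain hostname.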
SMR vs CMR and drive speeds
Why not port knocking over TOR?
Funnily enough Docker compose has never worked for me on Podman. There always seems to be something that is incompatible (also due to me running on Debian). However, I feel like it should become a standard amongst homelabbers and professionals to use Kubernetes manifests going forward, since it is the most portable.
NFS is a pain, no question about it. I used to use longhorn but these days since I’m doing a single node k3s I’m just doing hostpath. It’s that PVCs make intuitive sense to me, but I guess podman will likely work just fine for such cases other than canary deployments and OOTB service-meshes
Well I guess podman works fine for the first few months. Interestingly I still use Buildah heavily for building my custom images
Not needing Kubernetes is a broad statement. It allows for better management of storage and literally gives you a configurable reverse-proxy configured with YAML if you know what you’re doing.
Fail2ban + key-based SSH + self-hosted WAF if you can spin up another machine == 80% of your Web hosting problems gone
Thanks for the comment, that was a good read
You can do that with Wireguard and NAT.
I have heard a lot about Envoy proxy from Istio but never looked into it for baremetal usage. I’ll keep an eye out, thanks
They do, but VRAM. Unfortunately, the cards that do have that much memory are used by OEMs/corporations and are insanely pricey
Use something that can do TCP, i.e. HAProxy, NGINX or Apache