I had the same considerations when I self-hosted headscale as the controller for accessing my VPS. However, I figured that it shouldn’t be a big deal, and there’s no chance of someone registering rogue devices on your mesh, because, even though any device can request enrollment to Tailscale, ultimately you need to execute a command in your headscale server to confirm the enrollment/account creation, so there shouldn’t be that much of a problem leaving the web server exposed.

One more question, how did you manage to get the reverse proxy to proxy your pods? I just added two containers to one, and I cannot access the containers anymore by their names. Do I need to expose their ports on the pod configuration?

It seems simple. Does it use pasta as the default networking backend? Also, I guess separating each app into their own network is added security, right? So if anything happens to one app, it cannot move laterally to the other apps unless it manages to gain access to the reverse proxy, which then it would be a huge problem.

Do you have to do this every time you update your phone?

Care to share how you disabled every bit of AI in the phone?

Yet companies are manipulating survey results to justify the FOMO jump to AI bandwagon. I don’t know where companies get the info that people want AI (looking at you Proton).

I maintain the DNS plugin for Vultr and I can say that it’s “safe”, but if you’re worried you should check their source code.

I believe it’s easier to have a vulnerability in the external provider’s API (for example, caddy-dns/vultr uses govultr) than Caddy. But I wouldn’t take things for granted if I was skeptical about these plugins.

I have a k3s cluster for fun and I can admit that k8s is way too complicated.

I don’t want to dig hours through documentation to find what I’m looking for. The docs sometimes feel like they were written for software devs and you should figure part of the solution yourself.

I have a ExternalName service that keeps fucking up my cluster everytime it restarts, bringing down my ingresses, because for some reason it doesn’t work and I have no idea where to look at to figure out why it doesn’t work - I just end up killing the service and reapplying the yaml file and it works.

I had to diagnose why my SSL certificates would get stuck in “issuing” in cert-manager, had to dig through 4 or 5 different resources until I got to an actual, descriptive error message telling me that I configured my ClusterIssuer wrongly.

I wanted a k3s cluster to learn but every time I have issues with it I realize it’s a terrible idea.

I wish I had podman + compose but it does seem like a docker-compose is more complicated. Also, I wish I could do ansible but I have no idea where to start (nor how it works).

EDIT: oh yeah I also lost IPv6 support because k3s by default doesn’t enable v6 and I was planning on using Hetzner CCM to have a 2 node cluster until I realized Hetzner Networks don’t support v6.

Can you use CrowdSec to track logs from a k8s pod? Say I have my website and some other services hosted on a k3s cluster, do I need to spin up a new pod for CrowdSec or should it be installed on the host?

I guess Wifi 6 doesn’t work in 5GHz band?

The VPN bandwidth doesn’t need to be that good, I was checking the GL iNet models and 200 Mbps on WireGuard is enough for me.

I tried 5 different credit cards to setup my account and none of them worked for the free tier. Contacted customer support, they simply said “well we can’t do anything about it, it’s clearly a problem in your end and not ours even though you tried 5 different credit cards to pay for the service”.

I think so, but if you check the official image you can definitely find out how to include custom plugins in it. I think the documentation might mention a thing or two about it too.

You can install the log transformer plugin for Caddy and have it produce a readable log format for fail2ban: https://github.com/caddyserver/transform-encoder

I had this setup on my VPS before I moved to a k3s setup. I will take a look at how to migrate my fail2ban setup to the new server.

Going to therapy doesn’t mean you have a disorder.

Why is Gitness on the news and why is it being considered as the de-facto alternative to GitHub? Why is GitLab/SourceHut/Forgejo (and Codeberg)/Gitea not being considered?

Forgejo for example has almost a 1:1 compatibility with GitHub Actions and it didn’t make the news. If you were to replace GitHub, Codeberg or Forgejo is a very good replacement for it.

Thanks for the suggestions!

I ended up configuring my CI pipeline to build a Caddy docker image that ships with my website files. The pipeline is also publishing the container image to the Codeberg registry and I apply the new image repo and tag to the Caddy Helm chart I found on ArtifactHub.

The only thing that’s left is to setup the CI to automatically restart the pod when a new image is pushed, so it will always have the latest version.

It was easier than expected and I had a few issues like my stylesheets not being applied and image files not rendering, but it was solved by changing the pathType field on the ingress configuration to Prefix.

That’s a nice suggestion. I guess I can make the CI build a Docker image containing my website’s files and then have a plugin for it to restart the pod that serves the website so it fetches the latest image.

How is this different than mounting the folder with the static website using hostPath?

I was looking for it as well. I want to host the website using Caddy because I have a lot of config options available and I can fine tune it for my use cases.

I read a tutorial about using a Hugo Docker image, but then the hosting would be done by Hugo and not Caddy itself.