-
BGP part three – eBGP between a VPS and on-prem
In my last blog post, I described setting up a VPN tunnel between my home network and the VPS. This is thus the prerequisites for this post, I have a working VPN connection with point-to-point-connections You also need to make sure that firewall rules doesn’t block the traffic, in particular we need port 179 for…
-
Kubernetes at Home: Internal and external services
Disclaimer: Separating at a hardware level will always be better. But my home lab consists of exactly one server, so I focus on what I can do in software in Kubernetes. So far, I have configured all my services to be exposed to the internet, no matter if they are for external or internal consumption.…
-
Kubernetes tip of the day – external-dns
Having set up a number of services, and making sure everyone of them gets their own IPv6 address, there’s a whole lot of DNS records pointing to services running in Kubernetes. Today, I found a gem: external-dns. This service basically monitors my infrastructure for annotations that tells it to create a DNS record for it.…
-
Kubernetes deep dive part 2 -not all ideas that seem good at the start end up being good….
After a week of playing around, tinkering with stuff, I decideded to let my traefik instance be highly available, so that I could restart it without my web services being down. That led to a lot of discoveries and a lot of reconcidering of concepts. Rather than jumping to the conclusions, I’ll let you follow…
-
Docker networking part four – hacking around docker limitations.
After part 3, my setup was pretty good, and I was pretty sure I had come to the end of the road. There was just one thing that was bugging me: I needed to do NAT (MASQUERADE) in my firewall to get around the fact that docker routing table management is pretty limited. And with…
-
Docker Networking Part 2 – what happens in docker stays in docker.
After having created my docker DMZ in part 1, I realized that if I just connected the networks of the docker-containers I wanted to access from the internet to the firewall container, I could avoid exposing their ports to the underlying machine altogether, thereby reducing the number of open ports on the server itself. I…
-
A virtualized DMZ with docker
Being somewhat of a minimalist, having only one server at home, but still trying to make a good, secure and stable infrastructure, it bothered me to forward network traffic directly to my server. Granted, most of the services exposed was running in docker, but it still was forwarding it directly into my «red zone». A…
-
Changing partitions and zfs disklayout without downtime?
When setting up my SSD zpool – which I basically wanted because I wanted *no* constant disk-access to my disk-based zpool, I was lazy. Laziness almost never pays off. Before starting with ZFS, I had almost my full SSD as an LVM physical volume (except the bootdisk). Then, I added my external disk cabinet and…
-
Moro med backup!
I noen år nå har jeg kjørt duplicity backup både på servesystemer og klienter. Dette har virket bra, men har det samme problemet som all annen inkrementell filbackup: Før eller siden må du ta ny full backup for at det ikke skal bli for tungt å kjøre restore. Med mye data trenger du da relativt…
-
Nok en Microsoft-skatt unngått…..
Min gamle EEE 901 som gjorde nytten på weekendturer hit og dit og var fryktelig grei å ha, har lenge ligget i skapet og samlet støv med en knust LCD-skjerm. Men i sommer tenkte jeg at noe skulle gjøres med den, så jeg ringer leverandøren, som sier: «Nei, beklager. Det vil nok ikke lønne seg,…