Twts matching #wireguard
In-reply-to » my biggest fear of starting to work with servers professionally is realizing that no one uses servers anymore and having to do some cloud bullshit instead

@kat@yarn.girlonthemoon.xyz Using full-blown Cloud services is good for old people like me who don’t want to do on-call duty when a disk fails. 😂 I like sleep! 😂

Jokes aside, I like IaaS as a middle ground. There are IaaS hosters who allow you to spin up VMs as you wish and connect them in a network as you wish. You get direct access to all those Linux boxes and to a layer 2 network, so you can do all the fun networking stuff like BGP, VRRP, IPSec/Wireguard, whatever. And you never have to worry about failing disks, server racks getting full, cable management, all that. 😅

I’m confident that we will always need people who do bare-bones or “low-level” stuff instead of just click some Cloud service. I guess that smaller companies don’t use Cloud services very often (because it’s way too expensive for them).

In-reply-to » 💭 Remember kids 🧒

@prologic@twtxt.net I wish getting a static IP and a (more) stable internet connection wasn’t so hard over here. Then I could do proper self-hosting as well. But as it stands, I need some rented VPS.

I could go ahead and just use the VPS for the IP, i.e. forward all traffic through Wireguard to a box here at home. Big downside is that the network connection would be even slower than it already is and my ISP breaks down all the time for a few minutes … it’s just bad overall and much easier/better to rent a VPS. 🫤

In-reply-to » I am now proud to say, that as of this moment, I am off of Clownflare 🤣 Still using Cloudflare for DNS, but no longer proxying through their services or terminating TLS at their edge. Instead, all my sites and services now terminate TLS on my own edge proxy running Caddy+Wireguard (so all ingress is actually egress 🤣) 🥳 #Clownflare #Cloudflare

@prologic@twtxt.net YAYYY fuck cloudflare!!! caddy+wireguard amazing combo


I am now proud to say, that as of this moment, I am off of Clownflare 🤣 Still using Cloudflare for DNS, but no longer proxying through their services or terminating TLS at their edge. Instead, all my sites and services now terminate TLS on my own edge proxy running Caddy+Wireguard (so all ingress is actually egress 🤣) 🥳 #Clownflare #Cloudflare

In-reply-to » Success! 🥳 https://prologic.dev/ is now off (temporarily for now) Clownflare! 🤣

The PoC I have stood up is costing me a $6/month VM in Vultr sitting in front of my infra over a (outbound) Wireguard tunnel.


Starting a couple of new projects (geez where do I find the time?!):

HomeTunnel:

HomeTunnel is a self-hosted solution that combines secure tunneling, proxying, and automation to create your own private cloud. Utilizing Wireguard for VPN, Caddy for reverse proxying, and Traefik for service routing, HomeTunnel allows you to securely expose your home network services (such as Gitea, Poste.io, etc.) to the Internet. With seamless automation and on-demand TLS, HomeTunnel gives you the power to manage your own cloud-like environment with the control and privacy of self-hosting.

CraneOps:

craneops is an open-source operator framework, written in Go, that allows self-hosters to automate the deployment and management of infrastructure and applications. Inspired by Kubernetes operators, CraneOps uses declarative YAML Custom Resource Definitions (CRDs) to manage Docker Swarm deployments on Proxmox VE clusters.

In-reply-to » @eldersnake I wanted to ask you, are you running Headscale and WireGuard on the same VPS? I want to test Headscale, but currently run a small container with WireGuard, and I wonder if I need to stop (and eventually get rid of) the container to get Headscale going. Did you use the provided .deb to install Headscale, or some other method?

I ended up installing Headscale on my little VPS. Just in case they collide, I turned off WireGuard. Turning that one off (which ran on a container) also frees some memory. Headscale is running quite well! Indeed, I have struggled getting any web management console to work, but it really isn’t needed. Everything needed to commandeer the server is available through the CLI.

In-reply-to » I setup and switched to Headscale last night. It was relatively simple, I spent more time installing a web GUI to manage it to be honest, the actual server is simple enough. The native Tailscale Android app even works with it thankfully.

@eldersnake@we.loveprivacy.club I wanted to ask you, are you running Headscale and WireGuard on the same VPS? I want to test Headscale, but currently run a small container with WireGuard, and I wonder if I need to stop (and eventually get rid of) the container to get Headscale going. Did you use the provided .deb to install Headscale, or some other method?


Today I set up a CalDAV server to avoid forgetting appointments with my sweetheart, and I configured unbound to act as the DNS resolver while also being the exit point of my #wireguard VPN. It had been dragging on for too long. It wasn’t such a bad day ^^


I’m not sure if it’s possible to have unwind listening on a routing table != 0. It would be handy with my wireguard vpn set up on rdomain 2 (as example) so I can resolve domain names without setting up public DNS server in /etc/resolv.conf #openbsd.

In-reply-to » @lyse Ahh so it's not just me! 😅

@aelaraji@aelaraji.com Ahh it might very well be a Clownflare thing as @lyse@lyse.isobeef.org alluded to 🤣 One of these days I’m going to get off Clownflare myself, when I do I’ll share it with you. My idea is to basically have a cheap VPS like @eldersnake@we.loveprivacy.club has and use Wireguard to tunnel out. The VPS becomes the Reverse Proxy that faces the internet. My home network then has no inbound whatsoever.

In-reply-to » QOTD: What do you host on your home server? How do you host it? Are you using containers? VMs? Did you install any management interface or do you just SSH in? What OS does it run?

@mckinley@twtxt.net for me:

  • a wall mount 6U rack which has:
    • 1U patch panel
    • 1U switch
    • 2U UPS
    • 1U server, intel atom 4G ram, debian (used to be main. now just has prometheus)
  • a mini ryzen 16 core 64G ram, fedora (new main)
    • multiple docker services hosted.
  • synology nas with 4 2TB drives
  • turris omnia WRT router -> fiber uplink

network is a mix of wireguard, zerotier.

  • wireguard to my external vms hosted in various global regions.
    • this allows me ingress since my ISP has me behind CG-NAT
  • zerotier is more for devices for transparent vpn into my network

i use ssh and remote desktop to get in and about. typically via zerotier vpn. I have one of my VMs with ssh on a backup port for break glass to get back into the network if needed.

everything has ipv6 though my ISP does not provide it. I have to tunnel it in from my VMs.


QOTD: What do you host on your home server? How do you host it? Are you using containers? VMs? Did you install any management interface or do you just SSH in? What OS does it run?

Mine runs Arch (btw) and hosts a handful of things using Docker. Adguard Home, http://mckinley2nxomherwpsff5w37zrl6fqetvlfayk2qjnenifxmw5i4wyd.onion/, and some other things. NFS, Flexo, and Wireguard (peer and bounce server in my personal network) are outside Docker. I have a hotkey in my window manager that spawns a terminal on my server using SSH. It makes things very easy and I highly recommend it.

I am thinking about replacing Docker with Podman because the Common Wisdom seems to say it’s better. I don’t really know if it is or isn’t.

Also, how much of your personal infrastructure is on IPv6? I think all the software I use supports both, but I’ve mostly been using IPv4 because it’s easier to remember the addresses. I’ve been working for the last couple days on making it IPv6-only.

In-reply-to » fractalnetworksco/selfhosted-gateway: Route HTTPS traffic to local Docker containers through a cloud VPS over WireGuard. Ideal for self-hosting behind CGNAT.

@prologic@twtxt.net I do similar. Though probably much more simple.. I have CGNAT and use wireguard to VMs to punch through for stuff like HTTP/SSH from external.

And for SMTP I have smart hosts on the VMs that will store and forward to my mailbox if the connection goes down.

In-reply-to » Hmm when I said "Wireguard is kind of cool" in this twt now I'm not so sure 😱 I can't get "stable tunnels" to freak'n stay up, survive reboots, survive random disconnections, etc. This is nuts 🤦‍♂️

@prologic@twtxt.net I find the L2 mode where you have one interface and multiple hosts to be tricky. It's best if you are trying to make a full mesh style. But then all hosts need to be able to see one another.

I have had more success using point-to-point connections where there are only two ends to each interface. It means you have a ton of interfaces and udp ports, but you can share the host IP across the interfaces. Add to that a simple router proto ala OSPF or RIP and you can navigate around not having a full meshnet.

I have dozens of localnet wireguard connections and many more connections to others that use bgp for route propagation.


Hmm when I said “Wireguard is kind of cool” in this twt now I’m not so sure 😱 I can’t get “stable tunnels” to freak’n stay up, survive reboots, survive random disconnections, etc. This is nuts 🤦‍♂️
