Shameless self-plug here. I wrote a blog post to document my methodology after having some issues with publicly available examples of using Podman and traefik in a best-practices config. Hopefully this finds the one other person that was in my shoes and helps them out. Super happy for feedback if others care to share.
Your blog is awesome. I have always wanted someone to break down RF homelabbing for me and I think as your blog progresses I will find such content.
I’m also looking for blogs/material on OS hardening (Linux/*nix), do you plan to write on that (and any recommendations)?
What nice feedback to read. I think you and I are aligned in what this will hopefully become. I really just wanted to start publicly sharing my hobby notes instead of holing them up in a local Joplin file or something, so that’s what I’m going to do. We may have similar hobbies though, which sounds like it’ll benefit you. Haha.
You got an RSS feed for me?
Okay, rudimentary RSS feed added! It’s available in the navbar, and autodiscovery with your RSS aggregator should work from any page. Let me know if you have issues.
Thanks. I don’t see the content of the blogs in the feed, just the title - but maybe that’s a problem with my reader (I use Capy on Android). I’ll try a couple of other readers to see if it works
No, it’s not you, the XML file isn’t including post content yet. I wasn’t sure how to do that, so figured I’d start with the simple thing of generating a list from the posts manifest for the time being. This would at least show you a link for when a new post is up, but you’re right there’s no content yet. When I have a bit more time I’ll research how can I dynamically add the entire post content.
Thanks, looking forward to it
No, and that’s a deficiency. Thank you for asking. I totally had this on the roadmap but let it slip. I’ll work on finalizing that right now. Much appreciated!
Realized I didn’t answer the last question here on hardening. The answer is sure! I don’t have much planned for the blog, as I was just thinking I’d take “public notes” for my tinkerings as they came. I’ve done linux administration for a long time though so I’d be happy to put together a post on baselines and hardening
Thanks man, that would be much appreciated
Very helpful. I was just looking at this the other day.
Ah yes, those examples were helpful and definitely helped inspire this. Glad you found some value in the ramblings. Post 2 will be up soon.
What’s the advantage of socket activation? Is it more secure than exposing a docker port?
Great question. I tried to very briefly touch on it in the post. The bottom line is that its benefits are there mostly for rootless podman, which I’ve chosen not to implement here (yet). You can also configure it so that the socket is always active and that will then trigger the service associated with it, so that you save on resources when the service isn’t needed. However, I didn’t want to do that as it would likely increase page load time for readers.
For anyone who reads this post and sees the mention of headscale – that was the overarching goal here but the blog post started getting long so I decided to chunk it up. As soon as I polish up the headscale writeup I’ve got drafted and get that posted, I’ll drop a link here just in case anyone is interested.
Thanks, I’d be interested in the next part of your Headscale write up!
Excuse the ignorance, what am I actually reading about here?
I read the first few paragraphs and an out of my league.
What are ‘we’ trying to achieve?
The other poster here is correct, this is just an account of my journey through self hosting traefik, and ultimately headscale, without the hurdles along the way. I tried to include a few links to unclear terms along the way in the narrative, maybe those would help you figure things out. Unfortunately I can’t write for an audience of everyone, but hopefully you can still gain some value or learn some new things! Thank you for the feedback.
Wasn’t being critical at all. Not expecting you to write for anyone.
I wondered what this actually provides. If you were explaining to someone with a good knowledge of the world, not grandma!!
No worries, and I’ll accept criticism too, that’s how you improve.
Anyway, this is effectively giving you tailscale, a remote access mesh VPN solution, but with total control and ownership of the control plane server, instead of relying on the opaque tailscale owned and controlled infra. I touched on it briefly again the ‘DERP Config’ section of part 2: https://roguesecurity.dev/blog/headscale-quadlet-part2#DERP Config
I’m not criticising you. I cannot validity criticise you, even if I was so inclined (I’m not), because I cannot proficiently grasp the subject matter. I would like to understand, NOT criticise. You’ve written an engaging piece which is opaque to me; apparently a contradiction. Hopefully I’ve rephrased that enough times to get across that no criticism is intended. 😁
I don’t know the product names. I don’t tend to be focused on product names because they come and go. Your first message didn’t help me.
Your last precis is just what I needed. Ideal. Thank-you. I now know what you’re trying to achieve.
Awesome! Thanks for the banter. It’s easy to get stuck in your own echo chamber working IT every day, so it’s nice to have these kinds of questions. Feel free to drop anything into comments too, maybe other readers will benefit too!
deleted by creator
Just a guide on how OP selfhosts headscale using postman with a few nice features enabled
Thanks fella. What do they actually do? Elevator pitch stylie!
Excited to compare this with my setup (also Quadlet and Traefik-based)!
Excellent! Leave a note somewhere on how it measures up, I can always use more ideas!
Part 2 is live! https://roguesecurity.dev/blog/headscale-quadlet-part2
