1. 1

    Any thoughts on Exoscale vs Vultr vs others?

    1. 2

      Exoscale is cheap and yet it’s perfect. The only drawback is they’re available only in Europe and I live in Québec so I have some unavoidable latency crossing the ocean.

      Vultr is quite good. I recently set up some BGP with them (https://www.vultr.com/features/bgp/) and while the support was reactive on a Friday evening (which I didn’t expect because I pay less than $10/month) the work was far from perfect. Other than that I think they’re a pretty good deal.

      But I mostly picked both because they officially support OpenBSD. While OpenBSD works fine on KVM virtualization, I don’t want to deal with the support blaming the OS for something unrelated, just because they don’t officially support the OS.

      1. 3

        There’s no such thing as perfect until you try Hetzner Cloud.

        Trust me, never looking back.

        1. 1

          I assume for BGP you have an IPv6 prefix? Curious what it was like getting one for yourself. As far as I’ve read it’s quite expensive and annoying to do it personally now.

          1. 1

            Yes my ASN is IPv6 only. I plan to write about that in my next article, but it may be a few weeks/months until I publish it!

            1. 1

              Good to know, I look forward to reading it!

      1. 5

        With your knowledge of OpenBSD, I’m curious why your choice of Ubuntu for ZFS. What made you choose Ubuntu rather than (FreeBSD || HardenedBSD)?

        1. 3

          That’s a good question! It’s mostly because I’ve never really used {Free,Hardened}BSD, so I know Ubuntu way better. Since I’ve been using Ubuntu for quite some time, I have some automation for it. Using Ubuntu was easier for me :)

          1. 1

            Thank you! Great read :)

          1. 1

            ema posted part 1 and 2 but it seems part 3 hasn’t been posted. I missed it, so I guess others may have missed it too.

            1. 4

              I love people documenting their own personal infrastructure/custom tooling (for any purpose). Please share other examples if you know of any :)

                1. 2

                  Awesome, thanks.

                  I love that there’s description of real-world objects as part of the docs:

                  • Blue is for the main internet connection
                  • White is for internal connections

                  1. 2

                    Is that an AvE sticker?

                    1. 1

                      Yeah!

                  2. 3

                    I wrote what I was hosting last year: https://chown.me/blog/infrastructure-2019 I plan to publish a new article with the changes from 2020 in a few weeks. :)

                    1. 1

                      Sweet! This is exactly what I’m after.

                      Give me a shout when the new one gets posted.

                    2. 3

                      Here is mine - all in one file, single command deploy/rollback:

                      https://git.sr.ht/~jamii/tower/tree/master/item/tower.nix

                      1. 1

                        Oh cool! A few things to dig into :)

                        1. 1

                          Oh this makes me miss using NixOS on a server. Nice configuration.

                      1. 4

                        What’s your plan to prevent people from creating sockpuppet accounts to keep posting their own content?

                        1. 5

                          I don’t think I need a plan, as there are already rules against sockpuppets, right?

                          1. 3

                            It’s worth noting that I don’t go looking for sockpuppets except based on user reports. Most of the time they point out (or I notice) that an account is posting vacuous compliments to an article posted by their inviter/invitee, or that low-quality self-submissions regularly show up on the homepage from someone who invited a half-dozen accounts in a day. It’s an infrequent problem that’s not so overwhelmingly compelling that I think it’s worth searching for effectively by site changes like indefinitely retaining logs, recording an IP/browser fingerprint with all user actions, or otherwise adopting other off-putting techniques and tools common in web advertising.

                            1. 1

                              Correct, also, it’s easy to link that, as Lobste.rs write-access is invite-only, and recorded.

                              It’s trivial to see whether the sites an account is posting are the same as its “parent”.

                          1. 6

                            Why put the link behind a URL shortener?

                            1. 3

                              I flagged the domain as a URL shortener so it can’t be used again.

                              1. 2

                                Because it’s been submitted before: https://lobste.rs/s/hirkhr/ultimate_personal_security_checklist

                                OP is a spammer and I regret inviting them. @pushcx, please review.

                                1. 0

                                  It’s not been submitted before - this is a different post, check the link first. The last one was “Security Checklist”; this is “Privacy-respecting software” :) - but yes, same GitHub accounts.

                                2. 1

                                  Tracking, I guess? I’m not sure why else it would be done in this case…

                                  1. 1

                                    Yeah, that’s what I assumed, but since the link is about privacy, I thought I’d ask OP first :)

                                    1. 1

                                      There’s no tracking on git.io URLs, it just makes them shorter; because this is a link to a file in a repo it was quite long. Sorry, won’t shorten again.

                                    2. 1

                                      I used the URL shortener to just make it shorter, since it is a file in a mono-repo and the path is crazy long. No malicious intentions, and I didn’t intend to hurt or spam anyone.

                                      It’s not for tracking (git.io claims not to track clicks), it’s not because it’s spam, and it’s not because it’s been posted before (the previous post was a security checklist, this is a list of privacy-respecting software).

                                    1. 1

                                      Enjoyed reading this! Do you find that it’s worth it to run/maintain your own personal infrastructure? The various apps and sites I’ve built and maintain are on cloud providers, which has been really great from a plug ‘n play point of view. I’m interested in setting up something like what you’ve described, at least for the sake of learning about the tools and getting the chance to implement some of my own tooling, but feel like it might be more trouble than it’s worth.

                                      1. 3

                                        I’m glad to hear you enjoyed it :)

                                        Whether it’s worth it, I don’t know; I guess it depends on your priorities. I think it boils down to my personality. I hate to rely on people and to feel I owe someone, so I don’t really use some random org’s services. I did it in the past and I’m glad that when something is broken, I can go and fix it myself (of course to an extent). I don’t like (nor trust) companies (as you can see with the joke about Google killing their services). I tend to be paranoid security-wise; I think about surely way too many threats (while being reasonable, i.e. the NSA is not one of them). Therefore, hosting my own stuff is not really a choice ;)

                                        And to be honest, part of it is also it really helps getting a job (as I work as a sysadmin/devops/SRE/whatever the current trend names it).

                                        I do enjoy doing it but it’s not 100% pleasure. I guess it’s like cooking: I don’t always enjoy it, but I feel like I have to, and most of the time, I enjoy the result!

                                        Scratch your own itch and try to have fun while doing so!

                                        1. 1

                                          Makes sense! I think this would be a really cool project for after I graduate and have more free time (which is soon thank goodness)!

                                      1. 1

                                        Great read! Very interesting.

                                        I found a minor typo in a link (Machines section - automated link): it’s https://chown.me/blog/upgrading-openbsd-with-ansible.html - no capital A in ansible ;)

                                        What firewall are you using on your APU2? *sense, IPFire?

                                        1. 5

                                          I initially wrote “ansible” everywhere, then I thought a capital was better, so I used sed like a hammer :D Thanks!

                                          On the apu2, I run OpenBSD as well. A few years ago I ran OpenBSD for everything, but hosting Mastodon was too complicated (I don’t know the Ruby ecosystem well). I have some Ubuntu because containers make it easy to host stuff. Most of the stuff still runs on OpenBSD because I know the system well, and being an OpenBSD developer I follow the project quite closely.

                                          I would still recommend that anyone run OpenBSD on a router, since it’s quite easy and PacketFilter is fucking awesome.

                                          1. 1

                                            Well, I guessed that. OpenBSD is great for that. I have an APU2 at home waiting for me to finish it.

                                            Did you just install a plain OpenBSD and configure everything? OPNsense and pfSense are both based on OpenBSD. Right now I have OPNsense installed.

                                            1. 4

                                              Actually:

                                              • OPNsense and pfSense are both based on FreeBSD.
                                              • OPNsense is a fork of pfSense, which in turn is a fork of the good old m0n0wall (which was also based on FreeBSD).
                                              • Deciso/OPNsense is working on a version that is based on HardenedBSD, which in turn is also based on FreeBSD. It should come out very soon[1].

                                              So FreeBSD all the way with these routing/firewall operating systems ;).

                                              I’ve used OPNsense on my APU2 (and later APU3 for another rack) since it came out, and I can really recommend it! It’s very user friendly, easy to install and rather complete. I also really like that you can use LibreSSL instead of OpenSSL. I also use OpenBSD on another router (like the author) and that has also worked rock solid/stable for years now. The BSDs are great for firewalls/routing in my opinion.

                                              [1] https://opnsense.org/about/road-map/

                                              1. 1

                                                Alright! My bad :D

                                                I also really like OPNsense. I just have to figure out some stuff with my ISP and then I am ready to go.

                                        1. 1

                                          Company: Vade Secure
                                          Company site: https://www.vadesecure.com
                                          Position(s): DevOps, sysadmin, SRE (whatever you call it ;))
                                          Location: France (Hem, Paris), Canada (Montreal, Vancouver) or Japan (Tokyo)
                                          Description: From our website:

                                          Vade Secure is a global leader in predictive email defense, protecting 600 million mailboxes in 76 countries. We help MSPs and SMBs protect their Office 365 users from advanced email threats, including phishing, spear phishing, and malware.

                                          While we have a bunch of openings, I’m mostly looking for some new coworkers in my Ops team. If you know email and how to administer a server, reach out to me? :)
                                          The opening’s PDF is available at https://box.vadesecure.com/index.php/s/iRFqWbXdrmbdwMc
                                          Contact: lobstershr@chown.me