I was hacked years ago. I was hosting a test instance of a phpbb for a local club. Work blocked SSH, so I opened up telnet. They either got in from telnet or a php flaw and installed password sniffers and replaced some tools (ps, top) with tools that would hide the sniffer service they installed.

After that, I changed my model. My time lab is for learning and having fun. I’m going to make mistakes and leave something exposed or vulnerable and hackers are going to get in. Under this new model, I need to be able to restore the system easily after a breach. I have a local backup and a remote backup and I have build scripts (ansible) so that I can restore the system if I need to. I’ve had to do this twice. Once from my own mistake and one from hardware failure.

Same. I have spent way more time troubleshooting a pipeline than it saves. I like the idea of automation but laziness prevails.

For my own curiosity, how do you perform a build? Is it all done in pipelines, kicked off on change? Do you execute the whole infra build each time you release an update?

As others have said, a traditional off site backup will work. How do you plan to perform a restore, though? If you need the self hosted source repo, it won’t be available until the infrastructure is stood to creating another circular dependency.

I’m still in the early stages of exploring this, too. My solution is to run a local filesystem git clone of the “main” repo and execute it with a Taskfile that builds a docker image from which it can execute the ansible infrastructure build. It is somewhat manual but I have performed a full rebuild a few times after some Big Mistakes.

After breaking “prod” many times, I have a Dev (local machine), Test (small VM) and Prod (big VM). My test is just less RAM and space and I need to spin down certain K8s things to spin up others, but it’s a close mirror of Prod, just less.

Depending on what your question is asking, search around for Steve Forbes Flat Tax or Ross Perot Flat Tax.

I may have this wrong, but I recall Steve Forbes was proposing to decomplicste the IRS tax codes and implement a flat IRS income tax. In other words, remove the tax brackets and have everyone pay a fixed percent regardless of income.

Similarly, I recall Ross Perot propose that the US remove income tax completely and instead charge a flat tax on purchases (sales tax). If memory serves, it was 13% (inn, addition to state and local sales taxes).

In my uneducated opinion, both of these seem like good ideas at first. Who wouldn’t want a simpler tax code? Upon deeper inspection, I feel like both plans would favor wealthy Americans more than “the average Joe”. As said in other posts here, the wealthy report having less income through deductions and other financial wizardry and the unrich spend a greater percentage of their income on day to day expenses.

This is a good start to explain it. Many of the posts here are also neglecting that the air around the earth is also moving along with the earth, but often at a different speed. It is not fixed in space.

For example, if you’ve ever paddled a canoe across a flowing river, you’ll either end up not across from the point you left from or you’ve steered the canoe as if you were intending to land upstream. This is because the water is pushing the canoe downstream.

Also, the comments (as if the time of this post) are all neglecting the point of reference.

An analogy on point of reference would be if you’re on a train, sitting at a table facing the rear of the train and the train is moving in the forward direction at a constant speed on a plain, if you drop an orange on the floor of the train, will it immediately roll to the back of the train?

In airplanes there is often a big difference between land speed and air speed. That is (one of the reasons) why the return trip is not the same duration when you travel in the east-west (or west-east) direction. The airplane is pushing against the airaround it whereas a car is pushing against the ground (Earth).

Thanks for the feedback. I plan to do some reading on NFSv4 domain mapping this weekend.

I think this is exactly what I’m looking to do. Thanks for such a detailed writeup!

I did some reading last night and think it lines up with what you’re saying. I found docker-mailserver with some configuration. The only thing I need to add is mail filtering to folders and I think that’s included.

I’d like to hide behind the service that I’m paying for without incurring extra fees for retaining it all. I can figure out the pull side by using fetchmail or something to a server that hosts dovecot, but the sending side is confusing since I’d need something that can receive my email and send it via the service. It’s only 1 email address, so I’m not looking for a mail relay, but something like a full caching mail proxy.

I started watching the video. I was not aware that LetsEncrypt supported wildcard certificates. Does this mean that your internal network uses the same domain name as your externally-hosted services?

I tried step-ca to start with, but my primary use case was for certs in the cluster, which cert-manager is more suited for natively. Maybe step-ca has improved, I was using it in the early days. My goal isn’t a short lived cert as much as it is to have an easy configuration and to learn.

I think it may support it, but it’s not well documented. I’ll need to read up a bit. I started with helm charts but like how operators, um operate. They upgrade on their own and are very stable. Honestly, though, it was mostly because I wanted to learn how they work.

I think this is what I’m going to do.

Yes, monthly is too fast. I’m using a K8s operator for cert-manager which defaults to a month. I think I can patch the CSV with an annotation that will bump that out, but when the operator updates the CSV then I need to repatch it.

I was polling the community to see if there’s something that is easy to use but I was not able to find in my searches. It seems like a common problem.

Part of my problem is that I chose to use a K8s operator for cert-manager which isn’t easy to configure. Had I used a helm chart, i’d have bumped the root cert to 10 years and forgotten about it.

I’m using tailscale (which I hear is just a wrapper for wireguard) and love it.

Restic and Borg seem to be the current favorites, but I really like the power and flexibility of Duplicity. I like that I can push to a wide variety of back ends (I’m using the rsync), it can do synchronous or asynchronous encryptions and I like that it can do incremental with timed full backups. I don’t like that it keeps a local cache of index files.

I back up to a Pi 0 with a big local disk and rsync the whole disk to another Pi at a relative’s house over tailscale. I’ve never needed the remote, but it’s there.

I’ve had to do a single directory restore once and it was pretty easy. I was able to restore to a new directory and move only the files that I clobbered.