Not sure if it’d fit your use case 100%, but this has been a nice middle ground solution for LE certs in my lab: https://www.certwarden.com/
- 0 Posts
- 9 Comments
Joined 8 months ago
Cake day: March 27th, 2024
You are not logged in. If you use a Fediverse account that is able to follow users, you can follow this user.
My preferred way of solving this is to run a PowerDNS cluster with DNSDist and keepalived. You get all the redundancy via a single (V)IP.
Technitium is probably more user friendly for greenhorns, though… and offers DHCP too. Beats pihole by a mile.
Wezterm is my primary. Love the built-in domain/sshmux features, especially for work. The LUA config rocks, sky is the limit. Highly portable when using something like Chezmoi or YADM.
That said, it’s not always the most performant, especially with certain TUIs. I’ve been running my NVim workspace in Kitty lately just to avoid the minor UI lag (primarily with lazygit). Not a fan of Kitty (or its dev) otherwise, but it serves its purpose.
If Wezterm ever gets optimized, it’ll be the GOAT for me.
Ghostty also sounds like it’s got potential, but haven’t gotten my invite yet. ¯\_(ツ)_/¯
1·3 months agoabsolute madlad
2·3 months agoFor sure! If you do end up taking it for a spin, feel free to ping me with any questions.
I’d like to encourage you to take another look at Authentik, it sounds like their Proxy Provider is exactly what you’re looking for: https://docs.goauthentik.io/docs/providers/proxy/
Authentik can certainly get complex, but only if you want/need it to. It is by far the most user-friendly IDP solution I’ve found, especially for what it offers. Their docs also have step-by-step guides for how to integrate a lot of popular self-hosted apps.
Only takes a couple mins to spin up a test environment using their Docker compose file: https://docs.goauthentik.io/docs/installation/docker-compose
Apps: SSO via Authentik where I can, unique user/pass combo via Bitwarden where I can’t (or, more realistically, don’t want to).
General infra: Unique RSA keys, sometimes Ed25519
Core infra: Yubikey
This is overkill for most, but I’m a systems engineer with a homelab, so it works well for me.
If you’re wanting to practice good security hygiene, the bare minimum would be using unique cred pairs (or at least unique passwords) per app/service, auto-filled via a proper password manager with a browser extension (like KeePassXC or Bitwarden).
Edit: On the network side, if your goal is to just do some basic internal self-hosting, there’s nothing wrong with keeping your topo mostly flat (with the exception of a separate VLAN for IoT, if applicable). Outside of that, making good use of firewalls will help you keep things pretty tight. The networking rabbit hole is a deep one, not always worth the dive unless you’re truly wanting to learn for the sake of a cert/job/etc.
Thanks to The Primeagen, I’ve recently become fond of pronouncing it /skwiːl/
Y’know: Squeal, Squeal-lite, Pee-squeal, etc.
https://pulpproject.org/
Does docker, pypi, apt, ansible galaxy, etc. I use it at work as part of our undercloud for OpenStack. It’s the go-to for StackHPC, too.