• 6 Posts
  • 186 Comments
Joined 1 year ago
cake
Cake day: June 12th, 2023

help-circle
  • Others have already mentioned about the challenges on the software/management side, but you also need to take into consideration hardware failures, power outages, network outages, acceptable downtime and so on. So, even if you could technically shoehorn all of that into a raspberry pi and run it on a windowsill, and I suppose it would run pretty well, you’ll risk losing all of the data if someone spills some coffee on the thing.

    So, if you really insist doing this on your own hardware and maintenance (and want to do it properly), you’d be looking (at least):

    • 2 servers for reundancy, preferably 3rd one laying around for a quick swap
    • Pretty decent UPS setup, again multiple units for reundancy
    • Routers, network hardware, internet uplinks and everything at least duplicated and configured correctly to keep things running
    • A separate backup solution, on at least two different physical locations, so a few more servers and their network, power and other stuff taken care of
    • Monitoring, alerting system in case of failures, someone being on-call for 24/7

    And likely a ton of other stuff I can’t think of right now. So, 10k for hardware, two physical locations and maintenance personnel available all the time. Or you can buy a website hosting (VPS even if you like) for few bucks a month and email service for a 10/month (give or take) and have the services running, backed up and taken care of for far longer than your own hardware lifetime is for a lot cheaper than that hardware alone.



  • I’m currently more of an generic sysadmin than linux admin, as I do both. But the ‘other stuff’ at work runs around teams, office, outlook and things like that, so I’m running a win11 with WSL and it’s good enough for what I need from a workstation. There’s technically a policy in place that only windows workstations are supported, but I suppose I could run linux (and I have separate laptop for linux-only stuff). At the current environment it’s just not worth the hassle, spesifically since I need to maintain windows servers too.

    So, I have my terminals, firefox and whatever I need and I also have the mandated office-suite, malware protection/IDR/IDS by the book and in my mindset I’m using company tools for company jobs. If they take longer, could be more efficient or whatever, it’s not my problem. I’ll just browse my (personal) cellphone while the throbber spins on the screen and I get paid to do that.

    If I switched to linux I’d need to personally take care of my system to meet specs and I wouldn’t have any kind of helpdesk available should I ever need one. So it’s just simpler to stick with what the company provides and if it’s slow then it’s not my headache and I’ve accepted that mindset.


  • The package file, no matter if it’s rpm, deb or something else, contains few things: Files for the software itself (executables, libraries, documentation, default configuration), depencies for other packages (as in to install software A you need also install library B) and installation scripts for the package. There’s also some metadata, info for uninstallation and things like that, but that’s mostly irrelevant for end user.

    And then you need suitable package manager. Like dpkg for deb-packages, rpm (the program) for rpm-packages and so on. So that’s why you mostly can’t run Debian packages on Fedora or other way around. But with derivative distributions, like kubuntu and lubuntu, they use Ubuntu packages but have different default package selection and default configuration. Technically it would be possible to build a kubuntu package which depends on some library version which isn’t on lubuntu and thus the packages wouldn’t be compatible, but I’m almost certain that on those spesific two it’s not the case.

    And then there’s things like Linux Mint, which originally based on Ubuntu but at least some point they had builds from both Debian and Ubuntu and thus they had different package selection. So there’s a ton of nuances on this, but for the most part you can ignore them, just follow documentation for your spesific distribution and you’re good to go.


  • Filtering incoming spam, while not 100% correct, is a pretty straightforward thing to do. Use DNSBL and other lists from spamhaus and it takes care of 90+% of the problem. Incoming spam has not been a huge issue for me, but when people try to send mail to someone in M365 cloud or to Gsuite and they just decide that your server isn’t important enough they just block you out and that’s it. Trying to circumvent that takes a ton of time and effort and while it can be done it’s a huge pain in the rear. And trying to fight your way trough the 1st tier support to someone who actually understands the problem and attempts to fix that while you customers are complaining that “problem with email” is actually affecting on their income is the part I’ll happily leave behind.

    I’ll set up a couple of new VPS servers to host my personal and friends emails, but if they complain that the service I’m paying from my personal pocket isn’t what they’re after then they’re free to switch into whatever they like. And as infrastructure for that is something like 100€/year I’ll happily pay it by myself so that no one has an option to say ‘I paid for this so you need to fix it’ anymore. On commercial case that’s obviously not an option and I’ve had my share of running a business in a very hostile environment.


  • Also if you’re running an email server for others, it takes very little from single individual, like a small webshop newsletter, which enough people manually marks as junk and you’re on a block list again. Latest one with microsoft took several days to clear, even if all of their tools and 1st tier support claimed that my IP isn’t on a black list.

    I’ve jumped all the hoops and done everything by the book, but that still doesn’t mean that any of the big players won’t just screw you up because some of their automaton happens to decide so. That’s why I’m shutting my small ISP business down, there’s no more money to make on that and a ton of customers have moved to the cloud anyways, mostly to microsoft due to their office-suite pricing. It was kind of fun while it lasted, but that ship has sailed.


  • Phobia, by definition, is uncontrollable, irrational, and lasting fear for something. In the current geopolitics situation I’d say that it’s not uncontrollable and very much not irrational. Fear, as a fellow Finn, might be a bit strong word, but it’s a definetly a concern.

    When I first read that I thought that the response is a bit harsh, as Russian (and Soviet Union) individuals have traditionally been a big part of open source community and their achievements on computing are pretty significant, but when you dig a bit deeper on that, a majority of Soviet era things are actually built by Ukrainians in Kyiv (obviously Ukraine as a country wasn’t a thing back then).

    Also, based on my very limited sight on the matter, Russians are not banned from contributing, but this is more of an statement that anyone working for the government in Russia can’t be a part of kernel development team. There’s of course legal reasons for that, very much including the trade bans against Russia, but also the moral part of it, which Linus seems to take a stand on.

    Personally I’ve seen individuals at Russia to do quite amazing feats with both hardware and software, but as none of us are in a void without any external infcluence nor affect, I think that, while harsh, the “sanctions” (for a lack of better word) aren’t overshooting anything, but they’re instead leveling the playing field. Any Joe Anynymous could write a code which compromises the kernel as a whole, but should that Joe live in Russia, it might bring a government backed team which can hide their tracks on a quite a bit different level with their resources than any individual could ever even dream about.

    So, while that decision might slow down some implementations and it might include some of the most capable of developers, the fear that one of them might corrupt the whole project isn’t unreasonable and, with ongoing sanctions in place (and legal requirements that follow) the core dev team might not even have a choice on this.

    In current global environment we’re living in, I’d rather have a bit too careful management than one which doesn’t take things seriously enough. We already have Canonical and others to break stuff way too often, we don’t need malicious government to expand on that with nefarious purposes which could compromise a shit on of stuff on a very fundamental level if left unattended.


  • NAS stands for ‘Network Attached Storage’ and there’s dedicated hardware for that task from multiple brands. It’s a somewhat spesific thing and from what I understand you have a multi-purpose server running on your network. For discussion it’s better to use the established terminology to avoid confusion on what’s what. Your generic server can of course act like a NAS, but a 100€ Synlogy NAS can’t (for the most part) act as a generic server.

    Similarly there’s a dedicated hardware for routers and they are not the same than generic servers which can run whatever. Dedicated routers do some things way better/faster than generic server, and there’s pretty much always a trade-off between the two. You can of course install hardware to your server to be as good as or even better than any consumer grade router and run a pfsense on virtual machine on top of it, but that’s going to be at least more expensive than dedicated hardware.

    So, your server is running pihole in a container on the same network address/hardware than the rest of your server, and I suppose you already gathered from other messages that the firewall component on it treats traffic coming from outside the server itself differently than traffic originating from the server itself. For this spesific case I’d say it’s just simpler to configure the server to use DNS server as localhost:1053 than trying to work out firewall forwarding rules for it, if possible. If not, and you absolutely insist that your pihole runs on a unprivileged port and that your server also has to use pihole as DNS sever, then you need to dig out a firewall config for outgoing traffic which redirects the destination port. Or you could set up a dns proxy on the server which uses pihole as upstream and serves addresses to localhost only or one of the other multiple ways to achieve what you’re after, but each of those have some kind of trade-off and there’s too many to go trough in a single post.


  • I personally don’t, but many do. But it doesn’t matter, my employer isn’t legally allowed to read my emails, unless it’s a sort of an emergency. My vacation, weekend, short sick leave and things like do not qualify. And even then, if the criteria is met, it’s illegal to read anything else than strictly work related things out of my box.

    We even have a form where people leaving the company sign permission that their mailbox can be accessed by their team leader and without signature we’re not allowed to grant permissions to anyone, unless legal department is on the case and terms for privacy breach are met.


  • If the firewall was running on a router then you’d need to DNAT back to the same network from which they originated and that is (in general) quite a PITA to get running properly. My understanding is that the firewall doing port forwarding is running on the NAS. And we don’t have much information on what that ‘NAS’ even is, I tend to think devices like qnap or synology when talking on NAS-boxes, but that might as well be a full linux-system just running CIFS/NFS/whatever.

    OP could obviously use his router as a DNS server for the network and set upstream DNS server for the router to pihole, but that’s a whole different scenario.


  • This is the same as complaining that my job puts a filter on my work computer that lets them know if I’m googling porn at work. You can cry big brother all you want, but I think most people are fine with the idea that the corporation I work for has a reasonable case for putting monitoring software on the computer they gave me.

    European point of view: My work computer and the network in general has filters so I can’t access porn, gambling, malware and other stuff on it. It has monitoring for viruses and malware, that’s pretty normal and well understood need to have. BUT. It is straight up illegal for my work to actively monitor my email content (they’ll of course have filtering for incoming spam and such), my chats on teams/whatever and in general be intrusive of my privacy even at work.

    There’s of course mechanisms in place where they can access my email if anyting work related requires that. So in case I’m laying in a hospital or something they are allowed to read work related emails from my inbox, but if there’s anything personal it’s protected by the same laws which apply to traditional letters and other communication.

    Monitoring ‘every word’ is just not allowed, no matter how good your intentions are. And that’s a good thing.


  • As it’s only single device I’d suggest configuring DNS server for that to <ip-of-nas>:1053. Port forwarding rule on the nas firewall most likely applies only to ‘incoming’ traffic to the nas and as locally generated DNS request isn’t ‘incoming’ (you can think it as ‘incoming’ traffic is everything coming via ethernet cable into the nas) then the port redirection doesn’t trigger as you’re expecting.


  • Bare metal server sounds like optimal solution for you and set up a hypervisor on top of it, so it’s pretty trivial to migrate VMs to your own hardware when needed. But then for your ‘long term’ environment VPS would most likely be better and migrating a full VM from your hypervisor to VPS is a bit more work, but can be done.

    I don’t know about providers in Australia, but Hetzner has both and combined billing and my personal experience with them is pretty good. But I’m in Europe, so bandwidth nor latency is not a problem.



  • IsoKiero@sopuli.xyztoSelfhosted@lemmy.worldLooking for UPS suggestion
    link
    fedilink
    English
    arrow-up
    4
    arrow-down
    1
    ·
    22 days ago

    I have older 1500VA FSP UPS, I don’t think that exact model is available anymore, but it’s been solid for several years. It currently has 3rd or 4th set of batteries and they are standard bulk batteries, so replacements are easy to find from anywhere. Only problem I’ve had with that is that on display it doesn’t give out clear warnings when batteries degrade and it has crashed my system few times in a power outage, but I’ve been lazy and didn’t bother to properly monitor it nor have scheduled battery replacements, so that’s mostly on me.

    Eaton seems to be pretty solid too, but I don’t have a ton of experience on any of their models. Local suppliers had dirt cheap PowerWalker UPS’s a few years ago, but one of them didn’t survive when battery died, so maybe I got what I paid for. Those worked fine too, but apparently they cooked the carging circuit when battery degraded.

    This is of course just my own experience over a few models, but personally I wouldn’t spend my money on APC. Propietary batteries and multiple failures after battery replacement at work few years back were enough to choose something else.



  • My ecotank died just like all the other inkjets. It went few weeks without printing and blue nozzle dried completely up and on the pipes I can see dried up ink on other colors as well. So I had to dig up old Brother HL3040 back to the duty which I retired after print quality started to drop (it needs new fuse unit or something similar, so not that big of a deal) and I thought having an option to print nice color pictures would be nice.

    So, if you plan to run ecotank (which does have pretty good printing quality when it works) set up a scheduled task on your computer to print something, in color, quite frequently even if it wastes some ink and paper. I think the main issue with mine was that even if I print stuff somewhat often there was a period where I only needed b&w documents so color nozzles went unused for a while.

    I might get a new set of nozzles and ink tanks for my unit as it’s a ton cheaper than a whole new printer, but if you’re looking for a printer this is something to take into consideration, regardless of their marketing material.

    Edit: Mine is Epson, didn’t know that ecotank term is used by other manufacturers.


  • You can run clonezilla on your shell session, just apt install conezilla (or whatever variant you’re using) and it can do the trick. Dd will almost surely work too, but that leaves a ton of responsibility to you instead of making any sanity checks on the way. That makes dd very powerful tool and it has saved my ass a multiple times, but if you already have a working partitioning schema clonezilla has a ton of options to make your life a lot simpler and a likely a bit faster than dd.


  • more specific to a subset of people who have time to bother

    And that subset of people needs to have at least some kind of mindset to learn the viable minimum skills to even start with and a will to learn more and more and more. I’ve done various kinds of hosting as a career for couple of decades and as things change I’m fighting myself if it’s worth my time and effort to keep my home services running or should I just throw money to google/apple/microsoft/whoever to store my stuff and manage my IOT stuff and throw the hardware into recycling bin.

    I have the skill set required for whatever my home network might need up to a point that I could somewhat easily host a small village from my home (money is of course a barrier after a certain point), but I find myself more and more often thinking if it’s worth the effort. My Z-wave setup needs some TLC as something isn’t playing nicely and it causes all kinds of problems with my automations, my wifi network could use a couple of sockets on the walls to work better, I should replace my NVR with something open source to include couple of more cameras around the yard and have better movement recognition and cameras should go to their own VLAN and so on.

    Most of that stuff is pretty basic to set up and configure (well, that z-wave network is a bit of it’s own thing to manage) and it would actually be pretty nice to have all the things working as they should and expand on what I have to make my everyday life even more simpler than it already is. But as there’s a ton of things going on in life I just rather spend few hours gaming from my sofa than tinker with something.

    That’s of course just me, if you get your reward and enjoyement on your network then good for you. Personally I think I’ll keep various things running around, but right now in this place I’m at, the self hosting, home network and automation and all that is more of a chore than a hobby. And I’m pretty sure I don’t like it.


  • IsoKiero@sopuli.xyztoSelfhosted@lemmy.worldDNS?
    link
    fedilink
    English
    arrow-up
    1
    ·
    2 months ago

    As far as I know it is the default way of handling multiple DNS servers. I’d guess that at least some of the firmware running around treats them as primary/secondary, but based on my (limited) understanding at least majority of linux/bsd based software uses one or the other more or less randomly without any preference. So, it’s not always like that, but I’d say it’s less comon to treat dns entries with any kind of preference instead of picking one out randomly.

    But as there’s a ton of various hardware/firmware around this of course isn’t conclusive, for your spesific case you need to dig out pretty deep to get the actual answer in your situation.