1·
1 year agoI think you might have better luck with your question in r/artificial perhaps
- 0 Posts
- 3 Comments
Joined 1 year ago
Cake day: November 2nd, 2023
You are not logged in. If you use a Fediverse account that is able to follow users, you can follow this user.
It’s funny how as a self-hoster with no open ports, sort of supply chain attacks are almost my biggest worry… Here’s the tidbits I’ve collected so far, but just getting into this so take it with a grain of salt …
- working out how to run my containers as non-root… Most support this already. It’s adding a user:UID:GID in the compose file and making sure that user can read and write to any dirs you want to map, and it’s done. Now whatever runs in the container does not have root and less chance of shenanigans in its container and on the host.
Some smaller projects, you have to tweak or rebuild.* - If I can manage I’ll also run the docker daemon as rootless as the next milestone. I already had this working on Proxmox Ubuntu VM, but could not get it to work on a netcup VPS, for example.
- Docker sock proxy
- VLANs
- in compose files, if the containers can handle it:
security_opt:
- no-new-privileges:true
cap_drop:
- ALL - (I have to work out the secrets stuff! secrets in files, ansible vault,…)
(* One example for non-rootifying a docker, I got tempo running as non root the other night as it is based on a nginx alpine linux image, after a while I found a nginx.conf file online where all the dirs are redirected to /tmp so nginx can still run if a non-root user launches it. Mapped that config file to the one in the container, set it to run as my user and it works. Did not even have to rebuild it.)
- working out how to run my containers as non-root… Most support this already. It’s adding a user:UID:GID in the compose file and making sure that user can read and write to any dirs you want to map, and it’s done. Now whatever runs in the container does not have root and less chance of shenanigans in its container and on the host.
The NAS can do almost everything you need except offsite C2.
For example Synology ((so far I only had these)) has a built-in DynDNS service that gives you a subdomain you can access the NAS through without extra steps. I bet all the other NAS brands have this built-in as well. Whichever you pick, definitely have 2FA enabled. Also if you can setup your storage pool as btrfs that’s great too.
As others pointed out, you need an offsite copy on some C2 provider or a friend’s NAS or whatever. (if you’ve really no budget, you could get a bunch on free subscriptions (dropbox etc.) and split up the backups between them).
The NAS will have an app that already supports a whole lot of providers + things like external USB drive and you can setup automatic backup there.