or4n

joined 1 year ago
[–] [email protected] 2 points 1 year ago

I've never trusted vendors like Asus for their routers. I'm currently using a PC Engines APU2E4 with OpenBSD. This setup supports everything I can think of.

[–] [email protected] 3 points 1 year ago

Home

Firewall / OpenBSD running on APU2

  • Wireguard (only thing open to the public)
  • IPSec site-to-site to Oracle cloud (only open for Oracle VPN GW IP)
  • NSD for authoritative DNS
  • Unbound for DNS filtering (unbound adblock script)
  • script that updates my public IP at the DNS provider should it change

Containers / Debian running on Asus PN62

  • Portainer for controlling local Docker as well as one in the Oracle Cloud
  • certbot with DNS auth to get certificates for local services; this way I don't need to open anything to the Internet
  • Traefik as reverse proxy configured via labels

Cloud

Cloudflare

  • This is in front of public services
  • Public DNS

Oracle Cloud

  • Free tier server (4x vCPU, 24GB RAM) with Docker, Traefik, Portainer agent
  • IPSec from home so I can control Docker on my cloud server

Azure

  • Azure blob storage for backups (Restic)

Everything is separated as much as I can. All stacks are on separate networks with strict firewall rules (iptables) on the host to control which container can talk to others. For example, Traefik can talk to Gitea but not vice versa. Everything on the physical network is separated by VLANs.
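An added example (not from the poster) of the container-side layout this comment describes: one stack with Traefik configured purely via labels, the Gitea web container on a shared proxy network, and its database on an internal-only network. The network names, service names, hostname and image tags are assumptions; TLS certificate loading via Traefik's file provider is left out.

```yaml
# Added example modelled on the setup above; all names are placeholders.
services:
  traefik:
    image: traefik:v2.10
    command:
      - --providers.docker=true
      # Only containers that opt in with traefik.enable=true get routed.
      - --providers.docker.exposedbydefault=false
      - --entrypoints.websecure.address=:443
    ports:
      - "443:443"
    volumes:
      # Read-only socket: Traefik watches labels but cannot manage containers.
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - proxy

  gitea:
    image: gitea/gitea:1.21
    labels:
      - traefik.enable=true
      - traefik.http.routers.gitea.rule=Host(`git.example.internal`)
      - traefik.http.routers.gitea.entrypoints=websecure
      - traefik.http.routers.gitea.tls=true
      - traefik.http.services.gitea.loadbalancer.server.port=3000
    networks:
      - proxy            # reachable from Traefik
      - gitea_internal   # reachable from gitea_db only

  gitea_db:
    image: postgres:15
    environment:
      POSTGRES_PASSWORD: change-me   # placeholder, use a secret in practice
    networks:
      - gitea_internal   # no path to the proxy network or the Internet

networks:
  proxy:
    external: true       # shared only by stacks that expose something via Traefik
  gitea_internal:
    internal: true       # Docker attaches no outbound route to this network
```

Docker networks themselves are bidirectional, so the one-way rule the poster describes (Traefik can reach Gitea but not the reverse) still needs host-level iptables rules in Docker's DOCKER-USER chain, which this file does not include.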

[–] [email protected] 1 points 1 year ago (1 children)

Oh, those were the days :D Apache + PHP + MySQL. Then multiple hosted applications on that same server. You were screwed when one app needed a newer PHP and some other stuff didn't run with the new PHP.

[–] [email protected] 2 points 1 year ago

I might add: don't just mindlessly copy-paste things. Try to understand what those commands do and why they are needed.