• 0 Posts
  • 7 Comments
Joined 1 year ago
cake
Cake day: June 10th, 2023

help-circle
  • HAproxy is good at what it does but it’s only good at proxying and simple rules.

    It’s possible to write very complex rules/ACLs with HAproxy… stick-tables, ACLs with regexes on whatever HTTP header, source or destination ACLs, map files, geoblocking, lua scripting, load-balancing from round-robin to host header load balancing, dynamic backend servers provisionning through DNS… Not that you can’t do it with Nginx (it started as a reverse-proxy before becoming a jack of all trades), nor that nginx isn’t a great tool (it is!), but HAProxy can do very complex things too. It also follows the good ol’ UNIX philosophy of “one program to do one thing and do it well” and thus doesn’t try to be a webserver, hence why you need a webserver behind it to serve anything from static files to PHP/Python/whatever.



  • 1Gbps down/700Mbps up here, 35€/month (another french provider), no data caps - for 5 bucks/month more I could have 5Gbps down/1Gbps up, but… well, my home network is still using 1Gbps switches - but all the cabling was built with 10Gbps in mind.

    Data caps are pure robbery. We run a non-profit ISP/hosting platform and a non-profit IXP with friends in West France, the only thing you pay (and the only thing end users should have to pay) is goddamn bandwidth.


  • Kudos for mentionning powerDNS, it’s an amazing software :)

    One thing I love with powerDNS is the various backends available, notably the postgreSQL and mariaDB/mysql ones. Only the primary powerdns instance modifies the database records, the secondary instances just read from database (master or replicas). Thus, no real need for AXFR: as soon as you added/modified a record on the primary, the secondary pdns servers will see it in the database.

    The pdnsutil CLI tool is also really convenient, and the powerDNS API is a godsend when you need to automatise stuff for thousands of domains and hundred of thousands of records. There’s also a nice third-party webUI (powerdns-admin, docker image: pdnsadmin/pda-legacy). Bonus, Terraform does have a powerdns provider.

    At work we use dnsdist (from powerDNS too) to load-balance between our powerdns instances (with caching!), and to filter out/rate-limit/temporary ban bad actors (dns laundering, records enumeration and such for example).




  • Everything runs in a kubernetes cluster hosted on my homelab, except the public services access point which is a VM hosted on a non-profit ISP and service provider infrastructure, which I contribute to, through a wireguard VPN between the VM and home:

    Public-facing:

    • an old static website (nginx-unprivileged), which was my first website and which I keep online because nostalgia
    • Ghost, personal blog
    • OpenSMTPd + rspamd + dovecot (dovecot only accessible from home, not public)
    • privatebin
    • picoshare
    • Whoogle + Tor
    • SearxNG

    Work related (I work from home 75% of time), not public-facing:

    • dolibarr ERP for managing prospects and clients billing
    • gitea
    • bookstack for personal documentation
    • edit: forgot Harbor as container registry.
    • vaultwarden
    • eck-operator
    • wireguard operator for personal, family and friends access from outside
    • awx operator
    • draw.io
    • zalando postgresql operator for postgres needs
    • mariadb-galera for mariadb needs
    • bitlbee-libpurple for all clients’ slack needs
    • Authentik as OIDC/LDAP/SAML provider (also used to identify family and friends)
    • internal DNS (pdns-resolver + powerdns with postgres backend) serving work zone and home zone.

    Home stuff, not public-facing:

    • Games: Minetest, EQEmu server (Everquest), planar ally, bzflag, veloren
    • Home-cinema/music: Jellyfin, Koel, alltube, and the usual tools to share Linux isos.
    • Immich to sync photos
    • homeassistant (more a PoC than anything else right now)
    • mealie for recipes (I like cooking original meals for friends and family) and lunch/dinner planning
    • another instance of vaultwarden for family
    • piHole to keep the children a bit safer online (notably blocking malware/scams/nsfw sites)

    all of this running on a 3 control-planes/6 workers talos linux k8s cluster, itself hosted on a franken-proxmox cluster (a mix of server/“old” desktops/Ryzen NUCs) and a bunch of NAS (VM dedicated NAS, data storage NAS, backup NAS).