Backup a sec
A while back I wrote a post about restic, which is a great backup solution for incremental, encrypted backups. I played around with it for a bit, created an Ansible playbook to install it on my machines and made it simple to use by only having to add an entry to a file. Since then I’ve not used it again. Like most backup solutions, it just sort of sat there and didn’t do much.
Making backups of your work is one of those things that we all know we should do, but get lazy about actually setting up. Things are easier these days, particularly on Windows, where you can have your Documents folder automatically backed up to the cloud. You can also install Google Drive, Dropbox or Nextcloud as drives in Windows and have them sync automatically as well. When it comes to backing up configuration data on my Linux servers, things are a bit more complicated for me.
I’ve had an LDAP setup for quite a while, but I’ve never really used it. Sure, I could set up my Dokuwiki to get the logins and groups from LDAP and that’s kind of what it’s for, but that wasn’t enough. I wanted to use LDAP as a central configuration/setup/inventory management system. Configure my mail server to look up email addresses there, assign port numbers and hosts for my services from there, etc.
Over the Christmas holidays, we spent a couple of weeks abroad with family. During this time, I still like to have access to my network, both for the self-hosted services I have but also so I can play around with new ideas during the downtime. Unfortunately, about halfway through our holiday, I lost access. I couldn’t tell whether this was because my DNS Updater script failed to set the correct dynamic WAN IP on my DNS record, or whether the router had locked up, or my servers were down.
I set up InfluxDB a while back on my NUC, so that I could have a TIG (Telegraf/InfluxDB/Grafana) stack running and capture nice metrics on my home network. What I didn’t find out until later is that you shouldn’t put InfluxDB on a network drive: it generated a network storm, maxing out my NUC’s CPU waiting on I/O operations to complete. I tore down the TIG stack and hadn’t used it since.
I’ve been running some of my services so that they are accessible from the outside world. Some of this has been for fun (like my calibre setup) and some because I want to keep control of my own data. I’ve self-hosted quite a few services on my NUC now, including things like Plex and tinytinyrss. Many of them have been exposed to the internet as subdomains, so that I could use them both from within my own network and when I’m out and about.
I came across a blog post online about how to make an nginx-based reverse proxy more secure and I went about implementing it immediately. It took me all of 30 minutes to follow the steps and get an A grade from SSL Labs! It’s still going to take more to convince me that this will deter all but the most determined hackers, but it allows me to access my services when I’m not at home.
I’ve had my own internal DNS for a while now and it’s been working great. I’ve even pointed my router’s DHCP config to hand out the Raspberry Pi’s IP address as the network’s authoritative DNS Server. At the same time I’ve used AdBlock Plus for a while now in my browser, but I was always unhappy that I couldn’t have the same thing on my Pixel as well. Particularly as ads and popups are even more annoying on a small screen when you just want to look something up.
The NUC that I bought a while back has mainly just been used to run a Plex server. Lately I’ve been playing with setting different things up on my Raspberry Pis, including my own internal DNS. Then I was talking to a colleague of mine about my Munin setup and I really wanted to show him what I’m doing. So, perhaps a little radically, I decided to open up access to the outside world
I’ve been meaning to do this for ages now and today I found the time to do it right. I installed dnsmasq on a spare Raspberry Pi to do three things:
- Provide nice name resolution on my servers (i.e. *foo*.peterkuehne.com)
- Log all DNS queries (for stats, etc, not for actual monitoring)
- Cache DNS lookups and make browsing a few milliseconds faster
As far as I can see right now, this all works great.