NixOS instances running Nomad/Vault/Consul. Each service behind Traefik with LE certs. Containers can mount NFS shares from a separate NAS which optionally gets backed up to cloud blob storage.
I use SSH and some CLI commands for deployment, but only because that's faster than CI/CD. I'm only running `nomad run …` for the most part.
The goal was to be resilient to single node failures and align with a stack I might use for production ops work. It’s also nice to be able to remove/add nodes fairly easily without worrying about breaking any home automation or hosting.
Not git(ea) but Synapse: I use separate Traefik routers for internal and external endpoints. Internal has access to all paths, but for external entry points I allowlist or denylist paths as needed. It's error prone, as it can either break the app if not everything required is allowlisted, or cause a security issue if not everything is denylisted.
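As an added illustration of the split-router pattern described above (this is a constructed example, not the commenter's own configuration): a Traefik dynamic configuration for the file provider with one internal router that passes every path, one external router that only admits an allowlist of path prefixes, and a higher-priority external router that denies an admin prefix outright. The entry point names `internal` and `external`, the host `matrix.example.com`, the backend address `http://synapse:8008`, and the specific path prefixes are assumptions chosen for the example; the allowlist should be taken from the Synapse reverse-proxy documentation for the version actually deployed, since a missing prefix is exactly the "breaks the app" failure mode, and a missing deny entry is the "security issue" one.

```yaml
# Traefik dynamic configuration (file provider). Constructed example.
# Assumptions: entryPoints "internal" and "external" are defined in the
# static config; Synapse listens at http://synapse:8008; the public host
# is matrix.example.com (placeholder). Middleware names follow Traefik v3;
# on Traefik v2 "ipAllowList" is spelled "ipWhiteList".
http:
  routers:
    # Internal router: all paths, but only on the LAN-facing entry point.
    synapse-internal:
      entryPoints: ["internal"]
      rule: "Host(`matrix.example.com`)"
      service: synapse

    # External router: allowlist. Only the Matrix client, federation, key,
    # media and .well-known discovery prefixes are routed; any other path
    # on the external entry point matches no router and Traefik returns 404.
    # Prefixes are illustrative; take the real list from the Synapse docs.
    synapse-external:
      entryPoints: ["external"]
      rule: "Host(`matrix.example.com`) && (PathPrefix(`/_matrix/client`) || PathPrefix(`/_matrix/federation`) || PathPrefix(`/_matrix/key`) || PathPrefix(`/_matrix/media`) || PathPrefix(`/.well-known/matrix`))"
      service: synapse

    # External denylist: a higher-priority router catches the Synapse admin
    # prefix even if a future allowlist change accidentally overlaps it, and
    # the attached middleware rejects the request with 403.
    synapse-external-deny:
      entryPoints: ["external"]
      rule: "Host(`matrix.example.com`) && PathPrefix(`/_synapse/admin`)"
      priority: 1000            # beats the default length-based priority
      middlewares: ["deny-all"]
      service: synapse          # never reached; middleware answers first

  middlewares:
    # No external client source address falls inside 127.0.0.1/32,
    # so every request through this middleware is rejected with 403.
    deny-all:
      ipAllowList:
        sourceRange: ["127.0.0.1/32"]

  services:
    synapse:
      loadBalancer:
        servers:
          - url: "http://synapse:8008"
```

The two external routers show the asymmetry the comment points at: the allowlist fails closed (an omitted prefix yields 404 and a broken client, which users report quickly), while the denylist fails open (an omitted prefix is silently reachable), so keeping the allowlist as the primary control and the denylist as a backstop for known-sensitive prefixes limits the blast radius of a mistake. Checking `curl -i https://matrix.example.com/_synapse/admin/v1/server_version` from outside for a 403, and an allowed path for a 200, is a quick way to confirm the routers took effect after each change.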