

Any plans for OIDC and read-only/non-root/no-cap container running?


I have a USB drive with the key on it. The primary purpose for LUKS for me is so that drives I replace don’t need to be wiped, so I just leave the USB drive in all the time. Makes it so it boots automatically.
If I lived in a place I owned, I’d stash a rpi somewhere deep and have it do network dropbear automatic unlock to protect the data if the server is nicked. Till then it’s yolo


The smlight slzb-mr2 does both and is PoE - makes it more robust. HA comp goes down? Restarts? USB port change and now the passthrough fails? With an independent LAN coordinator the zigbee network is fine. I don’t have threads stuff (yet) but I assume the same applies.
I’ve had no issues, the Ukrainians already got this solved. Get from Ali express (Ukrainians don’t produce them, they’re busy being bombed)


If you’ve got Debian already installed, I cannot resist advocating for Incus (stable branch from Zabbly repo with web ui https://blog.simos.info/how-to-install-and-setup-the-incus-web-ui/) in lieu of proxmox. Does the same thing but you don’t have to rip out the kernel Debian uses.
With Debian 13 you have access to podman quadlets, use that for any non-vm needs. The ease of docker compose files easily removes reason for programs in LXC containers, and podman removes reason for docker in an LXC. LXC is left only for programs that aren’t containerized. VMs for security DMZ. Podman for bulk of stuff you want.
Good luck!
I am loving OIDC giving a single login for all the things I’ve got going, I see it as a near-essential for adding new services!
Read-only is easy! You just need to confine where the writes happen. You use volumes for stuff you want to remember were written and tmpfs for stuff you don’t want to remember. Tmpfs for /tmp if needed, volume for the DB, good to go. It is super useful for security since only what is included in the container can be executed, greatly reducing the attack area. No way to introduce a new executable to the container! (you set noexec for tmpfs/volumes)
I’ve seen difficult setups like a “work directory” where key files, executables, and temp files go. That structure can’t be secured, avoid that. Basically the temp files go in somewhere that’s not a big pile of a “work directory” - like /tmp - and then that structure once again works!
Of course I wouldn’t say no to an LCARS theme either…
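Putting the read-only/non-root/no-cap setup from the comment above into a podman quadlet (the Debian 13 route the same commenter suggests). This is an added example, not the commenter's own config: the unit name `webapp`, the image reference, the `/data` path and the uid 1000 are placeholders, and the port is only there so the unit is complete.

```ini
# ~/.config/containers/systemd/webapp.container  (rootless quadlet, placeholder name)
# Rootless podman: the container's uid 1000 maps into the host user's subuid range,
# so even a full escape lands on an unprivileged host user.

[Unit]
Description=Example hardened service (placeholder)

[Container]
# Placeholder image reference; replace with the real one.
Image=registry.example.com/webapp:1.0
ContainerName=webapp

# Root filesystem is immutable: nothing shipped in the image can be changed or added to.
ReadOnly=true

# Scratch space lives in memory, cannot hold executables or setuid files, and is gone on restart.
# (ReadOnly=true already gives /tmp a tmpfs; listing it explicitly is what adds noexec.)
Tmpfs=/tmp:rw,noexec,nosuid,nodev,size=64m

# Persistent state goes in a named volume, also mounted noexec so a dropped binary cannot run.
Volume=webapp-data:/data:noexec,nosuid,nodev

# Run as an unprivileged uid inside the container rather than container root.
User=1000:1000

# No Linux capabilities at all, and no way to regain any via setuid/file caps.
DropCapability=ALL
NoNewPrivileges=true

PublishPort=8080:8080

[Service]
Restart=on-failure

[Install]
WantedBy=default.target
```

Quadlet needs Podman 4.4 or newer. After `systemctl --user daemon-reload && systemctl --user start webapp`, `podman inspect --format '{{.HostConfig.ReadonlyRootfs}}' webapp` should print `true`, and `podman exec webapp touch /usr/bin/x` should fail with a read-only filesystem error, which is the property the comment is after: the set of runnable code is fixed at image build time. Any writable path the service genuinely needs (a cache directory, a PID file) gets its own `Tmpfs=` or `Volume=` line with `noexec`; if the application insists on a single writable "work directory" that mixes data and executables, that is the structure the comment says cannot be secured, and the fix is in the application layout, not in the unit.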