• 1 Post
  • 154 Comments
Joined 6 months ago
cake
Cake day: June 9th, 2024

help-circle










  • good ideia to run restic as root

    As a general rule, run absolutely nothing as root unless there’s absolutely no other way to do what you’re trying to do. And, frankly, there’s maybe a dozen things that must be root, at most.

    One of the biggest hardening things you can do for yourself is to always, always run everything as the lowest privilege level you can to accomplish what you need.

    If all your data is owned by a user, run the backup tool as that user.

    If it’s owned by several non-priviliged users, then you want to make sure that the group permissions let you access it.

    As a related note, this also applies to containers and software you’re running: you shouldn’t run docker containers as root unless they specifically MUST have a permission that only root has, and I personally don’t run internet facing ones as the same user as all the others: if something gets popped, then they not only do not have root permissions, but they’re also siloed into their own data in the event of a container escape.

    My expectation is that, at some point, I’ll miss a CVE and get pwnt, so the goal is to reduce how much damage someone can do when that happens, rather than assume I’m going to be able to keep it from happening at all, so everything is focused on ‘once this is compromised, how can i make the compromise useless to the attacker’.


  • Unifi Gateway Ultra

    How have you liked the gateway? Any stupid decisions that have annoyed?

    My USG has decided that, after a decade, it’s going to be flaky and crash if it wants to (even after replacing it’s 4th dead PSU and 2nd USB stick) and I’m thinking it’s probably time to upgrade.

    I’ll admit to both liking the Unifi ecosystem and firmly not trusting the Unifi ecosystem one damn bit, which is bit of a weird situation where I’ve been really really unwilling to upgrade anything because that hasn’t always gone uh, smoothly.




  • I just uh, wrote a bash script that does it.

    It dumps databases as needed, and then makes a single tarball of each service. Or a couple depending on what needs doing to ensure a full backup of the data.

    Once all the services are backed up, I just push all the data to a S3 bucket, but you could use rclone or whatever instead.

    It’s not some fancy cool toy kids these days love like any of the dozens of other backup options, but I’m a fan of simple and well, a couple of tarballs in a S3 bucket is about as simple as it gets since restoring doesn’t require any tools or configuration or anything: just snag the tarballs you need, unarchive them, done.

    I also use a couple of tools for monitoring the progress and a separate script that can do a full restore to make sure shit works, but that’s mostly just doing what you did to make and upload the tarballs backwards.


  • I’m finding 8 years to be pretty realistic for when I have drive failures, and I did the math when I was buying drives and came to the same conclusion about buying used.

    For example, I’m using 16tb drives, and for the Exos ones I’m using, a new drive is like $300 and the used pricing seems to be $180.

    If you assume the used drive is 3 years old, and that the expected lifespan is 8 years, then the used drive is very slightly cheaper than the new one.

    But the ‘very slight’ is literally just about a dollar-per-year less ($36/drive/year for used and $37.50/drive/year for new), which doesn’t really feel like it’s worth dealing with essentially unwarrantied, unknown, used and possibly abused drives.

    You could of course get very lucky and get more than 8 years out of the used, or the new one could fail earlier or whatever but, statistically, they’re more or less equally likely to happen to the drives so I didn’t really bother with factoring in those scenarios.

    And, frankly, at 8 years it’s time to yank the drives and replace them anyways because you’re so far down the bathtub curve it’s more like a slip n’ slide of death at that point.


  • I’m going to get downvoted to hell for this but uh, I usually tell clients Squarespace is what they want these days.

    Self-hosting something like Wordpress or Ghost or Drupal or Joomla or whatever CMS you care to name costs time: you have to patch it, back it up, and do a lot of babysitting to keep it up and secure and running. It’s very much not a ship-and-forget - really, nothing selfhosting is.

    I’m very firmly of the opinion that small business people should be focused on their business, not their email or website or whatever, because any time you spend fighting your tech stack is time you could have been actually making money. It’s all a cost, it just depends if you value $20 a month or your time more.

    If I had someone come to me asking to setup this stuff for their business, I’d absolutely tell them to use gSuite for email, file sharing, documents, and such and Squarespace for the website and then not worry about shit, because they’re both reliable and do what they say on the tin.




  • You know, I think I did the thing I always do and forget how bad the idle power for Ryzen cpus are due to how they’re architected.

    Like, my home server is a 10850k, which is a CPU known for using 200+w… except that, of course, at idle/normal background loads it’s sitting at more like 8-15w. I did some tweaking to tell it to both respect it’s TDP and also adjusting turbo boost to uh, don’t, but still: it’s shockingly efficient after fiddling.

    I wouldn’t have expected a 5500u to sit at 30w under normal loads, but I suppose that depends on the load?