2·
4 months agoI think it’s cool that I can take that config and drop it into kubernetes and it usually just works. I don’t have a cluster anymore, but if I decide to use one in the future, the overhead will be negligible
- 0 Posts
- 30 Comments
Joined 2 years ago
Cake day: December 2nd, 2023
You are not logged in. If you use a Fediverse account that is able to follow users, you can follow this user.
Sure thing, I’ll edit this reply when I get back to my computer. Just note that I also have a tailscale and nginx container in the pod which are not necessary.
You’ll see my nginx config which reverse proxies to the port the service is running on. On public servers I have another nginx running with SSL that proxies to the port I map the pod’s port 80 to.
I usually run my pods as an unpriviledged user with
loginctl enable-lingerwhich starts the enabledsystemctl --userservices on boot.All that being said I haven’t publically exposed linkwarden yet, mainly because it’s the second most resource intensive service I run and I have all my public stuff on a shitty vps.
Edit: My opsec is so bad hahaha
Edit2: I just realized the caps I gave were to the tailscale container, not the linkwarden container. Linkwarden can run with no caps :)
I added the tailscale stuff back
files:
linkwarden-pod.kube:
[Install] WantedBy=default.target [Kube] # Point to the yaml in the same directory Yaml=linkwarden-pod.yml PublishPort=127.0.0.1:7777:80 AutoUpdate=registry [Service] Restart=alwayslinkwarden-pod.yml:
--- apiVersion: v1 kind: Pod metadata: name: linkwarden spec: containers: - name: ts-linkwarden image: docker.io/tailscale/tailscale:latest env: - name: TS_HOSTNAME value: "link" - name: TS_STATE_DIR value: /var/lib/tailscale - name: TS_AUTHKEY valueFrom: secretKeyRef: name: ts-auth-kube key: ts-auth volumeMounts: - name: linkwarden-ts-storage mountPath: /var/lib/tailscale securityContext: capabilities: add: - NET_ADMIN - SYS_MODULE - name: linkwarden image: ghcr.io/linkwarden/linkwarden:latest env: - name: INSTANCE_NAME value: link.mydomain.com - name: AUTH_URL value: http://linkwarden:3000/api/v1/auth - name: NEXTAUTH_SECRET value: LOL_I_JUST_PUBLISHED_THIS_I_CHANGED_IT - name: DATABASE_URL value: postgresql://postgres:password@linkwarden-postgres:5432/postgres - name: NEXT_PUBLIC_DISABLE_REGISTRATION value: "true" - name: linkwarden-nginx image: docker.io/library/nginx:alpine volumeMounts: - name: linkwarden-nginx-conf subPath: nginx.conf mountPath: /etc/nginx/nginx.conf readOnly: true - name: linkwarden-postgres image: docker.io/library/postgres:latest env: - name: POSTGRES_PASSWORD value: "password" volumeMounts: - name: linkwarden-postgres-db mountPath: /var/lib/postgresql/data volumes: - name: linkwarden-nginx-conf configMap: name: linkwarden-nginx-conf items: - key: nginx.conf path: nginx.conf - name: linkwarden-postgres-db persistentVolumeClaim: claimName: linkwarden-postgres-db-claim - name: linkwarden-ts-storage persistentVolumeClaim: claimName: linkwarden-ts-pv-claim --- apiVersion: v1 kind: ConfigMap metadata: name: linkwarden-nginx-conf data: nginx.conf: | #user nobody; worker_processes 1; #pid logs/nginx.pid; events { worker_connections 1024; } http { include mime.types; default_type application/octet-stream; sendfile on; #keepalive_timeout 0; keepalive_timeout 65; gzip off; # set_real_ip_from cw.55.55.1; real_ip_header X-Forwarded-For; real_ip_recursive on; server { listen 80; server_name _; location / { proxy_pass http://localhost:3000/; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Port $server_port; proxy_set_header X-Forwarded-Scheme $scheme; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Accept-Encoding ""; proxy_set_header Host $host; } } }I also have a little helper script you might like
#!/bin/bash SYSTEMD_DIRECTORY="${HOME}/.config/containers/systemd" POD_NAME="linkwarden-pod" mkdir -p "$SYSTEMD_DIRECTORY" cp "${POD_NAME}".{kube,yml} "${SYSTEMD_DIRECTORY}"/ systemctl --user daemon-reload
So I have mine running in a podman quadlet. It runs as root in the container but it is unpriviledged. Mine has NET_ADMIN and SYS_MODULE but I honestly can’t remember why… SYS_ADMIN seems extreme though
Edit: I’m dumb, and the linkwarden container has no capabilities set. I set them for the tailscale container which definitely needs it.
4·4 months agoHoly shit I had no idea until I read your comment. I thought “surely they will have respected all of my opt outs”. I guess this is my last samsung phone lol
Here’s a cool video about it
https://yewtu.be/watch?v=kbKtFN71Lfs
Edit:
Meant to reply to msfroh, oops
A little but there is also systemd integration with podman.
However for that I usually set up a lingering user with limited permissions. For some cases you need rootful though.
The boy is now in residential care without access to social networks, with specialized educators and regular visitation rights for his parents, the prosecutor told AP.
That’s really interesting. What about 0.0.0.0? Does it resolve to localhost or the “public” ip?
Well, how do you think the milk gets in there?
Start with 10 and subtract 2 for every step
Companies have until January 1, 2026, to create memory safety roadmaps.
Not really the same as dropping entirely
2·1 year agoI would have whipped the Scopuli.
Underrated meme
I was going to say this too, but I’ve never cross compiled a cmake project so I wasn’t sure how much overhead there would be
You can compile on a big pi and copy the binary to your zeros. No need to compile on a zero lol
I just did the same thing with llama and got the same thing
3·1 year agoWomp womp
That sucks
If only there were some standard that companies could follow for the advanced configuration of power interfaces.
Linux has sleep tho
I use privatebin. Has some good features but I dont think it has login
Like 150 micrograms lol