🤣 sure, I’ll use a reverse proxy / waf that has a release change log “I don’t remember lol” (Yes, it’s in alpha, but still…)
Is anyone here using it? Are you scared?
To be fair, the proxy engine is supposedly written in go, not in nodejs, but yeah, the ddos defense most likely is wishful thinking…
The annoyance grows with the number of hosts ;-) I still want to feel in control, which is why I’m hesitant to implement unattended decryption like with tang/clevis.
But I’m interested in the idea of not messing with the initrd-image, boot into a running system and then wait for decryption of a data-partition. Isn’t it a hassle to manually override all the relevant service declarations etc. to wait for the mount? Or how do you do that?
The passphrase should be stored and transferred encrypted, but that would basically mean reimplementing mandos, a tool that was mentioned in another reply https://lemmy.world/post/38400013/20341900. Besides that, yes, that’s one way I’ve also considered: an ansible script with access to all encrypted hosts’ initrd-ssh-keys that tries to log in; if the host is waiting for decryption, it provides the key, done. Needs one webhook for notification and one for me to trigger the playbook run… Maybe I will revisit this…
It wasn’t clear to me at first glance how the mandos server gets the approval to supply the client with its desired key, but I figured it out in the meantime: that’s done through the mandos-monitor tui. However, that doesn’t quite fit my ux-expectations. Thanks for mentioning it, though. It’s an interesting project I will keep in mind.
Definitely! I have bmc/kvm everywhere (well, everywhere that matters).
I have talked myself out of this (for now), though. I think if I ever find the time to revisit this, I will try to do it by injecting some oidc-based approval (memo to myself: ciba flow?) into something like clevis/tang.
Sort of, but this seems a bit heavy. (That being said, I was also considering pkcs#11 on a net-hsm, which seems to do basically the same…)
Yes, I was thinking about storing encrypted keys, but still, using claims is clearly just wrong… Using a vault to store the key is probably the way to go, even though it adds another service the setup depends on.
Interesting, do you happen to know how this “approval” works here, concretely?
Hey everyone, here’s an idea, what do you think? (Please stop me…)
I have a few remote servers where disk encryption is only a moderately important measure; I definitely want to keep it but I’m also annoyed by having to ssh into it during the initrd-phase to provide a passkey on every reboot. What I would like is to get a notification with a link to my idp for some device flow, allowing me to authorize the server to obtain the secrets necessary for decryption.
As far as I can tell, this hasn’t been done before, or have I missed something? A naive idea would be to have custom oidc-claims for the different servers where the value is the luks-passphrase. Feels like a bad idea, though. Any ideas on the details as to how? I obviously don’t want to bloat my initrd-image, so a bash script using curl would be ideal.
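The flow sketched in this post, combined with the “store the key in a vault instead of in claims” variant from the reply further up, as an added example that is not part of the original thread and not code from any project mentioned in it. It models an OAuth 2.0 device-authorization grant (RFC 8628) entirely in-process: the already-booted server asks a stand-in IdP for a device code, the admin approves that code after following a notification, and the resulting bearer token is redeemed at a separate stand-in secret store for the LUKS passphrase, so the passphrase never ends up inside a token. `DeviceFlowIdP`, `SecretStore`, `UnlockClient`, the host name `db01`, the scope `luks:db01`, the URL `https://idp.example/device` and the passphrase are all constructed assumptions; the clock is simulated so the exchange runs instantly and offline.

```python
import secrets


class DeviceFlowIdP:
    """Stand-in IdP: device-authorization + token endpoints (RFC 8628), in-process."""

    def __init__(self, clock, interval=5, lifetime=600):
        self.clock, self.interval, self.lifetime = clock, interval, lifetime
        self.pending = {}   # device_code -> grant record
        self.tokens = {}    # access_token -> {"client_id", "scope"}

    def device_authorization(self, client_id, scope):
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))
        self.pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "approved": False, "denied": False, "last_poll": None,
            "expires": self.clock() + self.lifetime}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://idp.example/device",  # constructed
                "interval": self.interval, "expires_in": self.lifetime}

    def decide(self, user_code, approve):  # the admin's click after the notification
        for rec in self.pending.values():
            if rec["user_code"] == user_code:
                rec["approved" if approve else "denied"] = True
                return True
        return False

    def token(self, client_id, device_code):
        rec = self.pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now > rec["expires"]:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if rec["last_poll"] is not None and now - rec["last_poll"] < self.interval:
            rec["last_poll"] = now
            return {"error": "slow_down"}          # polled faster than allowed
        rec["last_poll"] = now
        if rec["denied"]:
            del self.pending[device_code]
            return {"error": "access_denied"}
        if not rec["approved"]:
            return {"error": "authorization_pending"}
        del self.pending[device_code]              # device codes are single-use
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = {"client_id": client_id, "scope": rec["scope"]}
        return {"access_token": tok, "token_type": "Bearer", "expires_in": 300}


class SecretStore:
    """Stand-in vault: releases a host's passphrase only for a token the IdP issued
    to that host with the matching scope (idp.tokens stands in for introspection)."""

    def __init__(self, idp, passphrases):
        self.idp, self.passphrases = idp, passphrases

    def fetch(self, bearer, host):
        info = self.idp.tokens.get(bearer)
        if info is None or info["client_id"] != host or info["scope"] != f"luks:{host}":
            return None
        return self.passphrases.get(host)


class UnlockClient:
    """What the already-booted server runs while its data volume waits for a key."""

    def __init__(self, idp, store, host, clock, sleep):
        self.idp, self.store, self.host, self.clock, self.sleep = idp, store, host, clock, sleep

    def start(self):
        # A real deployment posts user_code + verification_uri to a webhook here.
        return self.idp.device_authorization(self.host, f"luks:{self.host}")

    def wait_for_passphrase(self, grant):
        interval, deadline = grant["interval"], self.clock() + grant["expires_in"]
        while self.clock() < deadline:
            resp = self.idp.token(self.host, grant["device_code"])
            if "access_token" in resp:
                return self.store.fetch(resp["access_token"], self.host)
            if resp["error"] == "slow_down":
                interval += 5                      # back off, as RFC 8628 requires
            elif resp["error"] != "authorization_pending":
                raise PermissionError(resp["error"])
            self.sleep(interval)
        raise TimeoutError("admin did not approve in time")


def demo(approve=True):
    """Whole exchange on a simulated clock; the admin decides 12 s after the request."""
    state = {"now": 1000.0, "decided": False}
    idp = DeviceFlowIdP(lambda: state["now"])
    store = SecretStore(idp, {"db01": "correct horse battery staple"})  # constructed

    def sleep(seconds):  # constructed: advancing time is what triggers the admin
        state["now"] += seconds
        if state["now"] >= 1012 and not state["decided"]:
            state["decided"] = idp.decide(grant["user_code"], approve)

    client = UnlockClient(idp, store, "db01", lambda: state["now"], sleep)
    grant = client.start()
    return client.wait_for_passphrase(grant)
```

`demo()` runs the approved path and returns the passphrase; `demo(approve=False)` ends in `access_denied`. The two design points worth taking from it are that the token is scoped to exactly one host’s volume and is checked by the secret store, not trusted because it parses, and that the client honours `slow_down` and `expired_token` instead of hammering the token endpoint from initrd-adjacent code. On a real host the same client would be a small service (curl in a loop works too) that the units needing the data partition order themselves after.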
How long did it take to get zpool-attach? I will not join the waiting list 😉
The selling point of unraid is that you can mix and match different disk sizes and it figures out a (good, efficient?) way to handle them even as you grow a pool. You’re not going to have a good time with a 1 TB drive, a 2 TB drive and a 15 TB drive using zfs; unraid doesn’t care… (Using and preferring zfs myself, by the way; this is hearsay.)
I love the simplicity of this, I really do, but I don’t consider this SSO. It may be if you’re a single user, but even then, many things I’m hosting have their own authentication layer and allow offloading only to some oidc-/oauth or ldap-provider.
Deployment of NC on kubernetes/docker (and maintenance thereof) is super scary. They copy config files around in the dockerfile, for example; it’s a hell of a mess. (And not just docker: I have one instance running on an old-fashioned webhosting with only ftp access and I have to manually edit .ini and apache config after each update since they’re being overwritten.) As the documentation of OCIS is growing and it gets more features, I might actually change even the larger instances, but for now I must consider it as not feature complete (since people have expectations from nextcloud that aren’t met by ocis and its extensions). Moreover, I have more trust in the long-term openness of nextcloud as opposed to owncloud, for historical reasons.

I am considering switching as well, for similar reasons. What has been holding me back (besides missing time to plan and do the migration) is that I don’t quite trust ownCloud any more, and due to a lack of documentation, I would want to run it in parallel for some time to get the hang of it before migrating the other users (which adds to the time constraint).
I’ll most likely deploy using their helm chart – does anyone have any real-world experience with it?
Thanks, the bootstrapping idea was not mentioned in the comments yet. And your blog looks promising; I will have a more thorough look soon.
Nice, thanks, again! I overlooked the dependency instructions in the container service file, which is why I wondered how the heck podman figures out the dependencies. It makes a lot of sense to do it like this, now that I think of it.
Awesome, so, essentially, you create a name.pod file like so:
[Unit]
Description=Pod Description
[Pod]
# stuff like PublishPort or networking
and join every container into the pod through the following line in the .container files:
Pod=name.pod
and I presume this all gets started via
systemctl --user start name.service and systemd/podman figures out somehow which containers will have to be created and joined into the pod, or do they all have to be started individually?
(Either way, I find the documentation of this feature lacking. Once I have tested this stuff myself, I’ll look into improving it.)
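To make the “how does podman figure out which containers belong to the pod” part concrete, here is an added example (my own code, not podman’s, and not part of the original thread): a small parser for quadlet `.pod`/`.container` files that reproduces, in simplified form, the `[Unit]` dependencies quadlet adds for `Pod=` membership, and then computes what systemd pulls in when the pod’s service is started. The unit texts are constructed in-memory. The directive names (`Wants=`/`Before=` on the pod’s service, `BindsTo=`/`After=` on each container’s service) and the `<stem>-pod.service` naming are my reading of podman-systemd.unit(5), so treat them as assumptions and confirm on a real host with the generator’s dry-run mode (`/usr/lib/systemd/system-generators/podman-system-generator --user --dryrun`).

```python
FILES = {  # constructed sample units, one pod and three containers
    "name.pod": "[Unit]\nDescription=Pod Description\n\n[Pod]\nPublishPort=8080:80\nPublishPort=8443:443\n",
    "web.container": "[Unit]\nDescription=web\n\n[Container]\nImage=docker.io/library/nginx:alpine\nPod=name.pod\n",
    "db.container": "[Container]\nImage=docker.io/library/postgres:16\nPod=name.pod\n",
    "solo.container": "[Container]\nImage=docker.io/library/alpine:3\n",
}


def parse_unit(text):
    """INI-like parse; repeated keys (PublishPort=, Volume=, ...) are kept as lists."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, _, value = line.partition("=")
        current.setdefault(key.strip(), []).append(value.strip())
    return sections


def service_name(filename):
    """Assumed quadlet naming: name.pod -> name-pod.service, web.container -> web.service."""
    stem, ext = filename.rsplit(".", 1)
    return f"{stem}-pod.service" if ext == "pod" else f"{stem}.service"


def generate(files):
    """Return {service: {directive: [targets]}} for the [Unit] links quadlet adds."""
    units = {service_name(f): {"Wants": [], "Before": [], "BindsTo": [], "After": []}
             for f in files}
    for fname, text in files.items():
        if not fname.endswith(".container"):
            continue
        pods = parse_unit(text).get("Container", {}).get("Pod", [])
        if len(pods) > 1:
            raise ValueError(f"{fname}: Pod= may be given only once")
        for pod in pods:
            if not pod.endswith(".pod") or pod not in files:
                raise ValueError(f"{fname}: Pod={pod} does not name an existing .pod file")
            pod_svc, ctr_svc = service_name(pod), service_name(fname)
            units[ctr_svc]["BindsTo"].append(pod_svc)   # container cannot outlive the pod
            units[ctr_svc]["After"].append(pod_svc)     # pod infra starts first
            units[pod_svc]["Wants"].append(ctr_svc)     # starting the pod pulls members in
            units[pod_svc]["Before"].append(ctr_svc)
    return units


def started_by(units, target):
    """Transitive closure over Wants=: everything systemd starts along with `target`."""
    seen, todo = set(), [target]
    while todo:
        svc = todo.pop()
        if svc in seen:
            continue
        seen.add(svc)
        todo.extend(units[svc]["Wants"])
    return sorted(seen)


if __name__ == "__main__":
    units = generate(FILES)
    print(started_by(units, "name-pod.service"))
    print(parse_unit(FILES["name.pod"])["Pod"]["PublishPort"])
```

Under these assumptions `started_by(units, "name-pod.service")` yields the pod service plus `db.service` and `web.service`, while `solo.service` (no `Pod=`) is untouched: one `systemctl --user start name-pod.service` is enough, and the containers don’t have to be started individually. The `BindsTo=` link is also what stops the containers when the pod goes down.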
I’ve wondered myself and asked here https://lemmy.world/post/20435712 – got some very reasonable answers
Thanks for the analysis; I had also seen the API keys, but I didn’t check the deployments.
I guess this answers my question then: No one is using it because not even the dev gets it deployed – highly “avaliable” 🤣