I use an SSH tunnel. Doesn't need more than a barebones VPS running OpenSSH.
WiseCookie69
joined 11 months ago
ArgoCD. If there's something that doesn't come with a Helm chart, I just wrap it into bjw-s' common chart (https://github.com/bjw-s/helm-charts/tree/main/charts) and call it a day.
If they're VMs, just install the kernel you want - keeping them updated is your responsibility anyways. If they're containers (Virtuozzo), you're not gonna change the kernel anyways.
Normal background noise. You expose stuff to the public and in return you make friends with a bunch of bots.
Granted I use Kubernetes, but here you go:
- I run stuff with user namespaces, so even a root process within the container is unprivileged on the host
- I isolate namespaces via NetworkPolicies
- Even my Nextcloud instance has no business checking upstream for updates (I have Renovate for that)
- I use securityContexts to make my containers as unprivileged as possible:
  - drop all capabilities
  - enforce a read-only container filesystem
  - enforce running as a specific UID/GID (many maintainers are lazy and just run their stuff as root)
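What the list above looks like as manifests, as an added example that is not the poster's own configuration: a Deployment with user namespaces, a locked-down securityContext and a read-only root filesystem, plus a default-deny NetworkPolicy for the namespace with a single DNS allow rule (so an app like the Nextcloud example cannot phone home to check for updates unless an explicit egress rule is added). The namespace `apps`, the image, the UID 10001 and the `k8s-app: kube-dns` label on the cluster DNS pods are assumptions; `hostUsers: false` additionally needs a cluster and runtime with user-namespace support enabled.

```yaml
# Added example (not from the original post). Names, image and UID are hypothetical.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-app          # hypothetical workload name
  namespace: apps            # hypothetical namespace
spec:
  replicas: 1
  selector:
    matchLabels:
      app: example-app
  template:
    metadata:
      labels:
        app: example-app
    spec:
      # User namespace: UID 0 inside the container maps to an unprivileged
      # UID on the node. Needs user-namespace support on cluster and runtime.
      hostUsers: false
      securityContext:
        runAsNonRoot: true
        runAsUser: 10001     # hypothetical fixed UID/GID instead of root
        runAsGroup: 10001
        fsGroup: 10001
        seccompProfile:
          type: RuntimeDefault
      containers:
      - name: app
        image: registry.example/app:1.2.3   # hypothetical image
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop: ["ALL"]
        volumeMounts:
        - name: tmp
          mountPath: /tmp    # the one writable path the app still gets
      volumes:
      - name: tmp
        emptyDir: {}
---
# Default deny for everything in the namespace, ingress and egress.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: apps
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
---
# Only DNS egress to the cluster resolver is re-allowed. Anything else
# (including upstream update checks) needs its own explicit egress rule.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: apps
spec:
  podSelector: {}
  policyTypes: ["Egress"]
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns   # assumed label of the cluster DNS pods
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
```

Apply with `kubectl apply -f` and confirm the effect with `kubectl exec` into the pod: `id` should show UID 10001, `touch /etc` should fail with a read-only filesystem error, and an outbound `curl` to anything but DNS should time out until a matching egress rule exists.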
I'd set up something like that to hand out the password to a (previously prepared) KeePass database in case something happens to me, so that everything is readily available for my loved ones to aid with cleaning up after me.