I use firewalld as generic firewall and fail2ban as IPS/anti-bruteforce solution (blocks IPs using firewalld’s ipsets)

I have copied the latest git revision c67b943aa894b90103c4752ac430958886b996b2 from https://gitlab.tt-rss.org/tt-rss/tt-rss to my gitea instance which is mirrored to https://gitlab.com/nodiscc/tt-rss and https://github.com/nodiscc/tt-rss.

I don’t intend to make changes or bugfixes (it’s working fine), but I will try to keep it compatible with the PHP version in Debian stable, since I’ve been using it for years and would really like to keep doing so.

If you needs are simple, write a simple playbook using the proxmox ansible module https://docs.ansible.com/ansible/latest/collections/community/general/proxmox_kvm_module.html

Terraform/Opentofu provides more advanced stuff but then you have to worry about persistent state storage, the clunky DSL… used it when acsolutely needed, you can do 90% of this stuff with the proxmox ansible module.

If you need to make your playbook less verbose, move the logic to a role so that you can configure your VMs from a few lines in the playbook/host_vars. Mine looks like this (it’s for libvirt and not proxmox, but the logic is the same)

# playbook.yml
- hosts: hypervisor.example.org
  roles:
    - libvirt

# host_vars/hypervisor.example.org.yml
libvirt_vms:
  - name: vm1.example.org
    xml_file: "{{ playbook_dir }}/data/libvirt/vm1.example.org.xml"
    state: running
    autostart: yes
  - name: vm2.example.org
    xml_file: "{{ playbook_dir }}/data/libvirt/vm2.example.org.xml"
    autostart: no
  - name: vm3.example.org
    xml_file: "{{ playbook_dir }}/data/libvirt/vm3.example.org.xml"
    autostart: no
  - name: vm4.example.org
    xml_file: "{{ playbook_dir }}/data/libvirt/vm4.example.org.xml"
    autostart: no
    disk_size: 100G

turn that monitor off and save power?

• Ever tested restoring those backups? Do you have the exact procedure written down? Does it still work? If the service gets compromised/data corrupted on sunday, and your backup runs, do you still have a non-compromised backup and how old is it?
• How timely can you deal with security fixes, and how will you be alerted that a security fix is available?
• How do you monitor your services for resource availability, errors in logs, security events?
• How much downtime is acceptable for routine maintenance, and for incidents?
• Do you have tooling to ensure you can redeploy the exact same configuration to another host?
• How do you test upgrades before pushing them to production?

Not saying this is impossible, you just need to have these questions in mind, and the answers written down before you start charging people for the service, and have the support infrastructure ready.

Or you can just provide the service for free, best-effort without guarantees.

I do both (free services for a few friends, paid by customers at $work, small team). Most of the time it’s smooth riding but it needs preparation (and more than 1 guy to handle emergencies - vacations, bus factor and all that).

For the git service I can recommend gitea + gitea-actions (I run the runners in podman). Gitlab has more features but it can be overwhelming if you don’t need them, and it requires more resources.

I use RSS feeds, bump version numbers when a new release is out, git commit/push and the CI does the rest (or I’ll run the ansible playbook manually).

I do check the release notes for breaking changes, and sometimes hold back updates for some time (days/weeks) when the release affects a “critical” feature, or when config tweaks are needed, and/or run these against a testing/staging environment first.

Debian

RTFM https://join-lemmy.org/docs/administration/administration.html

Right, I just spent 10 minutes looking for documentation that doesn’t involve shitty expensive SaaS/PaaS, couldn’t find anything. That disqualifies it for me as well, sorry for wasting your time.

I’ll keep watching this thread, relevant to my interests as well. At work we let ansible (in pull mode) handle the Linux fleet, Android we don’t have enough devices to bother, and are looking towards jamf for macs. But I’d love to find a FOSS solution too, our requirements are simple enough (as you said install/remove stuff, change basic settings)

My prod and testing environments are 2 libvirt VMs on the same hypervisor. They run the same services, deployed and managed by ansible. The testing VM just gets less disk/CPU/RAM resources, and is powered off most of the time. Simple config changes? Straight to prod. New feature, risky change? Testing first.

Ionos works for me. I’ve used OVH, Scaleway as well, no problems.

https://fleetdm.com/ doesn’t look bad, would this work?

upgrades:

• distribution packages: unattended-upgrades
• third party software: subscribe to the releases RSS feed (in tt-rss or rss2email), read release notes, bump version number in my ansible playbook, run playbook, done.

vulnerabilities:

• debsecan for distribution packages
• trivy fort third-party applications/libraries/OCI images
• wazuh for larger (work) setups

Follow the official documentation, nothing else comes close.

I have automated this process in my nextcloud ansible role

• simple: rsyslog: all local logs to a central syslog file (using the imfile module), all syslogsfrom all server to a central rsyslog server (over TCP/SSL, example here). Use lnav or something similar to consume the logs
• more complex, resource-heavy: Graylog Open as a replacement for the central rsyslog server, setup pipelines/alerts/whatever… Currently considering replacing my Graylog instance with Wazuh but I don’t know yet if it will be able to replace it completely for me

security

with containers, software maintainers also need to keep their image up-to-date with latest security fixes (most of them don’t) - whereas these are usually handled by unattended-upgrades or similar in a VM. Then put out a new release and expect users to upgrade ASAP. Or rebuild and encourage redeploying the latest image every day or so, which is bad for other reasons (no warning for breaking changes, the software must be tested thoroughly after every commit to master).

In short this adds the burden of proper OS/image maintenance for developers, something usually handled by distro maintainers.

trivy is helpful in assessing the maintenance/vulnerability level of OCI images.

https://lemmy.world/comment/13349298

homebank (desktop app) + weekly import of new transactions using woob/bank and a basic shell script. Homebank database synced via Nextcloud.

Please not these posts again

This thread is pinned for a reason: https://lemmy.world/post/60585

You just have to find the channel_id buried in the page source

I use this Firefox addon for that: https://addons.mozilla.org/en-US/firefox/addon/youtube-rss-finder/ - really useful