That sounds like build automation. You can use some Git forge software.


Some attackers check services that have already cataloged the services you are running, even on uncommon ports. You won’t hear from them unless you are running a potentially vulnerable service.


If you’re self-hosting Headscale you can configure your network such that Headscale is reachable on your network with or without internet access and available from the internet.


Don’t expect Gitea to make progress on federation. Forgejo is a fork of Gitea and anybody that cares about federation is probably on the Forgejo side of the fork.


If you’re running Kubernetes, what is the point of LXC or Proxmox in this setup? Kubernetes will give better scaling and utilization.


Giving a container access to the docker socket allows container escapes, but if you’re doing it on purpose with a service designed for that purpose there is no problem. Either you trust Watchtower to manage the other containers on your system or you don’t. Whether it’s managing the containers through a mounted docker socket or with direct socket access doesn’t make a difference in security.
I don’t know if anybody seriously uses Watchtower, but I wouldn’t be surprised. I know that companies use tools like Argo CD, which has a larger attack surface and a similar level of system access via its Kubernetes service user.


Mounting the docker socket into Watchtower is fine from a security perspective, but automatic updates can definitely cause problems. I used to use Renovate and it would open a pull request to update the version.


Git does have a server component. When git connects to an ssh remote it executes an ssh command that needs to be present.


You’re missing GitLab. I’d be looking at GitLab or Forgejo.
But you might not need this. When you access a private Git repository, you’re normally connecting over SSH and authenticating using SSH keys. By default, if you have Git installed on a server you can SSH to and you have a Git repository on that server in a location you can access, you can use that server as a Git remote. You only really want one of these services if you want the CI pipelines or collaboration tools.


The issue says at the bottom that SealedSecrets is unaffected.


At least in the past, if you had a fixed amount of work to complete, underclocking would increase overall power consumption.


Port scanning isn’t abuse but automatically filing frivolous abuse reports is.


It’s not normal for - model-cache:/cache to be deleted on restart or even upgrade. You shouldn’t need to do this.


The server responds with a 404 error. If you’re using a reverse proxy, make sure the reverse proxy rules are right. Does it work when you connect directly?


It’s relatively easy for Cloudflare to profile clients as being web scrapers. A concerning amount of internet traffic goes through their servers in plain text.


Is this a lost karma bot?


A less intrusive solution would be to just put your sensitive data in LUKS and configure services that use that data to depend on the partition being mounted. That doesn’t require modifying the normal system startup process. You’re less likely to mess up your startup process at the expense of needing to be more mindful about where you’re putting your files.
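As an added illustration of the approach in this comment (example configuration, not something the commenter posted), assuming a LUKS partition at /dev/sdb1 opened under the name secret, mounted at /srv/secret, and a service called myapp.service that reads from it:

```ini
# Added example, not from the original comment. Assumed names: LUKS partition
# /dev/sdb1, mapper name "secret", mount point /srv/secret, unit myapp.service.

# /etc/crypttab -- "noauto" keeps the volume out of the normal boot sequence,
# so a missing passphrase never stalls startup; it is unlocked on demand.
secret  /dev/sdb1  none  luks,noauto

# /etc/fstab -- "noauto" again, plus a short device timeout so that starting
# the mount while the volume is still locked fails quickly instead of hanging.
/dev/mapper/secret  /srv/secret  ext4  noauto,x-systemd.device-timeout=10s  0  2

# /etc/systemd/system/myapp.service.d/secret-mount.conf -- drop-in for the
# service that uses the sensitive data. RequiresMountsFor= adds Requires= and
# After= on srv-secret.mount, so the service will not start until the
# encrypted volume is unlocked and mounted, and is stopped when the mount is
# stopped. The rest of the boot process is untouched.
[Unit]
RequiresMountsFor=/srv/secret

# Operator workflow after a reboot (systemctl prompts for the passphrase on
# the terminal it is run from):
#   systemctl daemon-reload
#   systemctl start systemd-cryptsetup@secret.service
#   systemctl start myapp.service        # pulls in srv-secret.mount
#
# Sanity check: with the volume still locked, "systemctl start myapp.service"
# must fail after the device timeout rather than start without its data:
#   systemctl status srv-secret.mount myapp.service
```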


Tang and Clevis have already been mentioned as a way for one server to boot using another server.
You can also create an environment where the server boots into a phase 1 where it obtains network connectivity and then waits for you to provide it the key to continue booting. The first phase is unencrypted, so don’t put sensitive data in there.


It is bad practice because of point 2 and if you have multiple replicas you can probably get different versions running simultaneously (never tried it). Get Renovate. It creates PRs to increment the version number and it tries to give you the release notes right in the PR.


You can use OpenEBS to provision and manage LVM volumes. Host path requires you to manually manage the host paths.