Not_your_guy_buddy42

joined 1 year ago

So, I run OPNsense in a VM on Proxmox. There is only one drawback I am aware of, which is when I update the Proxmox host itself, I'll need to attach a monitor/keyboard/mouse to it. Theoretically, if the upgrade was fully automatic and never needing any intervention or user input, it'd be possible without: But the reality is more that it might need user input, but the OPNsense VM will not be booted i.e. network will be down i.e. I need direct access to the Proxmox host.

You didn't say how you currently keep your data...

The NAS can do almost everything you need except offsite C2.
For example Synology ((so far I only had these)) has a built-in DynDNS service that gives you a subdomain you can access the NAS through without extra steps. I bet all the other NAS brands have this built-in as well. Whichever you pick, definitely have 2FA enabled. Also if you can setup your storage pool as btrfs that's great too.

As others pointed out, you need an offsite copy on some C2 provider or a friend's NAS or whatever. (if you've really no budget, you could get a bunch on free subscriptions (dropbox etc.) and split up the backups between them).
The NAS will have an app that already supports a whole lot of providers + things like external USB drive and you can setup automatic backup there.

It's funny how as a self-hoster with no open ports, sort of supply chain attacks are almost my biggest worry... Here's the tidbits I've collected so far, but just getting into this so take it with a grain of salt ...

  1. working out how to run my containers as non-root... Most support this already. It's adding a user:UID:GID in the compose file and making sure that user can read and write to any dirs you want to map, and it's done. Now whatever runs in the container does not have root and less chance of shenanigans in its container and on the host.
    Some smaller projects, you have to tweak or rebuild.*
  2. If I can manage I'll also run the docker daemon as rootless as the next milestone. I already had this working on Proxmox Ubuntu VM, but could not get it to work on a netcup VPS, for example.
  3. Docker sock proxy
  4. VLANs
  5. in compose files, if the containers can handle it:
    security_opt:
    - no-new-privileges:true
    cap_drop:
    - ALL
  6. (I have to work out the secrets stuff! secrets in files, ansible vault,...)

(* One example for non-rootifying a docker, I got tempo running as non root the other night as it is based on a nginx alpine linux image, after a while I found a nginx.conf file online where all the dirs are redirected to /tmp so nginx can still run if a non-root user launches it. Mapped that config file to the one in the container, set it to run as my user and it works. Did not even have to rebuild it.)