Establish containerised and more secure infrastructure

[cyckl]

We obviously need to beef up security and isolation between our running services, and find a way to manage the load across many different systems that we have running on the network.

• K8s / K3s seems to be overkill from my short experience with it—microservice focused for individual applications
• Docker is proprietary
• Raw Linux namespace management seems like a pain
• Plan 9 isn't secure nor practical
• I am out of ideas

[doamatto]

For host operating systems, we can use secure lightweight distros of BSD or Linux. If everything we run is in a container, it doesn't matter the host, in fairness. Alpine or OpenBSD would be my best recs in this regard.

As for containers, here are a few ideas:

• Podman— FOSS drop-in for Docker (Simply put: alias docker=podman)
• LXC/LXD— Canonical sponsored container/virtualisation project
• containerd is also an option; it's basically the same software Docker and K8s use.
• Jailing on BSD

We can also set strict rules for firewalls; namely the recommendation from Tailscale. In short,

To                          Action      From
--                          ------      ----
Anywhere on tailscale0      ALLOW IN    Anywhere
41641/udp                   ALLOW       Anywhere
Anywhere (v6) on tailscale0 ALLOW IN    Anywhere (v6)
41641/udp (v6)              ALLOW       Anywhere (v6)

We could leave openings for DNS and open for 443/80 for things like lleb.me and any other public middlemen tools we use along the way. It would be a good start however.

[doamatto]

I also find it pertinent to mention I found this while researching container projects.

[doamatto]

Renamed to provide further clarity in discussions.

[cyckl]

Podman seems to be promising mainly because it's manually orchestrated but still OCI-ready. I'll try to do some testing.

[doamatto]

@cyckl how has Podman testing gone? If it seems to be a good fit, I think it's worth a test deploy of things such as basic web services.

[doamatto]

I've shared internally a dummy mock-up diagram for how operations will likely be in the extended future. I won't post it yet as it's not quite ready for literally any entertainment, but it's good to ensure we can have services mirrored and "peered" per-se with one another so that we can be as spread out as we desire and still access resources at the excess of speeds that we desire.

It's currently planned that the longest distance will be at most ~10'000 kilometres and, at shortest, ~6'700 kilometres. Internet providers on both ends provide speeds that would be sufficient (usually a minimum of 1 gigabit (TWC)/1,2 gigabit (CMCSA) and a maximum of 8 gigabit (SFR)). Mitigating as much latency as possible is ideal. In a perfect world, we'd all be in the same backyard and latency would be a nullifying concept, as well as WAN internet speeds.

I think Podman supports K8s if I'm not mistaken. It means we can begin with Podman and scale easily with Podman "Pods" that are basically just K8s pods. This should ultimately be the best pathway for using containers and the ease of scaling/becoming redundant/improving general performance.

Further insight is not only recommended, but requested, by all those who can provide valuable of such.

[doamatto]

@cyckl Found this to help ease your suicidal tendancies from struggles to deploy LDAP.

https://github.com/glauth/glauth

[doamatto]

It's an alternative to Tail/Headscale that would give us similar functionality. This would be the only step in the way of us being fully independent and in control of our infrastructure. We would still want to use rented servers to host whatever their equivalent is of web UIs, DERP servers, et al.

https://docs.zerotier.com/self-hosting/network-controllers

[doamatto]