Errar es humano. Propagar errores automáticamente es #devops
- 0 Posts
- 6 Comments
On a completely unrelated side note: I like to see paralellisms of SOLID principles of OOP development and system administration.
A container may have one responsability. Or a service config (like nginx) may be closed to modifications but open to extensions, to avoid some automated client breaking elsewhere, etc, etc.
Sometimes I like to thing about system administration like some kind of very high level development.
spoiler
To mods: I have no problem to delete this comments if it doesn’t fit this community
- For kuberentes stuff, I use external-secrets-operator. It can be paired with selfhosted stuff, like Hashicorp Vault.
- For machines, disk encryption LUKS, and then files in plain text, with minimal permissions: mode 400.
- For my laptop, keepass.
In my opinion, for home selfhosted stuff you don’t have to go for complex solutions. In the industry, the problem is that secrets needs to be served to different systems, by different people, with some kind of audit logs. Unless you are working with lots of people, environment variables are OK. You github/gitlab may have all scripts with variables, and your disk may have a .env file with mode 400. If you make any machine or container with a single responsibility, there should be no secret leaks among them.
For example, let say your wordpress instance gets pwned. It should only have its needed secrets (like its db credentials), so your wikimedia instance is still fine.
Do you really need the RAID online all the time? Because if you can afford to shut it down for a few hours, it is way less work to do a backup, and then build a new RAID with your SSDs.
I’m not sure if the RAID controller will like two different kind of drives. I’d check the docs if it says something.
If you need a vegan pet get a bunny, lol.
Not feeding dogs and cats with meat-based food is cruel af.