Uptime Funk

Jan 25, 2026

Listen to this episode

When your self-hosted services become infrastructure, breakage matters. We tackle monitoring that actually helps, alerts you won't ignore, and DNS for local, and multi-mesh network setups.

Transcript

WEBVTT 00:00:11.417 --> 00:00:16.197 Hello, friends, and welcome back to your weekly Linux talk show. My name is Chris. 00:00:16.377 --> 00:00:17.017 My name is Wes. 00:00:17.237 --> 00:00:18.077 And my name is Jeff. 00:00:18.697 --> 00:00:22.837 Hello, gentlemen. Coming up on the show this week, one piehole, 00:00:22.997 --> 00:00:26.857 two VPNs, and zero public exposure. I'm pretty proud of this one. 00:00:27.197 --> 00:00:30.997 Then, it's our pitch to ditch your GUI-only monitoring system, 00:00:31.137 --> 00:00:34.797 and why we rolled out Prometheus and Grafana. 00:00:35.037 --> 00:00:37.417 And then we're going to round the show out with some great boosts, 00:00:37.577 --> 00:00:40.157 some great picks, and a whole lot more. So before we go any further, 00:00:40.357 --> 00:00:43.137 time-appropriate greetings to our virtual lug. Hello, Mumble Room. 00:00:43.677 --> 00:00:45.817 Hello, Wes, and hello, Brent. 00:00:46.137 --> 00:00:50.217 Hi. Yeah, you can join us in the Mumble Room or at jblive.tv. 00:00:50.837 --> 00:00:55.617 Make it a Tuesday on a Sunday. We have the times at jupiterbroadcasting.com slash calendar. 00:00:55.817 --> 00:00:59.197 And a big good morning to our friends over at Defined Networking. 00:00:59.497 --> 00:01:03.797 Go check out Nebula VPN. They have a full managed product, 100 devices, 00:01:04.017 --> 00:01:04.937 no credit card required. 00:01:05.097 --> 00:01:08.037 Support the show, defined.net slash unplugged. 00:01:08.517 --> 00:01:11.777 It is a great service. And, you know, when I've thought about it a lot, 00:01:11.837 --> 00:01:15.697 I talk about how Slack used it and they launched it in 2017 to build out the 00:01:15.697 --> 00:01:18.697 security around the Slack global empire. And I talk about how Rivian uses it 00:01:18.697 --> 00:01:21.677 for real time analytics for the cars to do securely on the road. 00:01:22.805 --> 00:01:27.825 And those are all really big-scale projects. But recently, I've appreciated 00:01:27.825 --> 00:01:33.045 how great Nebula is on a 1, 2, 3 node network. 00:01:33.205 --> 00:01:39.705 And the fact that I can set up a on-demand mesh network that has name resolution 00:01:39.705 --> 00:01:41.305 and everything. We'll talk more about this. 00:01:42.045 --> 00:01:47.085 And there's no big tech login. There's no third-party hosted admin dashboard. 00:01:48.105 --> 00:01:52.825 Nothing like that. It's just two machines using cryptographic keys talking to each other. 00:01:52.945 --> 00:01:54.245 It's just a couple of text files, really. 00:01:54.845 --> 00:02:00.265 It's so powerful for small home lab stuff, and it's so scalable to massive enterprise stuff. 00:02:00.405 --> 00:02:03.525 And you can try it out with our fully managed product and support the show by 00:02:03.525 --> 00:02:06.485 going to define.net slash unplugged. 00:02:06.545 --> 00:02:10.525 You're going to like it a lot. And I'll tell you, I've been using it on extremely 00:02:10.525 --> 00:02:12.145 limited bandwidth connections. 00:02:12.745 --> 00:02:16.265 And it's so much better, and it's so much more resource sensitive. 00:02:16.445 --> 00:02:22.705 It's way lighter. It's way lighter. Check it out, define.net slash Nebula. 00:02:22.945 --> 00:02:25.825 And thank you to Define for sponsoring the Unplugged program. 00:02:28.525 --> 00:02:34.245 All right, you know we've got to mention it. Planet Nix and Scale23x are 39 days away. 00:02:35.125 --> 00:02:39.665 That means 33 days until Brent needs to be going down the road, at least. 00:02:40.105 --> 00:02:41.445 Let's just round that to 30. 00:02:41.725 --> 00:02:45.505 And six, I believe, or five, actually, more Linux Unplugs, maybe, 00:02:45.605 --> 00:02:47.445 until we need to be on the road ourselves. 00:02:47.605 --> 00:02:47.905 Wow. 00:02:47.905 --> 00:02:48.625 So it's coming up. 00:02:48.825 --> 00:02:50.545 I think we better get in the Nixie mood. 00:02:50.825 --> 00:02:54.465 Yeah, and I am really looking forward. Planet Nix has a theme this year. 00:02:54.605 --> 00:02:55.925 It's where builders come together. 00:02:56.225 --> 00:03:00.465 And our Nix coverage is supported again by Phlox, who's focused on making reproducible 00:03:00.465 --> 00:03:02.065 dev environments actually usable. 00:03:02.125 --> 00:03:04.445 And it's a fantastic tool. 00:03:04.605 --> 00:03:10.085 So check out Phlox and come see us at Scale and Planet Nix. You do need to register at Scale. 00:03:10.765 --> 00:03:14.525 And you can take 40% off that registration with our promo code UNPLG, 00:03:14.725 --> 00:03:20.105 U-N-P-L-G. and we'd love to see you there. One other item. 00:03:22.031 --> 00:03:26.391 The meetup page is now live. The details are not yet locked in. 00:03:26.531 --> 00:03:28.571 The date, time, location likely to change. 00:03:29.531 --> 00:03:32.131 But you can join the meetup and you'll be the first to get updates. 00:03:32.431 --> 00:03:37.571 And if you are intending to join us at the meetup, please consider signing up 00:03:37.571 --> 00:03:39.931 for the meetup. Please. We'd love to see you there. 00:03:40.251 --> 00:03:43.811 Last time we had about 80 more people than we expected. Great problem to have. 00:03:44.571 --> 00:03:48.071 It was very stressful on the restaurant staff. And they thankfully could open 00:03:48.071 --> 00:03:51.871 up. They had to open up another wing for us, which they were able to do. 00:03:52.491 --> 00:03:55.651 but this time we wanted to give them a great heads up. So if you're planning 00:03:55.651 --> 00:03:58.191 to make it and I want to bring a guest, there's room for that too. 00:03:58.531 --> 00:04:00.391 Just let us know. And we'll plan accordingly. 00:04:00.871 --> 00:04:04.511 Meetup.com slash Jupiter broadcasting link in the show notes to the direct meetup. 00:04:05.191 --> 00:04:07.411 We'd really appreciate it. If you could make it, if you're in the area, 00:04:07.991 --> 00:04:10.751 even if you can't go to the event, you're welcome to join us at the meetup. 00:04:11.431 --> 00:04:16.451 We did get one submission for that. I saw for a swag idea that we could hopefully 00:04:16.451 --> 00:04:20.531 have together for scale and Linux fest. It was a nice one. 00:04:20.931 --> 00:04:24.091 I'll show it to you boys after the show but I'd like to see a few more send 00:04:24.091 --> 00:04:27.431 them in to unplugged at jupiterbroadcasting.com or tag Wes in Matrix, 00:04:29.191 --> 00:04:33.451 and let us know we'll try to put one together pretty soon so we all have a uniform 00:04:33.451 --> 00:04:37.951 that we can identify each other with and have easy conversation hey I know you 00:04:37.951 --> 00:04:39.331 you listen to the show are. 00:04:39.331 --> 00:04:40.031 We getting hats. 00:04:41.411 --> 00:04:44.671 Ooh you know I'm a hat guy now you know I'm a hat guy now that's right, 00:04:47.918 --> 00:04:52.478 Well, what is, in a name, gentlemen, in short, convenience, right? 00:04:52.838 --> 00:04:56.478 When you set up your home lab or your enterprise network, whatever it is, 00:04:56.578 --> 00:05:00.058 it is eventually inevitable that you need good name resolution. 00:05:00.338 --> 00:05:04.378 I suspect for you there might be a spousal approval factor in the mix for that too. 00:05:04.598 --> 00:05:08.058 Yeah, and also just a memory factor. It gets hard to remember, 00:05:08.118 --> 00:05:10.418 especially the mesh network VPNs and the LAN IPs. 00:05:11.298 --> 00:05:14.318 And, of course, I have to go and make it hard, and I have multiple mesh networks 00:05:14.318 --> 00:05:16.578 now, multiple locations. 00:05:17.618 --> 00:05:22.118 some behind double carrier grade NAT a couple of them behind double carrier 00:05:22.118 --> 00:05:27.658 grade NAT so I had to go and make it hard on myself and I want sensible name 00:05:27.658 --> 00:05:32.418 resolution that works on the LAN and works across the various mesh networks, 00:05:33.538 --> 00:05:38.598 so I can just you know connect by machine name to all of them and then I need 00:05:38.598 --> 00:05:43.318 something also that does fast forwarding out to the internet and then can cache 00:05:43.318 --> 00:05:44.938 that so then future queries are faster. 00:05:44.938 --> 00:05:47.458 And then was it something you wanted to, like, I don't know, 00:05:47.518 --> 00:05:51.318 do you have some of these services that depend on other services in a way where, 00:05:51.318 --> 00:05:53.198 like, DNS is how they find each other? 00:05:53.638 --> 00:05:55.938 Yeah, and there's a lot of things I've set up are just by name now. 00:05:57.198 --> 00:06:03.478 So, you know, I had a basic pie hole going on my tail net, and I had a basic pie hole going on my LAN. 00:06:04.578 --> 00:06:06.078 But then we set up my wife's clinic. 00:06:06.258 --> 00:06:12.338 And was the tail net pie hole was running, like, as a container on a VPS or something? 00:06:12.338 --> 00:06:16.438 Yeah, and it just only had an interface on the Tailnet. So it was just acting 00:06:16.438 --> 00:06:17.738 as name resolution for the Tailnet. 00:06:17.858 --> 00:06:21.378 And then I kind of combined that with MagicDNS and sort of had the whole Tailnet thing solved. 00:06:21.638 --> 00:06:23.678 Then I had to go set up another network and all of that. 00:06:24.298 --> 00:06:28.458 And I also just kind of wanted to take another look at this and see if I couldn't do this better. 00:06:28.938 --> 00:06:33.998 But when I had set it up for the Tailnet only on the VPN, I took a shortcut. 00:06:34.698 --> 00:06:38.678 And instead of having to worry about exposing a pie hole to the internet... 00:06:40.126 --> 00:06:43.266 I just only bound it to the tail net interface. 00:06:44.306 --> 00:06:49.106 So I didn't have to worry about public IP and the internet, you know, 00:06:49.186 --> 00:06:52.146 banging on my pie hole server that's on a VPS because it couldn't talk to it. 00:06:52.506 --> 00:06:56.306 But if I wanted to make this pie hole usable across multiple mesh networks, 00:06:56.646 --> 00:07:00.626 it meant undoing that sort of convenience in security I had and coming up with 00:07:00.626 --> 00:07:03.386 a better security architecture to go across multiple networks. 00:07:04.886 --> 00:07:08.366 That's where it got a little kind of more complicated because 00:07:08.366 --> 00:07:12.006 i went from the easy way to the hard way and so 00:07:12.006 --> 00:07:14.726 there's multiple uh layers i kind of took 00:07:14.726 --> 00:07:18.126 to this and i kind of like to hear your guys's feedback on this so the first 00:07:18.126 --> 00:07:23.726 step i took is i wasn't sure if this is the right call but i essentially put 00:07:23.726 --> 00:07:29.886 the pie hole container on host networking so it could see all the interfaces 00:07:29.886 --> 00:07:32.406 And then in the configuration, 00:07:32.866 --> 00:07:38.126 I limited by application configuration to only bind to the tail net and the 00:07:38.126 --> 00:07:41.706 Nebula VPN interfaces and to not bind to the WAN interface. 00:07:42.026 --> 00:07:44.846 So at an application configuration layer, I did that. 00:07:45.126 --> 00:07:51.906 And then at another layer, I also set up ACLs with IP tables, 00:07:52.166 --> 00:07:55.746 just real basic IP tables that blocks all traffic on port 53. 00:07:55.746 --> 00:07:59.486 So like just in case, you know, for a moment, like when PyHole's starting up, 00:07:59.646 --> 00:08:03.166 if for a brief moment it bound to port 53 on the WAN interface, 00:08:03.566 --> 00:08:06.826 this would essentially prevent that from happening. Or if I make a config change 00:08:06.826 --> 00:08:10.566 mistake in the future, it prevents it from exposing it to the public internet. 00:08:11.706 --> 00:08:13.906 And so that's sort of the... 00:08:15.147 --> 00:08:18.507 multi-layer approach in a way and then all the communications just happening 00:08:18.507 --> 00:08:22.687 over the mesh vpns i'm not communicating with the buy hole at all no admin interface 00:08:22.687 --> 00:08:24.207 nothing over any public interface, 00:08:25.087 --> 00:08:29.707 how do you feel i did is that too risky would you brent would you be comfortable 00:08:29.707 --> 00:08:31.747 with that deployment i suppose i. 00:08:31.747 --> 00:08:37.807 Mean to me that feels probably more fine than anything that i've probably deployed 00:08:37.807 --> 00:08:43.167 in the past so it seems okay but really i'm not the pro or anything like that 00:08:43.167 --> 00:08:48.147 but But what I'm getting from you is that this is upping your peace of mind with this. 00:08:48.287 --> 00:08:51.387 But there's also some hesitation. So I'm curious to hear what Wes has to say. 00:08:51.887 --> 00:08:54.907 I do think it seems totally reasonable. You could, you know, 00:08:55.447 --> 00:08:58.587 get with the times and use NF tables already. No, I'm just kidding. 00:08:59.047 --> 00:09:02.487 I did actually, that actually considered, I was like, ah, this is what I know. But yeah. 00:09:02.687 --> 00:09:08.187 I think from background discussions, I picked up maybe you were using a sidecar before? 00:09:08.467 --> 00:09:09.467 A tailscale sidecar, yeah. 00:09:09.987 --> 00:09:14.087 So I think maybe in like another version, if you were going like fully, 00:09:14.107 --> 00:09:19.767 you know, application mesh native could be to just double down on the sidecar. 00:09:19.847 --> 00:09:20.667 Do a nebulous sidecar. 00:09:20.787 --> 00:09:24.247 Yeah. Like have it serve those two interfaces just in its own containerized 00:09:24.247 --> 00:09:25.127 networking environment. 00:09:25.127 --> 00:09:25.707 I like that. 00:09:25.847 --> 00:09:28.827 Where things might get more complicated depending on exactly what you want and 00:09:28.827 --> 00:09:32.387 convenience, et cetera. What matters to you is what you're doing with that host. 00:09:32.567 --> 00:09:36.367 And is that host then wanting to query the pie hole? And are you going to let 00:09:36.367 --> 00:09:40.027 that happen over local host? Or in this scenario, you'd either need to replumb 00:09:40.027 --> 00:09:43.687 stuff and forward it or rely on it only querying it over the mesh, 00:09:43.727 --> 00:09:45.627 which would probably be fine, but maybe you don't want to do that. 00:09:45.767 --> 00:09:51.527 The host is also on the tail net. So there's that too. But yeah, that is a tricky part. 00:09:52.547 --> 00:09:57.147 Technically, the host OS can't talk to it over the network, which hasn't been an issue yet. 00:09:58.383 --> 00:10:01.023 But so that's the basic, that's the core network setup, okay? 00:10:01.163 --> 00:10:05.103 And then what I decided to do was I turned off the tailscale MagicDNS stuff 00:10:05.103 --> 00:10:12.923 and didn't like the results because I do not have DNS entries for every machine on my tail net. 00:10:13.023 --> 00:10:16.643 And that's what MagicDNS was solving for me. So my sort of compromise solution 00:10:16.643 --> 00:10:24.143 was I re-enabled MagicDNS and then I added this pie hole as the upstream DNS server for MagicDNS. 00:10:24.503 --> 00:10:26.903 And I think that worked seemingly pretty well. 00:10:27.403 --> 00:10:29.303 and then I enabled the DNS. 00:10:29.503 --> 00:10:33.003 Right, so in that setup, TailScale will answer sort of right away for the TailScale 00:10:33.003 --> 00:10:36.063 host and then forward to your setup for anything it doesn't know about where 00:10:36.063 --> 00:10:37.403 you have to find your own manual entries. 00:10:37.483 --> 00:10:39.563 And that's where you'll find entries for the Nebula devices. 00:10:39.863 --> 00:10:40.123 Nice. 00:10:40.323 --> 00:10:45.743 And then you can configure the Nebula lighthouse to suggest a DNS server to the clients. 00:10:46.990 --> 00:10:51.150 And, um, that is, that's a really simple, it's like two lines of configuration 00:10:51.150 --> 00:10:53.150 on the lighthouse and you just give it the DNS server. 00:10:53.550 --> 00:10:57.450 And then, so that's also helping the Nebula clients discover who they're supposed 00:10:57.450 --> 00:10:58.610 to talk to for name resolution. 00:10:58.950 --> 00:11:02.250 And since I only have like three nodes on this little tiny, maybe four nodes 00:11:02.250 --> 00:11:07.190 now on this little tiny network, I'll talk more about super easy to just add the entries manually. 00:11:07.250 --> 00:11:10.330 And I don't, if this is going to be for a private clinic, so I don't think I'll be adding more hosts. 00:11:10.450 --> 00:11:13.670 One thing we should play with, which I haven't yet, but I'd like to get more 00:11:13.670 --> 00:11:19.090 into is doing either delegation or maybe using an API to trigger updates because 00:11:19.090 --> 00:11:21.970 Nebula lighthouses can serve DNS. 00:11:22.330 --> 00:11:22.410 Yeah. 00:11:22.890 --> 00:11:26.350 So you could also, depending on if you want to, maybe the static has advantages 00:11:26.350 --> 00:11:29.070 too, of course, but you could also maybe set it up so... 00:11:29.070 --> 00:11:29.190 Yeah. 00:11:29.590 --> 00:11:32.930 You know, the pie hole would just query Nebula and be able to answer for the 00:11:32.930 --> 00:11:34.670 Nebula host without you having to hard code it. 00:11:34.750 --> 00:11:39.630 The advantage was on the pie hole DNS server, now I also have a bunch of entries 00:11:39.630 --> 00:11:41.810 for the devices that are on my LANs. 00:11:41.950 --> 00:11:46.150 So it hosts here at the studio and hosts at the RV are also on this DNS server. 00:11:46.270 --> 00:11:50.730 So all the machines, if you're on the LAN, whichever LAN you're on, 00:11:50.870 --> 00:11:54.710 or whichever Mesh VPN network you're on, we all can resolve the same host names now. 00:11:55.070 --> 00:11:57.790 So that's kind of why I didn't go that direction. 00:11:58.490 --> 00:12:01.610 But I think that would be an easier setup if you just had a couple of machines. 00:12:01.870 --> 00:12:04.890 Well, I meant like integrating the two, like keeping the pie hole, 00:12:05.390 --> 00:12:08.090 just letting Nebula answer for the host it knows about. 00:12:08.310 --> 00:12:11.190 Oh, okay. And then would it upstream to the pie hole when it does? 00:12:11.290 --> 00:12:13.750 I see. Yeah, I like, okay. Oh my God, change. 00:12:13.750 --> 00:12:18.430 How do you feel, Chris, about the need for internet access here? 00:12:18.530 --> 00:12:23.990 Because occasionally you don't actually have access whenever a storm comes by 00:12:23.990 --> 00:12:25.430 or you're traveling, that kind of thing. 00:12:25.530 --> 00:12:29.230 So your name resolution internally on your local network would be affected. 00:12:29.230 --> 00:12:31.110 Is that a correct understanding? 00:12:31.630 --> 00:12:38.510 I did. Yeah. And so for that, I kept my pie hole on my LAN. And it forwards now to this guy. 00:12:38.710 --> 00:12:39.090 Nice. 00:12:39.370 --> 00:12:41.890 But for the most part, because that pie hole has been around so long, 00:12:41.950 --> 00:12:45.590 I have all these same DNS entries already. So, but I did keep it for that reason. 00:12:46.925 --> 00:12:52.905 And I'm very happy now. It adds complexity to have two mesh networks and, 00:12:52.905 --> 00:12:58.365 you know, multiple LANs, but it's seamless now to the end user now that I've done this. 00:12:58.565 --> 00:13:04.465 So I'm pretty happy, and the latency is pretty good even for LTE connections, really. 00:13:05.045 --> 00:13:07.805 Well, you know, it kind of makes sense, too. It's like, it'd be one thing if 00:13:07.805 --> 00:13:10.605 you didn't have the existing infrastructure and all that, but because you kind 00:13:10.605 --> 00:13:14.345 of have hosts that are positioned to fit into both of these networks or could 00:13:14.345 --> 00:13:16.225 bridge them, like it doesn't actually. 00:13:16.225 --> 00:13:18.425 You didn't have to stand up a bunch of new infrastructure. You kind of just 00:13:18.425 --> 00:13:22.245 had to reprovision some of it to better work with your new setup. 00:13:22.465 --> 00:13:25.225 I would like to actually ask, so if you want to boost in or send us a contact, 00:13:25.525 --> 00:13:29.225 if you were building this from scratch, so I already had a pie hole going. 00:13:29.525 --> 00:13:32.105 But if you out there, listener, were building this from scratch, 00:13:32.105 --> 00:13:34.565 what would you have used to do this name resolution? 00:13:34.885 --> 00:13:37.885 Because it did cross my mind. Like, maybe this is just a stupid DNS mask thing. 00:13:37.965 --> 00:13:39.265 I just set up a simple DNS mask. 00:13:39.885 --> 00:13:43.725 But then I like the idea of a little bit of ad blocking for the systems as well. 00:13:43.725 --> 00:13:45.525 That's nice. That's a nice feature that comes with it. 00:13:46.225 --> 00:13:49.165 And you can do dns mask configuration with. 00:13:49.165 --> 00:13:53.105 Pot all right because it uses like a forks version that was my conclusion yeah 00:13:53.105 --> 00:13:57.425 i was like yeah well i might i kind of get and i know how to use it yep and 00:13:57.425 --> 00:14:00.965 it's worked fine for me and it's survived multiple major upgrades now so it's 00:14:00.965 --> 00:14:05.025 past those tests as well so it's a good project but i would be curious like 00:14:05.025 --> 00:14:07.385 i think you probably would use tectidium or technically that would least. 00:14:07.385 --> 00:14:11.145 Be not or like because i know can do sort of like delegate zones where it will 00:14:11.145 --> 00:14:14.825 say like hey for anything in this sub you know maybe you have like dot nebula 00:14:14.825 --> 00:14:18.345 demands or whatever, go query this server for those and then return those. 00:14:18.485 --> 00:14:21.885 It also has some plugin capability, which I haven't really explored. Um, 00:14:23.215 --> 00:14:25.255 Or, you know, there's a lot of good options these days. 00:14:25.295 --> 00:14:27.935 Yeah, I saw some people that were solving this with AdGuard. 00:14:28.895 --> 00:14:31.095 Okay, yeah. Yeah, you could totally use Bind, of course. 00:14:31.495 --> 00:14:33.895 So I'd just be interested to know how people are solving this. 00:14:35.055 --> 00:14:37.975 I would also like to know if anybody has a way to solve this declaratively, 00:14:38.015 --> 00:14:40.175 you know, so that would also be a winner in my book. 00:14:40.635 --> 00:14:41.855 But while we were talking about 00:14:41.855 --> 00:14:45.235 Nebula, you've been working on something that's kind of slick, Wes Pano. 00:14:46.015 --> 00:14:50.055 Yeah, it was just an idea we had while we were toying around with setting up 00:14:50.055 --> 00:14:51.255 the clinic the other week. 00:14:51.255 --> 00:14:56.755 was, well, what if you just had like a low-key, you know, not crazy production 00:14:56.755 --> 00:15:00.555 scale, not being like a whole control plane for Nebula necessarily, 00:15:01.155 --> 00:15:05.175 but just something to make printing new host certs easier. 00:15:05.515 --> 00:15:09.595 Yeah, could you explain that a little bit? So if I'm not using the managed product, 00:15:09.915 --> 00:15:11.855 there's sort of some cert exchanges that have to happen. 00:15:12.375 --> 00:15:16.435 Yeah, right. So you have to, you're basically managing a CA. 00:15:16.735 --> 00:15:16.775 Right? 00:15:16.835 --> 00:15:20.875 So you have your own certificate authority, and then to get hosts onto the network, 00:15:21.535 --> 00:15:25.455 they generate their own private key but then you kind of have to sign the public 00:15:25.455 --> 00:15:28.815 part of that and that's how they get blessed with a host name and an IP address 00:15:28.815 --> 00:15:31.855 on the network and then that's how anything trusts them, 00:15:32.675 --> 00:15:35.635 when you try to communicate with something you need to be able to present that 00:15:35.635 --> 00:15:39.035 public side that is signed by the CA that they all mutually trust and. 00:15:39.035 --> 00:15:43.315 The beauty is the simplicity is it's really coming down to files you're moving 00:15:43.315 --> 00:15:47.455 around that have keys in them and that is the totality of the infrastructure 00:15:47.455 --> 00:15:48.955 actually required to get this working, 00:15:49.895 --> 00:15:54.395 And if you sit with the amazingness of that for a moment, it really is very impressive. 00:15:54.555 --> 00:15:56.495 These machines are discovering themselves. 00:15:56.675 --> 00:15:58.635 You need a lighthouse, but they're discovering or use a public one. 00:15:59.035 --> 00:16:04.455 And they're communicating and creating a mesh VPN just by exchanging these key files. 00:16:04.715 --> 00:16:08.275 Yep. And, you know, just simple concepts of groups and you have stuff signed 00:16:08.275 --> 00:16:10.095 by the right thing and it kind of all just works. But... 00:16:11.582 --> 00:16:14.342 For simple static networks, that works pretty well. But, you know, 00:16:14.562 --> 00:16:19.202 I'd been playing around with my sidecar mesh setup on NixOS. 00:16:19.582 --> 00:16:21.862 And especially for like the demos I was doing and testing it out, 00:16:21.982 --> 00:16:22.682 it was pretty convenient. 00:16:22.862 --> 00:16:26.922 You know, products like Tailscale or Netbird, they have this UX you get with 00:16:26.922 --> 00:16:30.482 basically all you need is one secret, right? Like an API key, 00:16:30.622 --> 00:16:31.962 and you can put that in somewhere. 00:16:32.162 --> 00:16:36.642 And then when the client launches, it goes and uses that to an API and then can onboard itself. 00:16:36.782 --> 00:16:41.202 And I was just like, well, I wonder if we could get that same workflow with Nebula. 00:16:41.822 --> 00:16:47.902 So NACME, or ACME for Nebula, is my little attempt at that. It's super early 00:16:47.902 --> 00:16:49.482 days. I need to do a bunch more testing. 00:16:49.942 --> 00:16:52.562 Eventually, it'd be great to do renewals too. But right now, 00:16:52.702 --> 00:16:56.102 it's at the initial testing stage of just being able to, you run a little server, 00:16:56.302 --> 00:17:01.462 you configure an API key that's bound to certain groups, and then you have a 00:17:01.462 --> 00:17:06.282 little client that can run and go get a new host onboarded. 00:17:06.602 --> 00:17:09.242 And so if you configure that, I also want to set up a bunch of this stuff, 00:17:09.242 --> 00:17:13.442 especially with nick's side but configure it to run before nebula uh you could 00:17:13.442 --> 00:17:17.482 have it go item potently check to see if it needs to configure the the host 00:17:17.482 --> 00:17:20.802 for the first time set up the keys and everything and then have nebula start 00:17:20.802 --> 00:17:23.462 and be ready to go or at least that's the idea. 00:17:24.102 --> 00:17:29.442 Yes this is really neat so it's automated certificate minting and it gives you 00:17:29.442 --> 00:17:33.442 essentially like you said it's a like an api key type type exchange. 00:17:33.442 --> 00:17:36.502 The goal too would be like it's sort of best effort right it's meant for like 00:17:36.502 --> 00:17:39.502 home lab or you know stuff where you maybe you're not going to go the full like 00:17:39.502 --> 00:17:41.382 crazy it automation it's. 00:17:41.382 --> 00:17:43.802 Great for like a small business network like we were just setting. 00:17:43.802 --> 00:17:46.522 And the whole thing with nebula right is like there are some 00:17:46.522 --> 00:17:49.482 trade-offs you have less with those certs and the way it's kind of like more 00:17:49.482 --> 00:17:53.562 like a jwt kind of style of trust you know you don't necessarily have this one 00:17:53.562 --> 00:17:57.222 database that determines all of the truth right in a sort of less eventually 00:17:57.222 --> 00:18:01.602 consistent way but the upside is nebula will just keep working right as long 00:18:01.602 --> 00:18:06.422 as the certs aren't expired like there's no the control plane nothing happens nothing goes down what. 00:18:06.422 --> 00:18:09.122 Freaked me out recently was the idea that maybe, 00:18:10.316 --> 00:18:16.996 My Google account could be suspended because, so PayPal decided to flag my account 00:18:16.996 --> 00:18:18.436 for like re-verification. 00:18:19.076 --> 00:18:21.916 And it's a very complicated process. It's not just like a regular, 00:18:22.096 --> 00:18:24.616 it's like a very in-depth, multiple types of documentation. 00:18:24.616 --> 00:18:26.216 What did you do? Nothing. 00:18:26.356 --> 00:18:26.856 I don't know, man. 00:18:26.876 --> 00:18:27.416 That's usually what it is. 00:18:27.496 --> 00:18:32.556 I don't know. But it occurred to me that if our Google Workspace account payment 00:18:32.556 --> 00:18:36.556 got bounced because of PayPal, then I might not be able to authenticate to my tail net anymore. 00:18:37.516 --> 00:18:39.136 And that freaked me out a little bit. 00:18:39.296 --> 00:18:39.516 Yeah. 00:18:39.516 --> 00:18:42.876 And that's where I was like, oh, the simplicity of these keys and the fact that 00:18:42.876 --> 00:18:47.376 they'll work for as long as I issue these keys for is very reassuring. 00:18:47.616 --> 00:18:50.376 And so my thought was this was like worst case, you know, like even if this 00:18:50.376 --> 00:18:54.316 is down, you can still manually add things like this is just a convenience functionality 00:18:54.316 --> 00:18:55.656 to make it easier to onboard hosts. 00:18:55.656 --> 00:19:00.016 So this is not setting up routing. This is not setting up the networking layer 00:19:00.016 --> 00:19:03.636 stuff. This is just keys to get you going to then build that stuff. 00:19:03.796 --> 00:19:04.016 Exactly. 00:19:04.596 --> 00:19:07.396 That's really cool. NACME. I like the name, too. It's very clever. 00:19:07.496 --> 00:19:08.336 I think that could take off. 00:19:08.996 --> 00:19:14.896 so uh we'll put a link in the show notes it's on wes's github n-a-c-m-e mit 00:19:14.896 --> 00:19:20.876 licensed indeed indeed uh and uh version 0.10 was released just recently. 00:19:20.876 --> 00:19:25.596 Yeah we'll see i should cut a new version it's move it's you know it's moving 00:19:25.596 --> 00:19:27.356 fast and uh needs more tests. 00:19:30.795 --> 00:19:34.635 I want to say thank you to our members and our boosters. Next week, 00:19:34.655 --> 00:19:36.355 I'm calling it a birthday episode, boys. 00:19:36.575 --> 00:19:38.915 I don't know what we're going to do, but check this out. 00:19:39.175 --> 00:19:44.255 So Brian and I started podcasting in January, right around my actual birthday, 00:19:44.255 --> 00:19:48.595 almost exactly 20 years ago to the day for next week's episode. 00:19:49.455 --> 00:19:52.775 20 years of podcasting on my birthday next week. 00:19:52.915 --> 00:19:56.275 So if that's not a long-term commitment to the space, I don't know what is. 00:19:56.455 --> 00:19:57.855 So send a birthday boost. 00:19:58.055 --> 00:20:01.735 We'd love that. or become a member and use the promo code bootleg. 00:20:01.855 --> 00:20:04.095 We have a couple of, well, we have a handful of redemptions left. 00:20:05.415 --> 00:20:09.735 And, you know, you become a member at the party or a core contributor and support 00:20:09.735 --> 00:20:10.835 the show at a great discount. 00:20:11.315 --> 00:20:14.455 And if you'd like to get your company or product in front of the world's largest 00:20:14.455 --> 00:20:16.595 and best Linux audience, show me an email. 00:20:16.975 --> 00:20:19.935 Chris at jupiterbroadcasting.com. This space could be yours. 00:20:20.275 --> 00:20:24.575 And thank you to everybody who supports the show. We greatly appreciate it. 00:20:27.683 --> 00:20:30.883 Now, Chris, for the last two episodes, you've been talking about deploying, 00:20:30.883 --> 00:20:35.723 you know, a bunch of new machines at a clinic, making sure you have the responsibility 00:20:35.723 --> 00:20:39.243 for keeping your wife's business happy from a tech perspective. 00:20:39.723 --> 00:20:44.863 And now you're putting up, you know, some infrastructure that you also need 00:20:44.863 --> 00:20:50.143 to be working at all times. I would imagine now is the time to make sure all 00:20:50.143 --> 00:20:52.943 that stuff yells at you whenever it's not in good health. 00:20:52.943 --> 00:20:54.003 Right he. 00:20:54.003 --> 00:20:57.883 Wanted to uh just leave a business card with my phone number on it but i didn't 00:20:57.883 --> 00:20:58.803 think that was a great idea. 00:20:58.803 --> 00:21:02.723 And part of me is like well we should do this why it's still fresh in the mind 00:21:02.723 --> 00:21:08.563 because this stuff fades oh yeah and i thought well if we're going to do this for hadia's clinic, 00:21:09.383 --> 00:21:12.643 um maybe i should do this for my own infrastructure and then i thought wouldn't 00:21:12.643 --> 00:21:17.003 it be great if we could build something that if we ever did this you know on 00:21:17.003 --> 00:21:19.543 occasion for audience members or whoever, 00:21:20.003 --> 00:21:23.363 wouldn't it be nice if we could also offer to monitor their stuff and i could 00:21:23.363 --> 00:21:26.703 build something that was pretty flexible like this and i'm sure you boys are 00:21:26.703 --> 00:21:28.343 familiar with uptime kuma, 00:21:29.163 --> 00:21:34.123 we actually use it at jb alex set it up for us a while ago and we like it it's 00:21:34.123 --> 00:21:38.983 pretty simple and it alerts us when something goes offline like one of our websites 00:21:38.983 --> 00:21:43.843 via telegram bot and it creates a nice dashboard super easy to self-host and 00:21:43.843 --> 00:21:48.563 they have a demo i'll put a link in the show notes And it does monitoring for HTTP, TCP. 00:21:49.023 --> 00:21:54.843 It can search website keywords, check WebSockets, do ping, check DNS records, stuff like that. 00:21:55.023 --> 00:21:56.663 Very easy, straightforward to get going. 00:21:56.883 --> 00:22:00.863 Yes. So obviously that was the first thing I decided because this is what I 00:22:00.863 --> 00:22:02.003 have the most experience with. 00:22:02.423 --> 00:22:06.783 And I thought this will be the way to go. Can you guess what the problem was? 00:22:07.003 --> 00:22:11.303 Well, I think I know because it's been a longstanding issue we've had with the project. 00:22:11.423 --> 00:22:12.403 In fact. What's that? 00:22:12.603 --> 00:22:14.943 A lack of declarative configuration. 00:22:15.463 --> 00:22:19.323 Yeah, man, it's just really gooey. Well, I had to set up something like, 00:22:19.323 --> 00:22:25.323 you know, 45 hosts and services to monitor and I was sitting there creating 00:22:25.323 --> 00:22:30.423 all the entries and I'm like, this is going to take me to two days to do. 00:22:31.530 --> 00:22:34.890 And also because I wanted them to be actionable and all this stuff. So it's like, oh, my God. 00:22:35.030 --> 00:22:40.230 And then I also wanted tiered escalating alerts. So first ping me via notify. 00:22:40.710 --> 00:22:43.610 So because I have a lot of stuff coming in via NTFY these days. 00:22:44.190 --> 00:22:47.210 And so that's sort of a feed of just checking on my systems. 00:22:47.230 --> 00:22:48.750 And if I'm available, I check it. 00:22:49.150 --> 00:22:54.390 But if I'm not presently thinking about my infrastructure, my systems, I don't check it. 00:22:54.590 --> 00:22:57.850 So I needed something that would break through to Telegram and kind of, you know, kick it up. 00:22:57.850 --> 00:22:58.110 Yeah. 00:22:58.250 --> 00:23:01.730 And so I wanted and I wanted it based on different thresholds and trends. 00:23:01.950 --> 00:23:06.190 And so when I started getting into I need to add, let's just say 45 ish host 00:23:06.190 --> 00:23:11.530 combination services, maybe more and more complex alerting with a little bit more nuance. 00:23:13.395 --> 00:23:17.135 I really started to hit two different walls. Like my GUI exhaustion kicked in. 00:23:17.315 --> 00:23:19.435 Like if I was adding like five systems, I would just done it. 00:23:19.895 --> 00:23:23.675 And then trying to get complex logic around alerts started to get frustrating. 00:23:24.395 --> 00:23:28.055 Yeah, you combine those two. That could be pretty annoying, especially if you 00:23:28.055 --> 00:23:31.695 have to like go configure it and then go run the test and then go see if it 00:23:31.695 --> 00:23:34.895 did the thing you want and then go repeat that cycle a whole bunch. 00:23:35.555 --> 00:23:40.515 Yeah, man. So I decided to break the seal on something that I have never, 00:23:40.515 --> 00:23:45.035 I've never bothered learning. I've never wanted to embrace because of the overhead. 00:23:45.035 --> 00:23:47.575 It's been a long time coming on the show. I'm excited for this. 00:23:47.595 --> 00:23:53.035 It has. Ladies and gentlemen, I have finally deployed my first Prometheus instance. 00:23:53.395 --> 00:23:53.815 Woohoo! 00:23:54.115 --> 00:23:58.155 And of course, once you have a Prometheus instance, you want pretty dashboards 00:23:58.155 --> 00:23:59.475 and you want all the details. 00:23:59.675 --> 00:24:04.255 So along with that, I have also finally deployed my first Grafana instance. 00:24:04.795 --> 00:24:07.355 Yeah, something tells me you really deployed the Grafana and then you just got 00:24:07.355 --> 00:24:08.815

Previous episode

Next episode

Search

Listen on

Apple Podcasts Spotify RSS feed