FrederikNJS

I realised a while ago that it’s way cheaper to hunt for second-hand intel NUCs, and the resulting machine is way more powerful… And the RAM and storage is upgradeable, if the NUC didn’t come with plenty of storage or RAM already…

https://youtube.com/watch?v=VbJ4ilDvGyc

https://docs.renovatebot.com/

All my docker images are in code in Github.

Renovate makes a PR when there are image or helm chart updates.

ArgoCD sees the PR merge and applies to Kubernetes.

For a few special cases I use ArgoCD-image-updater.

Well… Canada has a land border with Denmark…

I have my Firefox configured to force HTTPS, so it’s rather inconvenient to work with any non-HTTPS sites.

Because of that I decided to make my own CA. But since I’m running in Kubernetes and using cert-manager for certs, this was really easy. Add a resource for a self-singed issuer, issue a CA cert, then create an issuer based on that CA cert. 3 Kubernetes resources total: https://cert-manager.io/docs/configuration/ca/ and finally import the CA cert on your various devices.

However this can also be done using LetsEncrypt, with the DNS01 challenge. That way you don’t need to expose anything to the Internet, and you don’t need to import a CA on all of your devices. Any cert you issue will however appear in certificate transparency logs. So if you don’t want anyone to know that you are running a Sonarr instance, you shouldn’t issue a certificate with that in it’s name. A way around that is a wildcard cert. Which you can then apply to all your subservices without exposing the individual service in logs. The wildcard will still be visible in the logs though…

In addition people often use VLANs for security segregation. For example you might buy a bunch of cheap Chinese security cameras, but want to ensure that they can’t send anything back to the manufacturer. Then you can make a VLAN with no Internet access for the cameras.