Create accountLogin

Recent searches

No recent searches

Search options

Only available when logged in.
urbanists.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
We're a server for people who like bikes, transit, and walkable cities. Let's get to know each other!

Administered by:

Server stats:

537
active users

urbanists.social: AboutProfiles directoryPrivacy policy

Mastodon: AboutGet the appKeyboard shortcutsView source codev4.3.7

#truenas

9 posts8 participants1 post today
Public
Edd

About a week later than planned, I finally have my blogpost on automating step-ca in my #HomeLab, using #Puppet to automatically setup, and ensure renewal of, short-lived ssh certificates on all my hosts.

The end result is that all my internal certificates, both SSH and X509 for TLS have lifespans < 48 hours, so I'm way ahead of the Browser CA Forum's 47-day-lifespan-by-2029-plan.

At least, that's the first half of the post; the second half is then me describing all the services that I can't control through puppet, and how I wrangled them into Supporting SSH certificates whether they wanted to or not. Including #Truenas, #QNAP, #Opnsense, #HomeAssistant and #Forgejo/#Gitea.

It's mostly talking about SSH certs, but it also touches on issuing regular X509 certs for their web interface certificates, for the ones that don't support ACME properly (spoiler: that's most of them 😩)

Given this is probably of interest to maybe a dozen people on the Fediverse, it's probably not worth all the time I put into it, but on the plus side, I feel I understand how everything works incredibly well now, which will be useful going forward. (In before someone puts a comment here telling me how I could have fixed some of the problems I hit here much easier!)

Check it out, if it sounds at all interesting to you: i.am.eddmil.es/posts/ssh-certi

I Am Edd Miles · Trouble with Certificates: Automating my SSH CA and the many many exceptions required
More from Edd
Public
computing competence
#Wochenbericht KW18:

- Mo-Di: Netzwerkübergabe bei einem lokalen Museum. 20 Jahre gewachsene Strukturen wollen erklärt werden. Keine leichte Aufgabe. Schön ist, das eine Reihe von #Debian Servern involviert sind. Sonst diverse Kleinigkeiten: #3CX Einstellungen
- Mi: Übergabe des in KW16 aufgebauten Netzwerks an "Operations" und Erklärung der #Dokumentation, die in #Git gepflegt wird. Begeisterung auf Seiten des Kunden und dem Wunsch die eigene Doku ebenfalls in einem eigenen Repository abzulegen. Sonst diverse Kleinigkeiten: #TrueNAS Update, #Windows Updates
- Do: Feiertag
- Fr: Brückentag, den gönn ich mir

Highlight: Eine Woche der Dokumentationen. Eine echt unterschätze und leider oft vernachlässigte Arbeit. Die ersten Aufgaben konnten im Team @besendorf@chaos.social und @oliver@lfnt.site verteilt werden. Et wird!
Public
MrAndrewD

Nerd alert!

My kingdom for a gold rated SFX 450W power supply with 2 X Molex outlets with stock in Australia. I've waited for stock for over 4 months.

Will even take a 500W one at a pinch, but given that the destination system will probably draw 50W other than during startup, it's at the low efficiency output of the PSU's efficiency curve.

#NAS#TrueNAS#JonsboN2
Public
Kate Hildenbrand

Anyone successfully taken apart a Dell Power Edge and moved all the components to a different case?

We are wondering if it makes more sense to rebuild the Dell or start over (and if so, how?).

If we start over, we'll add a graphics card but we do have the Dell, so we'd prefer continuing to use it instead of figuring out what components to spend money on.

Those finished solutions aren't the right choice for us.

#trueNAS#homeServer
Public
Emory

i wonder if i could move my NVME #zfs zpool to a Thunderbolt-equipped NAS like the #ugreen models, install #trueNAS Scale, and slide my NVME flash storage pool to a filer, instead of my creative workstation, which would free up 4-8 lanes on PCI-E for me?

current mood: pool compatibility flags for zfs-on-#macOS

Public *
Hessenhelden

Bevor ich auf #TrueNAS #Scale umgestiegen bin, war meine erste Wahl für NAS-SW ganz klar #UnRaid – vor allem wegen der größeren Flexibilität bei der Hardware. Was ich jedoch nie nachvollziehen konnte: Wie kann man sich bei einem Betriebssystem ausgerechnet auf einen USB-Stick als Bootmedium verlassen? Die Probleme damit sind doch quasi vorprogrammiert. TNAS ist sicherlich auch nicht fehlerfrei, aber dass es nicht vom USB-Stick bootet, ist definitiv ein Pluspunkt.

forums.unraid.net/topic/184472

#NAS
Public
Edd

Had one of those days of problem chains today. I've rebuilt #homelab internal CA over the past two weeks, and today I wanted to do the simple task of making my #truenas scale server get it's web certificate from it over acme.

Well problem one, truenas doesn't do acme via anything other than dns challenges, which I haven't setup internal dns for yet. So (given my Truenas was still running 24.04) I decided to upgrade it to 24.10 to see if that added any functionality. The upgrade was smooth, but it once again broke my #clevis automatic unlock of my storage pool.

So then I decided to fix my unlock script to cleanly handle updates (and fixed it so that pool passwords could contain " while I was at it, because why not)

Then having fixed that, I decided I should update my blog post (i.am.eddmil.es/posts/clevis-ta) about it from last year with the new more robust script.

I then realised when I'd updated all my firewall rules last month, I'd broken ssh access from my #forgejo runner to my webserver used for auto deploy website updates, so I had to fix the #puppet that controls the firewall rules.

Finally that was all working, so I updated my truenas to 25.04, in the vain hope that would have better acme support (it doesn't, but at least it validated my clevis script updates, and was the only thing today that just worked as intended)!

Finally I hacked something hideous together using github.com/danb35/deploy-freen and acme.sh to get a certificate from my acme server and deploy it (which I could have done at the start and skipped the whole day fixing other problems)

Taking 6 hours to deploy an SSL cert wasn't quite what I had planned for my Easter Sunday, but at least I achieved it in the end. Onwards to see what chaos I can cause tomorrow...

I Am Edd Miles · Clevis and Tang with Truenas Scale
More from Edd
ExploreLive feeds
About