Duck time again.

I've got this new machine ("hedgehog", hosted by Hetzner, 6-core, 64GB, 1TB disk, 30EUR/month, no IPv4), and I'm still not sure where it fits in the network.

It can, obviously, just be its own machine. Easy to set up, but it doesn't have IPv4 (and Hetzner don't run a gateway in either direction).

I could put it behind a CDN (only just thought of that!), but I don't want to pay any more than I have to, and I don't want to depend on people I don't need to.

Or, and this is what I want really, I can set up a VPN to wepiu and route traffic, possibly by putting both machines into a cluster.

(Or, I can just drop wepiu and spend the extra 2EUR/month on an IPv4 address).

That last one is a new thought, but it's got a point. Oh, but it would mean moving from Mythic's IP reputation to Hetzner's. Let's not do that.


Looks like that's most of the work done for the Auth server. Next up is getting it running somewhere.

That depends on getting VMs up and running, which I think is waiting on networking (WireGuard is a layer 3 (IP) tunnel, but simple VM network setups expect a layer 2 (ethernet) tunnel).
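The layer 3 point above, as an added illustration that is not part of the original post: WireGuard carries IP packets, not ethernet frames, so the way to reach VMs on hedgehog from wepiu is to route the VM subnet through the tunnel rather than bridge it. WireGuard's AllowedIPs does double duty here (it is both the routing table for the peer and a source-address filter on what the peer is allowed to send, which is the "cryptokey routing" property worth keeping in mind). Every address, interface name, hostname and key below is a placeholder I have assumed; the VM network on hedgehog is assumed to be a routed bridge (vmbr0, 10.100.0.1/24) with the VMs defaulting to it, not a bridge onto the physical NIC.

```ini
# --- hedgehog: assumed /etc/wireguard/wg0.conf (all values are placeholders) ---
[Interface]
Address = 10.99.0.2/24            ; tunnel address, assumed
PrivateKey = <hedgehog-private-key>
ListenPort = 51820
; Forward between the tunnel and the routed VM bridge (assumed name vmbr0).
; Only established/related flows may come back from the VMs towards wepiu,
; so a compromised VM cannot open connections into the "internal" network.
PostUp   = sysctl -w net.ipv4.ip_forward=1
PostUp   = iptables -A FORWARD -i wg0 -o vmbr0 -j ACCEPT
PostUp   = iptables -A FORWARD -i vmbr0 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -o vmbr0 -j ACCEPT
PostDown = iptables -D FORWARD -i vmbr0 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

[Peer]
; wepiu
PublicKey = <wepiu-public-key>
Endpoint = wepiu.example.invalid:51820   ; placeholder hostname
; Cryptokey routing: packets from wepiu are only accepted if their source is
; 10.99.0.1, and only packets destined for 10.99.0.1 are sent to it.
AllowedIPs = 10.99.0.1/32
PersistentKeepalive = 25

# --- wepiu: assumed /etc/wireguard/wg0.conf (all values are placeholders) ---
[Interface]
Address = 10.99.0.1/24
PrivateKey = <wepiu-private-key>
ListenPort = 51820

[Peer]
; hedgehog, plus the routed VM subnet behind it (assumed 10.100.0.0/24).
; Listing the VM subnet here is what installs the route over the tunnel;
; no layer 2 is involved, the VMs are just another hop away.
PublicKey = <hedgehog-public-key>
Endpoint = [2001:db8::2]:51820     ; hedgehog is IPv6-only; documentation prefix as placeholder
AllowedIPs = 10.99.0.2/32, 10.100.0.0/24
```

With this in place, wepiu reaches a VM at 10.100.0.x by sending to hedgehog's tunnel peer, and hedgehog forwards it onto vmbr0; the VMs only need 10.100.0.1 as their default gateway. Anything that genuinely needs ethernet semantics (for instance DHCP or ARP across the tunnel) still won't work, which is the limitation the entry above is running into.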

Ah, well. Tomorrow's problems.


New infrastructure update: Traefik and Let's Encrypt are up.

I'm fairly sure I'm over-engineering again, but that's the fun part, yeah?

Request goes to Mythic's proxy over public internet. Proxy connects to tayet, a VM at the end of a VPN that hosts a k3s node. I might be able to eliminate the VPN, but I don't want to, I like having the "internal" network. (Now that it's been pointed out to me, I do wish that WireGuard operated at layer 2, but you can't have everything) (TODO: Look up IPsec, see if it's as bad as people make it out to be).

The dependency tree suggests that the container registry is next, then hydra/oidc, and then 'observability' (grafana et al.).

Also todo, find/write a cheap nuget repo.
