
Set up your own WireGuard rather than Tailscale; this is too much like Authy delegating AAA to a third party.

- Store your SSH public keys and host keys in LDAP.

- Use real Solaris ZFS that works well or stick with mdraid10+XFS, and/or use Ceph. ZoL bit me by creating unmountable volumes and offering zero support when their stuff borked.

- Application-notified, quiesced backups to some other nearline box.

- Do not give all things internet access.

- Have a pair (or a few) bastion jumpboxes, preferably one of the BSDs like OpenBSD. WG and SSH+Yubikey as the only ways inside, both protected by SPA port knocking.

- Divvy up hardware with a type 1 hypervisor and run Kubernetes inside guests in those.

- Standardize as much as possible.

- Use configuration and infrastructure management tools checked into git. If it ain't automated, it's just a big ball of mud no one knows how to recreate.

- Have extra infrastructure capacity for testing and failure hot replacements.



Annoying thing about WireGuard is their outdated and buggy iOS client. When you set up a DNS name with A and AAAA records it'll prefer the A address, even when you're on a 464XLAT network, so now that connection is proxied and will time out after a while.


Yep. Other reasons I had to go IPv4 only for a while despite everything else being dual stack. "Argh!" at that one vendor who can't get their act together.


How can one run vanilla WireGuard and leverage features offered by headscale? At minimum, a bunch of bash scripts would do the exact same thing, if not worse.


Don't do it with bash. You can at least use Ruby or Python to make an API for it, or use configuration management. They really didn't think about being (local) runtime configurable for the dev/ops UX, being too ultra *NIX purist with single-file plain text configuration. At least it could have a plain text watch directory like daemontools for dynamic reconfiguration.
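To make the "config management checked into git" point from the first comment and the "make an API for it in Python rather than bash" point above concrete, here is an added example (not code from the thread or from the WireGuard project). It assumes a peer inventory of the shape shown in SAMPLE_INVENTORY (an assumed format for this example, meant to live in git as JSON or YAML), validates it before anything reaches the box (keys must be base64 of exactly 32 bytes, AllowedIPs must be valid CIDRs, and no two peers may claim overlapping AllowedIPs, since WireGuard routes by AllowedIPs and an overlap silently hands one peer's traffic to another), and then renders a wg(8)-format config.

```python
"""Render a WireGuard config from a reviewable peer inventory.

Added example for this thread, not WireGuard's own tooling. The inventory
format below is an assumption of the example; in practice it would be loaded
from a JSON/YAML file tracked in git.
"""
import base64
import ipaddress

# Constructed sample inventory. Keys are dummy 32-byte values, not real keys.
SAMPLE_INVENTORY = {
    "interface": {
        "address": "10.70.0.1/24",
        "listen_port": 51820,
        "private_key": base64.b64encode(b"\x01" * 32).decode(),
    },
    "peers": [
        {"name": "laptop", "public_key": base64.b64encode(b"\x02" * 32).decode(),
         "allowed_ips": ["10.70.0.2/32"]},
        {"name": "phone", "public_key": base64.b64encode(b"\x03" * 32).decode(),
         "allowed_ips": ["10.70.0.3/32"], "keepalive": 25},
    ],
}


def validate_key(key: str) -> bytes:
    """Return the raw key bytes or raise ValueError.

    WireGuard keys are Curve25519 keys: base64 text that decodes to 32 bytes.
    """
    raw = base64.b64decode(key, validate=True)  # raises ValueError on bad base64
    if len(raw) != 32:
        raise ValueError(f"key decodes to {len(raw)} bytes, expected 32")
    return raw


def lint_inventory(inv: dict) -> list[str]:
    """Return a list of problems; an empty list means the inventory is sane."""
    errors = []
    iface = inv.get("interface", {})
    try:
        ipaddress.ip_interface(iface["address"])
    except (KeyError, ValueError) as exc:
        errors.append(f"interface.address invalid: {exc}")
    try:
        validate_key(iface.get("private_key", ""))
    except ValueError as exc:
        errors.append(f"interface.private_key: {exc}")

    seen_keys = {}   # public key -> peer name, to catch copy-paste reuse
    seen_nets = []   # (network, peer name), to catch overlapping AllowedIPs
    for peer in inv.get("peers", []):
        name = peer.get("name", "<unnamed>")
        key = peer.get("public_key", "")
        try:
            validate_key(key)
        except ValueError as exc:
            errors.append(f"peer {name} public_key: {exc}")
        if key in seen_keys:
            errors.append(f"peer {name} reuses public key of peer {seen_keys[key]}")
        seen_keys[key] = name
        for cidr in peer.get("allowed_ips", []):
            try:
                net = ipaddress.ip_network(cidr, strict=True)
            except ValueError as exc:
                errors.append(f"peer {name} allowed_ips {cidr!r}: {exc}")
                continue
            for other_net, other_name in seen_nets:
                if net.version == other_net.version and net.overlaps(other_net):
                    errors.append(f"peer {name} allowed_ips {net} overlaps "
                                  f"{other_net} of peer {other_name}")
            seen_nets.append((net, name))
    return errors


def render_config(inv: dict) -> str:
    """Render wg(8)-format text, refusing to emit anything for a bad inventory."""
    errors = lint_inventory(inv)
    if errors:
        raise ValueError("inventory rejected:\n  " + "\n  ".join(errors))
    iface = inv["interface"]
    lines = ["[Interface]",
             f"Address = {iface['address']}",
             f"ListenPort = {int(iface.get('listen_port', 51820))}",
             f"PrivateKey = {iface['private_key']}"]
    for peer in inv["peers"]:
        lines += ["", f"# {peer['name']}", "[Peer]",
                  f"PublicKey = {peer['public_key']}",
                  f"AllowedIPs = {', '.join(peer['allowed_ips'])}"]
        if peer.get("endpoint"):
            lines.append(f"Endpoint = {peer['endpoint']}")
        if peer.get("keepalive"):
            lines.append(f"PersistentKeepalive = {int(peer['keepalive'])}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_config(SAMPLE_INVENTORY))
```

The rendered text is what you would commit or have CI diff on each pull request; at deploy time it can be handed to `wg syncconf` (after `wg-quick strip`, which removes the wg-quick-only keys) so peers are reloaded without tearing the interface down. The overlap check is the one most worth keeping even if you strip everything else out.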


Headscale already has a clean API in Go, why reinvent the wheel? For fun, sure, but for production use I am gonna stick with it.

