Just wondering what tools and techniques people are using to keep on top of updates, particularly security-related updates, for their self-hosting fleet.

I’m not talking about docker containers - that’s relatively easy. I have Watchtower pull (not update) latest images once per week. My Saturday mornings are usually spent combing through Portainer and hitting the recreate button for those containers with updated images. After checking the service is good, I manually delete the old images.

But, I don’t have a centralised, automated solution for all my Linux hosts. I have a few RasPis and a bunch of LXCs on a pair of Proxmox nodes, all running their respective variation of Debian.

Not a lot of this stuff is exposed direct to the internet - less than a handful of services, with the rest only accessible over Wireguard. I’m also running OPNsense with IPS enabled, so this problem isn’t exactly keeping me up at night right now. But, as we all know, security is about layers.

Some time ago, on one of my RasPis, I did setup Unattended Upgrades and it works OK, but there was a little bit of work involved in getting it setup just right. I don’t relish the idea of doing that another 40 or so times for the rest of my fleet.

I also don’t want all of those hosts grabbing updates at around the same time, smashing my internet link (yes, I could randomise the cron job within a time range, but I’d rather not have to).

I have a fledgling Ansible setup that I’m just starting to wrap my head around. Is that the answer? Is there something better?

Would love to hear how others are dealing with this.

Cheers!

  • DeltaTangoLima@reddrefuge.comOP
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Wow. No concerns an update will bork that 90% of your fleet that sits on the VPS? That’s one reason I’m loving LXCs - anything that screws with one specific service doesn’t pose a risk to any other service.

    • Jeena@jemmy.jeena.net
      link
      fedilink
      English
      arrow-up
      4
      ·
      edit-2
      1 year ago

      It hasn’t in the last 10 or so years, but if it does it’s not a problem I have backups which I can get up and running within half an hour.

      I’m not running anything mission critical, just single user instances of Mastodon, Lemmy, Nextcloud, PeerTube, Matrix, my website, Firefox Sync, some old static websites of mine and my sister which are basically archived. So even if it’s down for a week, nobody but me cares.

      • DeltaTangoLima@reddrefuge.comOP
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        Yep, understood. My setup is a little more “mission” critical, if you consider availability of my Plex, *arrs, Home Assistant and Pi-holes being the mission, and the critical bit being that I have impatient teenagers in the house.

      • Haui@discuss.tchncs.de
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        That’s actually insanely cool! I‘m on a similar path rn. 10+ containers running services, thinking of adding peertube, lemmy and co as well as my webpages. But its still a honeserver so I‘d need to go vps at some point.

        Did you start at home or directly go to vps? How was your journey?

        In any case, thanks for sharing and have a good one. :)

        • Jeena@jemmy.jeena.net
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          Actually my goal is to move everything to a home lab server, but my last one broke a year ago and I didn’t want to spent all the money at once to buy a new one so i just moved everything to the VPS where I already had my website.

          • Haui@discuss.tchncs.de
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 year ago

            Hrhr thats actually very funny. You are basically the other car in the meme driving in the opposite direction. How did you keep it from being hacked?