This was painful to read. Yuck. It was written like clickbait. Like AI writes. Yuck.
And of course it was crossposted. If you’ve got something you need everyone to know, you gotta crosspost it everywhere.
Rocket Surgeon



Cool.
Here. SSH key issues. There was a huge forum war.
https://forum.proxmox.com/threads/ssh-keys-in-a-proxmox-cluster-resolving-replication-host-key-verification-failed-errors.138102/
But it's still a thing. That still needs to be fixed by a human. Today that's me.
Regarding CEPH and corosync on the same network … well I'm just getting started with that now. I do have them on different vlans, but it's the same 10gb set of nics. I'm hoping if it gets really lousy, my netadmin can prioritize the corosync vlan. I'll burn that bridge when I come to it.
EDIT …
The linked forum post above leads to the SSH key answer, but it's convoluted.
Here’s what I put in my own wiki.
Get the right key from each server.
cat ~/.ssh/id_rsa.pub
Make sure they match in here. Fix 'em if they don't.
/etc/pve/priv/authorized_keys
There are a couple of symlinks to fix too, but this should get it.


SSH key management in PVE is handled in a set of secondary files, while the original debian files are replaced with symlinks. Well, that’s still debian. And in some circumstances the symlinks get b0rked or replaced with the original SSH files, the keys get out of sync, and one machine in the cluster can’t talk to another. The really irritating thing about this is that the tools meant to fix it (pvecm updatecerts) don’t work. I’ve got an elaborate set of procedures to gather the certs from the hosts and fix the files when it breaks, but it sux bad enough that I’ve got two clusters I’m putting off fixing.
Corosync is the cluster. It’s a shared file system that immediately replicates any changes to all members. That’s essentially anything under /etc/pve/. Corosync is very sensitive. I believe they ask for 10ms lag or less between hosts, so it can’t work over a WAN connection. Shit like VM restores or vmotion between hosts can flood it out. Looks fukin awful when it goes down. Your whole cluster goes kaput.
All corosync does is push around this set of config files, so a dedicated NIC is overkill, but in busy environments, you might wind up resorting to that. You can put corosync on its own network, but you obviously need a network for that. And you can establish throttles on various types of host file transfer activities, but that's a balancing act that I've only gotten right in our colos where we only have 1gb networks. I have my systems provisioned on a dedicated corosync vlan and also use a secondary IP on a different physical interface, but corosync is too dumb to fall back to the secondary if the primary is still "up", regardless of whether it's actually communicating, so I get calls on my day off about "the cluster is down!!!1" when people restore backups.
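As an added example (not code from the thread or from Proxmox), a small POSIX shell check for the two failure modes described in the SSH comments above: a node's own public key missing from /etc/pve/priv/authorized_keys, and root's authorized_keys having been turned back into a plain file instead of the symlink PVE keeps into /etc/pve/priv (that symlink location is assumed here). It runs against constructed files in a temp directory; point the paths at /root/.ssh and /etc/pve/priv to use it on a node.

```shell
#!/bin/sh
# Added example, not from the thread. Paths are parameters so the demo below
# runs on constructed files in a temp dir instead of touching a live node.

# key_present AUTHORIZED_KEYS PUBKEY_FILE
# Compares only key type and base64 blob, so a changed comment (hostname)
# on one side neither hides a match nor fakes a mismatch.
key_present() {
    auth="$1"; pub="$2"
    want=$(awk 'NF >= 2 { print $1 " " $2; exit }' "$pub")
    [ -n "$want" ] || return 1
    awk -v w="$want" 'NF >= 2 && ($1 " " $2) == w { f = 1 } END { exit f ? 0 : 1 }' "$auth"
}

# symlink_ok LINK TARGET: 0 if LINK is a symlink whose literal target is TARGET
symlink_ok() {
    [ -L "$1" ] && [ "$(readlink "$1")" = "$2" ]
}

# check_node ROOT_SSH_DIR PVE_PRIV_DIR PUBKEY_FILE: 0 only if both checks pass
check_node() {
    auth="$2/authorized_keys"
    symlink_ok "$1/authorized_keys" "$auth" || { echo "authorized_keys is not a symlink to $auth"; return 1; }
    key_present "$auth" "$3" || { echo "own key missing from $auth"; return 1; }
    echo "ok"
}

# Constructed demo data: one cluster file, one node key whose comment differs
# from the cluster copy, and one node key that was never added.
demo_dir() {
    d=$(mktemp -d)
    mkdir -p "$d/pve/priv" "$d/root/.ssh"
    echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedblob1 root@pve1' > "$d/pve/priv/authorized_keys"
    echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedblob1 root@pve1.lan' > "$d/pve1.pub"
    echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedblob2 root@pve2' > "$d/pve2.pub"
    ln -s "$d/pve/priv/authorized_keys" "$d/root/.ssh/authorized_keys"
    echo "$d"
}

D=$(demo_dir)
check_node "$D/root/.ssh" "$D/pve/priv" "$D/pve1.pub"            # prints: ok
check_node "$D/root/.ssh" "$D/pve/priv" "$D/pve2.pub" || true    # prints: own key missing ...
```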


I use PVE professionally. I could spend some time bitching about how it handles ssh keys and the fragile corosync cluster management. I could complain about the sloppy release cycle and the way they move fast and break shit. Or all the janky shit they've slapped together in PBS. I could go on.
But I actually pay for a license for my homelab. And ya, it is THE thing at work now.
I've often heard it said that Proxmox isn't a great option. But it's the best one.
If you do try it, don’t bother asking questions here.
Go to the source. https://forum.proxmox.com/


The devs are some really strange folks. They would enjoy your discomfiture.
But as OP said, they are really, emphatically, antifa-level before antifa was cool, no-nazi.


I recommend reading their “Frequently Questioned Answers” document, aka Dash1.
https://fqa.9front.org/dash1.release.pdf

I’ve read a lot of tech docs through the years. Hands down, this is my favorite.
I do not recommend installing their OS, unless you have time to kill and curiosity.
9front is completely useless. It’s a programmer’s toy; a sandbox to develop some OS build ideas.


I install 9front releases, screw with a couple windows, and give up again. It’s a cycle.


I’ve been watching this thread, expected to hear this, but not yet …
I know Google’s office products are essentially the same problem, but they are at very least free (in dollars).
I haven’t used MS Office in years. We use Google at work. I use my NextCloud at home.


To be fair, there are a lot of inane articles saying this exact same thing about javascript. If it's true, it's ancient history, and I'm tired of it. I learned javascript when it was a babe, and watched many other platforms fall by the wayside. I'm not defending anything about it, but javascript works. Still.
Ok. Yes, my use case is a private document and media store. I’m ungoogling.
VPN seems like a good place to start. But I’d like a simple answer, and I expect there are none to be had. As you’ve illustrated here, I’ll find a reason to punch holes in the firewall. And then I’m going to need to secure a web server. Life happens. I’ll keep it simple for now while I sort things. Thanks for your perspective.
Ya. I understand VPN. I do enterprise IT stuff. The things I build assume a secure environment. VPN is step one.
Nailing down a web server on the internet tho … there's so many ways to attack. There's so many things to secure. And it's a bit complex to manage all that.
The nextcloud site covers hardening the server, but doesn’t even mention vpn.
I’ve been watching threads like this. I’m pretty convinced vpn is the answer.
Well, I might as well put a dog in the fight. I’m considering my final, actually secure deployment of nextcloud.
This discussion has convinced me that a vpn is the only answer.
And almost everyone says wireguard.
K. That's what I will build.
And this is the start of the longest crypto nerd fight I’ve seen on Lemmy. Well done, people!
Thanks. That’s well laid out, straightforward. I have resources at home that I want access to through my vps. This is a good blueprint.


RTFM. …
… The last thing you try.


Do it. Jump in. Just start with whatever you can assemble.
It’s a great way to keep your room warm.
I just reviewed the post again. It’s a stellar example of modern writing trends.
Read this:
Ultimate Blow Minds Change My Life Your Anything Basic Insane Advanced
Don’t you feel kinda gross now?