Numerous technical and security improvements on the infrastructure that supports https://mstdn.dk

• DNS simplified extensively by migrating public facing secondary nameservers to #NSD using #CatalogZones from PowerDNS + DNSDist.
• #DNSSEC reenabled
• #ExternalDNS and #CertManager configuration vastly simplified.
• #Ingress controller migrated from #Nginx to #Traefik

Bottom line: https://sikkerpånettet.dk/ now gives the site a 100% #security score. There are still improvements to be made (weirdly enough) - specifically I'm looking into supporting DANE for #TLS certificate signatures in #DNS.

Now that's off the TODO-list :-)

#mstdndk

Some time this weekend, we'll be upgrading the #Mastodon #PostgreSQL cluster on #MSTDNDK. The cluster is being managed by #CloudNativePG and upgrades have been successfully tested on multiple other clusters - even upgrades directly from version 15 to 18.

While this is an incredibly smooth and easy process, major upgrades requires that #CNPG takes down the whole database cluster, meaning https://mstdn.dk will be unavailable for a period of time. Exactly how long is unknown, since we've never actually done this before with clusters of this size.

I'll keep you posted and give you fair warning 🙂

I've been a little rough and irresponsible with my #baremetal #Kubernetes cluster, especially when it comes to randomly rebooting nodes. Today I fixed that.

I'm running a bunch of somewhat delicate workloads, including database clusters with CSIs like #Longhorn and #OpenEBS. Checking if everything is in working order has been demanding task and often something I've skipped before rebooting or upgrading nodes - occasionally with horrific results.

Last night I finally took the time and wrote a pretty thorough script that checks that everything is working and healthy, before politely cordoning off a node, draining it and applying upgrades.

I felt so confident today that I tested it by running this new safe upgrade script for all the nodes in the cluster - and it worked! All nodes are now fully upgraded and running kernel 6.12.73 on Debian 13.

This also fixes the outstanding issue caused by #Hetzner no longer supporting obtaining IP addresses through DHCP.

#Linux #MSTDNDK #K8s

Hård uge. Arbejder og sover. Heldigvis holder @leeleedee styr på #mstdndk imens jeg jamrer og klager! Tak for det! 😊

.. og med de ord vil jeg se dyner! 🤣

The #MSTDNDK Mastodon instance just migrated away from Bitnami's #Redis helm chart and container images to #Valkey.

#Bitnami and Redis both seem to be exiting the open source community, which could prevent us from staying current, meaning always running the latest versions of the software components that make up this instance.

We understand the need to monetize software, but see that as an opportunity to add premium paid features, not take away existing ones from open source. Doing so will make your potential future customers look for other solutions. Looking at you, #MinIO, Redis and Bitnami.

Please report any issues you might experience as a result of the move to Valkey. So far it looks peachy.

The #Matrix Homeserver loosely associated with #MSTDNDK - https://mtrix.dk/ - is currently undergoing maintenance. We'll probably be dropping #KeyCloak in favor of the new Matrix Authentication Service to simplify the setup. Stay tuned.

#mtrixdk