Ask HN: Can any Hetzner user please explain your workflow on Hetzner?

113 pointsby nerdyadventurerabout 2 years ago

I am thinking of trying out Hetzner for hosting front-ends, back-ends. I have some questions about the workflow on Hetzner.How do you- deploy from source repo? Terraform?- keep software up to date? ex: Postgres, OS- do load balancing? built-in load balancer?- handle scaling? Terraform?- automate backups? ex: databases, storage. Do you use provided backups and snapshots?- maintain security? built-in firewall and DDoS protection?If there is any open source automation scripts please share.

38 comments

alex7734about 2 years ago

Not hetzner but a similar provider:<pre><code> - Deploy by stopping the server, rsyncing in the changes, and starting the server. The whole thing is automated by script and takes 5 seconds which is acceptable for us. - Run apt upgrade manually biweekly or so. - We use client-side load balancing (the client picks an app server at random) but most cloud providers will give you a load balancer IP that transparently does the same thing (not for free though). - For scaling just manually rent more servers. - For backups we use a cronjob that does the backup and then uploads to MEGA - For security we setup a script that runs iptables-restore but this isn't really all that necessary if you don't run anything that listens on the network (except your own server obviously). - DDoS is handled transparently by our provider. </code></pre> While this might change if you're super big and have thousands of servers, in my experience simple is best and "just shell scripts" is the simplest solution to most sysadmin problems.

评论 #35261528 未加载

vlaaadabout 2 years ago

ssh root@hetzner-server-ip "cd my-server && git pull && ./prepare.sh && systemctl restart my.service && journalctl -u my.service -f"To expand a little bit:- It's a very small service- I use sqlite db- Preparation step before the restart ensures all the deps are downloaded for the new repo state. I.e. "a build step"- I use simple nginx in front of the web server itself- Backups are implemented as a cron job that sends my whole db as an email attachment to myself- journalctl shows how it restarted so I see it's working

评论 #35260709 未加载

评论 #35260515 未加载

0xblinqabout 2 years ago

I only use it for side projects right now, and in the past for a real production application for which "high availability" was not a problem (I could do ocasional maintenance windows out of work hours). Here's how I did it in case it helps you:> deploy from source repo? Terraform?I use Dokku (<a href="https://dokku.com/" rel="nofollow">https://dokku.com/</a>), then the workflow is the same as if you'd be using Heroku> keep software up to date? ex: Postgres, OSAutomattic ubuntu updates + I once a week SSH to it and apt-get update, etc.> do load balancing? built-in load balancer?I just don't. I don't need for the load of my projects.> handle scaling? Terraform?Just vertical scaling for now. A single powerful server can do great before you might need to add more servers.> automate backups? ex: databases, storage. Do you use provided backups and snapshots?I just enable the "backup" feature on their admin panel. Adds 20% to the cost but works great and it's easy.> maintain security? built-in firewall and DDoS protection?I only expose the HTTP(s) and SSH ports, and I also have setup fail2ban for bruteforce attacks.> If there is any open source automation scripts please share.Dokku.

nemo136about 2 years ago

> 50 machines at hetzner- install machines with ansible (using hetzner scripts for OS install)- machines communicate over vswitch/vlans, external interfaces disabled whenever possible. Pay attention to the custom mtu trick.- harden machines, unattended-upgrades mandatory on each machine- ssh open with IP whitelists from iptables on gateways- machines organized as k8s clusters, took ~1 year to have everything working cleanly- everything deployed as k8s resources (kustomize, fluxcd, gitops)- use keepalived for external IPs with floating IPs for ingress on 3 machines per clusterMachines are managed as cattle, it takes <1h+ hetzner provisioning time to add as many machines as we need.

评论 #35263543 未加载

mtmailabout 2 years ago

<a href="https://github.com/hetznercloud/awesome-hcloud/">https://github.com/hetznercloud/awesome-hcloud/</a> collects various devops tools for Hetzner Cloud.

e12eabout 2 years ago

The recent demo of MRSK from 37signals used Hetzner as the first example:> Introducing MRSK - 37signals way to deployT<a href="https://www.youtube.com/watch?v=LL1cV2FXZ5I">https://www.youtube.com/watch?v=LL1cV2FXZ5I</a>

jasonvorheabout 2 years ago

It's not even close to major public cloud providers, but this is my setup:* <a href="https://github.com/kube-hetzner/terraform-hcloud-kube-hetzner">https://github.com/kube-hetzner/terraform-hcloud-kube-hetzne...</a> (Terraform, Kubernetes bootstrap)* Flux for CI* nginx-ingress + Hetzner Loadbalancer (thanks to <a href="https://github.com/hetznercloud/hcloud-cloud-controller-manager">https://github.com/hetznercloud/hcloud-cloud-controller-mana...</a>)* Hetzner storage volumes (thanks to <a href="https://github.com/hetznercloud/csi-driver">https://github.com/hetznercloud/csi-driver</a>)Kube-Hetzner supports Hetzner Cloud loadbalancers and volumes out of the box, though it also supports other components.

cstuderabout 2 years ago

For my hobby server:<pre><code> - Running dokku with Heroku Buildpacks to deploy both from source and to run Docker images behind an ngnix reverse proxy. - Autoupgrade apt's, manually updating the OS. - No load balancing. - No scaling. - Automated backups with restic/rclone to OneDrive. - Hetzner firewall, no DDoS protection.</code></pre>

Y_Yabout 2 years ago

Manually provision long-running VMs and manage containers with yacht.sh and that's it really. There's nothing special about Hetzner that makes it qualitatively different from any other cloud provider, except for enterprises features.

mesmertechabout 2 years ago

- Deploy using docker swarm, CI ssh into machine, pull repo and run- don't remember the last time I updated lol- traefik + worker nodes on docker swarm- again docker swarm- I have a cronjob that makes backup using postgres, then uploads it to a digitalocean spaces, you can just use S3 as well- I'm using cloudflare in front of server, but I also use inbuilt firewall as I host a postgres server with hetzner(only allow traffic from the web server worker nodes)

评论 #35260979 未加载

simon83about 2 years ago

> maintain security? built-in firewall and DDoS protection?I have a Hetzner dedicated server (not the Cloud offering) and I setup OpnSense as an all-in-one routing and firewall solution in a separate VM. All incoming and outgoing traffic goes through this OpnSense VM, which acts as default gateway for the host system and all other VMs/Docker containers. You either need to book a 2nd public IPv4 address (or just use IPv6 for free if that is good enough for your use case, since each server comes with a IPv6 /64 subnet), or if you want to just have 1 IPv4 address you could do some Mac spoofing on the main eth interface of the host OS and give the actual Mac address and public IP to the OpnSense's WAN interface. This is necessary because Hetzner has some Mac address filtering in place, meaning only the Mac address connected to the public IP is allowed to make traffic.

sshineabout 2 years ago

I provision a single VPS that acts as Terraform & Ansible control:<pre><code> - Store and run Terraform setup in git - Store and distribute SSH keys - Store and run Ansible scripts for bootstrapping (e.g. Kubernetes clusters on dedicated, or more VPS'es) - Host VPN and some low-intensity services (I'd delegate both of these if I had a bigger budget) </code></pre> Specifically, this replaces the use of Terraform Cloud.I enjoyed using Terraform Cloud for a more cloudy setup with easy GitHub pull-request integration at a past employer.But I'm specifically aiming for simplicity here. It doesn't scale as well to a team of 2+ without establishing conventions.I haven't explored what self-hosted alternatives there are to Terraform Cloud.

评论 #35261390 未加载

artellectualabout 2 years ago

I have been working on <a href="https://instellar.app" rel="nofollow">https://instellar.app</a> to solve this very problem. It allows you to use s3 compatible storage and your compute / database provider. So you can use hetzner or digitalocean or AWS or google cloud, anything you want. For your database you can use digitalocean’s managed / Aiven.io / RDS / Google cloud SQL. This tool brings it all together and enable you simply focus on shipping code.It does load balancing / automatic ssl issuing out of the box. It will also allow you to scale horizontally. I’m working towards making it public soon.

评论 #35262095 未加载

notpushkinabout 2 years ago

Not a Hetzner user, but I believe you can do pretty much anything you can use any other VPS for. I deploy all my stuff on a single server using <a href="https://lunni.dev/" rel="nofollow">https://lunni.dev/</a> (disclaimer: I'm also the author of Lunni). It is a web interface over Docker Swarm with sane defaults for working with web apps.- Deploy from source repo: Lunni docs guide you how to setup CI building your repo as a docker image, and you can create a webhook that pulls it and redeploys.- Scaling, load balancing: in theory you can just throw more servers in the swarm, tweak your configuration a bit and it should work. However, I've yet to run past what a single, moderately beefy server can handle :')- Automate backups: definitely on my roadmap! Right now I'm configuring them manually on critical services, and doing them manually every now and then using the Vackup script.- Maintain security: Docker's virtual networks acts as a de-facto firewall here. In Lunni, you only expose services you need to the reverse proxy (for HTTP), and if you absolutely must expose some ports directly (e. g. SSH for Git), you have to explicitly list them.Some other similar alternatives to consider: Dokku, Coolify, Portainer with Traefik / Caddy / nginx-gen. I'll be glad if you choose Lunni though :-) Let me know if you have any questions!

blueluabout 2 years ago

For dedicated servers:- deploy from source repo? Terraform?* local build server, which rsyncs to application servers (e.g. files), or through docker registry * scripts to start/stop/restart services * centralised database on which services run on which servers, which serves as base where specific applications run- keep software up to date? ex: Postgres, OSansible for automated installs (through hetzner API) ansible scripts to execute commands on servers (e.g. update software, or adapt firewall when new hosts are being added)- do load balancing? built-in load balancer? * proxy to route requests to multiple backend servers (e.g nginx) * flexi ip (needs to manually mapped to new server in case of failure over API, so you need to check yourself that the IP is reachable)- handle scaling? Terraform?* more servers- automate backups? ex: databases, storage. Do you use provided backups and snapshots?* Seperate hdfs cluster, which allows production nodes to write once and read data, but not delete/overwrite any data. * For less data, you could also use their backup servers. * The "backups and snapshots" feature you mention is only available for vservers, not for dedicated servers.- maintain security? built-in firewall and DDoS protection?* Hetzner router Firewall * Software firewall (managed through ansible) * Don't use their VLAN feature, as there seems to be often some problems with connectivity (see their forum). * Never had DDos issues- monitoring of failures: * internal tool to monitor hardware and software issues (e.g. wrongly deployed software, etc...).

Gordonjcpabout 2 years ago

I run traefik in docker, and then I run various other random shit including my stepdaugher's Minecraft server in docker.Every couple of months I remember to pay the bill, then start browsing the auction page, then think "hey that thing isn't much more than I'm paying now, maybe I should upgrade...", but mostly I just stick with things as they are.

creshalabout 2 years ago

It really depends a lot on what you get from Hetzner. Their cloud offerings are kinda weird (few features, high prices), so we buy dedicated servers and run our own containers on top of that.Deploy from source: Gitlab CI builds and deploys containersKeep software uptodate: Deploy new containers / migrate all containers from a host to upgrade that with OS tools (Debian for us, so just apt dist-upgrade)Load balancing: nginx containerScaling: Hasn't really been an issue for us yet, but terraform/k8s work fine from what I've heardBackups: Dedicated SX server pulls backups via rsnapshot, including DB dumps. All data is on minutely replicated ZFS pools, so we got short-term snapshots for free anyway.Security: Still on IPTables and Fail2ban for on-system stuff. DDoS protection from Hetzner itself is okay-ish, but for really critical sites Akamai or Cloudflare are still the safer choices. Both work fine.

RamblingCTOabout 2 years ago

We use hetzner cloud with terraform and a self-hosted kubernetes cluster. Everything else is self-baked obviously.

throwaway81523about 2 years ago

Lots of fancy scripts around. I don't use any, I just configure new servers with an ansible playbook from my laptop, and generally do stuff by hand after that. I don't have anything I'd call "production", just personal and dev stuff. I have a cheap dedicated server that I use as a beataround and for long running computations, and occasionally spin up Hetzner cloud instances for temporary usages. I don't automate backups. I have 5TB of backup space in Hetzner Storage Box (10 euro/month for that!) and manually backup to it with Borg Backup and a few small shell commands in the .bashrc in my ansible script.

leephillipsabout 2 years ago

<pre><code> - deploy from source repo? Terraform? rsync - keep software up to date? ex: Postgres, OS apt-get - automate backups? ex: databases, storage. rsync, pg_dump - maintain security? systemd-nspawn</code></pre>

bckygldstnabout 2 years ago

- Applications and DBs run in docker containers. Deploying is basically git pull && docker-compose up --build -d- Apt auto-upgrades, other software updates are handled in docker. The only software on the machine is haproxy, git and docker for deploys, newrelic and vector for monitoring.- Haproxy runs on the server to route requests to docker containers. Cloudflare loadbalancing routes to servers.- Scaling is avoided through over-provisioning cheap Hetzner machines. Adding new machines is done so rarely that a bash script is fine.- DB backups are done in docker.- Ufw locks down to ports 22, 80, 443, and DB ports. Because docker can interact with firewalls in surprising ways, I also replicate the rules in the Hetzner filewall.

jmstfvabout 2 years ago

Migrated from Linode to Hetzner. My workflow has stayed the same:* Deploying using Git and Capistrano: `git push && cap production deploy` (aliased to cpd)* Using Hetzner backups + daily backups to Tarsnap using cron* Updating software by SSH-ing into a server and updating apt packages; I update Ruby gems locally* For security, built-in firewall + ufw, two-factor authentication, public key-only authentication (SSH key is protected with a password), SSH running on a non-standard port with a non-standard username.* I use sqlite as a database and caddy as a web server

saccharoseabout 2 years ago

I am not sure what level of abstraction and automation you are aiming for but there is a pretty neat project for setting up a kubernetes cluster including automatic updates in hetzner [1]. Even if it exceeds your requirements you can scrape it to answer many of your questions.[1] <a href="https://github.com/kube-hetzner/terraform-hcloud-kube-hetzner">https://github.com/kube-hetzner/terraform-hcloud-kube-hetzne...</a>

sergioisidoroabout 2 years ago

I've been using docker swarm + traefik + portainer and I'm quite happy. I orchestrate everything with Ansible [1]. The only manual process I have is provisioning the servers / load balancers.It provides a super nice balance between going all manual VPS and going all on the kubernetes cool aid[1] <a href="https://github.com/sergioisidoro/honey-swarm">https://github.com/sergioisidoro/honey-swarm</a>

KingOfCodersabout 2 years ago

<pre><code> - deploy from source repo? Github copy Go binary - keep software up to date? Using Hetzner Cloud + hosted Postgres - do load balancing? Hetzner LB + DNSMadeEasy LB failover - handle scaling? I don't need to scale fast - automate backups? Snapshots + hosted Postgres - maintain security? SSH on other port, Hetzner private networks, built-in firewall and DDoS protection</code></pre>

nurettinabout 2 years ago

I just ssh 'git pull && ./deploy.sh' which rolls back on deploy error.traffic: no ddos protection, no load balancingbackups: daily automated backups provided by host. no incrementals.update: unattended updates, software is tested doesn't break when databases and message queues restart due to unattended upgrades.security: intact selinux, ufw, proper users and permissions.

styrenabout 2 years ago

Sorry for this blatant self-promotion. If you're looking for managed Kubernetes I'm building <a href="https://symbiosis.host" rel="nofollow">https://symbiosis.host</a> which is a service built on top of Hetzner, with support for terraform, load balancers, storage, etc.

sirodohtabout 2 years ago

Deployment from a bash script that ssh's into the hetzner VPS and git pulls the data and restarts the server.OS kept up-to-date manually.No load balancing necessary, it's one server.No scaling necessary, it's a few thousand users.Backups: cron with script that s3-compatible copies over to off-site cloud every 6 hours.Security: firewall yes, DDoS protection no.

bestestabout 2 years ago

I use their instance to run caprover for all my apps. That's basically about it. I use hetzner's backup service, it saved me once recently.DDoS protection could might be off-loaded to CloudFlare, don't need it personally.I don't need to scale yet. But I believe caprover is somewhat scaleable.Security? As others said, SSH keys.

kjuulhabout 2 years ago

caddy, simple docker compose runtimes with watchtowerrr for updates.Hetzner is just a bunch of vms, they are all connected over wireguard for ease of use. UFW at the edge for locking down ports.No DDoS protection, but I can turn it on in cloudflare which I use for DNS.

PaywallBusterabout 2 years ago

Ansible for server configuration/changes/deploymentsRundeck to automate/schedule jobs/deployments/upgrades or scale deployments (to fleet of servers)

johne20about 2 years ago

Question for those who encrypt disk on Hetzner with LUKS. How can you get it to auto assign private IP from DHCP on boot?

t312227about 2 years ago

hmmm, mainly:* ansible for CM (first 4 points)btw. i don't do any deploys from source-repos, either build packages and use your favorite distributions package-mgmt or use containers.* some shell/awk/perl/python-scripts for backups & security-related stuff :)

js4everabout 2 years ago

It seems you could be interested in a fully managed service over Hetzner handling security/firewall/monitoring/alerts/backups but also OS / Software updates and CI/CD pipelines from your reposPlease check: <a href="https://elest.io" rel="nofollow">https://elest.io</a>Disclaimer: I'm CTO & founder

x86hacker1010about 2 years ago

I’ve been working on a new fully automated setup with 1 click.Right now I provision my nodes automatically with Terraform. I use cloud init scripts during machine initialization and an adhoc remote provisioner for some firewall stuff and config updates after complete.This is for boot. For configuration management I’m working on getting my Saltstack complete and easy to use.Saltstack can be used like chef/ansible but it’s much more intuitive to me and very flexible. This is for automating and managing package installation on my nodes, firewall rules, grouping nodes by config, etc.What’s also cool with salt is you can have it make changes based on a web hook (salt reactor), ie merging commit into master.My plan is to basically version control everything into salt so things like VPN setup, software, alerts are all automatically setup. I would love to extend this to also manage a NAS with automated backups.Tl;Dr I am migrating my flow to be automated deployments from GitHub using Ansible to automated provisioning and deployments using Salt, Terraform and GitHub/Gitea

Udoabout 2 years ago

Are we talking about their cloud services or dedicated servers? I (and a couple of clients) use their dedicated servers, the procedure is the same as with any bare metal hosting. Here's the setup of my own servers (one at Falkenstein data center and one at Helsinki). My use case is small apps, with a couple hundred concurrent users at most. If you need a more dramatic infrastructure that scales up automatically and auto-deploys software left and right, that's a whole different ball game.- Proxmox as the base OS, stock install. Close every port except SSH, 80, 443 (alternatively you may want to go with Wireguard instead of SSH). There is an nginx instance running in front of the containers, it passes data along to them as per config. Otherwise, nothing is reachable from the outside.- Servers are on Proxmox containers, mostly also Nginx, some Nodejs, some other, you know the drill. The containers are pretty low overhead, so you can implement basically any deployment strategy in that environment. They're also easy to back up and to replicate to other machines.> keep software up to date? ex: Postgres, OSI run a periodic "apt update && apt upgrade -y && apt autoremove -y" as a cron job on most containers. Some configurations tend to break occasionally, so I do those specific ones manually or with additional scripts. I have a repo of scripts and snippets that I use everywhere, just little hacks that accumulated over the years because they automate useful things.> do load balancing? built-in load balancer?That depends on where your loads are, and what the structural needs of your applications are. If this is about external web requests to a mostly read-heavy application, I highly suggest using a CDN such as Cloudflare rather than rolling your own. That being said, Nginx makes load balancing pretty painless.> automate backups? ex: databases, storage. Do you use provided backups and snapshots?Their storage offering is pretty okay, but I would consider restoring a whole-system backup a last resort. Proxmox has built-in support for container snapshots/backups, which gives you more granular control. These snapshots are also easy to rsync periodically to another host. If the physical machine dies, you just start the container on another host from a recent backup. There are HA options for this on Proxmox if you link more than one host into a cluster (which is overkill for most setups).> maintain security? built-in firewall and DDoS protection?Close down your ports. No complicated firewall rules, either. Just block anything that isn't directed at one of your 3 necessary ports. With DDoS protection: don't roll your own, use a CDN. Also, install only things you can audit or come from a reasonably safe source. For instance, I would highly discourage running npm installs/updates unsupervised. If you have a production app that needs to work and needs to be reasonably secure, don't automatically pull data from free-for-all package managers - deploy them with reviewed or known-good versions hard locked (or deploy them with dependencies already included).As a final tip: Hetzner servers come with RAID setups (usually RAID1). Monitor the status of those drives! If one fails, tell them to replace it. They will usually do it within the hour on a running system.

anciequeabout 2 years ago

We use Docker Swarm for our deployments, so I will answer the questions based on that.We have built some tooling around setting up and maintaining the swarm using ansible [0]. We also added some Hetzner flavour to that [1] which allows us to automatically spin up completely new clusters in a really short amount of time.deploy from source repo:- We use Azure DevOps pipelines that automate deployments based on environment configs living in an encrypted state in Git repos. We use [2] and [3] to make it easier to organize the deployments using `docker stack deploy` under the hood.keep software up to date:- We are currently looking into CVE scanners that export into prometheus to give us an idea of what we should updateload balancing:- depending on the project, Hetzner LB or Cloudflarehandle scaling:- manually, but i would love to build some autoscaler for swarm that interacts with our tooling [0] and [1]automate backups:- docker swarm cronjobs either via jobs with restart condition and a delay or [4]maintain security:- Hetzner LB is front facing. Communication is done via encrypted networks inside Hetzner private cloud networks- [0] <a href="https://github.com/neuroforgede/swarmsible">https://github.com/neuroforgede/swarmsible</a>- [1] <a href="https://github.com/neuroforgede/swarmsible-hetzner">https://github.com/neuroforgede/swarmsible-hetzner</a>- [2] <a href="https://github.com/neuroforgede/nothelm.py">https://github.com/neuroforgede/nothelm.py</a>- [3] <a href="https://github.com/neuroforgede/docker-stack-deploy">https://github.com/neuroforgede/docker-stack-deploy</a>===================EDIT - about storage:We use cloud volumes.For drivers:We use <a href="https://github.com/costela/docker-volume-hetzner">https://github.com/costela/docker-volume-hetzner</a> which is really stable.CSI support for Swarm is in beta as well and already merged in the Hetzner CSI driver (<a href="https://github.com/hetznercloud/csi-driver/tree/main/deploy/docker-swarm">https://github.com/hetznercloud/csi-driver/tree/main/deploy/...</a>). There are some rough edges atm with Docker + CSI so I would stick with docker-volume-hetzner for now for prod usage.Disclaimer: I contributed to both repos.

KronisLVabout 2 years ago

I use Hetzner, Contabo, Time4VPS and other platforms in pretty much the same way (as IaaS VPS providers on top of which I run software, as opposed to SaaS/PaaS), but here's a quick glance at how I do things, with mostly cloud agnostic software.> deploy from source repo? Terraform?Personally, I use Gitea for my repos and Drone CI for CI/CD.Gitea: <a href="https://gitea.io/en-us/" rel="nofollow">https://gitea.io/en-us/</a>Drone CI: <a href="https://www.drone.io/" rel="nofollow">https://www.drone.io/</a>Some might prefer Woodpecker due to licensing: <a href="https://woodpecker-ci.org/" rel="nofollow">https://woodpecker-ci.org/</a> but honestly most solutions out there are okay, even Jenkins.Then I have some sort of a container cluster on the servers, so I can easily deploy things: I still like Docker Swarm (projects like CapRover might be nice to look at as well), though many might enjoy the likes of K3s or K0s more (lightweight Kubernetes clusters).Docker Swarm: <a href="https://docs.docker.com/engine/swarm/" rel="nofollow">https://docs.docker.com/engine/swarm/</a> (uses the Compose spec for manifests)K3s: <a href="https://k3s.io/" rel="nofollow">https://k3s.io/</a>K0s: <a href="https://k0sproject.io/" rel="nofollow">https://k0sproject.io/</a> though MicroK8s and others are also okay.I also like having something like Portainer to have a GUI to manage the clusters: <a href="https://www.portainer.io/" rel="nofollow">https://www.portainer.io/</a> for Kubernetes Rancher might offer more features, but will have a higher footprintIt even supports webhooks, so I can do a POST request at the end of a CI run and the cluster will automatically pull and launch the latest tagged version of my apps: <a href="https://docs.portainer.io/user/docker/services/webhooks" rel="nofollow">https://docs.portainer.io/user/docker/services/webhooks</a>> keep software up to date? ex: Postgres, OSI build my own base container images and rebuild them (with recent package versions) on a regular basis, which is automatically scheduled: <a href="https://blog.kronis.dev/articles/using-ubuntu-as-the-base-for-all-of-my-containers" rel="nofollow">https://blog.kronis.dev/articles/using-ubuntu-as-the-base-fo...</a>Drone CI makes this easy to have happen in the background, as long as I don't update across major versions, or Maven decides to release a new version and remove their old version .tar.gz archives from the downloads site for some reason, breaking my builds and making me update the URL: <a href="https://docs.drone.io/cron/" rel="nofollow">https://docs.drone.io/cron/</a>Some images like databases etc. I just proxy to my Nexus instance, version upgrades are relatively painless most of the time, at least as long as I've set up the persistent data directories correctly.> do load balancing? built-in load balancer?This is a bit more tricky. I use Apache2 with mod_md to get Let's Encrypt certificates and Docker Swarm networking for directing the incoming traffic across the services: <a href="https://blog.kronis.dev/tutorials/how-and-why-to-use-apache-httpd-in-2022" rel="nofollow">https://blog.kronis.dev/tutorials/how-and-why-to-use-apache-...</a>Some might prefer Caddy, which is another great web server with automatic HTTPS: <a href="https://caddyserver.com/" rel="nofollow">https://caddyserver.com/</a> but the Apache modules do pretty much everything I need and the performance has never actually been too bad for my needs. Up until now, applications themselves have always been the bottleneck, actually working on a blog post about comparing some web servers in real world circumstances.However, making things a bit more failure resilient might involve just paying Hetzner (in this case) to give you a load balancer: <a href="https://www.hetzner.com/cloud/load-balancer" rel="nofollow">https://www.hetzner.com/cloud/load-balancer</a> which will make everything less painless once you need to scale.Why? Because doing round robin DNS with the ACME certificate directory accessible and synchronized across multiple servers is a nuisance, although servers like Caddy attempt to get this working: <a href="https://caddyserver.com/docs/automatic-https#storage" rel="nofollow">https://caddyserver.com/docs/automatic-https#storage</a> You could also get DNS-01 challenges working, but that needs even more work and integration with setting up TXT records. Even if you have multiple servers for resiliency, not all clients would try all of the IP addresses if one of the servers is down, although browsers should: <a href="https://webmasters.stackexchange.com/a/12704" rel="nofollow">https://webmasters.stackexchange.com/a/12704</a>So if you care about HTTPS certificates and want to do it yourself with multiple servers having the same hostname, you'll either need to get DNS-01 working, do some messing around with shared directories (which may or may not actually work), or will just need to get a regular commercial cert that you'd manually propagate to all of the web servers.From there on out it should be a regular reverse proxy setup, in my case Docker Swarm takes care of the service discovery (hostnames that I can access).> handle scaling? Terraform?None, I manually provision how many nodes I need, mostly because I'm too broke to hand over my wallet to automation.They have an API that you or someone else could probably hook up: <a href="https://docs.hetzner.cloud/" rel="nofollow">https://docs.hetzner.cloud/</a>> automate backups? ex: databases, storage. Do you use provided backups and snapshots?I use bind mounts for all of my containers for persistent storage, so the data is accessible on the host directly.Then I use something like BackupPC to connect to those servers (SSH/rsync) and pull data to my own backup node, which then compresses and deduplicates the data: <a href="https://backuppc.github.io/backuppc/" rel="nofollow">https://backuppc.github.io/backuppc/</a>It was a pain to setup, but it works really well and has saved my hide dozens of times. Some might enjoy Bacula more: <a href="https://www.bacula.org/" rel="nofollow">https://www.bacula.org/</a>> maintain security? built-in firewall and DDoS protection?I personally use Apache2 with ModSecurity and the OWASP ruleset, to act as a lightweight WAF: <a href="https://owasp.org/www-project-modsecurity-core-rule-set/" rel="nofollow">https://owasp.org/www-project-modsecurity-core-rule-set/</a>You might want to just cave in and go with Cloudflare for the most part, though: <a href="https://www.cloudflare.com/waf/" rel="nofollow">https://www.cloudflare.com/waf/</a>

评论 #35286541 未加载