Security Tool (hardening) with Ansible remediation

Hello guys!

I work on Squirrel Servers Manager, the open-source monitoring & configuration management platform some of you might know from here or Github.

I am starting starting to build a lightweight security feature for self-hosted / on-prem Linux boxes.

The idea: scan your servers over SSH, spot common config issues or weak points (CIS-style stuff), and suggest ready-to-run Ansible playbooks to fix them. No agents, no magic — just faster, cleaner hardening. Think about it like a lightweight "Ansible Lockdown" with an UI.

Before I go too far and spend too many weekends on it :-), I’d love your input:

Biggest security frustrations/needs right now?
How do you handle server hardening today?
On hardening - what’s the most annoying part? Keeping track of benchmark? Writing fixes? Testing safely?
Would a workflow like this save you time or just add noise?ssh-key ➜ scan (CIS-ish checks + top CVEs) ➜ get a ranked list & matching Ansible/YAML snippets ➜ approve / tweak / run ➜ success/fail ping after 30 min

If you’re curious to try it early or have opinions, I’d love to hear from you here or by DM.

Thanks, and fire away with critique, war stories, or “this already exists, go look at X”! — Manu

https://redd.it/1kbjx53
@r_devops

How to SSH from RHEL6 to RHEL9?

It seems SHA-1 is no longer accepted by default in RHEL9 and RSA keys of any length are no longer accepted. I'm in the process of migrating some RHEL6 servers to RHEL9 and it seems the OpenSSH versions are too different for any ssh keys to be compatible. I've tried various key types and cant manage to make a connection. Cant find a common key/method.

It seems my options are to use a jump box which I'd rather not do or use a legacy option in RHEL9 and lower it's security.


Any other options?


https://redd.it/1kbwhdq
@r_devops

Saw lots of comments that Jenkins is not worth it. Why and if not then what??

I looking to enter devops and just completed jenkins. But iam worried looking at all those comments. And also what other helpful tip you would give. Thank you 🙏

https://redd.it/1kc0vvk
@r_devops

Switching to devops

I am a fronte end engineer with 3 year of experience wanting to switch into devops .What should I learn and how should I learn to transition smoothly into Devops.

https://redd.it/1kc2lco
@r_devops

DevOps vs Machine Learning (NOT A POST RE HOW TO GET A DEVOPS JOB)

hi

i am still an undergrad student having done a few internships in ml and 1 in devops. initially i was the most inclined towards building a career in ml, but i have noticed a sharp increase in the competition in ml jobs especially in the last year or so which made me rethink about my decision in going towards ml and rn im considering a shift to the devops side, considering how ml is an ever-expanding domain (devops is too but at least its not as much as ml because of the math behind everything imo)

whats your take on it? ive heard people saying theres less competition in devops, at least than in ml. correct me if im wrong, and any suggestions or a personal opinion is welcome, thanks

https://redd.it/1kc6rh4
@r_devops

I built a PagerDuty docs AI, LMK what you think!

Hi everyone,

I gave a custom LLM access to all PagerDuty dev center docs(https://developer.pagerduty.com/docs/introduction) to answer technical questions for people using PagerDuty: https://demo.kapa.ai/widget/pagerduty


Any other technical info you think would be helpful to add to the knowledge base?

Would love to hear your thoughts on it!

https://redd.it/1kc8o6c
@r_devops

Should you whitelist known cookies in the WAF?

So recently we had an outage due to a cookie value for a third party monitoring system falling foul of a WAF Rule.

This was tested in QA environment and it didn't trigger the WAF (cookie value was different in qa) so it never was raised as an issue.

This got me thinking that maybe we should whitelist all known cookies but obviously that opens the door to attack via the whitelisted cookie.

On the one hand it's unlikely that a random attacker would stumble upon the right cookie but what about the users? and also, it's not like we use obscure tech, so somebody might try some sort of drive by attack with known cookies.

It seems like a bad idea to whitelist, to say nothing that we were actually not aware of the change, so we wouldn't have been able to whitelist it (though we could put a process in place for to be notified)

So, do you whitelist known cookies in your WAF?

why?

why not?

How do you ensure that cookies do not trigger WAF rules in production?

https://redd.it/1kc8v1c
@r_devops

No job, no cloud..? Made this storage tool out of spite

Hey folks,

After not getting placed during the campus placement season, I was just sitting and messing around with some ideas I’d shelved earlier. Ended up building something over the past couple weekends — it’s called Sietch Vault.

Basically, it’s a decentralized file syncing tool that works without the internet — over LAN, USB drives. I made it mainly out of curiosity, and also frustration with how everything these days relies on cloud infra you don’t control.

It’s open source and still kinda rough, but would really appreciate thoughts from anyone here — whether it's useful, dumb, broken, or something worth polishing further.

Project link: https://sietch.nilaysharan.in
GitHub: https://github.com/SubstantialCattle5/Sietch

https://preview.redd.it/ev65386qs3ye1.png?width=2527&format=png&auto=webp&s=c93d19a789a7b989428507913e181d896dc05c56

Would love any kind of feedback — design, tech, or even just "bro why" 😅

https://redd.it/1kcbav4
@r_devops

A simple, self-hosted Sentry alternative you can install in 5 minutes (with just one command!)

Hey folks 👋

I got fed up with monthly bills and SaaS lock-in, and I needed a better way to track errors in my apps, so I built Telebugs. It’s an error tracker you pay for once, host yourself, and actually own. It took me 3.5 months of solo Rails work, and I’m really happy with the results.

It’s compatible with Sentry SDKs, so it probably supports your language or framework of choice.

It’s built for people who just want something that works without the headache. Setup is dead simple: one command and you’re rolling in 5 minutes. It automatically sets up your server with an SSL certificate. All you need to do is specify the domain you want it to run on.

It catches your errors, keeps everything on your machine, and doesn’t bug you with upsells or surprise fees.

**Tech stack:**

* Rails 8 + Hotwire + TailwindCSS
* SQLite (yep)
* Runs in a single Docker container
* Compatible with Sentry SDKs
* Push + email alerts (needs to be enabled explicitly)
* Rule-based data cleanup
* No analytics, no third-party calls

Happy to answer any questions here, or over email. Cheers!

[https://telebugs.com/](https://telebugs.com/)

https://redd.it/1kcc8qg
@r_devops

Running Virtual Desktops on AWS or Azure.

What are some options for running virtual desktops to test desktop applications on AWS?

This could potentially scale up to hundreds or thousands of virtual environments. The main use-case is to test our desktop application.

I know that AWS offers workspace and Azure has AVD.

What are some other potential solutions?

https://redd.it/1kce4yr
@r_devops

Meta: How do you all use AI? I'm totally not trying to find ideas for a startup

To not appear too suspicious, I'm going to start this post by talking a little bit about how I, too, am slightly suspect of AI, but that any "reasonable person" would at least give it a try. (And, we all want to be considered reasonable, right?) I've also clearly never searched for similar topics in this subreddit, and don't really have any interest in engaging with the subreddit community at all aside from making this post.

Then, I'll talk a little bit about how I want AI to do some "simple tasks" for me, like... well... literally all of my job. But the existing tools are a little bit piecemeal, leading me to...

...my super awesome tech demo that's just a wrapper for ChatGPT, and a totally coy call-for-action for people to try it out, along with a request for suggestions.

Oh, and I really like to sprinkle emojis into my post, like these: ✨💻🔎🙅‍♂️

\---------

/s

Seriously, can we get some moderation on this kind of nonsense? Our subreddit was already being invaded by people with 0 YOE who couldn't hack SWE interviews and thought that devops would be an "easy" alternative, and now it's being invaded by people who think they can AI-away everything and want to pitch their "one tool to rule them all" idea.

edit: the number of people thinking that I'm seriously asking how they use AI, rather than trying to point out the flood of AI-related spam we're getting, is somewhat bemusing.

https://redd.it/1kce06y
@r_devops

DevOps Related Conferences?

My boss wants to send me to a conference or two this year. Initially I suggested MS Ignite but the timing didn't work out. What are some other conferences that would be of value to a devsevops engineer with a background leaning harder on the ops side than the others?

https://redd.it/1kcgglf
@r_devops

Virtual Desktop Testing Environment on AWS / Azure

I'm currently researching solutions for running virtual desktop environments specifically to test desktop applications on AWS. We're looking at potentially scaling up to hundreds or even thousands of concurrent virtual desktop environments, so scalability, manageability, and cost-effectiveness are key considerations.

We're aware of solutions like AWS WorkSpaces and Azure Virtual Desktop (AVD), but I'm curious about other viable options or alternative approaches that teams here might be using successfully.

Specifically:

What solutions have you successfully deployed for high-volume desktop application testing?

Are there effective alternatives to AWS WorkSpaces or Azure Virtual Desktop?

How do these solutions handle provisioning, automation (e.g., Terraform, Ansible, CircleCI integration), and multi-OS support (Windows, Linux, macOS)?

Are there particular tools or third-party services you've found effective for automating large-scale testing environments?

Any insights, experiences, or recommendations would be greatly appreciated.

Thanks in advance!

https://redd.it/1kcg6gl
@r_devops

Anyone running .http test files in their pipes?

I've got a load of tests already written as http files and i'd like a way to run them when i release. So, I'm after something like newman.
Anyone got anything please?

https://redd.it/1kcg5w9
@r_devops

Audit tool using ebpf

Hey folks,
I'm building an open-core tool that uses eBPF to generate audit-grade logs from Linux systems and containers — primarily for companies that need to comply with SOC 2, PCI-DSS, or HIPAA.

It traces kernel-level events like process execution, file access, network connections etc. It can export compliance reports. I am seeing it as a modern version of auditd

Its a hobby project in rust now. I would like to know if any of you would find this type of tool useful.


Thanks !

https://redd.it/1kcl49l
@r_devops

Experience Setting Up a High-Availability Private Cloud with MinIO Clusters

I recently wrote about my experience building a private cloud storage solution using MinIO in clustered mode. The goal was to achieve S3-compatible, highly available object storage for internal workloads — without relying on public cloud vendors.

The article covers setup, replication, scalability, and some operational lessons learned around HA, persistence, and bucket policies.

If you’re exploring self-hosted alternatives to S3 or interested in resilient storage for on-prem DevOps, I’d love to hear your thoughts or experiences.

Read the article 👉🏻 https://medium.com/@yassine.ramzi2010/revolutionizing-private-cloud-storage-with-minio-clusters-3cc4bd87c6c9


https://redd.it/1kcmb8g
@r_devops

Guide Hardening Docker Images with Trivy, seccomp, and Linux Capabilities

As part of a DevSecOps initiative, I explored practical ways to secure Docker images in CI/CD pipelines. This post walks through using Trivy for vulnerability scanning, applying seccomp profiles, and minimizing Linux capabilities to reduce attack surfaces.

It’s a hands-on guide focused on security without compromising portability or automation.

If you’re working on container hardening, DevSecOps practices, or simply tightening security

https://medium.com/@yassine.ramzi2010/%EF%B8%8F-devsecops-in-action-hardening-your-docker-images-with-trivy-seccomp-and-capabilities-292365a5bd79


https://redd.it/1kcm9qi
@r_devops

Asking for help in implementing a monitoring application?

I'm a junior sofware dev and I want to create a semi-real time monitoring for my application (minor delays are allowed <15min). My application produces a bunch of events with the following states: queued, error, processed, to_be_requeued. I want to track if the state goes to the error state. At the same time, I want to track if an order got queued but didn't get to the processed state (maybe due to an application bug). This will be flagged as an error if the timestamp exceeds some threshold.

I'm stumped on how to approach this problem. My initial poc implementation dumps raw events to a timescale database, and then a web api polls and processes it according to some set interval. The implementation is not performant as I expected, and I want to improve it.

After browsing the internet, I've read up that the ELK stack is commonly used for alert/ monitoring stuff. But I was wondering if this could be applied to my situation. Afaik elastic is just a key value store and kibana is just a visualization tool/ dashboard for said data.


Can this be done with ELK? If not, what are other better approaches/ architectures that I can consider using.

Links to resources would be helpful and I would also appreciate some input from someone that did a similar task before . Thank you!

{
  "user": "mel",
  "order_id": "0001",
  "event-type":  "queued",
  "message": {
    "timestamp": <unix_time>"
  }
},


{
  "user": "mel",
  "order_id": "0002",
  "event-type":  "queued",
  "message": {
    "timestamp": <unix_time>"
  }
},


{
  "user": "mel",
  "order_id": "0003",
  "event-type":  "queued",
  "message": {
    "timestamp": <unix_time>"
  }
},


{
  "user": "mel",
  "order_id": "0001",
  "event-type":  "error",
  "message": {
    "timestamp": <unix_time>"
  }
},

{
  "user": "mel",
  "order_id": "0002",
  "event-type":  "processed",
  "message": {
    "timestamp": <unix_time>"
  }
},



{
  "user": "mel",
  "order_id": "0003",
  "event-type":  "to_be_requeued",
  "message": {
    "timestamp": <unix_time>"
  }
},



{
  "user": "mel",
  "order_id": "0003",
  "event-type":  "queued",
  "message": {
    "timestamp": <unix_time>"
  }
},

{
  "user": "mel",
  "order_id": "0003",
  "event-type":  "processed",
  "message": {
    "timestamp": <unix_time>"
  }
},

https://redd.it/1kcru5c
@r_devops

Tech Support to DevOps?

I'm currently working for a Software-Development company which owns their products/solutions as a Tech-Fuctional support engineer for one of those. This was my first real job and it's been around 3 years.

Right now, I'm looking to jump onto a more technical role, I'm very interested in Networking (CCNA in progress), programming, scripting, server management, and automation. I'm just wondering how hard it is to land a DevOps job, I've applied to some vaccants but HR simply say that despite having some of the requirements of the role, the managers wouldn't consider me due to the lack of experience in a DevOps role.

I'd love to some day land a job as a DevOps Engineer, I don't mind working for it and having that as a medium/long-term objective. I was actually looking for advise or suggestions from people knowing the field. What role or job would you say will help me at this point? What could be a good next-step to start pointing my career to DevOps? Also, in your experience, how feasible it's to make this jump I'm trying to do?

https://redd.it/1kcshr5
@r_devops

Exploring An AI‑Powered DevOps Copilot Enabling One‑Click Production Deployments for Startups and Scale‑Ups

Hey r/devops 👋🏻

**TL;DR** – I’m hacking on *DevOps Agent*, an AI‑driven ChatOps tool that turns “deploy my app” into a one‑line command for lean teams. I’m still at prototype / wait‑list stage and would love feedback from anyone who’s felt the pain of getting an MVP into a reliable production environment.

# Why I’m building this

After a few tours as a DevOps engineer, I noticed the same pattern at scale‑ups:

* Spinning up a prototype is easy; wiring prod‑grade CI/CD takes days (or weeks).
* DevOps talent is scarce/expensive, and outsourcing often adds more complexity.
* A single mis‑configured Helm chart on Friday = sleeper‑cell outage on Monday.

I wondered: **what if ChatGPT‑style natural language could drive infra?**

# What the agent does (early prototype)

bash

# Slack / terminal demo
> @DevOpsAgent deploy --auto --env=staging
🔎 Scanning repo…
📦 Generating Docker & Helm manifests
☁️ Provisioning GKE cluster (europe-west1)
🚀 Deployed in 3m42s | cost est: $12.10/mo

**Under the hood**

* Reads GitHub/GitLab repo → detects language, DB, queue, etc.
* Generates Dockerfiles + Kubernetes/Helm manifests.
* Uses Terraform to spin up AWS / GCP / Azure (your choice).
* Streams cost + health metrics back into chat.
* Lets you roll back or scale via u/DevOpsAgent `scale redis 2x`

**Current status**

* Early Proof‑of‑concept in Encore + VoltAgent + WebContainers + Pulumi
* Can deploy a Node.js / Mongo demo app to GKE & tear it down.
* Private wait‑list live at [**devopsagent.dev**](https://devopsagent.dev) (very bare‑bones)

**Stuff I’m stuck on / would love input**

1. **Ephemeral environments** – What’s the nicest UX you’ve seen for per‑PR previews?
2. **Security guardrails** – Which “sane defaults” would you enable first? (IAM, image scanning, …)
3. **Pricing** – If this saved you a DevOps hire, what’s a sensible monthly tier?
4. **Interface** – Slack/Teams bot vs CLI plugin vs web dashboard: which would you actually use

# How you can help

* **Tear the idea apart** – What’s missing / unrealistic?
* **Share horror stories** – Your worst deploy nightmares help me design guardrails.

Thanks for reading! Any feedback—brutal or kind—totally welcome. 🙏

Alex – [devopsagent.dev](https://devopsagent.dev)

https://redd.it/1kcxee3
@r_devops

Business scaling up - what cloud provider should we use?

Our business is scaling rapidly — we’re currently handling millions of unique requests per week, and this number continues to grow. At the moment, we’re hosted on DigitalOcean, paying approximately €400 per month for the following infrastructure:

* One small Redis server for caching
* Four medium ARM nodes in two data centers
* One MySQL database with two replicas

However, we’re now facing significant performance issues due to unoptimized application code. Our stack includes Symfony (backend), MySQL (database), and a partially VueJS-powered frontend.

# Key Problems

1. **Blocking Requests:** When User A and User B make simultaneous requests, User B is delayed until User A's request completes. If our code executes a long-running operation (e.g., 20 seconds), the server is locked during that time, triggering Cloudflare’s load balancer to mark it as unhealthy. I initially suspected this was related to MySQL’s transaction isolation level (TIL), but DigitalOcean doesn’t allow us to change this setting. Regardless, with our current code inefficiencies, this issue is likely to worsen.
2. **Lack of Scalable Architecture:** We're not using Kubernetes or any dynamic scaling solution. Our infrastructure consists of a fixed number of servers behind Cloudflare’s load balancer. This will likely become a bottleneck as we grow.

# What We Need to Do

1. **Optimize the Application Code:** We need to refactor our backend to avoid inefficient loops and rely more on optimized database queries.**Question:** Does Symfony block concurrent requests by design? Is there a way to configure Symfony or PHP-FPM to handle multiple requests more efficiently? Or is it more likely that MySQL's transaction behavior is the real bottleneck? Would it be hard to migrate to PostgreSQL and is it really that much faster?
2. **Improve Infrastructure & Scalability:** We need a more robust and flexible server architecture with proper failover and autoscaling capabilities.**Question:** Which cloud providers would you recommend for scalable and reliable database hosting? Our primary concern is database performance and availability. Thanks to Cloudflare’s load balancer, we’re flexible with server location and even open to transitioning to Kubernetes.

We’re aiming to stay ahead of any major issues that could impact our platform’s stability. Any advice or insights would be greatly appreciated.

https://redd.it/1kcx1iw
@r_devops