top | item 47086808

(no title)

thecopy | 9 days ago

Super timely - thank you! Im in the process of moving the entire stack of my SaaS* fully in EU as well. Hetzner bare-metal, Talos k8s, OVH Object Storage for backups, self-hosted (for now) image repo. For now im still on Cloudflare for CDN, but bunny looks interesting. Using GitOps (FluxCD) as deployment strategy enables no dependencies on e.g. GitHub Actions.

For one thing running on bare-metal @ Hetzner is insane value for money versus GCP GKE. Im a third of the running costs and get ~50x resources.

The only aspect im struggling with is full-disk encryption. Although customer data is still encrypred with envelope encryption in the database, i want to migrate to fully encrypted disks (LUKS + TPM) sooner rather than later. If anyone has any resources and/or experience with this, please let know :)

* Gatana AI MCP gateway: https://www.gatana.ai/

discuss

yread|9 days ago

I'm actually just looking into LUKS on Hetzner.

I've found this - how to do it without ever entrusting any encryption key to Hetzner

https://www.tqdev.com/2023-luks-encrypted-debian-12-server-h...

But it seems like way too much work

There is this easy tutorial (that for some reason disappeared)

https://web.archive.org/web/20260128114859/https://community...

and this on how to get an email when you need to unlock it via SSH

https://dominik.wombacher.cc/posts/email_notification_to_unl...

dwedge|9 days ago

Unless I'm mistaken you can install hetzner from ISO allowing you to use LUKS. You could use teng/clevis to allow it to automatically unlock (or refuse to, given certain conditions)