Remote access to MariaDB

Continuing to look into and work on migrating my NS7 server to NS8, one of the applications on the NS7 box is my weather web page. It’s fed with data from my personal weather station, using WeeWx in a local VM running Debian 11 (used to be a Raspberry Pi, but the SD cards kept dying) to log the data to a MySQL database on my NS7 server, which runs in a remote VPS. That VPS connects via OpenVPN to my OPNsense router at home, meaning that WeeWx has a “local” IP for MySQL.

Obviously I’ll need to make changes to run that on my NS8 box. The web site itself is easy enough; tar up everything and move it into a virtual host on NS8. The existing database also seems pretty straightforward; mysqldump it and import on NS8 (though it’d sure be nice if the ns8-migration tool handled databases, or web virtual hosts for that matter).

But I’m less clear about the connection between the WeeWx box and the NS8 box, to log data going forward. I don’t love my current arrangement, in that my NS7 box, if compromised, is now an attack vector for my LAN. So what would be a good way to give this one host on my LAN access to MariaDB on my remote NS8 box, with as little additional access as possible?

I’m seeing a couple of possibilities, though I’m sure there are others (which might be better):

  • Set up a direct point-to-point VPN link from the WeeWx box to the NS8 box. Since WireGuard is already part of NS8, that would seem like a logical way to do that.
    • I’m not sure what, if anything, would need to be done to make the NS8 stack “aware” of this network connection, or to give it access to the MariaDB instance.
  • Similar to the first, but use ZeroTier, Tailscale, or something similar for the VPN link.
  • Upgrade the WeeWx box to Debian 12, install NS8 on it, and join it to my current cluster.
    • The cluster already includes a VPN link, and allows instances on any node to access instances on any other node.
    • As I understand it, clusters are limited to four nodes, and this would take up one of them; I’m not otherwise planning to expand my cluster at this time, but that still seems like a bit of a drawback.
    • Installing NS8 might be a bit “heavy” just to accomplish this goal.

Thoughts on these possibilities, or other suggestions?
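As an added example (not from this thread or from NS8’s own modules), the least-privilege shape of the first option: each WireGuard end lists only the other end’s /32 in AllowedIPs, a check that catches a LAN-wide entry, and a MariaDB account bound to the tunnel address. Tunnel addresses, key placeholders, the database name and the privilege list are assumptions; how NS8’s MariaDB instance is reached from the host, and a host firewall rule limiting the tunnel to port 3306, are not shown.

```shell
# Added example, not the thread's or NS8's code; all values are placeholders/assumptions.
NS8_TUN=10.99.0.1     # constructed tunnel address, NS8 end
WEEWX_TUN=10.99.0.2   # constructed tunnel address, WeeWx end

# NS8 side: AllowedIPs is a single /32, so only the WeeWx host can send through the tunnel.
ns8_wg_conf() {
  cat <<EOF
[Interface]
Address = ${NS8_TUN}/32
ListenPort = 51820
PrivateKey = <NS8_PRIVATE_KEY_PLACEHOLDER>
[Peer]
PublicKey = <WEEWX_PUBLIC_KEY_PLACEHOLDER>
AllowedIPs = ${WEEWX_TUN}/32
EOF
}

# WeeWx side: only the NS8 tunnel address is routed via wg0, nothing else on the VPS.
weewx_wg_conf() {
  cat <<EOF
[Interface]
Address = ${WEEWX_TUN}/32
PrivateKey = <WEEWX_PRIVATE_KEY_PLACEHOLDER>
[Peer]
PublicKey = <NS8_PUBLIC_KEY_PLACEHOLDER>
Endpoint = <NS8_PUBLIC_HOST>:51820
AllowedIPs = ${NS8_TUN}/32
PersistentKeepalive = 25
EOF
}

# The weak variant: a peer entry covering the home LAN (constructed 192.168.1.0/24),
# which is the "compromised remote box becomes an attack vector for my LAN" setup.
lan_wide_peer() {
  printf '[Peer]\nPublicKey = <KEY>\nAllowedIPs = 192.168.1.0/24\n'
}

# Sanity check: succeeds only if every AllowedIPs line emitted by "$1" is a /32 host.
allowed_ips_are_hosts() {
  ! "$1" | grep -i '^AllowedIPs' | grep -vq '/32[[:space:]]*$'
}

# MariaDB account usable only from the tunnel address, limited to the (assumed)
# 'weewx' database; widen the privilege list only if WeeWx's MySQL binding needs it.
mariadb_grant_sql() {
  cat <<EOF
CREATE USER IF NOT EXISTS 'weewx'@'${WEEWX_TUN}' IDENTIFIED BY '<STRONG_PASSWORD_PLACEHOLDER>';
GRANT SELECT, INSERT, UPDATE, CREATE ON weewx.* TO 'weewx'@'${WEEWX_TUN}';
EOF
}
```

Write the two configs to /etc/wireguard/wg0.conf on their respective hosts after generating real keys with `wg genkey`, and run the SQL on the MariaDB instance that will hold the archive.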

There’s a weewx docker implementation maybe usable for an NS8 app but it seems to use sqlite:

Yes, but using an “internal node” could also be nice for holding the account provider, samba file sharing, getting UPS data, minio/USB backup etc.

Running WeeWx on NS8 doesn’t really help me, as it still needs to communicate with my weather station over USB. Even if I were to use some sort of USB-over-IP adapter (which seem to be like hen’s teeth to find; it’s a pity that standard isn’t more popular), I’m left with the same problem: getting TCP/IP data between the NS8 box and that device in a secure way that doesn’t expose more of my LAN than necessary.

That’s an interesting idea. Not so much the other applications you mention (NS is worthless as a file server without Active Directory, and I have a pretty hefty TrueNAS system anyway for that purpose; that NAS is intended to be the Minio backup target if that ever works, etc.), but putting the accounts provider internally should be a security benefit, I’d think. Though that means that if my home Internet goes down, the handful of users I have outside my home lose access. Worth thinking about a bit, I think…