med

@med@sh.itjust.works

This is a remote user, information on this page may be incomplete. View at Source ↗

⁨Comment⁩ on ⁨Holiday Upgrade Disasters⁩ ⁨⁨6⁩ ⁨days⁩ ago⁩:
I was trying to finalize a backup device to gift to my dad over Christmas. We’re planning to use each other for offsite backup, and save on the cloud costs, while providing a bridge to each other’s networks to get access to services we don’t want to advertise publicly.

It is a Beelink ME Mini running arch, btrfs on luks for the os on the emmc storage and the fTPM handling the decryption automatically.

I have built a few similar boxes since and migrated the build over to ansible, but this one was the proving ground and template for them. It was missing some of the other improvements I had built in to the deployed boxes, notably:
- zfs on luks on the NVMe drives
- the linux-lts kernel (zfs compatibility)
- UKI for the secureboot setup
I don’t know what possessed me, but I decided that question marks and tasks I had in my original build documentation should be investigated as I did it up, I was hoping to export some more specific configuration to ansible to the other boxes once done. I was going to migrate manually to learn some lessons.

I wasn’t sure about bothering with UKII wanted zfs running, and that meant moving to the linux-lts kernel package for arch.

Given systemd-boot’s superior (at current time) support for owner keys, boot time unlocking and direct efi boot, I’ve been using that. However, it works differently if you use plain kernels, compared to if you use UKI. Plain kernels use a loader file to point to the correct locations for the initramfs and the kernel, which existed on this box.

I installed the linux-lts package, all good. I removed the linux kernel package, and something in the pacman hooks failed. The autosigning process for the secure-boot setup couldn’t find the old kernel files when it regenerated my initramfs, but happily signed the new lts ones. Cool, I thought, I’ll remove the old ones from the database, and re-enroll my os drive with systemd-cryotenroll after booting on the new kernel (the PCRs I’m using would be different on a new kernel, so auto-decrypt wouldn’t work anyway.)

So, just to be sure, I regenerated my initram and kernel with mkinitcpio -p linux-lts, everything worked fine, and rebooted. I was greeted with:
```
Reboot to firmware settings
```
as my only boot option. Sigh.

Still, I was determined to learn something from this. After a good long while of reading the arch wiki and mucking about with bootctl (PITA in a live CD booted system) I thought about checking my other machines. I was hoping to find a bootctl loader entry that matched the lts kernel I had on other machines, and copy it to this machine to at least prove to myself that I had sussed the problem.

After checking, I realised no other newer machine had a loader configuration actually specifying where the kernel and initram were. I was so lost. How the fuck is any of this working?

Well, it turns out, if you have UKI set up, as described, it bundles all the major bits together like the kernel, microcode, initram and boot config options in to one direct efi-bootable file. Which is automatically detected by bootctl when installed correctly. All my other machines had UKI set up and I’d forgotten. That was how it was working. Unfortunately, I had used archinstall for setting up UKI, and I had no idea how it was doing it. There was a line in my docs literally telling me to go check this out before it bit me in the ass…

…
- [x] figure out what makes uki from archinstall work ✅ 2025-09-19
- It was systemd-ukify
…

So, after that sidetrack, I did actually prove that the kernel could be described in that bootctl loader entry, then I was able to figure out how I’d done the UKI piece in the other machines, and applied it to this one, so it matched and updated my docs…

…
- IT WASN’T ukify
UKI configuration is in mkinitcpio default configs, but needs changing to make it work.
```
vim /etc/mkinitcpio.d/linux-lts.preset 
```
…

Turns out my Christmas wish came true, I learned I need to keep better notes.
⁨Comment⁩ on ⁨Bracing for impact⁩ ⁨⁨1⁩ ⁨month⁩ ago⁩:
You are right to be afraid. I had a similar story, and am still recovering and sorting what data is recoverable. Nearly lost age 0.5-1.5 years of media of my daughters life this way.

As others have said, don’t replicate your existing backup. Do two backups. Preferably on different mediums, spinning disk/ssd eg.

If one backup is corrupted or something nasty is introduced, you will lose both. This is one of the times it is appropriate to do the work twice.

I’ve built two mini PCs, and I replicate to them pretty continuously. Otherwise, look at something like Borg base/alternatives.

Remember, 3-2-1 and restore testing. It’s not a backup unless you can restore it.
⁨Comment⁩ on ⁨Refrigerator ads are finally here!⁩ ⁨⁨1⁩ ⁨month⁩ ago⁩:
You wouldn’t download a fridge, would you?

fridge0.branchable.com
⁨Comment⁩ on ⁨Assassin's Creed is a "forever brand" because Ubisoft supported huge risks with it, ex director says: "Whereas, say, EA, you get these awful execs and they never made games and they came from toothpaste companies"⁩ ⁨⁨1⁩ ⁨month⁩ ago⁩:
You know what I would buy? Hitman set in ancient Egypt.

Infiltrating a workgang forced to build a pyramid, putting a spitting cobra into a nasty enforcer’s chamber pot because he owes the Potiphar some serious myrrh?

Sign me up.
⁨Comment⁩ on ⁨Do bots/scrapers check uncommon ports?⁩ ⁨⁨2⁩ ⁨months⁩ ago⁩:
Everything’s a trade off, as you already know. I still use lets encrypt, despite the fact that I know attackers watch CT logs, and they’ll know as soon as I mint a cert.
⁨Comment⁩ on ⁨18% of people running Nextcloud don't know what database they are using⁩ ⁨⁨3⁩ ⁨months⁩ ago⁩:
Fair enough, I did assume the target audience was selfhosters based on the question.

As for provider backups - well, you’d hope. But M$ doesn’t do user available backups, so I’d be surprised if that was bundled by the average SaaS provider.
⁨Comment⁩ on ⁨18% of people running Nextcloud don't know what database they are using⁩ ⁨⁨3⁩ ⁨months⁩ ago⁩:
And if you don’t know what database you’re running, how are you backing it up?

If you don’t know what database you’re running, are you bothering to do a full shutdown before backups? Are you doing backups at all
⁨Comment⁩ on ⁨[fluff post] If lemmy users are Lemmites, what would we like to call piefed users?⁩ ⁨⁨3⁩ ⁨months⁩ ago⁩:
Don’t worry about him, he’s just an anti-Lemmite
⁨Comment⁩ on ⁨Calendar app⁩ ⁨⁨5⁩ ⁨months⁩ ago⁩:
I haven’t tested the spouse approval factor, but once Radicale is setup, you don’t have to do anything other than create new calendars through a caldav app, or through the web front end.

Android can use DavX to sync if you’re in to foss stuff

I pretty much only use it for tasks and a maintenance calendar, but I’ve had zero problems with it so far
⁨Comment⁩ on ⁨Linkwarden (v2.11.0) - open-source collaborative bookmark manager to collect, organize, and preserve webpages, articles, and documents (tons of new features!) 🚀⁩ ⁨⁨5⁩ ⁨months⁩ ago⁩:
All I need is for them to fix the public collection RSS feed bug where they embed “https,http” in the feed xml if you’re behind a reverse proxy - which breaks parsing
⁨Comment⁩ on ⁨Monitoring network devices⁩ ⁨⁨6⁩ ⁨months⁩ ago⁩:
and has integration for Oxidized, smokeping, greylog and more
⁨Comment⁩ on ⁨'A Black Hole of Energy Use': Meta's Massive AI Data Center Is Stressing Out a Louisiana Community⁩ ⁨⁨6⁩ ⁨months⁩ ago⁩:
They do. There’s some companies that will condition, polish, clean and even eventually rotate out the fuel as part of a subscription.

Between maintaining power supply, backup power and cooling, data centre facilities maintenance is more than a full time job.
⁨Comment⁩ on ⁨I'm guilty of not reading the f..ing documentation⁩ ⁨⁨7⁩ ⁨months⁩ ago⁩:
Yes. But also, despite having done it literally thousands of times, I still can’t tell you which way round to put the target and the link name for a softlink on the first go.

My first guess is always
```
ln -s $NAME $TARGET
```
No amount of repetition will fix this.
⁨Comment⁩ on ⁨Secrets Management⁩ ⁨⁨7⁩ ⁨months⁩ ago⁩:
Sounds like you have reason to bump it up the list now - two birds with one stone.

I need to do this too. I know I have stuff deployed that has plaintext secrets in .env or even the compose. I’ll never get time to audit everything. So the more I make the baseline deployment safe, the better.
⁨Comment⁩ on ⁨Digg is about to be rebooted. Thoughts?⁩ ⁨⁨9⁩ ⁨months⁩ ago⁩:
User on both platforms checking in, it’s great!
⁨Comment⁩ on ⁨What host names do you use?⁩ ⁨⁨9⁩ ⁨months⁩ ago⁩:
It’s the right move.

I tell you, the first time you’re sat in front of a CEO and an auditor and you have to explain why the big list of servers has a highlighted one called C-NT-PRIK-5 is when the fun stops.

Explaining that it’s short for ‘customer network tester Mr. Prickles 5’, and is actually a cacti server never really seems to help the situation.

At least a few of the customers got a laugh out of it being on the reports!
⁨Comment⁩ on ⁨What host names do you use?⁩ ⁨⁨9⁩ ⁨months⁩ ago⁩:
Username checks out
⁨Comment⁩ on ⁨What host names do you use?⁩ ⁨⁨9⁩ ⁨months⁩ ago⁩:
You had me digging through old hosts files and ssh configs to find some of these.

I try to name them something that resembles what they do or has something to do with what their purpose is.

Short is good, and if it can match more than one of the machine’s purpose/os/software/look, the better.

If it’s some sort of personal machine, it gets a personal name

Phones
- traveller
- pawn
- rook
- bishop
Virtual Workstations
- boxy
- moxy
- sandbox
- cloud
- ship lxc container host
- dock docker host
Laptops
- ciel Razer blade stealth with a rainbow LED keyboard
- arc runs arch.
- lled is a dell
Desktops
- bench
- citadel
- bastion
⁨Comment⁩ on ⁨Digital Fingerprinting: Google launched a new era of tracking worse than cookie banners | Tuta⁩ ⁨⁨10⁩ ⁨months⁩ ago⁩:
I go to pornhub for the definite article
⁨Comment⁩ on ⁨Solidigm pulls out of consumer SSD market with discontinuation of drives⁩ ⁨⁨11⁩ ⁨months⁩ ago⁩:
Buying 1 tb drives has been my prefered way to to do backup sync and distro hopping for a while now, with a $20 cradle, and a waller of these things, you never have to leave anything behind.
⁨Comment⁩ on ⁨PS5 Homescreen Now Replaces Unique Video Game Art With Annoying Ads You Can’t Turn Off⁩ ⁨⁨1⁩ ⁨year⁩ ago⁩:
Amen!
⁨Comment⁩ on ⁨PS5 Homescreen Now Replaces Unique Video Game Art With Annoying Ads You Can’t Turn Off⁩ ⁨⁨1⁩ ⁨year⁩ ago⁩:
I was interested to know if that could work, supply wise.

According to these articles, the series x and the 5 pro aim to draw around 200W in-game.

USB-PD 3.1 (honestly, fuck the USB naming standard, seriously.) can allow for 240W draw.

So, kinda yeah?
⁨Comment⁩ on ⁨PS5 Homescreen Now Replaces Unique Video Game Art With Annoying Ads You Can’t Turn Off⁩ ⁨⁨1⁩ ⁨year⁩ ago⁩:
Yeah, but how long until it doesn’t come with a power brick, and you have to supply your own?