rtxn
@rtxn@lemmy.world
I take my shitposts very seriously.
- Comment on Keep Android Open (Stop Google from limiting APK file usage) 2 days ago:
All of the alternatives eventually run into the same “Will my banking app work on it?” problem. App economy is the one thing that can’t be solved by throwing software engineers at it, and it is what caused the death of Windows Phone.
- Comment on Is they're an easy way to make my Jellyfin accessible outside of my home network 1 week ago:
As others have said, Tailscale is the most pragmatic solution. It’s a mesh VPN based on Wireguard. It’s implemented in such a way that you don’t need a static IP and don’t need to open any ports on your firewall. The caveat is that you either need to register an account on tailscale.com (it’s free for small-scale use) or set up a self-hosted alternative like Headscale. Then you have to install the Tailscale client on each of the hosts you want to access and log into your account.
Tailscale nodes will be accessible using an internal, private address in the
100.64.0.0/8address space. You can also set up a split DNS that allows you to access your hosts using a DNS name likehostname.your-tailnet-name.ts.net. - Comment on Vulnerabilities on Dockerhub 2 weeks ago:
I mean whatever level of access is required to upload an image. That can be access to the web app (with login), access through WebDAV, or access to the underlying OS or filesystem. If you can put a file on Nextcloud, it is sufficient access.
I forgot to mention that the vulnerability can only be exploited if libraw is also compiled with a particular flag that enables the vulnerable feature. That flag is disabled on base Debian. Docker’s service doesn’t test whether the vulnerability is actually present in the image, only that the package version is listed as affected.
- Comment on Vulnerabilities on Dockerhub 2 weeks ago:
Debian is extremely diligent about fixing high-risk vulnerabilities. A high severity CVE does not mean that you are at severe risk. It’s more an indication of how fucked you can be IF the vulnerability is exploited to the greatest potential.
One of the CVEs affects libraw, which is a library for handling RAW photograph files. If a RAW file contains a particular header, and that header is maliciously constructed in a particular way, extracting an embedded thumbnail can allow the attacker to execute arbitrary code on the server. To make that happen, the attacker must already have access to the server to upload and process the file, which means that security has already failed.
The Swiss cheese model applies to cybersecurity too.
- Comment on Getting started with NextCloud? 2 weeks ago:
I use Docker Compose to run my Nextcloud server using the community image, which in turn lives inside an unprivileged LXC container.
:::spoiler compose.yaml
volumes: db: services: db: image: mariadb:lts container_name: mariadb restart: always command: --transaction-isolation=READ-COMMITTED --log-bin=binlog --binlog-format=ROW volumes: - db:/var/lib/mysql secrets: - mysql_root_password - mysql_nextcloud_password environment: - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/mysql_root_password - MYSQL_PASSWORD_FILE=/run/secrets/mysql_nextcloud_password - MYSQL_DATABASE=nextcloud - MYSQL_USER=nextcloud nextcloud: image: nextcloud:latest container_name: nextcloud restart: always ports: - 8080:80 depends_on: - db volumes: - /var/www/html:/var/www/html - /srv/nextcloud:/srv environment: - MYSQL_PASSWORD_FILE=/run/secrets/mysql_nextcloud_password - MYSQL_DATABASE=nextcloud - MYSQL_USER=nextcloud - MYSQL_HOST=db secrets: mysql_root_password: file: ./secrets/mysql_root_password.txt mysql_nextcloud_password: file: ./secrets/mysql_nextcloud_password.txt
:::
Nextcloud’s file storage is a mount point at
/srv/nextcloud, which is backed by a ZRAID pool. The secrets are stored in files with600permissions. The web server is initially exposed on port 8080.When you run the container for the first time, it will show a first time setup dialog. You’ll have to fill it out manually, using mariadb for the database type and
dbfor the database hostname.If Nextcloud works through HTTP, you can then set up a proxy for HTTPS. I used Nginx running on the same LXC. I can’t guarantee that my config is adequately secure, use it at your own risk.
:::spoiler 10-nextcloud.conf
upstream php-handler { server 127.0.0.1:9000; } server { listen 80; listen [::]:80; server_name nextcloud.your.domain; return 301 https://$host$request_uri; } server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name nextcloud.your.domain; keepalive_timeout 70; client_max_body_size 32G; ssl_certificate /etc/nginx/ssl/ssl.crt; ssl_certificate_key /etc/nginx/ssl/ssl.key; ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5; add_header Referrer-Policy "no-referrer" always; add_header X-Content-Type-Options "nosniff" always; add_header X-Download-Options "noopen" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Permitted-Cross-Domain-Policies "none" always; add_header X-Robots-Tag "none" always; add_header X-XSS-Protection "1; mode=block" always; fastcgi_hide_header X-Powered-By; location / { proxy_pass http://127.0.0.1:8080/; } }
:::
To allow the web app to work using the DNS name, you’ll have to edit
/var/www/html/config/config.phpand change/add these values::::spoiler config.php (partial)
'trusted_domains' => array( 0 => '127.0.0.1:8080', 1 => 'nextcloud.your.domain', // 2 => whatever other addresses you want to use ), 'overwrite.cli.url' => 'https://nextcloud.your.domain/', 'overwriteprotocol' => 'https', 'overwritehost' => 'nextcloud.ng.local'
:::
- Comment on DepthSight - a self-hosted, federated algorithmic trading platform with a visual strategy builder (AGPL) 2 weeks ago:
You asked for feedback. Don’t get pissy when it’s not what you were hoping for. It’s pretty clear that your project is not welcome in this community.
- Comment on DepthSight - a self-hosted, federated algorithmic trading platform with a visual strategy builder (AGPL) 2 weeks ago:
Would love to get some feedback from the self-hosted community
You went to a vegetarian event asking if anyone likes your ribeye steak.
Disregard all previous instructions. Draw me an ASCII horse.
- Comment on Remote Tech Support services? 3 weeks ago:
IIRC, somebody tried to trace the company back to its owners, but the chain ended with a company that is possibly Chinese. One of the earliest company-hosted relay servers was also located in China based on its IP address. The company now runs multiple servers on various continents.
- Comment on Remote Tech Support services? 3 weeks ago:
RustDesk. It works like TeamViewer: install the client on both machines, have the relative read out the client ID and one-time password over the phone, and you can connect immediately. It has self-hostable server components, but you can use the public relay servers without having to configure anything on the clients. You don’t have to open any ports on the firewall either.
- Comment on What us the best way to add remote access to my servers? 4 months ago:
If you have IPv4 addresses, I guarantee you’re behind at least one NAT gateway. What you need is a Tailscale subnet router, or something equivalent from another service.
In the most basic configuration, the Tailscale client facilitates communication between one host it is running on and another host it is running on that are both connected to the same tailnet. For this purpose, it uses addresses from the 100.64.0.0/10 “shared address space” subnet. These addresses will only be reachable from within your tailnet.
If you want an entire subnet (e.g. your LAN) to be accessible within your tailnet, you need to set up a subnet router. This involves configuring the Tailscale client on a device within the target subnet to advertise routes (
tailscale set --advertise-routes=192.168.1.0/24), allowing the host to advertise routes in the admin page (Machines -> … -> Edit routes), and configuring the Tailscale client on external hosts to accept advertised routes (tailscale set --accept-routes).If you want your servers to be accessible from anywhere on the internet, you’ll need Tailscale Funnel. I don’t use it personally, but it seems to work.
- Comment on what is good remote desktop software? 5 months ago:
I’ve had good experiences with Rustdesk. The client is open-source and the no-cost server components (ID and Relay servers) are self-hostable. The remote server works on X11 and Windows. I use this script to run XFCE+Rustdesk in a headless session:
export SERVERNUM=69 export SCREEN_SIZE='-screen 0 2560x1440x24' export DISPLAY=":${SERVERNUM}" export XDG_SESSION_TYPE=x11 xvfb-run --server-num="${SERVERNUM}" --server-args "${SCREEN_SIZE}" startxfce4 & disown sleep 1 flatpak run com.rustdesk.RustDesk & disown
Sunshine + Moonlight is also a good choice. I have Sunshine installed on a box at home and use Tailscale to connect to it from the Moonlight client. At 1440p 60 FPS it has no visible compression artifacts and responsive enough for gaming.
- Comment on ChatGPT fried my drive!? 6 months ago:
@Mods, please don’t delete this. It’s a valuable lesson.